A Print Spooler vulnerability is a Windows printing-service flaw that can let an attacker abuse printer drivers, Point and Print settings, or the spooler service to run code with high privileges. CVE-2021-36958 was one of the PrintNightmare-era bugs, but the safer response is still current: keep Windows patched, restrict who can install printer drivers, disable Print Spooler where printing is not needed, and investigate any suspicious driver or printer-server activity.
Why Print Spooler Bugs Still Matter
Print Spooler runs as a privileged Windows service, so a mistake in driver installation or spooler file handling can become more serious than a normal printer problem. Home users usually face risk after installing unknown printer or driver packages. Businesses face a broader risk when workstations can connect to shared printers, old drivers remain installed, or servers keep Print Spooler enabled even though they never print.
| Situation | Risk and what to do |
|---|---|
| You print from this PC | Keep Windows updated, install printer drivers only from trusted vendors or Windows Update, and remove printers you no longer use. |
| This is a server, kiosk, or PC that never prints | Disable Print Spooler so the service is not exposed unnecessarily. |
| A printer driver appeared after using an unknown tool | Remove the printer and driver package, then scan for bundled software or persistence. |
| You manage shared printers | Limit Point and Print, require administrator approval for driver installation, and prefer modern protected print paths where available. |
What CVE-2021-36958 Was
CVE-2021-36958 was a Windows Print Spooler vulnerability disclosed after the first PrintNightmare fixes. It focused attention on privileged file operations and printer-driver behavior that could let an attacker gain SYSTEM-level execution on a vulnerable Windows machine. Microsoft’s advisory and later driver-installation changes moved the practical defense from a single patch to a safer printing configuration.
The older news around this issue is still useful as history, but readers who arrive today usually need a decision: is printing required on this machine, are printer drivers controlled, and did a suspicious installer or print server change anything? For earlier PrintNightmare context, see our related note on Windows Print Spooler driver issues.
How to Reduce Print Spooler Risk Now
- Install current Windows updates. Do this before changing printer settings, because many Print Spooler fixes shipped through cumulative Windows updates.
- Disable Print Spooler where it is not needed. On a machine that never prints, administrators can stop the service and set it to disabled with PowerShell:
Stop-Service SpoolerandSet-Service Spooler -StartupType Disabled. Re-enable it only if printing is required. - Restrict printer driver installation. Treat unexpected Point and Print prompts, unsigned drivers, and drivers from unknown print servers as security events. Microsoft changed Point and Print defaults so driver installation requires administrator rights.
- Remove old printers and drivers. Unused printer queues and stale driver packages make troubleshooting harder. Remove them from Windows settings or Print Management before adding a fresh vendor-supported driver.
- Prefer safer modern print paths. On newer Windows builds, Microsoft’s protected print model reduces reliance on third-party print drivers when compatible printers and policy settings allow it.
When to Scan the PC
A Print Spooler vulnerability by itself is not the same as malware on the computer. Scan the PC when you saw a fake driver updater, a suspicious printer installer, unexpected command prompts, new printer queues you did not add, or alerts after connecting to a shared printer. For driver-related cleanup, our guide to safe Plug and Play drivers and the fake driver updater cleanup guide cover the user-side risks that often appear with printer-driver abuse.
If a suspicious installer already ran, remove the unknown printer or driver package, reboot, and run a full Gridinsoft Anti-Malware scan to check for bundled apps, startup entries, scheduled tasks, hidden files, or other leftovers that a normal driver uninstall may miss.
FAQ
Should I disable Print Spooler on Windows 11?
Disable it only on computers that do not need to print or manage printers. If you print regularly, keep the service enabled but restrict driver installation and keep Windows updated.
Is CVE-2021-36958 still exploitable today?
Fully patched Windows systems with safer driver-installation settings are not in the same state as unpatched 2021 systems. The bigger current risk is usually poor configuration, old printer drivers, or installing drivers from untrusted sources.
Can a printer driver contain malware?
Yes, a driver or driver installer can be abused like other privileged software. Use vendor or Windows Update drivers, avoid “driver updater” bundles, and scan the PC if the installer came from an unknown source.
References
- Microsoft Security Response Center. “CVE-2021-36958 Windows Print Spooler Remote Code Execution Vulnerability.” MSRC, accessed June 29, 2026. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958
- Microsoft Support. “KB5005652: Manage new Point and Print default driver installation behavior.” Microsoft, accessed June 29, 2026. https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872
- Microsoft Learn. “Windows protected print mode.” Microsoft, accessed June 29, 2026. https://learn.microsoft.com/en-us/windows-hardware/drivers/print/windows-protected-print-mode

