Print Spooler (spoolsv.exe) Crashes on Windows Server Due to RPC over SMB Hardening — Network Print Queues Go Offline
The spoolsv.exe process crashes unexpectedly on Windows Server 2016/2019/2022 print servers, taking all network print queues offline. The root cause is RPC-over-named-pipe security hardening breaking compatibility with legacy v3 print drivers, which respond with memory access violations when their traditional RPC communication paths are restricted. Remediation involves either isolating legacy drivers into separate printer processes or migrating to v4 class print drivers that do not rely on direct RPC hooks.
Indicators
- spoolsv.exe process stops unexpectedly — all network printing queues go offline simultaneously
- Print queues remain offline until the Print Spooler service is manually restarted
- Event ID 1000 in the Application event log, with faulting module listed as win32spl.dll or a third-party print processor DLL
- Entire office locations lose the ability to print, impacting operations, shipping, and billing departments
- Print jobs submitted but appear in queue then disappear or stall without printing
- Error dialog 'Operation could not be completed' when attempting to print
- Printer shown as offline in Devices and Printers despite confirmed network connectivity
- Users unable to add or see network printers
- Scan-to-folder or scan-to-email operations time out or fail
- 'Windows cannot connect to the printer' error when connecting to a shared printer
- Print jobs stuck with status 'Spooling', 'Error', or 'Deleting - Printing'
Likely causes
- RPC-over-named-pipe security hardening mitigations on Windows Server 2016/2019/2022 restrict traditional RPC communications used by legacy v3 print drivers, causing memory access violations in spoolsv.exe
- Legacy v3 print drivers use direct RPC hooks over SMB named pipes that are blocked or restricted by updated security policy, resulting in spoolsv.exe process termination
- Third-party print processor DLLs loaded in-process by spoolsv.exe that are incompatible with the hardened RPC stack cause the entire spooler to crash
- Stuck or corrupted print jobs blocking the spooler queue
- Network printer share unavailable due to print server outage or DNS resolution failure
- Group Policy printer mappings failing due to permissions or connectivity issues
- Windows Update replacing or invalidating existing printer drivers (common post-Patch Tuesday)
- Windows Update regression from PrintNightmare-related patches breaking point-and-print driver installation
- TCP/IP port configuration mismatch (RAW 9100 vs LPR)
- SMB1 disabled on client blocking legacy scan-to-share workflows
- Group Policy 'Point and Print Restrictions' or RestrictDriverInstallationToAdministrators blocking driver installation
- Printer DHCP lease change causing IP drift and port mismatch
Diagnostic steps
-
Open Event Viewer and navigate to Windows Logs > Application. Filter for Event ID 1000 to identify the faulting module name (win32spl.dll or a third-party print processor DLL) and the exact crash timestamp.Confirms that spoolsv.exe is the crashing process and identifies which DLL is responsible, distinguishing an in-box Windows driver issue from a third-party driver issue.
-
Open Print Management console (printmanagement.msc) and enumerate all installed print drivers. Note which drivers are v3 class versus v4 class.Identifies legacy v3 drivers that rely on direct RPC hooks over named pipes and are therefore vulnerable to crashes under RPC-over-SMB hardening.
-
Run Get-PrinterDriver in PowerShell to list all drivers with their MajorVersion property (v3 = MajorVersion 3, v4 = MajorVersion 4).Provides a scriptable inventory of driver versions for documentation and to identify all v3 drivers requiring remediation.
-
Correlate the faulting DLL name from Event ID 1000 against the list of installed v3 drivers and their associated print processor DLLs to pinpoint the specific driver or vendor component causing the crash.Narrows remediation scope to the specific driver(s) requiring isolation or replacement, avoiding unnecessary changes to working print queues.
-
Check whether RPC-over-named-pipe hardening policies or security updates have recently been applied to the print server — review Windows Update history and Group Policy for SMB/RPC-related settings.Establishes the triggering event and confirms that RPC hardening is active, validating the likely cause before committing to driver migration.
-
After identifying affected v3 drivers, enable 'Print driver isolation' for one driver via the Print Management console (right-click driver > Properties > set to 'Isolated'), restart the spooler, and observe whether crashes cease.Validates the workaround before broad rollout and confirms that driver isolation prevents the memory access violation triggered by restricted RPC channels.
-
Check Print Spooler service status via PowerShell: Get-Service -Name Spooler | Select-Object Name, Status, StartTypeQuickly determines whether the spooler is running, stopped, or crash-looping from the command line without opening the GUI.
-
List all current print jobs across queues: Get-PrintJob -PrinterName '*' | Select-Object PrinterName, Id, DocumentName, JobStatus, SubmittedTimeIdentifies stalled or corrupted jobs that are blocking all subsequent print work before clearing the queue.
-
Check driver version and environment: Get-PrinterDriver | Select-Object Name, DriverVersion, PrinterEnvironment, InfPathSurfaces mismatched drivers (e.g. 32-bit driver on 64-bit OS) and confirms driver version for vendor comparison.
-
Verify network connectivity to print server: Test-NetConnection -ComputerName <PrintServerName> -Port 445Rules out network-layer failures before pursuing driver or spooler remediation.
-
Query System event log for spooler service termination: Get-WinEvent -LogName System | Where-Object { $_.ProviderName -eq 'Service Control Manager' -and $_.Message -like '*Spooler*' } | Select-Object TimeCreated, Id, Message -First 20Identifies Event ID 7034 (service terminated unexpectedly) and other Service Control Manager entries indicating recurring spooler crashes.
-
Review PrintService Operational and Admin event logs: Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' -MaxEvents 50Surfaces driver crashes, spooler errors, and per-job failures that do not appear in the Application log.
-
Test printer data port reachability: Test-NetConnection -ComputerName <PrinterIP> -Port 9100Validates RAW/JetDirect printing port to direct-IP printers, distinguishing device-level network failure from spooler issues.
-
List recently installed updates: Get-HotFix | Sort-Object InstalledOn -Descending | Select -First 10Correlates onset of printing failures with a specific KB (e.g., PrintNightmare or RPC hardening patches).
Resolution path
- Option A — Driver Isolation (shorter-term workaround): In the Print Management console (printmanagement.msc), locate each legacy v3 print driver identified during diagnostics. Right-click the driver, select Properties, and set 'Driver Isolation' to 'Isolated'. This runs the driver in a separate process so a crash does not bring down the entire spooler.
- Restart the Print Spooler service after enabling isolation: net stop spooler && net start spooler
- Option B — v4 Driver Migration (permanent fix): Replace all v3 class print drivers with manufacturer-supplied v4 class print drivers for the same printer models. v4 drivers avoid direct RPC hooks and are compatible with the hardened RPC-over-SMB stack.
- Deploy updated v4 drivers via Print Management console or Group Policy printer deployment. Remove and re-add affected print queues using the new v4 drivers.
- If a specific third-party print processor DLL is identified as the faulting module and neither isolation nor a v4 driver is immediately available, contact the print vendor for an updated print processor compatible with RPC-over-SMB hardening.
- If stalled jobs are suspected: stop the spooler (Stop-Service -Name Spooler -Force), delete all spool files (Remove-Item -Path 'C:\Windows\System32\spool\PRINTERS\*' -Force -Recurse), then restart the spooler (Start-Service -Name Spooler). Note: spool files cannot be recovered once deleted — notify affected users before clearing.
- If spooler continues crashing after isolation/driver steps and the system was recently patched, consider rolling back the relevant Windows Update via Settings > Update & Security > View Update History > Uninstall Updates.
- To re-add a network printer after driver or queue remediation: Add-Printer -ConnectionName '\\<PrintServer>\<ShareName>' or via Settings > Printers & Scanners > Add a printer.
- For direct-IP printer discovery/port issues, recreate the TCP/IP port: Add-PrinterPort -Name 'IP_<ip>' -PrinterHostAddress '<ip>', then re-add printer with Add-Printer -Name '<PrinterName>' -DriverName '<Driver>' -PortName 'IP_<ip>'
- For scan-to-share failures, verify SMB signing settings and enable SMB2 on the MFP; if SMB1 is required and unavailable, reconfigure the device to scan-to-email or SFTP
- For Point and Print failures after PrintNightmare patches, review Group Policy 'Point and Print Restrictions' and the RestrictDriverInstallationToAdministrators registry value (HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint)
- Verification: confirm Get-Service Spooler returns Running, Test-NetConnection to printer on port 9100 returns TcpTestSucceeded: True, a Windows test page prints successfully, and no new errors appear in Microsoft-Windows-PrintService/Admin
Prevention
- Proactively audit all installed print drivers before applying RPC-over-SMB hardening updates: identify every v3 driver and either migrate to v4 equivalents or pre-configure driver isolation in Print Management console before the security change is applied.
- Standardize on v4 class print drivers for all new print queue deployments on Windows Server 2019/2022 — v4 drivers do not use direct RPC hooks and are resilient to RPC-over-named-pipe restrictions.
- Enable print driver isolation ('Isolated' mode) by default for all third-party print drivers as an organizational baseline, so that any future driver crash cannot take down the entire spooler process.
- Subscribe to vendor security bulletins and test RPC hardening updates in a staging print server environment before production rollout to catch driver incompatibilities before they cause outages.
- Configure Print Spooler service automatic recovery so transient crashes self-resolve: sc failure Spooler reset= 86400 actions= restart/5000/restart/10000/restart/20000
- Monitor the System event log for Event ID 7034 scoped to the Spooler service as an early warning of recurring driver-induced crashes before a full outage occurs.
- Standardize on a single vetted driver version per printer model and deploy via Print Management console or Intune
- Reserve DHCP addresses for network printers to prevent IP drift and stale port bindings
- Configure Group Policy 'Point and Print Restrictions' explicitly to align with current PrintNightmare mitigations
- Implement print server monitoring for Spooler service state and queue depth (SCOM, PRTG, or scheduled task)
Tools
- printmanagement.msc — Print Management console (driver isolation and queue management)
- Event Viewer — Application log, filter on Event ID 1000 (crash diagnosis)
- Services.msc / net stop|start spooler — Print Spooler service control
- printui /s /t2 — Print server properties UI for driver management from command line
- Get-PrinterDriver (PowerShell) — enumerate installed drivers and driver class (v3/v4)
- Get-Service / Stop-Service / Start-Service (PowerShell) — manage Print Spooler service state
- Get-PrintJob / Remove-PrintJob (PowerShell) — inspect and clear print queues
- Remove-PrinterDriver (PowerShell) — remove faulting drivers
- Add-Printer (PowerShell) — reconnect network printers via command line
- Test-NetConnection (PowerShell) — verify TCP/IP connectivity to print server on port 445
- Microsoft-Windows-PrintService/Operational and /Admin event logs
- Vendor diagnostic utilities (HP Print and Scan Doctor, Epson Status Monitor, etc.)
- wusa.exe — Windows Update Standalone Installer for KB removal
- Add-PrinterPort (PowerShell) — recreate TCP/IP printer ports
References
- Print Spooler Crashes (RPC over SMB Hardening Fallouts) — The Triage Manual Source
- Microsoft Docs — Troubleshoot print spooler errors
- Microsoft Docs — Get-PrintJob (PrintManagement module)