T The Triage ManualTechnical Guides for IT Emergencies
P2 · Windows Server

Print Spooler (spoolsv.exe) Crashes on Windows Server Due to RPC over SMB Hardening — Network Print Queues Go Offline

The spoolsv.exe process crashes unexpectedly on Windows Server 2016/2019/2022 print servers, taking all network print queues offline. The root cause is RPC-over-named-pipe security hardening breaking compatibility with legacy v3 print drivers, which respond with memory access violations when their traditional RPC communication paths are restricted. Remediation involves either isolating legacy drivers into separate printer processes or migrating to v4 class print drivers that do not rely on direct RPC hooks.

Indicators

Likely causes

Diagnostic steps

  1. Open Event Viewer and navigate to Windows Logs > Application. Filter for Event ID 1000 to identify the faulting module name (win32spl.dll or a third-party print processor DLL) and the exact crash timestamp.
    Confirms that spoolsv.exe is the crashing process and identifies which DLL is responsible, distinguishing an in-box Windows driver issue from a third-party driver issue.
  2. Open Print Management console (printmanagement.msc) and enumerate all installed print drivers. Note which drivers are v3 class versus v4 class.
    Identifies legacy v3 drivers that rely on direct RPC hooks over named pipes and are therefore vulnerable to crashes under RPC-over-SMB hardening.
  3. Run Get-PrinterDriver in PowerShell to list all drivers with their MajorVersion property (v3 = MajorVersion 3, v4 = MajorVersion 4).
    Provides a scriptable inventory of driver versions for documentation and to identify all v3 drivers requiring remediation.
  4. Correlate the faulting DLL name from Event ID 1000 against the list of installed v3 drivers and their associated print processor DLLs to pinpoint the specific driver or vendor component causing the crash.
    Narrows remediation scope to the specific driver(s) requiring isolation or replacement, avoiding unnecessary changes to working print queues.
  5. Check whether RPC-over-named-pipe hardening policies or security updates have recently been applied to the print server — review Windows Update history and Group Policy for SMB/RPC-related settings.
    Establishes the triggering event and confirms that RPC hardening is active, validating the likely cause before committing to driver migration.
  6. After identifying affected v3 drivers, enable 'Print driver isolation' for one driver via the Print Management console (right-click driver > Properties > set to 'Isolated'), restart the spooler, and observe whether crashes cease.
    Validates the workaround before broad rollout and confirms that driver isolation prevents the memory access violation triggered by restricted RPC channels.
  7. Check Print Spooler service status via PowerShell: Get-Service -Name Spooler | Select-Object Name, Status, StartType
    Quickly determines whether the spooler is running, stopped, or crash-looping from the command line without opening the GUI.
  8. List all current print jobs across queues: Get-PrintJob -PrinterName '*' | Select-Object PrinterName, Id, DocumentName, JobStatus, SubmittedTime
    Identifies stalled or corrupted jobs that are blocking all subsequent print work before clearing the queue.
  9. Check driver version and environment: Get-PrinterDriver | Select-Object Name, DriverVersion, PrinterEnvironment, InfPath
    Surfaces mismatched drivers (e.g. 32-bit driver on 64-bit OS) and confirms driver version for vendor comparison.
  10. Verify network connectivity to print server: Test-NetConnection -ComputerName <PrintServerName> -Port 445
    Rules out network-layer failures before pursuing driver or spooler remediation.
  11. Query System event log for spooler service termination: Get-WinEvent -LogName System | Where-Object { $_.ProviderName -eq 'Service Control Manager' -and $_.Message -like '*Spooler*' } | Select-Object TimeCreated, Id, Message -First 20
    Identifies Event ID 7034 (service terminated unexpectedly) and other Service Control Manager entries indicating recurring spooler crashes.
  12. Review PrintService Operational and Admin event logs: Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' -MaxEvents 50
    Surfaces driver crashes, spooler errors, and per-job failures that do not appear in the Application log.
  13. Test printer data port reachability: Test-NetConnection -ComputerName <PrinterIP> -Port 9100
    Validates RAW/JetDirect printing port to direct-IP printers, distinguishing device-level network failure from spooler issues.
  14. List recently installed updates: Get-HotFix | Sort-Object InstalledOn -Descending | Select -First 10
    Correlates onset of printing failures with a specific KB (e.g., PrintNightmare or RPC hardening patches).

Resolution path

Prevention

Tools

References

print-spoolerspoolsv.exeRPCSMBnamed-pipesprint-driverv3-driverv4-driverwin32spl.dllEvent-ID-1000Event-ID-7034Windows-Server-2016Windows-Server-2019Windows-Server-2022Windows-10Windows-11driver-isolationsecurity-hardeningprint-servercrashmemory-access-violationqueue-stallspool-clearendpointnetwork-printingprintnightmarepoint-and-printscannerscan-to-folderscan-to-emailTCP-9100peripheralsPrintService-log