4.10.16. Spooler service

The Spooler service runs one RPC service, spoolss:

Z:\>ifids -p ncacn_np -e \pipe\spoolss \\.
Interfaces: 1
  12345678-1234-abcd-ef00-0123456789ab v1.0

Z:\>ifids -p ncalrpc -e spoolss serveur
Interfaces: 1
  12345678-1234-abcd-ef00-0123456789ab v1.0

Starting with Windows Server 2003, the Spooler service does not create the spoolss named pipe endpoint by default if no shared printer is configured. Instead, the spoolss LPC port is used as the local endpoint to communicate with the Spooler service.

Setting the RegisterSpoolerRemoteRpcEndPoint registry value to 1 forces the creation of the spoolss named pipe endpoint, even if no shared printer is configured:

GPO: Allow Print Spooler to accept client connections
Key: HKLM\Software\Policies\Microsoft\Windows NT\Printers
Value: RegisterSpoolerRemoteRpcEndPoint (REG_DWORD)
Default value: 0

IDL (Interface Definition Language) for the spoolss interface is available in Samba 4 [66].

Table 4.65. winspool operations

| Interface | Operation number | Operation name | Windows API |
|---|---|---|---|
| 12345678-1234-abcd-ef00-0123456789ab v1.0: winspool (spoolss) | | | |
| | 0x00 | RpcEnumPrinters | EnumPrinters |
| | 0x01 | RpcOpenPrinter | OpenPrinter |
| | 0x02 | RpcSetJob | SetJob |
| | 0x03 | RpcGetJob | GetJob |
| | 0x04 | RpcEnumJobs | EnumJobs |
| | 0x05 | RpcAddPrinter | AddPrinter |
| | 0x06 | RpcDeletePrinter | DeletePrinter |
| | 0x07 | RpcSetPrinter | SetPrinter |
| | 0x08 | RpcGetPrinter | GetPrinter |
| | 0x09 | RpcAddPrinterDriver | AddPrinterDriver |
| | 0x0a | RpcEnumPrinterDrivers | EnumPrinterDrivers |
| | 0x0b | RpcGetPrinterDriver | GetPrinterDriver |
| | 0x0c | RpcGetPrinterDriverDirectory | GetPrinterDriverDirectory |
| | 0x0d | RpcDeletePrinterDriver | DeletePrinterDriver |
| | 0x0e | RpcAddPrintProcessor | AddPrintProcessor |
| | 0x0f | RpcEnumPrintProcessors | EnumPrintProcessors |
| | 0x10 | RpcGetPrintProcessorDirectory | GetPrintProcessorDirectory |
| | 0x11 | RpcStartDocPrinter | StartDocPrinter |
| | 0x12 | RpcStartPagePrinter | StartPagePrinter |
| | 0x13 | RpcWritePrinter | WritePrinter |
| | 0x14 | RpcEndPagePrinter | EndPagePrinter |
| | 0x15 | RpcAbortPrinter | AbortPrinter |
| | 0x16 | RpcReadPrinter | ReadPrinter |
| | 0x17 | RpcEndDocPrinter | EndDocPrinter |
| | 0x18 | RpcAddJob | AddJob |
| | 0x19 | RpcScheduleJob | ScheduleJob |
| | 0x1a | RpcGetPrinterData | GetPrinterData |
| | 0x1b | RpcSetPrinterData | SetPrinterData |
| | 0x1c | RpcWaitForPrinterChange | |
| | 0x1d | RpcClosePrinter | ClosePrinter |
| | 0x1e | RpcAddForm | AddForm |
| | 0x1f | RpcDeleteForm | DeleteForm |
| | 0x20 | RpcGetForm | GetForm |
| | 0x21 | RpcSetForm | SetForm |
| | 0x22 | RpcEnumForms | EnumForms |
| | 0x23 | RpcEnumPorts | EnumPorts |
| | 0x24 | RpcEnumMonitors | EnumMonitors |
| | 0x25 | RpcAddPort | AddPort |
| | 0x26 | RpcConfigurePort | ConfigurePort |
| | 0x27 | RpcDeletePort | DeletePort |
| | 0x28 | RpcCreatePrinterIC | |
| | 0x29 | RpcPlayGdiScriptOnPrinterIC | |
| | 0x2a | RpcDeletePrinterIC | |
| | 0x2b | RpcAddPrinterConnection | AddPrinterConnection |
| | 0x2c | RpcDeletePrinterConnection | DeletePrinterConnection |
| | 0x2d | RpcPrinterMessageBox | |
| | 0x2e | RpcAddMonitor | AddMonitor |
| | 0x2f | RpcDeleteMonitor | DeleteMonitor |
| | 0x30 | RpcDeletePrintProcessor | DeletePrintProcessor |
| | 0x31 | RpcAddPrintProvidor | AddPrintProvidor |
| | 0x32 | RpcDeletePrintProvidor | DeletePrintProvidor |
| | 0x33 | RpcEnumPrintProcessorDatatypes | EnumPrintProcessorDatatypes |
| | 0x34 | RpcResetPrinter | ResetPrinter |
| | 0x35 | RpcGetPrinterDriver2 | GetPrinterDriver2 |
| | 0x36 | RpcClientFindFirstPrinterChangeNotification | FindFirstPrinterChangeNotification |
| | 0x37 | RpcFindNextPrinterChangeNotification | FindNextPrinterChangeNotification |
| | 0x38 | RpcFindClosePrinterChangeNotification | FindClosePrinterChangeNotification |
| | 0x39 | RpcRouterFindFirstPrinterChangeNotificationOld | |
| | 0x3a | RpcReplyOpenPrinter | |
| | 0x3b | RpcRouterReplyPrinter | |
| | 0x3c | RpcReplyClosePrinter | |
| | 0x3d | RpcAddPortEx | |
| | 0x3e | RpcRemoteFindFirstPrinterChangeNotification | |
| | 0x3f | RpcSpoolerInit | |
| | 0x40 | RpcResetPrinterEx | |
| | 0x41 | RpcRemoteFindFirstPrinterChangeNotificationEx | |
| | 0x42 | RpcRouterReplyPrinterEx | |
| | 0x43 | RpcRouterRefreshPrinterChangeNotification | |
| | 0x44 | RpcSetAllocFailCount | |
| | 0x45 | RpcSplOpenPrinter | |
| | 0x46 | RpcAddPrinterEx | |
| | 0x47 | RpcSetPort | |
| | 0x48 | RpcEnumPrinterData | |
| | 0x49 | RpcDeletePrinterData | |
| | 0x4a | RpcClusterSplOpen | |
| | 0x4b | RpcClusterSplClose | |
| | 0x4c | RpcClusterSplIsAlive | |
| | 0x4d | RpcSetPrinterDataEx | |
| | 0x4e | RpcGetPrinterDataEx | |
| | 0x4f | RpcEnumPrinterDataEx | |
| | 0x50 | RpcEnumPrinterKey | |
| | 0x51 | RpcDeletePrinterDataEx | |
| | 0x52 | RpcDeletePrinterKey | |
| | 0x53 | RpcSeekPrinter | |
| | 0x54 | RpcDeletePrinterDriverEx | |
| | 0x55 | RpcAddPerMachineConnection | |
| | 0x56 | RpcDeletePerMachineConnection | |
| | 0x57 | RpcEnumPerMachineConnections | |
| | 0x58 | RpcXcvData | |
| | 0x59 | RpcAddPrinterDriverEx | |
| | 0x5a | RpcSplOpenPrinter | |
| | 0x5b | RpcGetSpoolFileInfo | |
| | 0x5c | RpcCommitSpoolData | |
| | 0x5d | RpcCloseSpoolFileHandle | |
| | 0x5e | RpcFlushPrinter | FlushPrinter |
| > Windows XP and Windows Server 2003 | 0x5f | RpcSendRecvBidiData | |
| | 0x60 | RpcAddDriverCatalog | |
| > Windows Vista | 0x61 | RpcAddPrinterConnection2 | |
| | 0x62 | RpcDeletePrinterConnection2 | |
| | 0x63 | RpcInstallPrinterDriverFromPackage | |
| | 0x64 | RpcUploadPrinterDriverPackage | |
| | 0x65 | RpcGetCorePrinterDrivers | |
| | 0x66 | RpcCorePrinterDriverInstalled | |
| | 0x67 | RpcGetPrinterDriverPackagePath | |
| | 0x68 | RpcReportJobProcessingProgress | |

In August 2005, a security vulnerability discovered by Kostya Kortchinsky was fixed by Microsoft in the MS05-043 security bulletin [67]. The vulnerability can be exploited by calling the AddPrinterEx operation (opnum 0x46).
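
For monitoring, the operation number can be read from the fixed header of a connection-oriented DCE/RPC request PDU and matched against Table 4.65. The following is an added example, not part of the original document: the function names are hypothetical, only a subset of the table is embedded, the sample PDUs are constructed, and the caller is assumed to already know that the PDU was sent to the spoolss interface (bind tracking is not shown).

```python
import struct

# Subset of Table 4.65 above (opnum -> operation name).
WINSPOOL_OPS = {
    0x00: "RpcEnumPrinters",
    0x01: "RpcOpenPrinter",
    0x1d: "RpcClosePrinter",
    0x46: "RpcAddPrinterEx",
    0x59: "RpcAddPrinterDriverEx",
}
# The text above ties MS05-043 to AddPrinterEx (opnum 0x46).
MS05_043_OPNUM = 0x46
PTYPE_REQUEST = 0x00


def parse_request(pdu: bytes):
    """Return (opnum, context_id) for a DCE/RPC v5 request PDU, else None."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return None
    # packed_drep[0], high nibble: 1 = little-endian integers, 0 = big-endian.
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_length, _auth_length, _call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if frag_length < 24 or frag_length > len(pdu):
        return None  # truncated or malformed fragment
    _alloc_hint, context_id, opnum = struct.unpack_from(endian + "IHH", pdu, 16)
    return opnum, context_id


def classify(pdu: bytes):
    """Return (operation name, is_ms05_043_opnum), or None if not a request."""
    parsed = parse_request(pdu)
    if parsed is None:
        return None
    opnum, _context_id = parsed
    name = WINSPOOL_OPS.get(opnum, "opnum 0x%02x" % opnum)
    return name, opnum == MS05_043_OPNUM


def build_sample(opnum: int, little_endian: bool = True) -> bytes:
    """Constructed sample: a 24-byte request header with no stub data."""
    endian, drep = ("<", 0x10) if little_endian else (">", 0x00)
    head = bytes([5, 0, PTYPE_REQUEST, 0x03, drep, 0, 0, 0])
    return head + struct.pack(endian + "HHIIHH", 24, 0, 1, 0, 0, opnum)
```

A match on opnum 0x46 only shows that AddPrinterEx was called; it does not distinguish a legitimate call from an exploitation attempt.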