The Spooler service runs one RPC service, spoolss:
Z:\>ifids -p ncacn_np -e \pipe\spoolss \\. Interfaces: 1 12345678-1234-abcd-ef00-0123456789ab v1.0 Z:\>ifids -p ncalrpc-e spoolss serveur Interfaces: 1 12345678-1234-abcd-ef00-0123456789ab v1.0
Starting with Windows Server 2003, the Spooler service does not create the spoolss named pipe endpoint by default if no shared printer is configured. Instead, the spoolss LPC port is used as local endpoint to communicate with the Spooler service.
It is possible to set the RegisterSpoolerRemoteRpcEndpoint registry value to 1 to force the creation of the spoolss named pipe endpoint, even if no shared printer is configured:
GPO: Allow Print Spooler to accept client connections Key: HKLM\Software\Policies\Microsoft\Windows NT\Printers Value: RegisterSpoolerRemoteRpcEndPoint (REG_DWORD) Default value: 0
IDL (Interface Definition Language) for the spoolss interface is available in Samba 4 [66].
Table 4.65. winspool operations
| Interface | Operation number | Operation name | Windows API |
|---|---|---|---|
| 12345678-1234-abcd-ef00-0123456789ab v1.0: winspool (spoolss) | |||
| 0x00 | RpcEnumPrinters | EnumPrinters | |
| 0x01 | RpcOpenPrinter | OpenPrinter | |
| 0x02 | RpcSetJob | SetJob | |
| 0x03 | RpcGetJob | GetJob | |
| 0x04 | RpcEnumJobs | EnumJobs | |
| 0x05 | RpcAddPrinter | AddPrinter | |
| 0x06 | RpcDeletePrinter | DeletePrinter | |
| 0x07 | RpcSetPrinter | SetPrinter | |
| 0x08 | RpcGetPrinter | GetPrinter | |
| 0x09 | RpcAddPrinterDriver | AddPrinterDriver | |
| 0x0a | RpcEnumPrinterDrivers | EnumPrinterDrivers | |
| 0x0b | RpcGetPrinterDriver | GetPrinterDriver | |
| 0x0c | RpcGetPrinterDriverDirectory | GetPrinterDriverDirectory | |
| 0x0d | RpcDeletePrinterDriver | DeletePrinterDriver | |
| 0x0e | RpcAddPrintProcessor | AddPrintProcessor | |
| 0x0f | RpcEnumPrintProcessors | EnumPrintProcessors | |
| 0x10 | RpcGetPrintProcessorDirectory | GetPrintProcessorDirectory | |
| 0x11 | RpcStartDocPrinter | StartDocPrinter | |
| 0x12 | RpcStartPagePrinter | StartPagePrinter | |
| 0x13 | RpcWritePrinter | WritePrinter | |
| 0x14 | RpcEndPagePrinter | EndPagePrinter | |
| 0x15 | RpcAbortPrinter | AbortPrinter | |
| 0x16 | RpcReadPrinter | ReadPrinter | |
| 0x17 | RpcEndDocPrinter | EndDocPrinter | |
| 0x18 | RpcAddJob | AddJob | |
| 0x19 | RpcScheduleJob | ScheduleJob | |
| 0x1a | RpcGetPrinterData | GetPrinterData | |
| 0x1b | RpcSetPrinterData | SetPrinterData | |
| 0x1c | RpcWaitForPrinterChange | ||
| 0x1d | RpcClosePrinter | ClosePrinter | |
| 0x1e | RpcAddForm | AddForm | |
| 0x1f | RpcDeleteForm | DeleteForm | |
| 0x20 | RpcGetForm | GetForm | |
| 0x21 | RpcSetForm | SetForm | |
| 0x22 | RpcEnumForms | EnumForms | |
| 0x23 | RpcEnumPorts | EnumPorts | |
| 0x24 | RpcEnumMonitors | EnumMonitors | |
| 0x25 | RpcAddPort | AddPort | |
| 0x26 | RpcConfigurePort | ConfigurePort | |
| 0x27 | RpcDeletePort | DeletePort | |
| 0x28 | RpcCreatePrinterIC | ||
| 0x29 | RpcPlayGdiScriptOnPrinterIC | ||
| 0x2a | RpcDeletePrinterIC | ||
| 0x2b | RpcAddPrinterConnection | AddPrinterConnection | |
| 0x2c | RpcDeletePrinterConnection | DeletePrinterConnection | |
| 0x2d | RpcPrinterMessageBox | ||
| 0x2e | RpcAddMonitor | AddMonitor | |
| 0x2f | RpcDeleteMonitor | DeleteMonitor | |
| 0x30 | RpcDeletePrintProcessor | DeletePrintProcessor | |
| 0x31 | RpcAddPrintProvidor | AddPrintProvidor | |
| 0x32 | RpcDeletePrintProvidor | DeletePrintProvidor | |
| 0x33 | RpcEnumPrintProcessorDatatypes | EnumPrintProcessorDatatypes | |
| 0x34 | RpcResetPrinter | ResetPrinter | |
| 0x35 | RpcGetPrinterDriver2 | GetPrinterDriver2 | |
| 0x36 | RpcClientFindFirstPrinterChangeNotification | FindFirstPrinterChangeNotification | |
| 0x37 | RpcFindNextPrinterChangeNotification | FindNextPrinterChangeNotification | |
| 0x38 | RpcFindClosePrinterChangeNotification | FindClosePrinterChangeNotification | |
| 0x39 | RpcRouterFindFirstPrinterChangeNotificationOld | ||
| 0x3a | RpcReplyOpenPrinter | ||
| 0x3b | RpcRouterReplyPrinter | ||
| 0x3c | RpcReplyClosePrinter | ||
| 0x3d | RpcAddPortEx | ||
| 0x3e | RpcRemoteFindFirstPrinterChangeNotification | ||
| 0x3f | RpcSpoolerInit | ||
| 0x40 | RpcResetPrinterEx | ||
| 0x41 | RpcRemoteFindFirstPrinterChangeNotificationEx | ||
| 0x42 | RpcRouterReplyPrinterEx | ||
| 0x43 | RpcRouterRefreshPrinterChangeNotification | ||
| 0x44 | RpcSetAllocFailCount | ||
| 0x45 | RpcSplOpenPrinter | ||
| 0x46 | RpcAddPrinterEx | ||
| 0x47 | RpcSetPort | ||
| 0x48 | RpcEnumPrinterData | ||
| 0x49 | RpcDeletePrinterData | ||
| 0x4a | RpcClusterSplOpen | ||
| 0x4b | RpcClusterSplClose | ||
| 0x4c | RpcClusterSplIsAlive | ||
| 0x4d | RpcSetPrinterDataEx | ||
| 0x4e | RpcGetPrinterDataEx | ||
| 0x4f | RpcEnumPrinterDataEx | ||
| 0x50 | RpcEnumPrinterKey | ||
| 0x51 | RpcDeletePrinterDataEx | ||
| 0x52 | RpcDeletePrinterKey | ||
| 0x53 | RpcSeekPrinter | ||
| 0x54 | RpcDeletePrinterDriverEx | ||
| 0x55 | RpcAddPerMachineConnection | ||
| 0x56 | RpcDeletePerMachineConnection | ||
| 0x57 | RpcEnumPerMachineConnections | ||
| 0x58 | RpcXcvData | ||
| 0x59 | RpcAddPrinterDriverEx | ||
| 0x5a | RpcSplOpenPrinter | ||
| 0x5b | RpcGetSpoolFileInfo | ||
| 0x5c | RpcCommitSpoolData | ||
| 0x5d | RpcCloseSpoolFileHandle | ||
| 0x5e | RpcFlushPrinter | FlushPrinter | |
| > Windows XP and Windows Server 2003 | 0x5f | RpcSendRecvBidiData | |
| 0x60 | RpcAddDriverCatalog | ||
| > Windows Vista | 0x61 | RpcAddPrinterConnection2 | |
| 0x62 | RpcDeletePrinterConnection2 | ||
| 0x63 | RpcInstallPrinterDriverFromPackage | ||
| 0x64 | RpcUploadPrinterDriverPackage | ||
| 0x65 | RpcGetCorePrinterDrivers | ||
| 0x66 | RpcCorePrinterDriverInstalled | ||
| 0x67 | RpcGetPrinterDriverPackagePath | ||
| 0x68 | RpcReportJobProcessingProgress |
In August 2005, a security vulnerability discovered by Kostya Kortchinsky was fixed by Microsoft in the MS05-043 security bulletin [67]. The vulnerability can be exploited calling the AddPrinterEx operation (opnum 0x46).