title: Port Monitors (T1547.010)
id: df00tech-t1547-010
status: experimental
description: "Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\\Windows\\System32 and will be loaded and run by the print spooler service, spoolsv.exe, under SYSTEM level permissions on boot. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the Driver value of an existing or new arbitrarily named subkey of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors."
references:
  - https://attack.mitre.org/techniques/T1547/010/
  - https://df00tech.com/detections/T1547.010
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated, so the selection below
  # (EventID: '*') matches every process_creation event and is only a placeholder;
  # see the KQL/SPL query on df00tech for the actual logic before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate printer driver installations by IT administrators using vendor-provided installers (HP, Canon, Lexmark, etc.) that register port monitors through AddMonitor API"
  - "Print management software (PaperCut, PrinterLogic, Pharos) that installs custom port monitors for print job tracking and accounting"
  - "PDF printer utilities (Adobe PDF, Microsoft Print to PDF, CutePDF) that register virtual port monitors during installation"
  - "Windows Update or WSUS deploying printer driver updates that modify the Print\\Monitors registry key"
level: high
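An added example of the registry-side check the description implies, which is not part of the df00tech rule: it scans events shaped like Sysmon Event ID 13 (RegistryEvent: Value Set) for writes to the Driver value of any subkey under Print\Monitors, and escalates when the DLL path is fully qualified outside System32 or the writing process is not spoolsv.exe. The event field names, the spoolsv.exe writer assumption and the sample events are assumptions of this example.

```python
"""Added example, not part of the df00tech rule: flag registry writes that set the
Driver value of a Print\\Monitors subkey. Input is shaped like Sysmon Event ID 13
(RegistryEvent: Value Set); the sample events below are constructed."""
import re
from typing import Dict, Iterable, List, Optional

# Key path named in the rule's description; the monitor subkey name is arbitrary.
MONITOR_DRIVER_RE = re.compile(
    r"\\Control\\Print\\Monitors\\(?P<monitor>[^\\]+)\\Driver$", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: AddMonitor makes the spooler write this key; writes by other
# processes indicate the registry was edited directly.
EXPECTED_WRITER = "c:\\windows\\system32\\spoolsv.exe"

def classify_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a Value Set on a Monitors\\*\\Driver value, else None."""
    if str(event.get("EventID")) != "13":
        return None
    m = MONITOR_DRIVER_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    dll = event.get("Details", "")
    image = event.get("Image", "").lower()
    reasons: List[str] = []
    # A fully qualified path (drive letter or UNC) outside System32 loads an arbitrary DLL.
    if re.match(r"^(?:[a-z]:\\|\\\\)", dll, re.IGNORECASE) and not dll.lower().startswith(SYSTEM32):
        reasons.append("driver path outside System32")
    if image != EXPECTED_WRITER:
        reasons.append(f"written by {image or 'unknown'} rather than spoolsv.exe")
    return {"monitor": m.group("monitor"), "dll": dll, "image": image,
            "severity": "high" if reasons else "review", "reasons": "; ".join(reasons)}

def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify_event over a stream of events and keep the findings."""
    return [f for f in map(classify_event, events) if f]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\Local Port\\Driver",
     "Details": "localspl.dll"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\Example Mon\\Driver",
     "Details": "C:\\Users\\Public\\example.dll"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\Example Mon\\Arguments",
     "Details": "x"},
]
```

Writes that only name a bare DLL in System32 via the spooler come back as "review", since the description notes that case is also abused; the vendor installers listed under falsepositives fall into that bucket.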
