title: Print Processors (T1547.012)
id: df00tech-t1547-012
status: experimental
description: "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding a Registry key under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors with a Driver value pointing to the malicious DLL. The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges."
references:
  - https://attack.mitre.org/techniques/T1547/012/
  - https://df00tech.com/detections/T1547.012
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.012
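# NOTE: the original auto-derived placeholder (process_creation, EventID: '*') matched every event.
# The logic below is an assumed translation built from the Registry path in the description,
# using Sysmon-style registry_set events; it is not the KQL/SPL query on df00tech. Adjust for your environment.
logsource:
  category: registry_set
  product: windows
detection:
  # Writes to the Driver value of a key under ...\Print\Environments\<architecture>\Print Processors\
  selection:
    TargetObject|contains|all:
      - '\Control\Print\Environments\'
      - '\Print Processors\'
    TargetObject|endswith: '\Driver'
  condition: selection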
falsepositives:
  - "Legitimate printer driver installations from vendors (HP, Canon, Lexmark, Xerox) that install custom print processors via AddPrintProcessor API"
  - "Print management software (PaperCut, Pharos, Equitrac) that deploys custom print processors for job accounting and watermarking"
  - Windows Update or WSUS deploying updated print processor DLLs as part of printer driver packages
  - IT administrators manually installing print processors using PowerShell or the Print Management console on print servers
level: high
