Microsoft-Windows-PrintService
219 events across 3 channels
Event ID 1 — The print spooler failed to import the printer driver that was downloaded from <ServerName> into the driver store for driver <DriverName>.
Event ID 22 — Failed to upgrade printer settings for printer <PrinterName> driver <DriverName>.
Event ID 23 — Printer <PrinterName> failed to initialize because a suitable <DriverName> driver could not be found.
Event ID 99 — The print spooler encountered a fatal error while executing a critical operation (OperationCode, error Error) and must immediately terminate.
Event ID 100 — Printer PrinterName successfully added.
Description
Printer PrinterName successfully added. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 101 — Failed to add printer PrinterName, error code ErrorCode.
Description
Failed to add printer PrinterName, error code ErrorCode. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 104 — Deleting printer PrinterName succeeded.
Description
Deleting printer PrinterName succeeded. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 105 — Deleting printer PrinterName failed, error code ErrorCode.
Description
Deleting printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 106 — Starting document job JobID for printer PrinterName succeeded.
Description
Starting document job JobID for printer PrinterName succeeded. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| JobID | UInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 107 — Starting document job JobID for printer PrinterName failed, error code ErrorCode.
Description
Starting document job JobID for printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| JobID | UInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 110 — Ending document job JobID for printer PrinterName succeeded.
Description
Ending document job JobID for printer PrinterName succeeded. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| JobID | UInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 111 — Ending document job JobID for printer PrinterName failed, error code ErrorCode.
Description
Ending document job JobID for printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| JobID | UInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 114 — Adding printer driver ObjectName succeeded.
Event ID 115 — Adding printer driver ObjectName failed, error code ErrorCode.
Event ID 118 — Opening printer ObjectName succeeded.
Event ID 119 — Opening printer ObjectName failed, error code ErrorCode.
Event ID 122 — Starting page job JobID at printer PrinterName succeeded.
Description
Starting page job JobID at printer PrinterName succeeded. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| JobID | UInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 123 — Starting page failed at printer JobID, error code ErrorCode.
Description
Starting page failed at printer JobID, error code ErrorCode. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| JobID | UInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 124 — Ending page job JobID at printer PrinterName succeeded.
Description
Ending page job JobID at printer PrinterName succeeded. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| JobID | UInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 125 — Ending page job JobID at printer PrinterName failed, error code ErrorCode.
Description
Ending page job JobID at printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| JobID | UInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 131 — Setting printer PrinterName failed, error code ErrorCode.
Description
Setting printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| ErrorCode | HexInt32 | — |
| PrinterName | UnicodeString | — |
| Status | HexInt32 | — NTSTATUS reference |
Event ID 200 — Adding CSR printer connection ObjectName succeeded.
Event ID 201 — Adding CSR printer connection ObjectName failed, error code ErrorCode.
Event ID 204 — Deleting CSR printer connection ObjectName succeeded.
Event ID 205 — Deleting CSR printer connection ObjectName failed, error code ErrorCode.
Event ID 207 — Opening CSR printer ObjectName failed, error code ErrorCode.
Event ID 210 — Closing CSR printer ObjectName succeeded.
Event ID 211 — Closing CSR printer ObjectName failed, error code ErrorCode.
Event ID 212 — Parsing inf (InfPath) for printer driver DriverName succeeded (processor architecture ProcessorArchitecture).
Description
Parsing inf (InfPath) for printer driver DriverName succeeded (processor architecture ProcessorArchitecture). See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| Message | UnicodeString | — |
| AdditionalInfo | UnicodeString | — |
| InfPath | UnicodeString | — |
| DriverName | UnicodeString | — |
| InstallSection | UnicodeString | — |
| ProcessorArchitecture | UnicodeString | — |
| LastError | HexInt32 | — |
| HResult | HexInt32 | — |
Event ID 213 — Parsing inf (InfPath) for printer driver DriverName failed (processor architecture ProcessorArchitecture), error code LastError, HRESULT HResult.
Description
Parsing inf (InfPath) for printer driver DriverName failed (processor architecture ProcessorArchitecture), error code LastError, HRESULT HResult. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| Message | UnicodeString | — |
| AdditionalInfo | UnicodeString | — |
| InfPath | UnicodeString | — |
| DriverName | UnicodeString | — |
| InstallSection | UnicodeString | — |
| ProcessorArchitecture | UnicodeString | — |
| LastError | HexInt32 | — |
| HResult | HexInt32 | — |
Event ID 214 — Installing printer driver DriverName succeeded.
Description
Installing printer driver DriverName succeeded. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| Message | UnicodeString | — |
| AdditionalInfo | UnicodeString | — |
| InfPath | UnicodeString | — |
| DriverName | UnicodeString | — |
| InstallSection | UnicodeString | — |
| ProcessorArchitecture | UnicodeString | — |
| PackageAware | UnicodeString | — |
| CoreDriverDependencies | UnicodeString | — |
| LastError | HexInt32 | — |
| HResult | HexInt32 | — |
Event ID 215 — Installing printer driver DriverName failed, error code LastError, HRESULT HResult.
Description
Installing printer driver DriverName failed, error code LastError, HRESULT HResult. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| Message | UnicodeString | — |
| AdditionalInfo | UnicodeString | — |
| InfPath | UnicodeString | — |
| DriverName | UnicodeString | — |
| InstallSection | UnicodeString | — |
| ProcessorArchitecture | UnicodeString | — |
| PackageAware | UnicodeString | — |
| CoreDriverDependencies | UnicodeString | — |
| LastError | HexInt32 | — |
| HResult | HexInt32 | — |
Event ID 216 — A printer setup operation succeeded during the installation process.
Description
A printer setup operation succeeded during the installation process. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Context | UnicodeString | — |
| Message | UnicodeString | — |
| AdditionalInfo | UnicodeString | — |
| ProcessorArchitecture | UnicodeString | — |
| LastError | HexInt32 | — |
| HResult | HexInt32 | — |
Event ID 217 — A printer setup operation failed during the installation process, error code LastError, HRESULT HResult.
Description
A printer setup operation failed during the installation process, error code LastError, HRESULT HResult. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Context | UnicodeString | — |
| Message | UnicodeString | — |
| AdditionalInfo | UnicodeString | — |
| ProcessorArchitecture | UnicodeString | — |
| LastError | HexInt32 | — |
| HResult | HexInt32 | — |
Event ID 218 — Copying printer driver package InfPath succeeded.
Description
Copying printer driver package InfPath succeeded. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| Message | UnicodeString | — |
| AdditionalInfo | UnicodeString | — |
| Server | UnicodeString | — |
| InfPath | UnicodeString | — |
| DestInfPath | UnicodeString | — |
| ProcessorArchitecture | UnicodeString | — |
| LastError | HexInt32 | — |
| HResult | HexInt32 | — |
Event ID 219 — Copying printer driver package InfPath failed, error code LastError, HRESULT HResult.
Description
Copying printer driver package InfPath failed, error code LastError, HRESULT HResult. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Label | UnicodeString | — |
| Message | UnicodeString | — |
| AdditionalInfo | UnicodeString | — |
| Server | UnicodeString | — |
| InfPath | UnicodeString | — |
| DestInfPath | UnicodeString | — |
| ProcessorArchitecture | UnicodeString | — |
| LastError | HexInt32 | — |
| HResult | HexInt32 | — |
Event ID 220 — Retrieving CSR cache information for printer ObjectName succeeded.
Event ID 221 — Retrieving CSR cache information for printer ObjectName failed, error code ErrorCode.
Event ID 224 — A remote print driver package operation Function failed with error code Error, server name Server.
Description
A remote print driver package operation Function failed with error code Error, server name Server. This was most likely caused by an unexpected error in the protocol communication between the client and the print server.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Function | UnicodeString | — |
| Error | HexInt32 | — |
| Server | UnicodeString | — |
Event ID 225 — An error occurred while installing printer driver 'DriverName'.
Event ID 226 — An error occurred while installing printer driver 'DriverName'.
Event ID 227 — An error occurred while installing printer driver 'DriverName'.
Event ID 228 — An error occurred while installing printer driver 'DriverName'.
Event ID 229 — An error occurred while installing printer driver 'DriverName'.
Event ID 230 — A problem was encountered while installing printer driver 'DriverName'.
Event ID 231 — An attempt was made to upgrade installed class driver 'DriverName' to a non-class driver.
Event ID 232 — An attempt was made to upgrade installed printer driver 'DriverName' to an older version of the driver, which is unsupported.
Event ID 233 — An attempt was made to upgrade installed printer driver 'DriverName' to a version that does not support printer sharing, or may cause compatibility problem...
Event ID 234 — A problem was encountered while deleting printer driver 'DriverName'.
Description
A problem was encountered while deleting printer driver 'DriverName'. A printer extension bundled with the driver failed to unregister. Error code: HResult. The driver will still be deleted.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DriverName | UnicodeString | — |
| InfPath | UnicodeString | — |
| RequiredClassDriver | UnicodeString | — |
| HResult | HexInt32 | — |
Event ID 235 — An error occurred while installing printer driver 'DriverName'.
Description
An error occurred while installing printer driver 'DriverName'. The file 'Value' referenced by the Directive directive could not be found.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DriverName | UnicodeString | — |
| InfPath | UnicodeString | — |
| RequiredClassDriver | UnicodeString | — |
| Directive | UnicodeString | — |
| Value | UnicodeString | — |
Event ID 236 — An error occurred while installing printer driver 'DriverName'.
Description
An error occurred while installing printer driver 'DriverName'. The Directive directive is not allowed for this type of driver. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DriverName | UnicodeString | — |
| InfPath | UnicodeString | — |
| RequiredClassDriver | UnicodeString | — |
| Directive | UnicodeString | — |
| ClassDriverOnly | Boolean | — |
| NonClassDriverOnly | Boolean | — |
Event ID 237 — An error occurred while installing printer driver 'DriverName'.
Description
An error occurred while installing printer driver 'DriverName'. The directive is malformed, by having either an empty token or an incorrect number of tokens. See the event user data for context information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DriverName | UnicodeString | — |
| InfPath | UnicodeString | — |
| RequiredClassDriver | UnicodeString | — |
| Directive | UnicodeString | — |
| EmptyToken | Boolean | — |
| IncorrectNumberOfTokens | Boolean | — |
Event ID 238 — An error occurred while installing printer driver 'DriverName'.
Event ID 239 — An error occurred while installing printer driver 'DriverName'.
Event ID 240 — An error occurred while installing printer driver 'DriverName'.
Event ID 241 — An attempt was made to upgrade installed printer driver 'DriverName' to a driver that does not support non-inbox port monitors.
Event ID 242 — An error occurred while configuring print queue 'PrinterName'.
Event ID 300 — Printer param1 was created.
Description
Printer param1 was created. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 300,
    "version": 0,
    "level": 4,
    "task": 4,
    "opcode": 11,
    "keywords": 4611686018427389984,
    "time_created": "2021-10-27T10:14:27.559950Z",
    "event_record_id": 155,
    "correlation": {},
    "execution": {
      "process_id": 2552,
      "thread_id": 4028
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
    }
  },
  "user_data": {
    "PrinterCreated": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "Kiwi Legit Printer"
    }
  }
}
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 301 — Printer param1 was deleted, and users will no longer be able to print to this printer.
Description
Printer param1 was deleted, and users will no longer be able to print to this printer. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 301,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 11,
    "keywords": 4611686018427389984,
    "time_created": "2021-10-27T10:14:21.369976Z",
    "event_record_id": 152,
    "correlation": {
      "#attributes": {
        "ActivityID": "C43202E9-CB0F-0000-D030-32C40FCBD701"
      }
    },
    "execution": {
      "process_id": 2552,
      "thread_id": 4028
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "PrinterDeleted": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "Kiwi Legit Printer"
    }
  }
}
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 302 — Printer param1 will be deleted.
Description
Printer param1 will be deleted. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 302,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 10,
    "keywords": 4611686018427389984,
    "time_created": "2021-10-27T10:14:21.369976Z",
    "event_record_id": 150,
    "correlation": {
      "#attributes": {
        "ActivityID": "C43202E9-CB0F-0000-D030-32C40FCBD701"
      }
    },
    "execution": {
      "process_id": 2552,
      "thread_id": 4028
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "PrinterDeletionPending": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "Kiwi Legit Printer"
    }
  }
}
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 303 — Printer param1 was paused.
Event ID 304 — Printer param1 was resumed.
Description
Printer param1 was resumed. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 304,
    "version": 0,
    "level": 4,
    "task": 24,
    "opcode": 11,
    "keywords": 4611686018427389984,
    "time_created": "2021-10-27T10:28:26.229212Z",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 1048,
      "thread_id": 3836
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "FS03.offsec.lan",
    "security": {
      "user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
    }
  },
  "user_data": {
    "PrinterUnPaused": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "{BABBC1A0-F75A-44B0-92BC-57E20CEDA1D8}"
    }
  }
}
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 305 — The jobs in the print queue for printer param1 were deleted.
Event ID 306 — Settings for printer param1 were changed.
Description
Settings for printer param1 were changed. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 306,
    "version": 0,
    "level": 4,
    "task": 17,
    "opcode": 11,
    "keywords": 4611686018427389984,
    "time_created": "2021-10-27T10:28:26.229212Z",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 1048,
      "thread_id": 3836
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "FS03.offsec.lan",
    "security": {
      "user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
    }
  },
  "user_data": {
    "PrinterSet": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "{BABBC1A0-F75A-44B0-92BC-57E20CEDA1D8}"
    }
  }
}
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 307 — Document param1, param2 owned by param3 on param4 was printed on param5 through port param6.
Description
Document param1, param2 owned by param3 on param4 was printed on param5 through port param6. Size in bytes: SizeInBytes. Pages printed: PagesPrinted. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
| param5 | UnicodeString | — |
| param6 | UnicodeString | — |
| param7 | UnicodeString | — |
| param8 | UnicodeString | — |
References
Event ID 308 — Document param1, param2 owned by param3 was paused on param4.
Event ID 309 — Document param1, param2 owned by param3 was resumed on param4.
Event ID 310 — Document DocumentDeleted.Param1, DocumentDeleted.Param2 owned by DocumentDeleted.Param3 was deleted on DocumentDeleted.Param4.
Description
Document DocumentDeleted.Param1, DocumentDeleted.Param2 owned by DocumentDeleted.Param3 was deleted on DocumentDeleted.Param4. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DocumentDeleted.Param1 | | — |
| DocumentDeleted.Param2 | | — |
| DocumentDeleted.Param3 | | — |
| DocumentDeleted.Param4 | | — |
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 310,
    "version": 0,
    "level": 4,
    "task": 27,
    "opcode": 11,
    "keywords": 4611686018427390016,
    "time_created": "2026-03-13T20:25:33.325281+00:00",
    "event_record_id": 10,
    "correlation": {},
    "execution": {
      "process_id": 3692,
      "thread_id": 11700
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "DocumentDeleted": {
      "Param1": "2",
      "Param2": "Print Document",
      "Param3": "domainadmin",
      "Param4": "TestPrinter_EventGen"
    }
  },
  "message": ""
}
```
Event ID 311 — An administrator moved document param1, param2 owned by param3 to position param4 on param5.
Description
An administrator moved document param1, param2 owned by param3 to position param4 on param5. This changes when the document will print. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
| param5 | UnicodeString | — |
Event ID 312 — Form param1 was added.
Event ID 313 — Form param1 was removed.
Event ID 314 — Document param1, param2 owned by param3 timed out while printing on param4.
Event ID 315 — The print spooler failed to share printer param2 with shared resource name param3.
Event ID 316 — Printer driver param1 for param2 param3 was added or updated.
Description
Printer driver param1 for param2 param3 was added or updated. Files:- param4. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 316,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 11,
    "keywords": 4611686018427390208,
    "time_created": "2021-10-27T10:14:27.309949Z",
    "event_record_id": 153,
    "correlation": {},
    "execution": {
      "process_id": 2552,
      "thread_id": 4028
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "DriverAdded": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "Generic / Text Only",
      "Param2": "Windows x64",
      "Param3": "Version-3",
      "Param4": "UNIDRV.DLL, UNIDRVUI.DLL, TTY.GPD, UNIDRV.HLP, TTYRES.DLL, TTY.INI, TTY.DLL, TTYUI.DLL, TTYUI.HLP, UNIRES.DLL, STDNAMES.GPD, STDDTYPE.GDL, STDSCHEM.GDL, STDSCHMX.GDL"
    }
  }
}
```
Detection Rules
Splunk
- Print Spooler Adding A Printer Driver: The following analytic detects the addition of new printer drivers by monitoring Windows PrintService operational logs, specifically EventCode 316. This detection leverages log data to identify messages indicating the addition or update of printer drivers, such as "kernelbase.dll" and "UNIDRV.DLL." This activity is significant as it may indicate exploitation attempts related to vulnerabilities like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain code execution or escalate privileges, potentially compromising the affected system. Immediate isolation and investigation of the endpoint are recommended.
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 317 — Printer driver param1 was deleted.
Description
Printer driver param1 was deleted. No user action is required.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 317,
    "version": 0,
    "level": 4,
    "task": 9,
    "opcode": 11,
    "keywords": 4611686018427390208,
    "time_created": "2021-10-27T10:28:26.494838Z",
    "event_record_id": 10,
    "correlation": {},
    "execution": {
      "process_id": 1048,
      "thread_id": 3768
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "FS03.offsec.lan",
    "security": {
      "user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
    }
  },
  "user_data": {
    "DriverDeleted": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "Generic / Text Only"
    }
  }
}
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 318 — Failed to upgrade printer settings for printer param1 driver param2.
Event ID 319 — Printer param1 failed to initialize because a suitable param2 driver could not be found.
Event ID 320 — Printer param1 failed to initialize because none of its ports (param2) could be found.
Event ID 321 — File(s) param1 associated with printer param2 were added or updated.
Event ID 322 — While attempting to publish the printer to the Active Directory directory service, Windows failed to publish property param1 at param2.
Event ID 323 — While attempting to publish the printer to the Active Directory directory service, the print spooler could not create or update the print queue bec...
Event ID 325 — While attempting to remove the printer from the Active Directory directory service, Windows failed to delete print queue param1 at param2.
Event ID 326 — While attempting to publish the printer to the Active Directory directory service, the print spooler could not create or update the print queue und...
Event ID 327 — While attempting to publish the printer to the Active Directory directory service, the print spooler could not create print queue param1 under containe...
Event ID 328 — While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue con...
Event ID 329 — While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue con...
Event ID 331 — While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue con...
Event ID 332 — The printer was successfully published to the Active Directory directory service.
Event ID 333 — While attempting to publish the printer to the Active Directory directory service, the print spooler failed to create or update print queue param1 in c...
Event ID 334 — The printer was successfully removed from the Active Directory directory service.
Event ID 335 — While attempting to remove the printer from the Active Directory directory service, the print spooler failed to delete print queue param1 from containe...
Event ID 336 — Print queue param1 was successfully updated in the Active Directory directory service container param2.
Event ID 337 — The print queue could not be found on domain param1.
Event ID 338 — Printer param1 was successfully removed from the Active Directory directory service.
Event ID 342 — The print spooler removed print queue param1 from the Active Directory directory service because it does not have a Universal Naming Convention (UNC) n...
Event ID 343 — The print spooler was unable to connect to print queue param1 based on the information published in the Active Directory.
Event ID 344 — The print spooler removed print queue param1 from the Active Directory directory service.
Event ID 345 — The print spooler removed print queue param1 from the Active Directory directory service because it is a duplicate of another print queue.
Event ID 346 — The print spooler removed print queue param1 from the Active Directory directory service.
Event ID 347 — Print queue param1 could not be deleted (pruned) from the Active Directory directory service.
Event ID 348 — This version of param1 is incompatible with this version of Windows.
Event ID 349 — The print spooler failed to create a symbolic link between HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers and HKEY_LOCAL_M...
Event ID 350 — Document param1 failed to print and was deleted because of corruption in the spooled file.
Event ID 351 — The attempt for param1 to use a Windows NT 4.
Event ID 352 — The priority of document param1, param2 owned by param3 was changed to param4 on param5.
Event ID 353 — The document failed to print because the user did not have the necessary privileges.
Description
The document failed to print because the user did not have the necessary privileges.
Message
Event ID 354 — param1 initialization failed at param2.
Description
param1 initialization failed at param2. Error: Error. This can occur because of system instability or a lack of system resources.
Message
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| Error | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 354,
    "version": 0,
    "level": 2,
    "task": 36,
    "opcode": 12,
    "keywords": 9223372036854777856,
    "time_created": "2021-10-27T10:28:26.260460Z",
    "event_record_id": 10,
    "correlation": {},
    "execution": {
      "process_id": 1048,
      "thread_id": 3836
    },
    "channel": "Microsoft-Windows-PrintService/Admin",
    "computer": "FS03.offsec.lan",
    "security": {
      "user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
    }
  },
  "user_data": {
    "InitFailed": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "\\\\fs03vuln\\Kiwi Legit Printer",
      "Param2": "\\\\fs03vuln\\print$\\W32X86\\3\\mimispool.dll",
      "Param3": "2. The system cannot find the file specified.\r\n"
    }
  }
}
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 356 — Failed to install or update driver param1 on cluster spooler resource param2.
Event ID 359 — The attempt to install printer param1 into an offline operating system image failed with Win32 error code param2.
Event ID 360 — Updating the color profile failed for printer param1 with Win32 error code param2.
Event ID 361 — Printer param1 failed to initialize its ports.
Event ID 362 — The print spooler could not initialize because resolving the local machine name to IP addresses failed with error code param1.
Event ID 363 — The print spooler param1 failed to start.
Event ID 364 — Windows could not load print processor param1 because EnumDatatypes did not return any data.
Event ID 365 — Windows could not load print processor param1 because EnumDatatypes failed.
Event ID 366 — The print server security descriptor for param1 is invalid.
Event ID 367 — Windows could not initialize printer param1 because the print processor param2 could not be found.
Event ID 368 — The print spooler failed to verify printer driver package param1 for environment param2.
Event ID 369 — The print spooler failed to verify printer driver package for environment param1.
Event ID 370 — The print spooler failed to regenerate the printer driver information for driver param1 for environment param2.
Event ID 371 — The print spooler failed to unshare printer param2 which is shared as param3.
Event ID 372 — The document PrintOnProcFailedEd.Param1, owned by PrintOnProcFailedEd.Param2, failed to print on printer PrintOnProcFailedEd.Param3.
Description
The document PrintOnProcFailedEd.Param1, owned by PrintOnProcFailedEd.Param2, failed to print on printer PrintOnProcFailedEd.Param3. Try to print the document again, or restart the print spooler.
Message #
Fields #
| Name | Description |
|---|---|
| PrintOnProcFailedEd.Param1 | — |
| PrintOnProcFailedEd.Param2 | — |
| PrintOnProcFailedEd.Param3 | — |
| PrintOnProcFailedEd.Param4 | — |
| PrintOnProcFailedEd.Param5 | — |
| PrintOnProcFailedEd.Param6 | — |
| PrintOnProcFailedEd.Param7 | — |
| PrintOnProcFailedEd.Param8 | — |
| PrintOnProcFailedEd.Param9 | — |
| PrintOnProcFailedEd.Param10 | — |
| PrintOnProcFailedEd.Param11 | — |
| param1 UnicodeString | — |
| param2 UnicodeString | — |
| param3 UnicodeString | — |
| param4 UnicodeString | — |
| param5 UnicodeString | — |
| param6 UnicodeString | — |
| param7 UnicodeString | — |
| param8 UnicodeString | — |
| param9 UnicodeString | — |
| param10 UnicodeString | — |
| param11 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 372,
"version": 0,
"level": 2,
"task": 26,
"opcode": 12,
"keywords": 9223372036854777920,
"time_created": "2026-03-13T18:26:33.122143+00:00",
"event_record_id": 24,
"correlation": {},
"execution": {
"process_id": 3664,
"thread_id": 14104
},
"channel": "Microsoft-Windows-PrintService/Admin",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PrintOnProcFailedEd": {
"Param1": "Print Document",
"Param2": "domainadmin",
"Param3": "HP LaserJet Pro M148f-M149f 2 (redirected 1)",
"Param4": "RAW",
"Param5": "0",
"Param6": "0",
"Param7": "0",
"Param8": "0",
"Param9": "\\\\LAB-DC01",
"Param10": "2152796161",
"Param11": null
}
},
"message": ""
}
Event ID 373 — The spooler has detected that a component has an unusually large number of open Graphical Device Interface (GDI) objects.
Message #
Event ID 502 — The print spooler failed to get the computer name.
Event ID 503 — The system failed to initialize the local print provider: Error Error.
Event ID 504 — Failed to initialize the router work crew: Error Error.
Event ID 505 — Failed to create Phase2Init event in WaitForSpoolerInitialization: Error Error.
Event ID 507 — The system failed to initialize the name cache: Error Error.
Event ID 508 — Failed to initialize the router cache: Error Error.
Event ID 509 — The print spooler cannot start because the PrinterBusEnumerator could not start.
Event ID 510 — InitializeProvider cannot allocate memory for Name.
Event ID 511 — The print spooler failed to load print provider Name.
Event ID 512 — InitializePrintProvider failed for provider Name.
Event ID 513 — Group Policy was unable to add per computer connection Name.
Event ID 514 — Group Policy was unable to delete per computer connection Name.
Event ID 515 — Group Policy was unable to delete per computer printer connection Name.
Event ID 516 — Group Policy was unable to deploy per computer printer connection Name.
Event ID 517 — Group Policy was unable to update per computer printer connection Name.
Event ID 518 — Group Policy was unable to delete the per user printer connection Name.
Event ID 519 — Group Policy was unable to deploy per user printer connection Name.
Event ID 520 — Group Policy was unable to update per user printer connection Name.
Event ID 600 — The print spooler failed to import the printer driver that was downloaded from DriverSource into the driver store for driver Driver.
Event ID 601 — The print spooler failed to download and import the printer driver from DriverSource into the driver store for driver Driver.
Event ID 602 — The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key RegistryKey1\RegistryKey2.
Event ID 603 — The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key RegistryKey.
Event ID 604 — The print spooler encountered an unknown driver type while saving Name cache information.
Event ID 701 — The print filter pipeline host cannot initialize with the Component Object Model (COM) system.
Event ID 702 — The print filter pipeline host is shutting down due to the following error: Error HResult.
Event ID 703 — The print filter pipeline host is shutting down due to an error in signaling the Component Object Model (COM) proxy in the spooler.
Event ID 704 — The print filter pipeline host is shutting down because the query interface for ISignal in the Component Object Model (COM) proxy in the spooler fa...
Event ID 800 — Spooling job JobDiag.JobId.
Description
Spooling job JobDiag.JobId.
Message #
Fields #
| Name | Description |
|---|---|
| JobDiag.JobId UInt32 | — |
| JobId UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 800,
"version": 0,
"level": 4,
"task": 43,
"opcode": 1,
"keywords": 4612811918334230528,
"time_created": "2026-03-13T20:25:11.317144+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 10520
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"JobDiag": {
"JobId": 2
}
},
"message": ""
}
Event ID 801 — Printing job JobDiag.JobId.
Description
Printing job JobDiag.JobId.
Message #
Fields #
| Name | Description |
|---|---|
| JobDiag.JobId UInt32 | — |
| JobId UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 801,
"version": 0,
"level": 4,
"task": 43,
"opcode": 0,
"keywords": 4612811918334230528,
"time_created": "2026-03-13T20:25:11.789801+00:00",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"JobDiag": {
"JobId": 2
}
},
"message": ""
}
Event ID 802 — Deleting job DeleteJobDiag.JobId.
Description
Deleting job DeleteJobDiag.JobId.
Message #
Fields #
| Name | Description |
|---|---|
| DeleteJobDiag.JobId UInt32 | — |
| DeleteJobDiag.JobSize UInt32 | — |
| DeleteJobDiag.DataType UInt32 | — |
| DeleteJobDiag.Pages UInt32 | — |
| DeleteJobDiag.PagesPerSide UInt32 | — |
| DeleteJobDiag.FilesOpened Int16 | — |
| DeleteJobDiag.JobSizeHigh UInt32 | — |
| JobId UInt32 | — |
| JobSize UInt32 | — |
| DataType UInt32 | — |
| Pages UInt32 | — |
| PagesPerSide UInt32 | — |
| FilesOpened Int16 | — |
| JobSizeHigh UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 802,
"version": 0,
"level": 4,
"task": 43,
"opcode": 2,
"keywords": 4612811918334230528,
"time_created": "2026-03-13T20:25:33.325147+00:00",
"event_record_id": 9,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"DeleteJobDiag": {
"JobId": 2,
"JobSize": 53408,
"DataType": 1,
"Pages": 1,
"PagesPerSide": 0,
"FilesOpened": 3,
"JobSizeHigh": 0
}
},
"message": ""
}
Event ID 805 — Rendering job RenderJobDiag.JobId.
Description
Rendering job RenderJobDiag.JobId.
Message #
Fields #
| Name | Description |
|---|---|
| RenderJobDiag.JobId UInt32 | — |
| RenderJobDiag.GdiJobSize UInt32 | — |
| RenderJobDiag.ICMMethod UInt32 | — |
| RenderJobDiag.Color Int16 | — |
| RenderJobDiag.XRes Int16 | — |
| RenderJobDiag.YRes Int16 | — |
| RenderJobDiag.Quality Int16 | — |
| RenderJobDiag.Copies Int16 | — |
| RenderJobDiag.TTOption Int16 | — |
| JobId UInt32 | — |
| GdiJobSize UInt32 | — |
| ICMMethod UInt32 | — |
| Color Int16 | — |
| XRes Int16 | — |
| YRes Int16 | — |
| Quality Int16 | — |
| Copies Int16 | — |
| TTOption Int16 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 805,
"version": 0,
"level": 4,
"task": 43,
"opcode": 0,
"keywords": 4612811918334230528,
"time_created": "2026-03-13T20:25:33.323370+00:00",
"event_record_id": 8,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"RenderJobDiag": {
"JobId": 2,
"GdiJobSize": 53408,
"ICMMethod": 0,
"Color": 2,
"XRes": 600,
"YRes": 600,
"Quality": 600,
"Copies": 1,
"TTOption": 0
}
},
"message": ""
}
Event ID 806 — Pausing job JobId.
Event ID 807 — Resuming job JobId.
Event ID 808 — The print spooler failed to load a plug-in module PluginDllName, error code ErrorCode.
Description
The print spooler failed to load a plug-in module PluginDllName, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
| PluginDllName UnicodeString | — |
| ErrorCode HexInt32 | — |
| Context Int16 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 808,
"version": 0,
"level": 2,
"task": 36,
"opcode": 12,
"keywords": 9223372036854906880,
"time_created": "2021-10-27T10:28:26.322960Z",
"event_record_id": 12,
"correlation": {
"#attributes": {
"ActivityID": "8811EC75-6F9C-4103-BB8A-EEED31FA139D"
}
},
"execution": {
"process_id": 1656,
"thread_id": 1572
},
"channel": "Microsoft-Windows-PrintService/Admin",
"computer": "FS03.offsec.lan",
"security": {
"user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
}
},
"user_data": {
"LoadPluginFailed": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"PluginDllName": "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3mimispool.dll",
"ErrorCode": "0x7e",
"Context": 110
}
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/printing/event-ids-associated-point-print-restrictions
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 809 — The print spooler failed to recursively delete the directory DirectoryName, error code WaitForReboot.
Event ID 810 — The print spooler failed to delete the directory DirectoryName and the contained files, error code WaitForReboot.
Event ID 811 — The print spooler failed to move the file Source to Destination, error code ErrorCode.
Event ID 812 — The print spooler failed to delete the file Source, error code ErrorCode.
Event ID 813 — The print spooler failed to copy the file Source to Destination, error code ErrorCode.
Event ID 814 — The print spooler failed to install the print processor Processor Environment Path, error code ErrorCode.
Event ID 815 — The print spooler service failed to register the RPC server protocol sequence ProtocolSequence, error code ErrorCode.
Event ID 816 — The print spooler service detected an invalid RPC protocol sequence ValidatedProtocolSequence, expecting ExpectedProtocolSequence, error code ErrorCode.
Event ID 817 — The RPC end-point policy for the print spooler service is disabled.
Description
The RPC end-point policy for the print spooler service is disabled. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
| WindowsStarterEdition HexInt32 | — |
| SuiteStorageServer HexInt32 | — |
| SystemPrintingDisabled HexInt32 | — |
| SuiteBlade HexInt32 | — |
| SuiteEmbeddedRestricted HexInt32 | — |
| SuiteComputerServer HexInt32 | — |
Event ID 818 — The print spooler RPC server failed to start, error code ErrorCode.
Event ID 819 — Client Side Rendering is currently disabled by policy (Policy).
Event ID 820 — Client side rendering to PrintProcessor failed, error code ErrorCode.
Description
Client side rendering to PrintProcessor failed, error code ErrorCode. The print spooler service will retry server side rendering. See the event user data for more context information.
Message #
Fields #
| Name | Description |
|---|---|
| PrintProcessor UnicodeString | — |
| Connection UnicodeString | — |
| IsXpsPrinter HexInt32 | — |
| ErrorCode HexInt32 | — |
Event ID 821 — The print spooler Client Side Rendering is attempting to render the job JobId on the server (Server Side Rendering), status Status.
Description
The print spooler Client Side Rendering is attempting to render the job JobId on the server (Server Side Rendering), status Status. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
| JobId UInt32 | — |
| Level HexInt32 | — |
| Status HexInt32 | — NTSTATUS reference |
Event ID 822 — Unknown print processor (LocalPrintProcessor) or invalid data type (LocalDataType), error ErrorCode, Client Side Rendering is disabled.
Description
Unknown print processor (LocalPrintProcessor) or invalid data type (LocalDataType), error ErrorCode, Client Side Rendering is disabled. See the event user data for more context information.
Message #
Fields #
| Name | Description |
|---|---|
| LocalPrintProcessor UnicodeString | — |
| RemotePrintProcessor UnicodeString | — |
| DefaultPrintProcessor UnicodeString | — |
| LocalDataType UnicodeString | — |
| RemoteDataType UnicodeString | — |
| DefaultDataType UnicodeString | — |
| ErrorCode HexInt32 | — |
Event ID 823 — The default printer was changed to NewDefaultPrinter.
Description
The default printer was changed to NewDefaultPrinter. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
| DefaultPrinterSelectedBySpooler UInt32 | — |
| OldDefaultPrinter UnicodeString | — |
| NewDefaultPrinter UnicodeString | — |
| Status HexInt32 | — NTSTATUS reference |
| Module UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 823,
"version": 0,
"level": 4,
"task": 49,
"opcode": 11,
"keywords": 9223372036854906880,
"time_created": "2021-10-27T10:09:16.280929Z",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 2552,
"thread_id": 4012
},
"channel": "Microsoft-Windows-PrintService/Admin",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
}
},
"user_data": {
"ChangingDefaultPrinter": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"DefaultPrinterSelectedBySpooler": 1,
"OldDefaultPrinter": "-",
"NewDefaultPrinter": "Kiwi Legit Printer",
"Status": "0x0",
"Module": "spoolsv.exe"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 824 — A fatal error occurred while printing job DocumentName, id JobId on the print queue PrintQueue.
Description
A fatal error occurred while printing job DocumentName, id JobId on the print queue PrintQueue. The print filter pipeline process was terminated. Error information: ErrorInfo.
Message #
Fields #
| Name | Description |
|---|---|
| DocumentName UnicodeString | — |
| JobId UInt32 | — |
| PrintQueue UnicodeString | — |
| ErrorInfo UnicodeString | — |
Event ID 825 — Client side rendering to PrintProcessor failed, error code ErrorCode.
Description
Client side rendering to PrintProcessor failed, error code ErrorCode. The print spooler service will not retry server side rendering. See the event user data for more context information.
Message #
Fields #
| Name | Description |
|---|---|
| PrintProcessor UnicodeString | — |
| Connection UnicodeString | — |
| IsXpsPrinter HexInt32 | — |
| ErrorCode HexInt32 | — |
Event ID 826 — Force Client Side Rendering policy was successfully set on printer PrinterName, path PrinterPath, port PortName.
Event ID 827 — The specified print queue QueueName is invalid.
Event ID 828 — The print job JobId failed with error code ErrorCode.
Event ID 829 — XPS API call Name (Context) started.
Event ID 830 — XPS API call Name (Context) ended, status StatusCode.
Event ID 831 — XPS API dependency Name (Context) started.
Event ID 832 — XPS API dependency Name (Context) ended, status StatusCode.
Event ID 833 — Print spooler operation Name (Context) started.
Event ID 834 — Print spooler operation Name (Context) ended, status StatusCode.
Event ID 842 — The print job PrintDriverSandboxJobPrintProc.JobId was sent through the print processor PrintDriverSandboxJobPrintProc.Processor on printer PrintDriverSandboxJobPrintProc.Printer, driver PrintDrive...
Message #
Fields #
| Name | Description |
|---|---|
| PrintDriverSandboxJobPrintProc.JobId UInt32 | — |
| PrintDriverSandboxJobPrintProc.Processor UnicodeString | — |
| PrintDriverSandboxJobPrintProc.Printer UnicodeString | — |
| PrintDriverSandboxJobPrintProc.Driver UnicodeString | — |
| PrintDriverSandboxJobPrintProc.IsolationMode UInt32 | — |
| PrintDriverSandboxJobPrintProc.ErrorCode | — |
| JobId UInt32 | — |
| Processor UnicodeString | — |
| Printer UnicodeString | — |
| Driver UnicodeString | — |
| IsolationMode UInt32 | — |
| Error HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 842,
"version": 0,
"level": 4,
"task": 50,
"opcode": 11,
"keywords": 4611686018427650048,
"time_created": "2026-03-13T20:25:33.321078+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PrintDriverSandboxJobPrintProc": {
"JobId": 2,
"Processor": "MS_XPS_PROC",
"Printer": "TestPrinter_EventGen",
"Driver": "Microsoft Print To PDF",
"IsolationMode": 0,
"ErrorCode": "0x0"
}
},
"message": ""
}
Event ID 843 — The print spooler service recorded SucceededRpcCalls successful and FailedRpcCalls failed RPC requests for all active print driver sandbox hosts.
Event ID 844 — The print spooler selected the isolation mode IsolationMode (0 - loaded in the spooler, 1 - loaded in shared sandbox, 2 - loaded in isolated sandbox) for prin...
Description
The print spooler selected the isolation mode IsolationMode (0 - loaded in the spooler, 1 - loaded in shared sandbox, 2 - loaded in isolated sandbox) for printer Printer, printer driver Driver.
Message #
Fields #
| Name | Description |
|---|---|
| IsolationMode UInt32 | — |
| Printer UnicodeString | — |
| Driver UnicodeString | — |
Event ID 845 — Attempted to load module Module for printer Printer, printer driver Driver.
Event ID 846 — Cached printer PrinterName has been scavenged and deleted.
Event ID 847 — Cached printer PrinterName has been scheduled for deletion due to a logon scavenging operation.
Event ID 848 — Printer PrinterName was shared by the print spooler as ShareName.
Description
Printer PrinterName was shared by the print spooler as ShareName.
Message #
Fields #
| Name | Description |
|---|---|
| PrinterName UnicodeString | — |
| ShareName UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 848,
"version": 0,
"level": 4,
"task": 30,
"opcode": 11,
"keywords": 4611686018427387936,
"time_created": "2021-10-27T10:14:27.466200Z",
"event_record_id": 154,
"correlation": {},
"execution": {
"process_id": 2552,
"thread_id": 4028
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"PrinterSharing": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"PrinterName": "Kiwi Legit Printer",
"ShareName": "Kiwi Legit Printer"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 849 — Printer PrinterName shared as ShareName was unshared by the print spooler.
Description
Printer PrinterName shared as ShareName was unshared by the print spooler.
Message #
Fields #
| Name | Description |
|---|---|
| PrinterName UnicodeString | — |
| ShareName UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 849,
"version": 0,
"level": 4,
"task": 31,
"opcode": 11,
"keywords": 4611686018427387936,
"time_created": "2021-10-27T10:14:21.369976Z",
"event_record_id": 151,
"correlation": {
"#attributes": {
"ActivityID": "C43202E9-CB0F-0000-D030-32C40FCBD701"
}
},
"execution": {
"process_id": 2552,
"thread_id": 4028
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"PrinterSharing": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"PrinterName": "Kiwi Legit Printer",
"ShareName": "Kiwi Legit Printer"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 850 — The print spooler called the function Function in print driver module Driver.
Event ID 851 — Point and Print not allowed by policy for queue PrintQueue.
Event ID 852 — Driver OriginalDriver could not be installed for printer connection PrinterName.
Description
Driver OriginalDriver could not be installed for printer connection PrinterName. The print system selected the replacement driver NewDriver for the printer connection. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
| OriginalDriver UnicodeString | — |
| NewDriver UnicodeString | — |
| PrinterName UnicodeString | — |
Event ID 853 — Print Client Side Rendering synchronization for print job cache completed with code Error for printer PrinterName.
Event ID 854 — Print Client Side Rendering synchronization for printer information cache completed with code Error for printer PrinterName.
Event ID 855 — OpenPrinter cache entry added for printer PrinterName with access code AccessCode.
Event ID 856 — Connection 'ConnectionName' has been reconfigured for normal operation because branch office printing has been disabled.
Event ID 857 — Connection 'ConnectionName' has been reconfigured for normal operation because the queue is incompatible with branch office printing.
Event ID 858 — Connection 'ConnectionName' has been reconfigured for normal operation because the queue has been configured for Server Side Rendering.
Event ID 859 — Connection 'ConnectionName' has been reconfigured for normal operation because the client is incompatible with branch office printing.
Event ID 860 — Connection 'ConnectionName' has been reconfigured for normal operation because the server is incompatible with branch office printing.
Event ID 861 — Connection 'ConnectionName' has been reconfigured for normal operation because the remote port is incompatible with branch office printing.
Event ID 862 — Connection 'ConnectionName' has been reconfigured for normal operation because the 'Keep Printed Jobs' setting is enabled on the queue.
Event ID 863 — Connection 'ConnectionName' has been reconfigured for normal operation due to an internal error, Error.
Event ID 864 — The Windows Fax and Scan servicing operation failed, HRESULT HResult.
Event ID 865 — There were Failures print job failures out of Jobs jobs sent to printer 'PrinterName' using driver 'DriverName'.
Event ID 866 — The print spooler failed to create a Plug and Play printer device object for the printer 'PrinterName'.
Event ID 867 — The WS-Print Port Monitor failed to initialize correctly.
Event ID 868 — The Offline EventLog on machine 'MachineName' exceeded the allow maximum size.
Event ID 869 — In VALIDATINGDRVINFO, Adding printer driver ObjectName failed, error code ErrorCode.
Event ID 870 — The print spooler failed to download package for driver Driver.
Event ID 871 — The current print job was rejected due to Device Control Print Restrictions.
Description
The current print job was rejected due to Device Control Print Restrictions. Rejection Reason: RestrictionReason, Printer: PrinterName, Job or Document Name: JobOrDocumentName, User Name: UserName, Port Name: PortName.
Message #
Fields #
| Name | Description |
|---|---|
| RestrictionReason UnicodeString | — |
| PrinterName UnicodeString | — |
| JobOrDocumentName UnicodeString | — |
| UserName UnicodeString | — |
| PortName UnicodeString | — |