Event ID 301 — Printer param1 was deleted, and users will no longer be able to print to this printer.

Provider: Microsoft-Windows-PrintService
Channel: Operational
Level: Informational
Task: Deletingaprinter
Opcode: SpoolerOperationSucceeded

Description

Printer param1 was deleted, and users will no longer be able to print to this printer. No user action is required.

Message #

Printer %1 was deleted, and users will no longer be able to print to this printer. No user action is required.

Fields #

Name	Description
`param1` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 301,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 11,
    "keywords": 4611686018427389984,
    "time_created": "2021-10-27T10:14:21.369976Z",
    "event_record_id": 152,
    "correlation": {
      "#attributes": {
        "ActivityID": "C43202E9-CB0F-0000-D030-32C40FCBD701"
      }
    },
    "execution": {
      "process_id": 2552,
      "thread_id": 4028
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "PrinterDeleted": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "Kiwi Legit Printer"
    }
  }
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx