Identify the Crash Cause
The Print Spooler runs as spoolsv.exe. When it crashes, the event logs capture exactly what killed it.
# Check System event log for spooler crashes
Get-WinEvent -LogName System |
Where-Object {$_.Message -like "*spoolsv*" -or $_.Message -like "*spooler*"} |
Select TimeCreated, Id, Message | Format-List
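# Check Application event log for faults
# (Event 1000 is logged by the "Application Error" provider, so match it explicitly)
Get-WinEvent -LogName Application |
Where-Object {$_.ProviderName -like "*print*" -or ($_.Id -eq 1000 -and $_.Message -like "*spoolsv*")} |
Select TimeCreated, Id, Message | Format-List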
Key events to look for:
- Event 7031 — Service terminated unexpectedly (System log)
- Event 1000 — Application fault in spoolsv.exe — check the Faulting module field, it often names the driver DLL
- Event 372 — Print driver failed and was isolated (Print service log)
Find the Corrupt Driver
The faulting module in Event 1000 usually names the driver. But if you have many printers, enumerate them all:
# List all installed printer drivers
Get-PrinterDriver | Select Name, PrinterEnvironment, InfPath | Format-Table
# Check for very old drivers (pre-2015 are common culprits)
Get-PrinterDriver | Select Name, DriverVersion | Sort DriverVersion
Cross-reference the driver name from the event log against this list. The faulting module (e.g., hpzuiss7.dll) belongs to a specific manufacturer's driver package.
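The cross-reference described above can be scripted. This is an added example, not code from the original article; it assumes English event text and that the faulting DLL appears in the file list (DriverPath, ConfigFile, DataFile, HelpFile, DependentFiles) of the objects Get-PrinterDriver returns.

```powershell
# Added example: tie spoolsv.exe crash events to installed printer drivers.
# Needs the Spooler service running, because Get-PrinterDriver queries it.

# Event 1000 (Application Error) records whose text mentions spoolsv.exe
$crashes = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'spoolsv\.exe' }

# Extract the faulting module file name from each message.
# Assumption: English event text ("Faulting module name: x.dll, version: ...").
$faults = foreach ($e in $crashes) {
    if ($e.Message -match 'Faulting module name:\s*([^,\r\n]+)') {
        [pscustomobject]@{ Time = $e.TimeCreated; Module = $Matches[1].Trim() }
    }
}

$drivers  = @(Get-PrinterDriver)
$printers = @(Get-Printer)

# One row per faulting module, most frequent first
$faults | Group-Object Module | Sort-Object Count -Descending | ForEach-Object {
    $module = $_.Name
    # Drivers whose file list contains the faulting module (match is case-insensitive)
    $owners = @($drivers | Where-Object {
        $files = @($_.DriverPath, $_.ConfigFile, $_.DataFile, $_.HelpFile) + @($_.DependentFiles)
        ($files | Where-Object { $_ } | ForEach-Object { Split-Path $_ -Leaf }) -contains $module
    })
    [pscustomobject]@{
        Module    = $module
        Crashes   = $_.Count
        LastCrash = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        # Empty when the module is an OS file (e.g. ntdll.dll) rather than a driver file
        Drivers   = ($owners.Name | Sort-Object -Unique) -join '; '
        # Printers that must be removed or re-pointed before the driver can go
        Printers  = ($printers | Where-Object { $_.DriverName -in $owners.Name }).Name -join '; '
    }
} | Format-List
```

An empty Drivers field means the crash surfaced in a module that no installed driver package lists, so the module name alone does not identify the driver.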
Remove the Bad Driver
# Restart the spooler to release loaded driver files
# (Remove-Printer and Remove-PrinterDriver need the service running)
Restart-Service Spooler -Force
# Remove the printer using the driver first
Remove-Printer -Name "HP LaserJet P2055d"
# Remove the driver itself
Remove-PrinterDriver -Name "HP LaserJet P2055d Class Driver"
If PowerShell removal fails with "driver in use":
- Open Print Management (printmanagement.msc)
- Navigate to Print Servers → [server] → Drivers
- Right-click the driver → Remove Driver Package
Clear the Spool Queue
Sometimes a stuck print job causes the crash, not a corrupt driver. Try clearing the queue first:
# Stop spooler
Stop-Service Spooler -Force
# Delete all queued print jobs
Remove-Item "C:\Windows\System32\spool\PRINTERS\*" -Force -Recurse
# Restart spooler
Start-Service Spooler
PrintNightmare Patches
Since 2021, the Print Spooler has been a repeated attack vector. Verify your patch level:
# Check patch level
Get-HotFix | Where-Object {$_.HotFixID -in @("KB5004945","KB5005033","KB5005030")} |
Select HotFixID, InstalledOn
On print servers that don't need remote management, restrict driver installation to admins only via GPO: Computer Configuration → Policies → Administrative Templates → Printers → Limits print driver installation to Administrators.
Prevention
- Use Type 4 drivers wherever possible — they run in user mode and cannot crash the spooler
- Audit installed printer drivers quarterly and remove unused ones
- Keep Windows Server updated — most PrintNightmare variants were fixed in cumulative updates
- For enterprise environments, evaluate Universal Print (Microsoft's cloud print solution) to eliminate the on-prem print server entirely