It’s been a while, and boy was it a Spring/Summer to remember regarding Microsoft vulnerabilities. Print Nightmare (CVE-2021-34527) scared me enough to want to ensure I went “blue team” enough to prevent any infection. So, I crafted a somewhat crude, but effective, script to detect and remediate on the machines I had influence over. You can find the script in my Github repo.

A couple of things to point out

You’ll notice right at the top that my intention was to disable the print spooler service altogether where I could get away with it:

#For more info:

#For machines where printing is not needed and we can just disable printing altogether!!!
Get-Service -Name Spooler
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Of course, on user machines that’s a little more difficult and hence the trouble to detect and remediate those machines. The most fool-proof way to detect if the appropriate patch has been installed is to search for it:

$Session = New-Object -ComObject "Microsoft.Update.Session"
$Searcher = $Session.CreateUpdateSearcher()
$historyCount = $Searcher.GetTotalHistoryCount()
$hotfix = $Searcher.QueryHistory(0, $historyCount) | Where-Object {$_.Title -like "*KB5004945*"}
if ($null -ne $hotfix)
    $patchApplied = $True
    Write-Host "Patch KB5004945 has not been applied and you are at risk.  Please install Windows Updates and run this script again."    

You might be tempted to use the Get-Hotfix Powershell command to detect for the presence of the installed update. Sometimes that works, but not always according to this post.

The rest of the script is pretty much taken from the recommendations in the Microsoft Security Update Guide for this vulnerability. Please have a look and feel free to drop a comment regarding any similar solutions you might have come up with. And feel free to download, mod, and even open a PR if you like.

Thanks for reading!