SPOOLSV.exe modfying client printer driver registry; printer driver becomes non-functional on client

-

hi,

i'm facing issue print driver on client pc being broken.

problem description:

during normal operation of client pcs, hp universal printer driver becomes non functional due registry driver being modified. users on affected client unable print queue uses driver. problem per-machine rather per-user. printers either produce no output, or garbaled characters on many sheets of paper.

where workaround listed below enacted, there no known re-occurences of issue have been observed in our environment (at time of writing).

environment: 
 server - windows 2008 r2 enterprise, sp1 + updates, dedicated print server
 affected printer driver - hp universal printer driver pcl6 (v5.4)
 client pcs - windows 7 x64 enterprise edition sp1 + updates
   
troubleshooting undertaken:

viewing properties of printer driver shows dependant files, printer monitor , file information missing. auditing has been enabled on specific registry key locate process has modified associated registry values. no readily identifiable commonalities between machines have been identified yet.


workarounds known:

removal of printer driver , package affected client, followed reinstall server resolves problem. in cases, driver continues listed in use.  in these instances delting registry key "system\currentcontrolset\control\print\environments\windows x64\drivers\version-3\hp universal printing pcl 6 (v5.4)" , restarting spooler allows driver downloaded print server again.

does have thoughts on source of issue?  seem similar http://social.technet.microsoft.com/forums/en-us/winserverprint/thread/e2acb625-027d-47a9-b4a7-1616e270bcbc - though has been marked answered ande there no solution issues see in thread.

supporting information:


auditing of hp printer driver registry key has revealed:
windows registry audit logs
========================= record starts =========================
log name:      security
source:        microsoft-windows-security-auditing
date:          28/05/2012 15:28:39
event id:      4657
task category: registry
level:         information
keywords:      audit success


description:
registry value modified.
 
subject:
                security id:                         system
               
              
                logon id:                             0x3e7
 
object:
                object name:                    \registry\machine\system\controlset001\control\print\environments\windows x64\drivers\version-3\hp universal printing pcl 6 (v5.4)
                object value name:       monitor
                handle id:                           0x634
                operation type:                               existing registry value modified
 
process information:
                process id:                          0x56c
                process name:                  c:\windows\system32\spoolsv.exe
 
change information:
                old value type:                                reg_sz
                old value:                           hppmopjl
                new value type:                             reg_sz
                new value:                       
 
========================== record ends ==========================

========================= record starts =========================
log name:      security
source:        microsoft-windows-security-auditing
date:          28/05/2012 15:28:39
event id:      4657
task category: registry
level:         information
keywords:      audit success


description:
registry value modified.

subject:
                security id:                         system
               
              
                logon id:                             0x3e7

object:
                object name:                    \registry\machine\system\controlset001\control\print\environments\windows x64\drivers\version-3\hp universal printing pcl 6 (v5.4)
                object value name:       file
                handle id:                           0x634
                operation type:                               existing registry value modified
 
process information:
                process id:                          0x56c
                process name:                  c:\windows\system32\spoolsv.exe
 
change information:
                old value type:                                reg_sz
                old value:                           unidrv.hlp
                new value type:                             reg_sz
                new value:                       
 
========================== record ends ==========================

========================= record starts =========================
log name:      security
source:        microsoft-windows-security-auditing
date:          28/05/2012 15:28:39
event id:      4657
task category: registry
level:         information
keywords:      audit success
description:
registry value modified.
 
subject:
                security id:                         system
               
              
                logon id:                             0x3e7
 
object:
                object name:                    \registry\machine\system\controlset001\control\print\environments\windows x64\drivers\version-3\hp universal printing pcl 6 (v5.4)
                object value name:       dependent files
                handle id:                           0x634
                operation type:                               existing registry value modified
 
process information:
                process id:                          0x56c
                process name:                  c:\windows\system32\spoolsv.exe
 
change information:
                old value type:                                reg_multi_sz (new lines replaced *. * replaced **)
                old value:                           hpcui118.dll*hpcpe118.dll*hpcdmc64.dll*hpbcfgre.dll*hpcpu118.cfg*hpc6r118.dll*hpcsm118.gpd*hpc6m118.gpd*hpcst118.dll*hpcur118.dll*hpcpn118.dll*hpcu1186.hpx*hpcsc118.dtd*hpcev118.dll*hpchl118.cab*hpcu118.dem*hpmux118.dll*hpmur118.dll*hpmpm081.dll*hpmpw081.dll*hpmsn118.dll*hpmsl118.dll*hpcsat20.dll*hpcu118u.ini*hpcu1186.xml*hpcls118.dll*hpcss118.dll*pjl.gpd*pclxl.gpd*stdnames.gpd*fxcompchannel_x64.dll*cioum.dll*cioum64.msi*hpcpn118.dll*hpcpp118.dll*pclxl.dll*unires.dll*unidrvui.dll*stddtype.gdl*stdschem.gdl*stdschmx.gdl*hpcc6118.dll*hpdrvjct.dll*hppdcompio.dll*hpbuio64.dll*hpfxcomw.dll*hpfie118.dll*hpsysobj.dll*hpsecureprint64.dll*hpspw118.dll
                new value type:                             reg_multi_sz (new lines replaced *. * replaced **)
                new value:                       
 
========================== record ends ==========================

========================= record starts =========================
log name:      security
source:        microsoft-windows-security-auditing
date:          28/05/2012 15:28:39
event id:      4663
task category: registry
level:         information
keywords:      audit success


description:
attempt made access object.

subject:
                security id:                         system
               
              
                logon id:                             0x3e7
 
object:
                object server:   security
                object type:      key
                object name:    \registry\machine\system\controlset001\control\print\environments\windows x64\drivers\version-3\hp universal printing pcl 6 (v5.4)
                handle id:           0x634

process information:
                process id:          0x56c
                process name:  c:\windows\system32\spoolsv.exe
 
access request information:
                accesses:            set key value
                                                               
                access mask:     0x2
 
========================== record ends ==========================


print spooler admin logs
======================= record starts =========================
log name:      microsoft-windows-printservice/admin

source:        microsoft-windows-printservice

date:          28/05/2012 15:28:50

event id:      372

task category: printing document

level:         error

keywords:      classic spooler event,document print job


description:

the document <filename>, owned <username>, failed print on printer {01b96ca1-1c5a-497b-a667-28239e442049}. try print document again, or restart print spooler.

data type: nt emf 1.008. size of spool file in bytes: 434804. number of bytes printed: 0. total number of pages in document: 2. number of pages printed: 0. client computer: \\<machinename>. win32 error code returned print processor: 5. access denied.

========================== record ends ==========================


is audit record client machine or server?

the event log entry should print server printer name looks csr printer client.  client side  rendering disabled on print shares?   i'd expect datatype raw default.

\controlset001 backup copy of registry, i'll assume see \currentcontrolset well.

alan morris windows printing team




Windows Server  >  Print/Fax



Comments

Post a Comment

Popular posts from this blog

Error: 0x80073701 when trying to add Print Services Role in Windows 2012 Standard

-
hello, i'm getting error when trying add print services role in windows 2012 standard. i'm getting same error whether use gui or powershell. this new server install. the powershell error follows: add-windowsfeature : request add or remove features on specified server failed. installation of 1 or more roles, role services, or features failed. the referenced assembly not found. error: 0x80073701 at line:1 char:1 + add-windowsfeature print-services + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + categoryinfo          : invalidoperation: (@{vhd=; credent...name=localhost}:psobject) [install-windowsfeature],     exception     + fullyqualifiederrorid : dismapi_error__failed_to_enable_updates,microsoft.windows.servermanager.commands.addwind    owsfeaturecommand success restart needed exit code      feature result ------- ------...
Read more

Windows 2016 RDS event 1306 Connection Broker Client failed to redirect the user... Error: NULL

-
Image
i'm attempting setup windows 2016 rds standard deployment session hosting.  layout follows: rds01 - rds connection broker , web access ts02 - rds session host ts03 - rds session host domain these servers part of has (1) windows 2008 server , (2) windows 2016 servers acting dcs.  domain running @ windows 2003 functional level. servers on single routed network no firewall between them.  dns , ptr records servers exist , resolve on hosts.  servers can pinged each other. in other words, there no network connectivity issues. i've setup rds deployment several times w/ same results. the issue can login via rdweb interface on rds01 win10 desktop , connect published rdp desktop without issue (i.e. no error messages user) , no errors in logs.  when try directly rdp rds01, authenticate user (per event log) error stating user doesn't have access system.  in event log event id 1306 message of "remote desktop connection broker client faile...
Read more

Como saber quien entro a mi PC por la Red

-
quisiera saber si es posible, o existe forma de auditar quien accedió a mi pc vía red, es decir se que hay software que perminten auditar el file server para saber quien entro y modifico y/o borro un archivo... pero si alguien entro mi pc \\pcname\c$ hay forma de determinar que usuario entro al disco c de una pc en especifica y copio, modifico o borro un archivo...   y la otra pregunta cuales son las mejores herramientas para auditar la red y el file server   gracias una forma de detectar quien esta conectado tu pc es través del comando net user entra en cmd y escribes net user eso muestra los usuarios que están conectados en tu equipo en un momento determinado, se que no es lo que pides pero puede servir para descubir alguien en determinado momento. para que no este compartido le dan clic derecho sobre mi pc>propiedades>remoto y le desmarcan donde dice ''permitir que este equipo envíe invitaciones ...
Read more