3

I would like to read a user's spooled files. I'm writing a service to monitor the contents of %WINDIR%\system32\spool\PRINTERS **, however:

  • On Windows 7, a standard user cannot read this location.
  • On Windows 10, a standard user cannot read this location.
  • On Windows 11, a standard user cannot read this location.

Question(s):

  • Is there a documented or undocumented policy for allowing standard users to read this location or perhaps their own spooled files? (I understand file permissions may work around this, but I'd prefer to leave these alone since it's a system directory and a future update may revert this change.)
  • If not, is there a quick way to render spool files to user space? (Instruct the spooler to write these files to a user-readable location?)

**Note: The spool file location is currently retrieved from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory.

Possibly related: https://stackoverflow.com/questions/65778053

tresf
  • 2
    Could you create an account with the appropriate permissions and run the service under that account? – Andrew Morton Sep 01 '22 at 17:42
  • Hi, yes, this is the current workaround (currently to run as the default `SYSTEM` account), however running the service as a standard application and as the current user is preferred, as it has the benefit of interacting with the current desktop environment and at lower security requirements, both preferable to the end users. – tresf Sep 01 '22 at 17:45
  • I've added the `icacls` output from Windows 11 to the question. – tresf Sep 01 '22 at 17:50
  • 2
    FWIW, the output of icacls is the same on Windows 10, and a standard user in that OS cannot read that location either. I have no Windows versions earlier than that to look at. So maybe create a service that can see the content of the directory, and another service that interfaces with that and the user. – Andrew Morton Sep 01 '22 at 18:09
  • Yeah, I just tested on Windows 10 and I can confirm the permissions there don't allow reading either. Hmm... Ok, so this isn't a change with Windows 11 specifically. I'll update the question to be more accurate. – tresf Sep 02 '22 at 00:59
  • (It's untested yet by myself) What does the following PowerShell command return?: `Get-Printer | Get-PrintJob` – swbbl Sep 02 '22 at 05:45
  • `$doc = "$env:WINDIR\system32\spool\PRINTERS\" + $([string](Get-Printer | Get-PrintJob | Select -First 1).Id).PadLeft(5, '0') + ".SPL"` ... `Get-Item $doc` works splendidly well. I'll propose this as a possible solution. – tresf Sep 04 '22 at 16:37

2 Answers

1

Using PowerShell as an example for grabbing a spooled file (adjust as needed!) (Thanks to @swbbl for the recommendation)

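```powershell
# Id of the first queued print job across all printers
$jobId = [string](Get-Printer | Get-PrintJob | Select-Object -First 1).Id

# The spool file is named after the job Id, zero-padded to five digits (e.g. 00007.SPL)
$splFile = "$env:WINDIR\system32\spool\PRINTERS\" + $jobId.PadLeft(5, '0') + ".SPL"

Get-Item $splFile
```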

This works because a user can read their own spooled documents, just not the parent directory.

tresf
0

So, in an odd turn of events, it appears that although the %WINDIR%\system32\spool\PRINTERS directory is not readable, spooled files you created are. So if you can get the jobId from Winspool/Win32 APIs, you can calculate the file name from the jobId (e.g. jobId: 7 ~= 00007.SPL) and read your own files.

This is because Windows adds special read permissions for the files you've created, at least for Windows 10 x86_64. Oddly, Windows 11 ARM64 does not, so it's not possible unless you change the spool file location.

Not all apps are OK with being denied parent file permissions.

```
cacls C:\WINDOWS\system32\spool\PRINTERS\00007.SPL

C:\WINDOWS\system32\spool\PRINTERS\00007.SPL WIN11\user:(ID)(special access:)

                                             STANDARD_RIGHTS_ALL
                                             DELETE
                                             READ_CONTROL
                                             WRITE_DAC
                                             WRITE_OWNER
                                             SYNCHRONIZE
                                             STANDARD_RIGHTS_REQUIRED
                                             FILE_GENERIC_READ
                                             FILE_GENERIC_WRITE
                                             FILE_READ_DATA
                                             FILE_WRITE_DATA
                                             FILE_APPEND_DATA
                                             FILE_READ_EA
                                             FILE_WRITE_EA
                                             FILE_DELETE_CHILD
                                             FILE_READ_ATTRIBUTES
                                             FILE_WRITE_ATTRIBUTES
```

For example, if your jobId is "7":

  • `type C:\WINDOWS\system32\spool\PRINTERS\00007.SPL`
    Access is denied.
  • `notepad C:\WINDOWS\system32\spool\PRINTERS\00007.SPL`
    ✅ Opens properly.
tresf
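
The job-Id-to-file-name mapping described in the two answers, as an added PowerShell example (not code from the original posts): it resolves the spool directory from the registry value named in the question, computes the `.SPL` path for each of the current user's jobs, and reports whether each file can be opened for reading. The function names are hypothetical, and matching the job's `UserName` against `$env:USERNAME` is an assumption.

```powershell
# Added example; Get-SpoolDirectory, Get-SpoolFilePath and Test-OwnSpoolFile are hypothetical names.
function Get-SpoolDirectory {
    # Registry value named in the question; fall back to the default location if it is unset.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers'
    $dir = (Get-ItemProperty -Path $key -Name DefaultSpoolDirectory -ErrorAction SilentlyContinue).DefaultSpoolDirectory
    if (-not $dir) { $dir = Join-Path $env:WINDIR 'system32\spool\PRINTERS' }
    return $dir
}

function Get-SpoolFilePath {
    param(
        [Parameter(Mandatory)][uint32]$JobId,
        [string]$SpoolDirectory = (Get-SpoolDirectory)
    )
    # Job 7 -> 00007.SPL: the job Id zero-padded to five digits.
    Join-Path $SpoolDirectory ('{0:D5}.SPL' -f $JobId)
}

function Test-OwnSpoolFile {
    # The directory cannot be listed by a standard user, so start from the job queue instead.
    # Assumption: the job's UserName is the bare account name of the submitting user.
    $me = $env:USERNAME
    Get-Printer | Get-PrintJob | Where-Object { $_.UserName -eq $me } | ForEach-Object {
        $result = [pscustomobject]@{
            Printer  = $_.PrinterName
            JobId    = $_.Id
            Path     = Get-SpoolFilePath -JobId $_.Id
            Readable = $false
            Bytes    = $null
            Error    = $null
        }
        try {
            # Read-only open that still shares the file with the spooler, which may hold it open.
            $fs = [System.IO.File]::Open($result.Path, 'Open', 'Read', 'ReadWrite,Delete')
            try { $result.Readable = $true; $result.Bytes = $fs.Length } finally { $fs.Dispose() }
        }
        catch [System.UnauthorizedAccessException] { $result.Error = 'Access denied' }
        catch [System.IO.IOException] { $result.Error = $_.Exception.Message }
        $result
    }
}

Test-OwnSpoolFile | Format-Table -AutoSize
```

A row with `Readable = False` and `Access denied` corresponds to the case the second answer reports, where the per-file read permission is not granted.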