Print Spooler (spoolsv.exe) High CPU & Memory Usage: Fix Crashes and Harden Windows

By Will Wisser
Posted on November 3, 2025

1. Introduction

The Windows Print Spooler (spoolsv.exe) manages the print pipeline: it accepts jobs, formats them via drivers, and sends them to local or network queues. When it breaks, users see endless “Printing…” prompts, high CPU, or printers that vanish mid-task. When attackers abuse it (most infamously via PrintNightmare-style techniques), it can become a lateral-movement or privilege-escalation foothold.

This hands-on guide shows you how to triage printing failures fast, safely clear jammed queues, confirm you’re running the legitimate Microsoft binary (not a look-alike), rebuild the print subsystem, and harden Print Spooler on endpoints and servers.

Real-world examples you’ll recognize:

- Crash loop after a new driver: A Type 3 vendor driver pushes an update to a Remote Desktop farm. Users can’t print; Event Viewer fills with Service Control Manager 7031 crashes and PrintService driver events. Removing the third-party driver and reinstalling a v4 package ends the loop (see section 4.3).
- Runaway queue on a file/print server: A corrupted .SPL file grows to gigabytes, spoolsv.exe sits at 25–50% CPU, and all jobs stall. Stopping the service and clearing ...\PRINTERS\* restores service within minutes (section 4.2).
- Impostor binary for persistence: EDR flags a spoolsv.exe in C:\ProgramData\ started by a scheduled task. The path and missing Microsoft signature expose it as malware; cleanup involves quarantining the file, removing the task, and auditing Spooler startup (section 4.5).
- Domain controller exposure: Spooler left enabled on DCs is abused via a print driver installation vector to achieve SYSTEM and domain privileges. Hardening removes Spooler from DCs, restricts Point and Print to approved servers, and closes the lateral-movement route (section 4.6).

2. Quick triage (fast fixes)

Restart the Spooler service:

```powershell
Get-Service Spooler | Stop-Service -Force
Start-Service Spooler
```

Clear the queue (safe):

```powershell
Stop-Service Spooler -Force
Remove-Item -Path "$env:SystemRoot\System32\spool\PRINTERS\*" -Force -ErrorAction SilentlyContinue
Start-Service Spooler
```

Check the binary path and signature (fast malware sanity check):

- The only valid path is C:\Windows\System32\spoolsv.exe. Anything else is suspicious.
- Confirm the Publisher is Microsoft Corporation (see step 4.5 below).

Disable Spooler temporarily on non-printing servers (stability/security):

```powershell
Stop-Service Spooler -Force
Set-Service Spooler -StartupType Disabled
```

3. Prerequisites

- Local admin rights on the PC or server you’re fixing.
- Affected users logged off (prevents jobs from re-queuing during cleanup).
- Optional: Sysinternals tools (Sigcheck, Autoruns) for deeper verification.

4. Step-by-step guide

4.1 Verify the real spoolsv.exe

- Press Win + R → type services.msc → locate Print Spooler. Ensure the service name is exactly Spooler.
- Open C:\Windows\System32, right-click spoolsv.exe → Properties → Digital Signatures → verify “Microsoft Windows” signer and a valid timestamp.
- If the file is elsewhere (e.g., C:\Users\<name>\spoolsv.exe or C:\Windows\SysWOW64\spoolsv.exe): treat it as malicious, quarantine with your AV/EDR, and proceed to “4.5 Check for impersonation/persistence.”

4.2 Clear stuck print jobs and rebuild the queue

Stop Spooler:

```powershell
Stop-Service Spooler -Force
```

Empty queue folders:

```powershell
Remove-Item "$env:SystemRoot\System32\spool\PRINTERS\*" -Force -ErrorAction SilentlyContinue
Remove-Item "$env:SystemRoot\System32\spool\drivers\W32X86\*.tmp" -Force -ErrorAction SilentlyContinue
Remove-Item "$env:SystemRoot\System32\spool\drivers\x64\*.tmp" -Force -ErrorAction SilentlyContinue
```

Start Spooler:

```powershell
Start-Service Spooler
```

Re-add the printer if it disappeared: Settings → Bluetooth & devices → Printers & scanners → Add device.
4.3 Reset the print subsystem (drivers and ports)

Elevated PowerShell:

```powershell
Stop-Service Spooler -Force

# Backup registry hive for print settings
reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print" "$env:TEMP\print.reg" /y

# Remove printers (non-IPPS ports preserved)
Get-Printer | Remove-Printer -ErrorAction SilentlyContinue

# Remove third-party print drivers (keep Microsoft class drivers)
Get-PrinterDriver | Where-Object {$_.Manufacturer -ne "Microsoft"} | Remove-PrinterDriver -RemoveFromDriverStore -ErrorAction SilentlyContinue

Start-Service Spooler
```

Reinstall vendor drivers from a trusted source (avoid random driver aggregators).

4.4 Inspect PrintService logs for root cause

Open Event Viewer → Applications and Services Logs → Microsoft → Windows → PrintService. Enable the Operational log if disabled. Look for:

- Event ID 372/808: driver installation events (useful for detecting unexpected driver adds).
- Event ID 808/310xx: Point and Print/driver package actions.
- Event ID 307: document printed (who, what, where).

4.5 Detect spoolsv.exe impostors and persistence

- Path check: Only C:\Windows\System32\spoolsv.exe is valid. Anything else = suspicious.
- Signature check (optional Sysinternals):

```cmd
sigcheck -q -m -i C:\Windows\System32\spoolsv.exe
```

  Confirm a Microsoft signature and clean VirusTotal score (if your policy allows VT queries).
- Autoruns sweep (Logon, Services, Scheduled Tasks) for entries pointing to spoolsv.exe outside System32. Remove/quarantine anomalies.
- Network sanity: spoolsv.exe should not maintain outbound internet beacons. Use:

```powershell
Get-NetTCPConnection | Where-Object {$_.OwningProcess -eq (Get-Process spoolsv).Id}
```

  Unexpected remote IPs from spoolsv.exe are a red flag.

4.6 Harden Print Spooler (workstations and servers)

- Disable Spooler where not needed (especially on domain controllers, RDS hosts, jump boxes).
```powershell
Stop-Service Spooler -Force
Set-Service Spooler -StartupType Disabled
```

- Restrict Point and Print (Group Policy, for managed fleets): Computer Configuration → Administrative Templates → Printers
  - Enable “Package Point and Print – Approved servers” and specify only your print servers.
  - Enable “Point and Print Restrictions” → “Users can’t install drivers” unless elevated; show warning/elevation prompts for all servers.
- Patch and audit drivers: keep Windows and print drivers current; remove legacy Type 3/Kernel-mode drivers if vendor provides v4 packages.
- Block remote printing if unnecessary (firewall): disable the “File and Printer Sharing” rules or scope them to management subnets only.
- Attack Surface Reduction (ASR): If using Microsoft Defender for Endpoint, create rules to block unsigned or unexpected driver loads and monitor Spooler service abuse patterns.

4.7 Validate repair

- Service state:

```powershell
Get-Service Spooler | Format-Table Status, StartType, Name
```

- Test job: Print a test page. Confirm an Event ID 307 in PrintService → Operational.
- CPU stabilized: spoolsv.exe should idle near 0% when not printing. If it spikes, look for corrupt drivers or runaway jobs in PRINTERS.

5. Security hardening checklist (copy/paste)

- Disable Spooler on systems that never print.
- Lock down Point and Print to approved servers only; require elevation for driver install/update.
- Remove legacy/unused printer drivers; migrate to v4 packages.
- Patch Windows regularly; include out-of-band Spooler security updates when released.
- Scope firewall rules; block remote printing where it isn’t needed.
- Alert on new printer driver installs and on spoolsv.exe network connections.

6. Conclusion

Most print failures boil down to corrupt jobs or drivers; most security risks stem from leaving Spooler exposed on systems that don’t need it. Use the quick triage to restore service, verify you’re running the signed Microsoft binary, and apply the hardening steps to cut both downtime and attack surface.
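The hardening steps in section 4.6 and the checklist in section 5 can be audited per host. The script below is an added example, not code from the original article: the function name Test-SpoolerHardening and its -MustNotPrint switch are hypothetical, and the registry value names are the ones Microsoft documents for the Point and Print Restrictions policy (they do not appear in the article). It assumes a patched system where an absent policy value means the default prompts apply.

```powershell
# Added example (not from the original article): audit Spooler hardening on this host.
# Function name and -MustNotPrint switch are hypothetical; run in an elevated session.
function Test-SpoolerHardening {
    param([switch]$MustNotPrint)   # set on DCs, RDS hosts, jump boxes, etc.
    $out = @()

    # Spooler should be Disabled and Stopped on hosts that never print.
    $svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
    $out += [pscustomobject]@{
        Check = 'Spooler service'
        Value = "$($svc.StartMode)/$($svc.State)"
        Pass  = (-not $MustNotPrint) -or ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
    }

    # Point and Print Restrictions policy: desired value per setting.
    $want = [ordered]@{
        RestrictDriverInstallationToAdministrators = 1   # driver installs need admin
        NoWarningNoElevationOnInstall              = 0   # prompt on new connections
        UpdatePromptSettings                       = 0   # prompt on driver updates
    }
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $want.Keys) {
        $actual = if ($pol) { $pol.$name } else { $null }
        # An absent value leaves the Windows default in force; only a weakening override fails.
        $out += [pscustomobject]@{
            Check = $name
            Value = if ($null -eq $actual) { '(not set)' } else { $actual }
            Pass  = ($null -eq $actual) -or ($actual -eq $want[$name])
        }
    }

    # Third-party Type 3 drivers still installed (query needs a running Spooler).
    $legacy = @(Get-PrinterDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.Manufacturer -ne 'Microsoft' -and $_.MajorVersion -eq 3 })
    $out += [pscustomobject]@{
        Check = 'Third-party Type 3 drivers'
        Value = ($legacy.Name -join ', ')
        Pass  = ($legacy.Count -eq 0)
    }
    $out
}

Test-SpoolerHardening | Format-Table -AutoSize
```

Pass `-MustNotPrint` on servers that should have the service disabled; any row with `Pass` set to False maps back to one of the checklist items above.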
7. FAQ

What is spoolsv.exe and where should it live?
spoolsv.exe is the Windows Print Spooler service binary. The only legitimate path is C:\Windows\System32\spoolsv.exe. If you find it anywhere else (e.g., user profile, Temp, ProgramData), treat it as malicious and quarantine it.

Is spoolsv.exe a virus?
No. It’s a core Windows component. However, malware commonly masquerades as spoolsv.exe using a different path. Always verify the file location and digital signature (Publisher: Microsoft Corporation).

Can I safely disable the Print Spooler?
Yes, if the device does not need to print. Disabling Spooler improves security, especially on servers (e.g., domain controllers, RDS, jump hosts). Use: Stop-Service Spooler -Force; Set-Service Spooler -StartupType Disabled.

How do I clear a stuck print queue?
Stop the Spooler, delete all files in %SystemRoot%\System32\spool\PRINTERS, then start the Spooler again. This flushes jammed jobs without reinstalling printers.

Why is spoolsv.exe using high CPU?
Common causes are corrupt jobs, buggy or outdated printer drivers, and continuously retrying network printers. Clear the queue, update or remove the driver, and check PrintService → Operational log for errors.

Do I need the latest printer drivers?
Yes. Outdated or kernel-mode Type 3 drivers often cause crashes and Print Spooler instability. Prefer vendor-provided v4 driver packages and keep them updated.

Will disabling Spooler break scanning or PDF printing?
It will disable Windows printing. Scanning software may still work if it doesn’t depend on the print pipeline, but printing to PDF or virtual printers typically requires the Spooler.

How can I detect Spooler abuse in my environment?
Enable and monitor the PrintService Operational log, alert on unexpected driver installs, restrict Point and Print, and watch for spoolsv.exe outbound network connections. EDR rules can flag suspicious Spooler activity patterns.
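
The path, signature and persistence checks from section 4.5 can be combined into one sweep. This is an added example, not code from the original article; the function name Find-SpoolsvImpostor is hypothetical, and the only trusted path is the one the article gives, C:\Windows\System32\spoolsv.exe.

```powershell
# Added example (not from the original article): look for spoolsv.exe look-alikes.
# Run elevated so process image paths are readable. Function name is hypothetical.
function Find-SpoolsvImpostor {
    $legit = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
    $hits  = @()
    # Expand %SystemRoot%-style paths and strip quotes before comparing.
    $norm  = { param($p) [Environment]::ExpandEnvironmentVariables("$p").Trim('"') }

    # 1. Running processes named spoolsv.exe that are not the System32 image.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name='spoolsv.exe'") {
        if ($p.ExecutablePath -and $p.ExecutablePath -ne $legit) {
            $hits += [pscustomobject]@{ Source = 'Process'; Name = "PID $($p.ProcessId)"; Path = $p.ExecutablePath }
        }
    }

    # 2. The System32 binary itself must carry a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $legit
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        $hits += [pscustomobject]@{ Source = 'Signature'; Name = "$($sig.Status)"; Path = $legit }
    }

    # 3. Services whose image path mentions spoolsv.exe outside System32.
    foreach ($s in Get-CimInstance Win32_Service) {
        $path = & $norm $s.PathName
        if ($path -like '*spoolsv.exe*' -and $path -notlike "$legit*") {
            $hits += [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Path = $path }
        }
    }

    # 4. Scheduled tasks that launch a spoolsv.exe outside System32.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $path = & $norm $a.Execute
            if ($path -like '*spoolsv.exe*' -and $path -notlike "$legit*") {
                $hits += [pscustomobject]@{ Source = 'Task'; Name = "$($t.TaskPath)$($t.TaskName)"; Path = $path }
            }
        }
    }
    $hits
}

Find-SpoolsvImpostor | Format-Table -AutoSize
```

An empty result means no look-alike was found by these four checks; any row is a lead to quarantine and investigate as described in section 4.5.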