We're having print spooler issues across our enterprise. The spooler is constantly stopping and users have to manually start the spooler in order to print. In reviewing system logs, we found this:
Log Name: Application
Source: Application Error
Date: 11/18/2021 8:54:38 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: ComputerNameGoesHere
Description:
Faulting application name: spoolsv.exe, version: 10.0.19041.1288, time stamp: 0x025024ad
Faulting module name: HIPHandlers64.dll, version: 10.6.0.11932, time stamp: 0x61891258
Exception code: 0xc0000005
Fault offset: 0x000000000000fbfe
Faulting process id: 0xa60
Faulting application start time: 0x01d7dc83c415781f
Faulting application path: C:\windows\System32\spoolsv.exe
Faulting module path: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\Ips\HIPHandlers64.dll
Report Id: 90d73827-445c-42af-8102-73b2ae59be72
Faulting package full name:
Faulting package-relative application ID:
There do not appear to be any corresponding ENS events. Any thoughts on why this is happening?
We're running ENS Threat Prevention 10.7.0.2725
Not a fix, but to temporarily get around this, have you tried disabling the spoolsv application protection rule in the Exploit Prevention policy? Might or might not work. But you probably need to open a ticket.
I am not seeing this myself, btw.
Dave
Hey, we're having this issue too, have you found a workaround, resolution?
Unfortunately, we did not find a viable resolution or workaround.
Is there any more information about this issue yet? We have the same problem at our company.
Log Name: Application
Source: Application Error
Date: 12/8/2021 6:04:06 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: Computername
Description:
Faulting application name: spoolsv.exe, version: 10.0.18362.1854, time stamp: 0xf3af5844
Faulting module name: HIPHandlers64.dll, version: 10.6.0.11932, time stamp: 0x61891258
Exception code: 0xc0000005
Fault offset: 0x000000000000fbfe
Faulting process id: 0x32d4
Faulting application start time: 0x01d7ec556df39809
Faulting application path: C:\Windows\System32\spoolsv.exe
Faulting module path: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\Ips\HIPHandlers64.dll
Report Id: 55e4664f-66a2-49e2-85e9-7b1089590931
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-12-08T17:04:06.251812200Z" />
<EventRecordID>10695</EventRecordID>
<Channel>Application</Channel>
<Computer>Computername</Computer>
<Security />
</System>
<EventData>
<Data>spoolsv.exe</Data>
<Data>10.0.18362.1854</Data>
<Data>f3af5844</Data>
<Data>HIPHandlers64.dll</Data>
<Data>10.6.0.11932</Data>
<Data>61891258</Data>
<Data>c0000005</Data>
<Data>000000000000fbfe</Data>
<Data>32d4</Data>
<Data>01d7ec556df39809</Data>
<Data>C:\Windows\System32\spoolsv.exe</Data>
<Data>C:\Program Files\McAfee\Endpoint Security\Threat Prevention\Ips\HIPHandlers64.dll</Data>
<Data>55e4664f-66a2-49e2-85e9-7b1089590931</Data>
<Data>
</Data>
<Data>
</Data>
</EventData>
</Event>
The print spooler restarts after the following event: The RPC end-point policy for the print spooler service is disabled.
Log Name: Microsoft-Windows-PrintService/Operational
Source: Microsoft-Windows-PrintService
Date: 12/8/2021 6:04:11 PM
Event ID: 817
Task Category: Enabling spooler RPC endpoints
Level: Error
Keywords: Router
User: SYSTEM
Computer: Computername
Description:
The RPC end-point policy for the print spooler service is disabled. See the event user data for context information.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-PrintService" Guid="{747ef6fd-e535-4d16-b510-42c90f6873a1}" />
<EventID>817</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>47</Task>
<Opcode>12</Opcode>
<Keywords>0x4000000000002000</Keywords>
<TimeCreated SystemTime="2021-12-08T17:04:11.327631900Z" />
<EventRecordID>13</EventRecordID>
<Correlation />
<Execution ProcessID="2980" ThreadID="3032" />
<Channel>Microsoft-Windows-PrintService/Operational</Channel>
<Computer>Computername</Computer>
<Security UserID="S-1-5-18" />
</System>
<UserData>
<RpcEndPointPolDisabled xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
<WindowsStarterEdition>0x0</WindowsStarterEdition>
<SuiteStorageServer>0x0</SuiteStorageServer>
<SystemPrintingDisabled>0x0</SystemPrintingDisabled>
<SuiteBlade>0x0</SuiteBlade>
<SuiteEmbeddedRestricted>0x0</SuiteEmbeddedRestricted>
<SuiteComputerServer>0x0</SuiteComputerServer>
</RpcEndPointPolDisabled>
</UserData>
</Event>
Hi @Geert_Duchateau,
Thank you for your post. I would suggest contacting us via a Service Request with an analysis from MS on the crash to further investigate the issue.
Unexpectedly, it appears the issue was resolved after we:
- Disabled HIPS IPS/Network IPS (this allows ENS Exploit Protection to take over)
- Upgraded ENS to the latest, 10.7.0 November 2021 update
- Upgraded McAfee Agent to 5.6.6.232 <== probably not related, but that was included in our change
We did open up a ticket with both McAfee and Microsoft. Microsoft said they couldn't help because it had to do with McAfee. McAfee's suggestion was to try upgrading and see if that resolves the problem.
Hi @McDuff,
Thank you for your response. May I know if the SR is still open?
Can you help us with the version you were currently working with?
An upgrade is usually suggested to be tried just to ensure we do not work on an issue that may get resolved by a newer version even though it was not a recognized or known issue.
Also, may I know if you have an analysis from MS on the crash as well? If the issue is reproducible with the latest version as well, we should be able to investigate further. We would first begin with component isolation to understand exactly which feature is causing the crash here (in this case, Exploit Prevention would be the first to be checked because of the dll involved).
Issue was happening on systems that had BOTH HIPS 8.0.0.5005, and 10.5.5 (Aug 2019), and those that just had ENS. I believe there were some systems that had a slightly newer version of ENS that were having the issue as well.
SR was closed as the tech asked me to try upgrading to see if that resolved the problem, and I said I wasn't able to test the upgrade immediately, so they closed the case and said I could re-open later. Surprisingly, the upgrade did seem to solve the problem so I didn't re-open the ticket.
Yes, we were able to get a crash report and it did appear to point to HIPHandlers64.dll, which is a component of BOTH ENS and HIPS. Microsoft wasn't able to 100% determine it was due to McAfee but they said the probability was high that HIPHandlers64.dll was the main culprit and that's when we opened the ticket with McAfee.
e 000000000269d0f0 00007ff9cafc48d8 HIPHandlers64!Vba_GetDiskFreeSpaceW_Enter_Handler+0x18d40
f 000000000269d120 00007ff9cafc80a6 HIPHandlers64!MoveFileExW_Enter_Handler+0x498
10 000000000269d160 00007ff9cb027267 HIPHandlers64!Spool_NTCreateFile_Enter_Handler+0x1c6
Faulting application path: C:\WINDOWS\System32\spoolsv.exe
Faulting module path: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\Ips\HIPHandlers64.dll
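For triaging this crash across a fleet, the following added example (not part of the thread, and not McAfee or Microsoft code) parses an exported Event ID 1000 record like the one posted above, converts the hex FILETIME start time to measure how long the spooler ran before faulting, and builds a bucket key from module version and fault offset. The names in `FIELDS` and the function names are assumptions made for this example; the sample record is condensed from the post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed positional meaning of the unnamed <Data> values, taken from the
# order of the rendered description posted in the thread.
FIELDS = ("app", "app_version", "app_timestamp", "module", "module_version",
          "module_timestamp", "exception_code", "fault_offset", "pid",
          "start_filetime", "app_path", "module_path", "report_id")

# Constructed sample: the Event 1000 record from the thread, condensed.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID>
<TimeCreated SystemTime="2021-12-08T17:04:06.251812200Z" />
<Computer>Computername</Computer></System>
<EventData><Data>spoolsv.exe</Data><Data>10.0.18362.1854</Data><Data>f3af5844</Data>
<Data>HIPHandlers64.dll</Data><Data>10.6.0.11932</Data><Data>61891258</Data>
<Data>c0000005</Data><Data>000000000000fbfe</Data><Data>32d4</Data>
<Data>01d7ec556df39809</Data><Data>C:\Windows\System32\spoolsv.exe</Data>
<Data>C:\Program Files\McAfee\Endpoint Security\Threat Prevention\Ips\HIPHandlers64.dll</Data>
<Data>55e4664f-66a2-49e2-85e9-7b1089590931</Data></EventData></Event>"""

def filetime_to_utc(hex_ticks):
    # FILETIME: 100 ns ticks since 1601-01-01 UTC, logged here as hex.
    micros = int(hex_ticks, 16) // 10
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=micros)

def parse_system_time(value):
    # SystemTime has 9 fractional digits; datetime keeps 6, so truncate.
    head, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return stamp + timedelta(microseconds=int((frac + "000000")[:6]))

def parse_crash(event_xml):
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if provider is None or provider.get("Name") != "Application Error" or event_id != "1000":
        return None  # not an application crash record
    data = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    crash = dict(zip(FIELDS, data))
    crash["computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    crashed = parse_system_time(root.find("e:System/e:TimeCreated", NS).get("SystemTime"))
    # Seconds the process lived before faulting.
    crash["uptime_s"] = round((crashed - filetime_to_utc(crash["start_filetime"])).total_seconds(), 2)
    # Bucket key: identical module build and offset across hosts point to one defect.
    crash["signature"] = "{app}!{module}@{module_version}+0x{off}".format(
        off=crash["fault_offset"].lstrip("0") or "0", **crash)
    return crash

if __name__ == "__main__":
    print(parse_crash(SAMPLE))
```

Grouping the returned `signature` values per `computer` shows how many hosts hit the same fault, which is the evidence a vendor service request will ask for.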