T1547.012 Print Processors in MITRE ATT&CK Explained

Sıla Özeren Hacıoğlu | March 29, 2026

What Is T1547.012 Print Processors in MITRE ATT&CK?

T1547.012 Print Processors is a technique in the MITRE ATT&CK framework under the Persistence tactic. It involves the abuse of print processors, which are dynamic link libraries (DLLs) used by the Windows print spooler service (spoolsv.exe) to manage print jobs, handle data formats, and control print layouts.

Print processors are integral to the functioning of the print spooler service, but their high-level privileges make them an attractive target for adversaries. By exploiting print processors, attackers can achieve persistence and privilege escalation within the system, ensuring malicious code is executed during printing operations, often without detection.

To read about other sub-techniques of the T1547 Boot or Logon Autostart Execution technique, you can visit the related hub blog.

Adversary Use of T1547.012 Print Processors

The Print Spooler is designed to load custom DLLs, known as print processors, to manage various data formats for printing. Because spoolsv.exe runs with SYSTEM privileges and starts automatically during boot, an adversary who places a malicious DLL in the appropriate system directory and registers it in the registry can achieve both high-privilege execution and persistence.

The technical implementation begins with moving the malicious DLL into the architecture-specific print processor directory. For modern 64-bit Windows systems, the Print Spooler expects these files to reside in a specific path under the system's spooling folder [1]:

# Placing the DLL into the expected system directory
$printProcDir = "C:\Windows\System32\spool\prtprocs\x64"
Copy-Item -Path "C:\path\to\payload.dll" -Destination "$printProcDir\malicious.dll"

After the file is in place, the adversary must register it in the Windows Registry. The Spooler service enumerates subkeys under the Print Processors key for the specific environment (e.g., Windows x64). By adding a new key with a Driver value pointing to the filename, the adversary ensures that the next time the Spooler service initializes, it will load the malicious DLL into its own process memory.

# Registering the new Print Processor in the Registry
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\LegitLookName"
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name "Driver" -Value "malicious.dll" -PropertyType String

Execution is finally triggered when the spoolsv.exe process is started or restarted. This can happen naturally during a system reboot, or it can be forced by an adversary with sufficient local permissions to restart the service.

Once the service restarts, it reads the registry, identifies the new "Print Processor," and loads the DLL, executing the code (typically within DllMain) with SYSTEM integrity.

# Forcing the Print Spooler to reload and execute the DLL
Restart-Service -Name Spooler -Force
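
Defenders can audit the same two locations the steps above rely on: the Print Processors registry key and the prtprocs\x64 directory. The following PowerShell is an added example, not code from the original article or from MITRE; it covers only the Windows x64 environment named above and assumes winprint.dll is the only print processor in the host's baseline (extend $expected with vendor processors you have verified).

```powershell
# Added example (defensive audit). Run elevated on the host being checked.
$envName  = 'Windows x64'            # environment named in the article
$regRoot  = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\$envName\Print Processors"
$procDir  = Join-Path $env:SystemRoot 'System32\spool\prtprocs\x64'
$expected = @('winprint.dll')        # assumption: this host's baseline

# One row per registered print processor: what the key points to and who signed it.
$registered = @(foreach ($key in Get-ChildItem -Path $regRoot -ErrorAction Stop) {
    $driver = (Get-ItemProperty -LiteralPath $key.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
    $file = $null; $sig = $null
    if ($driver) {
        $path = Join-Path $procDir $driver
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        }
    }
    [pscustomobject]@{
        KeyName      = $key.PSChildName
        Driver       = $driver
        FileExists   = [bool]$file
        Signature    = if ($sig) { $sig.Status } else { 'n/a' }
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        LastWriteUtc = if ($file) { $file.LastWriteTimeUtc } else { $null }
        # A lead to investigate, not a verdict: outside the baseline,
        # missing on disk, or not validly signed.
        Review       = ($driver -notin $expected) -or (-not $sig) -or ($sig.Status -ne 'Valid')
    }
})

# DLLs sitting in the print processor directory that no registry key references.
$unreferenced = Get-ChildItem -LiteralPath $procDir -Filter *.dll -File |
    Where-Object { $_.Name -notin $registered.Driver } |
    Select-Object Name, Length, LastWriteTimeUtc

$registered   | Sort-Object Review -Descending | Format-Table -AutoSize
$unreferenced | Format-Table -AutoSize
```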

References

[1] “Boot or Logon Autostart Execution: Print Processors.” Available: https://attack.mitre.org/techniques/T1547/012/. [Accessed: Dec. 17, 2025]
