Microsoft-Windows-PrintService
219 events across 3 channels
Event ID 1: The print spooler failed to import the printer driver that was downloaded from <ServerName> into the driver store for driver <DriverName>.
#Event ID 22: Failed to upgrade printer settings for printer <PrinterName> driver <DriverName>.
#Event ID 23: Printer <PrinterName> failed to initialize because a suitable <DriverName> driver could not be found.
#Event ID 99: The print spooler encountered a fatal error while executing a critical operation (OperationCode, error Error) and must immediately terminate.
#Description
The print spooler encountered a fatal error while executing a critical operation (OperationCode, error Error) and must immediately terminate. Try to manually restart the print spooler service (from Control Panel | Administrative Tools | Services or from an elevated command prompt running: net start spooler).
Message #
Fields #
| Name | Description |
|---|---|
OperationCode UInt32 | |
Error HexInt32 |
Event ID 100: Printer PrinterName successfully added.
#Description
Printer PrinterName successfully added. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 101: Failed to add printer PrinterName, error code ErrorCode.
#Description
Failed to add printer PrinterName, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 104: Deleting printer PrinterName succeeded.
#Description
Deleting printer PrinterName succeeded. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 105: Deleting printer PrinterName failed, error code ErrorCode.
#Description
Deleting printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 106: Starting document job JobID for printer PrinterName succeeded.
#Description
Starting document job JobID for printer PrinterName succeeded. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
JobID UInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 107: Starting document job JobID for printer PrinterName failed, error code ErrorCode.
#Description
Starting document job JobID for printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
JobID UInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 110: Ending document job JobID for printer PrinterName succeeded.
#Description
Ending document job JobID for printer PrinterName succeeded. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
JobID UInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 111: Ending document job JobID for printer PrinterName failed, error code ErrorCode.
#Description
Ending document job JobID for printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
JobID UInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 114: Adding printer driver ObjectName succeeded.
#Event ID 115: Adding printer driver ObjectName failed, error code ErrorCode.
#Event ID 118: Opening printer ObjectName succeeded.
#Event ID 119: Opening printer ObjectName failed, error code ErrorCode.
#Event ID 122: Starting page job JobID at printer PrinterName succeeded.
#Description
Starting page job JobID at printer PrinterName succeeded. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
JobID UInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 123: Starting page failed at printer JobID, error code ErrorCode.
#Description
Starting page failed at printer JobID, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
JobID UInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 124: Ending page job JobID at printer PrinterName succeeded.
#Description
Ending page job JobID at printer PrinterName succeeded. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
JobID UInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 125: Ending page job JobID at printer PrinterName failed, error code ErrorCode.
#Description
Ending page job JobID at printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
JobID UInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 131: Setting printer PrinterName failed, error code ErrorCode.
#Description
Setting printer PrinterName failed, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
ErrorCode HexInt32 | |
PrinterName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 200: Adding CSR printer connection ObjectName succeeded.
#Event ID 201: Adding CSR printer connection ObjectName failed, error code ErrorCode.
#Event ID 204: Deleting CSR printer connection ObjectName succeeded.
#Event ID 205: Deleting CSR printer connection ObjectName failed, error code ErrorCode.
#Event ID 207: Opening CSR printer ObjectName failed, error code ErrorCode.
#Event ID 210: Closing CSR printer ObjectName succeeded.
#Event ID 211: Closing CSR printer ObjectName failed, error code ErrorCode.
#Event ID 212: Parsing inf (InfPath) for printer driver DriverName succeeded (processor architecture ProcessorArchitecture).
#Description
Parsing inf (InfPath) for printer driver DriverName succeeded (processor architecture ProcessorArchitecture). See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
Message UnicodeString | |
AdditionalInfo UnicodeString | |
InfPath UnicodeString | |
DriverName UnicodeString | |
InstallSection UnicodeString | |
ProcessorArchitecture UnicodeString | |
LastError HexInt32 | |
HResult HexInt32 |
Event ID 213: Parsing inf (InfPath) for printer driver DriverName failed (processor architecture ProcessorArchitecture), error code LastError, HRESULT HResult.
#Description
Parsing inf (InfPath) for printer driver DriverName failed (processor architecture ProcessorArchitecture), error code LastError, HRESULT HResult. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
SetupParseInf.Label UnicodeString | |
SetupParseInf.Message UnicodeString | |
SetupParseInf.AdditionalInfo UnicodeString | |
SetupParseInf.InfPath UnicodeString | |
SetupParseInf.DriverName UnicodeString | |
SetupParseInf.InstallSection UnicodeString | |
SetupParseInf.ProcessorArchitecture UnicodeString | |
SetupParseInf.LastError HexInt32 | |
SetupParseInf.HResult HexInt32 | |
Label UnicodeString | |
Message UnicodeString | |
AdditionalInfo UnicodeString | |
InfPath UnicodeString | |
DriverName UnicodeString | |
InstallSection UnicodeString | |
ProcessorArchitecture UnicodeString | |
LastError HexInt32 | |
HResult HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 213,
"version": 0,
"level": 2,
"task": 18,
"opcode": 12,
"keywords": 4611686018427388448,
"time_created": "2026-05-30T01:50:56.6850617+00:00",
"event_record_id": 73,
"correlation": {
"ActivityID": "{6C4AD011-B2EA-447E-ABE8-CBD1BBC806BE}"
},
"execution": {
"process_id": 3872,
"thread_id": 10128
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"SetupParseInf": {
"Label": "ParseInfAndCommitFileQueue",
"Message": "PreSelectDriverEx failed",
"AdditionalInfo": "-",
"InfPath": "-",
"DriverName": "Microsoft XPS Document Writer",
"InstallSection": "-",
"ProcessorArchitecture": "Windows x64",
"LastError": "0x705",
"HResult": "0x80070705"
}
},
"message": "Parsing inf (-) for printer driver Microsoft XPS Document Writer failed (processor architecture Windows x64), error code 0x705, HRESULT 0x80070705. See the event user data for context information."
}
Event ID 214: Installing printer driver DriverName succeeded.
#Description
Installing printer driver DriverName succeeded. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
Message UnicodeString | |
AdditionalInfo UnicodeString | |
InfPath UnicodeString | |
DriverName UnicodeString | |
InstallSection UnicodeString | |
ProcessorArchitecture UnicodeString | |
PackageAware UnicodeString | |
CoreDriverDependencies UnicodeString | |
LastError HexInt32 | |
HResult HexInt32 |
Event ID 215: Installing printer driver DriverName failed, error code LastError, HRESULT HResult.
#Description
Installing printer driver DriverName failed, error code LastError, HRESULT HResult. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
SetupInstallPrinterDriver.Label UnicodeString | |
SetupInstallPrinterDriver.Message UnicodeString | |
SetupInstallPrinterDriver.AdditionalInfo UnicodeString | |
SetupInstallPrinterDriver.InfPath UnicodeString | |
SetupInstallPrinterDriver.DriverName UnicodeString | |
SetupInstallPrinterDriver.InstallSection UnicodeString | |
SetupInstallPrinterDriver.ProcessorArchitecture UnicodeString | |
SetupInstallPrinterDriver.PackageAware UnicodeString | |
SetupInstallPrinterDriver.CoreDriverDependencies UnicodeString | |
SetupInstallPrinterDriver.LastError HexInt32 | |
SetupInstallPrinterDriver.HResult HexInt32 | |
Label UnicodeString | |
Message UnicodeString | |
AdditionalInfo UnicodeString | |
InfPath UnicodeString | |
DriverName UnicodeString | |
InstallSection UnicodeString | |
ProcessorArchitecture UnicodeString | |
PackageAware UnicodeString | |
CoreDriverDependencies UnicodeString | |
LastError HexInt32 | |
HResult HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 215,
"version": 0,
"level": 2,
"task": 19,
"opcode": 12,
"keywords": -9223372036854775264,
"time_created": "2026-05-30T01:50:56.6852684+00:00",
"event_record_id": 50,
"correlation": {
"ActivityID": "{6C4AD011-B2EA-447E-ABE8-CBD1BBC806BE}"
},
"execution": {
"process_id": 3872,
"thread_id": 10128
},
"channel": "Microsoft-Windows-PrintService/Admin",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"SetupInstallPrinterDriver": {
"Label": "InternalInstallPrinterDriverFromPackage",
"Message": "pfnPSetupParseInfAndCommitFileQueue failed",
"AdditionalInfo": "-",
"InfPath": "-",
"DriverName": "Microsoft XPS Document Writer",
"InstallSection": "-",
"ProcessorArchitecture": "Windows x64",
"PackageAware": "Not package aware",
"CoreDriverDependencies": "-",
"LastError": "0x0",
"HResult": "0x80070705"
}
},
"message": "Installing printer driver Microsoft XPS Document Writer failed, error code 0x0, HRESULT 0x80070705. See the event user data for context information."
}
Event ID 216: A printer setup operation succeeded during the installation process.
#Event ID 217: A printer setup operation failed during the installation process, error code LastError, HRESULT HResult.
#Description
A printer setup operation failed during the installation process, error code LastError, HRESULT HResult. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Context UnicodeString | |
Message UnicodeString | |
AdditionalInfo UnicodeString | |
ProcessorArchitecture UnicodeString | |
LastError HexInt32 | |
HResult HexInt32 |
Event ID 218: Copying printer driver package InfPath succeeded.
#Description
Copying printer driver package InfPath succeeded. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
Message UnicodeString | |
AdditionalInfo UnicodeString | |
Server UnicodeString | |
InfPath UnicodeString | |
DestInfPath UnicodeString | |
ProcessorArchitecture UnicodeString | |
LastError HexInt32 | |
HResult HexInt32 |
Event ID 219: Copying printer driver package InfPath failed, error code LastError, HRESULT HResult.
#Description
Copying printer driver package InfPath failed, error code LastError, HRESULT HResult. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
Label UnicodeString | |
Message UnicodeString | |
AdditionalInfo UnicodeString | |
Server UnicodeString | |
InfPath UnicodeString | |
DestInfPath UnicodeString | |
ProcessorArchitecture UnicodeString | |
LastError HexInt32 | |
HResult HexInt32 |
Event ID 220: Retrieving CSR cache information for printer ObjectName succeeded.
#Event ID 221: Retrieving CSR cache information for printer ObjectName failed, error code ErrorCode.
#Event ID 222: Message.
#Event ID 223: Message.
#Event ID 224: A remote print driver package operation Function failed with error code Error, server name Server.
#Event ID 225: An error occurred while installing printer driver 'DriverName'.
#Description
An error occurred while installing printer driver 'DriverName'. Error code: HResult. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 226: An error occurred while installing printer driver 'DriverName'.
#Description
An error occurred while installing printer driver 'DriverName'. The driver being installed is incompatible with this version of Windows. Please obtain and install a compatible version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
DriverModelVersion UInt32 |
Event ID 227: An error occurred while installing printer driver 'DriverName'.
#Description
An error occurred while installing printer driver 'DriverName'. Error code: HResult. The driver being installed relies on class driver 'RequiredClassDriver', which is not present on this computer. The class driver may be available on Windows Update. Please ensure that Windows Update is enabled in Device Installation Settings and that a connection can be established, and try again, or choose an alternate driver that works with this print device.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 228: An error occurred while installing printer driver 'DriverName'.
#Description
An error occurred while installing printer driver 'DriverName'. The driver being installed relies on class driver 'RequiredClassDriver', which failed to install. Error code: HResult. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 229: An error occurred while installing printer driver 'DriverName'.
#Event ID 230: A problem was encountered while installing printer driver 'DriverName'.
#Description
A problem was encountered while installing printer driver 'DriverName'. A printer extension bundled with the driver failed to register, and will be unavailable. Error code: HResult. The driver will still be functional. Please obtain and install a new version of the printer extension or printer driver from the manufacturer (if available).
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 231: An attempt was made to upgrade installed class driver 'DriverName' to a non-class driver.
#Description
An attempt was made to upgrade installed class driver 'DriverName' to a non-class driver. Doing so will prevent any driver that relies on the class driver to stop functioning. The class driver will remain installed.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 232: An attempt was made to upgrade installed printer driver 'DriverName' to an older version of the driver, which is unsupported.
#Description
An attempt was made to upgrade installed printer driver 'DriverName' to an older version of the driver, which is unsupported. If the older version of the driver is required, please delete the current version (via Print Management or Print Server Properties) and try again.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 233: An attempt was made to upgrade installed printer driver 'DriverName' to a version that does not support printer sharing, or may cause compatibility problem...
#Description
An attempt was made to upgrade installed printer driver 'DriverName' to a version that does not support printer sharing, or may cause compatibility problems when sharing to some computers. In order to use the new driver, please disable sharing for all print queues that are using this driver (via Print Management or the Sharing tab in Printer Properties) and try again.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 234: A problem was encountered while deleting printer driver 'DriverName'.
#Description
A problem was encountered while deleting printer driver 'DriverName'. A printer extension bundled with the driver failed to unregister. Error code: HResult. The driver will still be deleted.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 235: An error occurred while installing printer driver 'DriverName'.
#Description
An error occurred while installing printer driver 'DriverName'. The file 'Value' referenced by the Directive directive could not be found.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
Directive UnicodeString | |
Value UnicodeString |
Event ID 236: An error occurred while installing printer driver 'DriverName'.
#Description
An error occurred while installing printer driver 'DriverName'. The Directive directive is not allowed for this type of driver. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
Directive UnicodeString | |
ClassDriverOnly Boolean | |
NonClassDriverOnly Boolean |
Event ID 237: An error occurred while installing printer driver 'DriverName'.
#Description
An error occurred while installing printer driver ''. The directive is malformed, by having either an empty token or an incorrect number of tokens. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
Directive UnicodeString | |
EmptyToken Boolean | |
IncorrectNumberOfTokens Boolean |
Event ID 238: An error occurred while installing printer driver 'DriverName'.
#Event ID 239: An error occurred while installing printer driver 'DriverName'.
#Event ID 240: An error occurred while installing printer driver 'DriverName'.
#Description
An error occurred while installing printer driver 'DriverName'. There must be only one manifest per driver. Either no manifest was found, or too many manifests were found. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
MissingManifest Boolean | |
MultipleManifests Boolean |
Event ID 241: An attempt was made to upgrade installed printer driver 'DriverName' to a driver that does not support non-inbox port monitors.
#Description
An attempt was made to upgrade installed printer driver 'DriverName' to a driver that does not support non-inbox port monitors. In order to use the new driver, please remove or reconfigure all print queues that are using this driver and try again.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
InfPath UnicodeString | |
RequiredClassDriver UnicodeString | |
HResult HexInt32 |
Event ID 242: An error occurred while configuring print queue 'PrinterName'.
#Event ID 300: Printer param1 was created.
#Description
Printer param1 was created. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
PrinterCreated.Param1 | |
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 300,
"version": 0,
"level": 4,
"task": 4,
"opcode": 11,
"keywords": 4611686018427389984,
"time_created": "2026-06-13T15:13:09.6513266+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 8552,
"thread_id": 4996
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PrinterCreated": {
"Param1": "evtgen-printer"
}
},
"message": "Printer evtgen-printer was created. No user action is required."
}
Event ID 301: Printer param1 was deleted, and users will no longer be able to print to this printer.
#Description
Printer param1 was deleted, and users will no longer be able to print to this printer. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
PrinterDeleted.Param1 | |
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 301,
"version": 0,
"level": 4,
"task": 5,
"opcode": 11,
"keywords": 4611686018427389984,
"time_created": "2026-06-13T15:13:18.2273480+00:00",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 9060,
"thread_id": 7024
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"PrinterDeleted": {
"Param1": "evtgen-printer"
}
},
"message": "Printer evtgen-printer was deleted, and users will no longer be able to print to this printer. No user action is required."
}
Event ID 302: Printer param1 will be deleted.
#Description
Printer param1 will be deleted. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
PrinterDeletionPending.Param1 | |
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 302,
"version": 0,
"level": 4,
"task": 5,
"opcode": 10,
"keywords": 4611686018427389984,
"time_created": "2026-06-13T15:13:18.1778725+00:00",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 9060,
"thread_id": 6148
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PrinterDeletionPending": {
"Param1": "evtgen-printer"
}
},
"message": "Printer evtgen-printer will be deleted. No user action is required."
}
Event ID 303: Printer param1 was paused.
#Description
Printer param1 was paused. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
PrinterPaused.Param1 | |
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 303,
"version": 0,
"level": 4,
"task": 23,
"opcode": 11,
"keywords": 4611686018427389984,
"time_created": "2026-05-30T01:51:11.2092102+00:00",
"event_record_id": 98,
"correlation": {
"ActivityID": "{5EF3D886-AF92-402B-AAF8-5AC4C18D93B9}"
},
"execution": {
"process_id": 3872,
"thread_id": 10128
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PrinterPaused": {
"Param1": "PrintLab-PDF"
}
},
"message": "Printer PrintLab-PDF was paused. No user action is required."
}
Event ID 304: Printer param1 was resumed.
#Description
Printer param1 was resumed. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 304,
"version": 0,
"level": 4,
"task": 24,
"opcode": 11,
"keywords": 4611686018427389984,
"time_created": "2021-10-27T10:28:26.229212Z",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 1048,
"thread_id": 3836
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "FS03.offsec.lan",
"security": {
"user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
}
},
"user_data": {
"PrinterUnPaused": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"Param1": "{BABBC1A0-F75A-44B0-92BC-57E20CEDA1D8}"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 305: The jobs in the print queue for printer param1 were deleted.
#Event ID 306: Settings for printer param1 were changed.
#Description
Settings for printer param1 were changed. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
PrinterSet.Param1 | |
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 306,
"version": 0,
"level": 4,
"task": 17,
"opcode": 11,
"keywords": 4611686018427389984,
"time_created": "2026-06-13T15:13:10.0553491+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 8552,
"thread_id": 1836
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PrinterSet": {
"Param1": "evtgen-printer"
}
},
"message": "Settings for printer evtgen-printer were changed. No user action is required."
}
Event ID 307: Document param1, param2 owned by param3 on param4 was printed on param5 through port param6.
#Description
Document param1, param2 owned by param3 on param4 was printed on param5 through port param6. Size in bytes: SizeInBytes. Pages printed: PagesPrinted. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
DocumentPrinted.Param1 | |
DocumentPrinted.Param2 | |
DocumentPrinted.Param3 | |
DocumentPrinted.Param4 | |
DocumentPrinted.Param5 | |
DocumentPrinted.Param6 | |
DocumentPrinted.Param7 | |
DocumentPrinted.Param8 | |
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString | |
param5 UnicodeString | |
param6 UnicodeString | |
param7 UnicodeString | |
param8 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 307,
"version": 0,
"level": 4,
"task": 26,
"opcode": 11,
"keywords": 4611686018427390016,
"time_created": "2026-05-30T01:51:30.3741444+00:00",
"event_record_id": 114,
"correlation": {},
"execution": {
"process_id": 12596,
"thread_id": 4296
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"DocumentPrinted": {
"Param1": "2",
"Param2": "document",
"Param3": "domainadmin",
"Param4": "\\\\JD-DC01-2022",
"Param5": "PrintLab-PDF",
"Param6": "C:\\PrintLab\\pdflab_output.pdf",
"Param7": "53851",
"Param8": "1"
}
},
"message": "Document 2, document owned by domainadmin on \\\\JD-DC01-2022 was printed on PrintLab-PDF through port C:\\PrintLab\\pdflab_output.pdf. Size in bytes: 53851. Pages printed: 1. No user action is required."
}
References #
Event ID 308: Document param1, param2 owned by param3 was paused on param4.
#Description
Document param1, param2 owned by param3 was paused on param4. This document will not print until the document owner resumes the print job. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
DocumentPaused.Param1 | |
DocumentPaused.Param2 | |
DocumentPaused.Param3 | |
DocumentPaused.Param4 | |
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 308,
"version": 0,
"level": 4,
"task": 26,
"opcode": 11,
"keywords": 4611686018427390016,
"time_created": "2026-05-30T01:51:14.6869907+00:00",
"event_record_id": 102,
"correlation": {
"ActivityID": "{A1E5D082-A57A-42F4-A80D-125F5E1EFB3F}"
},
"execution": {
"process_id": 3872,
"thread_id": 7704
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"DocumentPaused": {
"Param1": "7",
"Param2": "document",
"Param3": "domainadmin",
"Param4": "PrintLab-PDF"
}
},
"message": "Document 7, document owned by domainadmin was paused on PrintLab-PDF. This document will not print until the document owner resumes the print job. No user action is required."
}
Event ID 309: Document param1, param2 owned by param3 was resumed on param4.
#Description
Document param1, param2 owned by param3 was resumed on param4. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
DocumentResumed.Param1 | |
DocumentResumed.Param2 | |
DocumentResumed.Param3 | |
DocumentResumed.Param4 | |
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "{747EF6FD-E535-4D16-B510-42C90F6873A1}",
"event_source_name": "",
"event_id": 309,
"version": 0,
"level": 4,
"task": 26,
"opcode": 11,
"keywords": 4611686018427390016,
"time_created": "2026-05-30T01:51:15.7044064+00:00",
"event_record_id": 103,
"correlation": {
"ActivityID": "{F1F9D0C4-D7F6-44F1-9BA0-F0367025EA0C}"
},
"execution": {
"process_id": 3872,
"thread_id": 7704
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"DocumentResumed": {
"Param1": "6",
"Param2": "document",
"Param3": "domainadmin",
"Param4": "PrintLab-PDF"
}
},
"message": "Document 6, document owned by domainadmin was resumed on PrintLab-PDF. No user action is required."
}
Event ID 310: Document DocumentDeleted.Param1, DocumentDeleted.Param2 owned by DocumentDeleted.Param3 was deleted on DocumentDeleted.Param4.
#Description
Document DocumentDeleted.Param1, DocumentDeleted.Param2 owned by DocumentDeleted.Param3 was deleted on DocumentDeleted.Param4. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 310,
"version": 0,
"level": 4,
"task": 27,
"opcode": 11,
"keywords": 4611686018427390016,
"time_created": "2026-03-13T20:25:33.325281+00:00",
"event_record_id": 10,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"DocumentDeleted": {
"Param1": "2",
"Param2": "Print Document",
"Param3": "domainadmin",
"Param4": "TestPrinter_EventGen"
}
},
"message": ""
}
Event ID 311: An administrator moved document param1, param2 owned by param3 to position param4 on param5.
#Description
An administrator moved document param1, param2 owned by param3 to position param4 on param5. This changes when the document will print. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString | |
param5 UnicodeString |
Event ID 312: Form param1 was added.
#Event ID 313: Form param1 was removed.
#Event ID 314: Document param1, param2 owned by param3 timed out while printing on param4.
#Event ID 315: The print spooler failed to share printer param2 with shared resource name param3.
#Event ID 316: Printer driver param1 for param2 param3 was added or updated.
#Description
Printer driver param1 for param2 param3 was added or updated. Files:- param4. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 316,
"version": 0,
"level": 4,
"task": 8,
"opcode": 11,
"keywords": 4611686018427390208,
"time_created": "2021-10-27T10:14:27.309949Z",
"event_record_id": 153,
"correlation": {},
"execution": {
"process_id": 2552,
"thread_id": 4028
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"DriverAdded": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"Param1": "Generic / Text Only",
"Param2": "Windows x64",
"Param3": "Version-3",
"Param4": "UNIDRV.DLL, UNIDRVUI.DLL, TTY.GPD, UNIDRV.HLP, TTYRES.DLL, TTY.INI, TTY.DLL, TTYUI.DLL, TTYUI.HLP, UNIRES.DLL, STDNAMES.GPD, STDDTYPE.GDL, STDSCHEM.GDL, STDSCHMX.GDL"
}
}
}
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
Splunk # view in coverage
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 317: Printer driver param1 was deleted.
#Description
Printer driver param1 was deleted. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 317,
"version": 0,
"level": 4,
"task": 9,
"opcode": 11,
"keywords": 4611686018427390208,
"time_created": "2021-10-27T10:28:26.494838Z",
"event_record_id": 10,
"correlation": {},
"execution": {
"process_id": 1048,
"thread_id": 3768
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "FS03.offsec.lan",
"security": {
"user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
}
},
"user_data": {
"DriverDeleted": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"Param1": "Generic / Text Only"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 318: Failed to upgrade printer settings for printer param1 driver param2.
#Event ID 319: Printer param1 failed to initialize because a suitable param2 driver could not be found.
#Description
Printer param1 failed to initialize because a suitable param2 driver could not be found. The new printer settings that you specified have not taken effect. Install or reinstall the printer driver. You might need to contact the vendor for an updated driver.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 320: Printer param1 failed to initialize because none of its ports (param2) could be found.
#Event ID 321: File(s) param1 associated with printer param2 were added or updated.
#Description
File(s) param1 associated with printer param2 were added or updated. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"event_id": 321,
"level": "Information",
"task": "Adding a printer driver",
"opcode": "Spooler Operation Succeeded",
"time_created": "2026-03-17T19:25:13.9297980+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-PrintService/Operational"
},
"event_data": {}
}
Event ID 322: While attempting to publish the printer to the Active Directory directory service, Windows failed to publish property param1 at param2.
#Event ID 323: While attempting to publish the printer to the Active Directory directory service, the print spooler could not create or update the print queue bec...
#Description
While attempting to publish the printer to the Active Directory directory service, the print spooler could not create or update the print queue because Windows failed to bind to container: param1. Error: param2. The printer is not published in Active Directory and cannot be located by searching Active Directory.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 325: While attempting to remove the printer from the Active Directory directory service, Windows failed to delete print queue param1 at param2.
#Event ID 326: While attempting to publish the printer to the Active Directory directory service, the print spooler could not create or update the print queue und...
#Description
While attempting to publish the printer to the Active Directory directory service, the print spooler could not create or update the print queue under container param1. Error: param2. The printer is not published in Active Directory and cannot be located by searching Active Directory.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 327: While attempting to publish the printer to the Active Directory directory service, the print spooler could not create print queue param1 under containe...
#Description
While attempting to publish the printer to the Active Directory directory service, the print spooler could not create print queue param1 under container param2 because Mandatory properties could not be set. Error: param3. The printer is not published in Active Directory and cannot be located by searching Active Directory.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString |
Event ID 328: While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue con...
#Description
While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue container because the primary domain query failed. Error: param1. This can occur if Domain Name System (DNS) cannot resolve the domain controller IP address, or if the domain controller or directory service is not functioning correctly. The printer is not published in Active Directory and cannot be located by searching Active Directory.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Event ID 329: While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue con...
#Description
While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue container because the Domain Name System (DNS) domain name could not be retrieved. Error: param1. This can occur if DNS cannot resolve the domain controller IP address, or if the domain controller or directory service is not functioning correctly. The printer is not published in Active Directory and cannot be located by searching Active Directory.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Event ID 331: While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue con...
#Description
While attempting to publish the printer to the Active Directory directory service, the print spooler could not find the appropriate print queue container on domain param1. Error: param2. The printer is not published in Active Directory and cannot be located by searching Active Directory.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 332: The printer was successfully published to the Active Directory directory service.
#Event ID 333: While attempting to publish the printer to the Active Directory directory service, the print spooler failed to create or update print queue param1 in c...
#Description
While attempting to publish the printer to the Active Directory directory service, the print spooler failed to create or update print queue param1 in container param2. Error: param3. The printer is not published in Active Directory and cannot be located by searching Active Directory.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString |
Event ID 334: The printer was successfully removed from the Active Directory directory service.
#Description
The printer was successfully removed from the Active Directory directory service. Print queue param1 was successfully deleted from container param2. The printer can no longer be located by searching Active Directory. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 335: While attempting to remove the printer from the Active Directory directory service, the print spooler failed to delete print queue param1 from containe...
#Event ID 336: Print queue param1 was successfully updated in the Active Directory directory service container param2.
#Event ID 337: The print queue could not be found on domain param1.
#Event ID 338: Printer param1 was successfully removed from the Active Directory directory service.
#Event ID 342: The print spooler removed print queue param1 from the Active Directory directory service because it does not have a Universal Naming Convention (UNC) n...
#Event ID 343: The print spooler was unable to connect to print queue param1 based on the information published in the Active Directory.
#Description
The print spooler was unable to connect to print queue param1 based on the information published in the Active Directory. Error param2. No user action is required. If this print queue continues to be unreachable it may be removed from Active Directory.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 344: The print spooler removed print queue param1 from the Active Directory directory service.
#Event ID 345: The print spooler removed print queue param1 from the Active Directory directory service because it is a duplicate of another print queue.
#Event ID 346: The print spooler removed print queue param1 from the Active Directory directory service.
#Event ID 347: Print queue param1 could not be deleted (pruned) from the Active Directory directory service.
#Description
Print queue param1 could not be deleted (pruned) from the Active Directory directory service. Error: param2. The spooler will periodically try to remove the entry until it is successful. Continued failures may indicate an Active Directory problem, a basic network problem, or a communication problem between the domain controller and the print server.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 348: This version of param1 is incompatible with this version of Windows.
#Event ID 349: The print spooler failed to create a symbolic link between HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Print\\Printers and HKEY_LOCAL_M...
#Description
The print spooler failed to create a symbolic link between HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Print\\Printers and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers. Error param1. This only affects older applications, but is probably a sign that the system itself is in a poor condition or that the print spooler does not have the proper registry permissions.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Event ID 350: Document param1 failed to print and was deleted because of corruption in the spooled file.
#Event ID 351: The attempt for param1 to use a Windows NT 4.
#Description
The attempt for param1 to use a Windows NT 4.0 (kernel mode) driver failed because this version of Windows does not support Windows NT 4.0 printer drivers. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Event ID 352: The priority of document param1, param2 owned by param3 was changed to param4 on param5.
#Description
The priority of document param1, param2 owned by param3 was changed to param4 on param5. Windows prints the document with the highest priority number before other print jobs with lower priority numbers. Documents that are currently printing are unaffected by changes in priority. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString | |
param5 UnicodeString |
Event ID 353: The document failed to print because the user did not have the necessary privileges.
#Description
The document failed to print because the user did not have the necessary privileges.
Message #
Event ID 354: param1 initialization failed at param2.
#Description
param1 initialization failed at param2. Error: Error. This can occur because of system instability or a lack of system resources.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 354,
"version": 0,
"level": 2,
"task": 36,
"opcode": 12,
"keywords": 9223372036854777856,
"time_created": "2021-10-27T10:28:26.260460Z",
"event_record_id": 10,
"correlation": {},
"execution": {
"process_id": 1048,
"thread_id": 3836
},
"channel": "Microsoft-Windows-PrintService/Admin",
"computer": "FS03.offsec.lan",
"security": {
"user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
}
},
"user_data": {
"InitFailed": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"Param1": "\\\\fs03vuln\\Kiwi Legit Printer",
"Param2": "\\\\fs03vuln\\print$\\W32X86\\3\\mimispool.dll",
"Param3": "2. The system cannot find the file specified.\r\n"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 356: Failed to install or update driver param1 on cluster spooler resource param2.
#Description
Failed to install or update driver param1 on cluster spooler resource param2. Win32 error: param3. The printer driver is different from the driver in use on other computers (nodes) in the cluster. This can occur because of a transient failure in replication between nodes.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString |
Event ID 359: The attempt to install printer param1 into an offline operating system image failed with Win32 error code param2.
#Description
The attempt to install printer param1 into an offline operating system image failed with Win32 error code param2. This can occur if the printer driver requires user input or displays a user interface (UI) during installation.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 360: Updating the color profile failed for printer param1 with Win32 error code param2.
#Event ID 361: Printer param1 failed to initialize its ports.
#Description
Printer param1 failed to initialize its ports. Win32 error: param2. This error usually occurs because of a problem with the port monitor. Try recreating the port using a standard TCP/IP printer port, if possible. This problem does not affect other printers.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 362: The print spooler could not initialize because resolving the local machine name to IP addresses failed with error code param1.
#Description
The print spooler could not initialize because resolving the local machine name to IP addresses failed with error code param1. This may be a transient error. Try to manually restart the print spooler service (from Control Panel | Administrative Tools | Services or from an elevated command prompt running: net start spooler).
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Event ID 363: The print spooler param1 failed to start.
#Event ID 364: Windows could not load print processor param1 because EnumDatatypes did not return any data.
#Description
Windows could not load print processor param1 because EnumDatatypes did not return any data. Module: param2. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 365: Windows could not load print processor param1 because EnumDatatypes failed.
#Description
Windows could not load print processor param1 because EnumDatatypes failed. Error code param2. Module: param3. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString |
Event ID 366: The print server security descriptor for param1 is invalid.
#Event ID 367: Windows could not initialize printer param1 because the print processor param2 could not be found.
#Description
Windows could not initialize printer param1 because the print processor param2 could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Event ID 368: The print spooler failed to verify printer driver package param1 for environment param2.
#Description
The print spooler failed to verify printer driver package param1 for environment param2. Win32 system error code param3. This can occur after an operating system upgrade or because of data loss on the hard drive. The print spooler will try to regenerate the driver information from the driver store, which is where drivers are saved before they are installed. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"event_id": 368,
"level": "Error",
"task": "Verifying or regenerating a print driver package",
"opcode": "Spooler Operation Failed",
"time_created": "2026-03-17T19:25:14.8986873+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-PrintService/Operational"
},
"event_data": {
"Param2": "Windows x64",
"Param1": "Remote Desktop Easy Print",
"Param3": "2 (0x2)"
}
}
Event ID 369: The print spooler failed to verify printer driver package for environment param1.
#Event ID 370: The print spooler failed to regenerate the printer driver information for driver param1 for environment param2.
#Description
The print spooler failed to regenerate the printer driver information for driver param1 for environment param2. Win32 system error code param3. This can occur after an operating system upgrade or because of data loss on the hard drive.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString |
Event ID 371: The print spooler failed to unshare printer param2 which is shared as param3.
#Event ID 372: The document PrintOnProcFailedEd.Param1, owned by PrintOnProcFailedEd.Param2, failed to print on printer PrintOnProcFailedEd.Param3.
#Description
The document PrintOnProcFailedEd.Param1, owned by PrintOnProcFailedEd.Param2, failed to print on printer PrintOnProcFailedEd.Param3. Try to print the document again, or restart the print spooler.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString | |
param5 UnicodeString | |
param6 UnicodeString | |
param7 UnicodeString | |
param8 UnicodeString | |
param9 UnicodeString | |
param10 UnicodeString | |
param11 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 372,
"version": 0,
"level": 2,
"task": 26,
"opcode": 12,
"keywords": 9223372036854777920,
"time_created": "2026-03-13T18:26:33.122143+00:00",
"event_record_id": 24,
"correlation": {},
"execution": {
"process_id": 3664,
"thread_id": 14104
},
"channel": "Microsoft-Windows-PrintService/Admin",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PrintOnProcFailedEd": {
"Param1": "Print Document",
"Param2": "domainadmin",
"Param3": "HP LaserJet Pro M148f-M149f 2 (redirected 1)",
"Param4": "RAW",
"Param5": "0",
"Param6": "0",
"Param7": "0",
"Param8": "0",
"Param9": "\\\\LAB-DC01",
"Param10": "2152796161",
"Param11": null
}
},
"message": ""
}
Event ID 373: The spooler has detected that a component has an unusually large number of open Graphical Device Interface (GDI) objects.
#Description
The spooler has detected that a component has an unusually large number of open Graphical Device Interface (GDI) objects. As a result, some enhanced metafile (EMF) print jobs might not print until the spooler is restarted.
Message #
Event ID 502: The print spooler failed to get the computer name.
#Event ID 503: The system failed to initialize the local print provider: Error Error.
#Event ID 504: Failed to initialize the router work crew: Error Error.
#Event ID 505: Failed to create Phase2Init event in WaitForSpoolerInitialization: Error Error.
#Event ID 507: The system failed to initialize the name cache: Error Error.
#Event ID 508: Failed to initialize the router cache: Error Error.
#Event ID 509: The print spooler cannot start because the PrinterBusEnumerator could not start.
#Event ID 510: InitializeProvider cannot allocate memory for Name.
#Event ID 511: The print spooler failed to load print provider Name.
#Event ID 512: InitializePrintProvider failed for provider Name.
#Event ID 513: Group Policy was unable to add per computer connection Name.
#Event ID 514: Group Policy was unable to delete per computer connection Name.
#Event ID 515: Group Policy was unable to delete per computer printer connection Name.
#Description
Group Policy was unable to delete per computer printer connection Name. Error Error. The printer connection is still available to users on this computer. This can occur if the name of the printer connection is incorrect, if there is a Group Policy problem, or if the print spooler cannot contact the print server. Group Policy will periodically retry deleting the printer connection.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Error HexInt32 |
Event ID 516: Group Policy was unable to deploy per computer printer connection Name.
#Description
Group Policy was unable to deploy per computer printer connection Name. Error Error. The printer connection is not available to users on this computer. This can occur if the name of the printer connection is incorrect, if there is a Group Policy problem, or if the print spooler cannot contact the print server. Group Policy will periodically retry adding the printer connection.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Error HexInt32 |
Event ID 517: Group Policy was unable to update per computer printer connection Name.
#Description
Group Policy was unable to update per computer printer connection Name. Error code Error. This can occur if the name of the printer connection is incorrect, if there is a Group Policy problem, or if the print spooler cannot contact the print server. Group Policy will periodically retry updating the printer connection.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Error HexInt32 |
Event ID 518: Group Policy was unable to delete the per user printer connection Name.
#Description
Group Policy was unable to delete the per user printer connection Name. Error code Error. The printer connection is still available to users on this computer. This can occur if the name of the printer connection is incorrect, if there is a Group Policy problem, or if the print spooler cannot contact the print server. Group Policy will periodically retry deleting the printer connection.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Error HexInt32 |
Event ID 519: Group Policy was unable to deploy per user printer connection Name.
#Description
Group Policy was unable to deploy per user printer connection Name. Error code Error. The printer connection is not available to the users on this computer to which the Group Policy object applies. This can occur if the name of the printer connection is incorrect, if there is a Group Policy problem, or if the print spooler cannot contact the print server. Group Policy will periodically retry adding the printer connection.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Error HexInt32 |
Event ID 520: Group Policy was unable to update per user printer connection Name.
#Description
Group Policy was unable to update per user printer connection Name. Error code Error. This can occur if the name of the printer connection is incorrect, if there is a Group Policy problem, or if the print spooler cannot contact the print server. Group Policy will periodically retry updating the printer connection.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Error HexInt32 |
Event ID 600: The print spooler failed to import the printer driver that was downloaded from DriverSource into the driver store for driver Driver.
#Description
The print spooler failed to import the printer driver that was downloaded from DriverSource into the driver store for driver Driver. Error code= Error. This can occur if there is a problem with the driver or the digital signature of the driver.
Message #
Fields #
| Name | Description |
|---|---|
DriverSource UnicodeString | |
Driver UnicodeString | |
Error UnicodeString |
Event ID 601: The print spooler failed to download and import the printer driver from DriverSource into the driver store for driver Driver.
#Event ID 602: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key RegistryKey1\RegistryKey2.
#Description
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key RegistryKey1\RegistryKey2. This can occur if the key name or values are malformed or missing.
Message #
Fields #
| Name | Description |
|---|---|
RegistryKey1 UnicodeString | |
RegistryKey2 UnicodeString |
Event ID 603: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key RegistryKey.
#Description
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key RegistryKey. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Message #
Fields #
| Name | Description |
|---|---|
RegistryKey UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"event_id": 603,
"level": "Error",
"task": "Client-side rendering",
"opcode": "Spooler Operation Failed",
"time_created": "2026-03-18T22:31:39.5383820+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-PrintService/Operational"
},
"event_data": {
"RegistryKey": "S-1-5-21-1006758700-2167138679-1475694448-1000\\Printers\\Connections"
}
}
Event ID 604: The print spooler encountered an unknown driver type while saving Name cache information.
#Event ID 701: The print filter pipeline host cannot initialize with the Component Object Model (COM) system.
#Event ID 702: The print filter pipeline host is shutting down due to the following error: Error HResult.
#Event ID 703: The print filter pipeline host is shutting down due to an error in signaling the Component Object Model (COM) proxy in the spooler.
#Event ID 704: The print filter pipeline host is shutting down because the query interface for ISignal in the Component Object Model (COM) proxy in the spooler fa...
#Description
The print filter pipeline host is shutting down because the query interface for ISignal in the Component Object Model (COM) proxy in the spooler failed. Error HResult. This can occur because of system instability or a lack of system resources.
Message #
Fields #
| Name | Description |
|---|---|
HResult HexInt32 |
Event ID 800: Spooling job JobDiag.JobId.
#Description
Spooling job JobDiag.JobId.
Message #
Fields #
| Name | Description |
|---|---|
JobId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 800,
"version": 0,
"level": 4,
"task": 43,
"opcode": 1,
"keywords": 4612811918334230528,
"time_created": "2026-03-13T20:25:11.317144+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 10520
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"JobDiag": {
"JobId": 2
}
},
"message": ""
}
Event ID 801: Printing job JobDiag.JobId.
#Description
Printing job JobDiag.JobId.
Message #
Fields #
| Name | Description |
|---|---|
JobId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 801,
"version": 0,
"level": 4,
"task": 43,
"opcode": 0,
"keywords": 4612811918334230528,
"time_created": "2026-03-13T20:25:11.789801+00:00",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"JobDiag": {
"JobId": 2
}
},
"message": ""
}
Event ID 802: Deleting job DeleteJobDiag.JobId.
#Description
Deleting job DeleteJobDiag.JobId.
Message #
Fields #
| Name | Description |
|---|---|
JobId UInt32 | |
JobSize UInt32 | |
DataType UInt32 | |
Pages UInt32 | |
PagesPerSide UInt32 | |
FilesOpened Int16 | |
JobSizeHigh UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 802,
"version": 0,
"level": 4,
"task": 43,
"opcode": 2,
"keywords": 4612811918334230528,
"time_created": "2026-03-13T20:25:33.325147+00:00",
"event_record_id": 9,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"DeleteJobDiag": {
"JobId": 2,
"JobSize": 53408,
"DataType": 1,
"Pages": 1,
"PagesPerSide": 0,
"FilesOpened": 3,
"JobSizeHigh": 0
}
},
"message": ""
}
Event ID 805: Rendering job RenderJobDiag.JobId.
#Description
Rendering job RenderJobDiag.JobId.
Message #
Fields #
| Name | Description |
|---|---|
JobId UInt32 | |
GdiJobSize UInt32 | |
ICMMethod UInt32 | |
Color Int16 | |
XRes Int16 | |
YRes Int16 | |
Quality Int16 | |
Copies Int16 | |
TTOption Int16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 805,
"version": 0,
"level": 4,
"task": 43,
"opcode": 0,
"keywords": 4612811918334230528,
"time_created": "2026-03-13T20:25:33.323370+00:00",
"event_record_id": 8,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"RenderJobDiag": {
"JobId": 2,
"GdiJobSize": 53408,
"ICMMethod": 0,
"Color": 2,
"XRes": 600,
"YRes": 600,
"Quality": 600,
"Copies": 1,
"TTOption": 0
}
},
"message": ""
}
References #
Event ID 806: Pausing job JobId.
#Event ID 807: Resuming job JobId.
#Event ID 808: The print spooler failed to load a plug-in module PluginDllName, error code ErrorCode.
#Description
The print spooler failed to load a plug-in module PluginDllName, error code ErrorCode. See the event user data for context information.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
PluginDllName UnicodeString | ||
ErrorCode HexInt32 | 4 detection rules | |
Context Int16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 808,
"version": 0,
"level": 2,
"task": 36,
"opcode": 12,
"keywords": 9223372036854906880,
"time_created": "2021-10-27T10:28:26.322960Z",
"event_record_id": 12,
"correlation": {
"#attributes": {
"ActivityID": "8811EC75-6F9C-4103-BB8A-EEED31FA139D"
}
},
"execution": {
"process_id": 1656,
"thread_id": 1572
},
"channel": "Microsoft-Windows-PrintService/Admin",
"computer": "FS03.offsec.lan",
"security": {
"user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
}
},
"user_data": {
"LoadPluginFailed": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"PluginDllName": "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3mimispool.dll",
"ErrorCode": "0x7e",
"Context": 110
}
}
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
aws::errorCode | eq | 0x45A | 2 rules | sigma, splunk |
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
References #
- Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/printing/event-ids-associated-point-print-restrictions
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 809: The print spooler failed to recursively delete the directory DirectoryName, error code WaitForReboot.
#Event ID 810: The print spooler failed to delete the directory DirectoryName and the contained files, error code WaitForReboot.
#Event ID 811: The print spooler failed to move the file Source to Destination, error code ErrorCode.
#Event ID 812: The print spooler failed to delete the file Source, error code ErrorCode.
#Event ID 813: The print spooler failed to copy the file Source to Destination, error code ErrorCode.
#Event ID 814: The print spooler failed to install the print processor Processor Environment Path, error code ErrorCode.
#Event ID 815: The print spooler service failed to register the RPC server protocol sequence ProtocolSequence, error code ErrorCode.
#Event ID 816: The print spooler service detected an invalid RPC protocol sequence ValidatedProtocolSequence, expecting ExpectedProtocolSequence, error code ErrorCode.
#Event ID 817: The RPC end-point policy for the print spooler service is disabled.
#Description
The RPC end-point policy for the print spooler service is disabled. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
WindowsStarterEdition HexInt32 | |
SuiteStorageServer HexInt32 | |
SystemPrintingDisabled HexInt32 | |
SuiteBlade HexInt32 | |
SuiteEmbeddedRestricted HexInt32 | |
SuiteComputerServer HexInt32 |
Event ID 818: The print spooler RPC server failed to start, error code ErrorCode.
#Event ID 819: Client Side Rendering is currently disabled by policy (Policy).
#Event ID 820: Client side rendering to PrintProcessor failed, error code ErrorCode.
#Description
Client side rendering to PrintProcessor failed, error code ErrorCode. The print spooler service will retry server side rendering. See the event user data for more context information.
Message #
Fields #
| Name | Description |
|---|---|
PrintProcessor UnicodeString | |
Connection UnicodeString | |
IsXpsPrinter HexInt32 | |
ErrorCode HexInt32 |
Event ID 821: The print spooler Client Side Rendering is attempting to render the job JobId on the server (Server Side Rendering), status Status.
#Description
The print spooler Client Side Rendering is attempting to render the job JobId on the server (Server Side Rendering), status Status. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
JobId UInt32 | |
Level HexInt32 | |
Status HexInt32 | NTSTATUS reference |
Event ID 822: Unknown print processor (LocalPrintProcessor) or invalid data type (LocalDataType), error ErrorCode, Client Side Rendering is disabled.
#Description
Unknown print processor (LocalPrintProcessor) or invalid data type (LocalDataType), error ErrorCode, Client Side Rendering is disabled. See the event user data for more context information.
Message #
Fields #
| Name | Description |
|---|---|
LocalPrintProcessor UnicodeString | |
RemotePrintProcessor UnicodeString | |
DefaultPrintProcessor UnicodeString | |
LocalDataType UnicodeString | |
RemoteDataType UnicodeString | |
DefaultDataType UnicodeString | |
ErrorCode HexInt32 |
Event ID 823: The default printer was changed to NewDefaultPrinter.
#Description
The default printer was changed to NewDefaultPrinter. See the event user data for context information.
Message #
Fields #
| Name | Description |
|---|---|
DefaultPrinterSelectedBySpooler UInt32 | |
OldDefaultPrinter UnicodeString | |
NewDefaultPrinter UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Module UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 823,
"version": 0,
"level": 4,
"task": 49,
"opcode": 11,
"keywords": 9223372036854906880,
"time_created": "2021-10-27T10:09:16.280929Z",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 2552,
"thread_id": 4012
},
"channel": "Microsoft-Windows-PrintService/Admin",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
}
},
"user_data": {
"ChangingDefaultPrinter": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"DefaultPrinterSelectedBySpooler": 1,
"OldDefaultPrinter": "-",
"NewDefaultPrinter": "Kiwi Legit Printer",
"Status": "0x0",
"Module": "spoolsv.exe"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 824: A fatal error occurred while printing job DocumentName, id JobId on the print queue PrintQueue.
#Description
A fatal error occurred while printing job DocumentName, id JobId on the print queue PrintQueue. The print filter pipeline process was terminated. Error information: ErrorInfo.
Message #
Fields #
| Name | Description |
|---|---|
DocumentName UnicodeString | |
JobId UInt32 | |
PrintQueue UnicodeString | |
ErrorInfo UnicodeString |
Event ID 825: Client side rendering to PrintProcessor failed, error code ErrorCode.
#Description
Client side rendering to PrintProcessor failed, error code ErrorCode. The print spooler service will not retry server side rendering. See the event user data for more context information.
Message #
Fields #
| Name | Description |
|---|---|
PrintProcessor UnicodeString | |
Connection UnicodeString | |
IsXpsPrinter HexInt32 | |
ErrorCode HexInt32 |
Event ID 826: Force Client Side Rendering policy was successfully set on printer PrinterName, path PrinterPath, port PortName.
#Event ID 827: The specified print queue QueueName is invalid.
#Event ID 828: The print job JobId failed with error code ErrorCode.
#Event ID 829: XPS API call Name (Context) started.
#Description
XPS API call Name (Context) started.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Context UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
Event ID 830: XPS API call Name (Context) ended, status StatusCode.
#Description
XPS API call Name (Context) ended, status StatusCode.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Context UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
Event ID 831: XPS API dependency Name (Context) started.
#Description
XPS API dependency Name (Context) started.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Context UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
Event ID 832: XPS API dependency Name (Context) ended, status StatusCode.
#Description
XPS API dependency Name (Context) ended, status StatusCode.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Context UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
Event ID 833: Print spooler operation Name (Context) started.
#Description
Print spooler operation Name (Context) started.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Context UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
Event ID 834: Print spooler operation Name (Context) ended, status StatusCode.
#Description
Print spooler operation Name (Context) ended, status StatusCode.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Context UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
Event ID 842: The print job PrintDriverSandboxJobPrintProc.JobId was sent through the print processor PrintDriverSandboxJobPrintProc.Processor on printer PrintDriverSandboxJobPrintProc.Printer, driver PrintDrive...
#Description
The print job JobId was sent through the print processor Processor on printer Printer, driver Driver, in the isolation mode IsolationMode (0 - loaded in the spooler, 1 - loaded in shared sandbox, 2 - loaded in isolated sandbox). Win32 error code returned by the print processor: Error.
Message #
Fields #
| Name | Description |
|---|---|
JobId UInt32 | |
Processor UnicodeString | |
Printer UnicodeString | |
Driver UnicodeString | |
IsolationMode UInt32 | |
Error HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 842,
"version": 0,
"level": 4,
"task": 50,
"opcode": 11,
"keywords": 4611686018427650048,
"time_created": "2026-03-13T20:25:33.321078+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 3692,
"thread_id": 11700
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PrintDriverSandboxJobPrintProc": {
"JobId": 2,
"Processor": "MS_XPS_PROC",
"Printer": "TestPrinter_EventGen",
"Driver": "Microsoft Print To PDF",
"IsolationMode": 0,
"ErrorCode": "0x0"
}
},
"message": ""
}
References #
Event ID 843: The print spooler service recorded SucceededRpcCalls successful and FailedRpcCalls failed RPC requests for all active print driver sandbox hosts.
#Event ID 844: The print spooler selected the isolation mode IsolationMode (0 - loaded in the spooler, 1 - loaded in shared sandbox, 2 - loaded in isolated sandbox) for prin...
#Event ID 845: Attempted to load module Module for printer Printer, printer driver Driver.
#Event ID 846: Cached printer PrinterName has been scavenged and deleted.
#Event ID 847: Cached printer PrinterName has been scheduled for deletion due to a logon scavenging operation.
#Event ID 848: Printer PrinterName was shared by the print spooler as ShareName.
#Description
Printer PrinterName was shared by the print spooler as ShareName.
Message #
Fields #
| Name | Description |
|---|---|
PrinterName UnicodeString | |
ShareName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 848,
"version": 0,
"level": 4,
"task": 30,
"opcode": 11,
"keywords": 4611686018427387936,
"time_created": "2021-10-27T10:14:27.466200Z",
"event_record_id": 154,
"correlation": {},
"execution": {
"process_id": 2552,
"thread_id": 4028
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"PrinterSharing": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"PrinterName": "Kiwi Legit Printer",
"ShareName": "Kiwi Legit Printer"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 849: Printer PrinterName shared as ShareName was unshared by the print spooler.
#Description
Printer PrinterName shared as ShareName was unshared by the print spooler.
Message #
Fields #
| Name | Description |
|---|---|
PrinterName UnicodeString | |
ShareName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PrintService",
"guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
"event_source_name": "",
"event_id": 849,
"version": 0,
"level": 4,
"task": 31,
"opcode": 11,
"keywords": 4611686018427387936,
"time_created": "2021-10-27T10:14:21.369976Z",
"event_record_id": 151,
"correlation": {
"#attributes": {
"ActivityID": "C43202E9-CB0F-0000-D030-32C40FCBD701"
}
},
"execution": {
"process_id": 2552,
"thread_id": 4028
},
"channel": "Microsoft-Windows-PrintService/Operational",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"PrinterSharing": {
"#attributes": {
"xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
},
"PrinterName": "Kiwi Legit Printer",
"ShareName": "Kiwi Legit Printer"
}
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 850: The print spooler called the function Function in print driver module Driver.
#Event ID 851: Point and Print not allowed by policy for queue PrintQueue.
#Event ID 852: Driver OriginalDriver could not be installed for printer connection PrinterName.
#Description
Driver OriginalDriver could not be installed for printer connection PrinterName. The print system selected the replacement driver NewDriver for the printer connection. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
OriginalDriver UnicodeString | |
NewDriver UnicodeString | |
PrinterName UnicodeString |
Event ID 853: Print Client Side Rendering synchronization for print job cache completed with code Error for printer PrinterName.
#Event ID 854: Print Client Side Rendering synchronization for printer information cache completed with code Error for printer PrinterName.
#Event ID 855: OpenPrinter cache entry added for printer PrinterName with access code AccessCode.
#Event ID 856: Connection 'ConnectionName' has been reconfigured for normal operation because branch office printing has been disabled.
#Event ID 857: Connection 'ConnectionName' has been reconfigured for normal operation because the queue is incompatible with branch office printing.
#Event ID 858: Connection 'ConnectionName' has been reconfigured for normal operation because the queue has been configured for Server Side Rendering.
#Description
Connection 'ConnectionName' has been reconfigured for normal operation because the queue has been configured for Server Side Rendering. To re-enable Branch Office Printing, enable the 'Render Jobs On Client' setting on the server queue.
Message #
Fields #
| Name | Description |
|---|---|
ConnectionName UnicodeString |
Event ID 859: Connection 'ConnectionName' has been reconfigured for normal operation because the client is incompatible with branch office printing.
#Event ID 860: Connection 'ConnectionName' has been reconfigured for normal operation because the server is incompatible with branch office printing.
#Event ID 861: Connection 'ConnectionName' has been reconfigured for normal operation because the remote port is incompatible with branch office printing.
#Event ID 862: Connection 'ConnectionName' has been reconfigured for normal operation because the 'Keep Printed Jobs' setting is enabled on the queue.
#Description
Connection 'ConnectionName' has been reconfigured for normal operation because the 'Keep Printed Jobs' setting is enabled on the queue. To re-enable Branch Office Printing, disable the 'Keep Printed Jobs' setting on the server queue.
Message #
Fields #
| Name | Description |
|---|---|
ConnectionName UnicodeString |
Event ID 863: Connection 'ConnectionName' has been reconfigured for normal operation due to an internal error, Error.
#Event ID 864: The Windows Fax and Scan servicing operation failed, HRESULT HResult.
#Event ID 865: There were Failures print job failures out of Jobs jobs sent to printer 'PrinterName' using driver 'DriverName'.
#Description
There were Failures print job failures out of Jobs jobs sent to printer 'PrinterName' using driver 'DriverName'. The printer driver isolation setting was updated to load the printer driver inside the print spooler process. No user action is required.
Message #
Fields #
| Name | Description |
|---|---|
Failures UInt32 | |
Jobs UInt32 | |
PrinterName UnicodeString | |
DriverName UnicodeString |
Event ID 866: The print spooler failed to create a Plug and Play printer device object for the printer 'PrinterName'.
#Description
The print spooler failed to create a Plug and Play printer device object for the printer 'PrinterName'. Print object instance identifier 'DeviceObjectInstanceIdentifier'. Error code HResultErrorCode. This printer will not be fully functional until the print spooler service is restarted and the Plug and Play printer device object is successfully created.
Message #
Fields #
| Name | Description |
|---|---|
PrinterName UnicodeString | |
DeviceObjectInstanceIdentifier UnicodeString | |
HResultErrorCode HexInt32 |
Event ID 867: The WS-Print Port Monitor failed to initialize correctly.
#Event ID 868: The Offline EventLog on machine 'MachineName' exceeded the allow maximum size.
#Event ID 869: In VALIDATINGDRVINFO, Adding printer driver ObjectName failed, error code ErrorCode.
#Event ID 870: The print spooler failed to download package for driver Driver.
#Event ID 871: The current print job was rejected due to Device Control Print Restrictions.
#Description
The current print job was rejected due to Device Control Print Restrictions. Rejection Reason: RestrictionReason, Printer: PrinterName, Job or Document Name: JobOrDocumentName, User Name: UserName, Port Name: PortName.
Message #
Fields #
| Name | Description |
|---|---|
RestrictionReason UnicodeString | |
PrinterName UnicodeString | |
JobOrDocumentName UnicodeString | |
UserName UnicodeString | |
PortName UnicodeString |
Event ID 1111: Driver <DriverName> required for printer <PrinterName> is unknown.
#Event ID 4098: The computer <ComputerName or IP> preference item in the '{GUID}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the s...
#Event ID 4909: Print Service event 4909 (manifest stub).
#Event ID 8192: The user <UserName> preference item in the '{GUID}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and need...
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 747ef6fd-e535-4d16-b510-42c90f6873a1
Defined in ntprint.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02