Why is the Windows 11 Spoolsv.exe process sending out SNMP and PDL (ports 161, 9100 respectively) to a private IP that does not exist on the network?
While looking at the network traffic we have, from the perspective of our firewall, the logs were showing what I considered to be a problem that needed to be investigated more.
There were WWW IPs showing up as being on our LAN and IPs that had our internal LAN prefix octets but do not exist on our LAN.
The WWW IPs on the internal LAN were worked out to be the way the log files handled entries for the return traffic from the WWW, so no foul there.
The issue of internal IPs that don't exist was more perplexing.
Using packet captures by the firewall and local Wireshark installations along with 'netstat -ab' commands and TCPView I was able to determine that across all of our Windows 11 devices the spoolsv.exe, otherwise known as 'Print Spooler' system service, is the culprit.
On roughly 10 second intervals the spoolsv.exe process is sending out an SNMP packet to the IP address of 192.168.1.202 over UDP with a target port of 161.
Concurrent with the above, but on much more random intervals ranging from 1 to 15 seconds+, there is a PDL packet to 192.168.1.202 targeting TCP port 9100. According to web pages, port 9100 is used for streaming raw data to a printer.
The weird parts of this are:
- We have no device at 192.168.1.202 and never had one in the past.
- We have never used an IP address in the 192.168.1.* space.
- There is no network tunnel to some other network. Our network is a standalone island within the walls of our building.
- This happens on Windows 11 devices that were upgraded mid last year from Windows 10 and brand new Dell devices that were delivered less than a month ago and put on the network.
- All devices are patched to current releases for OS and firmware.
Our firewall doesn't know what to do with packets for 192.168.1.202 so we defined an access rule within the firewall to block them from going anywhere but the LAN segment the desktops are on.
I have not found any references to this combination of network traffic and spoolsv.exe on the WWW and am wondering if others have encountered this, know why it is happening and how to stop it?
I did find a reference to a malware payload that was trying to be a replacement for spoolsv.exe and exfiltrating data as a print data stream out of the facility, which is seriously sneaky.
Questions, comments and opposing views are welcomed.
Paul
Anonymous
2024-12-01T06:52:39+00:00
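As an added example, not part of the thread: a PowerShell check a defender can run on one of the affected Windows 11 machines to find out whether a configured Standard TCP/IP printer port is what points the spooler at that address, which queues and drivers own that port, and whether the running spoolsv.exe is the signed system binary. The address is the one from the question; the cmdlets are the in-box PrintManagement and NetTCPIP modules, run from an elevated session.

```powershell
# Added example (not from the thread): correlate spoolsv.exe network activity
# with configured printer ports. Elevated PowerShell 5.1+ on Windows 10/11.
# $SuspectIP is the address seen in the firewall logs in the question.
$SuspectIP = '192.168.1.202'

# 1. Which printer ports are configured to talk to that address?
#    Standard TCP/IP ports record the host, the RAW/LPR port number and
#    whether SNMP status polling is enabled for the port.
$ports = Get-PrinterPort |
    Where-Object { $_.PrinterHostAddress -eq $SuspectIP } |
    Select-Object Name, PrinterHostAddress, PortNumber, Protocol, SNMPEnabled, SNMPCommunity

# 2. Which print queues (and drivers) are bound to those ports? A queue left
#    behind by an old driver package is a common owner of a forgotten port.
$queues = foreach ($p in $ports) {
    Get-Printer | Where-Object { $_.PortName -eq $p.Name } |
        Select-Object Name, PortName, DriverName, Shared
}

# 3. Live confirmation: TCP connections owned by the spooler to that address.
#    UDP endpoints carry no remote address, so the SNMP side (UDP/161) is
#    confirmed from the packet capture, not from this query.
$spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
$conns = if ($spooler) {
    Get-NetTCPConnection -OwningProcess $spooler.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $SuspectIP } |
        Select-Object LocalPort, RemoteAddress, RemotePort, State
}

# 4. Is the spooler the signed system binary? If $ports is empty but the
#    traffic persists, the destination is not coming from a standard printer
#    port, and the binary's path and signature are the next thing to verify.
$binary = $spooler | Select-Object Id, Path,
    @{ n = 'Signature'; e = { if ($_.Path) { (Get-AuthenticodeSignature $_.Path).Status } else { 'n/a' } } }

"Printer ports targeting ${SuspectIP}:";     $ports  | Format-Table -AutoSize
"Queues bound to those ports:";              $queues | Format-Table -AutoSize
"Spooler TCP connections to ${SuspectIP}:"; $conns  | Format-Table -AutoSize
"Spooler binary:";                           $binary | Format-Table -AutoSize
```

A hit in the first table means the traffic is explained by a configured port and the fix is removing that port and its queue; an empty first table with live connections in the third is the case that warrants the signature check and a closer look at the process.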
Anonymous, 2024-05-17T03:42:23+00:00
Rosy, et al...
My thanks for your additional response.
As for answers.
1. Clear System Cache:
- folder was empty
2. Registry Cleanup:
Went through the HKLM and HKCU for 'printer' and 'queue' and found nothing that hints as being a configuration item or pointer to 'some file' for any of the queues.
3. Reinstall Notepad and Wordpad:
They are no longer in the feature option product list. ;( Have to use PowerShell commands to remove and add them back from the MS Store. ;((((
I did not do that this evening as I ran out of time. Will do that early next week.
4. Check Application Data:
I always run with viewing hidden files. Have been using the Notepad++ app to do searches of info within files for RICOH queues. It does go through appdata and other folders.
5. System File Checker (SFC):
Ran the system file checker and rebooted the desktop. The net effect was the utility said it found a bunch of stuff and fixed it. Lots of Notepad/Wordpad and other things in the CBS log file. The bad RICOH queue still shows in Notepad/Wordpad and nowhere else.
Would be exceedingly helpful if someone with access to the source files of Notepad/Wordpad went through them looking for how they are doing print queue management and where they are getting their info from!
The fact that the Office products do not list the bad RICOH queue but Notepad/Wordpad does is seriously weird.
I am seriously stumped on this.
Paul
Anonymous, 2024-05-31T05:40:52+00:00
Hello Paul,
Thank you for providing detailed information.
Based on the steps and results you've shared, here are some additional measures to resolve the issue of Notepad and WordPad displaying the incorrect RICOH queue:
- PowerShell Reinstallation of Notepad and WordPad:
- Use the following PowerShell commands to reinstall Notepad and WordPad:

```powershell
# Remove Notepad and WordPad
Get-AppxPackage *Microsoft.WindowsNotepad* | Remove-AppxPackage
Get-AppxPackage *Microsoft.WindowsWordPad* | Remove-AppxPackage

# Reinstall Notepad and WordPad from the Microsoft Store
Add-AppxPackage -register "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_0.0.1.0_x64__8wekyb3d8bbwe\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\Microsoft.WindowsWordPad_0.0.1.0_x64__8wekyb3d8bbwe\AppxManifest.xml" -DisableDevelopmentMode
```
- Check Print Management:
- Open Control Panel and go to "Devices and Printers".
- Check for any remaining RICOH print queues. If found, delete them.
- Restart the print spooler service by running the following commands in Command Prompt:

```cmd
net stop spooler
net start spooler
```
- Clean Print Queues Using Registry Editor:
- Open Registry Editor (regedit) and navigate to the following paths to check for any remaining RICOH print queues:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
- Delete any entries related to RICOH.
- Try Other Text Editors:
- Use other text editors (such as Notepad++, Visual Studio Code) to see if they display the same RICOH queue. If they don't, the issue might be specific to Notepad and WordPad.
Thank you for your patience and cooperation. If you have any questions or need further assistance, please feel free to contact me.
Best regards,
Rosy
Anonymous, 2024-05-31T16:30:12+00:00
Rosy..
It gets weirder.
I used the commands you listed to de-install Notepad and Wordpad.
The reinstall of Notepad failed. Had to use the following line to install.
Add-AppxPackage -register "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2402.22.0_x64__8wekyb3d8bbwe\AppxManifest.xml" -DisableDevelopmentMode
Wordpad still shows up off the Start button after reinstall. It does not show up using 'Get-AppxPackage'.
In reality the Wordpad aspect of this issue may be moot since it looks like Wordpad is going away in the 24H2 release according to the following article.
The registry entries do not have the bad RICOH references.
The spooler queue folder on the C: drive is empty.
Only Notepad and Wordpad show the bad RICOH printer queue.
Notepad++, Word, PowerPoint, etc do not show the bad RICOH queue.
Seriously weird that only Notepad and Wordpad show this one print queue.
My thanks for your time and thoughts along this journey.
Take care.
Paul