Motivation
At the beginning of 2009 I had an issue to investigate. W2K8 seems to have added some security-related enhancements, and this was one example: an application issued a WMI printer provider query such as "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Printer'" through the WMI provider context. That query led to SPOOLSS!EnumPrintersW() being executed in the spooler's context as "NT AUTHORITY\SYSTEM", and as a result we came across the following Event Log entry.
The implementation of the TPrintProvider class, introduced into win32spl.dll in W2K8, caused this.


EventSource: “SpoolerWin32SPL”
EventId: 4


Debug Log

THREAD 89b62710 Cid 0960.0b20 Teb: 7ffda000 Win32Thread: ff5dea50 WAIT: (UserRequest) UserMode Non-Alertable
898ba718 SynchronizationEvent
89a177b8 SynchronizationEvent
IRP List:
89a50310: (0006,0220) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap 832087c0
Owning Process 0 Image: <Unknown>
Attached Process 89becc80 Image: rscorsvc.exe
Wait Start TickCount 17687 Ticks: 40 (0:00:00:00.625)
Context Switch Count 1890
UserTime 00:00:00.093
KernelTime 00:00:00.093
Win32 Start Address ZCollect!_threadstartex (0x3304a4ec)
Stack Init 8ce63000 Current 8ce628c0 Base 8ce63000 Limit 8ce60000 Call 0
Priority 12 BasePriority 10 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
8ce628d8 816b83bf 89b62710 816f9920 89b62798 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
8ce6291c 816b53cf 89b62710 00000000 00000002 nt!KiSwapThread+0x44f
8ce62970 81819ed4 00000002 8ce62aa8 00000001 nt!KeWaitForMultipleObjects+0x53d
8ce62bfc 81819c43 00000002 00000001 00000000 nt!ObpWaitForMultipleObjects+0x256
8ce62d48 81658a7a 00000002 01c3f5ec 00000001 nt!NtWaitForMultipleObjects+0xcc
8ce62d48 77689a94 00000002 01c3f5ec 00000001 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8ce62d64)
01c3f598 77689244 7607c3e4 00000002 01c3f5ec ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01c3f59c 7607c3e4 00000002 01c3f5ec 00000001 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
01c3f638 777c0208 01c3f5ec 01c3f660 00000000 kernel32!WaitForMultipleObjectsEx+0x11d (FPO: [Non-Fpo])
01c3f68c 7720ab28 000002dc 01c3f6d4 ffffffff USER32!RealMsgWaitForMultipleObjectsEx+0x13c (FPO: [Non-Fpo])
01c3f6b4 7720ac88 01c3f6d4 ffffffff 01c3f6e4 ole32!CCliModalLoop::BlockFn+0x97 (FPO: [Non-Fpo])
01c3f6dc 77317b73 ffffffff 0020cdb0 01c3f7e8 ole32!ModalLoop+0x5b (FPO: [Non-Fpo])
01c3f6f8 77318b68 00000000 01c3f7fc 00000000 ole32!ThreadSendReceive+0x12c (FPO: [Non-Fpo])
01c3f720 773189d4 01c3f7e8 00243c28 01c3f844 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x194 (FPO: [Non-Fpo])
01c3f800 7720ad2e 00243c28 01c3f928 01c3f90c ole32!CRpcChannelBuffer::SendReceive2+0xef (FPO: [Non-Fpo])
01c3f81c 7720ace0 01c3f928 01c3f90c 00243c28 ole32!CCliModalLoop::SendReceive+0x1e (FPO: [Non-Fpo])
01c3f894 7722e688 00243c28 01c3f928 01c3f90c ole32!CAptRpcChnl::SendReceive+0x73 (FPO: [Non-Fpo])
01c3f8e8 76e5364e 00243c28 01c3f928 01c3f90c ole32!CCtxComChnl::SendReceive+0x1c5 (FPO: [Non-Fpo])
01c3f900 76e536af 03ad7ecc 01c3f9c4 76e533e2 RPCRT4!NdrProxySendReceive+0x43
01c3f90c 76e533e2 81d96d3a 01c3fdc4 070001f3 RPCRT4!NdrpProxySendReceive+0xc (FPO: [0,0,0])
01c3fd84 76e535f4 718b2ba8 718b27de 01c3fdc4 RPCRT4!NdrClientCall2+0x5e9
01c3fdac 76dee20e 01c3fdc4 00000017 01c3fdfc RPCRT4!ObjectStublessClient+0x6f
01c3fdbc 718e6374 03ad7ecc 001e28fc 0020ed9c RPCRT4!ObjectStubless+0xf
01c3fdfc 3650cae8 001e28fc 0020ed9c 0020ed9c fastprox!CWbemSvcWrapper::XWbemServices::ExecNotificationQueryAsync+0x91 (FPO: [Non-Fpo])
01c3fe44 365050d5 00000001 029309e8 36505851 ctrx_ext!CPrinterTracker::DetectPrinterCreates+0x118 (FPO: [Non-Fpo]) (CONV: thiscall)
01c3fe50 36505851 00000005 00ed49fc 3650804d ctrx_ext!CCtrxExt::InitMonitoring+0xd5 (FPO: [Non-Fpo]) (CONV: thiscall)
01c3fe5c 3650804d 00000005 36505287 00000001 ctrx_ext!CCtrxExt::OnStartupPhase+0x141 (FPO: [Non-Fpo]) (CONV: thiscall)
01c3fe64 36505287 00000001 00000005 00ed4998 ctrx_ext!CCtrxExt::_NotifyEvent+0x2d (FPO: [Non-Fpo]) (CONV: thiscall)
01c3fe74 33009c29 029309e8 00000001 00000005 ctrx_ext!_IMPAExtensionImpl<CCtrxExt>::NotifyEvent+0x27 (FPO: [Non-Fpo]) (CONV: stdcall)
01c3fe98 33010f39 00000001 00000005 81d93690 ZCollect!MPACollector::NotifyEvent+0x53 (CONV: thiscall)
01c3fecc 3301443c 00000005 00000000 00ed0cb8 ZCollect!QThread::DoPhasedStartup+0x17a (CONV: thiscall)
01c3ff10 3302b6d2 00ed4698 81d93714 00000000 ZCollect!QThread::StartQueue+0x197 (CONV: thiscall)
01c3ff48 3304a4c6 00ed0cb8 81d937dc 00000000 ZCollect!StartQReader+0x30 (CONV: stdcall)
01c3ff80 3304a56b 00000000 76074911 00edbeb8 ZCollect!_callthreadstartex+0x1b (FPO: [Non-Fpo]) (CONV: cdecl)
01c3ff88 76074911 00edbeb8 01c3ffd4 7766e4b6 ZCollect!_threadstartex+0x7f (FPO: [Non-Fpo]) (CONV: stdcall)
01c3ff94 7766e4b6 00edbeb8 76ac79b1 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
01c3ffd4 7766e489 3304a4ec 00edbeb8 ffffffff ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo])
01c3ffec 00000000 3304a4ec 00edbeb8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

kd> du 0020ed9c
0020ed9c "SELECT * FROM __InstanceCreation"
0020eddc "Event WITHIN 1 WHERE TargetInsta"
0020ee1c "nce ISA 'Win32_Printer'"

kd> !thread -1 7
THREAD 8a01f670 Cid 100c.1028 Teb: 7ffae000 Win32Thread: ffbede90 RUNNING on processor 0
Impersonation token: 8a59d3e8 (Level Impersonation)
Owning Process 0 Image: <Unknown>
Attached Process 8a016d90 Image: WmiPrvSE.exe
Wait Start TickCount 21220 Ticks: 0
Context Switch Count 1337
UserTime 00:00:01.937
KernelTime 00:00:02.312
Win32 Start Address RPCRT4!ThreadStartRoutine (0x76de4dfe)
Stack Init 8e7fa000 Current 8e7f9b48 Base 8e7fa000 Limit 8e7f7000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
014de74c 6ea2cc37 00000006 00000000 00000002 WINSPOOL!EnumPrintersW (FPO: [Non-Fpo])
014de7b8 6ea2cdf3 0130d320 00000000 014de7dc cimwin32!CWin32Printer::DynInstancePrinters+0xda (FPO: [Non-Fpo])
014de7c8 6ed5f3dd 0130d320 00000000 00000111 cimwin32!CWin32Printer::EnumerateInstances+0xf (FPO: [Non-Fpo])
014de7dc 6ed5f82f 0130d320 00000000 7fb9fbe8 framedynos!Provider::CreateInstanceEnum+0x21 (FPO: [Non-Fpo])
014decd0 00070ed5 0130f9b8 00292bc4 00000000 framedynos!CWbemProviderGlue::CreateInstanceEnumAsync+0x1cd (FPO: [Non-Fpo])
014ded10 00070d45 00000000 00288fc8 00000000 wmiprvse!CInterceptor_IWbemSyncProvider::Helper_CreateInstanceEnumAsync+0x159 (FPO: [Non-Fpo])
014ded54 76de31eb 0130f9b8 00292afc 00000000 wmiprvse!CInterceptor_IWbemSyncProvider::CreateInstanceEnumAsync+0xc1 (FPO: [Non-Fpo])
014ded7c 76e5184f 00070cbd 014def88 00000005 RPCRT4!Invoke+0x2a
014df1a8 76e52006 00279b30 002739c8 00264f68 RPCRT4!NdrStubCall2+0x27b
014df1f8 718eb35e 00279b30 00264f68 002739c8 RPCRT4!CStdStubBuffer_Invoke+0xa0 (FPO: [SEH])
014df20c 77319759 0128f354 00264f68 002739c8 FastProx!CBaseStublet::Invoke+0x29 (FPO: [Non-Fpo])
014df254 773196f3 00264f68 00275f78 0026b9a8 ole32!SyncStubInvoke+0x3c (FPO: [Non-Fpo])
014df2a0 77239d67 00264f68 00275e70 0128f354 ole32!StubInvoke+0xb9 (FPO: [Non-Fpo])
014df37c 77239c5c 002739c8 00000000 0128f354 ole32!CCtxComChnl::ContextInvoke+0xfa (FPO: [Non-Fpo])
014df398 773187a4 00264f68 00000001 0128f354 ole32!MTAInvoke+0x1a (FPO: [Non-Fpo])
014df3c8 77319498 d0908070 002739c8 0128f354 ole32!AppInvoke+0xaa (FPO: [Non-Fpo])
014df4a4 77318780 00264f10 00263100 00270f38 ole32!ComInvokeWithLockAndIPID+0x32c (FPO: [Non-Fpo])
014df4f0 76de3420 00270f38 7fdbaa13 00270f38 ole32!ThreadInvoke+0x2fd (FPO: [Non-Fpo])
014df52c 76de32ce 7731984e 00270f38 014df628 RPCRT4!DispatchToStubInCNoAvrf+0x41
014df5a0 76de4a8a 00000000 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0xdf
014df5c4 76de48b8 00270f38 00000000 014df628 RPCRT4!RPC_INTERFACE::DispatchToStub+0x67
014df5f8 76de3e6a 00270f9c 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x3e
014df638 76de3d78 00270ec8 014df674 00270ec8 RPCRT4!LRPC_SCALL::DispatchRequest+0x298
014df6a4 76de303a 00270ec8 00272268 0026f920 RPCRT4!LRPC_SCALL::HandleRequest+0x1d2
014df748 76e03617 00000000 014df7c4 76de1627 RPCRT4!LRPC_ADDRESS::ProcessIO+0x214
014df754 76de1627 00252d60 00000013 00000000 RPCRT4!ProcessLrpcComplete+0x20
014df7c4 76de4df0 014df7f0 76de4db7 00252d60 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x212
014df7cc 76de4db7 00252d60 00000000 00000000 RPCRT4!ProcessIOEventsWrapper+0xd
014df7f0 76de4e1c 0026f180 014df808 76074911 RPCRT4!BaseCachedThreadRoutine+0x5c
014df7fc 76074911 00270a68 014df848 7766e4b6 RPCRT4!ThreadStartRoutine+0x1e
014df808 7766e4b6 00270a68 762680c4 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
014df848 7766e489 76de4dfe 00270a68 ffffffff ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo])
014df860 00000000 76de4dfe 00270a68 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

kd> !thread -1 7
THREAD 898766e0 Cid 06d4.0c88 Teb: 7ffae000 Win32Thread: 00000000 RUNNING on processor 0
Impersonation token: 8a4c0950 (Level Impersonation)
Owning Process 0 Image: <Unknown>
Attached Process 89a88b68 Image: spoolsv.exe
Wait Start TickCount 17727 Ticks: 0
Context Switch Count 7
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address RPCRT4!ThreadStartRoutine (0x76de4dfe)
Stack Init 9e5e0000 Current 9e5df7e8 Base 9e5e0000 Limit 9e5dd000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
028cef60 71fc7a1b 0227001c 00000002 00000000 ADVAPI32!ReportEventW+0x2 (FPO: [Non-Fpo])
028cefa0 71f9f2e0 00000002 00000000 c0000004 win32spl!NLOGLibrary::TEventLog::LogEvent+0x4a (FPO: [Non-Fpo])
028cf004 71f93956 00000002 00000c6c 021ce6e0 win32spl!TPrintOpen::RediscoverPrinterConnections+0x104 (FPO: [Non-Fpo])
028cf028 73747bb5 00000006 00000000 00000002 win32spl!TPrintProvider::ppEnumPrinters+0x29 (FPO: [Non-Fpo])
028cf074 00d4339d 00000006 00000000 00000002 SPOOLSS!EnumPrintersW+0xb4 (FPO: [Non-Fpo])
028cf0a8 00d43320 00000006 00000000 00000002 spoolsv!YEnumPrinters+0xd4 (FPO: [Non-Fpo])
028cf0d0 76de31eb 00000006 00000000 00000002 spoolsv!RpcEnumPrinters+0x21 (FPO: [Non-Fpo])
028cf100 76e5184f 00d432ff 028cf308 00000007 RPCRT4!Invoke+0x2a
028cf52c 76e4edb5 00000000 00000000 00104b00 RPCRT4!NdrStubCall2+0x27b
028cf548 76de3420 00104b00 65dc820e 00104b00 RPCRT4!NdrServerCall2+0x1e
028cf584 76de32ce 76e4ed97 00104b00 028cf628 RPCRT4!DispatchToStubInCNoAvrf+0x41
028cf5f8 76dd20dd 00000000 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0xdf
028cf638 76de3d78 00104a90 028cf674 00104a90 RPCRT4!LRPC_SCALL::DispatchRequest+0xa2
028cf6a4 76de303a 00104a90 000f9f48 00104bd8 RPCRT4!LRPC_SCALL::HandleRequest+0x1d2
028cf748 76e03617 00000000 028cf7c4 76de1627 RPCRT4!LRPC_ADDRESS::ProcessIO+0x214
028cf754 76de1627 00081528 00000013 00000000 RPCRT4!ProcessLrpcComplete+0x20
028cf7c4 76de4df0 028cf7f4 76de4db7 00081528 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x212
028cf7cc 76de4db7 00081528 00000000 00000000 RPCRT4!ProcessIOEventsWrapper+0xd
028cf7f4 76de4e1c 000f1540 028cf80c 76074911 RPCRT4!BaseCachedThreadRoutine+0x5c
028cf800 76074911 000ff818 028cf84c 7766e4b6 RPCRT4!ThreadStartRoutine+0x1e
028cf80c 7766e4b6 000ff818 75e327ee 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
028cf84c 7766e489 76de4dfe 000ff818 ffffffff ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo])
028cf864 00000000 76de4dfe 000ff818 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

kd> !token -n 8a4c0950
_TOKEN 8a4c0950
TS Session ID: 0
User: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
Groups:
00 S-1-16-16384 Unrecognized SID
Attributes - GroupIntegrity GroupIntegrityEnabled
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-32-545 (Alias: BUILTIN\Users)
Attributes - Mandatory Default Enabled
03 S-1-5-6 (Well Known Group: NT AUTHORITY\SERVICE)
Attributes - Mandatory Default Enabled
04 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
Attributes - Mandatory Default Enabled
05 S-1-5-15 (Well Known Group: NT AUTHORITY\This Organization)
Attributes - Mandatory Default Enabled
06 S-1-5-80-2402865663-3129190671-725286074-1860017563-2838182404 (no name mapped)
Attributes - Default Enabled Owner
07 S-1-5-5-0-112781 (no name mapped)
Attributes - Mandatory Default Enabled Owner LogonId
08 S-1-2-0 (Well Known Group: localhost\LOCAL)
Attributes - Mandatory Default Enabled
09 S-1-5-32-544 (Alias: BUILTIN\Administrators)
Attributes - Default Enabled Owner
Primary Group: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
Privs:
03 0x000000003 SeAssignPrimaryTokenPrivilege Attributes - Enabled
04 0x000000004 SeLockMemoryPrivilege Attributes - Enabled Default
05 0x000000005 SeIncreaseQuotaPrivilege Attributes - Enabled
07 0x000000007 SeTcbPrivilege Attributes - Enabled Default
08 0x000000008 SeSecurityPrivilege Attributes - Enabled
09 0x000000009 SeTakeOwnershipPrivilege Attributes - Enabled
10 0x00000000a SeLoadDriverPrivilege Attributes - Enabled
11 0x00000000b SeSystemProfilePrivilege Attributes - Enabled Default
12 0x00000000c SeSystemtimePrivilege Attributes - Enabled
13 0x00000000d SeProfileSingleProcessPrivilege Attributes - Enabled Default
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes - Enabled Default
15 0x00000000f SeCreatePagefilePrivilege Attributes - Enabled Default
16 0x000000010 SeCreatePermanentPrivilege Attributes - Enabled Default
17 0x000000011 SeBackupPrivilege Attributes - Enabled
18 0x000000012 SeRestorePrivilege Attributes - Enabled
19 0x000000013 SeShutdownPrivilege Attributes - Enabled
20 0x000000014 SeDebugPrivilege Attributes - Enabled Default
21 0x000000015 SeAuditPrivilege Attributes - Enabled Default
22 0x000000016 SeSystemEnvironmentPrivilege Attributes - Enabled
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
25 0x000000019 SeUndockPrivilege Attributes - Enabled
28 0x00000001c SeManageVolumePrivilege Attributes - Enabled
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
30 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes - Enabled Default
34 0x000000022 SeTimeZonePrivilege Attributes - Enabled Default
35 0x000000023 SeCreateSymbolicLinkPrivilege Attributes - Enabled Default
Authentication ID: (0,3e7)
Impersonation Level: Impersonation
TokenType: Impersonation
Source: Advapi TokenFlags: 0x0
Token ID: 37c91 ParentToken ID: 0
Modified ID: (0, 36e28)
RestrictedSidCount: 0 RestrictedSids: 00000000
OriginatingLogonSession: 3e7

kd> dc 028cef60
028cef60 00000014 71fc7a1b 0227001c 00000002 .....z.q..'.....
028cef70 00000000 c0000004 00000000 00000001 ................
028cef80 00000000 028cef94 00000000 00000000 ................
028cef90 80070002 025b00b0 00000000 00000000 ......[.........
028cefa0 028cf004 71f9f2e0 00000002 00000000 .......q........
028cefb0 c0000004 025b00b0 00000000 00000000 ......[.........
028cefc0 00000000 025c24c8 00000000 72e77820 .....$\..... x.r
028cefd0 72ef33d8 72e7bb7c 00000006 021bb318 .3.r|..r........
kd> dd 028cef94 L1
028cef94 025b00b0
kd> du 025b00b0
025b00b0 "S-1-5-18\Printers\Connections"
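The chain above (WMI printer query in the client, EnumPrintersW in WmiPrvSE, ppEnumPrinters in spoolsv.exe as SYSTEM, event logged) can be reproduced and checked from an elevated PowerShell prompt. This is an added example, not code from the original post; it assumes the event is written to the Application log and that the "S-1-5-18\Printers\Connections" string in the last dump names a key under HKEY_USERS, neither of which the post states.

```powershell
# Added example, not code from the original post: reproduce the trigger the post
# describes and check for the resulting SpoolerWin32SPL event.
# Assumptions (not stated in the post): the event lands in the Application log, and the
# string "S-1-5-18\Printers\Connections" from the dump is a key under HKEY_USERS.
$start = Get-Date

# The WQL query the post found in the client thread (see the 'du 0020ed9c' dump).
# Registering it makes WmiPrvSE poll Win32_Printer every second, which is the path
# that reaches WINSPOOL!EnumPrintersW and, via RPC, spoolsv.exe's ppEnumPrinters.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Printer'"
Register-WmiEvent -Query $query -SourceIdentifier 'PrinterCreateProbe' | Out-Null

# A few polling intervals are enough for the provider to enumerate printers at least once.
Start-Sleep -Seconds 5
Unregister-Event -SourceIdentifier 'PrinterCreateProbe'

# Look for the event named in the post (source SpoolerWin32SPL, ID 4) logged since $start.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SpoolerWin32SPL'
    Id           = 4
    StartTime    = $start
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output "No SpoolerWin32SPL event ID 4 logged since $start"
}

# The dump shows 0x80070002 (HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)) next to a pointer
# to "S-1-5-18\Printers\Connections". Check whether the SYSTEM hive has that key at all.
$key = 'Registry::HKEY_USERS\S-1-5-18\Printers\Connections'
if (Test-Path -LiteralPath $key) {
    Write-Output "$key exists"
} else {
    Write-Output "$key is missing (consistent with ERROR_FILE_NOT_FOUND in the dump)"
}
```

Reading HKEY_USERS\S-1-5-18 requires an elevated prompt; without it the final check reports the key as missing regardless of whether it exists.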

Global Escalation Manager Tokyo
-fb