Automating print logging for DFIR purposes

I had this in my stack of old technical documentation I’ve created in my security lab. I think its great when people secure data on removable medium by either not allowing device writing or by mandating data be encrypted prior to copying. But what happens if you are in the middle of an active DFIR investigation and you are trying to recover what a person printed.

Well yes… you can actually do that. Although it isn’t well documented. Hopefully this can reach those that have been searching for a way to turn on operational print logging automatically when machine is added to a domain. Here is how…

First the script:

If EXIST “c:\windows\system32\PrintAudit.txt” GOTO END

wevtutil sl Microsoft-Windows-PrintService/Operational /ms:35400960 /e:true /q

Copy %logonserver%\netlogon\PrintAudit.txt c:\windows\system32

:END
exit

The PrintAudit.txt file can be blank. We just need a empty file to put in a secure directory so this machine script does not run again. You can name the script whatever you want. This is just a simple .bat script.

You can place the scripts in the netlogon directory along with the blank txt file.

Active directory Implementation:

⦁ Create a blank GPO and call it whatever you want
⦁ Copy .bat and PrintAudit.txt in the netlogon folder
⦁ Go to Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)
⦁ Click Startup and click the Add button
⦁ Click on Browse. In this example the script has been pre-populated in the scripts folder because the script exists in the netlogon folder as shown below.

Set the GPO to where all your workstations/servers are. For ease of use I suggest setting the GPO on the root of your domain in active directory. That way every machine gets this regardless of where it is in your AD OU structure.

I’ve verified this works on Windows 7/8.1/10/2008/2008r2/2012R2/2016

A single golf clap? Or a long standing ovation?

By clapping more or less, you can signal to us which stories really stand out.