Built off the open source project Osquery
Nothing fancy here, just an easy registry check. You're welcome to spruce it up to your specific needs.
Description: Checks for registry keys related to the "PrintNightmare" vulnerability CVE-2021-34527 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
What The Data Shows: Returns ALL keys in the PointAndPrint registry path, and what the key values are.
The following two keys are indicators of the vulnerability being present:
NoWarningNoElevationOnUpdate
NoWarningNoElevationOnInstall
- If the key is set to 1 then it's considered vulnerable,
- If the key is set to 0 then it's considered not vulnerable,
- and if "Not Matched" is returned then there are no keys present in the PointAndPrint registry path, and the system is considered not vulnerable.
SQL:
SELECT data, path FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint';
Sexy updated (vulnerable) version from @jnelson:
SELECT
  CASE
    WHEN EXISTS (SELECT 1
                 FROM registry
                 WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
                   AND name in ('NoWarningNoElevationOnInstall','UpdatePromptSettings')
                   AND data = 1)
    THEN 'VULNERABLE'
    ELSE 'NOT_VULNERABLE'
  END 'CVE-2021-34527_status';
> Requirement: Windows Systems
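
A per-value variant of the check above, added here as an example and not part of the original post or of Osquery: it reports each indicator name that appears on this page separately, including names that are absent, and applies the 1 / 0 / not present rules listed above. A constructed in-memory SQLite table with only `key`, `name` and `data` columns stands in for the `registry` table (an assumption), and `check`, `PER_VALUE_SQL` and the sample rows are hypothetical names and data.

```python
import sqlite3

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

# One row per indicator name found on this page, so a missing value is
# reported explicitly instead of collapsing into a single verdict.
PER_VALUE_SQL = rf"""
WITH indicators(name) AS (
  VALUES ('NoWarningNoElevationOnInstall'),
         ('NoWarningNoElevationOnUpdate'),
         ('UpdatePromptSettings')
)
SELECT i.name,
       COALESCE(r.data, 'NOT_SET') AS data,
       CASE WHEN CAST(r.data AS INTEGER) = 1 THEN 'VULNERABLE'
            ELSE 'NOT_VULNERABLE' END AS status
FROM indicators AS i
LEFT JOIN registry AS r
  ON r.key = '{KEY}' AND r.name = i.name COLLATE NOCASE
ORDER BY i.name;
"""

def check(rows):
    """Evaluate (key, name, data) rows shaped like registry query output."""
    db = sqlite3.connect(":memory:")
    # Stand-in for the registry table (assumption: only these columns).
    db.execute("CREATE TABLE registry (key TEXT, name TEXT, data TEXT)")
    db.executemany("INSERT INTO registry VALUES (?, ?, ?)", rows)
    per_value = db.execute(PER_VALUE_SQL).fetchall()
    db.close()
    vulnerable = any(status == "VULNERABLE" for _, _, status in per_value)
    return ("VULNERABLE" if vulnerable else "NOT_VULNERABLE"), per_value

# Constructed sample rows, not taken from a real host.
SAMPLE_ROWS = [
    (KEY, "nowarningnoelevationoninstall", "1"),   # name stored in lower case
    (KEY, "UpdatePromptSettings", "0"),
    (KEY, "TrustedServers", "1"),                  # unrelated value, ignored
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Example", "UpdatePromptSettings", "1"),  # other key, ignored
]

if __name__ == "__main__":
    for sample in (SAMPLE_ROWS, []):   # [] models an empty PointAndPrint path
        verdict, detail = check(sample)
        print(verdict)
        for row in detail:
            print("  ", row)
```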