Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management   (+ MDM) Orchestration   (+ monitoring) Software management   (+ CVEs) Integrations

Docs
Stories
News Ask around Share your story COMPANY
The handbook What people are saying

Pricing Schedule a demo
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
News Ask around Schedule a demo Share your story COMPANY The handbook What people are saying
Pricing Try it yourself
Queries/
Get Windows print spooler remote code execution vulnerability

Get Windows print spooler remote code execution vulnerability

Contributor's GitHub profile picture

Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.

To learn more about queries, check this guide.

Query PowerShellNEW BashNEW
SELECT CASE cnt WHEN 2 THEN "TRUE" ELSE "FALSE" END "Vulnerable" FROM (SELECT name start_type, COUNT(name) AS cnt FROM services WHERE name = 'NTDS' or (name = 'Spooler' and start_type <> 'DISABLED')) WHERE cnt = 2;
$processes = Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE CommandLine LIKE 'nmap%'"  
foreach ($proc in $processes) {  
    # Get parent's name  
    $parentName = ""  
    if ($proc.ParentProcessId) {  
        $parentProc = Get-WmiObject Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)" -ErrorAction SilentlyContinue  
        if ($parentProc) {  
            $parentName = $parentProc.Name  
        }  
    }  

    # Get username from process owner  
    $username = ""  
    $ownerInfo = $proc.GetOwner()  
    if ($ownerInfo.ReturnValue -eq 0) {  
        $username = "$($ownerInfo.Domain)\$($ownerInfo.User)"  
    }  

    # Convert WMI creation date to readable time  
    $startTime = $null  
    if ($proc.CreationDate) {  
        $startTime = [Management.ManagementDateTimeConverter]::ToDateTime($proc.CreationDate)  
    }  

    # cwd is not available from Win32_Process; use placeholder  
    $cwd = "N/A"  

    # Create a custom object with the desired fields  
    $result = [PSCustomObject]@{  
        pid         = $proc.ProcessId  
        name        = $proc.Name  
        path        = $proc.ExecutablePath  
        cmdline     = $proc.CommandLine  
        cwd         = $cwd  
        start_time  = $startTime  
        parent      = $proc.ParentProcessId  
        parent_name = $parentName  
        username    = $username  
    }  

    Write-Output $result  
}
An icon indicating that this section has important information

PowerShell commands are currently work in progress, contributions welcome.

An icon indicating that this section has important information

Bash commands for macOS are currently work in progress, contributions welcome.

Platform

macOSApple

WindowsWindows

LinuxLinux

ChromeOSChromeOS

Suggest an editEdit Talk to an engineerTalk to us
Fleet logo
Multi platform Device management Orchestration Software management Integrations Pricing
Documentation Support Docs API Release notes Get your license
Company About News Jobs Logos/artwork Why open source?
ISO 27001 coming soon a small checkmarkSOC2 Type 2 Creative Commons Licence CC BY-SA 4.0
© 2025 Fleet Inc. Privacy
Slack logo GitHub logo LinkedIn logo X (Twitter) logo Youtube logo Mastadon logo
Tried Fleet yet?

Get started with Fleet

Start
continue
×