3

I would like to read a user's spooled files. I'm writing a service to monitor the contents of %WINDIR%\system32\spool\PRINTERS **; however...

  • On Windows 7, a standard user cannot read this location.
  • On Windows 10, a standard user cannot read this location.
  • On Windows 11, a standard user cannot read this location.

Question(s):

  • Is there a documented or undocumented policy for allowing standard users to read this location or perhaps their own spooled files? (I understand file permissions may work around this, but I'd prefer to leave these alone since it's a system directory and a future update may revert this change.)
  • If not, is there a quick way to render spool files to user space? (Instruct the spooler to write these files to a user-readable location?)

**Note: The spool file location is currently retrieved from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory.

Possibly related: https://stackoverflow.com/questions/65778053

tresf
  • 309

2 Answers

1

Using PowerShell as an example for grabbing a spooled file (adjust as needed!) (Thanks to @swbbl for the recommendation)

$jobId = [string](Get-Printer | Get-PrintJob | Select -First 1).Id

$splFile = "$env:WINDIR\system32\spool\PRINTERS\" + $jobId.PadLeft(5, '0') + ".SPL"

Get-Item $splFile

This works because a user can read their own spooled documents, just not the parent directory.

tresf
  • 309
0

So in an odd turn of events, it appears that although the %WINDIR%\system32\spool\PRINTERS directory is not readable, spooled files you created are. So if you can get the jobId from Winspool/Win32 APIs, you can calculate the file name from the jobId (e.g. jobId: 7 ~= 00007.SPL) and read your own files.

This is because Windows adds special read permissions for the files you've created, at least for Windows 10 x86_64. Oddly, Windows 11 ARM64 does not, so it's not possible unless you change the spool file location.

Not all apps are OK with being denied parent file permissions.

cacls C:\WINDOWS\system32\spool\PRINTERS\00007.SPL

C:\WINDOWS\system32\spool\PRINTERS\00007.SPL WIN11\user:(ID)(special access:)

    STANDARD_RIGHTS_ALL
    DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    SYNCHRONIZE
    STANDARD_RIGHTS_REQUIRED
    FILE_GENERIC_READ
    FILE_GENERIC_WRITE
    FILE_READ_DATA
    FILE_WRITE_DATA
    FILE_APPEND_DATA
    FILE_READ_EA
    FILE_WRITE_EA
    FILE_DELETE_CHILD
    FILE_READ_ATTRIBUTES
    FILE_WRITE_ATTRIBUTES

For example, if your jobId is "7":

  • type C:\WINDOWS\system32\spool\PRINTERS\00007.SPL
    Access is denied.
  • notepad C:\WINDOWS\system32\spool\PRINTERS\00007.SPL
    ✅ Opens properly.
tresf
  • 309
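
The approach from the two answers above, as an added example that is not part of the original posts: it resolves the spool directory from the DefaultSpoolDirectory registry value mentioned in the question, derives the file name from the job ID, and reports whether the current user can actually open the file, since the answers note this differs between systems. The function names `Get-SpoolFilePath` and `Test-SpoolFileReadable` are hypothetical, and the five-digit `.SPL` naming is taken from the answers rather than from documentation.

```powershell
# Added example; function names are hypothetical, not part of any Windows module.
function Get-SpoolFilePath {
    param([Parameter(Mandatory)][int]$JobId)

    # Spool directory from the registry value named in the question,
    # falling back to the default location if the value cannot be read.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers'
    $dir = (Get-ItemProperty -Path $key -Name DefaultSpoolDirectory `
            -ErrorAction SilentlyContinue).DefaultSpoolDirectory
    if (-not $dir) { $dir = Join-Path $env:WINDIR 'system32\spool\PRINTERS' }

    # Naming scheme described in the answers: job 7 -> 00007.SPL
    Join-Path $dir ('{0:D5}.SPL' -f $JobId)
}

function Test-SpoolFileReadable {
    param([Parameter(Mandatory)][int]$JobId)

    $path   = Get-SpoolFilePath -JobId $JobId
    $result = [pscustomobject]@{
        JobId = $JobId; Path = $path; Readable = $false; Bytes = 0; Error = $null
    }
    try {
        # Open by full path: no listing of the parent directory is required.
        # Permissive sharing, because the spooler may still hold the file open.
        $share = [System.IO.FileShare]'ReadWrite, Delete'
        $fs = [System.IO.File]::Open($path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, $share)
        try     { $result.Bytes = $fs.Length; $result.Readable = $true }
        finally { $fs.Dispose() }
    }
    catch {
        # Access denied (no per-file ACE for this user) or file not found
        # (job already despooled, or a different naming scheme) both land here.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    $result
}

# Check every job visible to the current user.
Get-Printer | Get-PrintJob | ForEach-Object { Test-SpoolFileReadable -JobId $_.Id }
```

A service that depends on this should treat `Readable = $false` as an expected outcome and log the `Error` text, rather than assuming the per-file permission is always present.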