Printers in sandboxes

Previously I have described how the spooler process can fall over due to any third-party module loaded into it:

With Windows 7, and more importantly Windows Server 2008 R2, we have the very cool functionality to allow printer isolation – for those printers that support it (i.e. don’t call spooler functions directly).


On a per-printer basis, Print Driver Isolation (PDI) has 3 possible modes:
- NONE – traditional “modules all loaded and executed within spoolsv.exe”
- SHARED – consider this similar to the IIS web application pool model where multiple apps share a process
- ISOLATED – the printer driver is loaded into its own process, spawned by DCOM

You can read more detail on this feature here:


The MSDN article also shows how you can manually modify a .INF file to have the driver report that it supports isolation (obviously test this, as only the manufacturer can indicate whether they support this).

So if you have a rogue printer driver that doesn’t play nicely with the other children, maybe it can be tested in its own sandbox…