Printers in sandboxes

Previously I have described how the spooler process can fall over due to any 3rd party module loaded into it:
https://blogs.technet.com/mrsnrub/archive/2009/04/24/who-is-more-the-spool-the-spool-or-the-spool-who-follows-the-spool.aspx

With Windows 7, and more importantly Windows Server 2008 R2, we have the very cool functionality to allow printer isolation – for those printers that support it (i.e. don’t call spooler functions directly).

On a per-printer basis, Print Driver Isolation (PDI) has 3 possible modes:
- NONE – traditional “modules all loaded and executed within spoolsv.exe”
- SHARED – consider this similar to the IIS web application pool model where multiple apps share a process
- ISOLATED – the printer driver is loaded into its own process, spawned by DCOM

You can read more detail on this feature here:
https://blogs.technet.com/askperf/archive/2009/10/08/windows-7-windows-server-2008-r2-print-driver-isolation.aspx
https://msdn.microsoft.com/en-us/library/ff560836.aspx

The MSDN article also shows how you can manually modify a .INF file to have the driver report that it supports isolation (obviously test this, as only the manufacturer can indicate whether they support this).

So if you have a rogue printer driver that doesn’t play nicely with the other children, maybe it can be tested in its own sandbox…