Why is splunk-winprintmon.exe being run every minu...

tkw03 · ‎02-04-2021

Can someone tell me what this log record means? I see MANY of them across all my widows hosts but I am unsure of why its invoking winprintmon.exe? We ARE monitoring windows events on this machine BUT not printer monitoring.

02/03/2021 02:02:29 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=6417
EventType=0
Type=Information
ComputerName=hostname.domain.com
TaskCategory=System Integrity
OpCode=Info
RecordNumber=3903849
Keywords=Audit Success
Message=The FIPS mode crypto selftests succeeded.

	Process ID:		0x1e2c
	Process Name:		C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe

I am just unsure why its invoking winprintmon.

It seems to run every minute.

Thanks as always

scelikok · ‎02-04-2021

Hi @tkw03,

Splunk monitor processes are checked and restarted every 60 seconds even there is no active input.

You can disable them by adding below to inputs.conf on forwarders;

[WinPrintMon]
interval = -1
disabled = 1

. You may see splunk-* processes other than splunk-winevtlog.exe. You can do similar for them too.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Why is splunk-winprintmon.exe being run every minute?

inputs.conf

universal forwarder

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation