Questions

Answer for:

Who is using my printer?

Message 6 of 7

View entire thread
+
0 Votes
robo_dev

do a google search on "windows print queue forensics"

In XP, the spool files are in \Windows\system32\spool\printers.

Once a job has printed, these files are typically erased, but with a forensics utility and/or an undelete utility, you can recover and analyze the spool files.

The file you want to find is the spool shadow file (e.g. File001.SHD), which would contain the username, data/time, name of file printed, and file format.