Sid 1-52205


OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt


This event is generated when an attempt to corrupt the memory of a Windows kernel driver is made via a malicious printer driver.


Local Privilege Escalation

Detailed information

The Windows win32k.sys kernel driver contains a memory corruption vulnerability that can lead to local privilege escalation. By installing a malicious user-mode printer driver, a local attacker can corrupt kernel memory and obtain privileges they should not otherwise have.
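Because the attack vector is an installed printer driver, a responder triaging this alert usually wants to know which printer drivers are present on the host and whether their files are signed by an expected party. The following PowerShell is an added triage example, not code from the rule page or from Cisco Talos; it uses the Win32_PrinterDriver WMI class (available on Windows 7) and Get-AuthenticodeSignature. The list of expected signer names is an assumption for the example and should be replaced with the vendors actually approved in your environment.

```powershell
# Added triage example, not part of the Talos rule documentation.
# Enumerates installed printer drivers via WMI (works on Windows 7 / PowerShell 2.0)
# and checks the Authenticode signature of each driver's core files, so an unsigned
# driver or one signed by an unexpected party stands out after this rule fires.
# No specific malicious driver name is assumed; the check is generic.

function Get-PrinterDriverSignatureReport {
    [CmdletBinding()]
    param(
        # Substrings of signer subjects treated as expected. Assumption for the
        # example; replace with the vendors your environment actually approves.
        [string[]]$TrustedSigners = @('Microsoft Windows', 'Microsoft Corporation')
    )

    $drivers = Get-WmiObject -Class Win32_PrinterDriver -ErrorAction Stop
    foreach ($drv in $drivers) {
        # A printer driver package is built around three files: the driver DLL,
        # its configuration DLL and its data file. Dependent files live alongside.
        $files = @($drv.DriverPath, $drv.ConfigFile, $drv.DataFile) |
            Where-Object { $_ -and (Test-Path -LiteralPath $_) }

        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $f
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            # Only a valid signature from a listed signer counts as expected.
            $trusted = $false
            if ($sig.Status -eq 'Valid' -and $signer) {
                foreach ($t in $TrustedSigners) {
                    if ($signer -like "*$t*") { $trusted = $true }
                }
            }

            # New-Object/Select-Object rather than [PSCustomObject] keeps this PS 2.0 compatible.
            New-Object -TypeName PSObject -Property @{
                Driver     = $drv.Name
                File       = $f
                Status     = $sig.Status
                Signer     = $signer
                Suspicious = (-not $trusted)
            } | Select-Object Driver, File, Status, Signer, Suspicious
        }
    }
}

# Usage: show only drivers whose files are unsigned, tampered, or signed by an unlisted party.
Get-PrinterDriverSignatureReport | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Legitimate third-party printer drivers are signed by their vendor rather than Microsoft, so anything flagged Suspicious is a review queue, not a verdict; the signature Status of HashMismatch or NotSigned on a driver file in a spooler directory is the result that most deserves attention. Run it in an elevated session so every driver path is readable.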

Affected systems

  • Windows 7

Ease of attack


False positives

False negatives

Corrective action

Apply the vendor patch and keep the system updated.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1393