Add printer driver entries to ignored paths

[atc0005]

Overview

Recently we've seen a spread of alerts related to pending file rename operations associated with printer drivers, all of which have been determined to not require a system reboot.

Example:

• Value PendingFileRenameOperations of type MULTI_SZ for key HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Session Manager found Entries [54 total, 52 skipped]: C:/Windows/system32/spool/V4Dirs/F8018001-864E-4D9C-952D-802CF423E5B8/3c7e7fad.BUD, C:/Windows/system32/spool/V4Dirs/F8018001-864E-4D9C-952D-802CF423E5B8/3c7e7fad.gpd

All told, I've seen these two paths referenced thus far:

• C:\Windows\system32\spool\DRIVERS\x64
• C:\Windows\system32\spool\V4Dirs

It's probably worth adding explicit entries to ignore spool paths for the time being.

References

• https://social.technet.microsoft.com/Forums/lync/en-US/851cd514-e5e1-4428-9055-f1f45aff9208/what-is-cwindowssystem32spoolv4dirs-?forum=winserverprint
• GH-32

[atc0005]

Some additional thoughts that came to me earlier:

• new flag with a specific keyword to ignore all entries for the PendingFileRenameOperations registry key value
• extend ignore support (which is roughly what I've already implied) to allow ignoring specific patterns within MULTI_SZ registry key value types
  • would treat provided slice of values as patterns to match (i.e., "contains")
  • e.g., spool
  • e.g., firefox
  • e.g., chrome

[atc0005]

It's probably worth adding explicit entries to ignore spool paths for the time being.

It doesn't look like this support is available yet. There is support for ignoring paths, but not specific values in a given registry key.