Windows Protected Print Mode
techcommunity.microsoft.com
This is a step in the right direction, but IMO not far enough. Printers can (IIUC) cause the client machines to automatically install “printer support apps”, which are like somewhat limited drivers. They do this stuff:
https://learn.microsoft.com/en-us/windows-hardware/drivers/d...
This includes intercepting the raw XPS data being sent to the printer and modifying it.
It looks like these things are lightly sandboxed, but that’s not enough. These apps get access to extremely sensitive data, and they should be very sandboxed. IMO it should have input access to the document and printer settings, output access to what gets printed, and that’s it. No network, no storage, no Windows API, etc. Think wasm-style sandboxing.
But I don’t think MS thinks like this.
You very often also need some backchannel from the printer, e.g. for toner levels, available paper sizes, installed options. But there is a more important point:
Printer manufacturers also don't think like this. They desperately want to know what you are printing, order overpriced ink for you, sell additional services like print-by-mail, etc. All that won't work without lots of permissions for the printer support apps.
If it were just about the conversion path (print job, settings) -> (printer data stream), a PDL, a filter program and a sandbox would be totally sufficient and nobody would ever need a "printer support app". If a printer needs such an app, it is already using too many privileges anyway; printer support apps should never actually be needed.
Edit: typo.
> Printer manufacturers also don't think like this
at this point, what are they gonna do? Not provide windows drivers?
My family has an HP printer. My father uses Windows, and has had to install an HP app to scan documents. My Mac, on the other hand, can connect, print, and through the built-in "Printers & Scanners" panel in System Settings, or through the Print Center app.
I think this is probably a solved problem. Windows would have to support whatever API Macs use.
CUPS runs fine on windows as it is.
The problem isn't a technical one.
Provide drivers using the old model and a set of instructions to enable that.
Edit: I guess instructions won't even be necessary; as far as I've understood, there will just be a warning. And users are already trained to just ignore those.
> You very often also need some backchannel from the printer, e.g. for toner levels
Fine. That runs in a separate sandbox with access to the printer and the ability to display a UI. No other privileges.
> Printer manufacturers also don't think like this.
This is irrelevant. The whole article is about MS forcing a certain model on printer manufacturers.
Yes, we played with printing hooking [1] with the XPS Print API. Capturing and modifying the original document.
Source code available.
[1] https://blog.nektra.com/2015/10/20/instrumenting-the-windows...
What I do not understand is why the print spooler runs as the highest-privileged SYSTEM account. Any vulnerability in the print stack is basically game over. It seems to me that changing this is long overdue and should be possible without dropping support for all old drivers (and printers).
It goes all the way back to Windows 3.11, where printer drivers often directly fiddled the Centronics parallel port themselves.
The Centronics port is nominally one-way, but it didn't take long for people to realize you could use it for bidirectional communication, thanks to a self-test feature IBM built into the original PC's parallel port adapter, which everybody copied faithfully.
The most famous use was probably "LapLink" which enabled fast file transfer via a special cable.
Printers and their matching drivers used the bidirectional communication to provide more detailed status information than the single "Paper Out" signal.
And the rest, as they say, is a parade of horribles.
> And the rest, as they say, is a parade of horribles
The most ‘fun’ of these was when Microsoft marketing came up with the “Plug and Play” (https://en.wikipedia.org/wiki/Legacy_Plug_and_Play), and the engineers had to implement it for this port.
So, you have a port designed so that writing anything to it prints a character, but you somehow have to figure out what (if anything) is attached to it without making a printer attached to it print anything, a CD writer write, a hard disk lock up, etc., with each device possibly having its own devious way of doing two-way communication over that port (by the time Windows 95 came out, how to do that was more or less settled, but users still had tons of old hardware and/or older parallel ports that behaved slightly differently).
If not for the time pressure to ship something, I think it must have been fun to work in the Microsoft department developing that feature with hundreds of obscure parallel port devices.
And of course, it never worked perfectly. How could it? I know people who had a device that erroneously got detected as a tape drive, making ¿Windows NT 4? pop up some dialog for attaching it.
>It goes all the way back to Windows 3.11, where printer drivers often directly fiddled the Centronics parallel port themselves.
I know a large bank who had a well paid dev on the payroll whose job was exclusively reverse engineering, patching and writing Windows printer drivers so their old specialized institutional printers could keep working on modern Windows because the printer manufacturer would not publish newer drivers.
Printing is still a very important part of many wealthy legacy industries which explains why there's so much fuss around it.
Worth noting that in true Microsoft fashion, Windows Protected Print Mode will still co-exist with the printer driver subsystem it's supposedly replacing:
>Q: Will Windows prevent installation of new printer drivers?
>A: Windows will continue to allow vendor-supplied printer drivers to be installed via separate installation packages.
My sincere kudos to them, Apple/Google/FOSS would have thrown out the old with no regard.
Windows has tried to "fix" printing several times now; the architecture is so deeply cursed that every time they do, it breaks the ecosystem completely. I assure you that Windows engineers in 2023 are very much aware of how terrible printing in Windows is.
It's hard to underestimate how poor the software coming out of printer manufacturers is.
This is well overdue, the existing situation is dire not just in terms of security but the general quality of software from the printer manufacturers.
However this is going to break a lot of existing applications. The printer manufacturers have been laggards when it comes to adopting v4 drivers which date back to Vista.
No doubt manufacturers will use this as an excuse to force users into buying a new model, blaming Microsoft in the process.
I use two printers with “Driverless CUPS” currently. One is a 10+ year old HP, and the other a 20+ year old Xerox.
When done right, you don’t need new printers.
You just need to buy network-ready printers with native PostScript or PDF support. Then it has always worked.
But most "cheap" (if not accounting for consumables) inkjet crap isn't like that.
I know some folks out there bragging about saving on toner by still repairing an HP LaserJet 2… I can’t see this being an easy transition…
Those LaserJets often already do support LPR and IPP. Some of this is just further pushing tech that's been in Windows since Windows 2000 and deprecating the old stuff.
As long as you can send PS, PCL or PDF to the printer via some "standard" network protocol (IPP, LPD, LPR, JetDirect), the "driver" will just be a PDL file and won't need any special privileges.
Easy enough to set up a Raspberry Pi as an IPP server.
I wonder if this will impact specialized photo and other graphic art printers? Things like the large format Epson and other Pro printers. What about plotters and vinyl cutout printers?
They usually have a ton of driver specific settings, etc. for tuning the output. How will these settings be managed without drivers specific to them?
Their manufacturers have better incentive to provide quality drivers. For models after EoL there's always the "an old machine, dedicated, not connected to network" solution.
I wish I knew anything about printing, but why can’t my computer just send a PDF to the printer and have it deal with the details itself? I don’t quite understand the need for the computer to have to get into the nitty gritty other than just sending the source and a JSON. Printers nowadays can handle the printing autonomously (obviously, since they can print via WiFi/Bluetooth/pendrive since 2005).
You need the user to select paper trays, simplex or duplex, etc. For bigger devices that might include document finishing options. Label printers might have a guillotine. Print/release where you need a pin at the printer to release the document are becoming more prevalent.
All this requires some interaction with the user. IPP Everywhere covers a lot but I'm guessing there will be some niche requirements that it misses.
This happens at a different layer than the printer driver; you just need to modify the postscript.
Paper trays, duplex, duplex with tumble, and cutting are specifiable in postscript; this is `setpagedevice`. Even things like custom stapler options (staple first two pages, etc) can be specified. See something like https://support.hp.com/us-en/document/bpp01888 for docs
As I said IPP Everywhere covers a lot but there will always be requirements that haven't been considered.
Business laser printers were always like that in regards to PostScript, followed by PDF, assuming your wallet is comfortable with it.
Those kinds of printers aren't used to print things directly from within WinWord.exe though.
Might be don’t update situations.. errh
It's written in the linked article actually, there will be new lower privileged apps that can do this
Looks like all printers will need to be Mopria certified, which is the first time I've heard of this certification:
Mopria is a certification program for / dialect of IPP[0]. Same thing with AirPrint, which is the iOS equivalent. Pretty much every printer made in the last decade speaks enough IPP to network print on at least iOS and Android; Microsoft is just leveraging that to seal HP's garbage code out of the spooler process.
[0] https://en.wikipedia.org/wiki/Internet_Printing_Protocol
Incredibly fittingly, that page just shows me `Undefined constant "C_DESCRIPTION_SOFTWARE"`. Presumably it doesn't support deep linking?
From the comment section it appears that it just needs to support the mopria standard. There is no requirement that it is actually certified.
Question: why can't printers act like web servers? Just receive a REST API request and then proceed to do their own thing (aka drive the printer to execute the request). Why does my computer need to know how to operate the printer?
That's what IPP and IPP Everywhere do, and as far as I know, most modern printers support it, even using it over USB. IIRC it only specifies a common set of print options, so you might need a driver for anything more, but basic printing should "just work".
This is basically how laser printers with PostScript work. Classical UNIX printing was nothing more than sending a PostScript file over the network to the printer; turns out not everyone wants to pay the prices they usually have.
Some problems arise when users print large high resolution images. Printers often don't have the buffer to store it all and so it needs to be sent in chunks/streams etc. There are other examples; this is just one.
So basically the blocker is the cost of having a processor and sufficient memory in the printer? Judging from smartphones, the BOM of that would be like less than $10?
I saw that a Motorola G Play smartphone with MT6765 and 3 GB of RAM is <$70.
If the recent revelations in the Epic vs Google court case are anything to go by, Motorola is likely getting paid by Google for every single Google search and Google Play Store transaction that occurs on that phone. It could even be sold at a loss. I don't think pointing at a low-cost smartphone is a very useful point of reference given that context.
However, I think there are plenty of Linux SBCs (single board computers) that have 4GB of RAM for around $50, just no screen, GPS, cellular modem, cameras, speakers... all sorts of things that add cost to a cell phone. $10 is a far-fetched claim, in my opinion, and citations are needed. The Pi Zero 2W is $15 and only has 512MB of RAM. So, sure, let's go with $50.
Have you considered how cheap printers are? I see multiple inkjet printers on Amazon that cost $59. Adding $50 would nearly double the price of the unit. Other manufacturers would eat their lunch, so you can see why no one is rushing to offer a $59 printer with an additional $50 worth of computer built in. Even if it were "only" $25 extra, that is still significant.
At the higher end, printers do start to include more of everything, but those aren't the printers the average consumer is buying.
MTK6765V is $9.9 [1]; 3 GB LPDDR3 is $10 [2].
[1] https://www.martview.com/mtk-cpu-mt6765v-cb-1839-amsh-btpkvx... [2] https://tinyurl.com/5zretykj
Plus I doubt that a printer needs that much memory or strong cpu to print.
Two components do not make a product. The SBC market is a better litmus test for the real costs. There is plenty of competition making products of all kinds.
This is literally what's proposed here. The keyword is "Driverless printing" or in some contexts "IPP".
But sometimes that's not quite enough, the world of hardware is complex. Not every printer is your office Letter sized paper spewing box.
Some printers do that. Xerox uses their own wsprint, which uses HTTP. Why they use their own thing instead of IPP, I have no idea… macOS uses IPP if the printer supports it. Maybe IPP is not working well over USB.
Obviously the printing situation has been a nightmare for everyone involved for years. That said, Microsoft et al have made me so cynical at this point that I can’t read about “protected printing”, “secure printing”, and “putting the user first” without assuming this is a way to put some DRM filters in place to make sure you don’t print out those locked PDFs regardless of what tool you’re using. I’ll be glad to be wrong.
The worry there would have to be from a PDF requiring some secure signing key in Adobe Reader or something like that.
Otherwise you can always decrypt/unlock a PDF using open source software.
I read the article and am not sure if this will be implemented in Windows 10 or not. I still use a 20 year old HP LaserJet via Vista drivers that install OK for now; will I be forced to get a new printer?
No, but you may need to put a $35 Raspberry Pi CUPS server on it to turn it into a network printer.
And you can even get AirPrint compatibility. My Samsung laser printer driver wasn't working on Apple Silicon anymore (the printer is from 2007) but since CUPS supports it and AirPrint doesn't seem to require too much from a printer I was able to get it working fine with a Pi. And it's handier to use than ever before.
I guess Windows/Android have something similar.
Windows 10 will meet EOL in 2025, which coincides with the ceasing of publishing printer drivers to Windows Update. Anything beyond that likely won't apply since Windows 10 past 2025 will either be out of support or only getting security updates.
The key point here is that Microsoft will refuse to WHQL-sign or publish third-party printer drivers from 2027 onwards.
Third-party drivers, without WHQL-signing, will continue to be installable past 2027 on the provided timeline if the manufacturer provides them.
Presumably there exists (or will exist?) a WHQL-signed minidriver that passes any processing step to a userland process?
It is only for resource-constrained machines of the early 1990s that printer drivers needed any kind of kernel-level access to a system; with IPP and modern USB stacks no longer needing any kind of kernel module, I'm not seeing how this should be a problem for anyone except domestic spy agencies losing the ability to surreptitiously intercept every printed document.
In response to these comments, I can only point to the instructions I followed, from this 2016 post[0].
"The HP forums say it’s not possible, but it’s actually pretty easy to do. [...] Windows will try to install it and it will look like it’s installed but it wont actually work. You’ll be able to see it in the device manager as an “unspecified device”, but you wont be able to print."
[0] https://www.davemroz.com/installing-hp-laserjet-1012-windows...
Windows comes with a generic PCL6 driver which should be fine with a 20 year old LaserJet.
I’ve been printing using IPP with Haiku for years (since no drivers), works well. Good to see Windows finally go down this route as well, since installing crappy printer drivers was always an issue (dealing with vendor crapware).
I've been printing using IPP with Windows for decades. Good to see Haiku finally go down this route as well.
Any printer you've used in Haiku with IPP has worked in Windows with IPP since Windows 2000.
It sounds like you daily drive Haiku as your primary OS! Fascinating!
Do you dual-boot Linux or Windows at all?
I'm guessing you put up with one of them (or something made by Apple) at work...?
Can I put a USB printer in the USB port of my router and get network printing? I don't want to use WiFi printing nor want to keep one PC on the network on at all times which HAS to print one page before others on network can print using it.
This is a Windows network BTW.
It would depend entirely on the software running on your router.
Would most likely just be CUPS?
> Can I put a USB printer in the USB port of my router and get network printing?
Probably, if the router's firmware supports the feature. Usually you'll be able to use AppSocket/JetDirect <https://www.cups.org/doc/network.html>, so the printer's address would be `socket://router/`.
Printing through the router is not guaranteed to work, though. I have one 4x6 USB label printer that does not work correctly this way with my Asus router, while other USB printers do. That same printer does print correctly when using a Raspberry Pi running CUPS.
Wouldn't this come down to the printer manufacturers?
They would need an internal NAT driver via USB.. Windows could then pick it up as a networked printer. But Windows won't go try to detect your printer plugged into the router..
If I understood your question correctly.
Yeah
If IPP is HTTP-based, would it be possible to print directly from the browser to the printer, regardless of OS?
That would be kinda cool or am I misunderstanding something?
If your printer for example supports IPP and Postscript or PDF then that would be possible. Higher end (commercial) HP printers usually offer this functionality. Take a look at CUPS [1] if you want to know more about IPP.
The real problem is the printer makers want to make printers as cheap as possible and sell lots of ink to rake in the $.
An actual good printer would have enough compute (Raspberry Pi would be sufficient) and storage (a small ssd) to handle the task by itself. Then printing is nothing more than copying a file to the printer.
>The real problem is the printer makers want to make printers as cheap as possible
I don't think they want to. They are forced into it by the razor thin margins on cheap hardware. It's a race to the bottom.
> Over the past year, the MORSE team has been working in collaboration with the Windows Print team to modernize the Windows Print System
So that's why printing in Win 10 is a mess, with no standard print dialogue and no print preview.
I just want to know which older printers will be no longer supported because they have an obscure page description language and their drivers will be blocked.
Is this some conspiracy with printer vendors to drastically increase sales?
I have two old photo printers that work quite well and replacing them would be extremely expensive. The driver among other things contains features to match up color profiles.
I have label printers that are old that also work well.
All rely on custom printer drivers.
I hope this new system is going to be phased in over a long timeframe, so I can keep using old printers. Even if it were possible to write software to integrate these printers with the new system, no printer manufacturer is going to revisit 10- to 15-year-old printers with a new set of drivers.
You really need to blame the printer manufacturers. Microsoft released XPS based drivers with Windows Vista in 2007. It was back ported to XP and in beta for a long time before release. Despite that the printer manufacturers are still releasing V3 drivers (GDI based) today.
It seems they won't move forward unless they are forced to. It's about time.
I'd be much happier if they could just adopt and contribute to CUPS like everyone else.
CUPS is the exact opposite of modern and has many of the problems they describe in the article you commented on.
According to the article, they're moving people to IPP (the protocol CUPS uses), with the difference that it will warn if configured with encryption disabled (I can't be bothered to check to see what CUPS does for transport encryption by default, but according to MS, it does support it out of the box).
Other things they mention are just a function of having access to the source code (CUPS drivers are mostly open source), and not letting people install DLLs with elevated privilege over the printer network port (as far as I know, this was never a thing that CUPS supported). They mention XPS (isn't that dead yet? Is it more secure than PDF/A, or PS?) and Mopria (not sure what this is, but the specifications page on their webpage only mentions things that are obvious security holes: piping your print spool through the cloud, and having the device advertise using Bluetooth Low Energy).
Anyway, CUPS has none of the problems mentioned in the article from what I can see. (Except that it might be common practice to misconfigure it with transport security disabled).
> According to the article, they're moving people to IPP (the protocol CUPS uses)
I'd hate to spoil your revisionist history, but Windows has supported IPP out of the box since Windows 2000 (in 1999), right around the same time CUPS had its very first release.
CUPS did not invent IPP.
What eventually became IPP was initially proposed by Novell ('memba them?) back in 1996.
The difference is Windows already had this entire ecosystem of legacy print drivers whereas Linux had barely-functioning print services at the time. It's easier to move to something new when you can scrap the past wholesale.
It's amazing that Linux (and Mac and Solaris etc.) having decent printing is largely because of the work of one guy.
So, then what is this announcement? They're moving to WPP, which is... IPP but it warns on crypto downgrade, and is maybe incompatible?
I thought Windows defaulted to SMB for printer discovery, and not IPP. Anyway, from the announcement, they don't seem to be improving on what I'm used to getting from CUPS.
Maybe the announcement means "IPP Everywhere" instead of "IPP".
That is the set of extensions to IPP that adds network discovery (via multicast DNS) and 'driverless' printing (by mandating that printers support standard document formats). It probably also includes a standardised way for clients to find out what paper sizes, duplex, quality, etc. settings the printer has.
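The "standardised way for clients to find out" capabilities is the IPP Get-Printer-Attributes operation. As an added example (not code from the thread, CUPS or Mopria), the block below encodes that request in the binary IPP wire format of RFC 8010 and decodes a reply into a dictionary of capability attributes; the reply it parses is constructed locally with the same encoder, not captured from a real printer, and the printer URI is a placeholder.

```python
"""Encode an IPP Get-Printer-Attributes request and decode the reply (RFC 8010/8011).
Added example, not from the thread or any vendor; the printer URI is a placeholder."""
import struct
import urllib.request

GET_PRINTER_ATTRIBUTES = 0x000B
# Delimiter and value tags from RFC 8010 section 3.5
TAG_OPERATION_ATTRS, TAG_END, TAG_PRINTER_ATTRS = 0x01, 0x03, 0x04
TAG_INTEGER, TAG_BOOLEAN, TAG_ENUM = 0x21, 0x22, 0x23
TAG_KEYWORD, TAG_URI, TAG_CHARSET, TAG_LANGUAGE = 0x44, 0x45, 0x47, 0x48
STRING_TAGS = {0x41, 0x42, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49}


def encode_attr(tag, name, values):
    """One attribute; extra values repeat the tag with an empty name (RFC 8010 3.1.4)."""
    out = bytearray()
    for i, v in enumerate(values):
        if tag in (TAG_INTEGER, TAG_ENUM):
            data = struct.pack(">i", v)
        elif tag == TAG_BOOLEAN:
            data = b"\x01" if v else b"\x00"
        else:
            data = v.encode("utf-8")
        n = name.encode("utf-8") if i == 0 else b""
        out += struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(data)) + data
    return bytes(out)


def build_get_printer_attributes(printer_uri, requested, request_id=1):
    """IPP/2.0 header, operation-attributes group, end-of-attributes tag."""
    hdr = struct.pack(">HHI", 0x0200, GET_PRINTER_ATTRIBUTES, request_id)
    body = bytes([TAG_OPERATION_ATTRS])
    body += encode_attr(TAG_CHARSET, "attributes-charset", ["utf-8"])
    body += encode_attr(TAG_LANGUAGE, "attributes-natural-language", ["en"])
    body += encode_attr(TAG_URI, "printer-uri", [printer_uri])
    body += encode_attr(TAG_KEYWORD, "requested-attributes", requested)
    return hdr + body + bytes([TAG_END])


def decode_response(data):
    """Return (status_code, {attribute_name: [values]}); truncated input raises struct.error."""
    _version, status, _request_id = struct.unpack(">HHI", data[:8])
    pos, attrs, last_name = 8, {}, None
    while pos < len(data):
        tag = data[pos]; pos += 1
        if tag == TAG_END:
            break
        if tag < 0x10:            # group delimiter; attribute names restart
            last_name = None
            continue
        name_len, = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        name = data[pos:pos + name_len].decode("utf-8"); pos += name_len
        val_len, = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        raw = data[pos:pos + val_len]; pos += val_len
        if tag in (TAG_INTEGER, TAG_ENUM):
            value = struct.unpack(">i", raw)[0]
        elif tag == TAG_BOOLEAN:
            value = raw == b"\x01"
        elif tag in STRING_TAGS:
            value = raw.decode("utf-8")
        else:
            value = raw           # unknown/complex types stay as bytes rather than guessed
        if name_len == 0:         # additional value for the preceding attribute
            if last_name is None:
                raise ValueError("additional value without a preceding attribute")
            name = last_name
        attrs.setdefault(name, []).append(value)
        last_name = name
    return status, attrs


def send_ipp(http_url, payload):
    """POST the message as application/ipp (RFC 8010 section 4). ipp://host/ipp/print
    maps to http://host:631/ipp/print; use https:// (ipps) where the printer offers it."""
    req = urllib.request.Request(http_url, data=payload,
                                 headers={"Content-Type": "application/ipp"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def sample_response():
    """Constructed successful-ok reply for offline use (not captured from a real printer)."""
    hdr = struct.pack(">HHI", 0x0200, 0x0000, 1)
    body = bytes([TAG_OPERATION_ATTRS])
    body += encode_attr(TAG_CHARSET, "attributes-charset", ["utf-8"])
    body += encode_attr(TAG_LANGUAGE, "attributes-natural-language", ["en"])
    body += bytes([TAG_PRINTER_ATTRS])
    body += encode_attr(TAG_KEYWORD, "media-supported", ["iso_a4_210x297mm", "na_letter_8.5x11in"])
    body += encode_attr(TAG_KEYWORD, "sides-supported", ["one-sided", "two-sided-long-edge"])
    body += encode_attr(TAG_KEYWORD, "document-format-supported", ["application/pdf", "image/pwg-raster"])
    body += encode_attr(TAG_ENUM, "printer-state", [3])          # 3 = idle
    body += encode_attr(TAG_BOOLEAN, "printer-is-accepting-jobs", [True])
    return hdr + body + bytes([TAG_END])


if __name__ == "__main__":
    req = build_get_printer_attributes("ipp://printer.example:631/ipp/print",
                                       ["media-supported", "sides-supported"])
    print(req.hex())
    print(decode_response(sample_response()))
```

Running it against a real device would replace `sample_response()` with `send_ipp("https://printer.example:631/ipp/print", req)`; the decoder deliberately leaves value types it does not know as raw bytes instead of interpreting them, which is the safe default for data arriving from a device you do not control.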
Mopria is a printing standard - https://mopria.org/alliance-faqs
A “Universal Standard” — only available to alliance members.
Sorry Linux.
Meh. CUPS already works with IPP printers.
Can we just remove all printing functionality from the OS?
Printers are mostly networked in today's world. And the OS usually isn't involved when an application wants to talk to another device on the network beyond TCP connections etc.
Just get the application to (using a library), connect directly to the printer, submit its job, show status, and disconnect when done.
The last thing I want is every application to have a different interface to connect, configure and select printers. I think having it be a user-space library is a great idea but I would like that library to be provided by the OS. That way I can use a common interface for connecting and configuring defaults for printers that are then available in all apps. Then the app can use that library to fire jobs to the printer. (Maybe with some provided common UI component)
Like CUPS or something?
CUPS subsystem for Windows™
It would be Windows™ subsystem for CUPS.
>Printers are mostly networked in today's world.
I never connect printers directly to the network because their firmware/OS are all flaming pieces of garbage with terrible UIs and conventions. In my house, all network printers are connected to the home server (running Windows Server) and it's the home server that actually deals with presenting the printers to the network.
The time and nerves I've saved by having an actual, proper operating system handle the networking is immeasurable.
While I completely agree with you, cheap printers do a lot of heavy lifting in the printer driver, so we'd have to give up on $100 inkjets. Which we really should do, but, well, good luck with that.
Nowadays, cheap printers have to work with Android, which means they have to speak IPP. At least for basic printing, crappy drivers have been a thing of the past for a while now.