nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Npcap OEM 0.9990: Driver install warning/prompt on WS2008R2; silent install fails #107

Closed akontsevoy closed 4 years ago

akontsevoy commented 4 years ago

Greetings,

On a fully patched Windows Server 2008 R2 x64 (including the all-important SHA2 patch, KB3033929), I am still getting failures of silent installation thanks to "untrusted" drivers. Comodo's CA certs are added to the Windows trusted root and intermediate cert stores, and the Insecure.com LLC certificate is added to the trusted publishers store. Npcap 0.9984 (the last version signed by DigiCert, as opposed to Comodo) does not suffer from this problem. The logs below indicate that Windows can't build the certificate chain up to a trusted root (which is, for kernel drivers, apparently only "Microsoft Code Verification Root"). But I can't seem to find any fault with the driver package; its npcap.cat seems to include all intermediate certificates, including COMODO RSA Certification Authority cross-signed by Microsoft Code Verification Root. What's worse, signtool.exe /kp validates the package just fine on the target system!

Note that the prompt is different than an unsigned driver prompt that you'd see on Windows Server 2008 (non-R2) which does not support SHA2 signatures.

Contents of NPFInstall.log:

[00000C68] 2020-04-16 18:41:23 --> wmain
[00000C68] 2020-04-16 18:41:23     _tmain: executing, argv[0] = C:\Program Files\Npcap\NPFInstall.exe.
[00000C68] 2020-04-16 18:41:23     _tmain: executing, argv[1] = -n.
[00000C68] 2020-04-16 18:41:23     _tmain: executing, argv[2] = -c.
[00000C68] 2020-04-16 18:41:23 --> ClearDriverStore
[00000C68] 2020-04-16 18:41:23 --> executeCommand
[00000C68] 2020-04-16 18:41:23     executeCommand: executing, strCmd = pnputil.exe -e.
[00000C68] 2020-04-16 18:41:23     executeCommand: result = Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Microsoft
Class :                     Printers
Driver date and version :   06/21/2006 6.1.7600.16385
Signer name :               Microsoft Windows

Published name :            oem1.inf
Driver package provider :   Microsoft
Class :                     Printers
Driver date and version :   06/21/2006 6.1.7601.17514
Signer name :               Microsoft Windows

Published name :            oem2.inf
Driver package provider :   Citrix Systems, Inc.
Class :                     Storage controllers
Driver date and version :   06/15/2012 6.0.2.56921
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem3.inf
Driver package provider :   Citrix Systems, Inc.
Class :                     System devices
Driver date and version :   07/19/2011 5.9.960.49119
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem4.inf
Driver package provider :   Citrix Systems, Inc.
Class :                     System devices
Driver date and version :   03/15/2012 6.0.2.54160
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem5.inf
Driver package provider :   Citrix Systems, Inc.
Class :                     Network adapters
Driver date and version :   07/19/2011 5.9.960.49119
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem6.inf
Driver package provider :   Citrix Systems, Inc.
Class :                     System devices
Driver date and version :   01/20/2012 6.0.2.52988
Signer name :               Microsoft Windows Hardware Compatibility Publisher

.
[00000C68] 2020-04-16 18:41:23 <-- executeCommand
[00000C68] 2020-04-16 18:41:23 --> getInfNamesFromPnpUtilOutput
[00000C68] 2020-04-16 18:41:23 <-- getInfNamesFromPnpUtilOutput
[00000C68] 2020-04-16 18:41:23 <-- ClearDriverStore
[00000C68] 2020-04-16 18:41:23     _tmain: succeed, nStatus = 0.
[00000C68] 2020-04-16 18:41:23 <-- wmain
[00000EF8] 2020-04-16 18:41:23 --> wmain
[00000EF8] 2020-04-16 18:41:23     _tmain: executing, argv[0] = C:\Program Files\Npcap\NPFInstall.exe.
[00000EF8] 2020-04-16 18:41:23     _tmain: executing, argv[1] = -n.
[00000EF8] 2020-04-16 18:41:23     _tmain: executing, argv[2] = -iw.
[00000EF8] 2020-04-16 18:41:23 --> InstallWFPCallout
[00000EF8] 2020-04-16 18:41:23 --> GetWFPCalloutInfFilePath
[00000EF8] 2020-04-16 18:41:23     lpFilename = C:\Program Files\Npcap\NPCAP_wfp.inf
[00000EF8] 2020-04-16 18:41:23 <-- GetWFPCalloutInfFilePath
[00000EF8] 2020-04-16 18:41:23 --> isFileExist
[00000EF8] 2020-04-16 18:41:23     FindFirstFile: succeed, szFileFullPath = C:\Program Files\Npcap\NPCAP_wfp.inf.
[00000EF8] 2020-04-16 18:41:23 <-- isFileExist
[00000EF8] 2020-04-16 18:41:23     LaunchINFSectionEx: executing, szCmd = C:\Program Files\Npcap\NPCAP_wfp.inf,DefaultInstall,,36,N.
[00000EF8] 2020-04-16 18:41:23 <-- InstallWFPCallout
[00000EF8] 2020-04-16 18:41:23     _tmain: succeed, nStatus = 0.
[00000EF8] 2020-04-16 18:41:23 <-- wmain
[00000578] 2020-04-16 18:41:23 --> wmain
[00000578] 2020-04-16 18:41:23     _tmain: executing, argv[0] = C:\Program Files\Npcap\NPFInstall.exe.
[00000578] 2020-04-16 18:41:23     _tmain: executing, argv[1] = -n.
[00000578] 2020-04-16 18:41:23     _tmain: executing, argv[2] = -i.
[00000578] 2020-04-16 18:41:23 --> PacketInstallDriver60
[00000578] 2020-04-16 18:41:23 --> InstallDriver
[00000578] 2020-04-16 18:41:23 --> GetServiceInfFilePath
[00000578] 2020-04-16 18:41:23     lpFilename = C:\Program Files\Npcap\NPCAP.inf
[00000578] 2020-04-16 18:41:23 <-- GetServiceInfFilePath
[00000578] 2020-04-16 18:41:23 --> InstallSpecifiedComponent
[00000578] 2020-04-16 18:41:23 --> HrGetINetCfg
[00000578] 2020-04-16 18:41:23 <-- HrGetINetCfg
[00000578] 2020-04-16 18:41:23 --> HrInstallNetComponent
[00000578] 2020-04-16 18:41:24     SetupCopyOEMInfW: error, errCode = 0xe0000247.
[00000578] 2020-04-16 18:41:24 <-- HrInstallNetComponent
[00000578] 2020-04-16 18:41:25     Error 0xe0000247: Couldn't install the network component.
[00000578] 2020-04-16 18:41:25 --> HrReleaseINetCfg
[00000578] 2020-04-16 18:41:25 <-- HrReleaseINetCfg
[00000578] 2020-04-16 18:41:25 <-- InstallSpecifiedComponent
[00000578] 2020-04-16 18:41:25     Error 0xe0000247: InstallSpecifiedComponent

[00000578] 2020-04-16 18:41:25 <-- InstallDriver
[00000578] 2020-04-16 18:41:25 <-- PacketInstallDriver60
[00000578] 2020-04-16 18:41:25     _tmain: error, nStatus = -1.
[00000578] 2020-04-16 18:41:25 <-- wmain

Contents of SetupAPI.dev.log:

>>>  [SetupCopyOEMInf - C:\Program Files\Npcap\NPCAP.inf]
>>>  Section start 2020/04/16 18:41:23.881
      cmd: "C:\Program Files\Npcap\NPFInstall.exe" -n -i
     sto: {Import Driver Package: C:\Program Files\Npcap\NPCAP.inf} 18:41:23.959
     sto:      Importing driver package into Driver Store:
     sto:           Driver Store   = C:\Windows\System32\DriverStore (Online | 6.1.7601)
     sto:           Driver Package = C:\Program Files\Npcap\NPCAP.inf
     sto:           Architecture   = amd64
     sto:           Locale Name    = neutral
     sto:           Flags          = 0x00000008
     sto:      Copying driver package files to 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}'.
     inf:      Opened INF: 'C:\Program Files\Npcap\NPCAP.inf' ([strings])
     inf:      Opened INF: 'C:\Program Files\Npcap\NPCAP.inf' ([strings])
     flq:      {FILE_QUEUE_COPY}
     flq:           CopyStyle      - 0x00000000
     flq:           SourceRootPath - 'C:\Program Files\Npcap'
     flq:           SourceFilename - 'npcap.cat'
     flq:           TargetDirectory- 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}'
     flq:      {FILE_QUEUE_COPY exit(0x00000000)}
     flq:      {FILE_QUEUE_COPY}
     flq:           CopyStyle      - 0x00000000
     flq:           SourceRootPath - 'C:\Program Files\Npcap'
     flq:           SourceFilename - 'NPCAP.inf'
     flq:           TargetDirectory- 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}'
     flq:      {FILE_QUEUE_COPY exit(0x00000000)}
     flq:      {FILE_QUEUE_COPY}
     flq:           CopyStyle      - 0x00000000
     flq:           SourceRootPath - 'C:\Program Files\Npcap'
     flq:           SourceFilename - 'npcap.sys'
     flq:           TargetDirectory- 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}'
     flq:      {FILE_QUEUE_COPY exit(0x00000000)}
     flq:      {_commit_file_queue}
     flq:           CommitQ DelNodes=0 RenNodes=0 CopyNodes=3
     flq:           {_commit_copy_subqueue}
     flq:                subqueue count=3
     flq:                source media:
     flq:                     SourcePath   - [C:\Program Files\Npcap]
     flq:                     SourceFile   - [npcap.cat]
     flq:                     Flags        - 0x00000000
     flq:                {_commit_copyfile}
     flq:                     CopyFile: 'C:\Program Files\Npcap\npcap.cat'
     flq:                           to: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\SETDAA6.tmp'
     flq:                     MoveFile: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\SETDAA6.tmp'
     flq:                           to: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\npcap.cat'
     flq:                {_commit_copyfile exit OK}
     flq:                {_commit_copyfile}
     flq:                     CopyFile: 'C:\Program Files\Npcap\NPCAP.inf'
     flq:                           to: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\SETDAA7.tmp'
     flq:                     MoveFile: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\SETDAA7.tmp'
     flq:                           to: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\NPCAP.inf'
     flq:                {_commit_copyfile exit OK}
     flq:                {_commit_copyfile}
     flq:                     CopyFile: 'C:\Program Files\Npcap\npcap.sys'
     flq:                           to: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\SETDAB8.tmp'
     flq:                     MoveFile: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\SETDAB8.tmp'
     flq:                           to: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\npcap.sys'
     flq:                {_commit_copyfile exit OK}
     flq:           {_commit_copy_subqueue exit OK}
     flq:      {_commit_file_queue exit OK}
     pol:      {Driver package policy check} 18:41:24.022
     pol:      {Driver package policy check - exit(0x00000000)} 18:41:24.022
     sto:      {Stage Driver Package: C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\NPCAP.inf} 18:41:24.022
     inf:           Opened INF: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\NPCAP.inf' ([strings])
     inf:           Opened INF: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\NPCAP.inf' ([strings])
     sto:           Copying driver package files:
     sto:                Source Path      = C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}
     sto:                Destination Path = C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}
     flq:           {FILE_QUEUE_COPY}
     flq:                CopyStyle      - 0x00000010
     flq:                SourceRootPath - 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}'
     flq:                SourceFilename - 'npcap.cat'
     flq:                TargetDirectory- 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}'
     flq:           {FILE_QUEUE_COPY exit(0x00000000)}
     flq:           {FILE_QUEUE_COPY}
     flq:                CopyStyle      - 0x00000010
     flq:                SourceRootPath - 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}'
     flq:                SourceFilename - 'NPCAP.inf'
     flq:                TargetDirectory- 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}'
     flq:           {FILE_QUEUE_COPY exit(0x00000000)}
     flq:           {FILE_QUEUE_COPY}
     flq:                CopyStyle      - 0x00000010
     flq:                SourceRootPath - 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}'
     flq:                SourceFilename - 'npcap.sys'
     flq:                TargetDirectory- 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}'
     flq:           {FILE_QUEUE_COPY exit(0x00000000)}
     flq:           {_commit_file_queue}
     flq:                CommitQ DelNodes=0 RenNodes=0 CopyNodes=3
     flq:                {_commit_copy_subqueue}
     flq:                     subqueue count=3
     flq:                     source media:
     flq:                          SourcePath   - [C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}]
     flq:                          SourceFile   - [npcap.cat]
     flq:                          Flags        - 0x00000000
     flq:                     {_commit_copyfile}
     flq:                          CopyFile: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\npcap.cat'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\SETDAF4.tmp'
     flq:                          MoveFile: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\SETDAF4.tmp'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\npcap.cat'
     flq:                     {_commit_copyfile exit OK}
     flq:                     {_commit_copyfile}
     flq:                          CopyFile: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\NPCAP.inf'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\SETDAF5.tmp'
     flq:                          MoveFile: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\SETDAF5.tmp'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\NPCAP.inf'
     flq:                     {_commit_copyfile exit OK}
     flq:                     {_commit_copyfile}
     flq:                          CopyFile: 'C:\Windows\TEMP\{50e8902f-52c9-5639-1400-867485aeea30}\npcap.sys'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\SETDB06.tmp'
     flq:                          MoveFile: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\SETDB06.tmp'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\npcap.sys'
     flq:                     {_commit_copyfile exit OK}
     flq:                {_commit_copy_subqueue exit OK}
     flq:           {_commit_file_queue exit OK}
     sto:           {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 18:41:24.068
     inf:                Opened INF: 'C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\NPCAP.inf' ([strings])
     sig:                {_VERIFY_FILE_SIGNATURE} 18:41:24.068
     sig:                     Key      = NPCAP.inf
     sig:                     FilePath = C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\NPCAP.inf
     sig:                     Catalog  = C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\npcap.cat
!    sig:                     Verifying file against specific (valid) catalog failed! (0x800b0109)
!    sig:                     Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 18:41:24.895
     sig:                {_VERIFY_FILE_SIGNATURE} 18:41:24.895
     sig:                     Key      = NPCAP.inf
     sig:                     FilePath = C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\NPCAP.inf
     sig:                     Catalog  = C:\Windows\System32\DriverStore\Temp\{728b893f-9701-7e58-e556-b66e7a175516}\npcap.cat
!    sig:                     Verifying file against specific Authenticode(tm) catalog failed! (0x800b010a)
!    sig:                     Error 0x800b010a: A certificate chain could not be built to a trusted root authority.
     sig:                {_VERIFY_FILE_SIGNATURE exit(0x800b010a)} 18:41:24.895
!!!  sto:                An unexpected error occurred while validating driver package. Assuming that driver package is unsigned. Catalog = npcap.cat, Error = 0x800B010A
!!!  sto:                Driver package is considered unsigned.
!!!  ndv:                Driver package failed signature validation. Error = 0xE0000247
     sto:           {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0xe0000247)} 18:41:24.911
!!!  sto:           Driver package failed signature verification. Error = 0xE0000247
!!!  sto:           Failed to import driver package into Driver Store. Error = 0xE0000247
     sto:      {Stage Driver Package: exit(0xe0000247)} 18:41:24.911
!!!  sto:      Failed to stage driver package to Driver Store. Error = 0xE0000247, Time = 920 ms
     sto: {Import Driver Package: exit(0xe0000247)} 18:41:24.911
     inf: Opened INF: 'C:\Program Files\Npcap\NPCAP.inf' ([strings])
!    inf: Add to Driver Store unsuccessful
!    inf: Error 0xe0000247: A problem was encountered while attempting to add the driver to the store.
!!!  inf: returning failure to SetupCopyOEMInf
<<<  Section end 2020/04/16 18:41:24.989
<<<  [Exit status: FAILURE(0xe0000247)]

Contents of SetupAPI.dev.log with version 0.9984 on the same system:

>>>  [SetupCopyOEMInf - C:\Program Files\Npcap\NPCAP.inf]
>>>  Section start 2020/04/17 03:57:21.087
      cmd: "C:\Program Files\Npcap\NPFInstall.exe" -n -i
     sto: {Import Driver Package: C:\Program Files\Npcap\NPCAP.inf} 03:57:21.087
     sto:      Importing driver package into Driver Store:
     sto:           Driver Store   = C:\Windows\System32\DriverStore (Online | 6.1.7601)
     sto:           Driver Package = C:\Program Files\Npcap\NPCAP.inf
     sto:           Architecture   = amd64
     sto:           Locale Name    = neutral
     sto:           Flags          = 0x00000000
     sto:      Copying driver package files to 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}'.
     inf:      Opened INF: 'C:\Program Files\Npcap\NPCAP.inf' ([strings])
     inf:      Opened INF: 'C:\Program Files\Npcap\NPCAP.inf' ([strings])
     flq:      {FILE_QUEUE_COPY}
     flq:           CopyStyle      - 0x00000000
     flq:           SourceRootPath - 'C:\Program Files\Npcap'
     flq:           SourceFilename - 'npcap.cat'
     flq:           TargetDirectory- 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}'
     flq:      {FILE_QUEUE_COPY exit(0x00000000)}
     flq:      {FILE_QUEUE_COPY}
     flq:           CopyStyle      - 0x00000000
     flq:           SourceRootPath - 'C:\Program Files\Npcap'
     flq:           SourceFilename - 'NPCAP.inf'
     flq:           TargetDirectory- 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}'
     flq:      {FILE_QUEUE_COPY exit(0x00000000)}
     flq:      {FILE_QUEUE_COPY}
     flq:           CopyStyle      - 0x00000000
     flq:           SourceRootPath - 'C:\Program Files\Npcap'
     flq:           SourceFilename - 'npcap.sys'
     flq:           TargetDirectory- 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}'
     flq:      {FILE_QUEUE_COPY exit(0x00000000)}
     flq:      {_commit_file_queue}
     flq:           CommitQ DelNodes=0 RenNodes=0 CopyNodes=3
     flq:           {_commit_copy_subqueue}
     flq:                subqueue count=3
     flq:                source media:
     flq:                     SourcePath   - [C:\Program Files\Npcap]
     flq:                     SourceFile   - [npcap.cat]
     flq:                     Flags        - 0x00000000
     flq:                {_commit_copyfile}
     flq:                     CopyFile: 'C:\Program Files\Npcap\npcap.cat'
     flq:                           to: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\SETC463.tmp'
     flq:                     MoveFile: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\SETC463.tmp'
     flq:                           to: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\npcap.cat'
     flq:                {_commit_copyfile exit OK}
     flq:                {_commit_copyfile}
     flq:                     CopyFile: 'C:\Program Files\Npcap\NPCAP.inf'
     flq:                           to: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\SETC464.tmp'
     flq:                     MoveFile: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\SETC464.tmp'
     flq:                           to: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\NPCAP.inf'
     flq:                {_commit_copyfile exit OK}
     flq:                {_commit_copyfile}
     flq:                     CopyFile: 'C:\Program Files\Npcap\npcap.sys'
     flq:                           to: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\SETC465.tmp'
     flq:                     MoveFile: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\SETC465.tmp'
     flq:                           to: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\npcap.sys'
     flq:                {_commit_copyfile exit OK}
     flq:           {_commit_copy_subqueue exit OK}
     flq:      {_commit_file_queue exit OK}
     pol:      {Driver package policy check} 03:57:21.118
     pol:      {Driver package policy check - exit(0x00000000)} 03:57:21.118
     sto:      {Stage Driver Package: C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\NPCAP.inf} 03:57:21.118
     inf:           Opened INF: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\NPCAP.inf' ([strings])
     inf:           Opened INF: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\NPCAP.inf' ([strings])
     sto:           Copying driver package files:
     sto:                Source Path      = C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}
     sto:                Destination Path = C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}
     flq:           {FILE_QUEUE_COPY}
     flq:                CopyStyle      - 0x00000010
     flq:                SourceRootPath - 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}'
     flq:                SourceFilename - 'npcap.cat'
     flq:                TargetDirectory- 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}'
     flq:           {FILE_QUEUE_COPY exit(0x00000000)}
     flq:           {FILE_QUEUE_COPY}
     flq:                CopyStyle      - 0x00000010
     flq:                SourceRootPath - 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}'
     flq:                SourceFilename - 'NPCAP.inf'
     flq:                TargetDirectory- 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}'
     flq:           {FILE_QUEUE_COPY exit(0x00000000)}
     flq:           {FILE_QUEUE_COPY}
     flq:                CopyStyle      - 0x00000010
     flq:                SourceRootPath - 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}'
     flq:                SourceFilename - 'npcap.sys'
     flq:                TargetDirectory- 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}'
     flq:           {FILE_QUEUE_COPY exit(0x00000000)}
     flq:           {_commit_file_queue}
     flq:                CommitQ DelNodes=0 RenNodes=0 CopyNodes=3
     flq:                {_commit_copy_subqueue}
     flq:                     subqueue count=3
     flq:                     source media:
     flq:                          SourcePath   - [C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}]
     flq:                          SourceFile   - [npcap.cat]
     flq:                          Flags        - 0x00000000
     flq:                     {_commit_copyfile}
     flq:                          CopyFile: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\npcap.cat'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\SETC482.tmp'
     flq:                          MoveFile: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\SETC482.tmp'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\npcap.cat'
     flq:                     {_commit_copyfile exit OK}
     flq:                     {_commit_copyfile}
     flq:                          CopyFile: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\NPCAP.inf'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\SETC483.tmp'
     flq:                          MoveFile: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\SETC483.tmp'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\NPCAP.inf'
     flq:                     {_commit_copyfile exit OK}
     flq:                     {_commit_copyfile}
     flq:                          CopyFile: 'C:\Users\ADMINI~1\AppData\Local\Temp\2\{55d512a3-f8b2-47da-76aa-da48bd0ab66a}\npcap.sys'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\SETC494.tmp'
     flq:                          MoveFile: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\SETC494.tmp'
     flq:                                to: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\npcap.sys'
     flq:                     {_commit_copyfile exit OK}
     flq:                {_commit_copy_subqueue exit OK}
     flq:           {_commit_file_queue exit OK}
     sto:           {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 03:57:21.149
     inf:                Opened INF: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\NPCAP.inf' ([strings])
     sig:                {_VERIFY_FILE_SIGNATURE} 03:57:21.149
     sig:                     Key      = NPCAP.inf
     sig:                     FilePath = C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\NPCAP.inf
     sig:                     Catalog  = C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\npcap.cat
!    sig:                     Verifying file against specific (valid) catalog failed! (0x800b0109)
!    sig:                     Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 03:57:21.181
     sig:                {_VERIFY_FILE_SIGNATURE} 03:57:21.181
     sig:                     Key      = NPCAP.inf
     sig:                     FilePath = C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\NPCAP.inf
     sig:                     Catalog  = C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\npcap.cat
     sig:                     Success: File is signed in Authenticode(tm) catalog.
     sig:                     Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
     sig:                {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 03:57:21.196
     sto:                Validating driver package files against catalog 'npcap.cat'.
     sto:                Driver package is valid.
     sto:           {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 03:57:21.196
     sto:           Verified driver package signature:
     sto:                Digital Signer Score = 0xFF000000
     sto:                Digital Signer Name  = <unknown>
     sto:           {DRIVERSTORE_IMPORT_NOTIFY_BEGIN} 03:57:21.196
     inf:                Opened INF: 'C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}\NPCAP.inf' ([strings])
     sto:                Create system restore point:
     sto:                     Description = Device Driver Package Install: Nmap Project Network Service
     sto:                     Time        = 0ms
     sto:                     Status      = 0x0000007E (FAILURE)
     sto:           {DRIVERSTORE_IMPORT_NOTIFY_BEGIN: exit(0x00000000)} 03:57:21.212
     sto:           Importing driver package files:
     sto:                Source Path      = C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}
     sto:                Destination Path = C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_b8e999af81612f8f
     sto:           {Copy Directory: C:\Windows\System32\DriverStore\Temp\{03e30e7f-d2cf-3817-c8fa-2562e2a43377}} 03:57:21.212
     sto:                Target Path = C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_b8e999af81612f8f
     sto:           {Copy Directory: exit(0x00000000)} 03:57:21.212
     sto:           {Index Driver Package: C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_b8e999af81612f8f\NPCAP.inf} 03:57:21.212
     idb:                Registered driver store entry 'npcap.inf_amd64_neutral_b8e999af81612f8f'.
     idb:                Published 'npcap.inf_amd64_neutral_b8e999af81612f8f\npcap.inf' to 'C:\Windows\INF\oem9.inf'
     idb:                Published driver store entry 'npcap.inf_amd64_neutral_b8e999af81612f8f'.
     sto:                Published driver package INF 'oem9.inf' was changed.
     sto:                Active published driver package is 'npcap.inf_amd64_neutral_b8e999af81612f8f'.
     sto:           {Index Driver Package: exit(0x00000000)} 03:57:21.664
     sto:           {DRIVERSTORE_IMPORT_NOTIFY_END} 03:57:21.664
     ndv:                No system restore point was set earlier.
     sto:           {DRIVERSTORE_IMPORT_NOTIFY_END: exit(0x00000000)} 03:57:21.664
     sto:      {Stage Driver Package: exit(0x00000000)} 03:57:21.664
     ndv:      Doing device matching lookup!
     sto:      Driver package was staged to Driver Store. Time = 593 ms
     sto:      Imported driver package into Driver Store:
     sto:           Filename = C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_b8e999af81612f8f\NPCAP.inf
     sto:           Time     = 624 ms
     sto: {Import Driver Package: exit(0x00000000)} 03:57:21.711
     inf: Opened INF: 'C:\Program Files\Npcap\NPCAP.inf' ([strings])
     inf: Driver Store location: C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_b8e999af81612f8f\NPCAP.inf
     inf: Published Inf Path: C:\Windows\INF\oem9.inf
     inf: Opened INF: 'C:\Program Files\Npcap\NPCAP.inf' ([strings])
     inf: Installing catalog npcap.cat as: oem9.CAT
     inf: OEM source media location: C:\Program Files\Npcap\
<<<  Section end 2020/04/17 03:57:21.727
<<<  [Exit status: SUCCESS]

Output of signtool.exe verify /kp /v npcap.cat (0.9990):

Verifying: npcap.cat
Hash of file (sha256): D6193B2E57CB7C22D712007CB450A421992670D470CFACEA399E31A46FE4B273

Signing Certificate Chain:
    Issued to: COMODO RSA Certification Authority
    Issued by: COMODO RSA Certification Authority
    Expires:   Tue Jan 19 00:59:59 2038
    SHA1 hash: AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4

        Issued to: COMODO RSA Extended Validation Code Signing CA
        Issued by: COMODO RSA Certification Authority
        Expires:   Mon Dec 03 00:59:59 2029
        SHA1 hash: 351A78EBC1B4BB6DC366728D334231ABA9AE3EA7

            Issued to: Insecure.Com LLC
            Issued by: COMODO RSA Extended Validation Code Signing CA
            Expires:   Sun Nov 06 00:59:59 2022
            SHA1 hash: 1C58BD08D220F81B21FB2837E3AB65AEE5EFD727

The signature is timestamped: Mon Feb 03 18:46:22 2020
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 13:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

            Issued to: TIMESTAMP-SHA256-2019-10-15
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Thu Oct 17 01:00:00 2030
            SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 14:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: COMODO RSA Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Sun Apr 11 23:16:20 2021
        SHA1 hash: 106870659C069F248C8C0A05ACD871CABEB3CC38

            Issued to: COMODO RSA Extended Validation Code Signing CA
            Issued by: COMODO RSA Certification Authority
            Expires:   Mon Dec 03 00:59:59 2029
            SHA1 hash: 351A78EBC1B4BB6DC366728D334231ABA9AE3EA7

                Issued to: Insecure.Com LLC
                Issued by: COMODO RSA Extended Validation Code Signing CA
                Expires:   Sun Nov 06 00:59:59 2022
                SHA1 hash: 1C58BD08D220F81B21FB2837E3AB65AEE5EFD727

Successfully verified: npcap.cat

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Output of signtool.exe verify /kp /v npcap.cat (0.9984):

Verifying: npcap.cat
Hash of file (sha1): AB5AF9CD89A49741718DBC86158F533818B139F8

Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert EV Code Signing CA
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Apr 18 13:00:00 2027
        SHA1 hash: 846896AB1BCF45734855C61B63634DFD8719625B

            Issued to: Insecure.Com LLC
            Issued by: DigiCert EV Code Signing CA
            Expires:   Thu Nov 07 13:00:00 2019
            SHA1 hash: 83B2DDFEF9F7004438D7AA66C524344F71A70B48

The signature is timestamped: Sat Nov 02 04:02:13 2019
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 01:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Tue Oct 22 01:00:00 2024
            SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 14:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 20:55:33 2021
        SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143

            Issued to: DigiCert EV Code Signing CA
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Apr 18 13:00:00 2027
            SHA1 hash: 846896AB1BCF45734855C61B63634DFD8719625B

                Issued to: Insecure.Com LLC
                Issued by: DigiCert EV Code Signing CA
                Expires:   Thu Nov 07 13:00:00 2019
                SHA1 hash: 83B2DDFEF9F7004438D7AA66C524344F71A70B48

Successfully verified: npcap.cat

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

I can't seem to find any fault with 0.9990 as opposed to 0.9984, other than that it's signed by a different CA and uses SHA256 to sign (rather than SHA1) -- but in theory this should not matter. Perhaps it's the fact that the signing certificate is by Comodo, but the timestamp signature is still by DigiCert? Perhaps it should be switched to Comodo as well, per instructions at https://support.comodoca.com/Com_KnowledgeDetailPageSectigo?Id=kA01N000000zFK6 ?

dmiller-nmap commented 4 years ago

Thanks for reporting this. We've been working with 2 separate private reports of this happening on Windows Server 2012 and Windows 7. The timestamp signature is an interesting idea we had not looked into. We're trying with the next installer to bundle all certs in the chain and install those before trying to install the driver, though as you pointed out, the error still happens on systems where the certificate chain is valid according to signtool /kp. We hadn't switched to Comodo's timestamp server because it's very slow.

I notice that even Npcap 0.9984 has a minor error regarding a signature that doesn't terminate in a trusted root. I will try looking into that, too.

Our long-term plan is to pursue WHQL certification so that Microsoft signs off on our drivers and we don't have to worry about certificate chains any more. This is especially important since Server 2016 does not work with attestation-signed drivers any more (which is what we have been using for Windows 10-based systems).

akontsevoy commented 4 years ago

Speaking of WHQL, I was wondering why your Win10 drivers are counter-signed by Microsoft but their Win7/8 versions are not. I thought they are otherwise the same drivers.

dmiller-nmap commented 4 years ago

The counter-signature for Win10 is an "attestation signature," which is not trusted by Windows versions prior to Windows 10. Similarly, Windows 10 does not trust non-Microsoft-signed drivers without significant security modifications that we will of course not perform in our installer. They are the same drivers down to the byte at the moment, but we are investigating supporting more recent NDIS versions for the Windows 10 driver since it needs to be shipped separately anyway.

dmiller-nmap commented 4 years ago

Npcap 0.9991 is signed with a certificate from a different issuer, as well as a secondary SHA-1 signature. This has worked on these platforms in the past, so we believe Npcap 0.9991 will solve this problem. Please let us know so we can close this issue.

akontsevoy commented 4 years ago

@dmiller-nmap This is still not fixed as of 0.9991. In fact, the install now fails the same way on any Windows version below W10/WS2016. This is because npcap.cat is signed with a SHA1 certificate, but only the SHA2 certificate is installed into the Trusted Publishers store. Manually installing the SHA1 certificate into said store works around the problem (including on WS2008R2). But the problem with that is that adding this certificate to the store also allows Npcap to install on WS2008 gold (non-R2), which should no longer be allowed in the first place (just like on WS2003), as support for Vista and WS2008 was recently dropped, because on these systems the Npcap driver installs but does not work.
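
The two trust prerequisites discussed in this thread, as an added Python example that is not part of any comment here or of Npcap's installer: it parses `signtool verify /kp /v` output and checks that the publisher (leaf) certificate's thumbprint is among the Trusted Publishers thumbprints and that a cross-certificate chain rooted in Microsoft Code Verification Root is present. `parse_signtool`, `preflight` and the caller-supplied set of uppercase SHA1 thumbprints are assumptions of this example; as the first post shows, passing both checks does not by itself guarantee a prompt-free install.

```python
import re

# Constructed sample: 0.9990 signtool output from the first post, trimmed to signer chain + cross root.
SAMPLE = """Hash of file (sha256): D6193B2E57CB7C22D712007CB450A421992670D470CFACEA399E31A46FE4B273
Signing Certificate Chain:
    Issued to: COMODO RSA Certification Authority
    Issued by: COMODO RSA Certification Authority
    SHA1 hash: AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
        Issued to: COMODO RSA Extended Validation Code Signing CA
        Issued by: COMODO RSA Certification Authority
        SHA1 hash: 351A78EBC1B4BB6DC366728D334231ABA9AE3EA7
            Issued to: Insecure.Com LLC
            Issued by: COMODO RSA Extended Validation Code Signing CA
            SHA1 hash: 1C58BD08D220F81B21FB2837E3AB65AEE5EFD727
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
"""
SECTIONS = ("Signing Certificate Chain:", "Timestamp Verified by:", "Cross Certificate Chain:")

def parse_signtool(text):
    """Return (file digest name, {section: [certs, root first, leaf last]})."""
    digest, chains, certs = None, {}, None
    for s in map(str.strip, text.splitlines()):
        hash_line = re.match(r"Hash of file \((\w+)\):", s)
        field = re.match(r"(Issued to|Issued by|Expires|SHA1 hash):\s*(.+)", s)
        if hash_line:
            digest = hash_line.group(1)
        elif s in SECTIONS:
            certs = chains.setdefault(s.rstrip(":"), [])
        elif field and certs is not None:
            if field.group(1) == "Issued to":
                certs.append({})          # a new certificate entry starts here
            if certs:
                certs[-1][field.group(1)] = field.group(2)
    return digest, chains

def preflight(text, trusted_publishers):
    """List the trust prerequisites this output shows to be missing."""
    _, chains = parse_signtool(text)
    signing = chains.get("Signing Certificate Chain", [])
    cross = chains.get("Cross Certificate Chain", [])
    problems = []
    if not signing or signing[-1].get("SHA1 hash", "").upper() not in trusted_publishers:
        problems.append("publisher certificate is not in Trusted Publishers")
    if not cross or cross[0].get("Issued to") != "Microsoft Code Verification Root":
        problems.append("no cross-certificate chain to Microsoft Code Verification Root")
    return problems
```

Run it once per signature on the catalog: a store that holds only one of the two Insecure.Com LLC thumbprints quoted in the first post is reported as a missing publisher for a catalog signed with the other.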

fyodor commented 4 years ago

Thanks for everyone's comments. This should be fixed in 0.9994 so I'm closing the issue. But please comment and re-open if anyone finds it not fixed for them.