nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

NPCAP 0.99-r5 I lose internet after reboot on Windows 7 64 bit #385

Closed BrianG61UK closed 3 years ago

BrianG61UK commented 6 years ago

Reverting to 0.99-r4 is a fix.

To reproduce the problem, install 0.99-r5 with: Auto start driver at boot: Yes; Support loopback traffic: No; Restrict to admin only: Yes; Support raw 802.11 for WiFi: No; Support 802.1Q: No; WinPcap compatible: Yes.

Reboot.

You have lost internet access.

dmiller-nmap commented 6 years ago

Thanks for this bug report! Can you please run DiagReport on the problem system after reboot and include the output along with the NPFInstall.log file from the Npcap installation directory.

Does uninstalling Npcap restore Internet access? Does it require a reboot to restore access after uninstalling? Does the problem happen if WinPcap compatible mode is not chosen or if Admin-only mode is not chosen? Does Npcap work properly before the reboot, or is there some other indication that something is wrong?

BrianG61UK commented 6 years ago

Okay I've done a bit of experimenting but it's bedtime now. ZIPped files attached. NPCAP1.zip

Yes, when rebooted in faulty state internet came back soon after uninstalling NPCAP 0.99-r5 without rebooting or anything.

jcurl commented 6 years ago

I can confirm the same problem on my Win7 32-bit box. When I installed npcap, everything was still working after the install until a reboot. Then after the reboot my WiFi adapters can see APs (didn't try to connect), but my Local Ethernet wouldn't connect to my DHCP server and was allocated a 169.254.0.0/16 address. Uninstalling without reboot resolved the problem.

Please see attached the logs for 0.99-r5. npcap099r5.zip

Installed 0.99-r4 as suggested and I have an IP address. I've attached logs for that too. 0.99-r4.zip

BrianG61UK commented 6 years ago

Thanks. My system is Windows 7 64 bit.

rhyttr commented 6 years ago

Same problem as @jcurl: After installing Npcap 0.99-r5, my Local Ethernet wouldn't connect to my DHCP server and was allocated a 169.254.0.0/16 address. Uninstalling without reboot resolved the problem.

Windows7 64bit

dmiller-nmap commented 6 years ago

I think this is related to the attempted fix for nmap/npcap#83. Windows 7 has a limit on the number of Ndis Filter drivers that can be installed. By default, that limit is 8, but it can be increased in the Registry to 14. @jcurl's DiagReport shows 13 installed, and @BrianG61UK's shows 14. Previously, Npcap's installation process would just break when we tried to install more than that, but 0.99-r5 added the ability to increase the limit in the Registry as needed (up to 14) to avoid the error. I guess something happened near that limit where the stack wasn't able to handle it after reboot?

Here are some steps to take to see if I'm right and what to do about it:

  1. Please report the value from the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\MaxNumFilters so we can diagnose better.
  2. Try installing without WinPcap API-compatible mode. This isn't needed for Wireshark or Nmap, though it is needed for other software that isn't aware of Npcap, and it doubles the number of filter drivers Npcap tries to install.
  3. Try installing without raw 802.11 WiFi capture. This also doubles the number of filter drivers we try to install, though it has a legitimate use.

BrianG61UK commented 6 years ago

Okay, my MaxNumFilters seems to be 14 hex (or 20 decimal) at the moment. I guess that's invalid so I'll change it to 14 decimal and try 0.99-r5 again when I get a chance.

Later: Still doesn't work right with MaxNumFilters as 14 (decimal). I didn't realise I was right up against a limit, so I may just uninstall and not bother at all with winpcap or npcap; I rarely need them.

Fang3s commented 6 years ago

How could I fix it by myself? Should I just modify MaxNumFilters to make it more than the installed filter count of items under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\ ?

I cannot find npcap 0.99-r4 to download.

I googled.

Q:

I haven't seen the MaxNumFilters value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\ registry key on Windows 8 anymore. Are there some changes compared to Windows 7?

A:

Yes we made some improvements in that department. Windows Vista and Windows 7 limit the number of NDIS filters that can be installed, since many kernel callbacks are nested through each filter. If you install too many filters, it's easy to run out of kernel stack space and bugcheck.

Starting with Windows 8, however, during an NDIS controlpath callout (e.g., status indication), NDIS automatically detects that a callstack is running low on stack space, and expands the stack before calling into the next filter. The datapath was also reworked to turn recursive calls into iterative calls. (This is why, if you break into the kernel debugger in the datapath, you no longer see the entire set of filters on the callstack; you'll probably only see the highest filter on the callstack.)

The net result is that Windows 8 can scale to many more filters, since it is no longer bounded by their cumulative stack consumption. We have automated tests that go up to 32 filters, I believe. Therefore, we changed the default value of the installed filter limit to unlimited. (When the value doesn't exist in the registry, it is interpreted as "unlimited"). "MaxNumFilters" is still read, and would be enforced if you set its value. In fact, I think this value might be preserved across OS upgrades, so you might find Windows 8 machines "in the wild" with this value still set with a Windows 7 value.

How can I find out how many network filter drivers I have using Windows 7 and uninstall if too many

Q:

I have been told to locate the following registry subkey HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Network but cannot find it. I have clicked Start, click Run, type regedit, OK but still cannot find it.

A:

sralpert replied on October 26, 2011

Apparently, there is a key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\MaxNumFilters

that shows the maximum count. Further, if you look at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\

Each entry corresponds to a possible filter.

In my case, I had 13 filters but the MaxNumFilters was only set at 8! Some installs (like Virtual PC) will not complete if you have 13 or more.

Steve Alpert

How to get a list of network filters installed on a Windows 7 system

Q:

I've run into several situations where users in my office have tried to install software, such as vpn software, and the installation has failed due to exceeding the maximum number of filters allowed, as defined by the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\MaxNumFilters. My understanding is that the default is 8 and the maximum is 14.

I'd like to know if it is possible to get a count of the number of network filters currently installed on a system. For bonus points, I'd like to know if there is a way to determine what the filters are associated with: the installed software or dlls, something that could be useful in determining what could be uninstalled.

I would hope this information would be useful to others.

A:

haven't figured out how to map back to a file on disk.

The following PowerShell will output the current maximum filters configured, the count of filters installed, followed by the description and registry path.

    # Show the configured filter limit.
    get-itemproperty hklm:\SYSTEM\CurrentControlSet\Control\Network | format-list -property MaxNumFilters
    # Collect every network component whose Ndi subkey carries a FilterClass value (one per installed filter).
    $children = get-childitem -path hklm:\system\currentcontrolset\control\network\"{4d36e974-e325-11ce-bfc1-08002be10318}" | get-childitem | where-object {$_.PSChildName -eq "Ndi"} | get-itemproperty | where-object {$_.FilterClass} | get-itemproperty -name FilterClass
    "Filter Count: " + $children.count
    "Filter List: "
    # Print the description and registry path of each filter's parent key.
    $children | foreach-object -process { get-itemproperty -path $_.PSParentPath } | format-list -property Description,PSPath

The output will be something like the following:

    MaxNumFilters : 8
    Filter Count: 6

sc query npcap & reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\ /v MaxNumFilters
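
An added example, not part of the thread and not Npcap or Microsoft code: the checks discussed above folded into one read-only PowerShell audit that compares MaxNumFilters with the installed filter count and flags a value such as 20 (0x14). The function name Get-FilterLimitFinding is hypothetical; the default of 8, the maximum of 14 and the "absent means unlimited from Windows 8" rule are taken from the posts above, and filters are counted the same way as in the quoted script.

```powershell
# Added example: read-only audit of the NDIS filter limit discussed in this thread.
$netKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network'
$classKey = "$netKey\{4d36e974-e325-11ce-bfc1-08002be10318}"

# Decision logic, kept apart from the registry reads so it can be run on any values.
# $Max is $null when the MaxNumFilters value does not exist.
function Get-FilterLimitFinding {
    param($Max, [int]$Count, [version]$OsVersion)

    $findings = @()
    $legacy = $OsVersion -lt [version]'6.2'    # Vista (6.0) and Windows 7 (6.1)
    $limit  = $null

    if ($null -ne $Max) {
        $limit = [int]$Max
        if ($legacy -and $limit -gt 14) {
            # 20 decimal is 0x14, i.e. "14" entered as hexadecimal.
            $findings += ("MaxNumFilters is {0} (0x{0:X}), above the maximum of 14" -f $limit)
        }
        if (-not $legacy) {
            $findings += "MaxNumFilters is set to $limit and is still enforced on this OS"
        }
    } elseif ($legacy) {
        $limit = 8                              # default stated in the thread
        $findings += "MaxNumFilters absent: assuming the default of 8"
    } else {
        $findings += "MaxNumFilters absent: treated as unlimited on Windows 8 and later"
    }

    if ($null -eq $limit)      { $findings += "Installed filters: $Count (no limit)" }
    elseif ($Count -ge $limit) { $findings += "Installed filters ($Count) have reached the limit ($limit)" }
    else                       { $findings += "Installed filters: $Count of $limit" }
    $findings
}

# Registry reads: a component counts as a filter when its Ndi subkey has a FilterClass value.
$max = (Get-ItemProperty -LiteralPath $netKey -ErrorAction SilentlyContinue).MaxNumFilters
$filters = @(Get-ChildItem -LiteralPath $classKey -ErrorAction SilentlyContinue | ForEach-Object {
    $ndi = Get-ItemProperty -LiteralPath "$($_.PSPath)\Ndi" -ErrorAction SilentlyContinue
    if ($ndi -and $ndi.FilterClass) {
        "{0}  {1}" -f $_.PSChildName, (Get-ItemProperty -LiteralPath $_.PSPath).Description
    }
})

Get-FilterLimitFinding -Max $max -Count $filters.Count -OsVersion ([Environment]::OSVersion.Version)
$filters | Sort-Object
```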

trevershick commented 6 years ago

https://nmap.org/npcap/dist/

dmiller-nmap commented 6 years ago

@BrianG61UK Thanks for checking that. It's odd that the value was 0x14 instead of 14. We definitely are using 14 (decimal) in the new code.

@Fang3s Thanks for the helpful info. You can always find the latest Npcap installers at https://nmap.org/npcap/#download

dmiller-nmap commented 6 years ago

I've reproduced the bug now here, and it does not have to do with the number of filter drivers installed (though that could still cause problems for some users). Windows 7 just doesn't like Npcap 0.99-r5 at the moment. We will keep this issue updated as we find out more. Thanks for your help and patience!

dmiller-nmap commented 6 years ago

Workaround available: Install without the "Automatically start the Npcap driver at boot time" option. Start the npcap driver after boot by running (as administrator) net start npcap. Once the driver has finished starting, Npcap functions can be used and there is no loss of connectivity.

Nmap attempts to start the driver if it is not already started, potentially initiating a UAC prompt. Unfortunately, in my testing, it tries too quickly to use Npcap functions before the driver is done starting, resulting in a "dnet: failed to open device eth0" error message. Just trying again was sufficient to let the driver finish starting.

dmiller-nmap commented 6 years ago

This issue is fixed in Npcap 0.99-r6.