nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

[npcap] - wireshark stopped see adapters after windows 10 updated to "anniversary edition" #467

Closed (zdm closed 3 years ago)

zdm commented 8 years ago

Hi. Today Windows 10 was updated and Wireshark doesn't see network adapters any more. I tried to reinstall Npcap and Wireshark - this wasn't helpful. Npcap is installed in WinPcap compat. mode and Wireshark detected Npcap during the install process.

mhoes commented 7 years ago

Hi,

I can install npcap-0.78-r4-ev.exe without errors, and can capture traffic after installation with Wireshark. I do get a Windows Security pop-up though, asking me 'Would you like to install this device software?', with an option to 'Always trust software from Insecure.Com LLC'. Also, the npcap loopback adapter now does get removed when uninstalling npcap.

Running Windows Home 64-bit Version 1607 (OS Build 14393.479), secure boot enabled in my UEFI firmware, and I did an upgrade from Windows 7 to Windows 10, not a clean install.

On Mon, Dec 12, 2016 at 12:57 AM, Daniel Miller notifications@github.com wrote:

Everyone,

Sorry for the confusion. I had a misconfiguration that caused our EV-signed drivers to not validate, so they were not working on any system. Now they work on Windows 8 at least, and I would appreciate a test with Windows 10 1607. Here is the download link for Npcap 0.78 r4, EV cert https://nmap.org/tmp/c/npcap-0.78-r4-ev.exe.


BavoB commented 7 years ago

@mhoes: which probably proves the point. For Win10 1607 with secure boot enabled (freshly installed, but as your experience shows even for upgrades depending on who knows what) you need attestation, no way around it.

BavoB commented 7 years ago

[Image: npcap 0 78 r4 beta ev version]

For completeness' sake: this is the EV version installed on Windows 2012 R2 (server) - UEFI with secure boot. So AFAIK the attestation is also needed here or else there is still something else wrong. I got the Windows Security pop-up 'Would you like to install this device software?', to which I answered 'no' (do not always trust Insecure LLC).

mhoes commented 7 years ago

@BavoB: Perhaps I understand you incorrectly (or you incorrectly understood me), but I said that I can install pcap-0.78-r4-ev.exe (I thought that this was an EV-signed driver, and not the attestation-signed drivers) without errors; in other words, that it does work for me.

On Tue, Dec 13, 2016 at 2:21 PM, BavoB notifications@github.com wrote:

@mhoes: which probably proves the point. For Win10 1607 with secure boot enabled (freshly installed, but as your experience shows even for upgrades depending on who knows what) you need attestation, no way around it.


BavoB commented 7 years ago

Oops sorry my bad.

From: mhoes [mailto:notifications@github.com] Sent: Tuesday 13 December 2016 15:52 To: nmap/nmap nmap@noreply.github.com Cc: BavoB bavo.bostoen@hotmail.com; Mention mention@noreply.github.com Subject: Re: [nmap/nmap] [npcap] - wireshark stopped see adapters after windows 10 updated to "anniversary edition" (#492)

@BavoB: Perhaps I understand you incorrectly (or you incorrectly understood me), but I said that I can install pcap-0.78-r4-ev.exe (I thought that this was an EV-signed driver, and not the attestation-signed drivers) without errors; in other words, that it does work for me.


hsluoyz commented 7 years ago

@BavoB

I got the Windows Security pop-up 'Would you like to install this device software?', to which I answered 'no'

If you choose no here, then you will always fail the driver install no matter how our driver is signed. So please choose yes.

BavoB commented 7 years ago

OK, although (our) best practices state the opposite ;-).

From: Yang Luo [mailto:notifications@github.com] Sent: Tuesday 13 December 2016 16:54 To: nmap/nmap nmap@noreply.github.com Cc: BavoB bavo.bostoen@hotmail.com; Mention mention@noreply.github.com Subject: Re: [nmap/nmap] [npcap] - wireshark stopped see adapters after windows 10 updated to "anniversary edition" (#492)

@BavoB

I got the Windows Security pop-up 'Would you like to install this device software?', to which I answered 'no'

If you choose no here, then you will always fail the driver install no matter how our driver is signed. So please choose yes.


mhoes commented 7 years ago

It appears to me as if two things are getting mixed up here, but I may be wrong? (I made a screenshot of the pop-up I get, yours may be different). In the pop-up, there are actually two related, but different, things. First of all, there is a 'checkbox' that you can check if you always want to trust drivers signed by "Insecure.Com LLC". You don't have to check that box, but you can. I'm guessing that if you do check the box to always trust the signer that you will never get this pop-up again, and that you will get the pop-up again if you don't.

Then there are the 'install' and 'don't install' buttons. If you want to install the driver (and I'm guessing that you want to) then you must click the button that says 'install'. If you haven't checked the checkbox in combination with clicking on 'install', you will only trust the signer once, for this install only, instead of always.

[Image: pop-up]

marlop352 commented 7 years ago

0.78 r2-ev does not work (fails to create services)

0.78 r2-attestation works

With 0.78 r4, Windows gives an error after installation saying that it blocked the installation of a driver that is not digitally signed

0.78 r4-ev still gives me the same error as 0.78 r4, even if I mark the always trust box (which does not appear on 0.78 r4) (checking that box should have made it accept the driver, I think)

Windows 10 Pro 1607 (it's a clean install, not an update from a previous version) with secure boot enabled

dmiller-nmap commented 7 years ago

Ok, all: I just published Npcap 0.78 r5, which has attestation-signed drivers for Win10 users, dual-signed SHA1/SHA256 drivers with MS Cross-Certs for Windows 8 and earlier. We are back in business! Do let us know if you still experience these problems.
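
To tell an EV-signed driver from an attestation-signed one on a given machine, as discussed in this thread, the following check reports the Secure Boot state, the OS build and the driver's signer. It is an added example, not part of the original thread or the Npcap project; the function name and the driver path are hypothetical placeholders.

```powershell
# Added example, not Npcap project code. Pass the path of the .sys file to inspect.
function Get-DriverSigningReport {
    param([Parameter(Mandatory)][string]$DriverPath)

    # Confirm-SecureBootUEFI needs an elevated session and throws on legacy
    # BIOS systems; treat any failure as "unknown" rather than "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $null }

    # Windows 10 version 1607 (Anniversary Update) is build 14393.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # Only the primary signature is returned; a dual-signed (SHA1/SHA256)
    # file has a second, nested signature that this cmdlet does not list.
    $sig     = Get-AuthenticodeSignature -LiteralPath $DriverPath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }

    # Drivers signed through Microsoft's portal (attestation or WHQL) carry
    # this publisher name instead of the vendor's own EV certificate.
    $msSigned = $subject -like '*Microsoft Windows Hardware Compatibility Publisher*'

    [pscustomobject]@{
        Driver          = $DriverPath
        OsBuild         = $build
        SecureBoot      = $secureBoot
        SignatureStatus = $sig.Status
        Signer          = $subject
        Issuer          = $issuer
        MicrosoftSigned = $msSigned
        # Heuristic only: upgraded installs and older cross-signed
        # certificates are exempt from the 1607 signing rule.
        NeedsReview     = ($build -ge 14393) -and ($secureBoot -eq $true) -and
                          (($sig.Status -ne 'Valid') -or -not $msSigned)
    }
}

# Placeholder path; substitute the driver file you want to check.
Get-DriverSigningReport -DriverPath 'C:\path\to\driver.sys' | Format-List
```

A `NeedsReview` value of `True` means the driver is not Microsoft-signed on a Secure Boot system at build 14393 or later, which is the combination the fresh-install reports in this thread describe.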

BavoB commented 7 years ago

Hi,

Everything seems to work as expected (Win10 x64 1607 fresh install with secure boot on).

Thanks, Bavo

From: Daniel Miller [mailto:notifications@github.com] Sent: Thursday 15 December 2016 19:06 To: nmap/nmap nmap@noreply.github.com Cc: BavoB bavo.bostoen@hotmail.com; Mention mention@noreply.github.com Subject: Re: [nmap/nmap] [npcap] - wireshark stopped see adapters after windows 10 updated to "anniversary edition" (#492)

Ok, all: I just published Npcap 0.78 r5 https://github.com/nmap/npcap/releases/tag/v0.78-r5, which has attestation-signed drivers for Win10 users, dual-signed SHA1/SHA256 drivers with MS Cross-Certs for Windows 8 and earlier. We are back in business! Do let us know if you still experience these problems.


mhoes commented 7 years ago

Hi,

WORKSFORME: Win10 x64 1607, upgrade from Win7, secure boot on. No pop-ups during installation asking for permission. Wireshark able to capture packets as expected. Note: Npcap loopback adapter doesn't get uninstalled upon npcap uninstall.

On Thu, Dec 15, 2016 at 7:06 PM, Daniel Miller notifications@github.com wrote:

Ok, all: I just published Npcap 0.78 r5 https://github.com/nmap/npcap/releases/tag/v0.78-r5, which has attestation-signed drivers for Win10 users, dual-signed SHA1/SHA256 drivers with MS Cross-Certs for Windows 8 and earlier. We are back in business! Do let us know if you still experience these problems.


BavoB commented 7 years ago

OK, I had a chance to uninstall 0.78 r4 on a Windows Win2012 R2 server + install 0.78 r5 (system with secure boot enabled). My findings, some of which have been reported before:

So I guess there is some progress ;-)

I have some questions:

  1. What services are created by the installer, and what are their names? (I'd like to check in services.msc to see if it is running)
  2. Are the uninstall problems also related to the (kernel) driver signing requirements/problems? ==> although here I'm not running on a Win10-based system
  3. What is the current status of npcap compared to winpcap: can this be run safely with a program like Wireshark (without Winpcap)?

mhoes commented 7 years ago

Hrm.

On Tue, Dec 20, 2016 at 1:21 PM, BavoB notifications@github.com wrote:

installing 0.78 r5 worked, but I did get the 'failed to create service' error

If you got a pop-up (not sure), did you remember to click on the 'install' button this time instead of 'don't install' like you did last time?

dmiller-nmap commented 7 years ago

Looks like we handled the core issue reported here. If you continue to have problems with uninstalling, please open a new issue so we can track and fix it. Thanks!