Closed akontsevoy closed 2 years ago
Thanks for reporting this. As mentioned in https://github.com/nmap/npcap/issues/233#issuecomment-875677245, we are working to ensure the certificates in the trust chain are added to the proper trust stores on the target computer, which reportedly resolves the issue. We expect to have a release that resolves this issue within the next week or so.
@dmiller-nmap But the certificate issue seems to be only half of the problem; even if the driver warning is accepted and the driver is installed, it then fails to start on WS2008R2 with "The parameter is incorrect." I've seen such a problem before when trying to install drivers written for later NT versions onto earlier NT versions; it suggests you are probably using some API that's not supported in NT 6.1. (Which doesn't make sense to me, given that you ship separate/older drivers for NT 6.1 anyways -- but I get what I get.)
it suggests you are probably using some API that's not supported in NT 6.1.
Is there any way, e.g. from NPFInstall.log, to determine which call that is?
Not really (NPFInstall.log included above); sc.exe start npcap only outputs the error code, and so does the event log:
The Npcap Packet Driver (NPCAP) service failed to start due to the following error:
The parameter is incorrect.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2021-09-03T00:41:30.199104800Z" />
    <EventRecordID>82008</EventRecordID>
    <Correlation />
    <Execution ProcessID="480" ThreadID="1628" />
    <Channel>System</Channel>
    <Computer>[redacted]</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Npcap Packet Driver (NPCAP)</Data>
    <Data Name="param2">%%87</Data>
  </EventData>
</Event>
So I can only assume that's what gets returned by the DriverEntry function (NTSTATUS equivalent).
Npcap has been installed with the following command line: npcap-1.50-oem.exe /loopback_support=no /admin_only=yes /dot11_support=no /winpcap_mode=no
Service registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\npcap]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000018
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,70,63,\
61,70,2e,73,79,73,00
"DisplayName"="Npcap Packet Driver (NPCAP)"
"Group"="NDIS"
"Description"="Npcap Packet Driver (NPCAP)"
"NdisMajorVersion"=dword:00000006
"NdisMinorVersion"=dword:00000014
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\npcap\Parameters]
"NdisImPlatformBindingOptions"=dword:00000000
"LoopbackSupport"=dword:00000001
"DltNull"=dword:00000001
"Edition"="Npcap OEM"
"AdminOnly"=dword:00000001
"Dot11Support"=dword:00000000
"VlanSupport"=dword:00000000
"WinPcapCompatible"=dword:00000000
"DefaultFilterSettings"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\npcap\Enum]
"Count"=dword:00000000
"NextInstance"=dword:00000000
"INITSTARTFAILED"=dword:00000001
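Added example (not part of the thread and not Npcap project code): a small Python triage helper for the Service Control Manager event 7000 quoted above, which resolves the `%%N` insert in `param2` to its Win32 error and separates a signature failure from a driver-initialisation failure. The function name, the bucket labels and the trimmed sample event are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Win32 error -> (symbolic name, triage bucket). Bucket labels are this
# example's own; the codes and names are standard winerror.h values.
WIN32_ERRORS = {
    2: ("ERROR_FILE_NOT_FOUND", "image-missing"),
    87: ("ERROR_INVALID_PARAMETER", "driver-init"),
    577: ("ERROR_INVALID_IMAGE_HASH", "signature"),
    1275: ("ERROR_DRIVER_BLOCKED", "blocked-by-policy"),
}

# Constructed sample: same shape as the event quoted in the thread, trimmed.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <TimeCreated SystemTime="2021-09-03T00:41:30.199104800Z" />
  </System>
  <EventData>
    <Data Name="param1">Npcap Packet Driver (NPCAP)</Data>
    <Data Name="param2">%%87</Data>
  </EventData>
</Event>"""


def triage_start_failure(event_xml):
    """Summarise an SCM event 7000; return None for any other event."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    if provider is None or provider.get("Name") != "Service Control Manager":
        return None
    if event_id.strip() != "7000":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    # SCM stores the failure as "%%<Win32 code>"; the viewer expands it to text.
    m = re.fullmatch(r"%%(\d+)", data.get("param2", ""))
    code = int(m.group(1)) if m else None
    name, bucket = WIN32_ERRORS.get(code, ("UNKNOWN", "unclassified"))
    return {"service": data.get("param1"), "win32_error": code,
            "name": name, "bucket": bucket}


if __name__ == "__main__":
    print(triage_start_failure(SAMPLE_EVENT))
```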
Update: both issues still persist as of 1.55; that is, driver installation still throws a warning (and fails in silent mode), or if forced, the installed driver fails to start (same error 87).
Using the /prior_driver option (install driver from version 1.31) does not remediate the first problem, that is, driver installation still throws a warning (and fails in silent mode). It does, however, remediate the second problem: if the driver is forced to install, it works.
Therefore, the second problem (driver failing to start on NT 6.1) was introduced in 1.31<version<=1.50 (probably in 1.40). If I had to guess, it's those registry access changes in Packet.c.
The first problem (driver install warning) was probably introduced when you changed your code signing CA (again). As I mentioned in #107, it's not about certificates not being installed in the trusted root store (tried that -- didn't fix the problem, not for NT 6.1), nor is it about SHA256 signatures being used (I do have SHA256 patches installed). It's something else that's different about your old CA and new CA; we need to figure out what exactly. Whatever it is, it readily reproduces on (for example) Racemi WS2008R2 images in AWS EC2 (even after installing SHA256 patches and the rest of Windows updates). Perhaps we are installing root CAs into the wrong store? (Is there a separate trusted CA store for driver code signing as opposed to user code signing?) Can you maybe get in touch with your new CA or with Microsoft and have them shed some light on why one CA works and the other doesn't, despite all the steps taken?
The problem is most likely that the MS kernel-mode code signing cross-certificate for our CA expired 30 minutes before we signed the drivers for Npcap 1.31. Microsoft's official policy is that only drivers signed through the WHQL certification process can be installed on Windows now, though for some reason none of our own tests showed this to be a problem. This is the issue that the /prior_driver option was intended to work around, though apparently it did not because we were 30 minutes late on that driver. I would guess that Npcap 1.31 installer also exhibits the same issue.
The issue of the driver not starting is again not something that showed up in our testing, but I believe it is due to changing our NX pool opt-in mechanism. Windows 6.1 does not support no-execute (NX) nonpaged memory allocations, but later versions do. When we shipped a single binary for Windows 7 through 8.1, we used the POOL_NX_OPTIN method to use NX pool on systems that support it by doing a runtime check. When we separated the Windows 7 driver into its own binary, we changed opt-in mechanisms, but code analysis was misidentifying some things, so after several iterations of changes we ended up with a build that attempts to make allocations from the NX pool even on Windows 7 (6.1). This is most likely the cause of the driver failing to start. This should have been caught in our testing, but we have not observed it, and I do not have a good explanation.
The signature issue falls under #237, so we can discuss it there. We will continue using this issue to track the driver start failure problem.
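Added example (not Npcap code and not from any participant in this thread): a source-level check, in Python, for the NX pool regression described above, flagging constructs that request NX nonpaged pool in a driver binary whose minimum target is NT 6.1. `POOL_NX_OPTIN_AUTO`, `ExInitializeDriverRuntime` and `DrvRtPoolNxOptIn` are taken from Microsoft's WDK documentation rather than from this thread, and the driver fragments and function name are constructed for the illustration.

```python
import re

# Constructed source fragments for illustration (not Npcap code).
WIN7_BUILD_BAD = """
#define POOL_NX_OPTIN_AUTO 1
#include <ntddk.h>
NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg) {
    void *buf = ExAllocatePoolWithTag(NonPagedPoolNx, 64, 'xmpE');
    return buf ? STATUS_SUCCESS : STATUS_INSUFFICIENT_RESOURCES;
}
"""
SINGLE_BINARY_OK = """
#define POOL_NX_OPTIN 1
#include <ntddk.h>
NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg) {
    ExInitializeDriverRuntime(DrvRtPoolNxOptIn);  // picks NX only if supported
    void *buf = ExAllocatePoolWithTag(NonPagedPool, 64, 'xmpE');
    return buf ? STATUS_SUCCESS : STATUS_INSUFFICIENT_RESOURCES;
}
"""

NX_TYPE = re.compile(r"\bNonPagedPoolNx(CacheAligned)?\b")
OPTIN_AUTO = re.compile(r"#\s*define\s+POOL_NX_OPTIN_AUTO\s+1\b")
OPTIN = re.compile(r"#\s*define\s+POOL_NX_OPTIN\s+1\b")


def nx_pool_findings(source, min_nt=(6, 1)):
    """Return (line, message) pairs for NX pool opt-in problems in `source`.

    min_nt is the lowest NT version the binary must load on; NX nonpaged
    pool exists from NT 6.2 (Windows 8) onward.
    """
    pre_nx_target = min_nt < (6, 2)
    findings = []
    lines = [ln.split("//")[0] for ln in source.splitlines()]  # drop // comments
    for no, ln in enumerate(lines, 1):
        if pre_nx_target and OPTIN_AUTO.search(ln):
            findings.append((no, "POOL_NX_OPTIN_AUTO selects NX pool at compile time"))
        if pre_nx_target and NX_TYPE.search(ln):
            findings.append((no, "hard-coded NX pool type"))
    code = "\n".join(lines)
    # Runtime opt-in only takes effect once the driver runtime is initialised.
    if OPTIN.search(code) and "ExInitializeDriverRuntime" not in code:
        findings.append((0, "POOL_NX_OPTIN set but ExInitializeDriverRuntime never called"))
    return findings


if __name__ == "__main__":
    for name, src in (("win7-bad", WIN7_BUILD_BAD), ("single-ok", SINGLE_BINARY_OK)):
        print(name, nx_pool_findings(src))
```

This is a text-level lint of driver source, so it complements, and does not replace, loading the built driver on an NT 6.1 test machine.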
This issue is fixed in Npcap 1.60. For discussion of the driver install warning/prompt, see #237.
Version 1.50 of Npcap introduced the same regression on Windows Server 2008 R2 (fully patched before ESU) as 0.9990 did (see nmap/npcap#107). When installing manually, a warning pops up to install the driver, and when installing silently, it fails (this time the installer returns proper exit code though, and no longer leaves Npcap half-installed). This is despite kb3033929, kb4474419-v3, and kb4490628 patches installed.
Worse, the driver, even when installed manually, fails to start on WS2008R2 afterwards:
It looks like you've changed the signer again (now to DigiCert); perhaps you need to install their root and intermediate certificates into appropriate certificate stores before installing the driver? And since by now you are shipping different drivers for W7, W8 and W10, could we not simply leave the W7/2008R2 driver signing process alone? No more changes would be made to those systems except critical patches, so whatever signing mechanism that worked before should in theory continue to work (as long as the involved certificates don't expire or get revoked).
Contents of setupapi.dev.log (silent install failure followed by manual install warning override):
Contents of NPFInstall.log (again, failed silent install followed by successful manual install):