nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Npcap installation failure with error code 0x80070006 (ERROR_INVALID_HANDLE) #600

Open dmiller-nmap opened 2 years ago

dmiller-nmap commented 2 years ago

A customer has reported Npcap fails to install with the error 0x80070006. Logs show that the driver installation via SetupAPI succeeds (no errors in SetupAPI.dev.log), but the installation/binding as a NDIS LWF via the NetCfg API fails. OS is Microsoft Windows 10 Enterprise 2016 LTSB, build 14393, x86_64.

Relevant portion of NPFInstall.log:

[0000248C] 2022-04-07 13:17:04 --> wmain
[0000248C] 2022-04-07 13:17:04     _tmain: executing, argv[0] = C:\Program Files\Npcap\NPFInstall.exe.
[0000248C] 2022-04-07 13:17:04     _tmain: executing, argv[1] = -n.
[0000248C] 2022-04-07 13:17:04     _tmain: executing, argv[2] = -i.
[0000248C] 2022-04-07 13:17:05 --> InstallDriver
[0000248C] 2022-04-07 13:17:05 --> GetServiceInfFilePath
[0000248C] 2022-04-07 13:17:05     lpFilename = C:\Program Files\Npcap\NPCAP.inf
[0000248C] 2022-04-07 13:17:05 <-- GetServiceInfFilePath
[0000248C] 2022-04-07 13:17:05 --> InstallSpecifiedComponent
[0000248C] 2022-04-07 13:17:05 --> HrGetINetCfg
[0000248C] 2022-04-07 13:17:05 <-- HrGetINetCfg
[0000248C] 2022-04-07 13:17:05 --> HrInstallNetComponent
[0000248C] 2022-04-07 13:17:05     bWiFiService = 0.
[0000248C] 2022-04-07 13:17:05     HrInstallComponent: executing, szComponentId = INSECURE_NPCAP.
[0000248C] 2022-04-07 13:17:05 --> HrInstallComponent
[0000248C] 2022-04-07 13:17:06     INetCfgClassSetup::Install: error, szComponentId = INSECURE_NPCAP.
[0000248C] 2022-04-07 13:17:06 <-- HrInstallComponent
[0000248C] 2022-04-07 13:17:06     HrInstallComponent: error, szComponentId = INSECURE_NPCAP.
[0000248C] 2022-04-07 13:17:06 <-- HrInstallNetComponent
[0000248C] 2022-04-07 13:17:06     Error 0x80070006: Couldn't install the network component.

Possible cause:

Das Handle ist ungültig.

[0000248C] 2022-04-07 13:17:06 --> HrReleaseINetCfg
[0000248C] 2022-04-07 13:17:06 <-- HrReleaseINetCfg
[0000248C] 2022-04-07 13:17:06 <-- InstallSpecifiedComponent
[0000248C] 2022-04-07 13:17:06     Error 0x80070006: InstallSpecifiedComponent

Possible cause:

Das Handle ist ungültig.

[0000248C] 2022-04-07 13:17:06 <-- InstallDriver
[0000248C] 2022-04-07 13:17:06     _tmain: error, nStatus = -2147024890.
[0000248C] 2022-04-07 13:17:06 <-- wmain

Previously, we were unable to further diagnose problems like this because NetCfg does not provide a text log or event log entries. However, we have identified a way to use performance tracing to produce a log of NetCfg internals (posted below as a comment). Unfortunately, we have so far not identified the reason for the error. Here are the relevant results from the most recent API call that failed:

<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15627.833" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupSetObjectProperties"
  FormattedMessage="Begin API NetSetupSetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/Operation/Start" TimeMsec="15627.848" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084" OperationType="Modify object" ObjectType="NDIS light-weight filter driver" ObjectId="7daf2ac8-e9f6-4765-a842-f1f5d2501341" PropertyBuffer="01100800CCCCCCCCB000000000000000..."
  FormattedMessage="Begin operation Modify object on NDIS light-weight filter driver in transaction e931c741-3daf-48bd-b2de-a820abab1084: 7daf2ac8-e9f6-4765-a842-f1f5d2501341 on 192:01100800CCCCCCCCB000000000000000... " />
<Event EventName="Microsoft-Windows-Network-Setup/Plugincallback/Start" TimeMsec="15628.749" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084" PluginId="-939,524,096" PluginName="Compatibility key projections"
  Api="ObjectEventSink::OnModifyObject"
  FormattedMessage="Begin calling into plugin Compatibility key projections " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15628.752" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupInitialize"
  FormattedMessage="Begin API NetSetupInitialize on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15628.754" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.002" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupInitialize" Code="0"
  FormattedMessage="End API NetSetupInitialize on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15628.756" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjects"
  FormattedMessage="Begin API NetSetupGetObjects on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15628.761" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.005" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjects" Code="0"
  FormattedMessage="End API NetSetupGetObjects on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15628.763" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjects"
  FormattedMessage="Begin API NetSetupFreeObjects on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15628.766" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.002" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjects" Code="0"
  FormattedMessage="End API NetSetupFreeObjects on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15628.779" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjectProperties"
  FormattedMessage="Begin API NetSetupGetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15628.785" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.005" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjectProperties" Code="0"
  FormattedMessage="End API NetSetupGetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15628.787" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjectProperties"
  FormattedMessage="Begin API NetSetupFreeObjectProperties on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15628.789" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.002" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjectProperties" Code="0"
  FormattedMessage="End API NetSetupFreeObjectProperties on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15629.606" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjectProperties"
  FormattedMessage="Begin API NetSetupGetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15629.618" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.012" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjectProperties" Code="0"
  FormattedMessage="End API NetSetupGetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15629.621" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjectProperties"
  FormattedMessage="Begin API NetSetupFreeObjectProperties on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15629.623" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.002" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjectProperties" Code="0"
  FormattedMessage="End API NetSetupFreeObjectProperties on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15629.625" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjectProperties"
  FormattedMessage="Begin API NetSetupGetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15629.631" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.006" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjectProperties" Code="0"
  FormattedMessage="End API NetSetupGetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15629.633" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjectProperties"
  FormattedMessage="Begin API NetSetupFreeObjectProperties on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15629.635" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.002" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjectProperties" Code="0"
  FormattedMessage="End API NetSetupFreeObjectProperties on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15629.638" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjectProperties"
  FormattedMessage="Begin API NetSetupGetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15629.643" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.005" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupGetObjectProperties" Code="0"
  FormattedMessage="End API NetSetupGetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15629.645" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjectProperties"
  FormattedMessage="Begin API NetSetupFreeObjectProperties on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15629.647" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.002" TransactionGuid="00000000-0000-0000-0000-000000000000"
  Api="NetSetupFreeObjectProperties" Code="0"
  FormattedMessage="End API NetSetupFreeObjectProperties on transaction 00000000-0000-0000-0000-000000000000 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" TimeMsec="15630.195" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupClose"
  FormattedMessage="Begin API NetSetupClose on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15630.198" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="0.003" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupClose" Code="0"
  FormattedMessage="End API NetSetupClose on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />
<Event EventName="Microsoft-Windows-Network-Setup/Plugincallback/Stop" TimeMsec="15630.201" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="1.452" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084" Output="0" Code="-2,147,418,113"
  FormattedMessage="End calling into plugin " />
<Event EventName="Microsoft-Windows-Network-Setup/Operation/Stop" TimeMsec="15630.336" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" DURATION_MSEC="2.488" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084" Code="-2,147,024,890"
  FormattedMessage="Operation e931c741-3daf-48bd-b2de-a820abab1084 ended with code -2,147,024,890 " />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" TimeMsec="15630.372" ProcessName="Process(1624) (1624)" ThreadID="8,604" ProcessorNumber="1" TransactionGuid="e931c741-3daf-48bd-b2de-a820abab1084"
  Api="NetSetupSetObjectProperties" Code="-2,147,024,890"
  FormattedMessage="End API NetSetupSetObjectProperties on transaction e931c741-3daf-48bd-b2de-a820abab1084 " />

So the error stack appears to be:
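As an added example (not code from the issue or the Npcap project), a Python script that pairs the Start/Stop events of a Microsoft-Windows-Network-Setup trace into their call nesting and converts the comma-formatted signed decimal codes to HRESULTs; it assumes the events were exported from the ETL to XML in the form quoted above and embeds a constructed excerpt of that trace as input.

```python
# Added example, not from the npcap project or the issue: pair the Start/Stop
# events of a Microsoft-Windows-Network-Setup trace (ETL exported to XML) into
# the nested call structure and decode the signed decimal codes to HRESULTs.
import xml.etree.ElementTree as ET

# Constructed sample: an excerpt of the trace quoted in the issue, with the
# process/thread/transaction attributes stripped for brevity.
SAMPLE = """<Events>
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" Api="NetSetupSetObjectProperties" />
<Event EventName="Microsoft-Windows-Network-Setup/Operation/Start" OperationType="Modify object" ObjectType="NDIS light-weight filter driver" />
<Event EventName="Microsoft-Windows-Network-Setup/Plugincallback/Start" PluginName="Compatibility key projections" Api="ObjectEventSink::OnModifyObject" />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" Api="NetSetupInitialize" />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" Api="NetSetupInitialize" Code="0" />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Start" Api="NetSetupClose" />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" Api="NetSetupClose" Code="0" />
<Event EventName="Microsoft-Windows-Network-Setup/Plugincallback/Stop" Output="0" Code="-2,147,418,113" />
<Event EventName="Microsoft-Windows-Network-Setup/Operation/Stop" Code="-2,147,024,890" />
<Event EventName="Microsoft-Windows-Network-Setup/ExternalAPI/Stop" Api="NetSetupSetObjectProperties" Code="-2,147,024,890" />
</Events>"""

# HRESULT values relevant to this failure (from winerror.h).
KNOWN = {
    0x80070006: "HRESULT_FROM_WIN32(ERROR_INVALID_HANDLE)",
    0x8000FFFF: "E_UNEXPECTED",
}

def to_hresult(code):
    """Trace codes are signed 32-bit decimals with thousands separators."""
    return int(code.replace(",", "")) & 0xFFFFFFFF

def build_stack(xml_text):
    """Return (depth, kind, label, hresult) frames in Stop order, i.e. the
    innermost call first, the way an unwinding stack trace reads."""
    frames, open_frames = [], []
    for ev in ET.fromstring(xml_text).iter("Event"):
        kind, phase = ev.get("EventName").rsplit("/", 2)[-2:]
        if phase == "Start":
            label = (ev.get("PluginName") or ev.get("Api")
                     or ev.get("OperationType") or kind)
            open_frames.append((len(open_frames), kind, label))
        elif phase == "Stop":
            # Plugin/operation Stop events carry no name; reuse the Start's.
            depth, kind, label = open_frames.pop()
            frames.append((depth, kind, label, to_hresult(ev.get("Code", "0"))))
    return frames

def failing_frames(xml_text):
    """Only frames whose code has the HRESULT failure bit set."""
    return [(d, label, f"0x{hr:08X}", KNOWN.get(hr, "unknown"))
            for d, _, label, hr in build_stack(xml_text) if hr & 0x80000000]

if __name__ == "__main__":
    for depth, kind, label, hr in reversed(build_stack(SAMPLE)):  # outermost first
        print(f"{'  ' * depth}{kind} {label}: 0x{hr:08X} {KNOWN.get(hr, '')}")
```

On the excerpt it reports the Compatibility key projections plugin returning 0x8000FFFF (E_UNEXPECTED) and the enclosing Modify object operation and NetSetupSetObjectProperties call returning 0x80070006, the same code NPFInstall.log shows as nStatus = -2147024890.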

dmiller-nmap commented 2 years ago

To create a NetCfg performance trace/log, use the following procedure:

  1. Download the attached netcfg_trace.xml.txt (rename to .xml)
  2. Edit the netcfg_trace.xml file to specify an output folder in the <OutputLocation>, <RootPath>, and <Subdirectory> elements. Alternatively, this can be done via Performance Monitor after the template is imported.
  3. In an Administrator command shell, import the Data Collector Set template: logman import netcfg_trace -xml netcfg_trace.xml
  4. Start the data collection immediately before running the Npcap installer: logman start netcfg_trace
  5. Run the Npcap installer as you normally would.
  6. When the installer is finished, stop the data collection: logman stop netcfg_trace
  7. Send us the resulting NetCfg-Trace-1.etl file (it was about 1.6MB on my system for a reinstall, 0.5MB on the system with the error).

The XML config was generated by creating a trace in Performance Monitor for the "Microsoft-Windows-Network-Setup" trace provider and exporting it with the "Save template..." action.

dmiller-nmap commented 2 years ago

@jtippet: Is there any way to use this trace to identify a problem? Do you have any ideas or suggestions?

jtippet commented 2 years ago

Wow, you've stumbled deep into the dark alleyway of INetCfg guts...

"Compatibility key projections" is the bit that writes out all the registry keys that NetCfg used to write, prior to win10. The OS itself doesn't use any of these keys anymore, but we leave them lying around for all the apps that think they're entitled to go rummaging through NetCfg's internal state. (Anecdote: Early in win10, we had an appcompat bug because one of our supposedly-private registry keys contained a stringified representation of a GUID that used lowercase for the hexadecimal digits, while the 3rd-party app only worked if the GUID was written in UPPERCASE... So after banging my head against the desk on that, I made a unit test that runs both the win8 netcfg and the current netcfg inside parallel sandboxes, then asserts that both write the exact same stuff to the registry during typical driver operations.)

14393 is a very old OS build. I remember one problem we had in roughly that timeframe was that when writing to a driver's service key (like HKLM\System\CurrentControlSet\Services\foo\...), some 3rd party antimalware product would block the write. It did this in a very messy way: it allowed usermode to open the key with the KEY_SET_VALUE right, but then returned STATUS_ACCESS_DENIED when actually calling the syscall behind RegSetValueExW. Since that's a violation of the semantics of the syscalls, NetCfg did not handle that situation very gracefully in earlier builds of win10. I'm not sure that's what's happening here, but it is plausible, since the plugin is trying to write keys all over the system. tldr: have the customer try temporarily suspending any 3rd party antivirus and retrying the install.

We keep persistent logs in c:\Windows\Logs\NetSetup. I believe you need to work at Microsoft in order to decode that file, but I'd be happy to do that for you. We don't consider those logs to have personally-identifiable information (it's just the names of network drivers, hardware IDs, timestamps and PIDs), but out of an abundance of caution, please don't publish the raw ETL files publicly, unless the log is from a test/lab machine that you don't care about. You can email them to my github account name @microsoft.com. The customer does not need to attempt another repro; the logs typically go back at least a month, and would include any NetCfg errors in that time.

It may help to know if indeed we're getting back some error on a write to the registry -- procmon can gather the evidence for that. The customer would have to attempt another repro for that, and that trace file definitely contains personal information. So this is optional.

dmiller-nmap commented 2 years ago

Thanks so much! We'll look into these options for the customer.

fyodor commented 2 years ago

Thanks @jtippet, this is great info!