New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Npcap OEM 0.9987: Silent installer silently fails, leaves Npcap half-installed #1910
Comments
Thanks for pointing this out. Our goal with Npcap was to support Windows versions that were still in extended support by Microsoft, but we were forced to miss that goal by our certificate expiring 2 months before Server 2008 (based on Vista) ended extended support. Since the signature issue was the only problem and it was able to be bypassed by a user accepting the warning, we went ahead with the release without making changes to NDIS version or NTDDI version that would have explicitly removed support for those versions. Going forward, we will be making these changes, so the next release of Npcap will not be capable of running on Windows versions prior to Windows 7 (Windows 2008 R2). You have raised a valid point about the installer not gracefully handling a failure at this point. We are already looking at changes to better handle fixing broken installations, and we will look into how errors are handled so that this does not happen in the future. |
I don't think it's necessary to explicitly desupport Vista/WS2008, unless you mean to upgrade Npcap to a higher NDIS version and take advantage of new functionality. But either way, if the silent failure in the installer is fixed, this should work for us -- as long as the installer properly reports failure and cleans up after itself, our software will fall back onto installing and using WinPcap. |
We do intend on supporting higher NDIS versions, since users have complained that Npcap interferes with advanced functions like RSC (#1417). We also hope that using a higher version of WFP functions will help address some issues we've seen related to loopback capture (#1789). The commit above fixes an actual bug in the installer code that goes all the way back to Npcap 0.78: in silent mode, a failure to install the filter driver would not be communicated to the main installer function, so it continued with the install as though it had succeeded. Future releases will always fail gracefully without corrupting the system if this step fails. |
@dmiller-nmap Understood. But which commit are you referring to? I see no commits referenced here, nor any relevant new commits in npcap or nmap repo networks... |
Hi @akontsevoy . The commit is actually to our Npcap build system repo rather than our normal Npcap repo since the changes are to the NSI file. But they will be in the next release. And if you do need access to the NSI for some reason, just let me know your email address. Cheers! |
Yeah, I thought it was to a private repo, and that's probably why it didn't show up here, even if this issue was mentioned in a PR there. For the moment we can wait until the next release, if it's reasonably soon; in the mean time we're trying to get our customer to verify a solution to a different issue supposedly fixed in 0.9987. |
@fyodor @dmiller-nmap In the mean time, could you please increase the stack reservation size in the build of |
The installer change was made for Npcap 0.9988, fixing this issue. If you have further problems, please open a new issue. Note that I moved the discussion of stack reservation size to its own issue, #1951. |
When installing Npcap on (for example) Windows Server 2008 (non-R2, fully updated), the
npcap.sys
driver is treated as unsigned (probably due to the lack of SHA256 signature verification support or the inability to install a certificate on those systems). The user gets a prompt (even if/S
option is given), and if agreed, the install is successful.However, our software installs Npcap OEM while running under LocalSystem account, there is no user-reachable session where the prompt could be displayed. Driver installation fails with
ERROR_DRIVER_STORE_ADD_FAILED
,NPFInstall.exe
returns -1. No issues here that haven't already been discussed.However, when that happens, the overall installer exe (
npcap-0.9987-oem.exe
) still returns 0, so our application considers the installation successful. Worse, it leaves Npcap half-installed; no clean-up is performed, so if our application later tries to detect Npcap installation through the presence ofwpcap.dll
, it thinks Npcap is installed; but when it starts using Npcap, of course no adapters (or since 0.998x, only loopback adapter) is present to capture from.The correct behavior (IMO) should be:
NPFInstall.exe
returned an error or crashed, etc) -- preferrably with a different error code for each reason. Our process calling the installer can then execute appropriate fallback and error reporting actions.While at it, I would also suggest increasing the stack reservation size of
NPFInstall.exe
and other helper exes to at least 8 MB (your builds probably uses the default 1). We've received evidence of this process crashing with a stack overflow exception (c0000409) on some systems while installing Npcap 0.993. We've been unable to reproduce this locally; however, we have experienced this before with other programs when certain antiviruses are installed that inject code into applications (CylancePROTECT in particular). Increasing the stack reservation helped eliminate the crashes in that case.Install command used:
npcap-0.9987-oem.exe /loopback_support=no /admin_only=yes /dot11_support=no /winpcap_mode=no /S
Contents of NPFInstall.log:
Contents of install.log:
Output of systeminfo:
The text was updated successfully, but these errors were encountered: