Winpcap works.
Npcap - not.

Hi @zdm ,

Is your OS x86 or x64? Which Npcap version and Wireshark version did you use? Which Npcap installation options did you choose? Thanks.

I have tested latest Npcap 0.08 r3 (with WinPcap Compat Mode) and latest Wireshark Development Release (2.1.1) on my Win10 x64 Anniversary version without any issues.

Please don't use Wireshark Stable Release because it can't recognize the new version Npcap when installed in non-WinPcap Compat Mode (which is by default).

Windows 10 x64

Wireshark 2.0.5 x 64

I tried following npcap versions:
0.08-r2
0.08
0.07-r17

On 08.08.2016 03:42, Yang Luo wrote:

Hi @zdm https://github.com/zdm ,

Is your OS x86 or x64? Which Npcap version and Wireshark version did
you use? Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/nmap/nmap/issues/492#issuecomment-238119783, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AA-mSPLEBGTtgI64dafMqjuEtOfrt_7sks5qdnt3gaJpZM4JekI0.

I tried your environment and didn't encounter that issue. What error message did you actually see?

Wireshark doesn't show any errors, just shows no adapters.

On 08.08.2016 08:10, Yang Luo wrote:

I tried your environment and didn't encounter that issue. What error
message did you actually see?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/nmap/nmap/issues/492#issuecomment-238143145, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AA-mSKXeekOXzqlfxLlmsNTGN7LmW13Fks5qdrozgaJpZM4JekI0.

1. Install Npcap with default options.
2. Reboot after intall.
3. try nmap --iflis and paste the output here.

I have removed winpcap and installed npcap-v0.08-r2 with default options.

In not elevated cmd nmap return nothing:

But in elevated I got error:

Oh, I forgot to say.

Please install Nmap's dev version: https://nmap.org/dist/nmap-7.25BETA1-setup.exe

And please install latest Npcap 0.08 r3.

With nmap-7.25-beta1 results are the same.

On 08.08.2016 08:41, Yang Luo wrote:

Oh, I forgot to see. Please install Nmap's dev version:
https://nmap.org/dist/nmap-7.25BETA1-setup.exe

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/nmap/nmap/issues/492#issuecomment-238146254, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AA-mSM5dyTxbmUKly16L0gYzKfaVlElHks5qdsGYgaJpZM4JekI0.

1. See if the C:\Windows\System32\Npcap folder contains these two files: wpcap.dll, Packet.dll
2. In Administrator CMD, enter sc query npcap and paste the result here.

1. Files are present;
2. Service is stopped

SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

In Administrator CMD, enter net start npcap and paste the result here.

Problem with signature

d:\downloads\111>net start npcap
System error 577 has occurred.

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

1. Unzip the attached signtool.zip, put signtool.exe to somewhere your CMD can find (e.g. . C:\Program Files\Npcap)
2. In CMD, cd into the C:\Program Files\Npcap path, enter signtool verify /kp /c npcap.cat npcap.sys and paste the result here.

signtool.zip

0 sha256 RFC3161
Successfully verified: npcap.sys

On 08.08.2016 09:29, Yang Luo wrote:

|signtool verify /kp /c npcap.cat npcap.sys|

1. Restore the OS to the un-updated state.
2. Uninstall Npcap.
3. OS Update.
4. Install Npcap.

I made clean os install a day ago.

On 08.08.2016 09:55, Yang Luo wrote:

1. Restore the OS to the un-updated state.
2. Uninstall Npcap.
3. OS Update.
4. Install Npcap.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/nmap/nmap/issues/492#issuecomment-238155582, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AA-mSBoYypoQ6McWBwnoFySitntpiegPks5qdtLHgaJpZM4JekI0.

I have no idea what happened.. Can I get a remote access?

yes, do you have teamviewer?

On 08.08.2016 10:01, Yang Luo wrote:

I have no idea what happened.. Can I get a remote access?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/nmap/nmap/issues/492#issuecomment-238156601, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AA-mSBBQxdNG9wZkONyQ80c_dbTxZfKnks5qdtRkgaJpZM4JekI0.

Yes. You can email me the password:) hsluoyz@gmail.com

The network connectivity is so bad. I can't even move the mouse in the remote window.

I don't know why, I have 100 Mb channel.

I need to go to the office now, and will be available in several hours.

So, the problem in the driver signature.

I will try to find the solution too, I already check, that your
certificate is stored as trusted.

On 08.08.2016 10:48, Yang Luo wrote:

The network connectivity is so bad. I can't even move the mouse in the
remote window.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/nmap/nmap/issues/492#issuecomment-238164611, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AA-mSB2UxR32QYZ_Uez95mup17fI2hWzks5qdt9QgaJpZM4JekI0.

I found the article, that describes drivers signing changes in windows
10 anniversary edition.

http://www.thewindowsclub.com/driver-signing-changes-windows-10

Maybe this will helpful to solve the problem.

On 08.08.2016 10:48, Yang Luo wrote:

The network connectivity is so bad. I can't even move the mouse in the
remote window.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/nmap/nmap/issues/492#issuecomment-238164611, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AA-mSB2UxR32QYZ_Uez95mup17fI2hWzks5qdt9QgaJpZM4JekI0.

I think, that this requirement should be met:

"The latest version of Windows 10 will load only Kernel mode drivers
signed digitally by the Dev Portal. However, the changes will affect
only the new installations of the operating system with Secure Boot
http://www.thewindowsclub.com/understanding-measured-boot-secure-boot-work-windows-8
on. The non-upgraded fresh installations would require drivers signed by
Microsoft."

On 08.08.2016 10:48, Yang Luo wrote:

The network connectivity is so bad. I can't even move the mouse in the
remote window.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/nmap/nmap/issues/492#issuecomment-238164611, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AA-mSB2UxR32QYZ_Uez95mup17fI2hWzks5qdt9QgaJpZM4JekI0.

Thanks! This should be the reason.

From your link here, the following 5 conditions have described what kind of Windows will be affected by this new signing rule:

1. PCs upgraded to Windows 10 Build 1607 from a previous version of Windows (for instance Windows 10 version 1511) are not affected by the change.
2. PCs without Secure Boot functionality, or Secure Boot off, are not affected either.
3. All drivers signed with cross-signing certificates that were issued prior to July 29, 2015, will continue to work.
4. Boot drivers won’t be blocked to prevent systems from failing to boot. They will be removed by the Program Compatibility Assistant, however.
5. The change affects only Windows 10 Version 1607. All previous versions of Windows are not affected.

But it's a little weird. Even the latest Npcap 0.08 r3's driver files were signed in July, 24. So according to the condition 3., Npcap driver should work without signature issues. I don't know why you encounter this issue.

Moreover, I have tried to reproduce this issue but I couldn't. I have installed a fresh Win10 1607 x64 in my VMware Workstation 12, but Npcap 0.08 r3 installs successfully. From msinfo32.exe, I saw that this VM doesn't support secure boot. But based on this post, it said that changing a registry key can "make“ msinfo32.exe believe secure boot is supported and enabled. I tried this method and it works. But I don't know if this cheating will also deceive the above condition 2. And I re-signed all the driver files to make sure the condition 3 will not be satisfied.

But why still can't reproduce this issue? It seems that the only reason is the secure boot. My secure boot cheating doesn't work. Unfortunately, I don't have an available machine for me to install Win 10 1607, so I have to use a VM here. Do you know any other ways to get a Win 10 VM with the secure boot support? Like using VirtualBox? or using a remote machine from providers like Amazon, etc.?

A useful Q&A with Microsoft:
https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/

Windows Hardware Dev Center:
https://developer.microsoft.com/en-us/windows/hardware

Windows Hardware Dev Center Dashboard:
https://sysdev.microsoft.com/en-us/hardware/signup/

I my case everything happens, like it described in the article.
I have clean windows installed and npcap driver is not loading.

@zdm , OK. I found hyper-V supports secure boot in VMs. And I have reproduced your issue with Npcap 0.08 r4 in my VM. We will discuss about how to improve our signing method. Thanks for reporting this issue!

@fyodor , can you register an account here: https://sysdev.microsoft.com/en-us/hardware/signup/ ? So we can log in to see what's going on there.

Any updates about the signing problem?

@BavoB @mhoes @marlop352 @zdm @sanitybit,

We have obtained an EV code signing certificate and are in the process of figuring out how to best accomplish the Dev Portal signing in such a way that it supports all versions of Windows from 7 through 10. Since you have each experienced problems with the driver signing issue, we are asking you to help us test a couple candidate builds of the latest Npcap 0.78 r2:

First, we have built [an installer with drivers signed directly by our EV cert]. This works on earlier versions of Windows, but we have not tested yet whether it works on Windows 10 1607, which is of course the primary problem. If this works for you on the Anniversary Update, we can begin shipping installers with this configuration right away.

If that should fail, we have an installer with Microsoft Attestation-signed drivers. The drivers were cross-signed by Microsoft through the Dev Portal after we signed them with our EV cert, and will most likely work with Windows 10, any release. Unfortunately, the do NOT work with previous versions.

If the first installer (EV-only) works for Win10 1607, then we can be done. If only the second one (attestation signed) works, then we will have to multiply again the drivers we ship: SHA-1-signed for Win7, EV-signed for Win8, and attestation-signed for Win10.

Please let us know at your earliest convenience which of these installers works for you, if any.

NOTE: these URLs are not permanent. Once we get a configuration finalized, we'll remove them and you can go back to obtaining Npcap through the Github releases page.

Win10 with secure boot enabled:

• npcap-0.78-r2-attestation.exe - works;
• npcap-0.78-r2-ev.exe - not installed, failed to create service during installation;

@mhoes @zdm , I have fixed this Npcap loopback adapters are not uninstalled issue in latest Npcap 0.78 r4.

Please try the installer at: https://github.com/nmap/npcap/releases

Note: this version still doesn't support Win10 1607 with Secure Boot on. Only the Microsoft Attestation-signed version Npcap released by Dan supports it.

0.78 r2-ev does not work(fails to create services)

0.78 r2-atestation works

with 0.78 r4 windows gives an error after installation saying that it blocked the installation of a driver not digitally signed

@marlop352 , Npcap 0.78 r4 still doesn't support Win10 1607 with Secure Boot on. Only the Microsoft Attestation-signed version Npcap released by Dan supports it. You can wait for Dan to release a 0.78 r4 version.

@hsluoyz thought so, reported it because the error was different from what I remember happening when using the normal installer

I don't know how you generate the installer of how this specific one works, but can't it have the two types of binaries(normal and attestation) and choose which to use by detecting what system it's been run from?

Everyone,

Sorry for the confusion. I had a misconfiguration that caused our EV-signed drivers to not validate, so they were not working on any system. Now they work on Windows 8 at least, and I would appreciate a test with Windows 10 1607. Here is the download link for Npcap 0.78 r4, EV cert.

@ mhoes: which probably proves the point. For Win10 1607 with secure boot enabled (freshly installed, but as your experience shows even for upgrades depending on who knows what) you need attestation, no way around it.

For completeness sake: this is the EV version installed on Windows 2012 R2 (server) - UEFI with secure boot. So AFAIK the attestation is also needed here or else there is still something else wrong.
I got the Windows Security pop-up 'Would you like to install this device software ?", to which I answered 'no' (do not always trust Insecure LLC).

@BavoB

I got the Windows Security pop-up 'Would you like to install this device software ?", to which I answered 'no'

If you choose no here, then you will always fail the driver install no matter how our driver is signed. So please choose yes.

It appears to me as if two things are getting mixed up here, but I may be wrong ? (I made a screenshot of the pop-up I get, yours may be different). In the pop-up, there are actually two related, but different, things. First of all, there is a 'checkbox' that you can check if you always want to trust drivers singed by "Insecure.Com LLC". You don't have to check that box, but you can. I'm guessing that if you do check the box to always trust the signer that you will never get this pop-up again, and that you will get the pop-up again if you don't.

Then there are the 'install' and 'dont install' buttons. If you want to install the driver (and I'm guessing that you want to) then you must click the button that says 'install'. If you haven't checked the checkbox in combination with clicking on 'install', you will only trust the signer once, for this install only, instead of always.

0.78 r2-ev does not work(fails to create services)
0.78 r2-atestation works
with 0.78 r4 windows gives an error after installation saying that it blocked the installation of a driver not digitally signed

0.78 r4-ev still gives me the same error as 0.78 r4 even if I mark the always trust box(witch does not appear on 0.78 r4) (checking that box should have made it accept the driver I think)

Windows 10 Pro 1607 (it's a clean install, not an update from a previous version) with secure boot enabled

Ok, all: I just published Npcap 0.78 r5, which has attestation-signed drivers for Win10 users, dual-signed SHA1/SHA256 drivers with MS Cross-Certs for Windows 8 and earlier. We are back in business! Do let us know if you still experience these problems.

OK, I had a chance to uninstall 0.78 r4 on a Window Win2012 R2 server + install 0.78 r5 (system with secure boot enabled). My findings, some of which have been reported before:

• uninstalling took very long and didn't remove the adapters (which I removed manually), but eventually it did uninstall - it seemed to be stuck on the 'stopping npcap driver' stage
• installing 0.78 r5 worked, but I did get the 'failed to create service' error: however after installing it seemed to work ==> i did not have winpcap installed on this system, I installed npcap in winpcap api compatible mode and the programs that normally rely on winpcap seemed to be working normally

So I guess there is some progress ;-)

I have some questions:

1. what services are created by the installer, what is their name? (I'd like to check in services msc to see if it is running)
2. are the uninstall problems also related to the (kernel) driver signing requirements/problems ==> although here I'm not running on Win10 based system
3. what is the current status of npcap compared to winpcap: can this be run safely with a program like Wireshark (without Winpcap)?

Looks like we handled the core issue reported here. If you continue to have problems with uninstalling, please open a new issue so we can track and fix it. Thanks!