This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Failed to create npcap service

0

Hi there,

I am getting the "Failed to create npcap service for win7, win8 and win10. Please try installing Npcap again, or use the official Npcap installer from www.nmap.org" too. I don't get any compatibility assistant messages though.

I checked out the windows security update Pascal provided (KB3033929) and windows told me that it is already installed. I further did all updates which were found by windows update and tried to install npcap again, but I still get the above error message.

In Wireshark, the driver is not working (Warning: "The NPF driver is not running" and no interfaces to capture from).

asked 19 Oct '15, 02:41

aliminat0r's gravatar image

aliminat0r
6112
accept rate: 0%

converted to question 20 Oct '15, 08:08

Jaap's gravatar image

Jaap ♦
11.7k16101


2 Answers:

0

You can go to the installation path of Npcap, and manually run "NPFInstall.exe -iw" and "NPFInstall.exe -i", and provide me the output here. Those are the actual driver installation commands that the installer uses.


UPDATE:

Solution:

For Vista x64 and Win7 x64 users:

If you still get the pop-up window that said Windows requires a digitally signed driver (or get error 577 when executing net start npf), please try these steps:

1) Install Microsoft's KB3033929 patch successfully (it should requires reboot).

2) Install latest Npcap 0.05-r8.

3) If step 2) still fails running the driver, then reinstall an alternate version of Npcap you NEVER installed on the machine before (like 0.05-r7, if you unfortunately tried 0.05-r7 before step1), then try 0.05-r6.) to "flush" the driver cache. You should use the same option of Install Npcap in WinPcap API-compatible Mode as you did in step 2). This installation of 0.05-r7 should work.

4) Reinstall back the latest Npcap 0.05-r8. This second-time installation should succeed.

answered 26 Oct '15, 03:59

Yang%20Luo's gravatar image

Yang Luo
9117
accept rate: 4%

edited 02 Feb '16, 07:36

I have exactly the same issue, here is what the installer tells me:

c:\Program Files\Npcap>NPFInstall.exe -i: Npcap LWF driver has failed the installation.

(28 Jan '16, 03:13) NelsonB

for my own experience:

after installing the security update provided by Pascal, Win7 doesn't seem to be able to install Npcap immediately. Maybe you need to restart several times to wait that update to take effect.

(28 Jan '16, 05:53) Yang Luo

Possibly because Windows hasn't yet updated with the SHA256 root certs or CRL's or something else related to enabling SHA256 certs?

(28 Jan '16, 06:18) grahamb ♦

Do you have an idea of the way to do that?

(29 Jan '16, 02:15) NelsonB

Not really, although this page implies it happens automagically when Windows is presented with a certificate who's root CA is not in the trusted store. Of course the system has to be connected to the internet to do this.

Possibly right-clicking the npcap installer and examining the certificate via the digital signature tab will trigger the update. The above listed page says events will be logged indicating that the update has taken place.

(29 Jan '16, 03:39) grahamb ♦

Thanks for the fast feedback. I right-clicked on npcap-nmap-0.05-r5.exe, went to the digital signature tab, got: Signa name: Insecure.Com LLC, Digest Algorithme: sha1 In the Details window I have several infos, among them: CN = DigiCert SHA2 Assured ID Code Signing CA

I tried the "Certificate installation" button in the "General tab", Windows tells me everithing is fine, but I still have the same problem when installing the npcap driver...

(29 Jan '16, 07:36) NelsonB

Have you tried to clear your driver files cache? It should be in: C:\Windows\System32\DriverStore\FileRepository\npf.infXXXXXX. (the folder name is very long) Delete this npf.infXXXXXX folder. You may need SYSTEM permissions to do this. Then reinstall Npcap.

(29 Jan '16, 09:51) Yang Luo
showing 5 of 7 show 2 more comments

0

Hmm. I've just downloaded that copy (0.05-r5) of npcap and had the same issue, I then tried the latest version (0.05-r7) and that did seem to install correctly.

However, I don't think the signature is correctly timestamped, as in, it appears there is no timestamp. As I understand it, this should prevent the correct installation on Windows 7 onwards post the SHA1 apocalypse (1/1/2016), see this TechNet page for more info. In addition, I only see a SHA1 digest hash, I'd understood we were meant to have moved to SHA256 now (with dual signing for Vista and Server 2K8 that can't handle SHA256).

You can check if you have the updates that kill untimestamped SHA1 digital signatures with the command certutil -getreg chain\Default\WeakSha1ThirdPartyAfterTime. If you've installed the updates this will return a string such as WeakSha1ThirdPartyAfterTime REG_BINARY = 01/01/2016 07:00.

answered 29 Jan '16, 10:31

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Hi. I have added SHA256 digest and timestamp support, see Npcap 0.05-r8: https://github.com/nmap/npcap/releases PS: But this doesn't seem to resolve the issue. I tried by installing KB3033929 in Win7 x64, Npcap still can't run.

(01 Feb '16, 05:32) Yang Luo

Hi. I have the correct output from CertUtil (thanks grahamb). Trying to install npcap-nmap-0.05-r8 gave me basically the same result, but now I got a warning dialog that tells me the npcap.sys (NT6 AMD64) driver is not digitally signed.

(02 Feb '16, 06:51) NelsonB

I also get the same unsigned warning with -r8. I've been in email contact with @Yang Luo to discuss what I think is an incorrect signature. Hopefully we can get this resolved soon.

(02 Feb '16, 07:08) grahamb ♦