[Winpcap-users] Windows 7 Pro x64 RE Install Fails

Fish" (David B. Trout fish at infidels.org
Sun Jan 8 20:38:10 PST 2012 

Fred Marshall wrote:

[...]
> If I run
> net start npf
> I get Syhstem error 2 has occurred
> The system cannot find the file specified. !!!!!!

Well THAT'S not good.


> So, it appears there is a difference between
> sc qc npf
> and
> net start npf

"sc qc npf" simply queries the Service Control Manager's database and
displays the entry for that service name. It does not otherwise do anything.
It is a query function. It is not an action function. It does not stop or
start a service. It simply DISPLAYS it.

The "net start" command actually starts the service, and does so according
to the information as registered in the Service Control Manager's database
(which is really just a few keys and values in the
HKLM\System\CurrentControlSet\Services branch of the registry).


> I've also looked at the ... well I can't find the full steps
> but it's like in the not plugnplay, hidden, etc.
> and it's not showing there.......
> 
> Everything has been run as Administrator, etc.

Perhaps you're thinking of the "msinfo32" command?

Start -> Run: msinfo32.

Expand the "Software Environment" branch, and select the first entry called
"System Drivers".

In the list of drivers, locate the one for Name = "NPF", Description =
"NetGroup Packet Filter Driver".

The "Type" should be "Kernel Driver", the Start Mode should be "Auto"
(possibly; depends on user preference). The "Started" will be "Yes" if the
driver has been started, but on your troublesome system it's more than
likely "No".

Now, go back to your Administrator Command Prompt (where you originally
entered your "sc qc npf" command from) and notice the path that's displayed:

C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :

This means the driver called "npf.sys" SHOULD be in your
%SystemRoot%\system32\drivers directory. Change to that directory and do a
'dir' (or 'dir /b | find /i "npf"). You SHOULD see two drivers listed:

  npf.sys
  npfs.sys

The second one listed (npfs.sys) is NOT the one we're interested in.

It is the FIRST one that we are interested in: the "npf.sys" driver.

If it is not listed in your dir display (if it does not exist in your
system32\drivers directory), then THAT is your problem. (and from the sounds
of everything you've told us so far that *IS* indeed your problem).

Now, the question then becomes, *WHY* isn't it there?!  :)

The installation of WinPCap *should* have placed it there.

If, after installing WinPCap , it is still not there, then either:

  a) something is broken with the WinPCap installer (unlikely)

or:

  b) something on your system is preventing the WinPCap installer from being
able to write to that directory (much more likely)

Check you driver and/or directory permissions to make sure they're correct.
Maybe you changed them a long time ago and forgot you did so.

Or perhaps you changed some system policy (Group Policy) related to
installing device drivers a long time ago and forgot you did so.

It could be anything.

You need to dig through your memory and try to remember what it was you did
(or what some other piece of software that you installed may have done).


AS A QUICK TEST, you might consider *manually* copying the npf.sys driver to
there from a known working system. (Just make sure it's for the same
architecture: x64). The try starting the npf service again: "net start npf".
It SHOULD work.


Then all we would need to do is determine WHY the WinPCap installation is
unable to accomplish the same thing. THAT'S the mystery it seems.


I also STRONGLY suggest (and this is good advice not just for you but for
EVERYONE who manages a computer system, which includes your personal
computer) that you begin keeping a LOG of everything you do from now on.

I've been doing it for years now and it has saved my butt on more than one
occasion!

Just create a "_Windows Changes.txt" file somewhere (e.g. in your Documents
folder) and keep a shortcut to it on your desktop. Then whenever you change
ANYTHING on your system, be it a simple tweaking of a system service, the
installation of a program (or even Microsoft Updates) or the changing a
registry entry, etc... just type a new entry.

It doesn't have to be much.

Just a few lines.

Date, time, and what you did, etc.

Sort of like a "diary" of daily events in the life of your system. :)

But just get in the habit of doing it!

Don't think you can get away with NOT doing it, because it's easy to forget
days or weeks later when you're having trouble that several days/weeks ago
you changed something on your system and it's only NOW coming back to bite
you.

Trust me. You'll thank me for it later. :)

Good luck.

Let us know how it goes!

-- 
"Fish" (David B. Trout) 
 fish at softdevlabs.com

More information about the Winpcap-users mailing list