Tuesday, March 10, 2015

Solving Serious WinPcap Installation Problems

This post addresses some serious WinPcap problems our customers have seen on Windows 8.1. They are not unique to that version of Windows and may also occur on other Windows versions.

Applicability: This discussion is limited to the current WinPcap 4.1.3 release and is intended for users of Windows 7, 8 and 8.1.

Related Blog Post:
WinPcap Installation, Status and other Tips

Common Symptoms:
  • WinPcap 4.1.3 official installer hangs at 'extract: Packet.dll' or similar.
  • Wireshark gives this message on startup "The NPF driver isn't running. You may have trouble capturing or listing interfaces."
  • NetScanTools Pro gives a message that WinPcap is not found or if it is found NetScanTools Pro locks up when you run a tool that uses WinPcap.
  • Windows locks up when you run software that uses WinPcap, forcing a power-cycle reboot.

Where to start:
The first thing to do is find out which of the three major components (npf.sys, wpcap.dll and packet.dll) are installed and what versions they are.

1. Using File Explorer, find out if this file exists: c:\Windows\system32\drivers\npf.sys. If so, right click on it and make note of the version number. Version 4.1.3 shows up as 4.1.0.2980 (don't ask me why).

2. Search your hard drives (especially drives where programs are installed) for both wpcap.dll and packet.dll.

Right-click on EVERY DLL found, open Properties/Details and verify that you see 4.1.0.2980 (4.1.3).

These are the only acceptable locations for 'public' WinPcap DLLs on a 64 bit Windows system:
c:\windows\system32\wpcap.dll (64 bit version of DLL)
c:\windows\SysWOW64\wpcap.dll (32 bit version of DLL)
c:\windows\system32\packet.dll (64 bit version of DLL)
c:\windows\SysWOW64\packet.dll (32 bit version of DLL)

These are the only acceptable locations for 'public' WinPcap DLLs on a 32 bit Windows system:
c:\windows\system32\wpcap.dll (32 bit version of DLL)
c:\windows\system32\packet.dll (32 bit version of DLL)

Did you find any other instances of wpcap.dll and/or packet.dll on your system? If so, that's a huge red flag. One of our end-users running Windows 8.1 64 bit experienced all of the Common Symptoms above, and he found WinPcap version 4.1.2.1742, which is actually WinPcap Pro (AKA WinPcap OEM), in a Netgear ReadyNAS Remote program directory.
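The inventory in the steps above as a PowerShell script. This is an added example, not code from the original post or from any NetScanTools product: it records the npf.sys version, searches every fixed drive for wpcap.dll and packet.dll, compares each copy against the allowed 'public' locations for the machine's architecture, checks that the DLL's bitness matches its directory (64-bit in System32, 32-bit in SysWOW64), and flags the WinPcap Pro/OEM build numbers listed later in this post. The version strings are the ones given in this post; the report layout is my own, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original post. Inventory the three WinPcap
# components (npf.sys, wpcap.dll, packet.dll) and flag any copy that is outside
# the documented 'public' locations, has the wrong version, or has the wrong
# bitness for its directory. Run from an elevated 64-bit Windows PowerShell
# (3.0 or later assumed).

$expected = '4.1.0.2980'   # file version that WinPcap 4.1.3 reports
# Build numbers this post identifies as WinPcap Pro / OEM (private, on-the-fly driver)
$proBuilds = '4.1.2.2001','4.1.2.1879','4.1.2.1742','4.0.2.1340','4.0.2.1252',
             '4.0.2.1123','4.0.2.1040','4.0.2.901','4.0.2.755'

function Get-FileVersionString([string]$Path) {
    # Use the numeric parts; the free-form FileVersion string is not reliable to compare
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Get-PEMachine([string]$Path) {
    # PE header: e_lfanew at offset 0x3C; IMAGE_FILE_HEADER.Machine sits 4 bytes past 'PE\0\0'
    $b  = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { 'other' }
    }
}

$is64  = [Environment]::Is64BitOperatingSystem
$sys32 = Join-Path $env:windir 'System32'
$wow64 = Join-Path $env:windir 'SysWOW64'

# Allowed public locations -> expected bitness (hashtable keys compare case-insensitively)
$nativeArch = if ($is64) { 'x64' } else { 'x86' }
$allowed = @{ "$sys32\wpcap.dll" = $nativeArch; "$sys32\packet.dll" = $nativeArch }
if ($is64) { $allowed["$wow64\wpcap.dll"] = 'x86'; $allowed["$wow64\packet.dll"] = 'x86' }

# Step 1: the driver
$npf = Join-Path $sys32 'drivers\npf.sys'
if (Test-Path -LiteralPath $npf) {
    $v = Get-FileVersionString $npf
    if ($v -eq $expected) { "npf.sys: $v (4.1.3)" } else { "npf.sys: $v  <-- not 4.1.3 ($expected)" }
} else {
    'npf.sys: NOT PRESENT'
}

# Step 2: every wpcap.dll / packet.dll on every fixed drive
$roots  = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |
          ForEach-Object { $_.Root }
$copies = Get-ChildItem -Path $roots -Include wpcap.dll, packet.dll -Recurse -File -Force -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $ver  = try { Get-FileVersionString $f.FullName } catch { 'unreadable' }
    $arch = try { Get-PEMachine $f.FullName } catch { 'unreadable' }
    $status = if ($allowed.ContainsKey($f.FullName)) {
        if ($ver -ne $expected)                  { 'WRONG VERSION in public location' }
        elseif ($arch -ne $allowed[$f.FullName]) { "WRONG BITNESS (expected $($allowed[$f.FullName]))" }
        else                                     { 'OK' }
    } elseif ($proBuilds -contains $ver) {
        'STRAY: WinPcap Pro/OEM build (red flag)'
    } else {
        'STRAY: private copy outside public locations'
    }
    [pscustomobject]@{ Path = $f.FullName; Version = $ver; Arch = $arch; Status = $status }
}

$report | Sort-Object Status, Path | Format-Table -AutoSize

# Directories holding stray copies: start looking for the exe that loads them here
$report | Where-Object { $_.Status -like 'STRAY*' } | ForEach-Object { Split-Path -Parent $_.Path } | Sort-Object -Unique
```

Run it from a 64-bit PowerShell window: a 32-bit PowerShell on 64-bit Windows is subject to file system redirection, so its view of System32 is really SysWOW64 and the 64-bit DLLs would be missed. Access-denied and over-long-path errors during the drive walk are suppressed, which is another reason to run elevated.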

Here's why it can be a problem: 4.1.2.1742 is WinPcap Pro. When a program loads the WinPcap Pro wpcap.dll and packet.dll, they create a copy of the WinPcap driver 'on the fly' in system32\drivers and start it. WinPcap Pro was intended for use on systems where the public WinPcap is not installed, so at least on Windows 8.1 with ReadyNAS Remote there is apparently interference between the two types of WinPcap. Other WinPcap Pro/OEM versions you might find: 4.1.2.2001, 4.1.2.1879, 4.0.2.1340, 4.0.2.1252, 4.0.2.1123, 4.0.2.1040, 4.0.2.901, 4.0.2.755. WinPcap Pro was discontinued by Riverbed before Windows 8 was released.

Our end-user tried to stop WinPcap with 'sc stop npf' and got a STOP_PENDING status, which meant the driver was in use. After a reboot, 'sc queryex npf' reported npf as stopped, yet 'sc start npf' said an instance of npf was already running. Very confusing, and definitely not what you would expect to see.

Solution that worked for the end-user:
The end-user stopped the ReadyNASRemote.exe process in Task Manager, renamed ReadyNASRemote.exe to something else, then rebooted. That worked because the program could not start at boot time and therefore did not load its private WinPcap Pro DLLs.

Next, we had to find out where ReadyNASRemote was being started from at boot time. It was not in the registry under HKLM, nor in Windows Task Scheduler. It was being launched from a shortcut under c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

Once it was stopped, the end-user could remove the official 'public' DLLs from the locations listed in Step 2 above and force a reinstall of WinPcap 4.1.3 public edition without a problem. We do not know which exact version of ReadyNASRemote this user had installed; he determined that he did not use it, so he uninstalled it before I found out.

Generalized Procedure assuming wpcap.dll and packet.dll are found elsewhere:
  1. Find any WinPcap DLLs that are not in their normal places and figure out which executable is using them (check Task Manager for exes running from the same directory as the WinPcap DLLs).
  2. Stop the offending process from Task Manager and rename the exe to something else (or find out where it is being started from and disable that startup entry).
  3. Reboot.
  4. Remove the official WinPcap DLLs from system32 and SysWOW64 (carefully! do not remove npf.sys), no matter what version they are.
  5. Reinstall the official WinPcap version from winpcap.org.
  6. Verify WinPcap is running from an administrative Command Prompt with 'sc queryex npf' (STATE should show RUNNING).
  7. Start Wireshark or NetScanTools Pro and confirm normal operation. (If Wireshark hangs at configuration 100%, review topic 5 here.)
  8. Now you have to decide if you really want to keep the offending program that was using its own private WinPcap. That's up to you.
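The investigative part of this procedure (steps 1, 2 and 6), and the ReadyNAS Remote case above, as a PowerShell script. This is an added example, not code from the original post or from any NetScanTools product. Given the directory of a stray WinPcap copy (the path below is hypothetical; substitute the one you found), it lists the processes that have those DLLs mapped or that run from that directory, checks the Run keys, the Startup folders and the scheduled tasks for where they are launched at boot, and reports the npf driver state the way 'sc queryex npf' shows it. It only reports: stopping the process, renaming the exe, removing the public DLLs and reinstalling remain manual steps.

```powershell
# Added example, not from the original post. Given the directory of a stray
# (private) WinPcap copy, find the processes that have it loaded, locate where
# they are started at boot, and report the npf driver state. Run from an
# elevated 64-bit Windows PowerShell (3.0 or later assumed).

# Hypothetical directory; substitute the one the DLL search flagged.
$strayDir = 'C:\Program Files (x86)\Example Vendor\Example Tool'

# --- Step 1: which running processes have the private wpcap.dll / packet.dll mapped? ---
$loaders = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # some processes refuse module enumeration
    foreach ($m in $mods) {
        if ($m.ModuleName -match '^(wpcap|packet)\.dll$' -and $m.FileName -like "$strayDir\*") {
            [pscustomobject]@{ PID = $p.Id; Process = $p.ProcessName; Exe = $p.Path; Module = $m.FileName }
        }
    }
}
# ...and any process whose executable lives in that directory, as the post suggests checking
$residents = Get-Process | Where-Object { $_.Path -like "$strayDir\*" } | ForEach-Object {
    [pscustomobject]@{ PID = $_.Id; Process = $_.ProcessName; Exe = $_.Path; Module = '(exe in stray dir)' }
}
$suspects = @($loaders) + @($residents) | Sort-Object PID -Unique
'Processes to stop in Task Manager:'
$suspects | Format-Table -AutoSize

# --- Step 2: where is each suspect started from at boot? ---
$exeNames = $suspects | ForEach-Object { [IO.Path]::GetFileName($_.Exe) } | Where-Object { $_ } | Sort-Object -Unique

# (a) Run keys, native and WOW6432Node (the post's case was NOT here, but check first)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in ($runKeys | Where-Object { Test-Path $_ })) {
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        foreach ($n in $exeNames) {
            if ("$($prop.Value)" -like "*$n*") { "Run key: $k\$($prop.Name) = $($prop.Value)" }
        }
    }
}

# (b) Startup folders, all-users and current-user: resolve each shortcut's target
#     (the all-users folder is where the ReadyNAS Remote shortcut was found)
$shell = New-Object -ComObject WScript.Shell
$startupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem -Path $startupDirs -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    foreach ($n in $exeNames) {
        if ($target -like "*$n*") { "Startup shortcut: $($_.FullName) -> $target" }
    }
}

# (c) Scheduled tasks (schtasks.exe also exists on Windows 7; Get-ScheduledTask needs Windows 8+)
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    foreach ($n in $exeNames) {
        if ($t.'Task To Run' -like "*$n*") { "Scheduled task: $($t.TaskName) -> $($t.'Task To Run')" }
    }
}

# --- Step 6: driver state, as 'sc queryex npf' reports it ---
$sc = & sc.exe queryex npf
if ($sc -match 'FAILED 1060') {
    'npf: service does not exist (WinPcap driver not installed)'
} else {
    $state = ($sc | Where-Object { $_ -match '^\s*STATE' }) -replace '^\s*STATE\s*:\s*', ''
    "npf: $state"   # '4  RUNNING' when healthy; '3  STOP_PENDING' means something still holds it
}
```

Use a 64-bit PowerShell window: a 32-bit PowerShell cannot enumerate the modules of 64-bit processes, so a 64-bit loader of the stray DLLs would be missed. Anything the script reports under step 2 is the startup entry to disable (or the exe to rename) before rebooting and continuing with steps 3 to 5.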

The next blog post will deal with the situation where you did NOT find any other out-of-place instances of wpcap.dll and packet.dll.
