Npcap 0.9985: Driver goes to DEMAND_START after Windows 10 feature update, won't start at pcap_findalldevs() #1911
Description
Npcap 0.9985 was installed on a Windows 10 Enterprise version 1803 with the default start service start mode for npcap.sys (npcap-0.9985-oem.exe /loopback_support=no /admin_only=yes /dot11_support=no /winpcap_mode=no /S). It worked as expected until Windows received a feature update to version 1909. The driver start type has changed to DEMAND_START and no longer starts on OS boot:
>sc qc npcap [SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npcap
TYPE : 1 KERNEL_DRIVER
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\npcap.sys
LOAD_ORDER_GROUP : NDIS
TAG : 17
DISPLAY_NAME : Npcap Packet Driver (NPCAP)
DEPENDENCIES :
SERVICE_START_NAME :
I think this behavior of Windows updates has been discussed before and it was concluded that nothing can be done about it.
However, the problem is that Npcap versions prior to 0.998x (or at least 0.99-r7) used to start the driver themselves when the library was opened and pcap_findalldevs() executed. But this no longer happens with 0.9985; the driver remains stopped and only the loopback interface is returned. If the driver is manually started, it works as expected.
Furthermore, the workaround we had in place to detect and remediate such condition (check if pcap_findalldevs() returns no adapters, execute NPFInstall.exe -r -n and manually restart the driver) is no longer effective, because at least since 0.998x a loopback adapter is always returned regardless of the state of the driver (though we can adjust the work-around on our end).
I believe the original behavior (i.e. to start the npcap service if stopped) was correct.