Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to install - Failed to create the npcap service: 0xe0000247 #233

Closed
davepalmeruk opened this issue Sep 8, 2020 · 25 comments
Closed

Unable to install - Failed to create the npcap service: 0xe0000247 #233

davepalmeruk opened this issue Sep 8, 2020 · 25 comments

Comments

@davepalmeruk
Copy link

@davepalmeruk davepalmeruk commented Sep 8, 2020

Hi there.

As part of OEM usage our contact is attempting to silent install 0.9983 which fails (this way allows npcap to show as installed in Apps/Features, yet the setipapi.dev log still shows a cert install failure). As part of troubleshooting we've moved to the latest version 0.9997 via the GUI installer to attempt forward fixing and troubleshooting. As a baseline install of 0.9997 via installer .exe was also attempted on a new, previously not installed host.

The installation fails on existing or new servers and provides exception error and continued events in setupapi.dev. log. The client is running on Win Server 2012 R2 with admin rights.

npcap - failed to create service
setupapi.dev.txt

@dmiller-nmap
Copy link
Contributor

@dmiller-nmap dmiller-nmap commented Sep 9, 2020

Thanks for this report. This error indicates a signature validation problem. Can you run the following PowerShell commands on the affected system? The files will be present while the error message box is shown, but they will be deleted after you click "OK," so the commands must be run while the error message box is still present.

Get-AuthenticodeSignature "C:\Program Files\Npcap\npcap.cat" | select *
Get-AuthenticodeSignature "C:\Program Files\Npcap\npcap.sys" | select *

@davepalmeruk
Copy link
Author

@davepalmeruk davepalmeruk commented Sep 11, 2020

I have requested this be ran in Powershell whilst the error is present - will return the info as soon as I'm provided the outputs.

@davepalmeruk
Copy link
Author

@davepalmeruk davepalmeruk commented Sep 15, 2020

OUTPUT OF “Get-AuthenticodeSignature "C:\Program Files\Npcap\npcap.cat" | select *”
PS C:\Users\xxxxxx> Get-AuthenticodeSignature "C:\Program Files\Npcap\npcap.cat" | select *

SignerCertificate : [Subject]
CN=Insecure.Com LLC, O=Insecure.Com LLC, L=Seattle, S=Washington, C=US,
SERIALNUMBER=200010310013, OID.2.5.4.15=Private Organization,
OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US

                     [Issuer]
                       CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

                     [Serial Number]
                       0EA33B42058F115CF22CAD9A60251ED4

                     [Not Before]
                       01/05/2020 01:00:00

                     [Not After]
                       07/05/2021 13:00:00

                     [Thumbprint]
                       29BACAE898852AAB0BB9162881053B703B9D1005

TimeStamperCertificate : [Subject]
CN=DigiCert Timestamp Responder, O=DigiCert, C=US

                     [Issuer]
                       CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

                     [Serial Number]
                       03019A023AFF58B16BD6D5EAE617F066

                     [Not Before]
                       22/10/2014 01:00:00

                     [Not After]
                       22/10/2024 01:00:00

                     [Thumbprint]
                       614D271D9102E30169822487FDE5DE00A352B01D

Status : UnknownError
StatusMessage : A certificate chain could not be built to a trusted root authority
Path : C:\Program Files\Npcap\npcap.cat
SignatureType : Authenticode
IsOSBinary : False

OUTPUT OF “Get-AuthenticodeSignature "C:\Program Files\Npcap\npcap.sys" | select *”
PS C:\Users\xxxxx> Get-AuthenticodeSignature "C:\Program Files\Npcap\npcap.sys" | select *

SignerCertificate : [Subject]
CN=Insecure.Com LLC, O=Insecure.Com LLC, L=Seattle, S=Washington, C=US,
SERIALNUMBER=200010310013, OID.2.5.4.15=Private Organization,
OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US

                     [Issuer]
                       CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

                     [Serial Number]
                       09256314069E7E6A88CB823075C0D9C9

                     [Not Before]
                       01/05/2020 01:00:00

                     [Not After]
                       07/05/2021 13:00:00

                     [Thumbprint]
                       4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9

TimeStamperCertificate : [Subject]
CN=TIMESTAMP-SHA256-2019-10-15, O="DigiCert, Inc.", C=US

                     [Issuer]
                       CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US

                     [Serial Number]
                       04CD3F8568AE76C61BB0FE7160CCA76D

                     [Not Before]
                       01/10/2019 01:00:00

                     [Not After]
                       17/10/2030 01:00:00

                     [Thumbprint]
                       0325BD505EDA96302DC22F4FA01E4C28BE2834C5

Status : UnknownError
StatusMessage : A certificate chain could not be built to a trusted root authority
Path : C:\Program Files\Npcap\npcap.sys
SignatureType : Authenticode
IsOSBinary : False

@davepalmeruk
Copy link
Author

@davepalmeruk davepalmeruk commented Sep 15, 2020

In the meantime I have also asked the contact to provide the below to be attached for our internal support ticket. Happy to provide a copy of them here too.

  1. DiagReport - Run C:\Program Files\Npcap\DiagReport.bat. It will pop up a text report via Notepad (it's stored in: C:\Program Files\Npcap\DiagReport.txt)
  2. install.log - The file called install.log under C:\Program Files\Npcap

Additionally the setupapi.dev log includes the line:
!!! sig: Driver package catalog file certificate does not chain to a root, and Code Integrity is enforced.

So asked to check the event viewer results for any related Code Integrity logs which may also help us.
Application and Services logs > Microsoft > Windows > CodeIntegrity

@davepalmeruk
Copy link
Author

@davepalmeruk davepalmeruk commented Nov 16, 2020

Is there any update on this issue, or anything further we can provide to assist?
This issue has stopped the installation/use of the monitoring product which utilises NPCAP until resolved.

@dmiller-nmap
Copy link
Contributor

@dmiller-nmap dmiller-nmap commented Nov 18, 2020

@davepalmeruk We did make a change to driver signing in Npcap 1.00 which I neglected to put into the changelog: instead of dual-signing with SHA-1 and SHA-256 for all platforms, we now separately sign the driver for Windows 7 with SHA-1 only, and the drivers for all other platforms are signed with SHA-256. This eliminates a weird case of signature mismatch because the npcap.cat file only supports 1 signature at a time, so Npcap 0.9997 and earlier had to use SHA-1 regardless of whether SHA-256 is supported on the system (which it is for all Microsoft-supported Windows versions).

All that to say, please try Npcap 1.00 and see if that resolves the problem.

@ttimasdf
Copy link

@ttimasdf ttimasdf commented Jan 5, 2021

still having this problem. on Windows 10 Pro 2004. Tried both 1.1.0 and 0.9997 version without luck.

@davepalmeruk
Copy link
Author

@davepalmeruk davepalmeruk commented Jan 5, 2021

Same - Customer has tried to install v1.0 and still gets a failure message.
MicrosoftTeams-image

@davepalmeruk
Copy link
Author

@davepalmeruk davepalmeruk commented Jan 5, 2021

See the setup log from the failed attempt (15th Dec - v1.0)

[SetupCopyOEMInf - C:\Program Files\Npcap\NPCAP.inf]
Section start 2020/12/15 13:37:18.714
cmd: "C:\Program Files\Npcap\NPFInstall.exe" -n -i
sto: {Setup Import Driver Package: C:\Program Files\Npcap\NPCAP.inf} 13:37:18.714
inf: Provider: Nmap Project
inf: Class GUID: {4D36E974-E325-11CE-BFC1-08002BE10318}
inf: Driver Version: 09/25/2020,10.35.51.668
inf: Catalog File: npcap.cat
sto: {Copy Driver Package: C:\Program Files\Npcap\NPCAP.inf} 13:37:18.714
sto: Driver Package = C:\Program Files\Npcap\NPCAP.inf
sto: Flags = 0x00000007
sto: Destination = C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}
sto: Copying driver package files to 'C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}'.
flq: Copying 'C:\Program Files\Npcap\npcap.cat' to 'C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}\npcap.cat'.
flq: Copying 'C:\Program Files\Npcap\NPCAP.inf' to 'C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}\NPCAP.inf'.
flq: Copying 'C:\Program Files\Npcap\npcap.sys' to 'C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}\npcap.sys'.
sto: {Copy Driver Package: exit(0x00000000)} 13:37:18.761
pol: {Driver package policy check} 13:37:18.870
pol: {Driver package policy check - exit(0x00000000)} 13:37:18.870
sto: {Stage Driver Package: C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}\NPCAP.inf} 13:37:18.870
inf: {Query Configurability: C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}\NPCAP.inf} 13:37:18.886
inf: Driver package 'NPCAP.inf' is configurable.
inf: {Query Configurability: exit(0x00000000)} 13:37:18.886
flq: Copying 'C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}\npcap.cat' to 'C:\Windows\System32\DriverStore\Temp{47ea7fc2-9140-554f-8652-0a3a0044907b}\npcap.cat'.
flq: Copying 'C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}\NPCAP.inf' to 'C:\Windows\System32\DriverStore\Temp{47ea7fc2-9140-554f-8652-0a3a0044907b}\NPCAP.inf'.
flq: Copying 'C:\Users<user-removed>\AppData\Local\Temp{7a7bbc3b-345f-1f47-bbaa-ef41b07cfe33}\npcap.sys' to 'C:\Windows\System32\DriverStore\Temp{47ea7fc2-9140-554f-8652-0a3a0044907b}\npcap.sys'.
sto: {DRIVERSTORE IMPORT VALIDATE} 13:37:18.902
sig: {_VERIFY_FILE_SIGNATURE} 13:37:18.917
sig: Key = NPCAP.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp{47ea7fc2-9140-554f-8652-0a3a0044907b}\NPCAP.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp{47ea7fc2-9140-554f-8652-0a3a0044907b}\npcap.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 13:37:18.949
sig: {_VERIFY_FILE_SIGNATURE} 13:37:18.949
sig: Key = NPCAP.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp{47ea7fc2-9140-554f-8652-0a3a0044907b}\NPCAP.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp{47ea7fc2-9140-554f-8652-0a3a0044907b}\npcap.cat
! sig: Verifying file against specific Authenticode(tm) catalog failed! (0x800b010a)
! sig: Error 0x800b010a: A certificate chain could not be built to a trusted root authority.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b010a)} 13:37:18.964
!!! sig: Driver package catalog file certificate does not chain to a root, and Code Integrity is enforced.
!!! sig: Driver package failed signature validation. Error = 0xE0000247
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000247)} 13:37:18.964
!!! sig: Driver package failed signature verification. Error = 0xE0000247
!!! sto: Failed to import driver package into Driver Store. Error = 0xE0000247
sto: {Stage Driver Package: exit(0xe0000247)} 13:37:18.964
sto: {Setup Import Driver Package - exit (0xe0000247)} 13:37:18.980
!!! inf: Failed to import driver package into driver store
!!! inf: Error 0xe0000247: A problem was encountered while attempting to add the driver to the store.
<<< Section end 2020/12/15 13:37:19.042
<<< [Exit status: FAILURE(0xe0000247)]

@davepalmeruk
Copy link
Author

@davepalmeruk davepalmeruk commented Feb 22, 2021

Is there any further change to this issue?
The end customer still cannot install NPCAP due to this error and trying the later versions didn't change the outcome.

@dmiller-nmap
Copy link
Contributor

@dmiller-nmap dmiller-nmap commented Mar 1, 2021

I checked the signature thumbprints and the INF DriverVersion in your logs against the files in the Npcap 1.00 installler and I found that it's trying to install the Windows 7-only build of the driver, which has been signed with our SHA-1 certificate only. The server is probably configured to not accept SHA-1 certificates, but a bigger problem is that Windows Server 2012 R2 ought to be installing the Win8/Win8.1 build of the driver, which is signed with our SHA-2 cert. Can you provide the install.log and NPFInstall.log files from the Npcap installation directory? These will show me what the installer thought it was doing when it chose those builds to install.

@dmiller-nmap
Copy link
Contributor

@dmiller-nmap dmiller-nmap commented Mar 4, 2021

@davepalmeruk as a Npcap OEM licensee, you may contact us via email for technical support. We'd like to get this resolved for you.

@davepalmeruk
Copy link
Author

@davepalmeruk davepalmeruk commented Mar 16, 2021

NPFInstall.log
install.log

@dmiller-nmap, thanks. Please see the logs requested.

@electricretina
Copy link

@electricretina electricretina commented Mar 22, 2021

I have the same issue. Was a solution found?

@robertdsteele
Copy link

@robertdsteele robertdsteele commented Mar 22, 2021

Same issue here with Win8.1

@brentil
Copy link

@brentil brentil commented Mar 29, 2021

We're experiencing the same issue with Npcap 1.10 and Npcap 1.20 on Windows 2012 R2 (Win8.1).

install.log
NPFInstall.log

@fumannychu
Copy link

@fumannychu fumannychu commented May 3, 2021

Some of you have the following text in your output: StatusMessage : A certificate chain could not be built to a trusted root authority

The fix for me was to manually install the trust chains required by npcap.cat and npcap.sys. Those were the following:

  1. Microsoft Root Certificate Authority 2010
  2. Microsoft Windows Third Party Component CA 2014
  3. Microsoft Windows Hardware Compatibility Publisher
  4. Microsoft Time-Stamp PCA 2010
  5. Microsoft Time-Stamp Service
  6. Microsoft Code Verification Root
  7. DigiCert High Assurance EV Root CA
  8. DigiCert EV Code Signing CA (SHA2)

Once all those are imported in the local certificate store, the application installed for me. I'm in an offline environment, so some of the certs may already exist if you're Internet connected.

@shaheenahmed
Copy link

@shaheenahmed shaheenahmed commented May 18, 2021

Did anyone get the issue resolved?
Does it have something to do with gpedit.msc in Windows?

@fyodor
Copy link
Member

@fyodor fyodor commented Jun 3, 2021

Thanks everyone! We are planning to add the extra certs for the next upcoming Npcap release, which should improve compatibility for systems which are missing any of them for one reason or another.

@dpward
Copy link

@dpward dpward commented Jun 8, 2021

@fyodor One of the certificates mentioned above is actually expired now. (Re-pasting part of that comment here to fix the formatting; the dates are shown as DD/MM/YYYY in UTC+1.)

This was used to sign npcap 1.31 which was released 2 weeks before the certificate expired. I'm not familiar with how validation works in this context — is it enough for the signature to have been created during the certificate's validity period?

Either way, I assume a new signing certificate needs to be obtained if it has not been already.

SignerCertificate      : [Subject]
                           CN=Insecure.Com LLC, O=Insecure.Com LLC, L=Seattle, S=Washington, C=US,
                         SERIALNUMBER=200010310013, OID.2.5.4.15=Private Organization,
                         OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US

                         [Issuer]
                           CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

                         [Serial Number]
                           09256314069E7E6A88CB823075C0D9C9

                         [Not Before]
                           01/05/2020 01:00:00

                         [Not After]
                           07/05/2021 13:00:00

                         [Thumbprint]
                           4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9

@dmiller-nmap
Copy link
Contributor

@dmiller-nmap dmiller-nmap commented Jun 8, 2021

@dpward We renewed our certificates which will be used for the next release. All signed files are countersigned by a trusted timestamping authority which proves the certificate was valid at the time of signature.

@fyodor
Copy link
Member

@fyodor fyodor commented Jun 24, 2021

OK we made these changes in the new Npcap 1.50 release so please let us know if it resolves the problem or if anyone is still having signature validation problems like this. Cheers!

@tjsqrd
Copy link

@tjsqrd tjsqrd commented Jul 6, 2021

I had the same issue with 1.50. Solution was to export the two root certificates from the trusted publisher store and import them into the trusted root store. Once this was done install completed successfully.

@dmiller-nmap
Copy link
Contributor

@dmiller-nmap dmiller-nmap commented Jul 7, 2021

@tjsqrd Thanks for the update. We can make this change to the next release of our installer.

@genniferchill
Copy link

@genniferchill genniferchill commented Jul 15, 2021

We run Server 2012 R2 in a very closed environment. We are trying to install Npcap 1.50 and the installation fails with "Failed to create the npcap service 0x0000247. Please try installing Npcap again or use the latest official Npcap installer from https://hmap.ort/npcap/. I did download my installer from the official site. The failure event in the install.log file is: 2097152,"Failed to create the npcap service: 0xe0000247. Please try installing Npcap again, or use the latest official Npcap installer from https://nmap.org/npcap/"

I need this installation to work correctly in order to get Tenable Nessus Manager to install. Any assistance would be greatly appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet