npcap 0.9985 can't install

[MrPepka]

I can't update the npcap driver. When trying to install, error e0000247 is displayed (associated with the certificate if I'm not mistaken). How to fix it? What files should I send for a more accurate error diagnosis?

[dmiller-nmap]

Thanks for reporting this. What version of Windows are you running? Error 0x247 appears to be related to Unicode processing. What locale (language or localization) are you using in Windows? Please include the NPFInstall.log and install.log from \Program Files\Npcap\.

[MrPepka]

NPFInstall.log
install.log
I have Windows in English and the language is set to Polish. Earlier versions of npcap were installed without any problem, only this new version has a problem. The system is Windows 8.1

[luisdallos]

Related issue: nmap/nmap#875

The installed security catalog file C:\Program Files\Npcap\npcap.cat (file size: 2716 bytes) is signed with a self-signed certificate:

SignTool.exe verify /a /v /kp "C:\Program Files\Npcap\npcap.cat"

Verifying: C:\Program Files\Npcap\npcap.cat
Unable to verify this file using a catalog.
Hash of file (sha1): EA750CDC691DE33A0B1A9224C1BCF2BAF077BC37

Signing Certificate Chain:
    Issued to: WDKTestCert nmap,131259686273466591
    Issued by: WDKTestCert nmap,131259686273466591
    Expires:   Thu Dec 10 20:00:00 2026
    SHA1 hash: F587B3379B4385078E0F53EDAE66938ACABDD7A1

File is not timestamped.

SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

Which causes signature verification failure of the driver package, as shown in C:\Windows\Inf\setupapi.dev.log (OS is Windows 8.1 Pro x64, with all updates installed)

>>>  [SetupCopyOEMInf - C:\Program Files\Npcap\NPCAP.inf]
>>>  Section start 2019/12/15 22:19:12.302
      cmd: "C:\Program Files\Npcap\NPFInstall.exe" -n -i2
     sto: {Setup Import Driver Package: C:\Program Files\Npcap\NPCAP.inf} 22:19:12.317
     inf:      Provider: Nmap Project
     inf:      Class GUID: {4D36E974-E325-11CE-BFC1-08002BE10318}
     inf:      Driver Version: 12/08/2019,17.45.53.294
     inf:      Catalog File: npcap.cat
     sto:      {Copy Driver Package: C:\Program Files\Npcap\NPCAP.inf} 22:19:12.329
     sto:           Driver Package = C:\Program Files\Npcap\NPCAP.inf
     sto:           Flags          = 0x00000007
     sto:           Destination    = C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}
     sto:           Copying driver package files to 'C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}'.
     flq:           Copying 'C:\Program Files\Npcap\npcap.cat' to 'C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}\npcap.cat'.
     flq:           Copying 'C:\Program Files\Npcap\NPCAP.inf' to 'C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}\NPCAP.inf'.
     flq:           Copying 'C:\Program Files\Npcap\npcap.sys' to 'C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}\npcap.sys'.
     sto:      {Copy Driver Package: exit(0x00000000)} 22:19:12.392
     pol:      {Driver package policy check} 22:19:12.944
     pol:      {Driver package policy check - exit(0x00000000)} 22:19:12.946
     sto:      {Stage Driver Package: C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}\NPCAP.inf} 22:19:12.948
     inf:           {Query Configurability: C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}\NPCAP.inf} 22:19:12.970
     inf:                Driver package 'NPCAP.inf' is configurable.
     inf:           {Query Configurability: exit(0x00000000)} 22:19:12.978
     flq:           Copying 'C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}\npcap.cat' to 'C:\Windows\System32\DriverStore\Temp\{2a8dd362-5bb9-1641-9c90-37042e20a910}\npcap.cat'.
     flq:           Copying 'C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}\NPCAP.inf' to 'C:\Windows\System32\DriverStore\Temp\{2a8dd362-5bb9-1641-9c90-37042e20a910}\NPCAP.inf'.
     flq:           Copying 'C:\Users\Admin\AppData\Local\Temp\{60d854b7-be25-7544-a2ba-cc4c4bc67f0f}\npcap.sys' to 'C:\Windows\System32\DriverStore\Temp\{2a8dd362-5bb9-1641-9c90-37042e20a910}\npcap.sys'.
     sto:           {DRIVERSTORE IMPORT VALIDATE} 22:19:13.035
     sig:                {_VERIFY_FILE_SIGNATURE} 22:19:13.140
     sig:                     Key      = NPCAP.inf
     sig:                     FilePath = C:\Windows\System32\DriverStore\Temp\{2a8dd362-5bb9-1641-9c90-37042e20a910}\NPCAP.inf
     sig:                     Catalog  = C:\Windows\System32\DriverStore\Temp\{2a8dd362-5bb9-1641-9c90-37042e20a910}\npcap.cat
!    sig:                     Verifying file against specific (valid) catalog failed! (0x800b0109)
     sig:                {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 22:19:13.201
     sig:                {_VERIFY_FILE_SIGNATURE} 22:19:13.203
     sig:                     Key      = NPCAP.inf
     sig:                     FilePath = C:\Windows\System32\DriverStore\Temp\{2a8dd362-5bb9-1641-9c90-37042e20a910}\NPCAP.inf
     sig:                     Catalog  = C:\Windows\System32\DriverStore\Temp\{2a8dd362-5bb9-1641-9c90-37042e20a910}\npcap.cat
!    sig:                     Verifying file against specific Authenticode(tm) catalog failed! (0x800b0109)
     sig:                {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 22:19:13.223
!!!  sig:                Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.
!!!  sig:                Driver package failed signature validation. Error = 0xE0000247
     sto:           {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000247)} 22:19:13.240
!!!  sig:           Driver package failed signature verification. Error = 0xE0000247
!!!  sto:           Failed to import driver package into Driver Store. Error = 0xE0000247
     sto:      {Stage Driver Package: exit(0xe0000247)} 22:19:13.247
     sto: {Setup Import Driver Package - exit (0xe0000247)} 22:19:13.256
!!!  inf: Failed to import driver package into driver store
<<<  Section end 2019/12/15 22:19:14.160
<<<  [Exit status: FAILURE(0xe0000247)]

[dmiller-nmap]

@luisdallos Thanks for analyzing this. I will investigate what could have gone wrong on our build system to cause this file to not be signed with our EV code-signing cert.

[dmiller-nmap]

Ok, here's the problem: we used to dual-sign the Npcap driver with a SHA-1 cert and a SHA-256 cert, because Windows Vista didn't understand SHA-256. When we renewed our certificate, we did not get the SHA-1 cert renewed, and we changed our build system to only sign with the SHA-256 cert by removing the functions that sign with SHA-1. However, the CAT file was only ever signed with SHA-1 because that file format does not support multiple signatures. So the published CAT file used for systems other than Windows 10 was never re-signed when building the installer, and instead has the "test" signature added by Visual Studio. I would have expected Microsoft to flag this as a problem when they provided their Attestation Signature for Windows 10, but they just overwrote it with their own signature there.

We will release a new installer to address this issue. I am not sure yet whether we will increase the version number for this or not.

[dmiller-nmap]

Npcap 0.9986 should solve this issue. Please let us know if you have any further problems.

[MrPepka]

Yes, i'm comform. Driver install with success
Thx for help

[muse117]

Npcap 0.9986 should solve this issue. Please let us know if you have any further problems.

@dmiller-nmap I installed npap in win2008R2 and found such an error "The publisher of this driver software could not be verified". I installed kb4474419(support for sha-2 sign) patch can be used normally. I would like to know that it must be installed this patch?