Npcap 1.60 Causes BSOD in Win 11, 1.55 OK #601

Closed
GlennInTN opened this issue May 23, 2022 · 12 comments

@GlennInTN

While installing Wireshark (win64-3.6.5) on a new Win 11 laptop, I was given the option of keeping npcap OEM or installing npcap 1.55. Being adventuresome (or an idiot) and wanting the latest and greatest, I downloaded and installed npcap 1.60 instead. Within a few minutes the system BSOD'd, referencing some problem in ndis.sys. After reboot it BSOD'd again, never seeming to last more than 10 or 15 minutes, without ever running Wireshark.

Steps taken:
Step 1: Uninstalled Wireshark & npcap. Noticed that npcap was locked by Fing Agent and would not uninstall without killing Fing Agent. Set the Fing Agent service to Manual start instead of Automatic.
Observed: Booted at 12:08:26 and watched for BSOD while occasionally using the system with Fing Agent not running, and Wireshark & npcap not installed. Still waiting for BSOD... Ran fine overnight, no BSOD.

Step 2: Run Fing to check the status of Fing Agent & npcap

(Aside: Fing would not start; a "Fing Service not found" popup was followed by an auto download of Fing ver 2.10.0. Installed Fing ver 2.10.0 & re-ran, same result: "Fing Service not found". Tried to start Fing Agent via Computer Management; failed, error 1053. Uninstalled Fing ver 2.10.0, had to manually remove Fing Agent using (as admin) c:\>sc delete Fing.Agent - reboot - verified Fing & Fing Agent gone. Reinstalled Fing ver 2.10.0 - verified Fing.Agent running - verified Fing runs normally - leaves itself running in the background when stopped. Verified npcap OEM (ver 1.55) was installed by the Fing installation and running as a kernel_driver.)

Begin wait for BSOD 11:14

Step 3: 15:54 no BSOD - Reinstalled Wireshark, but used the option to keep the current version of npcap (OEM 1.55)
Verified Wireshark working on both Ethernet & WiFi, verified npcap & fing.agent both running, wait for BSOD 16:14
09:55 next day - no BSOD - Hypothesis: npcap 1.60 causes the problem.

Attached Systeminfo

systeminfo.txt

Further info available on request.

@dmiller-nmap
Contributor

Thanks for this report. Please try Npcap 1.70, as it has resolved a few issues and has added additional safeguards against instability like this. Additionally, if you can send a crash dump or minidump to dmiller@nmap.com, I can verify whether this is a new or previously-known issue.

Please let us know if Npcap 1.70 resolves the problem so we can close this issue.

@GlennInTN
Author

Thanks dmiller-nmap.
I have installed and tested with Npcap 1.70 and can report that I have News, and Bad News. (I did not specify Good News because I'm not convinced Npcap is doing anything like it did in version 1.55)

First the news: I uninstalled Npcap 1.55 and installed 1.70, then started FingAgent and Wireshark. It has been running for several hours now with no BSOD or other crashes. (I also retested 1.60 and it still fails with BSOD after about 45 or fewer minutes and I did get a memory.dmp file.)

Now the bad news: With Npcap 1.70 both Fing and Wireshark are broken! Fing tells me that I am not connected to my network when normal network operations say that I am. With Wireshark when I try to start a capture on my Ethernet interface, Wireshark tells me it cannot set the interface into Promiscuous mode and refuses to run a capture. When I run just fingagent (service) and then search for Npcap in Process Explorer - Find Handle or DLL, it finds nothing. With Npcap 1.55 the same Process Explorer find returns three instances of fingagent.exe using \Device\NPCAP... (see attached file). I have also attached a similar search with Wireshark and Npcap 1.55 (working) and 1.60 (saying not connected to network) for comparison.

Screenshot npcap155 wireshark active cap and fingagent
Screenshot npcap170 wireshark
Screenshot npcap155 fingagent

About 1.60, do you want a complete memory.dmp file (1.7GB) or do you want me to reinstall 1.60 and try for a smaller dump after BSOD? (choices are: Small memory dump 256 KB, Kernel memory dump, Complete memory dump, Active memory dump, or the 1.7GB file I already have.)
Running Fing 2.10.0 and Wireshark 3.6.5. I think there are newer versions, but I have held off upgrading in case you needed further clarification on the Npcap 1.60 problem.

Let me know what I can do to help.

@binarymaster

binarymaster commented Jul 4, 2022

Hello. It seems I'm affected by the very same problem. I have updated Wireshark yesterday, and it asked me to update Npcap to version 1.60, which I did.

Once I have installed it, everything went ok, but on the next day with a fresh boot up it started to BSOD. I also have identified that version 1.55 is not affected, and versions 1.60 and 1.70 are affected. Interestingly the BSOD happens right after 6 minutes of uptime, even if all network interfaces are disabled (except loopback, as you cannot simply disable it), and even if no user is logged in system.

My system specs:

  • Lenovo ThinkPad x240
  • Windows 8.1 Pro x64 (Version 6.3 build 9600)
  • Npcap was installed with these options: 802.11 raw packets enabled, WinPcap compatibility enabled

Crash minidump attached: minidump.zip

  • BugCheck code: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
  • Exception code: c0000005 (Access violation)
  • Faulting instruction: ndis!ndisCreateStringStreamEntry+2f

@fyodor
Member

fyodor commented Jul 4, 2022

Thanks for the report, @binarymaster, and I'm sorry to hear about the trouble. Are you able to test whether this happens with Npcap version 1.70 WITHOUT the raw wifi option enabled?

@binarymaster

@fyodor just checked, the crash seems to happen only when raw wifi option is enabled.

I have reinstalled 1.70 without this option and the crash didn't happen in the expected time period (waited around 10 mins), then reinstalled it with this option and rebooted - BSOD happened again right after 6 mins since boot-up.

@fyodor
Member

fyodor commented Jul 5, 2022

Thanks @binarymaster, that does help narrow this down.

@ntoskrnl11

binarymaster is running Windows 8.1, so his issue could be the same as #565.

@binarymaster

Indeed, that one looks more relevant to my case. I'll keep track of both issues, thanks!

@dmiller-nmap
Contributor

@GlennInTN The full memory dump would be invaluable to us! This crash in particular is impossible to diagnose from a minidump since there is no evidence of Npcap in the crashing stack. We have no idea what Npcap might be doing at the time of the crash without a full dump. You can try to compress it and send via email to dmiller@nmap.com. If it is still too large, contact me via that address and we will arrange a different transfer method. Thanks!

@dmiller-nmap
Contributor

@GlennInTN Thanks for sending those files. The crash does appear to be Npcap's fault, and I recognize it as the same crash that was previously reported by an Npcap OEM licensee and fixed in Npcap 1.70. We did not have a complete memory dump at that time, which is why we ended up refactoring a good chunk of driver code to ensure all the edge cases were covered. My analysis at that time was:

The basic problem is that a capture handle was being shut down at the same time that the adapter it was connected to was being detached from the NDIS stack. Incomplete locking and state management led to multiple threads trying to deallocate resources, and the capture handle's thread tried to obtain a lock that had already been destroyed by the network adapter's thread. The junk data at that location caused an address violation when the lock acquisition routine was run. The relevant change is 74cc937.

I will update the CHANGELOG to note this issue was addressed at the same time as #584.
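The ordering dmiller-nmap describes above (a capture handle closing while its adapter is being detached, and the handle's thread acquiring a lock the adapter's thread has already destroyed) modelled as a user-space C program. This is an added example, not Npcap's driver code and not the content of commit 74cc937; the struct names, the `magic` sentinel that stands in for freed memory, and the reference-count rule used in the "fixed" half are all assumptions made for illustration. The losing interleaving is serialized explicitly (detach runs to completion before close) because that is the order the dump showed; the point is that the fix is a lifetime rule, not a scheduling accident.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (added example, not Npcap driver code): a capture handle is
 * closed while the adapter it is bound to is detached from the NDIS stack. */

#define LOCK_LIVE 0x4C4F434Bu  /* "LOCK": object is valid (assumed sentinel) */
#define LOCK_JUNK 0xDEADBEEFu  /* stands in for whatever freed memory holds */

typedef struct { uint32_t magic; int held; } toy_lock_t;

typedef struct {
    toy_lock_t lock;      /* guards the adapter's list of capture handles */
    int refcount;         /* fixed version: one ref for NDIS, one per open handle */
    bool detaching;       /* fixed version: refuse new handles once set */
    bool lock_destroyed;  /* bookkeeping so callers can see what happened */
} adapter_t;

typedef struct { adapter_t *adapter; bool open; } capture_handle_t;

static void lock_init(toy_lock_t *l) { l->magic = LOCK_LIVE; l->held = 0; }
static void lock_destroy(toy_lock_t *l) { l->magic = LOCK_JUNK; }  /* "free" it */

/* In the kernel, acquiring a destroyed lock dereferences junk and bugchecks
 * (the c0000005 access violation in the dump). Here it just returns false. */
static bool lock_acquire(toy_lock_t *l) {
    if (l->magic != LOCK_LIVE) return false;
    l->held = 1;
    return true;
}
static void lock_release(toy_lock_t *l) { l->held = 0; }

static void adapter_init(adapter_t *a, int refs) {
    lock_init(&a->lock);
    a->refcount = refs; a->detaching = false; a->lock_destroyed = false;
}

/* ---- Buggy ordering: each thread frees what it owns, no shared lifetime ---- */

static void adapter_detach_buggy(adapter_t *a) {   /* adapter (NDIS) thread */
    lock_acquire(&a->lock);
    /* ... unlink handles from the adapter ... */
    lock_release(&a->lock);
    lock_destroy(&a->lock);      /* gone, but a handle still points at it */
    a->lock_destroyed = true;
}

static bool handle_close_buggy(capture_handle_t *h) { /* capture-handle thread */
    if (!lock_acquire(&h->adapter->lock)) return false;  /* BSOD in a real driver */
    h->open = false;
    lock_release(&h->adapter->lock);
    return true;
}

/* ---- Fixed ordering: the reference count decides who destroys the lock ---- */

static void adapter_put(adapter_t *a) {
    if (--a->refcount == 0) {    /* last user out destroys it exactly once */
        lock_destroy(&a->lock);
        a->lock_destroyed = true;
    }
}

static void adapter_detach_fixed(adapter_t *a) {
    lock_acquire(&a->lock);
    a->detaching = true;         /* no new handles may bind from now on */
    lock_release(&a->lock);
    adapter_put(a);              /* drop NDIS's ref; open handles keep the lock alive */
}

static bool handle_open_fixed(capture_handle_t *h, adapter_t *a) {
    if (!lock_acquire(&a->lock)) return false;
    bool ok = !a->detaching;     /* refuse to bind to a detaching adapter */
    if (ok) { a->refcount++; h->adapter = a; h->open = true; }
    lock_release(&a->lock);
    return ok;
}

static bool handle_close_fixed(capture_handle_t *h) {
    adapter_t *a = h->adapter;
    if (!lock_acquire(&a->lock)) return false;
    h->open = false;
    lock_release(&a->lock);
    adapter_put(a);              /* may be the call that finally destroys the lock */
    return true;
}

/* Interleaving from the issue: detach completes before the handle closes. */
static bool scenario_buggy(void) {
    adapter_t a; capture_handle_t h = { &a, true };
    adapter_init(&a, 0);
    adapter_detach_buggy(&a);
    return handle_close_buggy(&h);          /* false: closed on a destroyed lock */
}

static bool scenario_fixed(void) {
    adapter_t a; capture_handle_t h;
    adapter_init(&a, 1);                    /* NDIS's reference */
    if (!handle_open_fixed(&h, &a)) return false;
    adapter_detach_fixed(&a);               /* lock survives: refcount is still 1 */
    bool closed = handle_close_fixed(&h);
    return closed && a.lock_destroyed && a.refcount == 0;
}

/* A second handle arriving after detach began is refused, not left dangling. */
static bool scenario_late_open_refused(void) {
    adapter_t a; capture_handle_t h1, h2;
    adapter_init(&a, 1);
    if (!handle_open_fixed(&h1, &a)) return false;
    adapter_detach_fixed(&a);
    bool opened2 = handle_open_fixed(&h2, &a);
    bool closed1 = handle_close_fixed(&h1);
    return !opened2 && closed1 && a.refcount == 0;
}

int main(void) {
    printf("buggy ordering closes cleanly: %s\n", scenario_buggy() ? "yes" : "no (would bugcheck)");
    printf("fixed ordering closes cleanly: %s\n", scenario_fixed() ? "yes" : "no");
    printf("late open refused:             %s\n", scenario_late_open_refused() ? "yes" : "no");
    return 0;
}
```

The buggy half reproduces the symptom in the analysis: nothing in the close path is wrong on its own, the fault is that two owners each tear down what they think is theirs with no shared notion of lifetime. The fixed half gives the adapter one reference per user plus one for NDIS, so whichever side finishes last is the one that destroys the lock, and the `detaching` flag closes the window in which a new handle could bind after the adapter has started going away.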

@GlennInTN
Author

@dmiller-nmap I'm a little confused. Is the BSOD problem I saw in Npcap 1.60 fixed in 1.70 or do I need to wait for some future version?

What about @fyodor's problem with 1.70 and BSOD when the raw WiFi option is enabled? (I realize it's in Win 8.1, #584)

If fixed in 1.70, what about my issues with 1.70 described previously:

With Npcap 1.70 both Fing and Wireshark are broken! Fing tells me that I am not connected to my network when normal network operations say that I am. With Wireshark when I try to start a capture on my Ethernet interface, Wireshark tells me it cannot set the interface into Promiscuous mode and refuses to run a capture.

If there is a new version coming, I'll wait. If this issue (#601) is fixed in 1.70, I'll reinstall 1.70 and re-verify that I didn't just do something stupid, and open a new issue if necessary.

@dmiller-nmap
Contributor

The BSoD crash in this issue is the same as one that was privately reported (no issue number) and determined to be resolved by the same change that resolved #584. Therefore, this crash is resolved in Npcap 1.70.

I installed Fing 2.10.0 and Npcap 1.70 and did not experience the problems you described. If you continue to have these problems, please open a new issue with a separate description. You may mention this issue in the description.

dmiller-nmap pushed a commit that referenced this issue Jul 14, 2022