Where to find WinPcap in system control? (on Windows 8.1 Pro 64bit)

windows-8 winpcap

Where can I find WinPcap in system control, I assumed it is running as a service but it seems I am mistaken.

I started WinPcap via command line (source):

runas /u:administrator "net start npf"

Before starting WinPcap Wireshark didn't show any capture interfaces and afterwards it does. So I assume it is running. But I can't find it in the services list of the task manager.

To narrow down the candidates I compared running services after starting and stopping WinCap but there is no difference.

How can I directly confirm that this "service" is running on Windows 8?

C:\WINDOWS\system32>sc query "npf"

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

MYSTERIOUS:

sc query lists 85 services - none of which is "npf" - but sc query npf will find it.


Solution 1:

Yes, you are right, WinPcap is a service (but mainly a driver), named NetGroup Packet Filter Driver. The fact is that it cannot be seen in the Windows Services Manager.

You can find it in the registry at :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF

Not tested, but it seems that you can change the way the service starts. Navigate to the registry key above. Then you will find a REG DWORD value named Start. Values are :

  • Value 0x3 : SERVICE_DEMAND_START
  • Value 0x2 : SERVICE_AUTO_START
  • Value 0x1 : SERVICE_SYSTEM_START

In the doc they say that it's work only on Windows NTx, but give it a try ! On my system it is set to 0x2.

To view it in a GUI, goto (i am talking about Windows7, hope it will work on Windows8) :

  1. Run msinfo32.exe
  2. Then expand Software environment
  3. Then choose System Drivers

Here you can get the status for npf service (but cannot interact with it)

Edit :

How can I directly confirm that this "service" is running on Windows 8?

You can use this from the command prompt to check the service state :

sc query "npf"

or this, to check specificaly if it is running :

sc query "npf" | findstr RUNNING
or 
sc query "npf" | find "RUNNING"

Edit 2 :

Mysterious : sc query lists 85 services - none of which is "npf" - but sc query npf will find it.

Seems normal. Regarding the doc this is the way sc works.

By default, SC lists only services, not drivers. NPF is more a driver.

  • To get all drivers : sc query type= driver (NPF will appears)

  • To get all (Services + Drivers) : sc query type= all (NPF will appears also)

Related

Change default mouse cursor on OSX Mavericks
Upgraded to Windows 10, can't find hyper-v management tools
What H.264/H.265 video compression parameters provide DVD-equivalent quality with better compression?
Why is the "Task category" drop down to filter a Windows event log disabled?
What ZIP compression method do common OS's natively support?
Upgrade Python from 2.6 to 2.7 on Centos 6.5
Results view does not change with zoom feature in SQL Server Management Studio
Delete files with wildcard in subfolder
Bash on Ubuntu on Windows - could not resolve host using VPN
How to open a page in incognito mode from HTML?
Which compression method to use in PHP?
How can I append text to /etc/apt/sources.list from the command line?