Where can I find WinPcap in system control? I assumed it is running as a service, but it seems I am mistaken.
I started WinPcap via command line (source):
runas /u:administrator "net start npf"
Before starting WinPcap, Wireshark didn't show any capture interfaces and afterwards it does. So I assume it is running. But I can't find it in the services list of the task manager.
To narrow down the candidates I compared running services after starting and stopping WinPcap, but there is no difference.
How can I directly confirm that this "service" is running on Windows 8?
C:\WINDOWS\system32>sc query "npf"
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
MYSTERIOUS: sc query lists 85 services – none of which is "npf" – but sc query npf will find it.
Best Answer
Yes, you are right, WinPcap is a service (but mainly a driver), named NetGroup Packet Filter Driver. The fact is that it cannot be seen in the Windows Services Manager.
You can find it in the registry at:
Not tested, but it seems that you can change the way the service starts. Navigate to the registry key above. Then you will find a REG_DWORD value named Start. Values are:
0x3: SERVICE_DEMAND_START
0x2: SERVICE_AUTO_START
0x1: SERVICE_SYSTEM_START
In the doc they say that it works only on Windows NTx, but give it a try! On my system it is set to 0x2.
To view it in a GUI, go to (I am talking about Windows 7, hope it will work on Windows 8):
msinfo32.exe
Software environment
System Drivers
Here you can get the status for npf service (but cannot interact with it).
Edit:
You can use this from the command prompt to check the service state:
or this, to check specifically if it is running:
Edit 2:
Seems normal. Regarding the doc this is the way sc works. By default, SC lists only services, not drivers. NPF is more a driver.
To get all drivers:
sc query type= driver
(NPF will appear)
To get all (Services + Drivers):
sc query type= all
(NPF will also appear)
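
An added example, not part of the original answer: a small Python parser for the sc query output format quoted above, showing why npf is missing from the default listing yet reported as a running kernel driver. The SAMPLE text is constructed (the npf record mirrors the question's output; ExampleSvc is a made-up service for contrast).

```python
import re

# Constructed sample in the layout `sc query type= all` prints.
SAMPLE = """\
SERVICE_NAME: ExampleSvc
DISPLAY_NAME: Example Service (hypothetical)
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

FIELD = re.compile(r"^\s*(SERVICE_NAME|TYPE|STATE)\s*:\s*(.+?)\s*$")

def parse_sc_query(text):
    """Return {name: {"type": ..., "state": ...}} from sc query output."""
    records, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # DISPLAY_NAME, exit codes, flag lines, blanks
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = records.setdefault(value.lower(), {})
        elif current is not None:
            # Value looks like "1  KERNEL_DRIVER"; keep the symbolic name.
            current[key.lower()] = value.split(None, 1)[-1]
    return records

def is_driver(record):
    # Matches KERNEL_DRIVER and FILE_SYSTEM_DRIVER.
    return record.get("type", "").endswith("_DRIVER")

def default_listing(records):
    """Names a plain `sc query` shows: active entries that are not drivers."""
    return sorted(n for n, r in records.items()
                  if not is_driver(r) and r.get("state") != "STOPPED")

def driver_running(records, name):
    r = records.get(name.lower())
    return bool(r) and is_driver(r) and r.get("state") == "RUNNING"
```

On a real host, feed parse_sc_query the captured text of sc query type= all state= all instead of SAMPLE.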