Avast is preventing me from running the packet capture service that is needed for Wireshark on Windows 10. Checked behavior on 2 different PCs - Lenovo X1 / Win 10 Pro 1809 / Avast Premium Security build 19.8.4793.535; Lenovo X61 / Win 10 Pro 1903 / Avast Internet Security 19.8.2393. Also found references to the issue elsewhere, as yet unresolved (other than “remove Avast”) - https://github.com/nmap/nmap/issues/1562 and https://forum.avast.com/?topic=226927.0 (German)
To reproduce behaviour:
On a machine without Avast installed, install npcap from https://nmap.org/npcap/ - I have been using current version v0.993
After install completes, npcap service is running - can confirm via powershell get-service. Service can be successfully stopped and restarted via net stop / net start commands. Wireshark is able to capture packets via the service. Situation persists across reboots.
Install Avast Internet Security 19.8.2393. Npcap continues to function correctly as before.
Reboot computer. Event log captures error event 7000 “The Npcap Packet Driver (NPCAP) service failed to start due to the following error: The system cannot find the file specified.” This error is reported with each attempt to start service via net start. No interfaces are available in Wireshark as the packet capture service is not running.
De-install Avast, reboot computer, npcap now functions again.
Disabling all shields while Avast is installed does not have any impact on the problem.
I’m guessing Avast is denying npcap access to a network resource it requires, and that this is being reported as a generic file access error by the service manager. Happy to help with further diagnostics / tests.
Mike
Firewall is set to private for the active network connection. Issue is also present when there is no active network connection, and also when firewall shield is disabled.
Hi,
This problem is caused by a very mysterious conflict between our firewall driver and NPCAP. This is pretty weird because our driver is not loaded at the time when NPCAP initialization (DriverEntry) is failing in the function WSKBind (STATUS_ACCESS_DENIED) and, in addition, the Bind function is not filtered by our firewall.
There is only one possible cause of this problem - our firewall is using so-called boot-time WFP rules, but all of them are set as pass-thru if our driver is not running.
The good news is that a workaround exists. Please rename the attached file to npcap.reg and import it into the Registry by double-clicking it. After reboot, loading of the NPCAP driver will be postponed to the time when our firewall is running and boot-time WFP rules are out of the game.
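Added example, not part of the thread or of either vendor's tooling: a PowerShell diagnostic for the symptom reported above. It assumes the driver service is registered under the short name NPCAP shown in the event text and that it is run from an elevated prompt. It checks whether the driver file is really absent when event 7000 says "cannot find the file specified".

```powershell
# Added diagnostic sketch (not from the thread). Run elevated.
$name = 'npcap'   # service short name as shown in the event text: "(NPCAP)"

# 1. Driver service registration, current state and configured start mode.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
if (-not $drv) {
    Write-Warning "No driver service named '$name' is registered."
    return
}
$drv | Format-List Name, State, StartMode, PathName

# 2. Is the driver binary actually missing? Normalise NT-style prefixes first.
$path = $drv.PathName
if ($path) {
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path   # e.g. "system32\drivers\..."
    }
}
$present = [bool]($path -and (Test-Path -LiteralPath $path))
"Driver file present: $present ($path)"

# 3. Service Control Manager event 7000 records that mention the driver.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $name })
"Event 7000 records mentioning ${name}: $($events.Count)"
$events | Select-Object -First 5 TimeCreated, Message | Format-List

# 4. Interpretation: a present file plus event 7000 means the "file not found"
#    text is not about a missing driver binary, so the failure lies in the
#    driver's own start-up rather than in the installation.
if ($present -and $events.Count -gt 0) {
    "File exists but the service failed to start: look at driver initialization, not the install."
} elseif (-not $present) {
    "Driver file is missing: reinstall Npcap before investigating further."
} else {
    "No event 7000 for $name in the System log; current state: $($drv.State)."
}
```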
I suggest that you start a new topic and describe your exact problem.
This reg. fix was designed for a particular problem, not a similar problem. It therefore may work but may not, and the registry isn’t something to mess with.
The file is in the post as an attachment, you just need to be logged in to see it. As this is your first message I guess you probably searched and saw the post without the file, decided to register and log in to ask your question without realizing that you could see it by then.