From 478d3272763d21529079f35bc022cfa3cc91dfc3 Mon Sep 17 00:00:00 2001 From: Daniel Miller Date: Wed, 26 Jul 2017 23:45:58 -0500 Subject: [PATCH] Switch service registry options to Parameters subkey Nonstandard registry values in the service's registry key get wiped out by Windows updates like the Creators Update. They should be kept in the Parameters subkey instead; and now they are. See nmap/nmap#906 --- docs/npcap-guide.xml | 4 +- installer/DiagReport.ps1 | 35 +++++----- .../NPFInstall/NPFInstall/LoopbackRecord.cpp | 2 +- .../NPFInstall/NPFInstall/WlanRecord.cpp | 2 +- packetWin7/npf/npf/Packet.c | 70 ++++++++++++------- version.h | 6 +- 6 files changed, 66 insertions(+), 53 deletions(-) diff --git a/docs/npcap-guide.xml b/docs/npcap-guide.xml index e068ba4f..463b617c 100644 --- a/docs/npcap-guide.xml +++ b/docs/npcap-guide.xml @@ -195,7 +195,7 @@ StrCpy $inst_ver "$R2.$R3.$R4.$R5" You can check the installation options of an already installed Npcap by reading the registry - key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap. + key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters. The entries like AdminOnly, Loopback, DltNull,Dot11Support, VlanSupport, WinPcapCompatible, etc. show the installation options. @@ -375,7 +375,7 @@ printf("%s", pcap_version); Detect Npcap Loopback Adapter's presence, by reading registry value Loopback - at key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap. + at key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters. If LoopbackSupport is 0x00000001, then the adapter's device name is in the LoopbackAdapter REG_SZ value. Then perform the following steps. diff --git a/installer/DiagReport.ps1 b/installer/DiagReport.ps1 index 04d2c0b0..78d0d750 100644 --- a/installer/DiagReport.ps1 +++ b/installer/DiagReport.ps1 
@@ -46,11 +46,6 @@ function get_os_bit() return (Get-WmiObject Win32_OperatingSystem).OSArchitecture } -function get_winpcap_mode() -{ - return (Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\npcap).GetValue("WinPcapCompatible") -} - function get_install_path() { if ($os_bit -eq "32-bit") @@ -64,7 +59,6 @@ function get_install_path() } $os_bit = get_os_bit -$winpcap_mode = get_winpcap_mode $install_path = get_install_path 
@@ -195,16 +189,22 @@ else write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npcap:") (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npcap | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) +write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters:") +(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npcap_wifi:") (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npcap_wifi | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) - -if ($winpcap_mode -eq 1) -{ - write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npf:") - (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npf | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) - write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npf_wifi:") - (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npf_wifi | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) -} +write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npcap_wifi\Parameters:") +(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npcap_wifi\Parameters | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) + +# WinPcap registry items +write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npf:") +(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npf | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) +write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npf\Parameters:") +(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npf\Parameters | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) +write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npf_wifi:") +(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npf_wifi | out-string -stream | ? { $_ -NOTMATCH '^ps.+' }) +write_report ("HKLM:\SYSTEM\CurrentControlSet\Services\npf_wifi\Parameters:") +(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\npf_wifi\Parameters | out-string -stream | ? 
{ $_ -NOTMATCH '^ps.+' }) ######################################################### write_report ("`n") @@ -214,10 +214,7 @@ write_report ("*************************************************") Get-Service npcap -if ($winpcap_mode) -{ - Get-Service npf -} +Get-Service npf ######################################################### write_report ("`n") @@ -232,4 +229,4 @@ write_report ("Please refer to: $install_path\install.log") # ) >> $report_file_name ) 2>&1 >> $report_file_name -notepad $report_file_name \ No newline at end of file +notepad $report_file_name diff --git a/packetWin7/NPFInstall/NPFInstall/LoopbackRecord.cpp b/packetWin7/NPFInstall/NPFInstall/LoopbackRecord.cpp index b3b10366..84f8a883 100644 --- a/packetWin7/NPFInstall/NPFInstall/LoopbackRecord.cpp +++ b/packetWin7/NPFInstall/NPFInstall/LoopbackRecord.cpp @@ -344,7 +344,7 @@ BOOL AddFlagToRegistry_Service(tstring strDeviceName) { TRACE_ENTER(); TRACE_EXIT(); - return WriteStrToRegistry(NPCAP_SERVICE_REG_KEY_NAME, NPCAP_REG_LOOPBACK_VALUE_NAME, tstring(_T("\\Device\\") + strDeviceName).c_str(), KEY_WRITE); + return WriteStrToRegistry(NPCAP_SERVICE_REG_KEY_NAME _T("\\Parameters"), NPCAP_REG_LOOPBACK_VALUE_NAME, tstring(_T("\\Device\\") + strDeviceName).c_str(), KEY_WRITE); } BOOL RecordLoopbackDevice(int iNpcapAdapterID) diff --git a/packetWin7/NPFInstall/NPFInstall/WlanRecord.cpp b/packetWin7/NPFInstall/NPFInstall/WlanRecord.cpp index ad54742b..fbec840d 100644 --- a/packetWin7/NPFInstall/NPFInstall/WlanRecord.cpp +++ b/packetWin7/NPFInstall/NPFInstall/WlanRecord.cpp @@ -293,7 +293,7 @@ BOOL AddFlagToRegistry_Dot11Adapters(LPCTSTR strDeviceName) { TRACE_ENTER(); TRACE_EXIT(); - return WriteStrToRegistry(NPCAP_SERVICE_REG_KEY_NAME, NPCAP_REG_DOT11_VALUE_NAME, strDeviceName, KEY_WRITE); + return WriteStrToRegistry(NPCAP_SERVICE_REG_KEY_NAME _T("\\Parameters"), NPCAP_REG_DOT11_VALUE_NAME, strDeviceName, KEY_WRITE); } BOOL writeWlanAdapterGuidsToRegistry() 
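Review bot: The new unconditional `Get-ItemProperty` calls on the `npf` and `npf\Parameters` keys (and their `_wifi` counterparts) raise a non-terminating error whenever those keys are absent, which is presumably the common case when WinPcap-compatible mode was not installed; because the script's output is collected with `2>&1 >> $report_file_name`, those errors land in the diagnostic report as red-herring failures. The old `$winpcap_mode` guard was dropped along with the `WinPcapCompatible` read from the service key, but an existence test keeps the report clean: wrap each group in `if (Test-Path HKLM:\SYSTEM\CurrentControlSet\Services\npf) { ... }` or add `-ErrorAction SilentlyContinue` to each `Get-ItemProperty`. The same applies to the now-unconditional `Get-Service npf` in the following hunk. A short comment such as `# npf* keys and service exist only when WinPcap compatible mode was installed` would explain why these sections are optional.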
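Review bot: `AddFlagToRegistry_Service` now writes under `NPCAP_SERVICE_REG_KEY_NAME _T("\\Parameters")`, a subkey that only exists if something created it first; `WriteStrToRegistry` is called with `KEY_WRITE`, which reads like an access mask for opening an existing key, so if that helper uses RegOpenKeyEx rather than RegCreateKeyEx the write fails whenever the installer has not yet created Parameters and the loopback adapter name is silently never recorded (the driver would then presumably run without a loopback adapter name). Confirm the creation order in the installer, or have the helper create the key. The same literal path is now spelled out here, in `AddFlagToRegistry_Dot11Adapters` and in the driver; a single `#define NPCAP_PARAMETERS_REG_KEY_NAME NPCAP_SERVICE_REG_KEY_NAME _T("\\Parameters")` next to `NPCAP_SERVICE_REG_KEY_NAME` would keep them from drifting. Note that this relies on `NPCAP_SERVICE_REG_KEY_NAME` expanding to a bare string literal for the adjacent-literal concatenation to compile.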
diff --git a/packetWin7/npf/npf/Packet.c b/packetWin7/npf/npf/Packet.c index e4ce5f37..ed30e5e0 100644 --- a/packetWin7/npf/npf/Packet.c +++ b/packetWin7/npf/npf/Packet.c @@ -242,6 +242,7 @@ DriverEntry( { NDIS_FILTER_DRIVER_CHARACTERISTICS FChars; // The specification for the filter. NDIS_FILTER_DRIVER_CHARACTERISTICS FChars_WiFi; // The specification for the WiFi filter. + UNICODE_STRING parametersPath; NTSTATUS Status = STATUS_SUCCESS; // Use NonPaged Pool instead of No-Execute (NX) Nonpaged Pool for Win8 and later, this is for security purpose. 
@@ -264,38 +265,53 @@ DriverEntry( PsGetVersion(&OsMajorVersion, &OsMinorVersion, NULL, NULL); TRACE_MESSAGE2(PACKET_DEBUG_LOUD, "OS Version: %d.%d\n", OsMajorVersion, OsMinorVersion); - // Get the AdminOnly option, if AdminOnly=1, devices will be created with the safe SDDL, to make sure only Administrators can use Npcap driver. - // If the registry key doesn't exist, we view it as AdminOnly=0, so no protect to the driver access. - g_AdminOnlyMode = NPF_GetRegistryOption_Integer(RegistryPath, &g_AdminOnlyRegValueName); - // Get the DltNull option, if DltNull=1, loopback traffic will be DLT_NULL/DLT_LOOP style, including captured and sent packets. - // If the registry key doesn't exist, we view it as DltNull=0, so loopback traffic are Ethernet packets. - g_DltNullMode = NPF_GetRegistryOption_Integer(RegistryPath, &g_DltNullRegValueName); - // Get the Dot11Support option, if Dot11Support=1, Npcap driver will enable the raw 802.11 functions. - // If the registry key doesn't exist, we view it as Dot11Support=1, so has raw 802.11 support. - g_Dot11SupportMode = NPF_GetRegistryOption_Integer(RegistryPath, &g_Dot11SupportRegValueName); - // Get the VlanSupport option, if VlanSupport=1, Npcap driver will try to recognize 802.1Q VLAN tag when capturing and sending data. - // If the registry key doesn't exist, we view it as VlanSupport=0, so no VLAN support. - g_VlanSupportMode = NPF_GetRegistryOption_Integer(RegistryPath, &g_VlanSupportRegValueName); - // Get the TimestampMode option. The meanings of its values is described in time_calls.h. - // If the registry key doesn't exist, we view it as TimestampMode=0, so the default "QueryPerformanceCounter" timestamp gathering method. 
- g_TimestampMode = NPF_GetRegistryOption_Integer(RegistryPath, &g_TimestampRegValueName); + RtlInitUnicodeString(¶metersPath, NULL); + parametersPath.MaximumLength=RegistryPath->Length+wcslen(L"\\Parameters")*sizeof(WCHAR)+sizeof(UNICODE_NULL); + parametersPath.Buffer=ExAllocatePool(PagedPool, parametersPath.MaximumLength); + if (!parametersPath.Buffer) { + return STATUS_INSUFFICIENT_RESOURCES; + } + RtlZeroMemory(parametersPath.Buffer, parametersPath.MaximumLength); + RtlCopyUnicodeString(¶metersPath, RegistryPath); + RtlAppendUnicodeToString(¶metersPath, L"\\Parameters"); + + Status = RtlCheckRegistryKey(RTL_REGISTRY_ABSOLUTE, + parametersPath.Buffer); + if (NT_SUCCESS(Status)) { + // Get the AdminOnly option, if AdminOnly=1, devices will be created with the safe SDDL, to make sure only Administrators can use Npcap driver. + // If the registry key doesn't exist, we view it as AdminOnly=0, so no protect to the driver access. + g_AdminOnlyMode = NPF_GetRegistryOption_Integer(¶metersPath, &g_AdminOnlyRegValueName); + // Get the DltNull option, if DltNull=1, loopback traffic will be DLT_NULL/DLT_LOOP style, including captured and sent packets. + // If the registry key doesn't exist, we view it as DltNull=0, so loopback traffic are Ethernet packets. + g_DltNullMode = NPF_GetRegistryOption_Integer(¶metersPath, &g_DltNullRegValueName); + // Get the Dot11Support option, if Dot11Support=1, Npcap driver will enable the raw 802.11 functions. + // If the registry key doesn't exist, we view it as Dot11Support=1, so has raw 802.11 support. + g_Dot11SupportMode = NPF_GetRegistryOption_Integer(¶metersPath, &g_Dot11SupportRegValueName); + // Get the VlanSupport option, if VlanSupport=1, Npcap driver will try to recognize 802.1Q VLAN tag when capturing and sending data. + // If the registry key doesn't exist, we view it as VlanSupport=0, so no VLAN support. 
+ g_VlanSupportMode = NPF_GetRegistryOption_Integer(¶metersPath, &g_VlanSupportRegValueName); + // Get the TimestampMode option. The meanings of its values is described in time_calls.h. + // If the registry key doesn't exist, we view it as TimestampMode=0, so the default "QueryPerformanceCounter" timestamp gathering method. + g_TimestampMode = NPF_GetRegistryOption_Integer(¶metersPath, &g_TimestampRegValueName); #ifdef HAVE_WFP_LOOPBACK_SUPPORT - NPF_GetRegistryOption_String(RegistryPath, &g_LoopbackRegValueName, &g_LoopbackAdapterName); - if (g_LoopbackAdapterName.Buffer != NULL && g_LoopbackAdapterName.Length != ADAPTER_NAME_SIZE * 2) - { - TRACE_MESSAGE2(PACKET_DEBUG_LOUD, "g_LoopbackAdapterName is invalid, g_LoopbackAdapterName.Length = %d, ADAPTER_NAME_SIZE * 2 = %d\n", - g_LoopbackAdapterName.Length, ADAPTER_NAME_SIZE * 2); - ExFreePool(g_LoopbackAdapterName.Buffer); - g_LoopbackAdapterName.Buffer = NULL; - g_LoopbackAdapterName.Length = 0; - g_LoopbackAdapterName.MaximumLength = 0; - } + NPF_GetRegistryOption_String(¶metersPath, &g_LoopbackRegValueName, &g_LoopbackAdapterName); + if (g_LoopbackAdapterName.Buffer != NULL && g_LoopbackAdapterName.Length != ADAPTER_NAME_SIZE * 2) + { + TRACE_MESSAGE2(PACKET_DEBUG_LOUD, "g_LoopbackAdapterName is invalid, g_LoopbackAdapterName.Length = %d, ADAPTER_NAME_SIZE * 2 = %d\n", + g_LoopbackAdapterName.Length, ADAPTER_NAME_SIZE * 2); + ExFreePool(g_LoopbackAdapterName.Buffer); + g_LoopbackAdapterName.Buffer = NULL; + g_LoopbackAdapterName.Length = 0; + g_LoopbackAdapterName.MaximumLength = 0; + } #endif #ifdef HAVE_RX_SUPPORT - NPF_GetRegistryOption_String(RegistryPath, &g_SendToRxRegValueName, &g_SendToRxAdapterName); - NPF_GetRegistryOption_String(RegistryPath, &g_BlockRxRegValueName, &g_BlockRxAdapterName); + NPF_GetRegistryOption_String(¶metersPath, &g_SendToRxRegValueName, &g_SendToRxAdapterName); + NPF_GetRegistryOption_String(¶metersPath, &g_BlockRxRegValueName, &g_BlockRxAdapterName); #endif + } + if 
(parametersPath.Buffer) ExFreePool(parametersPath.Buffer); // RegistryPath = "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap" for standard driver // RegistryPath = "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap_wifi" for WiFi driver diff --git a/version.h b/version.h index 1edd2087..a6609e58 100644 --- a/version.h +++ b/version.h @@ -87,11 +87,11 @@ #define /* !define /**/ WINPCAP_MINOR 0 #define /* - !define /**/ WINPCAP_REV 92 + !define /**/ WINPCAP_REV 93 #define /* - !define /**/ WINPCAP_BUILD 612 + !define /**/ WINPCAP_BUILD 727 #define /* - !define /**/ WINPCAP_VER_STRING "0.92" + !define /**/ WINPCAP_VER_STRING "0.93" #define WINPCAP_WPCAP_STRING_VERSION WINPCAP_VER_STRING
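Review bot: After `Status = RtlCheckRegistryKey(RTL_REGISTRY_ABSOLUTE, parametersPath.Buffer);` fails, `Status` is left holding the error and is never reset before the hunk ends; DriverEntry continues past this hunk, so if any later path returns or tests `Status` before reassigning it, a missing Parameters subkey would make the driver fail to load instead of falling back to defaults — add `Status = STATUS_SUCCESS;` in an else branch, or use a dedicated local for the check. That else branch is also where the fallback should be traced, because silently skipping the block means `g_AdminOnlyMode` keeps its compiled-in default, i.e. a wiped or never-created Parameters key fails open to the unprotected device access that the AdminOnly comment describes; at minimum log it with the file's TRACE_MESSAGE family so DiagReport can show why AdminOnly was not applied. `ExAllocatePool(PagedPool, ...)` is the untagged, deprecated form; prefer `ExAllocatePoolWithTag(PagedPool, parametersPath.MaximumLength, tag)` with the driver's pool tag so Driver Verifier and pool-leak tooling can attribute the allocation, and check the return value of `RtlAppendUnicodeToString` instead of relying on the length arithmetic (note `MaximumLength` is a USHORT, so the sum is silently truncated). The enclosing DriverEntry starts before and ends after this hunk.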