Re: Multiple UAC requests when starting/using Wireshark with Npcap's "Admin-only" mode ON

[Graham Bloice <graham.bloice () trihedral com>]

On 22 June 2016 at 16:57, Yang Luo <hsluoyb () gmail com> wrote:

> Hi list,
>
> I recently got an issue about Npcap's Admin-only mode. It's actually a
> pretty old question:
>
> I updated to the latest available release (Npcap 0.07 r17) and checked the
> > option to only allow > admin user to use it. When starting Wireshark, I had
> > about 10 requests one after the other from UAC for NPcapHelper. Every time
> > capture is started, it also pops up.
> > It would be great if there was no more than a single request.
>
>
> This is because Npcap will prompt a UAC window for every Npcap's DLL
> loading. And Wireshark invokes multiple times of dumpcap.exe, which loads
> Npcap's DLLs (wpcap.dll, Packet.dll).
>
> It seems that in Linux there's a special user or a group that is permitted
> to do the capturing. And Wireshark can run under that user/group. But on
> Windows, the convention is using UAC window to do the privilege escalation.
> So we can't copy Linux's solution here. I wonder is there any other way to
> solve this? Like the Wireshark GUI only uses one dumpcap.exe instance
> during its lifecycle?
>
>
> Cheers,
> Yang
I think a solution similar to that used by Linux could be used, i.e.
"Admin-only" mode could be changed to require membership of a local group,
e.g. "Npcap-users", and then NPcapHelper could check that the calling user
is a member of that group.

Modifying a groups membership requires a UAC elevation, so is still
protected as to those that can use Npcap.

-- 
Graham Bloice

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe