Wireshark mailing list archives
Re: Multiple UAC requests when starting/using Wireshark with Npcap's "Admin-only" mode ON
From: Graham Bloice <graham.bloice () trihedral com>
Date: Tue, 28 Jun 2016 12:32:01 +0100
On 22 June 2016 at 16:57, Yang Luo <hsluoyb () gmail com> wrote:
Hi list, I recently got an issue about Npcap's Admin-only mode. It's actually a pretty old question: I updated to the latest available release (Npcap 0.07 r17) and checked theoption to only allow > admin user to use it. When starting Wireshark, I had about 10 requests one after the other from UAC for NPcapHelper. Every time capture is started, it also pops up. It would be great if there was no more than a single request.This is because Npcap will prompt a UAC window for every Npcap's DLL loading. And Wireshark invokes multiple times of dumpcap.exe, which loads Npcap's DLLs (wpcap.dll, Packet.dll). It seems that in Linux there's a special user or a group that is permitted to do the capturing. And Wireshark can run under that user/group. But on Windows, the convention is using UAC window to do the privilege escalation. So we can't copy Linux's solution here. I wonder is there any other way to solve this? Like the Wireshark GUI only uses one dumpcap.exe instance during its lifecycle? Cheers, Yang
I think a solution similar to that used by Linux could be used, i.e. "Admin-only" mode could be changed to require membership of a local group, e.g. "Npcap-users", and then NPcapHelper could check that the calling user is a member of that group. Modifying a groups membership requires a UAC elevation, so is still protected as to those that can use Npcap. -- Graham Bloice
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Multiple UAC requests when starting/using Wireshark with Npcap's "Admin-only" mode ON Yang Luo (Jun 22)
- Re: Multiple UAC requests when starting/using Wireshark with Npcap's "Admin-only" mode ON Graham Bloice (Jun 28)