On 22 June 2016 at 16:57, Yang Luo <[email protected]> wrote:

> Hi list,
>
> I recently got an issue about Npcap's Admin-only mode. It's actually a
> pretty old question:
>
>> I updated to the latest available release (Npcap 0.07 r17) and checked the
>> option to only allow admin user to use it. When starting Wireshark, I had
>> about 10 requests one after the other from UAC for NPcapHelper. Every time
>> capture is started, it also pops up.
>> It would be great if there was no more than a single request.
>
> This is because Npcap will prompt a UAC window for every Npcap's DLL
> loading. And Wireshark invokes multiple times of dumpcap.exe, which loads
> Npcap's DLLs (wpcap.dll, Packet.dll).
>
> It seems that in Linux there's a special user or a group that is permitted
> to do the capturing. And Wireshark can run under that user/group. But on
> Windows, the convention is using UAC window to do the privilege escalation.
> So we can't copy Linux's solution here. I wonder is there any other way to
> solve this? Like the Wireshark GUI only uses one dumpcap.exe instance
> during its lifecycle?
>
> Cheers,
> Yang

I think a solution similar to that used by Linux could be used, i.e. "Admin-only" mode could be changed to require membership of a local group, e.g. "Npcap-users", and then NPcapHelper could check that the calling user is a member of that group.

Modifying a group's membership requires a UAC elevation, so is still protected as to those that can use Npcap.

--
Graham Bloice
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
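
The group-membership check proposed in the reply above, as an added example that is not code from Npcap, Wireshark or either poster. The function name `Test-NpcapUser` is hypothetical, and it evaluates the current process's token, whereas a helper such as NPcapHelper would have to evaluate the token of its caller.

```powershell
# Added illustration. 'Npcap-users' is the group name suggested in the reply;
# Test-NpcapUser is a hypothetical name, not part of Npcap.
#
# One-time setup by an administrator (elevated prompt), e.g.:
#   New-LocalGroup -Name 'Npcap-users'
#   Add-LocalGroupMember -Group 'Npcap-users' -Member '<user>'
# A user's new membership appears in their token only after the next logon.

function Test-NpcapUser {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Npcap-users'
    )

    # Resolve the local group name to its SID. Fail closed when the group
    # does not exist, so a missing group never grants capture access.
    try {
        $account = [System.Security.Principal.NTAccount]::new($env:COMPUTERNAME, $GroupName)
        $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Verbose "Local group '$GroupName' not found; denying."
        return $false
    }

    # IsInRole(SID) is evaluated against the access token, so it reflects the
    # groups that are actually enabled for this logon session. A custom local
    # group is present in a standard (non-elevated) token, which is why this
    # check needs no UAC prompt.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole($groupSid)
}

if (Test-NpcapUser) {
    Write-Output 'Caller is a member of Npcap-users: capture allowed.'
} else {
    Write-Output 'Caller is not a member of Npcap-users: capture denied.'
}
```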
