Wireshark-dev: Re: [Wireshark-dev] Multiple UAC requests when starting/using Wireshark with Npc
From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Tue, 28 Jun 2016 12:32:01 +0100

On 22 June 2016 at 16:57, Yang Luo <hsluoyb@xxxxxxxxx> wrote:
Hi list,

I recently got an issue about Npcap's Admin-only mode. It's actually a pretty old question:

I updated to the latest available release (Npcap 0.07 r17) and checked the option to only allow > admin user to use it. When starting Wireshark, I had about 10 requests one after the other from UAC for NPcapHelper. Every time capture is started, it also pops up.
It would be great if there was no more than a single request.

This is because Npcap will prompt a UAC window for every Npcap's DLL loading. And Wireshark invokes multiple times of dumpcap.exe, which loads Npcap's DLLs (wpcap.dll, Packet.dll).

It seems that in Linux there's a special user or a group that is permitted to do the capturing. And Wireshark can run under that user/group. But on Windows, the convention is using UAC window to do the privilege escalation. So we can't copy Linux's solution here. I wonder is there any other way to solve this? Like the Wireshark GUI only uses one dumpcap.exe instance during its lifecycle?


Cheers,
Yang



I think a solution similar to that used by Linux could be used, i.e. "Admin-only" mode could be changed to require membership of a local group, e.g. "Npcap-users", and then NPcapHelper could check that the calling user is a member of that group.

Modifying a groups membership requires a UAC elevation, so is still protected as to those that can use Npcap.

--
Graham Bloice