Hi Jeffrey.
First of all, thanks a lot for your help, dedication and promptness of your reply.
The following results have been
Regarding the question of packets not working, we would like to remark that, except for the ARP packet, all other traffic works well in spite of the fact that our LWF is below NWF.
The system does not recover either after a reboot or after uninstalling the WiFi NIC and reinstalling it. In contrast, if we uninstall and reinstall our LWF, the problem is solved and, what’s more, if we just stop and start the LWF, the problem is solved again.
With respect to the INF, at the end of this reply you can see the whole file copied and pasted. We hope not to flood you with too much information.
Talking about the FilterClass, it does not affect our case because our LWF has had the same parameter since the beginning, years ago.
Apart from this, what we have seen in the registry is that our LWF is ALWAYS below the NWF, in both the working and not working cases. So, as you said, it seems to be a problem with the INF or netcfg.
The FilterList registry entry is:
{247296B6-A5D0-4153-92FD-80329CFD73DF}-{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000 WFP Native MAC Layer LightWeight Filter
{247296B6-A5D0-4153-92FD-80329CFD73DF}-{5CBF81BF-5055-47CD-9055-A76B2B4E3698}-0000 Virtual WiFi Filter Driver
{247296B6-A5D0-4153-92FD-80329CFD73DF}-{E475CF9A-60CD-4439-A75F-0079CE0E18A1}-0000 >>> NativeWiFi Filter <<<
{247296B6-A5D0-4153-92FD-80329CFD73DF}-{C98E08D2-C96C-4F43-947D-E63428BE1BBA}-0000 *** Our LWF ***
{247296B6-A5D0-4153-92FD-80329CFD73DF}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000 QoS Packet Scheduler
{247296B6-A5D0-4153-92FD-80329CFD73DF}-{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000 WFP 802.3 MAC Layer LightWeight Filter
After stopping and starting the LWF, which solves the issue, we have observed that the FilterList does not change, but with the !ndiskd.netreport command the order is correct, with the LWF above the NWF. In contrast, in error cases ndiskd shows the LWF below the NWF and the registry entries remain unchanged. So it looks like the registry key list is just fixed and is not updated, whereas the ndiskd extension gives us the exact configuration. Is this true? How does it work?
We have a tool that installs and uninstalls the LWF using the functions provided by the NetCfg library. To rule it out, we have tested installing the LWF manually, via INF, from network adapter properties. The results have been the same as those we have presented, so we believe it has nothing to do with that tool but with the INF or the NetCfg library.
Finally, we must say that we have tested the case with a bunch of different WiFi devices, and some of them worked well under the same conditions in which the initial one failed. That makes us consider the possibility that even though the LWF is below the NWF (at least in the registry), the right behaviour may be influenced by the WiFi NIC driver. Does this make sense?
Again thanks a lot for your time and help. Have a good day.
*********************************************************************************************
--------------------------------------------- INF FILE --------------------------------------
*********************************************************************************************
;-------------------------------------------------------------------------
; – NNSNAHSL.INF –
;
; NDIS Kernelmode I/O Driver
;
; Copyright (c) 2014, Panda Security, S.L. All rights reserved.
;-------------------------------------------------------------------------
[version]
Signature = "$Windows NT$"
Class = NetService
ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}
Provider = %Panda%
DriverVer = 12/31/2014,4.1.0.47
CatalogFile = nnsnahsl.cat
[Manufacturer]
%Panda%=PANDA,NTx86,NTia64,NTamd64
[PANDA]
%NNSNAHSL_Desc%=Install, NNSNAHSL
[PANDA.NTx86]
%NNSNAHSL_Desc%=Install, NNSNAHSL
[PANDA.NTia64]
%NNSNAHSL_Desc%=Install, NNSNAHSL
[PANDA.NTamd64]
%NNSNAHSL_Desc%=Install, NNSNAHSL
;-------------------------------------------------------------------------
; Installation Section
;-------------------------------------------------------------------------
[Install]
AddReg=Inst_Ndi
Characteristics=0x40000 ; NCF_LW_FILTER
NetCfgInstanceId="{c98e08d2-c96c-4f43-947d-e63428be1bba}"
Copyfiles = NNSNAHSL.copyfiles.sys
CopyInf = nnsnahsl.inf
[SourceDisksNames]
1=%NNSNAHSL_Desc%,"",
[SourceDisksFiles]
NNSNAHSL.sys=1
[DestinationDirs]
DefaultDestDir=12
NNSNAHSL.copyfiles.sys=12
[NNSNAHSL.copyfiles.sys]
NNSNAHSL.sys,2
;-------------------------------------------------------------------------
; Ndi installation support
; - ethernet: ethernet & MobileBroadband support for XP/Vista
; - ppip : Added for MobileBroadband support in Win7/8/8.1
;-------------------------------------------------------------------------
[Inst_Ndi]
HKR, Ndi,Service,"NNSNAHSL"
HKR, Ndi,CoServices,0x00010000,"NNSNAHSL"
HKR, Ndi,HelpText,%NNSNAHSL_HelpText%
HKR, Ndi,FilterClass, compression
HKR, Ndi,FilterType,0x00010001,0x00000002
HKR, Ndi\Interfaces,UpperRange,"noupper"
HKR, Ndi\Interfaces,LowerRange,"nolower"
HKR, Ndi\Interfaces, FilterMediaTypes,"ethernet, tokenring, fddi, wan, ppip"
HKR, Ndi\Interfaces, LowerExclude, , "ndisatm, ndiscowan, ndiswan, ndiswanasync, ndiswanipx, ndiswannbf, vpnva"
HKR, Ndi,FilterRunType, 0x00010001, 2 ; OPTIONAL Filter | This is an optional filter module
;-------------------------------------------------------------------------
; Service installation support
;-------------------------------------------------------------------------
[Install.Services]
AddService=NNSNAHSL,NNSNAHSL_Service_Inst
[NNSNAHSL_Service_Inst]
DisplayName = %NNSNAHSL_Desc%
ServiceType = 1 ;SERVICE_KERNEL_DRIVER
StartType = 1 ;SERVICE_SYSTEM_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary = %12%\NNSNAHSL.sys
LoadOrderGroup = NDIS
Description = %NNSNAHSL_Desc%
AddReg = Common.Params.reg
[Install.Remove.Services]
DelService = NNSNAHSL,0x200
[Install.Remove]
DelFiles = NNSNAHSL.copyfiles.sys
[Common.Params.reg]
HKR, FilterDriverParams\DriverParam, ParamDesc, , "Driverparam for lwf"
HKR, FilterDriverParams\DriverParam, default, , "5"
HKR, FilterDriverParams\DriverParam, type, , "int"
HKR, FilterAdapterParams\AdapterParam, ParamDesc, , "Adapterparam for lwf"
HKR, FilterAdapterParams\AdapterParam, default, , "10"
HKR, FilterAdapterParams\AdapterParam, type, , "int"
;-------------------------------------------------------------------------
; Strings Section
;-------------------------------------------------------------------------
[Strings]
Panda = "Panda Security, S.L."
NNSNAHSL_Desc = "Network Activity Hook Server LightWeight Filter Driver"
NNSNAHSL_HelpText = "Network Activity Hook Server LWF Packet Interception Driver"