• 2009-02-28

    It took me a long time to get it installed...

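    Copyright notice: when reposting, please cite the article's original source, the author information and this notice in the form of a hyperlink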
    http://littledovemm.blogbus.com/logs/35872998.html

    [Security] WinPcap installation problem: Error opening file for writing c:\windows\system32\drivers\npf.sys

    Recently a friend asked me to help him install WinPcap on his computer. WinPcap is the packet capture and network monitoring library for Windows. Some network analyzers (such as Wireshark, the new version of Ethereal) or URL sniffers (such as Url helper) need WinPcap.

    However, my friend got an error when installing WinPcap. He tried both the old 3.x version and the new 4.x version of WinPcap, but every time he got the error message "error opening for writing, c:\windows\system32\drivers\npf.sys". We googled the internet and found that many people suffered from the same problem and no solution had been provided so far. Some people said it's due to the user account having insufficient privilege to install a driver file, but my friend's account is the administrator. Some other people said you may need to first delete the old npf.sys in the system32\drivers folder and then reinstall, but we checked this folder and didn't find a file called npf.sys. We also turned off the firewall and anti-virus software, but the problem was still there.

    Finally, we made another try by copying a virus-free npf.sys from another computer to my friend's computer. Then we found the reason. The system reported that it could not copy npf.sys (34,064 bytes) to npf.sys (0 bytes). But as just mentioned, we had already checked, and there was no file named npf.sys installed. So the only explanation is that a sub-directory called npf.sys exists. We checked again, and Bingo, we got it! There's a directory called c:\windows\system32\drivers\NPF.SYS on the computer (notice, it's not a file, but a directory). This NPF.SYS directory is empty and its name is in upper case. I suspect some other software (with high probability a trojan or spyware) installed this NPF.SYS directory into the system32\drivers folder (it pretended to be a WinPcap file so that it could capture or sniff your password over the network). Later, it may have been removed by an anti-virus program. But it was not cleaned up completely, and the residual NPF.SYS directory is still on your system.

    In summary, if you encounter the same error (Error opening file for writing c:\windows\system32\drivers\npf.sys), first check whether you have an NPF.SYS directory under \windows\system32\drivers.
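
The check described above, written as a PowerShell script. This is an added example, not part of the original post; the function name `Get-NpfPathState` and the `-RemoveIfEmpty` switch are made up for it, and it assumes an elevated 64-bit PowerShell session.

```powershell
# Added example (not from the original post). Function and switch names are hypothetical.
# Run elevated in 64-bit PowerShell: a 32-bit shell on 64-bit Windows is redirected
# from System32 to SysWOW64 and would inspect the wrong folder.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\npf.sys'),
    [switch]$RemoveIfEmpty   # nothing is deleted unless this switch is passed
)

function Get-NpfPathState {
    param([string]$LiteralPath)
    if (-not (Test-Path -LiteralPath $LiteralPath)) { return 'Missing' }
    $item = Get-Item -LiteralPath $LiteralPath -Force
    if (-not $item.PSIsContainer) { return 'File' }
    # -Force also lists hidden and system entries, so "empty" really means empty
    $children = @(Get-ChildItem -LiteralPath $LiteralPath -Force)
    if ($children.Count -eq 0) { return 'EmptyDirectory' }
    return 'NonEmptyDirectory'
}

$state = Get-NpfPathState -LiteralPath $Path
"{0}: {1}" -f $Path, $state

if ($state -ne 'Missing') {
    # Record timestamps and owner before touching anything; they are the only
    # trace left of whatever created the entry.
    $item = Get-Item -LiteralPath $Path -Force
    "Created (UTC):  {0:u}" -f $item.CreationTimeUtc
    "Modified (UTC): {0:u}" -f $item.LastWriteTimeUtc
    "Owner:          {0}" -f (Get-Acl -LiteralPath $Path).Owner
}

switch ($state) {
    'Missing'           { 'No npf.sys entry exists here; this is not the case from the post.' }
    'File'              { 'npf.sys is a regular file; this is not the case from the post.' }
    'NonEmptyDirectory' { 'A directory with contents; inspect it before removing anything.' }
    'EmptyDirectory'    {
        if ($RemoveIfEmpty) {
            # Without -Recurse, Remove-Item only succeeds on an empty directory
            Remove-Item -LiteralPath $Path -Force
            'Empty directory removed; rerun the WinPcap installer.'
        } else {
            'Empty directory is in the way of the driver file; rerun with -RemoveIfEmpty.'
        }
    }
}
```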






    Comments

  • Yes man, you found the reason. I have successfully installed WinPcap 4.01. However, I still fail to run P2P software. It said it could not find the network adapter. It has been troubling me for a long time. :(
    littledovemm replied to John:
    I AM A GIRL
    2009-06-08 22:31:00