











Can anybody describe how to install WinPcap?



#1 AlBundy


Posted 18 August 2008 - 07:29 PM

Hi @all,

I want to use Wireshark and Cain&Abel on my VistaPE-DVD.
Therefore I have created a script to install WinPcap but unfortunately it does not work correctly. :-(

1. I have to copy the drivers to Windows\System32
2. install and start the driver (maybe both via a start-menu entry)

To 1.: I copy the files to %BaseSRC%\Windows\System32 - but I can not find it on DVD. :-/
To 2.: Because of 1. I can't test it. :-)

Maybe someone can help me.

Thanks

Al

Here is the script:
# WinBuilder .script for VistaPE (revision from post #1). [Process] runs top to
# bottom; the other sections are subroutines invoked as
# Run,%ScriptFile%,<Section>,arg1,arg2 and read their arguments as #1, #2.
[main]

# Script metadata read by WinBuilder; Selected and Level are not referenced
# anywhere in the script body.
Title=WinPcap 4.0.2

Description=

Selected=True

Level=5

Version=1

Author=Hawk

Date=2008-08-02

Contact=



[variables]

%ProgramFolder%=WinPcap

%ProgramEXE%=

%ProgramTitle%=

%StartMenuAppGroup%=

# NOTE(review): plain-HTTP download and no integrity check anywhere below, yet
# the unpacked npf.sys is registered as a kernel driver (Type 0x1) in every
# image built from this script. Verify the installer against a known-good hash
# (e.g. in [Download], against <WINPCAP_4_0_2_SHA256 - placeholder>) before use.
%DownloadURL%=http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe

%Filename%=WinPcap_4_0_2.exe

%ArchiveSubDir%=



[Process]

Echo,Processing %ProgramTitle%...

# download

Run,%ScriptFile%,Download,%DownloadURL%,%Filename%

# extract

# Unpack the installer with 7-Zip into %ScriptDir%\%ProgramFolder% (see
# [Extract]); $R0, $PLUGINSDIR and $TEMP are installer-internal folders.
Run,%ScriptFile%,Extract,%Filename%

DirDelete,%ScriptDir%\%ProgramFolder%\$R0

DirDelete,%ScriptDir%\%ProgramFolder%\$PLUGINSDIR

DirDelete,%ScriptDir%\%ProgramFolder%\$TEMP

# $SYSDIR holds what the installer would place under System32; hoist its
# contents one level up so the whole folder can be copied into the image below.
DirCopy,%ScriptDir%\%ProgramFolder%\$SYSDIR\*,%ScriptDir%\%ProgramFolder%

DirDelete,%ScriptDir%\%ProgramFolder%\$SYSDIR

# registry-settings

Run,%ScriptFile%,RegistrySettings

# copy

#CopyProgram,"%ScriptDir%\%ProgramFolder%"

# NOTE: post #2 in this thread reports that %BootSRC% is the wrong destination
# (the files never show up on the DVD); later revisions copy to
# %TargetDir%\Windows\System32 instead.
DirCopy,%ScriptDir%\%ProgramFolder%\*,%BootSRC%\Windows\System32

# cleanup

DirDelete,"%ScriptDir%\%ProgramFolder%"



[Download]

# #1 = URL, #2 = local file name. With the "force download" checkbox ticked a
# cached copy is deleted first; WebGetIfNotExist then fetches only when the
# file is missing. Nothing verifies what was downloaded.
If,ExistFile,"%ScriptDir%\#2",If,%pCheckBox1%,Equal,True,FileDelete,"%ScriptDir%\#2"

WebGetIfNotExist,"#1","%ScriptDir%\#2"



[Extract]

# #1 = archive name, #2 = optional output folder (defaults to %ProgramFolder%).
# #$q is WinBuilder's escaped double quote, needed inside the 7z command line.
If,#2,Equal,"",Set,%OutputFolder%,"%ProgramFolder%"

If,#2,NotEqual,"",Set,%OutputFolder%,"#2"

ShellExecute,Hide,"%Tools%\7z.exe","x -y -o#$q%ScriptDir%\%OutputFolder%#$q #$q%ScriptDir%\#1#$q"

# When %ArchiveSubDir% names a top-level folder inside the archive, flatten it.
If,%ArchiveSubDir%,NotEqual,"",If,ExistDir,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%",DirMove,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%\*","%ScriptDir%\%OutputFolder%"

If,%ArchiveSubDir%,NotEqual,"",If,ExistDir,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%",DirDelete,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%"



[RegistrySettings]

# Registers npf.sys as the NPF service in the image's SYSTEM hive (ControlSet001).
# RegAddBoot value-type codes used here: 0x1 REG_SZ, 0x2 REG_EXPAND_SZ,
# 0x3 REG_BINARY, 0x4 REG_DWORD.
#Software.AddReg = HKLM\Software

#SetupReg.AddReg = HKLM\System

#Default.AddReg  = HKUsers\.Default or HKCU

#RegAddBoot,"HKLM",0x1,"Section","Key(Text)","String"

RegAddBoot,"HKLM",0x1,"System\ControlSet001\Services\NPF","DisplayName","NetGroup Packet Filter Driver"

# ErrorControl 0x1 = SERVICE_ERROR_NORMAL (log and keep booting if the driver fails).
RegAddBoot,"HKLM",0x4,"System\ControlSet001\Services\NPF","ErrorControl",0x1

# ImagePath is relative to the system root, so the copy step in [Process] must
# land npf.sys in System32\drivers - check that the copied tree has that
# subfolder (the converter plugin in post #12 copies *.sys there explicitly).
RegAddBoot,"HKLM",0x2,"System\ControlSet001\Services\NPF","ImagePath","System32\drivers\npf.sys"

# Start 0x3 = SERVICE_DEMAND_START (started by "net start NPF"); later
# revisions in this thread try 0x2 (auto-start).
RegAddBoot,"HKLM",0x4,"System\ControlSet001\Services\NPF","Start",0x3

# Type 0x1 = SERVICE_KERNEL_DRIVER.
RegAddBoot,"HKLM",0x4,"System\ControlSet001\Services\NPF","Type",0x1

# Security = the service object's self-relative security descriptor, i.e. who
# may start/stop/reconfigure NPF. The bytes appear to decode to the stock
# service descriptor: owner/group SYSTEM; DACL full control for Administrators,
# start/stop (no reconfigure) for SYSTEM and Power Users, read-only for
# Authenticated Users; audit SACL on Everyone for failed access. Decode and
# confirm before reuse rather than trusting it.
# NOTE: the value below arrived split over several lines with lone commas
# (post #13 says the reg code was re-wrapped for readability); the revision in
# post #3 shows it joined with trailing commas. As shown it is not one command.
RegAddBoot,"HKLM",0x3,"System\ControlSet001\Services\NPF\Security","Security",01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,

00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00

,

04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18

,

00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01

,

02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00

,

00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00

,

00,00,00,05,12,00,00,00



[Interface]

# Checkbox read by [Download] as %pCheckBox1%; the trailing False is presumably
# its initial state - confirm against the WinBuilder interface docs.
pCheckBox1="force download",1,3,0,0,200,18,False


#2 AlBundy


Posted 19 August 2008 - 07:29 AM

The first problem is solved - I only have to copy the files to %TargetDir%\Windows\System32 and not to %BootSRC%\Windows\System32 :-)

But now I need to start the service, which does not work because I can't see it in ServicesPE.

Al

#3 AlBundy


Posted 24 August 2008 - 04:28 PM

I really hope, that someone can help me.
Files will be copied and registry-entries were made.

But I can't start the Service. :-(

My current Script:
# WinBuilder .script for VistaPE (revision from post #3): copies to %TargetDir%,
# writes the service keys through a loaded hive instead of RegAddBoot, and adds
# a "net start NPF" autorun. [Process] runs top to bottom; other sections are
# subroutines called via Run,%ScriptFile%,<Section>,arg1,arg2 (#1, #2 inside).
[main]

Title=WinPcap 4.0.2

Description=

Selected=True

Level=5

Version=1

Author=Hawk

Date=2008-08-02

Contact=



[variables]

%ProgramFolder%=WinPcap

# npf_mgm.exe is the NPF service manager shipped with WinPcap (the converter
# output in post #12 runs it with -i / -s); nothing in this script invokes it.
%ProgramEXE%=npf_mgm.exe

%ProgramTitle%=WinPcap

%StartMenuAppGroup%=

# NOTE(review): plain-HTTP download with no integrity check; the unpacked
# npf.sys becomes a kernel driver in every image built. Verify the installer
# against a known-good hash (<WINPCAP_4_0_2_SHA256 - placeholder>) first.
%DownloadURL%=http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe

%Filename%=WinPcap_4_0_2.exe

%ArchiveSubDir%=



[Process]

Echo,Processing %ProgramTitle%...

# download

Run,%ScriptFile%,Download,%DownloadURL%,%Filename%

# extract

Run,%ScriptFile%,Extract,%Filename%

# Drop the installer-internal folders, then hoist $SYSDIR (the System32
# payload) one level up so the whole folder can be copied into the image.
DirDelete,%ScriptDir%\%ProgramFolder%\$R0

DirDelete,%ScriptDir%\%ProgramFolder%\$PLUGINSDIR

DirDelete,%ScriptDir%\%ProgramFolder%\$TEMP

DirCopy,%ScriptDir%\%ProgramFolder%\$SYSDIR\*,%ScriptDir%\%ProgramFolder%

DirDelete,%ScriptDir%\%ProgramFolder%\$SYSDIR

# registry-settings

Run,%ScriptFile%,RegistrySettings

# copy

#CopyProgram,"%ScriptDir%\%ProgramFolder%"

# %TargetDir% (not %BootSRC%, see post #2) is the image being built. The
# ImagePath written below expects npf.sys in System32\drivers - confirm the
# copied tree carries that subfolder; the converter plugin in post #12 copies
# *.sys there explicitly.
DirCopy,%ScriptDir%\%ProgramFolder%\*,%TargetDir%\Windows\System32

# Queue "net start NPF" for PE boot. The x: drive letter is hard-coded
# (presumably the letter of the booted PE), i.e. a run-time path rather than
# a %TargetDir% one; #$q is WinBuilder's escaped double quote. The trailing 3
# is presumably an autorun ordering value - confirm in api.script.
AddAutoRun,"NetGroup Packet Filter Driver","x:\windows\system32\net.exe","start #$qNPF#$q",3

# cleanup

DirDelete,"%ScriptDir%\%ProgramFolder%"



[Download]

# #1 = URL, #2 = local file name. A cached copy is deleted when the
# "force download" checkbox is ticked; WebGetIfNotExist then fetches only when
# the file is missing. Nothing verifies what was downloaded.
If,ExistFile,"%ScriptDir%\#2",If,%pCheckBox1%,Equal,True,FileDelete,"%ScriptDir%\#2"

WebGetIfNotExist,"#1","%ScriptDir%\#2"



[Extract]

# #1 = archive name, #2 = optional output folder (defaults to %ProgramFolder%).
# Runs 7z.exe from %Tools%; %ArchiveSubDir% (empty here) would flatten a
# single top-level folder inside the archive.
If,#2,Equal,"",Set,%OutputFolder%,"%ProgramFolder%"

If,#2,NotEqual,"",Set,%OutputFolder%,"#2"

ShellExecute,Hide,"%Tools%\7z.exe","x -y -o#$q%ScriptDir%\%OutputFolder%#$q #$q%ScriptDir%\#1#$q"

If,%ArchiveSubDir%,NotEqual,"",If,ExistDir,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%",DirMove,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%\*","%ScriptDir%\%OutputFolder%"

If,%ArchiveSubDir%,NotEqual,"",If,ExistDir,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%",DirDelete,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%"



[RegistrySettings]

# Mounts the target SYSTEM hive (%RegSystem%) under HKLM\Tmp_setupreg_hiv,
# writes the NPF service keys through that mount point, then unloads it.
# RegWrite type codes: 0x1 REG_SZ, 0x2 REG_EXPAND_SZ, 0x3 REG_BINARY,
# 0x4 REG_DWORD. Post #8 recommends the api.script helpers (Hive_Load /
# reg_add) over these raw calls; the revision in post #14 does that.
#Software.AddReg = HKLM\Software

#SetupReg.AddReg = HKLM\System

#Default.AddReg  = HKUsers\.Default or HKCU

#RegAddBoot,"HKLM",0x1,"Section","Key(Text)","String"

RegHiveLoad,Tmp_setupreg_hiv,%RegSystem%

RegWrite,"HKLM",0x1,"Tmp_setupreg_hiv\ControlSet001\Services\NPF","DisplayName","NetGroup Packet Filter Driver"

# ErrorControl 0x1 = SERVICE_ERROR_NORMAL.
RegWrite,"HKLM",0x4,"Tmp_setupreg_hiv\ControlSet001\Services\NPF","ErrorControl",0x1

# Relative to the system root: npf.sys must be in System32\drivers.
RegWrite,"HKLM",0x2,"Tmp_setupreg_hiv\ControlSet001\Services\NPF","ImagePath","System32\drivers\npf.sys"

# Start changed from 0x3 (demand, post #1) to 0x2 = SERVICE_AUTO_START, so the
# SCM loads the driver at boot and the AddAutoRun above only re-issues a start.
RegWrite,"HKLM",0x4,"Tmp_setupreg_hiv\ControlSet001\Services\NPF","Start",0x2

# Type 0x1 = SERVICE_KERNEL_DRIVER.
RegWrite,"HKLM",0x4,"Tmp_setupreg_hiv\ControlSet001\Services\NPF","Type",0x1

# NOTE(review): only the first line of the Security value is commented out;
# the continuation lines that follow are left as bare text inside the section.
# Whether WinBuilder ignores them or tries to run them is not visible here -
# delete them or comment every line. With no Security value written, the SCM
# presumably applies its default service descriptor.
#RegWrite,"HKLM",0x3,"Tmp_setupreg_hiv\ControlSet001\Services\NPF\Security","Security",01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,

00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,

04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,

00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,

02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,

00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,

00,00,00,05,12,00,00,00

RegHiveUnLoad,Tmp_setupreg_hiv



[Interface]

# Checkbox read by [Download] as %pCheckBox1%; the trailing False is presumably
# its initial state.
pCheckBox1="force download",1,3,0,0,200,18,False


#4 Brito


Posted 24 August 2008 - 05:50 PM

Hi AlBundy, welcome to boot land.

I see that you are using the old way to write vistaPE scripts.

My advice is to use the newer app script format to ensure others understand your scripting and that everything is done correctly.

You find plenty of app scripts on the respective forum section here: http://www.boot-land...hp?showforum=65 that you can use as example to learn from.

After converting your script to the current app script we can better debug and understand why the service doesn't work.

Using the new app script format ensures that your work can be used in other projects like LiveXP and also ensure that future vistaPE versions understand and run your script perfectly.

:whistling:

#5 AlBundy


Posted 24 August 2008 - 07:18 PM

Thanks for your answer but why do I use the old format?

The only difference is the way to load the hive and where I get my files from.

1. I always try to use the api of vistape - but unfortunately it is not complete.
2. I don't want to put the files into my script because it is easier to update the download-URL than the nested file.

The only thing I want to do ist to copy some files (already done) and register them as a service to start them via "net start npf".

#6 Brito


Posted 24 August 2008 - 07:40 PM

Thanks for your answer but why do I use the old format?


I think you're probably using an older version of VistaPE and this old format is slowly being removed, even though there are still many references to it that take a bit longer to fade away but will nevertheless be confusing for new people writing scripts.

1. I always try to use the api of vistape - but unfortunately it is not complete.


You're using the old API that has been discontinued a year ago, please use the updated one to avoid further confusions.

Code portability on the new API is the reason why it is so important in the first place.

The code that worked on VistaPE was too static and nowhere prepared for changes, the same happened for other wb projects some time ago so we all decided to work together for a common way to write scripts to ensure that the future scripts could be used and shared by everyone.

This allowed to build a bigger library of available scripts and ensure that things got much simpler for everyone else understand.

Also, I can't really express how difficult it was to write a script for a project some years ago to later have to rewrite it again just because something else changes (project evolves, want to try another projects , etc, etc) or find enough people using the same project to provide some help.

So think about this as a measure to ensure that more people can actually read your code and see what is going wrong, and also as good initiative to ensure that your script can be re-used in the future vistaPE versions for example.

-----------------------

Why can't you start the service?

Start your boot disk, double-check from regedit if the registry keys are correctly setup then try launching the service from command line using the "net start" command. This is a good way to see if it starts well or not and see the debug message.

In case of fail then it wouldn't be related to your script but rather something else still missing or incorrectly done.

-----

Also, there is a plugin available for bartPE made by sherpya: http://www.bootcd.us...ap-Library.html

You can likely use this plugin on your VistaPE project since the latest winbuilder versions (>075) are natively supporting bartPE plugins.

How does this bartPE support works?

Plugins are directly converted to app script language using the new API and this way we ensure that these plugins work, just another example of their importance.

There is also a bartPE plugin converter inside winbuilder that you can use to get the correct app script from this plugin with the missing registry entries that you don't have on your script.

Good luck.

:whistling:

#7 AlBundy


Posted 24 August 2008 - 08:20 PM

The "debug"-message from "net start" is "Das System kann die Datei nicht öffnen" - which means "the system can not open the file" :-)
This error comes on my and sherpyas plugin.

I'm using the latest VistaPE which comes with WinBuilder 075 beta 3

Where can I get more information about the new API - I've only found this link http://www.vistape.n...istape-api.html

Al

#8 Brito


Posted 24 August 2008 - 08:48 PM

The "debug"-message from "net start" is "Das System kann die Datei nicht öffnen" - which means "the system can not open the file" :-)


Please post the converted app script from sherpya's plugin here and also verify that all files are placed on the correct location.

Also, have you checked with regedit if your entries matched the correct values? :whistling:

Where can I get more informations about the new api - I've only found this link


The link you mention follows the current API but introduces some commands that you should avoid, like RegAddBoot; use reg_add as it is output from the bartPE plugin to see what I mean.

The resulting code from the plugin converter is a good example or you use all the other scripts available on the app script section as example for every possible usage.

The liveXP project is also notorious for following the API guidelines very strictly; look at the app scripts on its server to avoid having to download just to see how they were coded: http://livexp.boot-l...et/LiveXP/Apps/

Also, inside api.script (a file inside your project) there is a quick list of available functions that are supported.

Last but not least, the tutorials sections contain some tutorials that should explain how things work from the start:
http://www.boot-land...s/?showforum=31
http://www.boot-land...?showtopic=4415
http://www.boot-land...?showtopic=4424

The search tool on this forum should also help, do ask whenever in doubt and I'll try to help.

;)

#9 Brito


Posted 24 August 2008 - 10:05 PM

I've written a small tutorial explaining the proper way to write reg keys here: http://www.boot-land...?showtopic=5518

:whistling:

#10 AlBundy


Posted 24 August 2008 - 10:45 PM

Thanks for the links.

If I try to convert WinPcap or use the original BartPE-plugin I get this error "You must define %drFile% to use this plugin!".
If I use the files from sherpya in my plugin I get the error I mentioned above.
--> It seems that the files from sherpya and my new ones are correct - even the registry-entries.
But there seems another error with VistaPÉ (Btw. I'm using WAIK as source).

Is the eventlog available in VistaPE?
Maybe there is more information about the error.

Al

#11 Brito


Posted 24 August 2008 - 11:37 PM

I don't know what %drFile% but maybe Peter has some clue.

It seems that the files from sherpya and my new ones are correct - even the registry-entries.


Unless you updated your script since it was published here I can clearly see that sherpya's plugin is writing more registry data than your own code.. :whistling:

If this is not the case then I'd suggest getting in touch with Sherpya himself, he's also a member here on boot land.

;)

#12 AlBundy


Posted 25 August 2008 - 07:59 PM

I don't know what %drFile% but maybe Peter has some clue.

This comes from the converter:
# Output of the WinBuilder 075 BartPE-plugin converter for sherpya's winpcap.inf
# (posted in #12). Author/Credits are filled in by the converter; the section
# names mirror the .inf sections they were generated from.
[Main]

Title=[Sherpya] WinPcap Library v1.4 - wpcap v4.0.0.755 (4.0)

Type=script

Selected=True

Level=5

Author=WinBuilder version 075

Credits=PEBuilder plugin winpcap.inf



[Process]

# A project-level infconvert.ini is expected to define %drFile% and %spFile%:
# the Windows source cabinets that [Load-Driver] expands files from. Missing
# either aborts with the "You must define ..." message reported in post #10.
If,ExistFile,%ProjectDir%\infconvert.ini,AddVariables,%ProjectDir%\infconvert.ini,variables

If,NotExistVar,%drFile%,Exit,"You must define %drFile% to use this plugin!"

If,NotExistVar,%spFile%,Exit,"You must define %spFile% to use this plugin!"

Run,%ScriptFile%,SourceDisksFiles

Run,%ScriptFile%,Software.AddReg

Run,%ScriptFile%,SetupReg.AddReg

Run,%ScriptFile%,Append



[SourceDisksFiles]

Echo,"Copying files.."

# npptools.dll comes from the Windows source media via [Inf-Copy]; the plugin's
# own files go to %target_sys%, with *.sys under drivers\ - the location the
# ImagePath in [SetupReg.AddReg] points at.
Run,%ScriptFile%,Inf-Copy,npptools.dll,"%target_sys%"

FileCopy,"%ScriptDir%\files\*.dll","%target_sys%"

FileCopy,"%ScriptDir%\files\*.exe","%target_sys%"

FileCopy,"%ScriptDir%\files\*.sys","%target_sys%\drivers"

FileCopy,"%ScriptDir%\startpcap.cmd","%target_sys%"



[Software.AddReg]

# Hive_Load mounts the target hive and, judging by the key paths below, sets
# %reg% to its mount point - confirm in api.script.
Echo,"Loading registry hive: [software]"

Hive_Load,HKU

Echo,"Writing new values on registry hive.."

# RunOnceEx entries run once at logon: xpeinit.exe (presumably supplied by the
# XPE plugin mentioned in post #13) installs (-i) and then starts (-s) the NPF
# service via npf_mgm.exe. NOTE(review): the -m message is wrapped in bare
# double quotes nested inside the value's own quotes; the other scripts on
# this page escape inner quotes as #$q - check how this line is parsed.
reg_add,0x1,"%reg%\Microsoft\Windows\CurrentVersion\RunOnceEx\960","100","||xpeinit.exe -s -m "Installing WinPcap Service" npf_mgm.exe -i"

reg_add,0x1,"%reg%\Microsoft\Windows\CurrentVersion\RunOnceEx\960","200","||xpeinit.exe -s -m "Starting WinPcap Service" npf_mgm.exe -s"

Hive_Unload,HKU



[SetupReg.AddReg]

# The same five NPF service values as AlBundy's scripts, written through the
# api.script helpers. reg_add type codes: 0x1 REG_SZ, 0x2 REG_EXPAND_SZ,
# 0x3 REG_BINARY, 0x4 REG_DWORD. A trailing backslash continues a command on
# the next line.
Echo,"Loading registry hive: [setupreg.hiv]"

Hive_Load,HKLM

Echo,"Writing new values on registry hive.."

reg_add,0x1,"%reg%\ControlSet001\Services\NPF","DisplayName","NetGroup Packet Filter Driver"

# ErrorControl 1 = SERVICE_ERROR_NORMAL.
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","ErrorControl","1"

# Relative to the system root; matches the *.sys copy in [SourceDisksFiles].
reg_add,0x2,"%reg%\ControlSet001\Services\NPF","ImagePath","System32\drivers\npf.sys"

# Start 3 = SERVICE_DEMAND_START; the RunOnceEx entries / startpcap.cmd start it.
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Start","3"

# Type 1 = SERVICE_KERNEL_DRIVER.
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Type","1"

# Security = the service's self-relative security descriptor (who may
# start/stop/reconfigure NPF). It appears to decode to the stock descriptor:
# owner/group SYSTEM; DACL full control for Administrators, start/stop (no
# reconfigure) for SYSTEM and Power Users, read-only for Authenticated Users;
# audit SACL on Everyone for failed access. Decode and confirm before reuse.
reg_add,0x3,"%reg%\ControlSet001\Services\NPF\Security","Security","01","00","14","80","90","00","00","00","9c","00","00",\

"00","14","00","00","00","30","00","00","00","02","00","1c","00","01","00","00","00","02","80","14","00","ff","01","0f","00","01",\

"01","00","00","00","00","00","01","00","00","00","00","02","00","60","00","04","00","00","00","00","00","14","00","fd","01","02",\

"00","01","01","00","00","00","00","00","05","12","00","00","00","00","00","18","00","ff","01","0f","00","01","02","00","00","00",\

"00","00","05","20","00","00","00","20","02","00","00","00","00","14","00","8d","01","02","00","01","01","00","00","00","00","00",\

"05","0b","00","00","00","00","00","18","00","fd","01","02","00","01","02","00","00","00","00","00","05","20","00","00","00","23",\

"02","00","00","01","01","00","00","00","00","00","05","12","00","00","00","01","01","00","00","00","00","00","05","12","00","00","00"

Hive_Unload,HKLM



[Append]

# #$p is WinBuilder's escaped %, so %SystemRoot% is left for Windows to expand
# at run time instead of being substituted during the build.
Add_Shortcut,StartMenu,"Network","#$pSystemRoot#$p\system32\startpcap.cmd","(Re)Start WinPcap Service"



[Inf-Copy]

# #1 = file name, #2 = destination. %pth% = directory part of #2 (created if
# missing); %short% = #1 minus its last character, %right% = that character.
# [Load-Driver] recombines them, presumably to also match the compressed
# "name.dl_" form inside the cabinets - verify.
StrFormat,path,#2,%pth%

If,NotExistDir,%pth%,DirMake,%pth%

StrFormat,RTrim,#1,1,%short%

StrFormat,Right,#1,1,%right%

Run,%ScriptFile%,Load-Driver,%short%,%right%,#2



[Load-Driver]

# #1 = short name, #2 = last character, #3 = destination. Tries the service
# pack cabinet, then the driver cabinet, then a loose (possibly compressed)
# copy under %source_win%; each later step runs only if #3 is still missing.
If,ExistFile,"%source_win%\%spFile%",ShellExecute,"hide","expand.exe","#$q%source_win%\%spFile%#$q -F:#1#2 #$q#3#$q"

If,NotExistFile,#3,ShellExecute,"hide","expand.exe","#$q%source_win%\%drFile%#$q -F:#1 #$q#3#$q"

If,NotExistFile,#3,If,ExistFile,%source_win%\#1*,CopyOrExpand,%source_win%\#1#2,#3

Unless you updated your script since it was published here I can clearly see that sherpya's plugin is writing more registry data than your own code.. :whistling:

Not - nearly all are uncommented. ;)

Al

#13 Brito


Posted 25 August 2008 - 11:02 PM

Hi again,

I've wrapped the reg code on your previous topic to make this discussion readable again.

----

There is a warning I noticed on sherpya's site regarding winpcap:

you need to start network first

http://oss.netfarm.it/winpe/


Sorry for asking, but have you started the network support on your boot disk before trying to call the service from command line using "net start"? :whistling:

--------

I also assume that the code he has commented out of the plugin was due to be somewhere repeated elsewhere inside the XPE plugin that is normally used with bartPE. Since we are not using XPE maybe it wouldn't hurt to add the missing CLSID registry code on your script:
# Posted by Brito (#13): the NPP agent CLSID/AppID/Interface registration that
# sherpya's plugin has commented out, collapsed onto one line by the forum and
# restored here one command per line. Note the key paths carry no %reg% prefix
# and %SystemRoot% is not escaped, unlike the converter output above
# (#$pSystemRoot#$p); the revision in post #14 prefixes %reg%\ to each path.
# reg_add types: 0x0 creates the key only, 0x1 REG_SZ, 0x2 REG_EXPAND_SZ; an
# empty name field is the key's (Default) value.
Hive_Load,HKU
reg_add,0x0,"Classes\AppID\{D413C502-3FAA-11D0-B254-444553540000}"
reg_add,0x1,"Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}",,"PSFactoryBuffer"
reg_add,0x2,"Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}\InProcServer32",,"PsNPPAgn.dll"
reg_add,0x1,"Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}\InProcServer32","ThreadingModel","Both"
reg_add,0x1,"Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}",,"NPPAgent"
reg_add,0x1,"Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}","AppID","{D413C502-3FAA-11D0-B254-444553540000}"
reg_add,0x2,"Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}\LocalServer32",,"%SystemRoot%\system32\NPP\NPPAgent.exe"
reg_add,0x1,"Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}\LocalServer32","ThreadingModel","Apartment"
reg_add,0x1,"Classes\Interface\{394540A0-6FCF-11D0-ACE0-0000F80114D3}",,"IRemoteDelaydC"
reg_add,0x1,"Classes\Interface\{394540A0-6FCF-11D0-ACE0-0000F80114D3}\NumMethods",,"16"
reg_add,0x1,"Classes\Interface\{394540A0-6FCF-11D0-ACE0-0000F80114D3}\ProxyStubClsid32",,"{944AD531-B09D-11CE-B59C-00AA006CB37D}"
reg_add,0x1,"Classes\Interface\{8947C648-3833-11D1-8682-00C04FBFE171}",,"IRemoteCallBack"
reg_add,0x1,"Classes\Interface\{8947C648-3833-11D1-8682-00C04FBFE171}\NumMethods",,"4"
reg_add,0x1,"Classes\Interface\{8947C648-3833-11D1-8682-00C04FBFE171}\ProxyStubClsid32",,"{944AD531-B09D-11CE-B59C-00AA006CB37D}"
reg_add,0x1,"Classes\Interface\{944AD531-B09D-11CE-B59C-00AA006CB37D}",,"IRemoteStats"
reg_add,0x1,"Classes\Interface\{944AD531-B09D-11CE-B59C-00AA006CB37D}\NumMethods",,"16"
reg_add,0x1,"Classes\Interface\{944AD531-B09D-11CE-B59C-00AA006CB37D}\ProxyStubClsid32",,"{944AD531-B09D-11CE-B59C-00AA006CB37D}"
reg_add,0x1,"Classes\Interface\{944AD532-B09D-11CE-B59C-00AA006CB37D}",,"IRemoteFinder"
reg_add,0x1,"Classes\Interface\{944AD532-B09D-11CE-B59C-00AA006CB37D}\NumMethods",,"4"
reg_add,0x1,"Classes\Interface\{944AD532-B09D-11CE-B59C-00AA006CB37D}\ProxyStubClsid32",,"{944AD531-B09D-11CE-B59C-00AA006CB37D}"
reg_add,0x1,"Classes\Interface\{E99A04AB-AB95-11D0-BE96-00A0C94989DE}",,"IRemoteESP"
reg_add,0x1,"Classes\Interface\{E99A04AB-AB95-11D0-BE96-00A0C94989DE}\NumMethods",,"13"
reg_add,0x1,"Classes\Interface\{E99A04AB-AB95-11D0-BE96-00A0C94989DE}\ProxyStubClsid32",,"{944AD531-B09D-11CE-B59C-00AA006CB37D}"
Hive_Unload,HKU

Could this be the missing step?

--------

Let's keep on going to see what else is missing to be done here.. ;)

#14 AlBundy


Posted 26 August 2008 - 08:01 PM

1. Is network started: yes
-> but not with penetcfg, because I only have WAIK as source (network is working)
2. I changed my script to use the new way to handle reg-values (also have added the CLSID).
-> still can't start npf - I get the same error mentioned above (System error 4 - System can not open the file).

I see the driver under System Explorer -> System -> Driver.

Here is my modified script:
# WinBuilder .script for VistaPE (revision from post #14): registry writes now
# go through the api.script helpers (Hive_Load / reg_add, posts #8 and #9) and
# the NPP COM registration from post #13 has been added. [Process] runs top to
# bottom; other sections are subroutines called via
# Run,%ScriptFile%,<Section>,arg1,arg2 and read their arguments as #1, #2.
[main]

Title=WinPcap 4.0.2

Description=

Selected=True

Level=5

Version=1

Author=Hawk

Date=2008-08-02

Contact=



[variables]

%ProgramFolder%=WinPcap

%ProgramEXE%=

%ProgramTitle%=WinPcap

%StartMenuAppGroup%=

# NOTE(review): plain-HTTP download with no integrity check; the unpacked
# npf.sys becomes a kernel driver in every image built. Verify the installer
# against a known-good hash (<WINPCAP_4_0_2_SHA256 - placeholder>) first.
%DownloadURL%=http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe

%Filename%=WinPcap_4_0_2.exe

%ArchiveSubDir%=



[Process]

Echo,Processing %ProgramTitle%...

# download

Run,%ScriptFile%,Download,%DownloadURL%,%Filename%

# extract

Run,%ScriptFile%,Extract,%Filename%

# Drop the installer-internal folders, then hoist $SYSDIR (the System32
# payload) one level up so the whole folder can be copied into the image.
DirDelete,%ScriptDir%\%ProgramFolder%\$R0

DirDelete,%ScriptDir%\%ProgramFolder%\$PLUGINSDIR

DirDelete,%ScriptDir%\%ProgramFolder%\$TEMP

DirCopy,%ScriptDir%\%ProgramFolder%\$SYSDIR\*,%ScriptDir%\%ProgramFolder%

DirDelete,%ScriptDir%\%ProgramFolder%\$SYSDIR

# registry-settings

Run,%ScriptFile%,RegistrySettings

# copy

#CopyProgram,"%ScriptDir%\%ProgramFolder%"

# The ImagePath written below expects npf.sys in System32\drivers - confirm
# the copied tree carries that subfolder (the converter plugin in post #12
# copies *.sys there explicitly).
DirCopy,%ScriptDir%\%ProgramFolder%\*,%TargetDir%\Windows\System32

# Queue "net start NPF" at PE boot; x: is hard-coded (presumably the booted
# PE's drive letter) and #$q is WinBuilder's escaped double quote.
AddAutoRun,"NetGroup Packet Filter Driver","x:\windows\system32\net.exe","start #$qNPF#$q",3

# cleanup

DirDelete,"%ScriptDir%\%ProgramFolder%"



[Download]

# #1 = URL, #2 = local file name. A cached copy is deleted when the
# "force download" checkbox is ticked; WebGetIfNotExist then fetches only when
# the file is missing. Nothing verifies what was downloaded.
If,ExistFile,"%ScriptDir%\#2",If,%pCheckBox1%,Equal,True,FileDelete,"%ScriptDir%\#2"

WebGetIfNotExist,"#1","%ScriptDir%\#2"



[Extract]

# #1 = archive name, #2 = optional output folder (defaults to %ProgramFolder%).
# Runs 7z.exe from %Tools%; %ArchiveSubDir% (empty here) would flatten a
# single top-level folder inside the archive.
If,#2,Equal,"",Set,%OutputFolder%,"%ProgramFolder%"

If,#2,NotEqual,"",Set,%OutputFolder%,"#2"

ShellExecute,Hide,"%Tools%\7z.exe","x -y -o#$q%ScriptDir%\%OutputFolder%#$q #$q%ScriptDir%\#1#$q"

If,%ArchiveSubDir%,NotEqual,"",If,ExistDir,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%",DirMove,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%\*","%ScriptDir%\%OutputFolder%"

If,%ArchiveSubDir%,NotEqual,"",If,ExistDir,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%",DirDelete,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%"



[RegistrySettings]

# Two hives are written: HKU first (Echo says [software] - the same pairing
# the converter output in post #12 uses) for the install path and the NPP COM
# classes, then HKLM for the NPF service. %reg% is presumably the mount point
# set by Hive_Load - confirm in api.script. reg_add type codes: 0x0 key only,
# 0x1 REG_SZ, 0x2 REG_EXPAND_SZ, 0x3 REG_BINARY, 0x4 REG_DWORD; "" as the
# value name addresses the key's (Default) value.
Echo,"Loading registry hive: [software]"

Hive_Load,HKU

Echo,"Writing new values on registry hive.."

# NOTE(review): %SystemDrive% here and %SystemRoot% in the LocalServer32 value
# below use WinBuilder's own %var% syntax; the converter output in post #12
# writes a literal percent as #$p (...#$pSystemRoot#$p...). Unless WinBuilder
# leaves undefined variables untouched, these are substituted at build time
# rather than on the booted system - verify.
reg_add,0x2,"%reg%\WinPcap","","%SystemDrive%\Programs\WinPcap"

# NPP agent COM/AppID/Interface registration carried over from the BartPE
# plugin via post #13.
reg_add,0x0,"%reg%\Classes\AppID\{D413C502-3FAA-11D0-B254-444553540000}"

reg_add,0x1,"%reg%\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}","","PSFactoryBuffer"

reg_add,0x2,"%reg%\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}\InProcServer32","","PsNPPAgn.dll"

reg_add,0x1,"%reg%\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}\InProcServer32","ThreadingModel","Both"

reg_add,0x1,"%reg%\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}","","NPPAgent"

reg_add,0x1,"%reg%\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}","AppID","{D413C502-3FAA-11D0-B254-444553540000}"

reg_add,0x2,"%reg%\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}\LocalServer32","","%SystemRoot%\system32\NPP\NPPAgent.exe"

reg_add,0x1,"%reg%\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}\LocalServer32","ThreadingModel","Apartment"

reg_add,0x1,"%reg%\Classes\Interface\{394540A0-6FCF-11D0-ACE0-0000F80114D3}","","IRemoteDelaydC"

reg_add,0x1,"%reg%\Classes\Interface\{394540A0-6FCF-11D0-ACE0-0000F80114D3}\NumMethods","","16"

reg_add,0x1,"%reg%\Classes\Interface\{394540A0-6FCF-11D0-ACE0-0000F80114D3}\ProxyStubClsid32","","{944AD531-B09D-11CE-B59C-00AA006CB37D}"

reg_add,0x1,"%reg%\Classes\Interface\{8947C648-3833-11D1-8682-00C04FBFE171}","","IRemoteCallBack"

reg_add,0x1,"%reg%\Classes\Interface\{8947C648-3833-11D1-8682-00C04FBFE171}\NumMethods","","4"

reg_add,0x1,"%reg%\Classes\Interface\{8947C648-3833-11D1-8682-00C04FBFE171}\ProxyStubClsid32","","{944AD531-B09D-11CE-B59C-00AA006CB37D}"

reg_add,0x1,"%reg%\Classes\Interface\{944AD531-B09D-11CE-B59C-00AA006CB37D}","","IRemoteStats"

reg_add,0x1,"%reg%\Classes\Interface\{944AD531-B09D-11CE-B59C-00AA006CB37D}\NumMethods","","16"

reg_add,0x1,"%reg%\Classes\Interface\{944AD531-B09D-11CE-B59C-00AA006CB37D}\ProxyStubClsid32","","{944AD531-B09D-11CE-B59C-00AA006CB37D}"

reg_add,0x1,"%reg%\Classes\Interface\{944AD532-B09D-11CE-B59C-00AA006CB37D}","","IRemoteFinder"

reg_add,0x1,"%reg%\Classes\Interface\{944AD532-B09D-11CE-B59C-00AA006CB37D}\NumMethods","","4"

reg_add,0x1,"%reg%\Classes\Interface\{944AD532-B09D-11CE-B59C-00AA006CB37D}\ProxyStubClsid32","","{944AD531-B09D-11CE-B59C-00AA006CB37D}"

reg_add,0x1,"%reg%\Classes\Interface\{E99A04AB-AB95-11D0-BE96-00A0C94989DE}","","IRemoteESP"

reg_add,0x1,"%reg%\Classes\Interface\{E99A04AB-AB95-11D0-BE96-00A0C94989DE}\NumMethods","","13"

reg_add,0x1,"%reg%\Classes\Interface\{E99A04AB-AB95-11D0-BE96-00A0C94989DE}\ProxyStubClsid32","","{944AD531-B09D-11CE-B59C-00AA006CB37D}"

Hive_Unload,HKU

# NPF service registration, same shape as the converter output in post #12.
Echo,"Loading registry hive: [setupreg.hiv]"

Hive_Load,HKLM

Echo,"Writing new values on registry hive.."

reg_add,0x1,"%reg%\ControlSet001\Services\NPF","DisplayName","NetGroup Packet Filter Driver"

# ErrorControl 1 = SERVICE_ERROR_NORMAL.
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","ErrorControl","1"

# Relative to the system root: npf.sys must be in System32\drivers.
reg_add,0x2,"%reg%\ControlSet001\Services\NPF","ImagePath","System32\drivers\npf.sys"

# Start 2 = SERVICE_AUTO_START, so the SCM loads the driver at boot and the
# AddAutoRun in [Process] only re-issues a start the SCM already attempted.
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Start","2"

# Type 1 = SERVICE_KERNEL_DRIVER.
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Type","1"

# Security = the service's self-relative security descriptor (who may
# start/stop/reconfigure NPF). It appears to decode to the stock descriptor:
# owner/group SYSTEM; DACL full control for Administrators, start/stop (no
# reconfigure) for SYSTEM and Power Users, read-only for Authenticated Users;
# audit SACL on Everyone for failed access. Decode and confirm before reuse.
# A trailing backslash continues the command on the next line.
reg_add,0x3,"%reg%\ControlSet001\Services\NPF\Security","Security","01","00","14","80","90","00",\

"00","00","9c","00","00",\

"00","14","00","00","00","30","00","00","00","02","00","1c","00","01","00","00","00","02","80","14","00",\

"ff","01","0f","00","01","01","00","00","00","00","00","01","00","00","00","00","02","00","60","00","04","00",\

"00","00","00","00","14","00","fd","01","02","00","01","01","00","00","00","00","00","05","12","00","00",\

"00","00","00","18","00","ff","01","0f","00","01","02","00","00","00","00","00","05","20","00","00","00","20",\

"02","00","00","00","00","14","00","8d","01","02","00","01","01","00","00","00","00","00","05","0b","00","00",\

"00","00","00","18","00","fd","01","02","00","01","02","00","00","00","00","00","05","20","00","00","00","23",\

"02","00","00","01","01","00","00","00","00","00","05","12","00","00","00","01","01","00","00","00","00","00",\

"05","12","00","00","00"

Hive_Unload,HKLM



[Interface]

# Checkbox read by [Download] as %pCheckBox1%; the trailing False is presumably
# its initial state.
pCheckBox1="force download",1,3,0,0,200,18,False


#15 Brito


Posted 28 August 2008 - 10:50 AM

I've emailed Sherpya about this matter and he replied back with an interesting comment:

are you sure winpcap version you're trying works with a normal install of vista?


Maybe it would be wise to try to replicate the winpcap install on a regular Vista machine before trying on vistaPE with the latest files: http://www.winpcap.o...all/default.htm

There are techniques described on the portable apps section that you can use to capture the install details.

:whistling:

#16 AlBundy


Posted 29 August 2008 - 07:01 PM

Unfortunately I don't have Vista.
As mentioned on the WinPcap site it should work under Vista - so I think it should also work under VistaPE.

But I will try to install WinPcap in VistaPE and log with RegShot what will be changed...

Al

I've emailed Sherpya about this matter and he replied back with an interesting comment:



Maybe it would be wise to try to replicate the winpcap install on a regular Vista machine before trying on vistaPE with the latest files: http://www.winpcap.o...all/default.htm

There are techniques described on the portable apps section that you can use to capture the install details.

:whistling:



#17 AlBundy


Posted 29 August 2008 - 09:04 PM

Ok - I installed WinPcap in VistaPE, monitored changes with RegShot and modified my script.
But it still does not work.

Maybe someone with a Vista DVD as source can test whether my script works for him (or her). :whistling:

[main]

Title=WinPcap 4.0.2

Description=

Selected=True

Level=5

Version=1

Author=Hawk

Date=2008-08-02

Contact=



[variables]

%ProgramFolder%=WinPcap

%ProgramEXE%=rpcapd.exe

%ProgramTitle%=WinPcap

%StartMenuAppGroup%=

%DownloadURL%=http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe

%Filename%=WinPcap_4_0_2.exe

%ArchiveSubDir%=



# Main entry point: fetch the installer, unpack it with 7-Zip, register the
# NPF driver service in the target hive, then place the files into the image.
[Process]

Echo,Processing %ProgramTitle%...

# download

Run,%ScriptFile%,Download,%DownloadURL%,%Filename%

# extract

Run,%ScriptFile%,Extract,%Filename%

# remove the unpacked installer's working folders (presumably NSIS leftovers)

DirDelete,%ScriptDir%\%ProgramFolder%\$R0

DirDelete,%ScriptDir%\%ProgramFolder%\$PLUGINSDIR

DirDelete,%ScriptDir%\%ProgramFolder%\$TEMP

# registry-settings

Run,%ScriptFile%,RegistrySettings

# copy
# whatever the installer kept under $SYSDIR lands in the target image's System32;
# nothing here checks the extracted files, so the downloaded archive must be trusted

DirMove,"%ScriptDir%\%ProgramFolder%\$SYSDIR\*","%TargetDir%\Windows\System32"

DirDelete,"%ScriptDir%\%ProgramFolder%\$SYSDIR"

RunFromRam,True

# remaining files (presumably rpcapd.exe and friends) go in as the script's program folder

CopyProgram,"%ScriptDir%\%ProgramFolder%"

# disabled: would start the NPF service through net.exe at boot; kept for reference
#AddAutoRun,"NetGroup Packet Filter Driver","x:\windows\system32\net.exe","start #$qNPF#$q",3

# cleanup

DirDelete,"%ScriptDir%\%ProgramFolder%"



# #1 = URL, #2 = local file name (both passed from [Process])
[Download]

# when the "force download" checkbox is ticked, drop the cached file so it is fetched again
If,ExistFile,"%ScriptDir%\#2",If,%pCheckBox1%,Equal,True,FileDelete,"%ScriptDir%\#2"

# NOTE(review): the file is fetched over plain HTTP and used unverified by [Extract];
# check its hash against the vendor's published value before trusting the build
WebGetIfNotExist,"#1","%ScriptDir%\#2"



# #1 = archive file name, #2 = optional output folder (defaults to %ProgramFolder%)
[Extract]

If,#2,Equal,"",Set,%OutputFolder%,"%ProgramFolder%"

If,#2,NotEqual,"",Set,%OutputFolder%,"#2"

# 7-Zip: x = extract with paths, -y = assume yes on prompts, -o = output directory
ShellExecute,Hide,"%Tools%\7z.exe","x -y -o#$q%ScriptDir%\%OutputFolder%#$q #$q%ScriptDir%\#1#$q"

# if the archive wraps everything in %ArchiveSubDir%, flatten it into the output folder
If,%ArchiveSubDir%,NotEqual,"",If,ExistDir,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%",DirMove,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%\*","%ScriptDir%\%OutputFolder%"

If,%ArchiveSubDir%,NotEqual,"",If,ExistDir,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%",DirDelete,"%ScriptDir%\%OutputFolder%\%ArchiveSubDir%"



# Registers the NPF kernel driver as a service in the target image's system hive.
# Values presumably come from the RegShot diff of a real install.
[RegistrySettings]

Echo,"Loading registry hive: [setupreg.hiv]"

Hive_Load,HKLM

Echo,"Writing new values on registry hive.."

reg_add,0x1,"%reg%\ControlSet001\Services\NPF","DisplayName","NetGroup Packet Filter Driver"

# ErrorControl 1 = normal (log and continue if the driver fails to load)
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","ErrorControl","1"

# path is relative to the system root of the booted PE
reg_add,0x2,"%reg%\ControlSet001\Services\NPF","ImagePath","System32\drivers\npf.sys"

# Start 3 = manual (demand) start: the driver is not loaded at boot
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Start","3"

# Type 1 = kernel driver
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Type","1"

Hive_Unload,HKLM

Echo,"Loading registry hive: [software]"

Hive_Load,HKU

Echo,"Writing new values on registry hive.."

# NOTE(review): points at X:\Program Files\WinPcap, but [Process] moves the $SYSDIR files
# into System32 and CopyProgram's destination is not visible here - confirm the path matches
reg_add,0x1,"%reg%\WinPcap","","X:\Program Files\WinPcap"

Hive_Unload,HKU



[Interface]

# read by [Download]: when True the cached installer is deleted and fetched again
pCheckBox1="force download",1,3,0,0,200,18,False


#18 Schnufti


Posted 13 July 2010 - 07:24 PM

WinPcap Script Download

Using WinPCap 4.1.2,
built using WinBuilder 080,
for VISTA PE with WAIK

hope it works for you as well.

...

// Entry point: files are embedded in this script (see [EncodedFolders]), so there
// is no download step - only extraction and registry setup.
[process]

Echo,Processing %ProgramTitle%...using %ScriptFile%

// checkbox from the script's interface (not shown here) decides RunFromRam
RunFromRam,%pCheckBox1%



Echo,...Extracting Files...

run,%ScriptFile%,ExtractOrCopy



Echo,...Adding Registry Settings...

run,%ScriptFile%,Registry



// Unpacks the three encoded folders carried inside this script into the target image.
// Integrity of the binaries is therefore that of the script file itself.
[ExtractOrCopy]

DirMake,"%TargetDir%\Program Files\%ProgramFolder%"

// rpcapd.exe
ExtractAllFiles,"%ScriptFile%","WinPcap","%TargetDir%\Program Files\%ProgramFolder%"

// npf.sys - must match the ImagePath written in [Registry]
ExtractAllFiles,"%ScriptFile%","drivers","%TargetDir%\Windows\System32\Drivers"

// Packet.dll, pthreadVC.dll, wpcap.dll
ExtractAllFiles,"%ScriptFile%","system32","%TargetDir%\Windows\System32"



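// Registers the NPF kernel driver (and the optional rpcapd service) in the
// target image's system hive. Each value is written exactly once.
[Registry]

//write all Registry entries into ControlSet001, it will be loaded into CurrentControlSet during boot of VistaPE

//if CurrentControlSet were filled already, then there will be a blue screen during startup

hive_load,HKLM

// NPF service: Type 1 = kernel driver, Start 2 = auto start, ErrorControl 1 = normal
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Type","1"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Start","2"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","ErrorControl","1"
// relative to the system root of the booted PE; must match where [ExtractOrCopy] puts npf.sys
reg_add,0x2,"%reg%\ControlSet001\Services\NPF","ImagePath","system32\drivers\npf.sys"
reg_add,0x1,"%reg%\ControlSet001\Services\NPF","DisplayName","NetGroup Packet Filter Driver"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","TimestampMode","0"
// links the service to the legacy device instance created below
reg_add,0x1,"%reg%\ControlSet001\Services\NPF\Enum","0","Root\LEGACY_NPF\0000"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF\Enum","Count","1"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF\Enum","NextInstance","1"

// \Root\LEGACY_NPF to prevent 1058 Error when trying net start
reg_add,0x4,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF","NextInstance","1"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","Service","NPF"
reg_add,0x4,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","Legacy","1"
reg_add,0x4,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","ConfigFlags","0"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","Class","LegacyDriver"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","ClassGUID","{8ECC055D-047F-11D1-A537-0000F8753ED1}"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","DeviceDesc","NetGroup Packet Filter Driver"
reg_add,0x4,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","Capabilities","0"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000\Control","ActiveService","NPF"

//rpcapd is experimental and not needed for functioning of npf driver, it is here for the sake of completeness
// Type 16 = own-process Win32 service, Start 3 = manual start. It runs as LocalSystem and
// accepts capture requests from other machines, so it is deliberately not started at boot.
reg_add,0x4,"%reg%\ControlSet001\Services\rpcapd","Type","16"
reg_add,0x4,"%reg%\ControlSet001\Services\rpcapd","Start","3"
reg_add,0x4,"%reg%\ControlSet001\Services\rpcapd","ErrorControl","1"
// NOTE(review): if WinBuilder expands %ProgramFiles% at build time, this ImagePath gets the
// build host's path rather than the PE's - confirm the value actually written into the hive
reg_add,0x2,"%reg%\ControlSet001\Services\rpcapd","ImagePath","#$q%ProgramFiles%\WinPcap\rpcapd.exe#$q -d -f #$q%ProgramFiles%\WinPcap\rpcapd.ini#$q"
reg_add,0x1,"%reg%\ControlSet001\Services\rpcapd","DisplayName","Remote Packet Capture Protocol v.0 (experimental)"
reg_add,0x1,"%reg%\ControlSet001\Services\rpcapd","ObjectName","LocalSystem"
reg_add,0x1,"%reg%\ControlSet001\Services\rpcapd","Description","Allows to capture traffic on this machine from a remote machine."

hive_unload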



[EncodedFolders]

drivers

system32

WinPcap



....



[WinPcap]

rpcapd.exe=58188,77584



...



[system32]

Packet.dll=45790,61054

pthreadVC.dll=12223,16298

wpcap.dll=135334,180446





[drivers]

npf.sys=19011,25348



...

best regards
Schnufti

#19 homes32


Posted 14 July 2010 - 01:50 PM

WinPcap Script Download

Using WinPCap 4.1.2,
built using WinBuilder 080,
for VISTA PE with WAIK

hope it works for you as well.

...

// Entry point: files are embedded in this script (see [EncodedFolders]), so there
// is no download step - only extraction and registry setup.
[process]

Echo,Processing %ProgramTitle%...using %ScriptFile%

// checkbox from the script's interface (not shown here) decides RunFromRam
RunFromRam,%pCheckBox1%



Echo,...Extracting Files...

run,%ScriptFile%,ExtractOrCopy



Echo,...Adding Registry Settings...

run,%ScriptFile%,Registry



// Unpacks the three encoded folders carried inside this script into the target image.
// Integrity of the binaries is therefore that of the script file itself.
[ExtractOrCopy]

DirMake,"%TargetDir%\Program Files\%ProgramFolder%"

// rpcapd.exe
ExtractAllFiles,"%ScriptFile%","WinPcap","%TargetDir%\Program Files\%ProgramFolder%"

// npf.sys - must match the ImagePath written in [Registry]
ExtractAllFiles,"%ScriptFile%","drivers","%TargetDir%\Windows\System32\Drivers"

// Packet.dll, pthreadVC.dll, wpcap.dll
ExtractAllFiles,"%ScriptFile%","system32","%TargetDir%\Windows\System32"



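// Registers the NPF kernel driver (and the optional rpcapd service) in the
// target image's system hive. Each value is written exactly once.
[Registry]

//write all Registry entries into ControlSet001, it will be loaded into CurrentControlSet during boot of VistaPE

//if CurrentControlSet were filled already, then there will be a blue screen during startup

hive_load,HKLM

// NPF service: Type 1 = kernel driver, Start 2 = auto start, ErrorControl 1 = normal
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Type","1"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","Start","2"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","ErrorControl","1"
// relative to the system root of the booted PE; must match where [ExtractOrCopy] puts npf.sys
reg_add,0x2,"%reg%\ControlSet001\Services\NPF","ImagePath","system32\drivers\npf.sys"
reg_add,0x1,"%reg%\ControlSet001\Services\NPF","DisplayName","NetGroup Packet Filter Driver"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF","TimestampMode","0"
// links the service to the legacy device instance created below
reg_add,0x1,"%reg%\ControlSet001\Services\NPF\Enum","0","Root\LEGACY_NPF\0000"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF\Enum","Count","1"
reg_add,0x4,"%reg%\ControlSet001\Services\NPF\Enum","NextInstance","1"

// \Root\LEGACY_NPF to prevent 1058 Error when trying net start
reg_add,0x4,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF","NextInstance","1"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","Service","NPF"
reg_add,0x4,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","Legacy","1"
reg_add,0x4,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","ConfigFlags","0"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","Class","LegacyDriver"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","ClassGUID","{8ECC055D-047F-11D1-A537-0000F8753ED1}"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","DeviceDesc","NetGroup Packet Filter Driver"
reg_add,0x4,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000","Capabilities","0"
reg_add,0x1,"%reg%\ControlSet001\Enum\Root\LEGACY_NPF\0000\Control","ActiveService","NPF"

//rpcapd is experimental and not needed for functioning of npf driver, it is here for the sake of completeness
// Type 16 = own-process Win32 service, Start 3 = manual start. It runs as LocalSystem and
// accepts capture requests from other machines, so it is deliberately not started at boot.
reg_add,0x4,"%reg%\ControlSet001\Services\rpcapd","Type","16"
reg_add,0x4,"%reg%\ControlSet001\Services\rpcapd","Start","3"
reg_add,0x4,"%reg%\ControlSet001\Services\rpcapd","ErrorControl","1"
// NOTE(review): if WinBuilder expands %ProgramFiles% at build time, this ImagePath gets the
// build host's path rather than the PE's - confirm the value actually written into the hive
reg_add,0x2,"%reg%\ControlSet001\Services\rpcapd","ImagePath","#$q%ProgramFiles%\WinPcap\rpcapd.exe#$q -d -f #$q%ProgramFiles%\WinPcap\rpcapd.ini#$q"
reg_add,0x1,"%reg%\ControlSet001\Services\rpcapd","DisplayName","Remote Packet Capture Protocol v.0 (experimental)"
reg_add,0x1,"%reg%\ControlSet001\Services\rpcapd","ObjectName","LocalSystem"
reg_add,0x1,"%reg%\ControlSet001\Services\rpcapd","Description","Allows to capture traffic on this machine from a remote machine."

hive_unload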



[EncodedFolders]

drivers

system32

WinPcap



....



[WinPcap]

rpcapd.exe=58188,77584



...



[system32]

Packet.dll=45790,61054

pthreadVC.dll=12223,16298

wpcap.dll=135334,180446





[drivers]

npf.sys=19011,25348



...

best regards
Schnufti

why are you replying to a 2-year-old thread?



