Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Sun, 26 Jul 2015 11:24:34 +0100


On 26 July 2015 at 02:47, Guy Harris <guy@xxxxxxxxxxxx> wrote:
As long as the user software can provide to libpcap, if necessary, some way of launching the helper with sufficient privileges (this had better not require a GUI, as you might not have a GUI available if you're trying to capture with, for example, tcpdump or TShark; it might involve running it through sudo), it should be supported by any software (and might default to something like sudo, so that only GUI-based applications would need to specify a mechanism - and they might just be able to specify "use the default GUI mechanism").


Unfortunately I think Windows UAC either requires the process to be started by the user with sufficient privileges such that UAC elevation is unnecessary, or, if a process requires elevation, a GUI UAC prompt is shown.  I don't know of a mechanism whereby a non-GUI process can request elevation in a non-GUI manner, apart from requesting that the user enter credentials, which entails a load of other issues.  Generally, command-line tools, such as PowerShell cmdlets, just fail if they don't have the privileges required to undertake the task, e.g.

From a non-elevated PowerShell prompt:

C:\temp\winpcap> Get-Service npf | Stop-Service
Stop-Service : Service 'NetGroup Packet Filter Driver (npf)' cannot be stopped due to the following error: Cannot open npf service on computer '.'.
At line:1 char:19
+ Get-Service npf | Stop-Service
+                   ~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Stop-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand

And from an elevated one it succeeds as one would expect.

--
Graham Bloice
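The following script is an added example, not code from the message above or from the Npcap or Wireshark projects. It shows the check a console tool on Windows can make before touching a privileged resource, and the two outcomes the message describes: from a non-elevated token the service operation fails (the same CouldNotStopService error shown above), and the only way for that process to obtain elevation is to launch a new process with the RunAs verb, which always goes through the GUI UAC consent prompt. The service name "npf" (WinPcap's NetGroup Packet Filter driver) is taken from the message; the -Relaunch switch and the function names are assumptions chosen for this example, and the relaunch path assumes the script has been saved to a file so that $PSCommandPath is set.

```powershell
# Added example (not from the original message or the Npcap/Wireshark projects).
# Demonstrates: detecting an elevated token, failing cleanly when not elevated,
# and the RunAs relaunch that is the only elevation route for a console process
# (it shows the UAC prompt; there is no non-GUI alternative).
# Assumptions: service 'npf' exists; '-Relaunch' is a name chosen here;
# $PSCommandPath is only populated when this runs as a saved .ps1 file.

[CmdletBinding()]
param(
    [string]$ServiceName = 'npf',
    [switch]$Relaunch
)

function Test-IsElevated {
    # True only when the current token holds the Administrators group in its
    # enabled form. An admin user's filtered (non-elevated) UAC token carries
    # that SID as deny-only, so IsInRole returns $false until elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Stop-ServiceIfElevated {
    param([string]$Name)

    if (-not (Test-IsElevated)) {
        # No silent elevation exists for a console process, so the honest
        # behaviour is the one the message describes: report and fail.
        Write-Warning "Not elevated; 'Stop-Service $Name' would fail with 'Cannot open $Name service'."
        return $false
    }

    try {
        # -ErrorAction Stop converts the cmdlet's non-terminating error into a
        # terminating one so that the failure can be caught and reported.
        Get-Service -Name $Name -ErrorAction Stop | Stop-Service -ErrorAction Stop
        Write-Host "Service '$Name' stopped."
        return $true
    }
    catch {
        # Covers both 'service not found' and the CouldNotStopService case.
        Write-Error "Could not stop service '$Name': $($_.Exception.Message)"
        return $false
    }
}

if ($Relaunch -and -not (Test-IsElevated)) {
    if (-not $PSCommandPath) {
        Write-Error 'Relaunch requires this code to run from a saved .ps1 file.'
        exit 1
    }
    # Start a second PowerShell with the RunAs verb. This *always* raises the
    # UAC consent dialog (or a credential dialog for standard users); if the
    # user declines, Start-Process throws "The operation was canceled by the
    # user". There is no flag that makes this step non-interactive.
    $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass',
                 '-File', $PSCommandPath, '-ServiceName', $ServiceName)
    try {
        Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs -Wait
        exit 0
    }
    catch {
        Write-Error "Elevation was declined or failed: $($_.Exception.Message)"
        exit 1
    }
}

# Plain console behaviour: attempt the operation and exit non-zero on failure.
if (Stop-ServiceIfElevated -Name $ServiceName) { exit 0 } else { exit 1 }
```

Run it from a non-elevated prompt as `.\stop-npf.ps1` to see the warning and non-zero exit code; add `-Relaunch` to see that the only way past that point is the UAC consent dialog, which is exactly why a capture helper launched by tcpdump or TShark cannot elevate itself quietly.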