“Failed to install WinpkFilter NDIS LWF driver with error 0x800700b7” or critical value of driver customization

By | January 22, 2018

One of our customers has recently reported that WinpkFilter installation has failed with error code 0x800700b7. This was the first report mentioning such error code and we have spend some time to research the issue at a customer side. Such behavior seems to be worth mentioning in a dedicated post.

0x800700b7 error code can be decoded as ERROR_ALREADY_EXISTS, hence my first action was to check if the driver was already installed. However, it wasn’t the case and we started to check the installation steps.

First thing I have noticed after checking netcfg.exe command line used by the customer, is that it still uses WinpkFilter default component name (nt_ndisrd). Further research discovered that FILTER_UNIQUE_NAME (in common.h) and corresponding NetCfgInstanceId (in ndisrd_lwf.inf) GUID({CD75C963-E19F-4139-BC3B-14019EF72F19}) were also left unchanged. Actually, only driver image was renamed!
It is important to note here that above mentioned customization steps are crucial and if ignored then the derived driver would conflict with  WinpkFilter standard build. Although, the customer did not install the standard build of WinpkFilter Runtime, but obviously it could be another WinpkFilter based driver without proper customization. So we just had to find it!

Next steps are fairly obvious, netcfg.exe pointed that nt_ndisrd component name belongs to “Intel(R) Technology Access Filter Driver” netrfl.sys (see below):


netcfg -v -s nt_ndisrd


Network Services
—————–
ms_netbios NetBIOS Interface

ms_wfplwf_upper WFP 802.3 MAC ? LightWeight ???
nt_ndisrd Intel(R) Technology Access Filter Driver

Following analysis discovered that netrfl.sys driver INF file (netrfl.inf) has exactly the same customization problems (see below). Neither service name (ndisrd) nor component name (nt_ndisrd) were customized (normally, I would expect changing both to ndisrfl and nt_ndisrfl respectively). In addition NetCfgInstanceId has the same GUID as original WinpkFilter driver.


;
; Copyright (C), Intel Corporation. All rights reserved.
; ********************************************************************************
; ** Filename: netrfl.inf
; ** Abstract: Windows* INF File for Intel(R) Technology Access Filter Driver
; ********************************************************************************
;
[version]
Signature = "$Windows NT$"
Class = NetService
ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}
Provider = %INTEL%
CatalogFile=ndisrfl.cat
DriverVer=07/09/2015,1.5.0.1009

[Manufacturer]
%INTEL%=Ntkr,NTx86,NTia64,NTamd64

[Ntkr.NTx86]
%ndisrfl_Desc%=Install, nt_ndisrd

[Ntkr.NTia64]
%ndisrfl_Desc%=Install, nt_ndisrd

[Ntkr.NTamd64]
%ndisrfl_Desc%=Install, nt_ndisrd

;————————————————————————-
; Installation Section
;————————————————————————-
[Install]
AddReg=Inst_Ndi
Characteristics=0x40000
NetCfgInstanceId=”{CD75C963-E19F-4139-BC3B-14019EF72F19}”
Copyfiles = ndisrd.copyfiles.sys
DelFiles = ndisrd.delfiles.sys

[SourceDisksNames]
1=%ndisrfl_Desc%,””,,

[SourceDisksFiles]
ndisrfl.sys=1

[DestinationDirs]
DefaultDestDir=12
ndisrd.copyfiles.sys=12

[ndisrd.copyfiles.sys]
ndisrfl.sys,,,2

[ndisrd.delfiles.sys]
ndisrfl.sys

;————————————————————————-
; Ndi installation support
;————————————————————————-
[Inst_Ndi]
HKR, Ndi,Service,,”ndisrd
HKR, Ndi,CoServices,0x00010000,”ndisrd
HKR, Ndi,HelpText,,%ndisrfl_HelpText%
HKR, Ndi,FilterClass,, compression
HKR, Ndi,FilterType,0x00010001,0x00000002
HKR, Ndi\Interfaces,UpperRange,,”noupper”
HKR, Ndi\Interfaces,LowerRange,,”nolower”
HKR, Ndi\Interfaces, FilterMediaTypes,,”ethernet,wan,tunnel,ppip”
HKR, Ndi,FilterRunType, 0x00010001, 1 ;this filter must run before any protocol can bind to the below miniport

;————————————————————————-
; Service installation support
;————————————————————————-
[Install.Services]
AddService=ndisrd,,ndisrd_Service_Inst

[ndisrd_Service_Inst]
DisplayName = %ndisrfl_Desc%
ServiceType = 1 ;SERVICE_KERNEL_DRIVER
StartType = 1 ;SERVICE_SYSTEM_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary = %12%\ndisrfl.sys
LoadOrderGroup = NDIS
Description = %ndisrfl_Desc%

[Strings]
INTEL = “Intel Corporation”
ndisrfl_Desc = “Intel(R) Technology Access Filter Driver”
ndisrfl_HelpText = “Intel(R) Technology Access Filter Driver”

In order to avoid such issues, please carefully read and follow the WinpkFilter build and customization guide. Also, please note that for the Developer license customers we provide one custom build of WinpkFilter drivers at no extra cost.

Leave a Reply

Your email address will not be published. Required fields are marked *