“Failed to install WinpkFilter NDIS LWF driver with error 0x800700b7” or critical value of driver customization

By | January 22, 2018

One of our customers has recently reported that WinpkFilter installation has failed with error code 0x800700b7. This was the first report mentioning such error code, and we have spent some time to research the issue at a customer side. Such behavior seems to be worth mentioning in a dedicated post.

0x800700b7 error code can be decoded as ERROR_ALREADY_EXISTS. Hence, my first action was to check if the driver was already installed. However, it wasn’t the case, and we started to check the installation steps.

First thing I have noticed after checking netcfg.exe command line used by the customer, is that it still uses WinpkFilter default component name (nt_ndisrd). Further research discovered that FILTER_UNIQUE_NAME (in common.h) and corresponding NetCfgInstanceId (in ndisrd_lwf.inf) GUID({CD75C963-E19F-4139-BC3B-14019EF72F19}) were also left unchanged. Actually, only the driver image was renamed!
It is important to note here that above-mentioned customization steps are crucial and if ignored then the derived driver would conflict with  WinpkFilter standard build. Although, the customer did not install the standard build of WinpkFilter Runtime, but obviously, it could be another WinpkFilter based driver without proper customization. So, we just had to find it!

Next steps are fairly obvious, netcfg.exe pointed that nt_ndisrd component name belongs to “Intel® Technology Access Filter Driver” netrfl.sys (see below):

netcfg -v -s nt_ndisrd
Network Services
-----------------
ms_netbios NetBIOS Interface
...
ms_wfplwf_upper WFP 802.3 MAC ? LightWeight ???
nt_ndisrd Intel(R) Technology Access Filter Driver
...

Following analysis discovered that netrfl.sys driver INF file (netrfl.inf) has the same customization problems (see below). Neither service name (ndisrd) nor component name (nt_ndisrd) were customized (normally, I would expect changing both to ndisrfl and nt_ndisrfl respectively). In addition, NetCfgInstanceId has the same GUID as the original WinpkFilter driver.

;
; Copyright (C), Intel Corporation. All rights reserved.
; ********************************************************************************
; ** Filename: netrfl.inf
; ** Abstract: Windows* INF File for Intel(R) Technology Access Filter Driver
; ********************************************************************************
;
[version]
Signature = "$Windows NT$"
Class = NetService
ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}
Provider = %INTEL%
CatalogFile=ndisrfl.cat
DriverVer=07/09/2015,1.5.0.1009

[Manufacturer]
%INTEL%=Ntkr,NTx86,NTia64,NTamd64

[Ntkr.NTx86]
%ndisrfl_Desc%=Install, nt_ndisrd

[Ntkr.NTia64]
%ndisrfl_Desc%=Install, nt_ndisrd

[Ntkr.NTamd64]
%ndisrfl_Desc%=Install, nt_ndisrd

;————————————————————————-
; Installation Section
;————————————————————————-
[Install]
AddReg=Inst_Ndi
Characteristics=0x40000
NetCfgInstanceId=”{CD75C963-E19F-4139-BC3B-14019EF72F19}”
Copyfiles = ndisrd.copyfiles.sys
DelFiles = ndisrd.delfiles.sys

[SourceDisksNames]
1=%ndisrfl_Desc%,””,,

[SourceDisksFiles]
ndisrfl.sys=1

[DestinationDirs]
DefaultDestDir=12
ndisrd.copyfiles.sys=12

[ndisrd.copyfiles.sys]
ndisrfl.sys,,,2

[ndisrd.delfiles.sys]
ndisrfl.sys

;————————————————————————-
; Ndi installation support
;————————————————————————-
[Inst_Ndi]
HKR, Ndi,Service,,”ndisrd“
HKR, Ndi,CoServices,0x00010000,”ndisrd“
HKR, Ndi,HelpText,,%ndisrfl_HelpText%
HKR, Ndi,FilterClass,, compression
HKR, Ndi,FilterType,0x00010001,0x00000002
HKR, Ndi\Interfaces,UpperRange,,”noupper”
HKR, Ndi\Interfaces,LowerRange,,”nolower”
HKR, Ndi\Interfaces, FilterMediaTypes,,”ethernet,wan,tunnel,ppip”
HKR, Ndi,FilterRunType, 0x00010001, 1 ;this filter must run before any protocol can bind to the below miniport

;————————————————————————-
; Service installation support
;————————————————————————-
[Install.Services]
AddService=ndisrd,,ndisrd_Service_Inst

[ndisrd_Service_Inst]
DisplayName = %ndisrfl_Desc%
ServiceType = 1 ;SERVICE_KERNEL_DRIVER
StartType = 1 ;SERVICE_SYSTEM_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary = %12%\ndisrfl.sys
LoadOrderGroup = NDIS
Description = %ndisrfl_Desc%

[Strings]
INTEL = “Intel Corporation”
ndisrfl_Desc = “Intel(R) Technology Access Filter Driver”
ndisrfl_HelpText = “Intel(R) Technology Access Filter Driver”

To avoid such issues, please carefully read and follow the WinpkFilter build and customization guide. Also, please note that for the Developer license customers, we provide one custom build of WinpkFilter drivers at no extra cost.

8 thoughts on ““Failed to install WinpkFilter NDIS LWF driver with error 0x800700b7” or critical value of driver customization

  1. Boriss Popov

    Hello, i have problem with this ITA filter driver, how to replace it (manually, cant remove it in Programs and Components/device manager) with proper WinpkFilter driver? When i disable the ITA filter (ndisrfl.sys) my network doesnt work and i get BSODs some times cause of it also, since it is outdated and no longer supported. Id be glad for any tips to fix this, thanks.

    Reply
  2. Vadim Smirnov

    Hello Boris,

    I’m not 100% sure but I think ndisrfl.sys is old version of customized WinpkFilter driver (probably used by Realtek). Would you like to uninstall it completely? What Windows version do you use?

    -Vadim

    Reply
  3. Boriss Popov

    Hi Vadim, thanks for reply. Yes I would like to remove it I guess. I have Windows 10 x64 (ver 1809).

    Reply
  4. Vadim Smirnov

    Please try the following steps:
    1) Start command line (cmd.exe) or PowerShell as Administrator and execute “netcfg -u nt_ndisrfl”. This should uninstall the component.
    2) To completely remove the driver from the system navigate to \Windows\INF and find the oemXXX.inf which contains “nt_ndisrfl”. Then execute “pnputil /delete-driver oemXXX.inf”. (XXX is normally a 1-3 digits number).

    Reply
  5. Go Komura

    Hello, is this article related to the vulnerability in Intel Online Connect? I saw your name mentioned in the acknowledgments for that vulnerability, so I thought you might be aware of it.

    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00121.html

    I am struggling with an issue where the Intel Technology Access Service process consumes a large amount of memory on a control PC in a factory. Could this phenomenon be related to CVE-2018-3634?

    There is no information available on this vulnerability, and you are my only hope. I would greatly appreciate it if you could provide an answer.

    Reply
    1. Vadim Smirnov Post author

      Hello,

      CVE-2018-3634 involves crafting a specific I/O request that can trigger a system BSOD. Therefore, I don’t believe it is related to the memory leak issue you’re experiencing.

      Reply
      1. Go Komura

        Thank you for your reply. I had been wondering whether CVE-2018-3634 was related to my memory leak issue, so I am very relieved to know that it probably isn’t. I will reconsider my approach. Thank you very much again.

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *