Recently a friend asked me to help him install the winpcap on his computer. Winpcap is the packet capture and network monitoring library for Windows. Some network analyzer (such as, the new version of Ethereal) or url sniffer (such as ) need winpcap.

However, my friend got an error when installing the winpcap. He tried both the old 3.x version and the new 4.x version of winpcap, but everytime he got an error message "error opening for writing, c:\windows\system32\drivers\npf.sys". We googled the internet and found many people suffered the same problem and no solution was provided so far. Some people said it's due to the insufficient priveledge of the user account to install a driver file, but my friend's account is the administrator. Some other people said you may need to first delete the old npf.sys in the system32\driver folder and then reinstall it again, but we checked this folder and didn't find a file called npf.sys existing. We also closed the firewall and anti-virus software, but the problem is still there.

Finally, we made another try by copying a virus-free npf.sys from another computer to my friend's computer. Then, we found the reason. The system prompts that we cannot copy npf.sys (34,064 bytes) to npf.sys (0 bytes). But we just mentioned that we already did the check, and we didn't have a file named as npf.sys installed. So the only reason will be: there's a sub-directory called npf.sys existing. We checked again, and Bingo, we got it!There's a directory called c:\windows\system32\drivers\NPF.SYS existing on the computer (notice, it's not a file, but a directory(文件夹)). This NPF.SYS directory is empty and with name in upper case. I suspect there's some other softwares (with high probability to be a trojan or spyware) installed this NPF.SYS directory into the system32\drivers folder (they pretended to be a file of winpcap, then they could capture or sniff your password over the network). Later, it may be removed by anti-virus programs. But, it's not cleaned up, the resudual NPF.SYS directory is still on your system.

In summary, if you encounterred the same question (Error opening file for writing c:\windows\system32\drivers\npf.sys), try to first check if you have a NPF.SYS directory installed under \windows\system32\drivers.

具体操作:

1.工具-->文件夹选项-->查看-->不要隐藏受系统保护的文件、选中显示所有文件和文件夹

2.你会发现c:\windows\system32\drivers\NPF.SYS 名字的文件夹，里面的内容是空的,把这个文件夹删掉,再从别人电脑上复制一个同样名字c:\windows\system32\drivers\npf.sys的文件回来就可以了!