Two filter drivers in one binary causes System error 2 on the 2nd driver

I have two NDIS filter drivers in the same binary. This seems to work based on this MSDN forum thread.

I encountered an issue: Both drivers have been successfully installed using NetCfg API. However, the second installed driver won't start. It causes System error 2:

C:\Program Files\Npcap>net start npcap
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.


C:\Program Files\Npcap>net start npcap_wifi
System error 2 has occurred.


The system cannot find the file specified.

If I install npcap_wifi first, npcap second, then npcap service fails to start. DbgView shows that the second driver's DriverEntry is never called. And the NetCfg API install doesn't show any error either. So I don't know what's wrong here? Thanks!

---

My source code:

The 1st driver's INF is: npcap.inf. It uses service name npcap.

The 2nd driver's INF is: npcap_wifi.inf It uses service name npcap_wifi.

The shared binary is: Packet.c. I used DriverEntry's RegistryPath to determine which service the binary is running as.

The driver installer is: NPFInstall.cpp. The command NPFInstall.exe -i is used to install the 1st driver and NPFInstall.exe -i2 is used to install the 2nd driver.

---

UPDATE:

I have modified npcap.inf based on your fake service method:

;-------------------------------------------------------------------------
; NPCAP.INF -- Npcap NDIS 6.x LightWeight Filter Driver
;
; Copyright (c) 2015, Insecure.Com LLC.  All rights reserved.
;------------------------------------------------------------------------
[version]
Signature       = "$Windows NT$"
Class           = NetService
ClassGUID       = {4D36E974-E325-11CE-BFC1-08002BE10318}
CatalogFile     = %NPF_DriverName%.cat
Provider        = %Insecure%
DriverVer=05/15/2015,14.48.38.905


[Manufacturer]
%Insecure%=Insecure,NTx86,NTia64,NTamd64

[Insecure.NTx86]
%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP
%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI

[Insecure.NTia64]
%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP
%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI

[Insecure.NTamd64]
%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP
%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI

;-------------------------------------------------------------------------
; Installation Section
;-------------------------------------------------------------------------
[FilterStandard]
NetCfgInstanceId="{7daf2ac8-e9f6-4765-a842-f1f5d2501341}"
Copyfiles = npf.copyfiles.sys
Characteristics=0x40000
AddReg=FilterStandard.reg

[FilterWiFi]
NetCfgInstanceId="{7daf2ac8-e9f6-4765-a842-f1f5d2501351}"
Characteristics=0x40000
AddReg=FilterWiFi.reg

[SourceDisksNames]
1=%NPF_Desc_Standard%,"",,

[SourceDisksFiles]
npcap.sys=1

[DestinationDirs]
DefaultDestDir=12
npf.copyfiles.sys=12

[npf.copyfiles.sys]
%NPF_DriverName%.sys,,,2


;-------------------------------------------------------------------------
; Ndi installation support for the standard filter
;-------------------------------------------------------------------------
[FilterStandard.reg]
HKR, Ndi,Service,,%NPF_Filter_Name_Standard%
HKR, Ndi,CoServices,0x00010000,%NPF_Filter_Name_Standard%
HKR, Ndi,HelpText,,%NPF_HelpText%
HKR, Ndi,FilterClass,, compression


; For a Monitoring filter, use this:
;     HKR, Ndi,FilterType,0x00010001, 1 ; Monitoring filter
; For a Modifying filter, use this:
;     HKR, Ndi,FilterType,0x00010001, 2 ; Modifying filter
HKR, Ndi,FilterType,0x00010001,2


HKR, Ndi\Interfaces,UpperRange, , noupper
HKR, Ndi\Interfaces,LowerRange, , "ndis5,ndis4"


; TODO: Ensure that the list of media types below is correct.  Typically,
; filters include "ethernet".  Filters may also include "ppip" to include
; native WWAN stacks, but you must be prepared to handle the packet framing.
; Possible values are listed on MSDN, but common values include:
;     ethernet, wan, ppip, wlan
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, fddi, wan, ppip, wlan, bluetooth, ndis5, vwifi, flpp4, flpp6, vchannel, nolower"


; For a Mandatory filter, use this:
;     HKR, Ndi,FilterRunType,0x00010001, 1 ; Mandatory filter
; For an Optional filter, use this:
;     HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter
HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter


; By default, Mandatory filters unbind all protocols when they are
; installed/uninstalled, while Optional filters merely pause the stack.  If you
; would like to override this behavior, you can include these options.  These
; options only take effect with 6.30 filters on Windows "8" or later.
; To prevent a full unbind, and merely pause/restart protocols:
;     HKR, Ndi,UnbindOnAttach,0x00010001, 0 ; Do not unbind during FilterAttach
;     HKR, Ndi,UnbindOnDetach,0x00010001, 0 ; Do not unbind during FilterDetach
; To force a full unbind/bind (which includes pause/restart, of course):
;     HKR, Ndi,UnbindOnAttach,0x00010001, 1 ; Unbind during FilterAttach
;     HKR, Ndi,UnbindOnDetach,0x00010001, 1 ; Unbind during FilterDetach
;

;-------------------------------------------------------------------------
; Ndi installation support for the WiFi filter
;-------------------------------------------------------------------------
[FilterWiFi.reg]
HKR, Ndi,Service,,%NPF_Filter_Name_WiFi%
HKR, Ndi,CoServices,0x00010000,%NPF_Filter_Name_WiFi%
HKR, Ndi,HelpText,,%NPF_HelpText%
HKR, Ndi,FilterClass,, ms_medium_converter_128


; For a Monitoring filter, use this:
;     HKR, Ndi,FilterType,0x00010001, 1 ; Monitoring filter
; For a Modifying filter, use this:
;     HKR, Ndi,FilterType,0x00010001, 2 ; Modifying filter
HKR, Ndi,FilterType,0x00010001,2


HKR, Ndi\Interfaces,UpperRange, , noupper
HKR, Ndi\Interfaces,LowerRange, , "ndis5,ndis4"


; TODO: Ensure that the list of media types below is correct.  Typically,
; filters include "ethernet".  Filters may also include "ppip" to include
; native WWAN stacks, but you must be prepared to handle the packet framing.
; Possible values are listed on MSDN, but common values include:
;     ethernet, wan, ppip, wlan
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, fddi, wan, ppip, wlan, bluetooth, ndis5, vwifi, flpp4, flpp6, vchannel, nolower"


; For a Mandatory filter, use this:
;     HKR, Ndi,FilterRunType,0x00010001, 1 ; Mandatory filter
; For an Optional filter, use this:
;     HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter
HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter


; By default, Mandatory filters unbind all protocols when they are
; installed/uninstalled, while Optional filters merely pause the stack.  If you
; would like to override this behavior, you can include these options.  These
; options only take effect with 6.30 filters on Windows "8" or later.
; To prevent a full unbind, and merely pause/restart protocols:
;     HKR, Ndi,UnbindOnAttach,0x00010001, 0 ; Do not unbind during FilterAttach
;     HKR, Ndi,UnbindOnDetach,0x00010001, 0 ; Do not unbind during FilterDetach
; To force a full unbind/bind (which includes pause/restart, of course):
;     HKR, Ndi,UnbindOnAttach,0x00010001, 1 ; Unbind during FilterAttach
;     HKR, Ndi,UnbindOnDetach,0x00010001, 1 ; Unbind during FilterDetach
;

;-------------------------------------------------------------------------
; Service installation support
;-------------------------------------------------------------------------
[FilterStandard.Services]
AddService=%NPF_Filter_Name_Standard%,,FilterStandard.svc

[FilterWiFi.Services]
AddService=%NPF_Filter_Name_WiFi%,,FilterWiFi.svc

[FilterStandard.svc]
DisplayName     = %NPF_Desc_Standard%
ServiceType     = 1 ;SERVICE_KERNEL_DRIVER
StartType       = 3 ;SERVICE_DEMAND_START
ErrorControl    = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary   = %12%\%NPF_DriverName%.sys
LoadOrderGroup  = NDIS
Description     = %NPF_Desc_Standard%
AddReg          = Common.Params.reg, NdisImPlatformBindingOptions.reg

[FilterWiFi.svc]
DisplayName     = %NPF_Desc_WiFi%
ServiceType     = 1 ;SERVICE_KERNEL_DRIVER
StartType       = 3 ;SERVICE_DEMAND_START
ErrorControl    = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary   = %12%\%NPF_DriverName%.sys
LoadOrderGroup  = NDIS
Description     = %NPF_Desc_WiFi%
AddReg          = Common.Params.reg, NdisImPlatformBindingOptions.reg

[FilterStandard.Remove.Services]
DelService=%NPF_Filter_Name_Standard%,0x200 ; SPSVCINST_STOPSERVICE

[FilterWiFi.Remove.Services]
DelService=%NPF_Filter_Name_WiFi%,0x200 ; SPSVCINST_STOPSERVICE

[Common.Params.reg]

[NdisImPlatformBindingOptions.reg]
HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,0 ; Subscribe to default behavior

[Strings]
NPF_DriverName = "npcap"
NPF_Filter_Name_Standard = "npcap"
NPF_Filter_Name_WiFi = "npcap_wifi"
Insecure = "Nmap Project"
NPF_Desc_Standard = "Npcap Packet Driver (NPCAP)"
NPF_Desc_WiFi = "Npcap Packet Driver (NPCAP) (Wi-Fi)"
NPF_HelpText = "A NDIS 6 filter driver & WFP callout driver to support packet capturing and sending under Windows 7, 8 & 10"

And my installer code is changed to:

HRESULT HrInstallNetComponent(IN INetCfg* pnc, IN LPCTSTR lpszComponentId, IN const GUID* pguidClass, IN LPCTSTR lpszInfFullPath)
{
    DWORD dwError;
    HRESULT hr = S_OK;
    TCHAR szDrive[_MAX_DRIVE];
    TCHAR szDir[_MAX_DIR];
    TCHAR szDirWithDrive[_MAX_DRIVE + _MAX_DIR];

    //
    // If full path to INF has been specified, the INF
    // needs to be copied using Setup API to ensure that any other files
    // that the primary INF copies will be correctly found by Setup API
    //
    if (lpszInfFullPath)
    {
        //
        // Get the path where the INF file is.
        //
        _tsplitpath(lpszInfFullPath, szDrive, szDir, NULL, NULL);

        _tcscpy(szDirWithDrive, szDrive);
        _tcscat(szDirWithDrive, szDir);

        //
        // Copy the Service INF file to the \Windows\Inf Folder
        //
        if (!SetupCopyOEMInfW(lpszInfFullPath, szDirWithDrive, // Other files are in the
            // same dir. as primary INF
            SPOST_PATH,    // First param is path to INF
            0,             // Default copy style
            NULL,          // Name of the INF after
            // it's copied to %windir%\inf
            0,             // Max buf. size for the above
            NULL,          // Required size if non-null
            NULL)          // Optionally get the filename
            // part of Inf name after it is copied.
           )
        {
            dwError = GetLastError();

            hr = HRESULT_FROM_WIN32(dwError);
        }
    }

    if (S_OK == hr)
    {
        //
        // Install the network component.
        //
        hr = HrInstallComponent(pnc, NDISLWF_SERVICE_PNP_DEVICE_ID, pguidClass);

        if (hr == S_OK)
        {
            hr = HrInstallComponent(pnc, NDISLWF_SERVICE_PNP_DEVICE_ID_WIFI, pguidClass);

            if (hr == S_OK)
            {
                //
                // On success, apply the changes
                //
                hr = pnc->Apply();
            }
        }
    }

    return hr;
}

And the result is the second service npcap_wifi ends up with system error 2:

C:\Program Files\Npcap>sc query npcap

SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Program Files\Npcap>sc query npcap_wifi
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Program Files\Npcap>sc query npcap
SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Program Files\Npcap>sc query npcap_wifi

SERVICE_NAME: npcap_wifi
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 2  (0x2)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Program Files\Npcap>net start npcap
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.


C:\Program Files\Npcap>net start npcap_wifi
System error 2 has occurred.

The system cannot find the file specified.


C:\Program Files\Npcap>

Does this look right? The question is I still don't get the DriverEntry call for the 2nd LWF in DbgView? So how the 2nd LWF work then?

---

UPDATE:

I guess this is what I should do next? I called NdisFRegisterFilterDriver twice in my DriverEntry to register 2 LWFs. The 2 FChars structures only differ in FriendlyName, UniqueName, ServiceName. But the 2nd NdisFRegisterFilterDriver always fails with NDIS_STATUS_FAILURE (0xc0000001). I don't know why.

Here's my code:

//
//  Packet Driver's entry routine.
//
_Use_decl_annotations_
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NDIS_FILTER_DRIVER_CHARACTERISTICS FChars;
    NDIS_FILTER_DRIVER_CHARACTERISTICS FChars_WiFi;
    NTSTATUS Status = STATUS_SUCCESS;

    // Use NonPaged Pool instead of No-Execute (NX) Nonpaged Pool for Win8 and later, this is for security purpose.
    ExInitializeDriverRuntime(DrvRtPoolNxOptIn);

    WCHAR* bindT;
    PKEY_VALUE_PARTIAL_INFORMATION tcpBindingsP;
    UNICODE_STRING macName;
    ULONG OsMajorVersion, OsMinorVersion;
    NDISGROUPMAXPROCESSORCOUNT MyNdisGroupMaxProcessorCount;
    NDIS_STRING GroupMaxProcessorCount;
    UNREFERENCED_PARAMETER(RegistryPath);

    TRACE_ENTER();
    FilterDriverObject = DriverObject;

    PsGetVersion(&OsMajorVersion, &OsMinorVersion, NULL, NULL);
    TRACE_MESSAGE2(PACKET_DEBUG_LOUD, "OS Version: %d.%d\n", OsMajorVersion, OsMinorVersion);

    // RegistryPath = "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap" for standard driver
    // RegistryPath = "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap_wifi" for WiFi driver
    g_Dot11SupportMode = 0;
    for (USHORT i = 0; i < RegistryPath->Length / 2; i ++)
    {
        if (RegistryPath->Buffer[i] == L'_')
        {
            g_Dot11SupportMode = 1;
            break;
        }
    }
    TRACE_MESSAGE1(PACKET_DEBUG_LOUD, "g_Dot11SupportMode (based on RegistryPath) = %d\n", g_Dot11SupportMode);

    if (g_Dot11SupportMode)
        NdisInitUnicodeString(&g_NPF_Prefix, g_NPF_PrefixBuffer_Wifi);
    else
        NdisInitUnicodeString(&g_NPF_Prefix, g_NPF_PrefixBuffer);

    //
    // Get number of CPUs and save it
    //
    RtlInitUnicodeString(&GroupMaxProcessorCount, L"NdisGroupMaxProcessorCount");
    MyNdisGroupMaxProcessorCount = (NDISGROUPMAXPROCESSORCOUNT) NdisGetRoutineAddress(&GroupMaxProcessorCount);
    if (MyNdisGroupMaxProcessorCount) // for NDIS620 and later (Win7 and later).
    {
        g_NCpu = MyNdisGroupMaxProcessorCount(ALL_PROCESSOR_GROUPS);
        TRACE_MESSAGE2(PACKET_DEBUG_LOUD, "g_NCpu (NdisGroupMaxProcessorCount): %d, NPF_MAX_CPU_NUMBER: %d\n", g_NCpu, NPF_MAX_CPU_NUMBER);
        if (g_NCpu > NPF_MAX_CPU_NUMBER)
        {
            g_NCpu = NPF_MAX_CPU_NUMBER;
        }
    }
    else // for NDIS6 (Vista)
    {
        g_NCpu = NdisSystemProcessorCount();
    }

    //
    // Register as a service with NDIS
    //
    NPF_registerLWF(&FChars, FALSE);
    NPF_registerLWF(&FChars_WiFi, TRUE);

    DriverObject->DriverUnload = NPF_Unload;

    //
    // Standard device driver entry points stuff.
    //
    DriverObject->MajorFunction[IRP_MJ_CREATE] = NPF_OpenAdapter;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = NPF_CloseAdapter;
    DriverObject->MajorFunction[IRP_MJ_CLEANUP] = NPF_Cleanup;
    DriverObject->MajorFunction[IRP_MJ_READ] = NPF_Read;
    DriverObject->MajorFunction[IRP_MJ_WRITE] = NPF_Write;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = NPF_IoControl;

    bindP = getAdaptersList();

    if (bindP == NULL)
    {
        TRACE_MESSAGE(PACKET_DEBUG_LOUD, "Adapters not found in the registry, try to copy the bindings of TCP-IP.");

        tcpBindingsP = getTcpBindings();

        if (tcpBindingsP == NULL)
        {
            TRACE_MESSAGE(PACKET_DEBUG_LOUD, "TCP-IP not found, quitting.");
            goto RegistryError;
        }

        bindP = (WCHAR *)tcpBindingsP;
        bindT = (WCHAR *)(tcpBindingsP->Data);
    }
    else
    {
        bindT = bindP;
    }

    for (; *bindT != UNICODE_NULL; bindT += (macName.Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR))
    {
        RtlInitUnicodeString(&macName, bindT);
        NPF_CreateDevice(DriverObject, &macName);
    }

    // Register the filter to NDIS.
    Status = NdisFRegisterFilterDriver(DriverObject,
        (NDIS_HANDLE) FilterDriverObject,
        &FChars,
        &FilterDriverHandle);
    if (Status != NDIS_STATUS_SUCCESS)
    {
        TRACE_MESSAGE1(PACKET_DEBUG_LOUD, "NdisFRegisterFilterDriver: failed to register filter with NDIS, Status = %x", Status);
        TRACE_EXIT();
        return Status;
    }
    else
    {
        TRACE_MESSAGE2(PACKET_DEBUG_LOUD, "NdisFRegisterFilterDriver: succeed to register filter with NDIS, Status = %x, FilterDriverHandle = %x", Status, FilterDriverHandle);
    }

    // Register the WiFi filter to NDIS.
    Status = NdisFRegisterFilterDriver(DriverObject,
        (NDIS_HANDLE)FilterDriverObject,
        &FChars_WiFi,
        &FilterDriverHandle_WiFi);
    if (Status != NDIS_STATUS_SUCCESS)
    {
        TRACE_MESSAGE1(PACKET_DEBUG_LOUD, "NdisFRegisterFilterDriver: failed to register filter (WiFi) with NDIS, Status = %x", Status);
        TRACE_EXIT();
        return Status;
    }
    else
    {
        TRACE_MESSAGE2(PACKET_DEBUG_LOUD, "NdisFRegisterFilterDriver: succeed to register filter (WiFi) with NDIS, Status = %x, FilterDriverHandle_WiFi = %x", Status, FilterDriverHandle_WiFi);
    }

#ifdef HAVE_WFP_LOOPBACK_SUPPORT
    // Use Winsock Kernel (WSK) to send loopback packets.
    Status = NPF_WSKStartup();
    if (!NT_SUCCESS(Status))
    {
        TRACE_EXIT();
        return Status;
    }

    Status = NPF_WSKInitSockets();
    if (!NT_SUCCESS(Status))
    {
        TRACE_EXIT();
        return Status;
    }
#endif

    NdisAllocateSpinLock(&g_OpenArrayLock);

    TRACE_EXIT();
    return STATUS_SUCCESS;

RegistryError:

    Status = STATUS_UNSUCCESSFUL;
    TRACE_EXIT();
    return(Status);
}
//-------------------------------------------------------------------
VOID
NPF_registerLWF(
    PNDIS_FILTER_DRIVER_CHARACTERISTICS pFChars,
    BOOLEAN bWiFiOrNot
    )
{
    NDIS_STRING FriendlyName = RTL_CONSTANT_STRING(NPF_SERVICE_DESC_WIDECHAR); // display name
    NDIS_STRING UniqueName = RTL_CONSTANT_STRING(FILTER_UNIQUE_NAME); // unique name, quid name
    NDIS_STRING ServiceName = RTL_CONSTANT_STRING(NPF_DRIVER_NAME_SMALL_WIDECHAR); // this to match the service name in the INF
    NDIS_STRING FriendlyName_WiFi = RTL_CONSTANT_STRING(NPF_SERVICE_DESC_WIDECHAR_WIFI); // display name
    NDIS_STRING UniqueName_WiFi = RTL_CONSTANT_STRING(FILTER_UNIQUE_NAME_WIFI); // unique name, quid name
    NDIS_STRING ServiceName_WiFi = RTL_CONSTANT_STRING(NPF_DRIVER_NAME_SMALL_WIDECHAR_WIFI); // this to match the service name in the INF

    NdisZeroMemory(pFChars, sizeof(NDIS_FILTER_DRIVER_CHARACTERISTICS));
    pFChars->Header.Type = NDIS_OBJECT_TYPE_FILTER_DRIVER_CHARACTERISTICS;
    pFChars->Header.Size = sizeof(NDIS_FILTER_DRIVER_CHARACTERISTICS);
#if NDIS_SUPPORT_NDIS61
    pFChars->Header.Revision = NDIS_FILTER_CHARACTERISTICS_REVISION_2;
#else
    pFChars->Header.Revision = NDIS_FILTER_CHARACTERISTICS_REVISION_1;
#endif

    pFChars->MajorNdisVersion = NDIS_FILTER_MAJOR_VERSION; // NDIS version is 6.2 (Windows 7)
    pFChars->MinorNdisVersion = NDIS_FILTER_MINOR_VERSION;
    pFChars->MajorDriverVersion = 1; // Driver version is 1.0
    pFChars->MinorDriverVersion = 0;
    pFChars->Flags = 0;

    // Use different names for the WiFi driver.
    if (bWiFiOrNot)
    {
        pFChars->FriendlyName = FriendlyName_WiFi;
        pFChars->UniqueName = UniqueName_WiFi;
        pFChars->ServiceName = ServiceName;
        // pFChars->ServiceName = ServiceName_WiFi;
    }
    else
    {
        pFChars->FriendlyName = FriendlyName;
        pFChars->UniqueName = UniqueName;
        pFChars->ServiceName = ServiceName;
    }

    pFChars->SetOptionsHandler = NPF_RegisterOptions;
    pFChars->AttachHandler = NPF_AttachAdapter;
    pFChars->DetachHandler = NPF_DetachAdapter;
    pFChars->RestartHandler = NPF_Restart;
    pFChars->PauseHandler = NPF_Pause;
    pFChars->SetFilterModuleOptionsHandler = NPF_SetModuleOptions;
    pFChars->OidRequestHandler = NPF_OidRequest;
    pFChars->OidRequestCompleteHandler = NPF_OidRequestComplete;
    pFChars->CancelOidRequestHandler = NPF_CancelOidRequest;

    pFChars->SendNetBufferListsHandler = NPF_SendEx;
    pFChars->ReturnNetBufferListsHandler = NPF_ReturnEx;
    pFChars->SendNetBufferListsCompleteHandler = NPF_SendCompleteEx;
    pFChars->ReceiveNetBufferListsHandler = NPF_TapEx;
    pFChars->DevicePnPEventNotifyHandler = NPF_DevicePnPEventNotify;
    pFChars->NetPnPEventHandler = NPF_NetPnPEvent;
    pFChars->StatusHandler = NPF_Status;
    pFChars->CancelSendNetBufferListsHandler = NPF_CancelSendNetBufferLists;
}

For the 2nd LWF, I used the 1st LWF's ServiceName (npcap), or used its own npcap_wifi, neither works.

The entire source code is here: https://github.com/nmap/npcap/commit/1cac59271a9772ebbfff0db9c8a051b6553c25a2

---

UPDATE:

I analyzed the WPP trace, it shows:

    [1]0004.015C::08/28/2016-20:26:58.498 [mp]==>NdisFRegisterFilterDriver: DriverObject FFFF8A85572FD6D0, Npcap Packet Driver (NPCAP)
    [1]0004.015C::08/28/2016-20:26:58.498 [mp]==>ndisCreateFilterDriverRegistry, FilterServiceName FFFFCB01F6F617D0
    [1]0004.015C::08/28/2016-20:26:58.498 [mp]Reading DefaultFilterSettings from registry - Status 0xc0000034(STATUS_OBJECT_NAME_NOT_FOUND), Validation = 0 
    [1]0004.015C::08/28/2016-20:26:58.498 [mp]==>ndisSetAllFilterDefaultParameters, FilterServiceName FFFFCB01F6F617D0 FilterRegistryPath FFFFCB01F6F61610 FilterParams FFFFF80DD6A88598
    [1]0004.015C::08/28/2016-20:26:58.498 [mp]<==ndisSetAllFilterDefaultParameters, FilterServiceName FFFFCB01F6F617D0 FilterRegistryPath FFFFCB01F6F61610 FilterParams FFFFF80DD6A88598 Status 0
    [1]0004.015C::08/28/2016-20:26:58.498 [mp]<==ndisCreateFilterDriverRegistry, FilterServiceName FFFFCB01F6F617D0 Status 0
    [1]0004.015C::08/28/2016-20:26:58.498 [mp]>Begin filter driver's SetOptionsHandler. FilterDriver=FFFF8A85532E6010
    [1]0004.015C::08/28/2016-20:26:58.498 [mp]<End filter driver's SetOptionsHandler.   FilterDriver=FFFF8A85532E6010, Status=0x00000000
    [1]0004.015C::08/28/2016-20:26:58.498 [km]Begin PNP operations on miniport FFFF8A85538DC1A0
    [0]0004.015C::08/28/2016-20:26:58.498 [km]End PNP operations on miniport FFFF8A85538DC1A0
    [0]0004.015C::08/28/2016-20:26:58.499 [mp]<==NdisFRegisterFilterDriver, Status 0
    [0]0004.015C::08/28/2016-20:26:58.499 [mp]==>NdisFRegisterFilterDriver: DriverObject FFFF8A85572FD6D0, Npcap Packet Driver (NPCAP) (WiFi version)
    [0]0004.015C::08/28/2016-20:26:58.499 [mp]==>ndisCreateFilterDriverRegistry, FilterServiceName FFFFCB01F6F618B0
    [0]0004.015C::08/28/2016-20:26:58.499 [mp]Reading DefaultFilterSettings from registry - Status STATUS_SUCCESS, Validation = 0 
    [0]0004.015C::08/28/2016-20:26:58.499 [mp]<==ndisCreateFilterDriverRegistry, FilterServiceName FFFFCB01F6F618B0 Status 0
    [0]0004.015C::08/28/2016-20:26:58.499 [mp]NdisFRegisterFilterDriver: Cannot find filter 7daf2ac8-e9f6-4765-a842-f1f5d2501351 in the registry.  Did INetCfg install this filter successfully?
    [0]0004.015C::08/28/2016-20:26:58.499 [mp]<==NdisFRegisterFilterDriver, Status c0000001

So it seems that NDIS didn't find the 2nd filter's registry 7daf2ac8-e9f6-4765-a842-f1f5d2501351. But I checked it in regedit. It has that key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{7DAF2AC8-E9F6-4765-A842-F1F5D2501341}]
"InstallTimeStamp"=hex:e0,07,08,00,00,00,1c,00,0c,00,1a,00,39,00,88,03
"Characteristics"=dword:00040000
"ComponentId"="INSECURE_NPCAP"
"Description"="@oem11.inf,%npf_desc_standard%;Npcap Packet Driver (NPCAP)"
"InfPath"="oem11.inf"
"InfSection"="FilterStandard"
"LocDescription"="@oem11.inf,%npf_desc_standard%;Npcap Packet Driver (NPCAP)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{7DAF2AC8-E9F6-4765-A842-F1F5D2501341}\Ndi]
"TimeStamp"=hex:e0,07,08,00,00,00,1c,00,0c,00,1a,00,39,00,88,03
"HelpText"="A NDIS 6 filter driver & WFP callout driver to support packet capturing and sending under Windows 7, 8 & 10"
"Service"="npcap"
"CoServices"=hex(7):6e,00,70,00,63,00,61,00,70,00,00,00,00,00
"FilterClass"="compression"
"FilterType"=dword:00000002
"FilterRunType"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{7DAF2AC8-E9F6-4765-A842-F1F5D2501341}\Ndi\Interfaces]
"LowerRange"="ndis5,ndis4"
"UpperRange"="noupper"
"FilterMediaTypes"="ethernet, fddi, wan, ppip, wlan, bluetooth, ndis5, vwifi, flpp4, flpp6, vchannel, nolower"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{7DAF2AC8-E9F6-4765-A842-F1F5D2501351}]
"InstallTimeStamp"=hex:e0,07,08,00,00,00,1c,00,0c,00,1a,00,3a,00,7e,02
"Characteristics"=dword:00040000
"ComponentId"="INSECURE_NPCAP_WIFI"
"Description"="@oem11.inf,%npf_desc_wifi%;Npcap Packet Driver (NPCAP) (Wi-Fi)"
"InfPath"="oem11.inf"
"InfSection"="FilterWiFi"
"LocDescription"="@oem11.inf,%npf_desc_wifi%;Npcap Packet Driver (NPCAP) (Wi-Fi)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{7DAF2AC8-E9F6-4765-A842-F1F5D2501351}\Ndi]
"TimeStamp"=hex:e0,07,08,00,00,00,1c,00,0c,00,1a,00,3a,00,7e,02
"HelpText"="A NDIS 6 filter driver & WFP callout driver to support packet capturing and sending under Windows 7, 8 & 10"
"Service"="npcap_wifi"
"CoServices"=hex(7):6e,00,70,00,63,00,61,00,70,00,5f,00,77,00,69,00,66,00,69,\
  00,00,00,00,00
"FilterClass"="ms_medium_converter_128"
"FilterType"=dword:00000002
"FilterRunType"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{7DAF2AC8-E9F6-4765-A842-F1F5D2501351}\Ndi\Interfaces]
"LowerRange"="ndis5,ndis4"
"UpperRange"="noupper"
"FilterMediaTypes"="ethernet, fddi, wan, ppip, wlan, bluetooth, ndis5, vwifi, flpp4, flpp6, vchannel, nolower"

So I don't know why NDIS reports NdisFRegisterFilterDriver: Cannot find filter 7daf2ac8-e9f6-4765-a842-f1f5d2501351 in the registry. Did INetCfg install this filter successfully??