Thursday, August 11, 2016

GetBestRoute bug in Windows 10 Anniversary Release 1607

After upgrading to Windows 10 Anniversary Release 1607 on August 6, 2016, I noticed something strange happening with ARP Scanning Tool and I traced it to an intermittent problem in the IpHlpApi function GetBestRoute.

When the computer is first booted, GetBestRoute works normally as it has in NetScanTools Pro for years and as it has on other Windows operating systems. I am using it to determine if an IPv4 address can be reached LOCALLY without going through the Default Gateway. Operating System specifics:  64 bit OS build 14393.51, only one ethernet wired 1GB network interface connected to an IPv4 network. Compiled as a 32 bit application using VC++ 2012.

Code snippet:

MIB_IPFORWARDROW IPForwardRow;
memset(&IPForwardRow, 0, sizeof(IPForwardRow));

// targetIPAddress is the destination IPv4 address, outgoingIf the source IPv4 address (both DWORDs)
DWORD dwResult = GetBestRoute(targetIPAddress, outgoingIf, &IPForwardRow);

// note the fail on getting non-local route
if(dwResult == NO_ERROR && IPForwardRow.dwForwardType != MIB_IPROUTE_TYPE_DIRECT)
{
 // note the failure with a popup stating that the route is not local,
 // i.e. not on the same subnet or local network segment
}

Problem statement: if you pass in ANY targetIPAddress between and and outgoing interface is on your computer, it should come back with MIB_IPROUTE_TYPE_DIRECT. This is the normal way it works. Here is a view of the contents of the IPForwardRow structure as it should appear with and as the interface ( is the default gateway).

You can see that dwForwardDest is populated correctly, as is dwForwardMask, and the ForwardType is direct as expected.

But for any other IPv4 address through, you get this with empty dwForwardDest and dwForwardMask with the route type INCORRECTLY shown as MIB_IPROUTE_TYPE_INDIRECT.

Obviously something was broken in this new Windows 10 release. It is intermittent but once it goes into this failure mode, it stays in the failure mode until the computer is rebooted. I do not know what the trigger is.

I have fixed it by writing my own GetBestRoute equivalent - but I should not have to do that. Microsoft PLEASE FIX this ASAP!
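The locality decision described in this post can be cross-checked against the outgoing interface's own subnet. The following is an added example, not the author's replacement routine or NetScanTools code: it does a longest-prefix match over a constructed route table and flags the failure mode described above. The names `route_t`, `best_route`, `answer_is_suspect` and `sample_table`, the addresses and the metrics are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same numeric values as MIB_IPROUTE_TYPE_DIRECT / _INDIRECT in the Windows SDK. */
enum { ROUTE_DIRECT = 3, ROUTE_INDIRECT = 4 };

/* Hypothetical stand-in for the MIB_IPFORWARDROW fields used here (host byte order). */
typedef struct { uint32_t dest, mask, next_hop, type, metric; } route_t;

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample table: default route plus one on-link /24 (documentation ranges). */
const route_t sample_table[] = {
    { IP4(0, 0, 0, 0),   IP4(0, 0, 0, 0),       IP4(192, 0, 2, 1),  ROUTE_INDIRECT, 25 },
    { IP4(192, 0, 2, 0), IP4(255, 255, 255, 0), IP4(192, 0, 2, 50), ROUTE_DIRECT,   281 },
};

/* Longest-prefix match, ties broken by lowest metric; NULL if no row matches. */
const route_t *best_route(const route_t *tbl, size_t n, uint32_t target)
{
    const route_t *best = NULL;
    for (size_t i = 0; i < n; i++) {
        int match = (target & tbl[i].mask) == tbl[i].dest;
        if (match && (!best || tbl[i].mask > best->mask ||
            (tbl[i].mask == best->mask && tbl[i].metric < best->metric)))
            best = &tbl[i];
    }
    return best;
}

/* Flags the failure mode in the post: an INDIRECT answer with zero destination
   and mask for a target that sits on the outgoing interface's own subnet. */
int answer_is_suspect(const route_t *api, uint32_t if_addr, uint32_t if_mask, uint32_t target)
{
    int on_link = (target & if_mask) == (if_addr & if_mask);
    return on_link && api->type == ROUTE_INDIRECT && api->dest == 0 && api->mask == 0;
}

int main(void)
{
    uint32_t target = IP4(192, 0, 2, 77);
    const route_t *r = best_route(sample_table, 2, target);
    printf("best route type: %u\n", r ? (unsigned)r->type : 0u);
    printf("default-route answer suspect: %d\n",
           answer_is_suspect(&sample_table[0], IP4(192, 0, 2, 50), IP4(255, 255, 255, 0), target));
    return 0;
}
```
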

NetScanTools Pro v11.80 released Aug 4, 2016

NetScanTools Pro 11.80 was released on Aug 4, 2016. This version was completely compiled on Windows 10 and is dual code-signed with both SHA256 and SHA1.

We added a new IPv6 Route Tool that displays the routes and many other properties.

There are many changes and the most obvious change is in the way WinPcap compatible interfaces are shown and selected. Tools that use WinPcap now have a much more verbose description of the interface, not just the IPv4 address shown before. Previously, users would occasionally run into problems where the IPv4 address shown in the dropdown list was not able to be opened even though WinPcap says it was compatible with it. The way the interfaces are opened based on the selection was significantly changed internally so there should be less chance of problems.

The Real Time Blacklist Check tool was changed from a text based single threaded (one after the other) output to a grid based output with multithreading. In other words, in v11.80 many RBL servers are queried simultaneously for the presence of the mail server IPv4 address in their databases.

SNMP tools now support SNMPv3 without the end user having to obtain libeay32.dll. We have an Encryption Registration Number and the software is ECCN 5D992.c.

The SNMP Scanner and SNMP Dictionary Attack Tools were worked on extensively to fix problems that happened if you sorted a column while scanning (no longer allowed) and also problems with the XML Excel Schema. Side note - if you are using Excel, don't 'import' the XML file, simply 'open' it just like any other Excel file.

Here are the specific changes:
-Compiled on Windows 10.
-New Tool: IPv6 Routing Table.
-Significant change to the way WinPcap compatible interfaces are listed and chosen. Layout of some tools had to change to support longer selection box. Opening and using a WinPcap network interface no longer depends on matching the IPv4 address.
-We now test to verify that the official WinPcap service or the alternative npcap or Win10Pcap services are running.
-Realtime Black List Check tool completely rewritten with new user interface and it is now multithreaded for increased speed.
-SNMP Core and Advanced tools now have simplified SNMPv3 options. SNMP DLL now has libeay32.dll added and SNMP Library Manager was removed. ECCN 5D992.c
-SNMP Scanner, SNMP Dictionary Attack and Protected Storage Viewer have updated grid controls and are now prevented from sorting by clicking on the column header while the tool is working. Exporting with Microsoft Excel schema has been updated - simply 'open' the XML file from Excel (do not import it). SNMP v1+v2c setting is now properly saved.
-ARP based tools now confirm that the target IPv4 addresses are within the same subnet as the chosen WinPcap interface.
-ARP Scan now automatically sorts by the IP address column when complete.
-Whois changed so that if whois server does not respond, it times out and automatically stops.
-Assigned IPv6 Teredo server is shown in IPv6 Compatible Interfaces.
-Corrected privilege problems with writing to certain parts of the registry during registration process.
-Updated SQLite to version 3.13.0
-Updated MAC address/Manufacturer database.
-Updated IP to Country database.
-Code signing now uses both SHA256 and SHA1 for maximum operating system portability.