What is npf?

The genuine npf.sys file is a software component of WinPcap by Riverbed.
WinPcap is a packet sniffing tool that provides access to link-layer networks for Windows machines. Npf.sys is a filter driver that is essential for the functioning of WinPcap. This is a driver file that may be required for the correct functioning of one or several applications and should not be removed. WinPcap gives programs the ability to capture and transmit network packets by bypassing the protocol stack. It also includes additional features such as support for remote packet capture, kernel-level packet filtering, and a network statistics engine.

WinPcap has found its application in many open source and commercial network tools, including network monitors, network intrusion detection systems, protocol analyzers, traffic generators, sniffers, and network testers.

The WinPcap project began in 1999 due to an emergent need to run tcpdump (a common packet analyzer that runs from the command line) on computers based on the Windows platform. The project was started by Gianluca Varenni, an Italian software programmer, and is currently being maintained by Riverbed Technology, Inc., an American company that develops WAN optimisation technology. Riverbed was founded in 2002 and is currently headquartered in San Francisco, California, USA.

NPF stands for NetGroup Packet Filter Driver.

Npf.sys is a Windows driver. A driver is a small software program that allows your computer to communicate with hardware or connected devices. This means that a driver has direct access to the internals of the operating system, hardware etc. The free file information forum can help you determine if npf.sys is a Windows system file or if it belongs to an application that you can trust.


Npf.sys file information

The process known as npf.sys (NT5/6 AMD64) Kernel Driver or npf.sys (NT5/6 (version x86) Kernel Driver) or WinPcap Packet Driver (NPF) belongs to software NetGroup Packet Filter Driver or WinPcap Netgroup Packet Filter Driver or WinPcap Packet Driver (NPF) by CACE Technologies or Riverbed Technology.

Description: Npf.sys is not essential for the Windows OS and causes relatively few problems. The file npf.sys is located in the C:\Windows\System32\drivers folder. Known file sizes on Windows 10/8/7/XP are 35,088 bytes (31% of all occurrences), 32,512 bytes and 8 more variants. 
The driver can be started or stopped from Services in the Control Panel or by other programs. The program has no visible window. The service has no detailed description. The file is not a Windows core file. The file is digitally signed. The npf.sys file is a Verisign signed file. npf.sys appears to be a compressed file. Therefore the technical security rating is 21% dangerous; however, you should also read the user reviews.


Important: Some malware disguises itself as npf.sys, particularly when not located in the C:\Windows\System32\drivers folder. Therefore, you should check the npf.sys process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.
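
The location and signature checks described above can be scripted. The following is an added example, not code from this page or from WinPcap; it assumes the driver service is registered under the name `npf` and should be run from an elevated 64-bit PowerShell session.

```powershell
# Added example: where does the npf driver load from, and who signed it?
# Assumption: the WinPcap driver service is registered as "npf".
$expected = Join-Path $env:SystemRoot 'System32\drivers\npf.sys'

function Resolve-DriverPath([string]$PathName) {
    # Driver image paths may carry NT-style prefixes; normalise to a Win32 path.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($drv in Get-CimInstance Win32_SystemDriver -Filter "Name='npf'") {
    $path = Resolve-DriverPath $drv.PathName
    $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path }
    [pscustomobject]@{
        Service   = $drv.Name
        State     = $drv.State
        StartMode = $drv.StartMode
        Path      = $path
        InDrivers = ($path -ieq $expected)          # expected folder per the text above
        SigStatus = $sig.Status                     # 'Valid' for an intact signed file
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = if ($sig) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
    }
}

if ($report) { $report | Format-List }
else { 'No driver service named npf is registered on this system.' }

# Copies of npf.sys anywhere else under the Windows or ProgramData trees
# (for example directly in System32) deserve a closer look.
Get-ChildItem -Path $env:SystemRoot, $env:ProgramData -Filter npf.sys -Recurse -File `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ine $expected } |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'SigStatus'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
```

A service path outside the drivers folder, a `SigStatus` other than `Valid`, or an unexpected signer is the result to investigate further.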


User Comments

Part of a packet sniffer library WinPCap (here installed by a WM media capturing program WM Recorder 10)
Used by WinPcap, an open-source windows packet capturer
  David
part of WinPcap
as said before - this is part of the winPCap library - if you use Ethereal, this file is vital
  frederic
Confirm David -- installed by WinPcap
used by winPcap Pretty safe.
  Brendan
it belongs to WinPcap, a Network-Packet Sniffer (OpenSource)
  RanuKanu
If you know why WinPcap is installed, this isn't a problem. Otherwise...
  Dave
Part of the WinPcap package, is also installed by software that needs a virtual LAN
used by Ethereal via Wi Fi Defense application
Part of installed Winpcap
npf.sys on windows xp is a hijacking malware item. I removed the file from c:\windows\system32 and no longer get hijacked to an unwanted website.
Someone hacked into my server and noticed in the event viewer this: The NetGroup Packet Filter Driver service was successfully sent a start control.
npf.sys is a file of Winpcap
  Mohd Akram  
I think it's ok. I have Wireshark and I wanted to use it lately but it didn't start and now I can see that ComboFix quarantined this file.
Because of npf.sys my System (Vista) did not want to start anymore... could not repair it, so I need to install Windows completely new. (The Problem started after Windows Update on 10.03.10)
Possibly harmful - ComboFix detects it as Malware and removes it
Used by Devolo dLAN - networking via power sockets
  Dave Horton  
I have 2 now on my system in C:\Windows\System32\drivers ... my antivirus keeps saying it's blocking traffic from npf.sys.
  G. Patzkowsky  
installed with WinPcap during SADP and iVMS software from Hikvision (CCTV manufacturer)

Rating chart

Summary: Average user rating of npf.sys: based on 25 votes with 20 user comments. 15 users think npf.sys is essential for Windows or an installed application. 3 users think it's probably harmless. 3 users think it's neither essential nor dangerous. 2 users suspect danger. 2 users think npf.sys is dangerous and recommend removing it. One user is not sure about it.


Best practices for resolving npf issues

A clean and tidy computer is the key requirement for avoiding problems with npf. This means running a scan for malware, cleaning your hard drive using cleanmgr and sfc /scannow, uninstalling programs that you no longer need, checking for Autostart programs (using msconfig) and enabling Windows' Automatic Update. Always remember to perform periodic backups, or at least to set restore points.

Should you experience an actual problem, try to recall the last thing you did, or the last thing you installed before the problem appeared for the first time. Use the resmon command to identify the processes that are causing your problem. Even for serious problems, rather than reinstalling Windows, you are better off repairing your installation or, for Windows 8 and later versions, executing the DISM.exe /Online /Cleanup-image /Restorehealth command. This allows you to repair the operating system without losing data.

To help you analyze the npf.sys process on your computer, the following programs have proven to be helpful: Security Task Manager displays all running Windows tasks, including embedded hidden processes, such as keyboard and browser monitoring or Autostart entries. A unique security risk rating indicates the likelihood of the process being potential spyware, malware or a Trojan. Malwarebytes Anti-Malware detects and removes sleeping spyware, adware, Trojans, keyloggers, malware and trackers from your hard drive.
