HOSTS Query

Filthy McNasty

Is there some setting within WinXP Pro SP2 which protects the HOSTS file
from alteration? Following recent hardware problems, I took the
opportunity to re-install Windows using a slip-streamed SP2 CD. Under
SP1 I had never been able to run a successful upgrade to SP2 - too many
unidentified problems. Anyway, soon into the reinstallation - security
updates and security-related programs first - I decided to overwrite my
HOSTS with the MVPS HOSTS file. No dice. Eventually I tried Safe Mode
and succeeded. This was BEFORE installing SpyBot S&D, SpywareBlaster or
WinPatrol. ZoneAlarm free had NOT been configured to protect HOSTS.
Barring ZA, only Ewido and AVG Free were running. Both give me a clean
bill of health, so Trojans and Viruses (ii?) are not suspected.

The only other notion I had is that XP Pro has some default service
running which locks the HOSTS as in use before log-in. The problem with
that idea is that, as an experiment, in Safe Mode I renamed HOSTS so
that there was nothing to be locked. Nevertheless, on reboot, attempts
to copy MVPS HOSTS to the correct location, or to rename the previously
disabled HOSTS, failed, even though the renamed file should not have
been in use.

I have NOT tinkered with my default Services, other than to disable
Messenger and UP&P. Nor have I installed those parts of XP - IIS and the
like - which are not part of the default installation. ALL essential
security patches have been installed, plus the latest DotNet RunTimes.

Thanks for any ideas. It's only an irritation, soluble in Safe Mode, but
I like to know why things do not behave as they should.
 
Wesley Vogel

Right click HOSTS | General tab | Read-only

You can enable or disable Read-only. Read-only means that it cannot be
changed or accidentally deleted.

With the HOSTS file set to Read-only, if you make a change and try to save
it you get a message similar to this:

---------------------------
Notepad
---------------------------
The text in the C:\Documents and Settings\Wesley P. Vogel\Desktop\HOSTS file
has changed.

Do you want to save the changes?
---------------------------
Yes No Cancel
---------------------------

If you click Yes you get a message similar to this:

---------------------------
Notepad
---------------------------
Cannot create the C:\Documents and Settings\Wesley P. Vogel\Desktop\HOSTS
file.

Make sure that the path and filename are correct.
---------------------------
OK
---------------------------

If you click OK, a Save As dialog pops up with HOSTS in the File name box
and Text Documents (*.txt) in the Save as type box.

If you use mvps.bat, it has two lines...

IF EXIST %winbootdir%\HOSTS*.* ATTRIB +A -H -R -S %winbootdir%\HOSTS*.*>NUL
and
IF EXIST %windir%\SYSTEM32\DRIVERS\ETC\HOSTS*.* ATTRIB +A -H -R -S

%winbootdir%\HOSTS is for Windows 98 & ME.

The ATTRIB +A -H -R -S part sets the Archive, unsets the Hidden, Read-only
and System attributes.

Spybot - S & D has a setting that can set the Read-only attribute.

Spybot - S & D | Tools | IE Tweaks |
Lock Hosts file read-only as protection against hijackers

Note, if you manually set HOSTS to Read-only, the checkmark will appear in
Spybot - S & D and vice versa.

HOSTS File Manager changes the attributes of
%windir%\system32\drivers\etc\HOSTS to Read-only, System and Hidden.

[[Steve C sends along this tip: ZoneAlarm Pro includes an option (in the
"Firewall" section, "Main" tab, "Advanced" button) to "Lock host file",
which seems to give extremely effective protection to the HOSTS file.]]
http://www.mvps.org/winhelp2002/hostsfaq.htm#Locking

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Filthy McNasty

Whoops. Forgot to mention - Attribs Archive - Not H/R/S. ZA not locking.
SpyBot wasn't yet installed. It's a big mystery. Obviously something is
locking HOSTS at normal boot time, but isn't running in safe mode. Could
it be Ewido? There is nothing in Ewido that mentions HOSTS, but it was
the only app running bar AVG Free and ZA. Other than that it could be a
service, one of MS's recent security fixes or Media Player 10. Only
default services for XP Pro were running when I noticed this behaviour,
though I've added a few since with Diskeeper, Acrobat Reader and the
like. No apps other than Ewido, AVG Free and ZA were installed at that
point.

But thanks for the reply. My money's on MP10 or WGA, for no other reason
than that they're new. But who knows with HotFixes?
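
An added diagnostic sketch, not part of the original thread: it separates the three causes discussed here (the Read-only attribute, file permissions, and another process holding HOSTS open). The function name Test-HostsWritable is hypothetical, and the script assumes PowerShell is installed.

```powershell
# Added example (not from the thread): classify why HOSTS cannot be written.
function Test-HostsWritable {
    param(
        # Location on NT-family Windows, as given in the thread
        [string]$Path = "$env:windir\system32\drivers\etc\hosts"
    )

    function New-Result($Result, $Detail) {
        [pscustomobject]@{ Path = $Path; Result = $Result; Detail = $Detail }
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Result 'Missing' 'File does not exist'
    }

    # 1. Attributes: the flags that ATTRIB +A -H -R -S sets or clears.
    #    -Force is needed so Hidden/System files are still returned.
    $flags = (Get-Item -LiteralPath $Path -Force).Attributes
    if ($flags -band [IO.FileAttributes]::ReadOnly) {
        return New-Result 'ReadOnlyAttribute' "Attributes: $flags"
    }

    # 2. Try to open for read/write with no sharing. The exception type
    #    tells a permissions problem apart from a handle held elsewhere.
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open,
                              [IO.FileAccess]::ReadWrite, [IO.FileShare]::None)
        $fs.Close()
        return New-Result 'Writable' "Attributes: $flags"
    }
    catch [UnauthorizedAccessException] {
        # Attribute is clear, so the ACL (or a filter driver) denied the write.
        $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
        return New-Result 'AccessDenied' $acl.AccessToString
    }
    catch [IO.IOException] {
        # Sharing violation: some process or driver has the file open.
        return New-Result 'LockedByAnotherProcess' $_.Exception.GetBaseException().Message
    }
}

Test-HostsWritable | Format-List
```

Running it once in a normal boot and once in Safe Mode shows whether the result changes from LockedByAnotherProcess or AccessDenied to Writable, which narrows the cause to something loaded only at normal startup.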
 
Wesley Vogel

Why are you running two AV applications? Ewido and AVG Free.

I doubt that WMP 10 has anything to do with it.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Filthy McNasty

Using at least one appendage, the entity known in this space-time continuum
Why are you running two AV applications? Ewido and AVG Free.

Ewido, now owned by AVG's GriSoft, is billed as an Anti-Spyware tool. I
figure that they should between them cover Trojans AND Virus activity. And
as they are both from the same firm they should work together without
conflict.
 
Wesley Vogel

I did not know that.

Gotcha!

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
