Windows Host file not working?

The hosts file is not something that should be used today, especially when you’re in a domain, unless you’re using it for diagnostic purposes. Usually this file is used to allow a client to resolve an address, or to change the address that’s being resolved by the client.

DNS records should be updated

DNS should be your first port of call for this if you’re in a domain. If you don’t have access to change the DNS records, then I strongly suggest against using a hosts file.

Attack vector for malicious software

Ransomware and malware will also successfully utilize the hosts file to perform certain operations, so it’s not a particularly good thing to be using for operational reasons. However, there are a couple of cases where it is very handy.

Antivirus usually keeps its eye on the host file

The hosts file is one of those files that antivirus usually has the ability to block, which means you won’t be able to edit the file even if you elevate your command prompt to administrator level. The file is then frozen in the state it was in when the antivirus blocked all updates to it.

Host files can be a lifesaver

If you are in a consumer environment, then the hosts file can be used to block malicious websites by adding the website and then pointing it to 0.0.0.0. This will effectively render the website inaccessible from the computer you’ve done this on, which makes it a cheap alternative to security proxies and web filtering.
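As an added example (not from the original post), the PowerShell function below audits hosts-file entries, separating names blocked with 0.0.0.0 from names redirected to some other address, which is the kind of change worth reviewing when checking for tampering. The function name Get-HostsEntry and the sample entries are constructed for illustration.

```powershell
# Added example: classify hosts-file entries so blocks and redirects stand out.
function Get-HostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Drop comments and surrounding whitespace; skip empty lines
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }        # address with no host name
        $ip = $null
        $valid = [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $kind = 'Redirect'                       # name is sent to some other host
            if (-not $valid) {
                $kind = 'Invalid'                    # first field is not an IP address
            } else {
                if ([System.Net.IPAddress]::IsLoopback($ip)) { $kind = 'Loopback' }
                if ($ip.Equals([System.Net.IPAddress]::Any) -or
                    $ip.Equals([System.Net.IPAddress]::IPv6Any)) { $kind = 'Blocked' }
            }
            [pscustomobject]@{ Address = $fields[0]; Name = $name.ToLower(); Kind = $kind }
        }
    }
}

# Constructed sample content, not taken from a real machine
$sample = @'
# sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.com tracker.example.com   # blocked as described above
203.0.113.10    login.example.org
'@ -split "`r?`n"

# Entries that send a name to a non-loopback address deserve a second look
Get-HostsEntry -Lines $sample | Where-Object { $_.Kind -eq 'Redirect' }

# Against the live file:
# Get-HostsEntry -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```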

Host file does not appear to be working?

Assume you have this file excluded from the clutches of your antivirus protection, and you also have access to write to this file, which obviously will need to come from running Notepad with elevated access.

The scenario is: you’ve added some entries to the hosts file and the file has been successfully saved, but when you query a record in that file, Windows doesn’t seem to honor the records added to the hosts file.

This is the exact situation I was in that made me write this post. Obviously, in situations like this the first port of call is the event log, and more specifically the System event log, so let’s take a stroll through that.

The Error (from Event Viewer)

We know that Windows is not using the hosts file, but the event log gives you more clues. This came from the System event log for the DNS client, and the error says the file cannot be "read", as per the event below:

Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 21/08/2024 17:50:00 PM
Event ID: 1012
Level: Error
User: NETWORK SERVICE
Description: There was an error while attempting to read the local hosts file.

The XML data is not that helpful, excluding the fact that we get the PID of the process that generated the error, which was cmd.exe - this is true, I was trying a ping command.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
<EventID>1012</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2024-08-21T17:50:00.424228100Z" />
<EventRecordID>99726</EventRecordID>
<Correlation />
<Execution ProcessID="1552" ThreadID="3300" />
<Channel>System</Channel>
<Computer>HostFail</Computer>
<Security UserID="S-1-5-20" />
</System>
<EventData>
<Data Name="ErrorCode">3221225485</Data>
<Data Name="Location">0</Data>
<Data Name="Context">0</Data>
</EventData>
</Event>

Check Hosts file folder path

We now need to navigate to the hosts file location. If you do not know it, it is the path below:

C:\Windows\System32\drivers\etc

When I took a look I noticed something weird: why is there a file called hosts_orig? This is human action, so I presume someone has renamed the hosts file to that name and then copied another version from another server or location. Why?


Well, this then immediately told me this was an ACL permission issue. This is what the security should look like for the hosts file:


However, on the actual hosts file it looks like this, which means the "system" account cannot read the file:


This means none of the services will be able to read the file either; this is the cause of the issue.

Fixing this "read only" file on the ACL

This is simple to fix. Click the Advanced button and you will see this. First you need to change the Owner, so click the Change button:

You then want to choose the System account which should get you to here:


Then you need to click Apply. Once you have taken ownership, you will need to close the ACL down and reload it as per this:



When you close and reopen the Security settings, the file will then inherit the default permissions as it should:


The only permissions left are as follows:

Local Administrator : Full Control
Local Users : Read and Execute

Once these are applied, your hosts file will start working once again; to be precise, it starts working as soon as System has access to the file.
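The same diagnosis can be run from an elevated PowerShell prompt, before and after the fix. This is an added example, not part of the original post: it lists recent event 1012 entries, shows the owner and ACL of the hosts file, and reports whether each expected account holds read access. The list of expected accounts is an assumption based on the accounts named above, and the commented icacls lines are a command-line equivalent of the GUI steps rather than the author's own method.

```powershell
# Added example: confirm the symptom (event 1012) and inspect the hosts file ACL.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Recent event 1012 entries from the DNS client, with ErrorCode shown in hex
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DNS-Client'; Id = 1012 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $code = ($data | Where-Object { $_.Name -eq 'ErrorCode' }).'#text'
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ProcessId = $_.ProcessId
            ErrorCode = '0x{0:X8}' -f [uint32]$code
        }
    } | Format-Table -AutoSize

# 2. Owner and access rules currently on the hosts file
$acl = Get-Acl -LiteralPath $hosts
"Owner: $($acl.Owner)"
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 3. Does each expected principal hold an Allow rule that includes Read?
#    The SID list is an assumption; Deny rules are not evaluated here.
$read  = [System.Security.AccessControl.FileSystemRights]::Read
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$expected = [ordered]@{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
}
foreach ($sid in $expected.Keys) {
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    '{0,-15} read access: {1}' -f $expected[$sid], [bool]$hit
}

# 4. Command-line equivalent of the GUI fix (uncomment to apply):
# icacls $hosts /setowner SYSTEM     # change the owner to SYSTEM
# icacls $hosts /reset               # replace the ACL with the inherited defaults
```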



