Access Denied When Editing Hosts File After Virus Has Been Removed and CACLS
As is so often the case, the computer was needed back as quickly as possible so I immediately started on my routine of scouring the system for viruses and getting them removed.
While there were several instances of the infections, a common occurrence, I was able to remove them and had the system seemingly running fine within a day.
She picked up the computer and all seemed to be well.
A few days later, though, she called me to tell me that while the computer was running just fine, she could not seem to get to any of the major search engines.
She was going on vacation and, as it turned out, I was unable to look at the system until she returned.
It is not uncommon for a virus to leave some residual effects even though the virus has been removed and knowing this, I figured that there must have been an edit made to the hosts file.
The hosts file is a plain text file, editable with any text editor, that is typically found in the computer's windows\system32\drivers\etc directory.
This file overrides DNS lookups: any host name listed in it is resolved to the address given on that line, without the system ever querying a DNS server.
There are a lot of advantages to this, but one of the big disadvantages is that if the file contains inaccurate information about a domain, your web browser will not find it.
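To make the point concrete, here is an added example (not code from the original post) that parses a hosts file and flags the kind of entry a DNS-hijacking infection leaves behind: any name other than localhost that is mapped somewhere other than the loopback address. The sample file content is constructed for illustration, and the 192.0.2.10 address is a documentation-range placeholder, not a real attacker address.

```powershell
# Added example, not from the original post: inspect a hosts file for entries
# that redirect domains away from loopback. Sample content below is constructed.

$SampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# lines like the following are what a hosts-file hijack typically adds
192.0.2.10      www.google.com
192.0.2.10      www.bing.com
192.0.2.10      search.yahoo.com
'@

function Get-HostsEntries {
    # Turn raw hosts lines into (Address, HostName) objects, one per host name.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # drop trailing comments and surrounding whitespace
        $clean = ($line -split '#', 2)[0].Trim()
        if ($clean -eq '') { continue }
        $fields = $clean -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $ip; HostName = $name }
        }
    }
}

function Test-SuspiciousHostsEntry {
    # True when the entry maps a name somewhere other than loopback.
    param([Parameter(Mandatory)][pscustomobject]$Entry)
    $loopback = @('127.0.0.1', '::1')
    # localhost -> loopback is the only entry a stock Windows hosts file needs
    if ($Entry.HostName -eq 'localhost' -and $Entry.Address -in $loopback) { return $false }
    return ($Entry.Address -notin $loopback)
}

function Find-SuspiciousHostsEntries {
    # Reads the live hosts file unless -Content is supplied (used for the sample here).
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
          [string[]]$Content)
    if (-not $Content) { $Content = Get-Content -LiteralPath $Path }
    Get-HostsEntries -Lines $Content | Where-Object { Test-SuspiciousHostsEntry -Entry $_ }
}

# Run against the constructed sample; on a real machine omit -Content to read the live file.
Find-SuspiciousHostsEntries -Content ($SampleHosts -split "`r?`n") | Format-Table -AutoSize
```

On the sample above the three search-engine lines are reported and the two localhost lines are not. Note that deliberate blocking entries (names mapped to 0.0.0.0, as some ad-blocking hosts lists do) are also reported, because the check only asks whether a name has been pointed away from loopback; deciding whether such a mapping is wanted is still the operator's call.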
When I got my hands on her computer, I immediately went looking for a hosts file and lo and behold, it was gone.
I then attempted to copy a virgin hosts file to the computer and was told that I could not as the file already existed.
I checked to make sure that the file options showed hidden files but the hosts file still did not show up.
I then unchecked the box for hiding protected operating system files and voila - there was the hidden "hosts" file.
Now the fun begins.
Since this is a system file now, how do I edit it? Even as an administrator, the operating system will not let you make changes to it.
Luckily Microsoft has included a utility called "CACLS.EXE" which allows you to re-assign permissions on files - even system files.
Now, this is not a utility that I recommend that you go hog-wild with as there is a very good reason for files being set as system files.
However, if you know that a file should not be a system file, this is the perfect utility to use to change things back.
Once I used the cacls command, I was able to edit the file.
The virus had made bogus entries for Google, Yahoo, Bing and a few others and once I removed these entries from the hosts file, all was well.
Now, there is plenty of documentation out there talking about the different command line parameters and what they do, so it's pointless for me to go into it here.
What it does seem, however, is that not many people knew the exact syntax needed in this particular case, so I'm going to share the exact command here so that, should you run into the same problem, you don't have to go through trial and error.
The command is as follows (you will want to substitute the "marc" with the administrative username that you are logged in as):

cacls c:\windows\system32\drivers\etc\hosts /p marc:f

This command will now give you complete control of the hosts file.
It is possible that the file might be set to read only, System and Hidden so you will need to change the attributes with the following command:

attrib -r -h -s c:\windows\system32\drivers\etc\hosts

This will make the file writable.
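The two commands above, wrapped in an added PowerShell example (not the post's own code) that adds the steps a practitioner would want around them: a backup before anything is touched, a look at the current attributes and ACL, the attribute reset, and the permission grant. Two caveats are worth knowing. First, cacls is deprecated; icacls is the supported replacement and is used here. Second, cacls with /p and without /e replaces the file's whole ACL with the single entry you give it, so SYSTEM and Administrators lose their explicit entries; icacls /grant adds an entry instead. The account name, the backup naming and the Remove-HostsNames helper are this example's own assumptions. Run it from an elevated (Administrator) prompt.

```powershell
# Added example, not from the original post: the attrib/cacls steps with a backup,
# using icacls in place of the deprecated cacls. Run elevated.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# stands in for the "marc" in the post: the admin account you are logged on as
$Account   = "$env:USERDOMAIN\$env:USERNAME"

function Show-HostsState {
    # Print the file's attributes and ACL without changing anything.
    param([string]$Path = $HostsPath)
    # -Force is required, or Get-Item will not see a Hidden+System file at all
    $item = Get-Item -LiteralPath $Path -Force
    Write-Host "Attributes: $($item.Attributes)"
    # icacls with just a path lists the current ACL
    icacls $Path
}

function Unlock-HostsFile {
    # Back the file up, clear Read-only/Hidden/System, and grant full control.
    param([string]$Path = $HostsPath, [string]$User = $Account)
    $backup = "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"   # assumed naming scheme
    Copy-Item -LiteralPath $Path -Destination $backup -Force
    Write-Host "Backup written to $backup"

    # same as the post's: attrib -r -h -s <path>
    attrib -r -h -s $Path

    # counterpart of the post's 'cacls <path> /p user:f'; /grant ADDS an ACE rather
    # than replacing the whole ACL, so existing SYSTEM/Administrators entries survive
    icacls $Path /grant "${User}:F"
    return $backup
}

function Remove-HostsNames {
    # Drop every hosts line whose host name is one of the given names.
    param([string]$Path = $HostsPath,
          [Parameter(Mandatory)][string[]]$HostNames)
    $escaped = ($HostNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # address, whitespace, then one of the names as the next token
    $pattern = '^\s*\S+\s+(' + $escaped + ')(\s|$)'
    $kept = Get-Content -LiteralPath $Path | Where-Object { $_ -notmatch $pattern }
    Set-Content -LiteralPath $Path -Value $kept -Encoding ASCII
}

function Protect-HostsFile {
    # Optional: set the file read-only again once editing is done.
    param([string]$Path = $HostsPath)
    attrib +r $Path
}

# Example session (uncomment to run):
# Show-HostsState
# $bak = Unlock-HostsFile
# Remove-HostsNames -HostNames 'www.google.com', 'www.bing.com', 'search.yahoo.com'
# Show-HostsState
# Protect-HostsFile
```

Remove-HostsNames matches whole lines by the first host name after the address, so a line that lists several names on one line is removed as a unit; review the backup if that matters. Set-Content writes ASCII on purpose, since the hosts file parser does not expect a Unicode byte-order mark.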
I hope this is helpful to those of you that are running into this problem.
And, as always, if you need any help, please do not hesitate to contact me! Good luck!