Are there certain specific host file entries that Windows 2008 will ignore for security purposes?

Question

While troubleshooting a network timeout/connectivity WinHTTP issue, I temporarily added a host file entry for:

127.0.0.1 ctldl.windowsupdate.com

(The server has no internet connection and the firewall was causing some extended timeouts -- I wanted to temporarily set it to a local address for it to fail immediately).

For some reason though, even after flushing DNS cache, ping attempts still go to the actual IP.

This got me to thinking: Are there certain FQDNs which Windows 2008 absolutely will not acknowledge host file entries for? Perhaps for malware/virus protection?

Just tried it on one of my Windows 2008 Servers- exactly the same behaviour- same with www.windowsupdate.com - very strange. — AliGibbs, Jul 13 '12 at 15:53

score 9 · Accepted Answer · answered Jul 13 '12 at 16:06

This has been "known" for quite a few years actually.

if you look in the dnsapi.dll (in system32) you'll see a string of hosts.

There's a

DomainScreenList:

windowsupdate.microsoft.com windowsupdate.com microsoftupdate.com download.microsoft.com update.microsoft.com

HostsScreenList:

microsoft.com www.microsoft.com support.microsoft.com wustats.microsoft.com microsoftupdate.microsoft.com office.microsoft.com msdn.microsoft.com go.microsoft.com msn.com www.msn.com msdn.com www.msdn.com

I don't believe Microsoft ever commented on it, but I guess the intent was to prevent malware and other tools from adding entries to the hosts file.

Are there certain specific host file entries that Windows 2008 will ignore for security purposes?

1 Answers1