Windows 10 hosts file used by another process

There are a few other question with this same title but they do not solve my problem, so I am opening another one.

I have set the permission for the "hosts" file to full access for the current user. I have even taken the ownership. Current user is in Administrators group.
I have turned off UAC.

I have removed read only permission from the file.

C:\Windows\System32\drivers\etc>attrib hosts
A            C:\Windows\System32\drivers\etc\hosts

I have disabled my Panada Antivirus. I have also stopped 3 panda services from Services palette.
I open an elevated Command Line (run as Administrator). Run Notepad and change the file. When I try to save the file I receive the following error:

"The process cannot access the file because it is being used by another process.
I check the file using "Unlocker" and the software says there is no active lock on the file.

Can anyone help?

wmac

Posted 2015-09-04T16:45:29.117

Reputation: 1 047

1Most of the time disabling an AV isn't entirely sufficient. I suggest you, uninstall Panda Antivirus, then try to edit the hosts file. – Ramhound – 2015-09-04T16:50:28.977

2Find out which process is locking a file or folder in Windows – DavidPostill – 2015-09-04T17:09:27.523

1David, as I mentioned Unlocker says no one has locked it. Process explorer finds no handle attached to the file. – wmac – 2015-09-04T20:14:53.183

Removing Panda did not work either. It is very strange. – wmac – 2015-09-04T22:00:06.493

Answers

I could eventually find the culprit. It was a program called "Tiny Firewall" (a windows firewall rule management software) that caused the problem.

I am not exactly sure what does it do to the hosts file because none of the available software could show a lock on the file. I could find that it is somehow involved with the file using process monitor (Sysinternals). I quit the UI and stopped the process (would not allow to stop, killed the process-tree and set to manual service).

P.S.: This is a feature of Tiny Firewall (protection of hosts file) and you can simply turn it off from its settings.

wmac

Posted 2015-09-04T16:45:29.117

Reputation: 1 047

I had the same issue, my hosts file was locked by ZoneAlarm Firewall. To solve it, i had to uncheck [X] Lock Hosts File in ZoneAlarm settings

Jossef Harush

Posted 2015-09-04T16:45:29.117

Reputation: 829

4In ZoneAlarm 15, it will not work to simply turn the firewall off - You have to select Firewall/Basic Firewall/Settings/Advanced Settings - then uncheck Lock hosts file. – Gene – 2016-11-17T20:31:50.770

Thank you - I have been "destroying" Windows security settings to be able to edit this file. So, thanks to ZA I am probably MUCH worse off (aka how to restore "TrustedInstaller" as owner - my earlier solution that worked over a year ago (last time I edited hosts). Sigh! Again - Thanks!! – Michael Felt – 2017-02-20T07:32:18.547

Just came across and solved this issue, after a little faffing, so thought I'd offer notes.

I used SysInternals Process Explorer, Run as Administrator, to find the process that was locking the file (by using Find > Find Handle or DLL). Note that when I ran it without Administrator permissions it couldn't see the system-level WRSA process.

In my case it was WRSA.exe, which is Webroot Secure Anywhere. Disabling the protection unlocked the file and I was able to overwrite it easily. In some versions of webroot you will have to open "Advanced Settings > Shields" and un-check the option for blocking edits to the hosts file.

It's completely right that anti-virus software should protect files such as hosts, of course. Malware loves that sort of thing.

Mark Rendle

Posted 2015-09-04T16:45:29.117

Reputation: 263

You are life saver! I had the Webroot block. Nothing had worked until your solution! Thanks! – IrfanClemson – 2018-06-04T17:51:16.507

In my case, HOSTS file was constantly locked by svchost.exe !

The problem started since I have used the tool HostsMan. It had filled the HOSTS file with about 18 MBs of DNS numbers and domains. And my PC was suddenly offline.

So, with the tool Process Explorer, I searched for "etc\HOSTS". When you click on one entry in the search results, the corresponding locking process is highlighted in brown colour. So I found out, that HOSTS file had been locked by the process svchost.exe and sometimes by other processes as well. I waited until no other process than svchost.exe had been locking HOSTS. Then I killed the process tree of that concerning svhosts.exe! Within the few seconds, while that svhosts.exe process had not yet restarted (thus HOSTS was temporaily unlocked), I finally managed to rename HOSTS manually into anything else like "HOSTS000". Then I renamed the neighbouring file "HOSTS.back" (which is the backup with the default content) into HOSTS. Problem solved! I suddenly was online again.

Check the picture below for the DNS filters, which I had activated. I guess, Windows 10 simply was overloaded with all those 50 thousands of domain names saved into the HOSTS file.

gloschtla

Posted 2015-09-04T16:45:29.117

Reputation: 73