The host file in system32 is empty what to do. Corrupted HOSTS file in C:\Windows\System32\drivers\etc folder: what should I do? Where is the hosts file

Hello, dear readers of the blog site. Today I want to talk about such a rather simple thing in my device as hosts file.

Remarkably, it lives on almost all operating systems (and therefore all computers of Internet users), from Linux to Windows 7. Another distinguishing feature is that it does not have an extension, but this is due precisely to the fact that it works it should be in any OS, which means it must be universal.

But this is not the main thing. Although he is a relic of the past, there are still plenty of ways to use Hosts for both good and bad purposes. For example, viruses and virus writers love it very much and often use it either to replace official sites with their phishing duplicates or to block the ability to update your anti-virus program.

However, network equipment needs IP-ishniks and nothing else. Therefore, a list of correspondence between the host name and its Ip address () was manually formed. Such a list was called Hosts and sent to all nodes of the local network. Everything was great until the moment when it became impossible to use such a method due to the huge number of entries contained in this file. Distributing it became problematic.

In this regard, we decided to approach this issue differently, namely, to place on the Internet a whole (domain name system) that would store all these correspondence tables and users' computers turned to the nearest of them with the question of which Ip-ishnik corresponds to the Vasya.ru domain.

At the same time, everyone safely forgot about the Hosts file, but it still had a place to be in all operating systems, except that only its content was extremely scarce. Usually there was and still is only one entry:

127.0.0.1 localhost

For some reason, this IP address (or rather the range 127.0.0.1 - 127.255.255.255) was chosen to represent the local host (private IP), i.e. the very computer you are sitting at (literally localhost - “this computer”). But, really, that's all for the old IPv4 (fourth version).

And in IPv6, which is now in use (due to the fact that the number of addresses included in the previous version is no longer enough for everyone), such an entry will look a little different:

::1 localhost

But the essence is the same. Because now both standards for specifying an IP address are still used or can be used, then in the Hosts file usually both of these lines are present. True, any gibberish can be written above them (depending on the OS used), but all those lines contain the hash symbol # (hash) at the beginning, which means that these lines are comments and should not be taken into account.

On my old Windows Vista, the Hosts file now looks like this:

# Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a "#" symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # This HOSTS file created by Dr.Web Anti-rootkit API 127.0.0.1 localhost:: 1 localhost

Record syntax very simple - first the IP address is indicated, and then, after any number of spaces (tab characters), the name of the host (computer, node or domain) is written. A separate line is used for each entry of this kind.

Here the main question arises, and what place does Hosts take now in the process of establishing correspondence between the domain names entered in the browser and those IP addresses that are hidden behind these domains? Well, as it turned out, it occupies a very important place, namely the first one. But first things first.

So, you enter the URL address () into the address bar of the browser, or follow the link from the browser bookmarks, or from any web page open in it. In any case, the browser receives from you the path to the document you want to see.

Either way, the URL will contain the domain name of the site on which the document you are interested in lies (the site in our example). However, this domain corresponds to a very specific server (maybe virtual), where this very site is hosted. And this server must must be an IP address so that it is visible on the network and can be accessed.

Your browser cannot know which IP corresponds to the domain name contained in the URL (well, unless you have enabled caching of DNS records in this very browser and this site was previously visited by you). Therefore he addressed first for clarification, specifically to the Hosts file on your computer.

If this domain is not found there (and the corresponding IP), then the browser will start torturing DNS record caching service from Windows. If earlier you accessed this domain and not much time has passed since then, then the DNS cache will give the browser this same IP address. The browser will receive it and open the document you requested.

If there are no records for this domain among the cache, then the browser will send a request to the nearest DNS server (most likely, it will be your server) and receive the required information from it. True, in this case there may be a slight delay in opening the web page you requested, but with modern Internet speeds this will be practically not noticeable.

And this happens with absolutely any request to open a document from the Internet from your computer. Do you get it? Empty Hosts does not create any problems, but if you fill it out, and even with malicious intent, it may turn out that you enter the password for your Yandex wallet not on the official website of this payment system, but on a phishing resource with a similar design (see) .

How can this be? Well, no one is immune from infection with viruses (), and a virus can easily add the IP address of a phishing resource to the Hosts and associate the domain name money.yandex.ru with it, for example. Therein lies the danger.

A fake social networking site might intercept your passwords, charge you an entry fee, or do something more creative. The saddest thing is that it is impossible to notice the substitution, because the correct domain name will show off in the address bar of the browser.

Where is the Hosts file located and how can I remove virus entries from it?

On the other hand remove the changes made by the virus from the Host file even an absolute noob in computers can. Usually the problem lies precisely in finding where this very file is located.

In older versions of Windows, such as XP or 2000, it was open to everyone and lived in system folders at the following address:

Windows\System32\drivers\etc\

You won’t believe it, but he lives at the same address in both Windows 7 and Vista, but everything is somewhat more complicated there, because following the path:

C:\Windows\System32\drivers\

You won't find the etc folders there. The developers felt that this file should not be touched by ordinary mortals in order to avoid problems.

However, the hosts file in windows 7 and vista nevertheless, there is a place to be, you just need to look for it, having received Administrator rights. Personally, I never even tried to figure out all this nonsense with rights, but for myself I found a very simple way to get around this limitation.

So, go to the menu button "Start" - "All Programs" and find the folder "Accessories" there. Labels live inside it, among which it is easy to see the Notepad. Right-click on it and from the context menu that appears, select "Run as Administrator":

Well, actually, half the work is done. Now in notepad, select "File" - "Open" from the top menu. In the standard Windows Explorer window, find the etc folder you are looking for (inside the Windows\System32\drivers\ directory), select "All Files" in the lower right corner from the drop-down list and watch with happy eyes the appearance of this top-secret file:

It will be exactly without an extension, and the rest of the crap, like hosts.txt, very often create viruses to divert your attention and confuse you in the end. For a real file, they set the "Hidden" attribute, which can be set or unchecked by simply right-clicking on the file and selecting the lowest item "Properties":

And since in Windows, by default, extensions are not displayed for registered file types (that’s why they did it - I don’t understand), then the user finds hosts.txt without seeing either its extension or the fact that there is another hosts in the same folder, but it is hidden from his eyes.

Making changes to the fake, he never achieves anything, starts tearing his hair, wringing his hands and goes to the store for a new laptop in order to finally get into his beloved Contact, which the virus blocked on the old computer. Ahh, horror.

Although, of course, the user may be advanced and enable the display of hidden and system files in the settings. In Windows Vista, for this you need to go to the "Control Panel" - "Folder Options" - the "View" tab and move the checkmark to the line "Show hidden folders and files". By the way, it would be better to uncheck the “Hide extensions…” line above:

There is very easy way to open this file. It will be enough to press the key combination Win + R on the keyboard (or select the “Run” item from the “Start” button menu), then enter the following line in the window that opens and press Enter:

Notepad %windir%\system32\drivers\etc\hosts

But it doesn't matter. We still found where this secret (for Windows 7 and vista) file is located, and we must carefully examine it for possible abuse. If the initial examination of the patient did not reveal any pathologies, then look to the page scroll area in Notepad.

Sometimes the virus makes its entries after a few hundred blank lines, thereby reducing the risk of them being detected by you. If there is no scrollbar, then everything is fine, and if there is, then use it and bring your Hosts to the form that it should have from birth, i.e. it will be enough to have only two lines in it (no one needs comments):

127.0.0.1 localhost::1 localhost

Well if address substitution in this file it is quite simple to represent, for example, it might look like this:

127.0.0.1 localhost::1 localhost 77.88.21.3 site

How, in this case, is the blocking certain sites through Hosts? Well, it's just that the domain to be blocked is assigned a private IP address of 127.0.0.1, like so:

127.0.0.1 localhost::1 localhost 127.0.0.1 vk.com 127.0.0.1 odnoklassniki.ru

Clever browser finds this match and tries to get the desired document (web page) from your own computer, which, of course, it fails and about which it will immediately inform you. By the way, this is a good way to block your children from accessing sites that you think they should not visit. Of course, you will still need to create a list of such sites or take it somewhere, but you can try it if you wish.

As I already mentioned, in ancient times, when the Internet for most users was still slow, to speed up the opening of sites, their IPs were registered in Hosts. Another thing is that these same resources periodically changed hosting and, along with it, IP addresses. And the user, forgetting about what he did six months ago to speed up the Internet, is trying in vain to understand why his favorite resources are not available to him.

How to use Hosts when transferring a site to a new hosting?

Well, and finally, I would like to talk about how, by making changes to the Hosts file, you can work with a site that has moved to a new hosting even before a new record is registered on all DNS servers (putting a new Ip address in line with your domain ). The method is very simple, but effective.

So, you are changing the host. Naturally, the IP address of your site also changes. How do they find out about it on the Internet? Everything is correct, using a network of DNS servers. By the way, you yourself will make the first and most important step by going to the control panel of your registrar and registering the addresses of the NS servers of your new host there.

It is from them that the new DNS will spread throughout the Internet. But this process is lengthy and, in the worst case scenario, it can take a couple of days. At this time, the site should be available both on the new and on the old hosting, so that users from all over the world would not be deprived of the opportunity to see it.

However, you yourself will be interested to know how, in fact, your resource feels with the new host? Check the operation of all plugins and other things. Is it really necessary to wait from several hours to two days? Because it's unbearable.

First, you can try to reset the DNS cache on your own computer, because it may prevent you from seeing your resource on a new hosting if external DNS servers have already received a new record. How to do it? Again, everything is very simple. Press the key combination Win + R on the keyboard (or select the “Run” item from the “Start” button menu), and then enter in the window that opens:

A very scary window called command prompt will open, where you will need to paste this command:

ipconfig /flushdns

The regular paste buttons in the Command Prompt window don't work, so just right-click on it and choose Paste.

After that, press "Enter", the DNS cache will be cleared on your computer and you can try to open your site again. By the way, the DNS cache can also be in the browser itself, so clear it or refresh the window while holding down the "Shift" button on the keyboard.

By the way, if you are interested, you can view the contents of the DNS cache by typing the following command at the command line:

ipconfig /displaydns

Is the site still open on the old hosting? No problem. We find the Hosts file in the way described just above and add only one line to it:

109.120.169.66 site

Where 109.120.169.66 - this will be IP address of your new hosting, followed by your site's domain name. Everything. While the rest of the world is admiring your resource on the old hosting, you have the opportunity to fix possible jambs on the engine already transferred to the new hosting. The thing is wonderful and I always use it.

Good luck to you! See you soon on the blog pages site

Using the hosts file

By managing the hosts file, you can speed up access to some sites or, conversely, restrict access to them. You can organize a redirect from one page to another site. For example, when accessing some prohibited resources, a redirect to the website of the Ministry of Internal Affairs will occur.

But a greater danger is posed by malicious software, which, having gained access to the hosts file, will use it for its malicious purposes. For example, block access to websites, social networks, or websites of antivirus software companies.

Where is the hosts file located?

As a rule, if it is a Windows operating system (NT, 2000, XP, 2003, Vista, 7, 8), the hosts file is located in the system partition on drive C. The full address looks like this: C:\Windows\System32\drivers\etc\hosts.

There is also a faster way to get to the host file. To do this, press the key combination: Win + R or "Start" → "Run". A command window will open. We enter the following command:

notepad %windir%\system32\drivers\etc\hosts

And here is the host file itself, which by default looks like this:

If there is no hosts file in this folder, then most likely the virus has changed its location in the registry key. Below is the registry key, which specifies the path to the folder with the host file:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters \DataBasePath

In addition, the hosts file can be hidden. In this case, go to "Folder Options" → "View" and set the value to "Show hidden folders, files and drives."

How to edit the hosts file?

The hosts file can be edited with any text editor. For example, in a standard Windows notepad.

Let's look at the editing options and for starters block access to the sites mentioned above: vk.com and ok.ru.

The site or sites to which you want to block access are written on a new line, first the local IP address is indicated at the beginning of the line - 127.0.0.1 .

In our case, the entry looks like this:

127.0.0.1 vk.com
127.0.0.1 ok.ru

We save the changes. Now we open the browser and try to go to vk.com or ok.ru. As you can see, the hosts file did its job, and the attempt to connect to these sites failed.

You can also redirect(make a redirect) to another site. To do this, you need to know the IP address of the site where the redirect will be made, and next to it, with a space, indicate the domain from which the redirect is being made.

The example below shows that at first I registered the IP address of the site yandex.ru (213.180.204.3), and after a space I indicated the vk.com domain.

This means that when you try to access the vk.com website, you will be redirected to yandex.ru (213.180.204.3).

To speed up the loading of the site, you need to know its IP address and domain. This data is written in the hosts file.

It would seem that everything is simple: you need to register the necessary changes in the hosts file and click "Save". But the system swears and does not allow you to save the desired changes. More precisely, it offers to save to a separate text file.

This is due to the tightening of security rules in the latest OS versions, and this makes sense, since many viruses try to write their lines here. In this case, changes are made by us, and this is done purposefully.

You need to do the following. Return to the location of the hosts file and right-click to call up the context menu, where select "Properties".

Go to the "Security" tab and select the user under whose name you work.

Agree with the security downgrade warning. Go back and save changes.

There is an easier way to edit the hosts file - using the command line. You can read.

To restore the default hosts file settings, simply copy and paste the following text:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
#space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

It's so easy and simple by editing the hosts file, you can block access to sites or redirect. That's all for today.

In the next article, I will explain how to edit the hosts file if the Windows system is locked. In addition, I will answer popular questions: "Why can't I go to Odnoklassniki?", "Why can't I go to VKontakte, mail and other sites?". Subscribe and do not miss the release of this article (the article has already been published, you can read it).

Today, quite often users of social networks like VKontakte or Odnoklassniki encounter the problem of logging into the site. The system controls this through the HOSTS file, which is located in the C:\Windows\System32\drivers\etc tree. Unfortunately, this service is most often affected by viruses. Let's try to figure out how to fix the situation.

What files are located in the C:\Windows\System32\drivers\etc directory, and what are they responsible for?

First, let's look at the files in this folder. In addition to the desired file, only four more objects should be located here. If there is something else, you can safely say that or something like that.

In terms of file functions, for example, the C:\Windows\System32\drivers\etc\services object and other files, including HOSTS, protocol, lmhosts, and networks, are responsible for some functions of a user's access to certain resources on the Web.

The one in question determines the mapping of a database of domain names to IP addresses. In addition, its use involves accelerating the user's access to the most frequently visited pages on the Internet bypassing DNS servers, as well as blocking some unwanted resources or banner links. By default, in addition to the descriptive text part, it contains the only entry of interest to us at the end of the text, namely: 127.0.0.1 localhost. Everything! There should be no more additional entries in it.

Checking the IP address of sites

If we talk about the example of the correspondence of a domain name to the real IP address of a resource, you can check it in a completely elementary way, using the standard input of the ping command on the command line, after which the URL of the checked resource is indicated separated by a space.

To get the IP of any resource, you must use the following combination: ping www.(site name).(domain ownership). For example, for the Facebook network, this would look like ping www.facebook.com. After executing the command, the desired address and statistics of the so-called ping will be displayed on the screen.

What should I do if the file is infected with a virus?

Unfortunately, it is the C:\Windows\System32\drivers\etc\HOSTS file that viruses infect most often. After that, when a user enters the same social network, he is either redirected to a clone site, or a message is generally displayed requiring payment for entry. Immediately make a reservation: not a single “social program” takes money for using the services of a resource. Hence the conclusion: this is a virus (sometimes artificial blocking, which is extremely rare).

If such a misfortune has already happened, you should first check the computer system. In some cases, you should not even use the antivirus installed on the system, because it has already missed the threat, and there is no guarantee that it will detect and remove it as a result of an on-demand scan.

It is better to run some portable utilities like Dr. Web (preferably Cure IT!) or KVRT, which doesn't even require installation. But even such powerful products do not always help, and blocking access to resources, specified in the C:\Windows\System32\drivers\etc\HOSTS file, remains and continues to work. Let's see how we can get rid of it.

Correcting file text manually

First, we go to the C:\Windows\System32\drivers\etc directory itself, after which we select our file and right-click to call up the menu with the “Open with…” command (initially, the system file itself will not be opened by double-clicking, because it does not have an extension) . Now, from the list of available programs, select the standard Notepad and look at the contents of the text.

As a rule, an infected file may contain entries like 127.0.0.1, followed by the addresses of resources of the same "social networks" (for example, 127.0.0.1 odnoklassniki.ru). This is the first sign that they were produced due to the operation of malicious code. It turns out that the control elements of the system, referring to the HOSTS file, are constantly produced when trying to access it.

The simplest fix is to delete all content and then paste the original text (it can be taken from another computer or found on the Internet). After that, you just need to save the changes (Ctrl + S) and restart the computer terminal. You can, of course, try to replace the desired file with the original one, but the system is unlikely to allow this even if you have administrator rights. In addition, this option works in about 20-30% of cases.

Problems with HOSTS and the lmhosts.sam object

The problem can often be more serious. The fact is that sometimes when you enter the C:\Windows\System32\drivers\etc directory, the HOSTS file we need is visually missing.

First, in the "Explorer" you should use the service menu, and then select the folder options, where the option to show hidden objects (files and folders) is activated. In addition, you need to remove the "birds" from the lines of hiding protected system files and extensions for registered types. Now our file is visible.

However, this is where the real problems begin. The fact is that when you try to edit or save, the system displays a message stating that the file C:\Windows\System32\drivers\etc\HOSTS is not writable. What to do in this case?

We take drastic measures - we delete the HOSTS file, preferably from the Recycle Bin. You can quickly remove it bypassing the "Recycle Bin" by pressing Shift + Del. Then we right-click on the free space of the window and select the command to create a new text file and name it hosts or HOSTS without an extension, as you wish, it does not matter. We agree with the warning of the system regarding the change of the extension and proceed to editing. As it is already clear, the next steps are similar to the previous option - just paste the original content and save the newly created document. After that, we delete the lmhosts.sam file (it is it that affects the performance of the desired host file), after which we again reboot the system.

This option will restore access to your favorite sites that were previously blocked. By the way, this method almost always works.

Instead of an afterword

As can be seen from the foregoing, it is quite easy to fix the problem with blocking Internet resources, even without having any special knowledge and skills for this. True, before you start editing the HOSTS system object, you should make sure that the standard anti-virus software check did not give anything. Some users try to use utilities like Microsoft Fix It. Please note that if there is a virus in the system, the files will be re-infected, and the corrections will be made only for a while.

Today, users of social networks such as VKontakte or Odnoklassniki often encounter a problem when it is impossible to access the site. The system controls this with the HOSTS file located in the C:\Windows\System32\drivers\etc tree.

However, this servant is just often exposed to viruses. In today's article, we will talk about how to fix this situation.

What files exist in the C:\Windows\System32\drivers\etc directory, and what are they responsible for?

First you need to pay attention to the files that are stored in this folder. In addition to the existing file, only four objects should be placed here. If there is something else, it can be argued that it is a virus or some kind of malicious file. If we consider functions, for example, the object C:\Windows\System32\drivers\etc\services and other files, including HOSTS, protocol, lmhosts and networks, they are responsible for certain functions of user access to specific resources on the Internet. HOSTS maps a database of domain names to IP addresses. Also, its use provides for accelerating access to web pages that the user visits most often, bypassing DNS servers. In addition, unwanted resources or banner links are blocked. In addition to the descriptive text part, by default it stores a single entry at the end of the text, which in this case is of interest. This is exactly: 127.0.0.1 localhost. Nothing else should be there.

Checking the IP address of sites

When considering an example of a domain name matching the site's real IP address, you can check it in a simple way. To do this, just enter ping into the command line, and then specify the URL of the resource that is being checked, separated by a space. To get the IP of any site, you should use the following combination: ping www.(resource name).(domain ownership). For example, for the social network Facebook it will look like this: ping www.facebook.com. When the command is executed and the desired address is displayed on the screen, as well as the statistics of the so-called ping.

What actions are required if a file is infected with a virus?

It is worth noting that it is the C:\Windows\System32\drivers\etc\HOSTS file that is often infected with viruses. When a user goes to the same social network, they are redirected to a clone site or a message appears in which the user is required to pay an entrance fee. It is necessary to immediately clarify: not a single social network provides for spending money for using the services of a resource. Thus, the conclusion immediately suggests itself: the system is infected with a virus. In some cases, artificial blocking occurs, which is quite rare. If this still happened, you must first carefully check the device using a virus scanner. Sometimes it makes no sense to use the program installed in the system, because it has already missed the virus, so there is no guarantee that this will not happen again. It is advisable to use portable utilities such as Dr. Web (or better Cure IT!) or KVRT. It is worth noting that these programs do not even need installation. Unfortunately, in some cases, these utilities, which are quite powerful, are unable to help deal with the problem.

Correcting file text manually

First, go to the C:\Windows\System32\drivers\etc directory itself, then select the required file. By pressing the right mouse button, you need to open a menu with the command "Open with ...". Next, from the list of available programs, you need to select the standard Notepad and familiarize yourself with the contents of the text. Usually, in an infected file, you can see entries like 127.0.0.1, after which the addresses of social networking sites are written. For example, 127.0.0.1 odnoklassniki.ru. This is already a sign that they were created as a result of running malicious code. Thus, it turns out that the system controls permanently block the site when you try to enter it, referring to the HOSTS file. The easiest way to get rid of this problem is to delete the content the next time you insert the original text. Then you need to save the received changes using the key combination Ctrl + S, and reboot the computer. It is also possible to replace the desired file with the original one, however, most likely, the system will not allow this even if you have administrator rights. In addition, this method is effective only in 20-30% of cases.

Problems with hidden HOSTS file and lmhosts.sam object

Just want to note that such problems can be quite serious. The thing is that in some cases, when entering the C:\Windows\System32\drivers\etc directory, the HOSTS file required by the user is visually observed. In this case, you must first visit the "Explorer" and apply the service menu, and then select the folder options, where the option to show hidden objects is used. You should also uncheck the lines for hiding protected files, as well as extensions for registered types. After that, the object can be visually detected.

True, everything is not so simple here, because it is after this that the real problems begin. So, when you try to edit or save, the system displays a message that the file C:\Windows\System32\drivers\etc\HOSTS is not writable. What actions should be taken in this case? The drastic measures to be taken are to delete the HOSTS file. By the way, do not forget about visiting the "Basket". From there it is also desirable to remove it. If the user decides to do it quickly, without going to the "Basket", he can use the key combination Shift + Del.

You must right-click on an empty space in the window and select the command to create a new text file. You need to name it hosts or HOSTS without extension. In principle, it does not play a big role. Then you should agree with the system warning, which is associated with changing the extension, and you can start editing. It is not difficult to guess that all actions are the same as in the previous version. You only need to paste the original content and save the created document. Next, you should delete the lmhosts.sam file, which affects the performance of the desired host file. At the end, the system needs to be rebooted. This option is able to restore access to your favorite resources that were previously blocked. It is also worth noting that this method is almost always effective.

From all of the above, we can conclude that it is very easy to fix the problem that leads to the blocking of web resources. It is not necessary to have any special knowledge and skills. Although, before you start editing the HOSTS system object, you need to make sure that the standard check by anti-virus software did not work. Some users try to apply programs like Microsoft Fix It. It should be taken into account that if a virus is present in the system, the files may become infected again.

The hosts file is designed to match domain names (websites), which are written using characters, and corresponding IP addresses (for example, 145.45.32.65), which are written as four numbers. You can open any site in the browser not only after entering its name, but also after entering the IP address of this site.

On Windows, requests to the hosts file take precedence over requests to DNS servers. At the same time, the contents of this file are controlled by the computer administrator himself.

Therefore, quite often malware tries to change the contents of the hosts file. Why are they doing this?

They do this to block access to popular sites, or to redirect the user to other sites. There, at best, he will be shown an advertisement, and at worst, a fake page of a popular resource (social network, email service window, online banking service, etc.) will be opened, asking him to enter data from his account.

Thus, due to the carelessness of the user, an attacker can access the user's data and cause damage to him.

Where is the hosts file located?

The hosts file is located in the folder with the Windows operating system, usually it is the "C" drive on the user's computer.

The path to the hosts file will be:

C:\Windows\System32\drivers\etc\hosts

You can manually follow this path, or directly open the folder with the host file, using a special command.

For quick access to the file, press the key combination "Windows" + "R" on the keyboard. This will open the Run window. In the "Open" field, enter either the path to the file (see above), or one of these commands:

%systemroot%\system32\drivers\etc %WinDir%\System32\Drivers\Etc

This file does not have an extension, but it can be opened and edited with any text editor.

Default contents of the hosts file

On the Windows operating system, the "hosts" file has the following standard content:

# Copyright (c) 1993-2009 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a "#" symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost

This file is similar in content to Windows 7, Windows 8, Windows 10 operating systems.

All entries that start with the pound sign # and continue to the end of the line are largely irrelevant to Windows, as they are comments. These comments explain what this file is for.

It says here that the hosts file is for mapping IP addresses to site names. Entries in the hosts file will need to be made according to certain rules: each entry must begin on a new line, the IP address is written first, and then the site name after at least one space. Further after the pound sign (#), it will be possible to write a comment to the entry inserted into the file.

These comments do not affect the operation of the computer in any way, you can even delete all these entries, leaving only an empty file.

You can download the standard hosts file from here to install it on your computer. It can be used to replace the modified file if you don't want to edit the hosts file on your computer yourself.

What to pay attention to

If this file on your computer is no different from this standard file, then this means that there are no problems on your computer that could arise due to modification of this file by malware.

Pay special attention to the contents of the file after these lines:

# 127.0.0.1 localhost # ::1 localhost

Additional entries can be inserted into the host file, which are added here by some programs.

For example, in this image, you can see that the program has added some entries to the standard contents of the hosts file. Between the commented lines, additional entries have been inserted to perform certain actions. This was done so that during the process of installing programs on my computer, this utility would cut off unwanted software.

There may be additional lines, of this type: first a “set of numbers”, and then after a space, “site name”, added in order, for example, to disable ads in the Skype program, or block access to some site.

If you yourself did not add anything to the hosts file, and do not use the program mentioned in this article (Unchecky), then you can safely remove incomprehensible entries from the host file.

Why change the hosts file

The hosts file is modified in order to block access to a specific resource on the Internet, or in order to redirect the user to another site.

Typically, malicious code is initially executed after a program downloaded from the Internet is launched. At this point, changes are automatically made to the properties of the browser shortcut, and quite often additional lines are added to the hosts file.

To block a site (for example, the VKontakte site), lines of the following type are entered:

127.0.0.1 vk.com

For some sites, two variants of the site name can be entered with or without "www", or without this abbreviation.

You yourself can block unwanted sites on your computer by adding an entry like this to the host file:

127.0.0.1 site_name

In this entry, the IP address (127.0.0.1) is the network address of your computer. Next comes the name of the site that you need to block (for example, pikabu.ru).

As a result, after entering the name of the site, you will see a blank page from your computer, although the name of this web page will be written in the address bar of the browser. This site will be blocked on your computer.

When using a redirect, after entering the name of the desired site, a completely different site will be opened in the user's browser, usually a web page with advertising, or a fake page of a popular resource.

To redirect to another site, entries like this are added to the host file:

157.15.215.69 site_name

First comes a set of numbers - the IP address (I wrote random numbers here for an example), and then, after the space, the name of the site will be written in Latin letters, for example, vk.com or ok.ru.

The scheme of this method is something like this: bad people deliberately create a fake (fake) site, with a dedicated IP address (otherwise this method will not work). Next, an infected application gets onto the user's computer, after launching which changes are made in the hosts file.

As a result, when a user types the name of a popular site in the browser's address bar, instead of the desired site, it is redirected to a completely different site. This could be a fake social network page designed to steal user's personal data, or a site with intrusive ads. Very often, from such a fake site, there are redirects (redirects) to many other specially created pages with advertising.

How to edit the hosts file

You can change the contents of the host file yourself by editing it with a text editor. One of the easiest ways to be able to modify a file is to open the hosts file in Notepad by opening the program as an administrator.

To do this, create a shortcut to the Notepad utility on the Desktop, or run the application in standard programs that are located in the Start menu. To start, first right-click on the program shortcut, and then select "Run as administrator" from the context menu. This will open the Notepad text editor window.

C:\Windows\System32\drivers\etc

After opening the "etc" folder, you will not see the "hosts" file, as the Explorer will display text files. Select the "All Files" setting. After that, the hosts file will be displayed in this folder. You can now open the hosts file in Notepad to edit it.

After editing is complete, changes in the hosts. Please note that the file type when saving must be: "All files".

Article Conclusions

In the event that the malicious program has changed entries in the hosts file, you can replace the modified file with a standard one, or edit the contents of this file by removing unnecessary entries from there.

How to change the hosts file (video)