Category: Windows XP

A common spy ware and pop-up tactic these days is hosts file poisoning.  Hosts file poisoning involves injecting new entries for Internet sites into a computer’s hosts file, so that web site requests are either rerouted to another site or simply return a “Page Not Found” error.

I first encountered this little trick when getting rid of some spyware and adware on a friend’s computer.  I tried to go to a popular anti-virus site to download the latest anti-virus definitions, and was constantly routed to another site filled with the typical pop-up ads for a variety of products.  I then did the typical things you’d do to help fix the problem, like dumping the Internet cache, cookies, and history, making sure my DNS was properly configured and working, and checking the browser’s settings.  When that didn’t work, I started looking a little bit deeper.  After a couple of minutes, I realized the problem was a bit simpler than some new form of malware.  It was an issue with the computer’s own hosts file.  For those of you who may not have messed around with the hosts file before, here’s a little background:

In the good old days before DNS was commonly used for host name resolution, computers used host files, which are simple text files, to resolve host names to IP addresses when accessing other computers or Internet sites.  These static text files contained mappings of Internet IP addresses to the destination computer’s host name or web site. When users requested access to those computers by host name, the host file was checked, and if an entry for that computer or site was found, it was resolved to an IP address, just as DNS does today.

As a holdover from those days, Windows computers still have and check the hosts file during the name resolution process. By default, the computer checks the hosts file first, before attempting to resolve the name through DNS.  If it finds an entry for the name, it uses that entry and does not try DNS.  On most computers there are no entries in the hosts file, except for the local loopback address, so name resolution proceeds normally through DNS.

A favorite tactic by those folks who send you tons of pop-ups and other annoying forms of malware is to put entries into the file, so that your computer will resolve certain names with it instead of going on to DNS.  On the computer I mentioned above, I found no less than about 100 entries in this file.  In addition to entries rerouting just about every common page you could think of, like web-based email and news sites, to other sites, the entries also rerouted popular anti-virus sites back to the computer’s own loopback address.  This would result in any attempt to get to those sites being redirected back to the computer itself and getting a “Page Not Found” error.  This meant that my friend would never be able to get updates to his anti-virus software.

The quick solution is to simply get rid of those entries and reboot, so the computer will re-read the file, but that doesn’t permanently fix the problem, of course.  It could get poisoned over and over.  So there are a few other steps you can take to make sure that this tactic can’t be used against you again.

If you don’t really have a need for the file, you could rename it to something else so it wouldn’t be read as the hosts file.  I experimented with this on a Windows XP SP2 box, and it didn’t seem to affect my name resolution.

On computers running Windows NT, 2000, XP, and 2003, this file is located in the %systemroot%\system32\drivers\etc folder. Just rename it; I wouldn’t recommend deleting it entirely, since one day you may actually have a need for it.  Then set the folder containing it to “read only” for the folder and all subfolders and files.

On the other hand, if you think you do have a need for it, at least mark the file as “read only” and change the permissions on it.  This at least may keep it from being altered by anyone except you, if you so desire.

In any case, when trying to get rid of spyware, adware, and those pesky pop-ups, I’d add checking the hosts file to my troubleshooting list, and you’ll have one more way of fighting malware!

Back in the olden days (about 4 operating systems ago!) installation alternatives were more or less limited to those of the manual kind – an endless series of clicks on a “Next” button along with many wasted hours fighting with IRQs, device drivers, and the like. The advent of more intelligent Windows versions has helped to cut down on the number of configuration issues associated with an installation. However, most users still reach for the CD and prepare for at least another boring hour of answering simple questions when an operating system installation is required. Thankfully, Windows XP includes a number of “hidden” utilities that can help you to avoid this monotonous undertaking both at home and in corporate environments.

Installation Options

While a traditional question-and-answer CD-based installation may be the simplest option for new users, Windows XP provides a set of deployment tools that allow more seasoned Windows users to automate the installation process. For example, Windows XP includes a wizard-based tool called Setup Manager than allows you to pre-create a simple text file that answers all of the questions asked during the installation process. This makes Setup Manager an invaluable tool for both home users and those who want to install Windows XP Home or Professional on a large number of machines with the least administrative effort possible. Another valuable deployment utility comes in the form the Sysprep tool. This application is aimed mainly at administrators in domain environments who want to deploy Windows XP Professional using imaging tools like Symantec Ghost. Sysprep automatically removes all of the “unique” configuration information about a machine such as its computer name and security identifiers prior to imaging. This eliminates the need to use utilities such as Ghost Walker after deploying an image to erase and reconfigure unique computer settings.

Deployment Tools

The Windows XP deployment tools can be found buried away on the Windows XP Home or Professional CD in a directory called \Support\Tools. A single file called DEPLOY.CAB includes both the Setup Manager and Sysprep utilities, as well as a variety of other tools aimed at OEM computer resellers. Most importantly, this file also includes extensive documentation on the use of these utilities in the form of Help files. In order to get started, extract the contents of the DEPLOY.CAB file to a unique directory on your hard drive. It’s not worth picking and choosing between the files to extract since multiple files are needed in some cases, such as with Sysprep.

Setup Manager

We’ll start with a look at Setup Manager since the benefits that it provides are applicable to any Windows XP user. Given that the purpose of the program is to help automate the installation of Windows XP, you obviously don’t need to be running Windows XP to use it. Simply click on the file Setupmgr.exe to start the wizard and begin the process. A summary of the steps involved in running Setup Manager is covered at the end up this article.

The Setup Manager tool prompts you to provide answers to all of the questions normally asked during the installation process, including information such as the computer name, administrator password, networking settings, and more. Ultimately, all of these settings are stored in a text file called unattend.txt, as shown below. Setup Manager also creates a helpful batch file called unattend.bat. This file should be used to launch the installation process, as it will use the unattend.txt answer file that was created by the wizard. Once launched, the installation process proceeds onscreen as normal, although when the Fully automated option is chosen, the user is not prompted for input.

Beyond simply creating new answer files, Setup Manager also provides a few additional capabilities. The first is the ability to load and edit existing answer files using the wizard interface. Although these text files can be modified manua