Windows XP not using the hosts file

dgingeri

I have a strange issue with 2 machines here that I have not been able to find a fix for. I work as computer support for a company, and have been doing support for over 11 years now. These systems simply won't use the hosts file for address lookup.

I have seen this happen before, but in those cases, it was a registry setting changed by spyware or hack. The registry setting is just fine on these. They just refuse to use the hosts file at all.

I have tried deleting and rebuilding the hosts file, no good. I tried looking for other hosts files to see if they had been redirected some other way. Found nothing. I tried searching the registry for anything else that might have redirected the hosts file location. Still, nothing.

The bad part about this is these guys are new QA people for our web sites. They regularly make changes to their hosts file to test out new sites to make sure they work right before they go live. The hosts file changes are from another machine that works just fine.

The systems are fresh builds as of last week.

Has anyone seen this before?
 
I have just tried using that same hosts info, copying from the other hosts file into my own, and the info works fine. I tried copying the file itself over (thinking of corruption in the file that notepad might not show) and that worked fine on mine as well.

I'm really racking my brain on this one. By all rights, it should work fine on these other 2 machines, but won't.
 
Check the Advanced options under TCP/IP on the network card in question. Make sure "Use LMHOSTS" is enabled.

Also, try doing "ipconfig /flushdns" then "ipconfig /registerdns"

If neither of these work, try doing a "route print" to see if you have any persistent routes set up somehow.
 
Tried the first 2. Sorry I didn't mention that. (Oddly, the LMHosts file works just fine, but not the Hosts. Unfortunately, IE looks at the DNS server before the LMHosts file, so it won't work for this use. I can add extra name resolution from the LMHosts file, but not change ones that exist on the DNS server.)

"route print" gives me nothing except a route to the gateway and out to the rest of the internet.
 
Well, my manager is contacting Microsoft and using one of our 4 pre-paid incidents we get per year thanks to our Select Agreement. Perhaps MS can figure out what is going on.
 
Don't hold your breath. I've put in a support incident for this very thing. My remote clients have trouble connecting to internal resources by name. I started using HOST files, and it works for about a week or two, and then stops doing so.
 
I haven't seen this particular issue before and we use host files frequently at work. We often have several XP Pro machines that reference 2003 Server R2 machines in the network. I know one thing that we always do is keep all firewalls shutdown. Our networks are completely isolated from the internet and all other networks. Keep us updated if you find out anything from Microsoft. Thanks.
 
LMHOSTS is for netbios name resolution, not DNS. That's why IE doesn't 'use' it.

This is correct.

Something you may try, if these people are doing testing and not needing to access anything that is NOT in your HOSTS file, is to set your DNS server to 127.0.0.1 and then run ipconfig /flushdns. I guarantee it will use the HOSTS file then. But you will get no other name resolution. We used to do this to people that we wanted to give access to specific sites and no others.
 
Well, we don't have any available MS support cases. I guess it was 4 every 3 years, not every year.

I'm going to try setting them up with virtual machines to get them through their current testing, and experiment with another system of the same model. I have found that all our recently built desktop machines are affected by this, it just doesn't matter to most users. The only reason these 2 noticed it was because they were QA users.

I have all the latest patches up through December slipstreamed into my RIS deployment image, so it might be a recent patch that is causing this. I'm going to have to look through it.
 
MS actually could not come up with anything. Their recommendation was to format the hard drive and reinstall the OS. (They actually had the balls to charge us for that garbage!)

That technically fixed it, but I still want to know what caused it. I kept the old OS drive from the affected computers, and put one of them in an identical machine. I have it powered up and it is still not looking at the hosts file.
 
Thanks for letting us know. MS haven't finished in my view; you should go back to them with your new result.
 
This is correct.

Something you may try, if these people are doing testing and not needing to access anything that is NOT in your HOSTS file, is to set your DNS server to 127.0.0.1 and then run ipconfig /flushdns. I guarantee it will use the HOSTS file then. But you will get no other name resolution. We used to do this to people that we wanted to give access to specific sites and no others.

Oh, btw, I tried this, and it still wouldn't even look at the hosts file. It would just error out that it couldn't find any web sites, even the ones we had defined in the hosts file.
 
Did you look and see if anything has hooked the Winsock stack? You might just make sure LSPFix doesn't show any hooks.
 
Had this happen before and it ended up being the way the file was formatted for us. Working fine on one machine, copied it over to another and it wouldn't work. Removed all remarks from the host file and it worked fine on that PC.
 
Had this happen before and it ended up being the way the file was formatted for us. Working fine on one machine, copied it over to another and it wouldn't work. Removed all remarks from the host file and it worked fine on that PC.

Possibly sounds like an ansi vs ascii situation. Could be the editor. I like to use PSPad for such things. It is also good to make sure nobody accidentally added a file extension to it, such as .txt, which wouldn't show if file extensions are hidden.
 
Possibly sounds like an ansi vs ascii situation. Could be the editor. I like to use PSPad for such things. It is also good to make sure nobody accidentally added a file extension to it, such as .txt, which wouldn't show if file extensions are hidden.

Hmm, along similar lines, I wonder if the file was converted to Unicode and this is preventing it from being interpreted?
I recently tried to save a character string using notepad that asked me the following:

"This file contains characters in Unicode format which will be lost if you save this file as an ANSI encoded text file. To keep the Unicode information, click Cancel below and then select one of the Unicode options from the Encoding drop down list. Continue?"

Maybe the hosts file has previously been saved as Unicode and is now permanently encoded as such.
If so, a quick fix is to create another .txt file, copy the contents of hosts file and paste it in.
Save and rename to hosts.
 
I tried deleting the file and recreating it in Notepad with just the one test line:

192.168.XX.XXX secure.XXXXX.com

It still looked up that web address at the production IP address starting with 216 instead of the 192.168 QA address.

How do I check if something hooked into the Winsock stack?
 
That's a useful page. I saw some stuff at the end that will allow me to look and see what might be causing this. I'll hook that system up again in a little bit and take a look. (I'm currently rebuilding a training machine, so that other system has been put on the back burner for now.)
 
I tried deleting the file and recreating it in Notepad with just the one test line:

192.168.XX.XXX secure.XXXXX.com

It still looked up that web address at the production IP address starting with 216 instead of the 192.168 QA address.

How do I check if something hooked into the Winsock stack?

What is the EXACT domain in the url that you are using to access the site?
HTTP://secure.XXXXX.com/whatever/the/link/is.html
HTTP://secure/whatever/the/link/is.html

I'm thinking that if you were browsing without the domain suffix (.xxxx.com), then windows is unable to resolve it because, in regards to the host file, http://secure is not the same as http://secure.xxxx.com.

So my guess is windows would try to resolve secure, and be unable to via the host file. It will then query DNS for secure, and it will probably fail as well (unless you have a record for secure). The machine will then append the domain suffix for the workstation, and if it's in the same domain as the secure host, it will resolve it. If it's not (or it can't resolve it), it will walk through the domain suffixes that you've specified in the TCP/IP options and try to resolve it using each suffix until it either succeeds or fails.

It might be worth standing up wireshark on the machine and watching it query DNS and see what it's actually trying to resolve.

I've seen this a million times. Two users next to each other, and they SWEAR that it works for one and not the other. The problem is, they got the links from different places, and one link specifies the domain name, the other doesn't. So one user can resolve it, but the other can't, and they SWEAR they're using the same link.

So double and triple check that the two machines are using the same exact link and that the link is using the same exact name for the domain name as you specified in the hosts file.
 
I'm just using ping, not a full URL. I can't reveal the full real address of the server we are trying to reach because it is an internal company resource used by our main web servers for other information. I'm not privy to all the details of how it works, since I'm not a web server admin or web page designer. I'm just the desktop support guy here.

Here is my testing sequence:
bring up Filemon.exe (sysinternals is great!)
bring up a command prompt
bring up the etc folder where the hosts file is
open hosts in notepad
edit hosts to add the QA address for secure
save the file
type "ping secure.XXXXX.com" in the command prompt

Filemon shows no program trying to access the hosts file at all during that time, or any other time. If ping doesn't see it, then IE doesn't either. That I have confirmed.

Our TCP/IP config pushed by our AD options includes adding the domain suffixes for our internal AD domain, our internal Dev domain, and our external production domain. These work properly, but it simply doesn't try looking up the address in the hosts file. Typing in "ping secure" will resolve properly to "secure.XXXXX.com" and its production address, but when "secure.XXXXX.com" is put in the hosts file with the QA address, it just won't use that address.

Also: when I put a fake server name in the hosts file, godly.XXXXX.com at the same address, and try to ping it, it just says it can't find godly.XXXXX.com. If I put it in the lmhosts file, it will find it.
 
I'm just using ping, not a full URL. I can't reveal the full real address of the server we are trying to reach because it is an internal company resource used by our main web servers for other information.

Nah, that's not what I was getting at. I wanted to make sure that in your host file AND in your URL, you are entering the SAME exact thing.

So make sure you're not entering "Server.mydomain.com" and entering "http://server" in your browser.

Here is my testing sequence:
bring up Filemon.exe (sysinternals is great!)
bring up a command prompt
bring up the etc folder where the hosts file is
open hosts in notepad
edit hosts to add the QA address for secure
save the file
type "ping secure.XXXXX.com" in the command prompt

Filemon shows no program trying to access the hosts file at all during that time, or any other time. If ping doesn't see it, then IE doesn't either. That I have confirmed.

If filemon isn't showing anything, something else is wrong. You should see notepad opening and closing the file.

I'd also double check and make sure you're not saving it as hosts.txt by accident -- notepad likes to do that. To be sure, you can just put quotes around the name when you save it.

Are you using a proxy server?
 
Oh, yeah, I'm sure I'm entering the FQDN into both the ping command and the browser. I know that's not what is going wrong.

Also, yeah, Filemon does show the notepad access for the file, and the file is named properly. (I "grew up" in the DOS days. I'm very aware, far more than most Windows users today, of the importance of file names.) I should have been clear about that. My mistake. Half the time, I'm not even changing the hosts file back because I know the machine isn't going to use it anyway. However, that is all it shows. The hosts file is not being accessed at all by the OS.

We aren't using any sort of proxy server, just NAT.

I also just ran a "netsh winsock reset" and rebooted, and it did not help.
 
I just had this problem this afternoon.
I would modify the hosts file to redirect a specific hostname to my local machine, like this:
127.0.0.1 hostA.localmachine.local
and it just wouldn't take...

After looking here and at some of the usual places for solutions (registry, etc.), I looked at the permissions on the hosts file: my userid didn't have full control on the file, and for some reason, it would let me edit it, it *looked* like it was keeping my changes, but in the end it didn't.

I added my user in the security tab of the file properties window, gave myself Full Control, and now it works.

Hope this can help someone else :)
 
Found this thread yesterday when I was dealing with the same problem. In my case it turns out that Windows 2000 had been reinstalled into an alternate directory (winnt2) and I had been editing the wrong hosts file.

You can see your system variables by typing "set" at a command prompt.
 
holy thread necro batman.

bumping a 2.5+ yr old thread? really?
 
Possibly sounds like an ansi vs ascii situation. Could be the editor. I like to use PSPad for such things. It is also good to make sure nobody accidentally added a file extension to it, such as .txt, which wouldn't show if file extensions are hidden.

FINALLY! Thank you... I never thought to check the encoding. I'm using N++ and I've even re-created it several times, but the default file format I guess was ansi, not utf. Setting my encoding to UTF fixed shtuff... thank you!
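
An added example, not part of the thread or any poster's code: a Python check over the raw bytes of a hosts file for two causes raised in the replies above, an unexpected text encoding and a queried name that is not exactly the name in the hosts entry (short name vs. FQDN). The function name `audit_hosts`, the report keys and the sample names and addresses are assumptions constructed for illustration.

```python
import codecs

# Byte-order marks that an editor's "Unicode"/"UTF-8" save options can prepend.
BOMS = [(codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be")]

def audit_hosts(raw, wanted):
    """Inspect raw hosts-file bytes for an entry that maps `wanted`."""
    report = {"encoding": "ansi", "matches": [], "near_misses": [], "findings": []}
    for bom, name in BOMS:
        if raw.startswith(bom):
            report["encoding"] = name
            report["findings"].append("byte-order mark present (%s)" % name)
            raw = raw[len(bom):]
            break
    else:
        if b"\x00" in raw:          # UTF-16 text saved without a BOM
            report["encoding"] = "utf-16-le"
            report["findings"].append("NUL bytes present, file is not single-byte text")
    codec = "latin-1" if report["encoding"] == "ansi" else report["encoding"]
    wanted = wanted.lower().rstrip(".")
    for lineno, line in enumerate(raw.decode(codec, "replace").splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop remarks, split on blanks
        if len(fields) < 2:
            continue                              # blank or comment-only line
        address, names = fields[0], [n.lower().rstrip(".") for n in fields[1:]]
        if wanted in names:
            report["matches"].append((lineno, address))
        else:
            # Same first label but a different name: "secure" vs "secure.example.test"
            for n in names:
                if n.split(".")[0] == wanted.split(".")[0]:
                    report["near_misses"].append((lineno, n))
    if len({a for _, a in report["matches"]}) > 1:
        report["findings"].append("conflicting addresses for %s" % wanted)
    if not report["matches"] and report["near_misses"]:
        report["findings"].append("no exact entry; only a differently qualified name")
    return report

# Constructed samples: reserved documentation addresses and names, not from the thread.
ANSI_SAMPLE = (b"# QA overrides\r\n"
               b"192.0.2.10  secure.example.test   # QA\r\n"
               b"192.0.2.20  www.example.test\r\n")
UTF16_SAMPLE = codecs.BOM_UTF16_LE + "192.0.2.10 secure.example.test\r\n".encode("utf-16-le")

if __name__ == "__main__":
    for data, name in ((ANSI_SAMPLE, "secure"), (UTF16_SAMPLE, "secure.example.test")):
        print(name, audit_hosts(data, name))
```

The same report is useful as a tamper check: entries for names that nobody added deliberately show up in `matches` with an address to investigate.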
 