Windows Hosts file snafu

[Belonging to Abba]

I have been using the following strategy to block web-sites where there could be temptation.

Blocking Websites Using the Windows Hosts File

This strategy involves modifying the Windows Hosts file to block web-sites. Before it required the administrator password to modify the hosts file. Because my mom has the administrator password, this means that I am not able to go back in and remove the block on web-sites that are blocked without her typing the password. Until recently. I found that if I copy the hosts file to my desktop and change it and copy it into the folder that it is originally stored in, when it asks for the Administrator password I can simply click "Skip" and it copies fine. Also, I can do it faster just by opening the hosts file in notepad from the containing folder in Windows system folder, modify it and click "save" and it will save fine without Administrator credentials.

Since I think I am using a limited account, the question is why am I allowed to modify the hosts file without the administrator password, and can I change any settings in Windows to make it more secure so that the Administator password is required upon any attempt to modify the Windows hosts file?

It is very important that the block on these specific web-sites is maintained a that I am not able to simply go in and change it with a limited account. This is important in order to stay away from temptation.

 

[Wookiee]

Are you sure your account is definitely not an administrator? You should be getting a permission denied error.

 

[Belonging to Abba]

I checked and it says "local account" not Administrator under account name under user accounts in control panel.

Also I forgot to mention that I'm using Windows 10.

 

[Wookiee]

If you go to the file (C:\Windows\System32\drivers\etc) you can try denying yourself permissions.

Right click -> Properties -> Security

Make sure "Users" only has the "Read/Execute" permissions and your user (ie DESKTOP-JFHD\Isaiah) also only has those ticked. Untick "Write" and "Modify" for your user.

It's possible when it was modified at some point the permissions also changed.

Also, just remember this can only really work as blacklist, meaning if you find something else you'd still have to add that.

Another option if you don't have it in place is to try OpenDNS... if you have a static IP address this works fairly well (and is generally better than using your ISP's DNS anyway):
Cloud Delivered Enterprise Security by OpenDNS

The new version of Edge (which is based off Chromium, so fairly usable) also has Family filter options you could try.

 

[Belonging to Abba]

I checked and the hosts file under its properties has my limited account username listed under security. However other files in the "etc" folder do not have my personal username listed. When I tried to remove my username from the host file properties I got the following error message: "You can't remove "username" because this object is inheriting permissions from its parent. To remove "username" you must prevent this object from inheriting permissions. Turn off the option for inheriting permissions and than try removing "username" again."

Another thing I am wondering about is when I had my mom type the Administrator password in order to modify the hosts file when I was using the limited account, maybe this changed the permission for all time for me to modify the hosts file with the limited account?

 

[Wookiee]

I checked and the hosts file under its properties has my limited account username listed under security. However other files in the "etc" folder do not have my personal username listed. When I tried to remove my username from the host file properties I got the following error message: "You can't remove "username" because this object is inheriting permissions from its parent. To remove "username" you must prevent this object from inheriting permissions. Turn off the option for inheriting permissions and than try removing "username" again."

So if you go back to the Security tab then click "Advanced" you should be able to click "Disable Inheritance" in the "Permissions" tab".

Also make sure your account isn't listed as "Owner" (change it to your mom's account if it is).

Another thing I am wondering about is when I had my mom type the Administrator password in order to modify the hosts file when I was using the limited account, maybe this changed the permission for all time for me to modify the hosts file with the limited account?

It shouldn't have, because when you do that, it's running it as an administrator. But I guess it could have when you saved it.

If all goes wrong, the hosts file is something you can safely delete and can recreate from your mom's account (and Windows will usually automatically recreate it if it's missing during build updates or file integrity checks anyway).

 

[Belonging to Abba]

Thanks for the info. What I am wondering about is if I go into the administrator account and make changes to the properties is there any way I could mess up the hosts file? I mean I wonder if the limited account still needs some of the permissions to read and run the hosts file and if I make the wrong selection I don't want to mess up the computer.

 

[Wookiee]

Thanks for the info. What I am wondering about is if I go into the administrator account and make changes to the properties is there any way I could mess up the hosts file? I mean I wonder if the limited account still needs some of the permissions to read and run the hosts file and if I make the wrong selection I don't want to mess up the computer.

Short answer: not really.

Basically Windows just checks the Hosts file when looking up hostnames (or web addresses) and says "Oh, christianforums.com is actually on the IP address 127.0.0.1, I'll load that up" (and 127.0.0.1 is your computer's IP). The only thing that can be broken by it being unavailable is the default entry of "127.0.0.1 localhost" and that's only if your computer is trying to look for a particular page or service on itself (which is unlikely under usual circumstances).

To make use of the hosts file properly, everything needs to be able to at least Read it, but not having a Hosts file won't permanently break anything. And there are guides for recreating it around.

 

[Belonging to Abba]

Thank you for your help. I made the changes you suggested, but some of the messages were confusing. I did find my limited username was the owner of the file. I removed this and tried to change it to Admin which is the username of the Administrator account. However Administrator and Administrators were also choices.

When I removed permissions there were two choices:
1. Convert inherited permissions into explicit permissions on this object
2. Remove all inherited permissions from this object

I chose the first choice and got this message which I said "yes" to: "You are about to change the permission settings on system folders. This can reduce the security of your computer and cause users to have problems accessing files. Do you want to continue?"

Because of having accountability software installed on the computer and also my mom holding the password to be able to use the computer, it is not very likely that I will find more web-sites that need to be added to the web-sites blocked by the Windows hosts file soon. I also did setup OpenDNS Family Shield settings to block objectionable content.

 

[Belonging to Abba]

I removed the limited account as owner and tried to change it to either Admin, Administrator, or Administrators. Now when I try to edit the hosts file while logged into Admin account, I get the following error message:
You don't have permission to save in this location. Contact the administrator to obtain permission. Would you like to save in the Documents folder instead?

 

[Belonging to Abba]

Nevermind. I found that by copying and pasting the file to Admin's desktop, that I was able to edit it and than copy and paste back into the etc folder. This changed the permission too and I think this process is how the limited user account got control of the file.

 

[Sketcher]

On a Windows machine, keep the hosts file read-only. This is so that malware can't write its own entries into it to redirect people to phishing sites. If you or your mom do need to make legitimate edits, then the administrator account should be able to modify the file's properties before and after the edit in question.

But I really don't recommend using the hosts file this way. There's always another porn site out there, as I am sure you have figured out already.

 

[Belonging to Abba]

I hope you don't mind me writing a reply after so long but we recently encountered the following problem. In order to remove the limited account from having permissions on the hosts file, I disabled inheritance when I was in Administrator account. However for some reason I managed to remove most or all of the permissions, so that practically no users can even open the file to read it. I think even the system may not have permission to read the file. I was wondering how to restore the original permissions on the hosts file?

The idea I was considering is maybe make a copy to the desktop of one of the other system files when I am in the administrator account, that using notepad copy the text that is contained in the hosts file, and then change the name of that file to hosts and copying and pasting it into the “etc” folder. Do you think this would work?

What I tried is using system restore to go back to an older restore point, but after the restore operation, the operating system became unstable and would not load at all, so I undid the restore operation.

 

[Wookiee]

Just delete it altogether, and then run an SFC scan (Use the SFC /Scannow Command to Repair Windows Files) and it should rebuild it back to default (reboot after it's finished). You can make a backup of your modified one or copy and paste the text to another place so you don't have to manually retype it.

Then the easiest thing to do is run Notepad as administrator (Right click -> Run as Administrator) and then open the Hosts file directly from its location. Then it won't screw around with permissions.

 

[Belonging to Abba]

Thank you so much for your help.