
Quick Tip: Block unwanted sites using the Windows hosts file

By adding entries to the Windows hosts file, you can block access to specific unwanted or known malware-infested websites. Jack Wallen explains how it works.

There are so many sites out there you do not want either your employees or your family to see. There are equally many ways to stop those sites from being viewed, from a simple third-party software solution to one involving a hardware proxy. But did you know that there is a very simple solution built right into Microsoft Windows that allows you to block unwanted sites from being viewed on a Windows 7 PC? That solution is the hosts file.

Simply stated, the Windows hosts file is used to map IP addresses to human-readable names. This service is normally handled by a domain name server (DNS), but the hosts file allows you to bypass that server (when, say, DNS isn't available). More importantly, the hosts file directly controls which names the computer can and cannot resolve. To this end, a PC can be configured so that it can or cannot see a specific address. That is what I want to address: blocking unwanted addresses in the Windows hosts file.

This blog post is also available in PDF format as a TechRepublic Download. The examples and images used in this blog post refer to Windows 7. The hosts file in earlier versions of Windows can be used in a similar fashion, but the configuration may not be exactly the same.

Locating and editing the hosts file

The Windows hosts file is located (Figure A) in C:\Windows\System32\drivers\etc. In order to edit and save the hosts file, administrative rights must be used. Even if a user is logged into an account without administrative privileges, this can be overcome by following these steps:

1. Click Start | All Programs | Accessories
2. Right-click Notepad
3. Select Run as Administrator
4. Click Yes in the pop-up window

Figure A

Location of hosts file

Now that Notepad is opened with administrative rights, the hosts file can be opened and edited.

There could be one last hiccup in saving the hosts file: the file could be set to read-only. If this is the case, the file cannot be edited and saved. To get around this, follow these steps:

1. Right-click the hosts file from within Windows Explorer
2. Select Properties
3. Uncheck Read-only (Figure B)
4. Click Yes in the UAC prompt (if prompted)
5. Click OK in the Properties window to complete the process

Figure B

Uncheck read only if it is checked

Format of the hosts file

The format of the entries in the hosts file looks like this (Figure C):

IP_ADDRESS         domain name

Figure C

Format of the entries in the hosts file

That is the basic mapping from IP address to name. Each line represents a single mapping. For example, mapping an internal IP address to a hostname is done with an entry like this:

192.168.100.21   bodhi-linux

Once the file is saved, the machine at the address 192.168.100.21 can be reached using the name bodhi-linux.

Blocking Adware and/or unwanted sites

This is where the "trick" comes in. There is an address, called the loopback address, that a computer uses to refer to itself. If the loopback address is pinged, the machine being pinged is the machine doing the pinging. Make sense? The IP address of the loopback is always 127.0.0.1 (this is the case on Windows, Linux, and Mac). Using that loopback address, any unwanted domain name can be redirected back to the local machine. A hosts file entry for this would look like:

127.0.0.1  unwanted.domain

Where unwanted.domain is the domain to be blocked. So what needs to be done with the hosts file is:

1. Open the hosts file with administrative privileges
2. Add an entry for every site you want to block
3. Save the hosts file
4. Set the hosts file back to read-only

There is another issue that can rear its ugly head. When saving the hosts file in Notepad, Notepad will want to append the .txt extension to the file. Make sure this doesn't happen, either by selecting All Files from the Save as type drop-down or by renaming the file from hosts.txt to hosts from within Explorer.

Another trick

Say there are sites employees are forbidden to visit (Facebook, eBay, etc.). To make sure the employees are always aware of the policy, you can set up a Web server that all unwanted URLs are directed to. On that Web server you would publish the company policy regarding unwanted Web surfing. To set this up in the hosts file, add a line similar to the one below (assuming the Web server is at address 192.168.100.21):

192.168.100.21   unwanted.domain

Where unwanted.domain is the actual domain to be redirected. Now, when a user goes to unwanted.domain, that user will be automatically directed to 192.168.100.21, which will display the policy.
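As an added example (not code from the article or its author), the following Python script does the bookkeeping that the "Format of the hosts file", "Blocking Adware and/or unwanted sites" and "Another trick" sections describe: it parses a hosts file, validates every address and hostname, appends 127.0.0.1 block entries or 192.168.100.21 redirect entries without duplicating lines, refuses to silently overwrite a name that already maps somewhere else (such as a LAN host like bodhi-linux), and checks that the saved file is named exactly hosts rather than hosts.txt. The sample hosts content, the domain names ending in .example and all function names are constructed for this example. One caveat the article does not spell out: hosts files have no wildcard support, so every full hostname to be blocked must be listed individually.

```python
"""Build, merge and sanity-check Windows hosts-file entries.

Added example for this article; not TechRepublic's or the author's code.
The sample hosts content below is constructed for the demonstration.
"""
import ipaddress
import ntpath
import re
from typing import Dict, List, Tuple

LOOPBACK = "127.0.0.1"                                  # address the article uses to "block" a name
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"    # location given in the article

# One hostname label: 1-63 chars of letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample hosts file content (not taken from a real system).
SAMPLE_HOSTS = """\
# sample hosts file -- comment lines are ignored
127.0.0.1       localhost
192.168.100.21  bodhi-linux        # internal machine, as in the article
127.0.0.1       ads.example        # already blocked
"""


def valid_hostname(name: str) -> bool:
    """True if every dot-separated label of `name` is a valid hostname label."""
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [names]) per mapping line; blanks and '#' comments are skipped.

    A malformed IP or hostname raises ValueError, so a typo is caught
    before anything is written to the real file.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected 'IP name [name ...]', got {raw!r}")
        ip, names = parts[0], parts[1:]
        ipaddress.ip_address(ip)                       # ValueError if not a valid IPv4/IPv6 address
        for name in names:
            if not valid_hostname(name):
                raise ValueError(f"line {lineno}: invalid hostname {name!r}")
        entries.append((ip, [n.lower() for n in names]))
    return entries


def name_map(entries: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Hostname -> list of IPs it is mapped to (more than one means the file is ambiguous)."""
    mapping: Dict[str, List[str]] = {}
    for ip, names in entries:
        for name in names:
            ips = mapping.setdefault(name, [])
            if ip not in ips:
                ips.append(ip)
    return mapping


def add_entries(text: str, domains: List[str], target: str = LOOPBACK) -> Tuple[str, List[str]]:
    """Append '<target>\\t<domain>' lines for domains not already mapped.

    Returns (new_text, conflicts). A domain already mapped to a different
    address is left alone and reported, never silently overridden; a domain
    already mapped to `target` is not duplicated. No wildcards: list each name.
    """
    ipaddress.ip_address(target)                       # validate the block/redirect target too
    mapping = name_map(parse_hosts(text))
    lines = text.rstrip("\n").splitlines()
    conflicts: List[str] = []
    for domain in domains:
        domain = domain.lower()
        if not valid_hostname(domain):
            raise ValueError(f"invalid domain {domain!r}")
        existing = mapping.get(domain, [])
        if existing and existing != [target]:
            conflicts.append(f"{domain} is already mapped to {', '.join(existing)}")
            continue
        if existing:                                   # already points at target: nothing to add
            continue
        lines.append(f"{target}\t{domain}")
        mapping[domain] = [target]
    return "\n".join(lines) + "\n", conflicts


def hosts_filename_ok(path: str) -> bool:
    """Catch the Notepad pitfall from the article: the file must be named exactly 'hosts'."""
    return ntpath.basename(path) == "hosts"


if __name__ == "__main__":
    blocked, problems = add_entries(SAMPLE_HOSTS, ["ads.example", "tracker.example", "bodhi-linux"])
    print(blocked)
    print("conflicts:", problems)
    redirected, _ = add_entries(SAMPLE_HOSTS, ["social.example"], target="192.168.100.21")
    print(redirected)
    print(hosts_filename_ok(HOSTS_PATH), hosts_filename_ok(HOSTS_PATH + ".txt"))
```

Run it against the sample first, then feed it the text read from C:\Windows\System32\drivers\etc\hosts and write the result back with the administrative rights and read-only handling the article describes. Returning conflicts instead of overriding them is what keeps a typo in a blocklist from knocking out an internal host name that the file also serves.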

Pre-set hosts file

For those who do not want to go through and add a ton of unwanted adware sites and other malicious sites to the hosts file on every PC in an organization, this file can be downloaded, unzipped, and put in place of the current hosts file on each PC. Once that file is unzipped, make sure to look it over and make any necessary additions before putting it into place.

Final thoughts

There are so many ways to block unwanted sites, but it's nice to know the task can be done without having to rely on third-party software. Windows' use of the hosts file makes for a very flexible tool to fine-tune what sites a computer can and cannot access.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

38 comments
Gis Bun

OK. First, I'm not sure if mentioned but it is still good to back up the hosts file. Hosts files can only go so far. Other ways are to add sites to the restricted zone in your browser. Use the route command to block some sites. I have blocked the "Russian Business Network" but nothing else with this method. Some premium home routers have the option to block sites as well. A business should be blocking from their firewall. Ridiculous to update hosts files manually. Some free DNS services automatically block known bad sites and you can add to it. In comparison, your typical ISP will do diddly squat with their DNS.

maj37

The hosts file is probably as old as TCP/IP. Yes it is built into Windows 7, it is also built into Windows XP, and earlier versions as well as every OS I have ever worked with that uses TCP/IP. Whether using it to block sites you don't want people visiting is a good idea or not, this might work as long as you don't have a moderately savvy user. maj

learn4ever

But not on a domain with DNS... never. Too hard to maintain on 500+ PC's across 8 sites in our forest as well.

transluc

This is a trick I used 20 years ago to block ad sites, and I still do. I get irritated when using my wife's PC as she does not want me to modify the hosts file. Viewing ads is a complete waste of time. Stan

aiellenon

Check out http://hostsfile.org/pac.html; it will give you all the info you need. It also has a massive hosts file so you don't need to make your own. ----------------- Posted from my Notion Ink Adam

Spexi

It has most of the features a user may ask for, able to download from your own preferred sources beyond those that are already defined within the software like MVPS, hpHosts etc. Perhaps the editors could be even more improved and developed to support more sources and fix some bugs. Otherwise the concept is really easy to use and has the features a user will need. Automatic download, merging the hostnames, searching for duplicates, optimization and a reasonably simple-to-use text editor... Only one problem that might happen after a while for some users, like for many of these tools that people "set and forget": four months later... Why does Google block me out from this site? Aha, a new censorship with blocked content once again. Google IS Bad :D

jwronski

When users (don't) see all the blocked ads on otherwise reputable sites, they'll be calling for support.

sura.jan

to block many of the bad addresses - using the Immunize function - it adds them to the hosts file. Then install and use Microsoft Fiddler to find all addresses with annoying ads, to add them also to the hosts file. Fiddler shows all the Internet communication and you can easily find out which of them is the bad address (you can also try it and delete it from the hosts file).

DosHog

Hostman is listed on the MVPS site; I've been using it for over a year now. It has my hosts file at just under 3 MB and can be turned off easily to get to a site that is banned or needs one of the banned sites as a jumping point. You can find it at abelhadigital.com

Oh Boy!

S&D automatically adds websites to the hosts file.

blaqwolf

I have used the pre-set file from the link mentioned for years, first while deployed to speed up my personal laptop and then later to help guard against malware on Army machines. I have no proof, but I don't remember getting any malware on the machines that had that hosts file on them, and most users seemed to think the 'net was faster. As mentioned earlier, it is also great for using at the house to speed up connections between systems on your network. I agree with the DNS server issue, but it is still another layer of defense against not only malware but crapware and all those annoying ads out there. Good old-school tip that most people don't remember anymore.

glnz

Don't Spybot S&D ("Immunize") and SpywareBlaster do this? Or does this article add something? Thanks.

ian

I think he is talking about the zip file mentioned at the end of the article, but there is no link to it. I downloaded the one mentioned by Basil, http://www.mvps.org/winhelp2002/hosts.htm, and it looks like it has most of them. One more question: can we get rid of a whole domain or must we specify subdomains? For instance: adsmax.com instead of allchix.adsmax.com and www2.adsmax.com

tjohnson

This has dangers if it is done without a good understanding by all concerned parties. I worked with a company where someone had set up their computers with a hosts file directory many years ago. Problem was, no one there was aware of this, and as computers were added, moved, and changed, the files became outdated and broke communications between certain machines. I found the culprit fairly quickly, but it cost the company a great deal of downtime, frustration, and eventually, of course, my own fees to resolve this.

basil.cinnamon

A couple of tips: go to http://www.mvps.org/winhelp2002/hosts.htm and download their hosts.zip; that will contain most unwanted sites. You can then add your own. As well, it is useful to add allowed addresses for named PCs on your LAN, e.g. 192.168.1.10 Sarah. That will redirect any call to the PC named Sarah to that IP. This gets around thorny name issues like WINS, DNS, DHCP, NetBIOS, NetBEUI, etc. that supposedly provide name-to-IP mappings but often do not work properly.

ian

My hosts file is just like the example - empty. What is the best way to populate this with relevant sites? I was thinking maybe copying the DNS to a notepad, weeding through it and then adding sites to hosts. Is there an easier way? How do I access the DNS to copy data from there? Does this only work for the Internet or for email too (using Outlook)? Thanks.

kburrows

Why not just create a www record in the DNS and point it to the loopback address? Quick and easy way to block sites without having to go to each machine and edit a buried file.

Craig_B

You need two parts to scale this: a GPO and a batch file on a network share. GPO: Computer Configuration - Policies - Windows Settings - Scripts - Startup - enter the file path \\ServerName\ShareName\HostCopy.cmd, for example. Batch file (HostCopy.cmd): xcopy /D /y "\\ServerName\ShareName\HostCopy.cmd" "%SystemRoot%\system32\drivers\etc\" Upon bootup (or reboot) the hosts files will get updated. You have to do this at boot so that the batch file has the permissions to write to the system folder.

nate.irvin

This is a perfectly serviceable way of blocking some unnecessary/inappropriate traffic. However, there are a few problems. For this to work, all but the sysadmins have to be locked out of the hosts file. This is of course feasible, but there are legitimate uses of the hosts file that it might not be good to take away from users. It doesn't seem scalable. For a couple of machines, sure, no problem, but when you're having to update this file on dozens or even hundreds of boxes, and still preserve the permissions lock-down, and make sure all the boxes have the same file ... well, this starts to sound like the kind of complexity you *want* a third-party app to manage. One drawback that probably doesn't matter in a whole lot of cases is that this won't stop any request that uses an explicit IP address. So it would have less effect against, say, a chat application.

Mark W. Kaelin

Have you used the Windows hosts file in this manner? How effective is it?

Gis Bun

The problem with someone else's hosts file is that they may block some site that you don't want blocked.

Who Am I Really

It does nothing to prohibit access to normal sites that network admins might want to block - YouTube, Facebook, etc.

Who Am I Really

This morning's immunizations brought the total of "Bad Sites" up to 14,877. That's a heavy load on the hosts file; a heavy hosts file always seemed to crash the DNS Client service on any system that I've ever immunized (especially Win2K / XP). Immunization is handy for a home user / SOHO / workgroup setup, but there should really be no need in a properly configured domain environment.

mj5410

Spybot S&D does put these entries into this file.

tjohnson

Typically here: C:\Windows\System32\drivers\etc

learn4ever

... don't fix it. Let DNS do its job.

Justin James

If I have GPO, I have a DNS server... and I can just do it at the DNS server and be done with it. J.Ja

Justin James

If you have a network where all the desktops are resolving stuff against your ISP's DNS server, I guess this is OK. Not terribly scalable. But as soon as you have a DNS server locally, DON'T DO THIS. Just override the entries on your DNS server. Honestly though, this is really a jury-rigged way of doing things. Do you REALLY want to manually maintain a list of malware/banned sites? Any firewall worth its salt can subscribe to such a list automatically, or buy the software for the clients, or buy a dedicated device or software like WebSense. In fact, for the home user or small business user, I wouldn't do this anyway! Maintaining the list is a hassle. Is your time SO WORTHLESS that maintaining the list is "cheaper" than spending a few bucks on software that does this? Especially since many browsers automatically do this kind of thing anyway... This is a solution looking for a problem. J.Ja

scpearsall

I first started playing with this years ago when I was teaching A+/Net+ to demonstrate how the loopback address works. Simply blocking some ads was the goal then. Fast forward a few years to supporting users at a large law firm. We were having serious problems with malware/spyware. Part of our solution was to modify hosts to block all known malware sites and add it to our login script to push it to all users. This has several advantages over adding the entries to DNS. Hosts is read before DNS is queried, and mobile users are protected even when they are using outside DNS servers. It does need to be updated periodically since the badware sites are always adding new sites, but we have found it to be a very effective piece of our total defense.

pgit

If you can find a URL for a listing that's updated, and doesn't move off the URL (!) you can periodically rsync it to your DNS server and have a script apply the URLs to the record. I would imagine there's a paid service to do something like this in the windows server world? I've not had to deal with windows server for some time now... :|

Craig_B

Actually, we use this configuration for another reason altogether; however, it is an easy way to update the hosts file on computers in the enterprise.

pgit

I view the hosts file as a thing you use to add to or augment a service. For one thing, it'll speed up finding a remote host: faster and less overhead than finding it over NetBIOS. Only on rare occasions, though; as folks have mentioned, you'd do this when using the ISP's DNS, or a third party like OpenDNS that you haven't gotten around to configuring yet. If there were some way to sync a current, fluid listing of the bad boys, the last thing you'd want to do is have it writing to everyone's hosts file. That's a job for your AV or firewall. So, it being an incomplete and ever-changing target, I'd save myself the labor and look elsewhere. As Jack says, this is a quick and dirty method and it does work, as well as you keep up with the listings anyway. I've seen a lot of home user-types do this. They stumble across the concept on the Internet, or hear about it from their geek nephew or similar. I just prefer to keep system files on client machines out of the mix, to the greatest degree possible.