by sugarfactory 3780 days ago
I had been doing this until some time ago to block ads and to prevent Google from collecting my web browsing history via Google Analytics. During that time I witnessed a strange phenomenon. Every time I added "127.0.0.1 www.google-analytics.com" to C:\Windows\System32\Drivers\etc\hosts, I saw the line removed from the file some hours later. Although I had added tens of lines, I only saw the Google Analytics line removed. IIRC I finally decided to figure out what caused the removal. I used Filemon to watch file changes, but the line got removed again while I was watching the file and nothing appeared in the log. I suspected Ring-0 processes were secretly running and causing the removal, but I knew nothing about the Windows kernel, so I gave up there. To this day I wonder what the cause was.

Instead of Filemon I'd suggest firing up Process Monitor [1] with a filter of "path contains system32\drivers\etc\hosts" and then Filter -> Drop Filtered Events.

Let this run while you go about your normal work, then check back after you notice the change. Look through the Operation column for WriteFile or something similar, then see what Process Name did it. This'll let you figure out what's actually making the change and you can appropriately assign blame.

[1] https://technet.microsoft.com/en-us/sysinternals/processmoni...
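Alongside watching for the write with Process Monitor, it helps to know exactly which entries vanished between two snapshots of the hosts file. The following is an added example, not code from the thread: it parses two constructed snapshots of the hosts file format (comments, tabs, several names per line) and reports the mappings that disappeared, flagging the ones that were sinkhole entries such as the 127.0.0.1 line the original poster lost.

```python
"""Diff two snapshots of a hosts file and report which name->address
mappings disappeared (the symptom described in the thread)."""
from typing import List, Set, Tuple

# Addresses commonly used to sinkhole a hostname in a hosts file.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Set[Tuple[str, str]]:
    """Return the set of (hostname, address) pairs in hosts-file text.
    Handles '#' comments, tabs/multiple spaces and several names per line."""
    mappings = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or malformed line
        address, *names = fields
        for name in names:
            mappings.add((name.lower(), address))  # hostnames are case-insensitive
    return mappings


def removed_mappings(before: str, after: str) -> List[Tuple[str, str]]:
    """Mappings present in the earlier snapshot but missing from the later one."""
    return sorted(parse_hosts(before) - parse_hosts(after))


def removed_sinkholes(before: str, after: str) -> List[str]:
    """Only the hostnames whose blocking (sinkhole) entries vanished."""
    return [name for name, addr in removed_mappings(before, after)
            if addr in SINKHOLE_ADDRESSES]


# Constructed sample snapshots (not taken from any real machine) of
# C:\Windows\System32\Drivers\etc\hosts before and after the change.
HOSTS_BEFORE = """\
# constructed sample header
127.0.0.1       localhost
::1             localhost
0.0.0.0   ads.example.invalid   tracker.example.invalid  # blocked
127.0.0.1\twww.google-analytics.com
192.0.2.10      devbox.example.invalid
"""
HOSTS_AFTER = HOSTS_BEFORE.replace("127.0.0.1\twww.google-analytics.com\n", "")

if __name__ == "__main__":
    for name, addr in removed_mappings(HOSTS_BEFORE, HOSTS_AFTER):
        print(f"removed: {addr} {name}")
```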

On the subject of Sysinternals Process Monitor: did you know procmon.exe REQUIRES the Workstation service to be running in order to start? It uses it to enumerate something and will silently die without it. This is not documented anywhere and pretty bogus.

Older versions worked fine without this service. It was silently added somewhere between win7 and win8 releases.

Hmm, interesting. No I didn't... I'll poke with this and maybe open a Premier ticket on it.
Some security products (like Windows Defender) as well as some VPN applications are known to modify the hosts file. Might be worth checking out.

Also see: http://security.stackexchange.com/questions/6883/something-i...

Did you have local Google services running, like the Google Updater (afaik it also comes with Chrome)? Google also adds some entries into the task planner; you can also check there what is getting called.

Though I believe you should have seen something in Filemon.

I thought I had similar, we use Junos Pulse and it rewrites your /etc/hosts file. I think it takes a backup at some point and rebuilds the file from that when it needs to. This means some local changes just disappear. Nothing sinister though afaik.
Probably anti-virus software preventing malware from hijacking google analytics.
Hopefully all the child posts will see this too.

To edit the hosts file, you need to have admin privileges. That means closing whatever editor you're using, reopening it with 'run as administrator', and then opening the hosts file. You need to do this even if you are on an admin account.

Another way to do it is to open the hosts file under normal editing privileges, editing it, saving it somewhere else, and pasting it into the drivers folder. The system will ask you if you want to run as admin, and you need to say 'yes'.

Nothing could (or should, I guess) be changing the hosts file otherwise (AFAIK, my source being many, many SO posts and random forums) without it being given explicit admin privileges when it attempts to change the file.

Just put the entries in the "hosts" file at router-level (e.g. using OpenWRT).
And duct tape said router to your laptop so you can take it with you every where you go?
Running a local dnsmasq server is effectively the same thing.
Yup. You could also use something like PeerBlock which gives you a little easier control.
In Win10 fontdrvhost.exe tries to modify Windows Firewall rules every single day to whitelist itself :o

```
A change was made to the Windows Firewall exception list. A rule was added.

Profile Changed: All

Added Rule:
    Rule ID:   {59F33BF3-EAFF-424C-BB26-C2DF4A709398}
    Rule Name: Usermode Font Driver Host
```

Why would a simple Usermode Font Driver Host need internet access??!?!

binisoft.org Windows Firewall Control has an option to safeguard firewall rules and automagically deletes all unauthorized (by the only person that matters - ME) rules.

Wow, really? Can anyone back up a similar story? That's really interesting if so.
Mine is the reverse. I have this line added to /etc/hosts on my Mac, a local A record I want to play with. Now I am done with my project, and I wanted to remove the A record. I keep rebooting and that line persists. God knows why.
Honest question: why use 127.0.0.1 instead of 0.0.0.0?

EDIT: Now I've read the discussion below regarding this matter. No need to answer, I guess. I asked before reading all the comments, sorry.

Assuming you meant why not: "Using 0.0.0.0 is faster because you don't have to wait for a timeout. It also does not interfere with a web server that may be running on the local PC."
He said he used 127.0.0.1 for google analytics. I was asking why he used 127.0.0.1 and not 0.0.0.0, exactly for the reasons you wrote. Sorry if that wasn't clear.
Maybe ad-malware?