tmaususer


Access denied when using xcopy to overwrite hosts file

I want a batch file to copy two files. I want to place an updated copy of the 'hosts' and 'lmhosts.sam' files to the c:Windows\System32\drivers\etc\ directory. The lmhosts.sam file will copy fine. However, the batch file returns an 'access denied' error when copying the hosts file. Below is the batch file and the batch file output. Is there a way to overwrite the hosts file?

@echo
xcopy hosts C:\Windows\System32\drivers\etc\ /Y
xcopy lmhosts.sam c:Windows\System32\drivers\etc\ /Y

C:\Install>host_update.bat
ECHO is on.

C:\Install>xcopy hosts C:\Windows\System32\drivers\etc\ /Y
C:hosts
Access denied

C:\Install>xcopy lmhosts.sam c:Windows\System32\drivers\etc\ /Y
C:lmhosts.sam
1 File(s) copied

C:\Install>
MaximumIQ

I tested the script and it worked for me.

Check if you can even perform the same operation manually in Windows.

You have to have elevated user permissions to save changes to the Hosts file. So open Notepad using Run as Administrator and test this. You now should be able to save changes to Hosts.

So if that works, you may have to run the script as Administrator.

.. Thinkpads_User
Aaron Tomosky
You have UAC above the bottom setting, so it needs admin rights to run.
Maybe your "c:Windows\System32\drivers\etc\hosts" file is read only. Should not be, but who knows?
Maybe changing the location of your "C:\Hosts" to "C:\Temp\Hosts"
You need to change the user rights for the file using icacls and takeown from the console.

cd /d %SystemRoot%\System32\drivers\etc
takeown /f hosts && icacls hosts /grant administrators:F

As long as you're in the administrator group you can now edit the hosts file.
Also you may want to use attrib -h -s +r hosts just in case.
You should find plenty of information here:
http://www.mvps.org/winhelp2002/hosts.htm
They have made an "ad-blocking" HOSTS file available for years along with a batch file to "install" the most recent version from the unpacked Zip file downloadable from their site.
Special considerations for Windows 7:
http://www.mvps.org/winhelp2002/hostswin7.htm
http://support.microsoft.com/kb/923947
tmaususer

ASKER

I want to deploy the batch file using LANDesk.  So I don't want to touch each individual pc to change the UAC or run the DOS prompt as admin.  I tried changing the attributes, but that didn't help. Is it possible to use a script that will run as administrator?  

Russel,
Is there a way to put that into a script that I can run?
You can try running the script via Scheduler that should allow you to elevate permissions.

... Thinkpads_User
Can I deploy a scheduled task to a group of computers? I'm really kind of dense when it comes to this.
You need to open Scheduler and look at the options. I have used it on a local computer for this purpose but not running out to a group of computers. ... Thinkpads_User
ASKER CERTIFIED SOLUTION
ReneGe
So there is not an easy way to overwrite a system file with a basic text command?
No, not in Windows 7, at least in my experience with Hosts files (I do use them). It requires elevated permission on Windows 7 to do it.  ... Thinkpads_User
Also, don't forget that malware uses the Hosts file to prevent users from getting proper Internet support and further steering computers to malware sites.

So protecting this file is an excellent idea. .... Thinkpads_User
As for me, I think your issue is accessing the file located on the root dir.

Why don't you try something.

Simply open a DOS window and type or copy/paste:
ECHO 127.0.0.1     LOCALHOST2>>"C:\Windows\System32\drivers\etc\hosts"

Go see the hosts file. Was "ECHO 127.0.0.1     LOCALHOST2" added?

Oh, I forgot to mention, I did try this on my Windows 7 PC but UAC is disabled.
So, figuring out how to deploy a scheduled task would be the way to go? Does anyone know the command line to schedule a task? On a different note, is there a way to increase the number of points you want to award an answer to a question once you have asked it?

ReneGe,
What would your script look like for just one computer?  LANDesk will allow me to then select multiple computers once I have the basic batch/script.
I tried your copy/paste and it gave "Access Denied" as expected.

Windows 7 got UAC correct and it should not be disabled. Of course you can copy anything to anywhere with UAC disabled, but this is a very bad idea in general and an unforgivable idea for user machines. I wouldn't do it.


... Thinkpads_User
You're right. I don't want to do that.
Could be something like this.

Look here for all your options:
http://support.microsoft.com/kb/313565 

 
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		ECHO %%B | FINDSTR /i RENE >NUL || (
			ECHO "%%B"
			AT %%B 16:00 \\Server\NETLOGON\SchedBatchFile.bat
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE

I don't know LANDesk but the command line could be:

AT 16:00 "\\Server\NETLOGON\SchedBatchFile.bat"
SOLUTION
There you go!!

Note that the password structure suggested by subhashchy is: password@RemoteComputerName
What is 10.10.8.210? The IP of the client? How could I make it without using a specific client? Could I replace the IP address with something like %localhost%?
subhashchy:  is that a DOS, VB, or Powershell script?
That is a dos command line and my script is a batch file.

What subhashchy was suggesting here is that you set up a task on a PC with its IP address. For the example, he put any IP address. You put the one on which you wish to create a scheduled task.

For creating the task on the localhost, just remove "/s ipaddress" from the command line.

For doing it on several PC use my script and replace the IP address with !PC!.

To customize the SCHTASKS command see:
"http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx?mfr=true"

 
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		SET PC=%%B
		REM REMOVING \\ FROM THE PC NAME
		SET PC=!PC:\\=!
		REM EXCLUDE TASK FOR PCs NAME CONTAINING THE WORD SERVER
		ECHO %%B | FINDSTR /i SERVER >NUL || (
			ECHO [%%B] [!PC!]
			REM THIS IS ASSUMING THAT ALL PCs HAVE THE SAME ADMIN PASSWORD.
			SCHTASKS /run /s !PC! /u administrator@!PC! /p averystrongpassword /tn \\SERVER\BATCHFILES\THETASK.BAT
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE

Okay.  Thanks!  Give me a day or so to try that out.
Yep. Sorry for the late response. I'm in a different time zone, I guess.

I was not sure how you were going to deploy the script. So if you want to deploy the script using GP or something, then you can remove the /S switch. If you are going to run the script from a single computer on all computers in the network, then use a batch file as suggested by ReneGe and place the commands at the end.
I did test it on my Windows 2008 server and it seems to work fine. Hope it works.

Thanks ReneGe for clarifying :)
You should use both the lines mentioned in my earlier post. The first line will schedule the task and the 2nd will run it.

@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		SET PC=%%B
		REM REMOVING \\ FROM THE PC NAME
		SET PC=!PC:\\=!
		REM EXCLUDE TASK FOR PCs NAME CONTAINING THE WORD SERVER
		ECHO %%B | FINDSTR /i SERVER >NUL || (
			ECHO [%%B] [!PC!]
			REM THIS IS ASSUMING THAT ALL PCs HAVE THE SAME ADMIN PASSWORD.
			SCHTASKS /Create /S !PC! /U administrator@!PC! /P a@123 /RU administrator /rp a@123 /SC HOURLY /TN task2 /TR "cmd.exe /c \\SERVER\BATCHFILES\THETASK.BAT"
			SCHTASKS /run /s !PC! /u administrator@!PC! /p averystrongpassword /tn task2
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE


If it runs fine, let me know so I can give you another script which will delete this task as cleanup. Otherwise it will run each hour on the server.

@subhashchy

Team work ;-)
Thank you both.
I still have to test it, but I will soon.
I tried the following batch file:
@echo
SCHTASKS /Create /RU administrator /rp xxxxx /SC ONCE /ST 13:30:00 /TN Hostsupdate /TR "cmd.exe /c hosts_update.bat "

I got an access denied error, but I am not sure what is being denied - the admin logon or the path to hosts_update.bat?
C:\Install>create_schd.bat
ECHO is on.

C:\Install>SCHTASKS /Create /RU administrator /rp xxxxx /SC ONCE /ST 13:30:
00 /TN Hostsupdate /TR "cmd.exe /c hosts_update.bat "
ERROR: Access is denied.

C:\Install>
I also tried:
@echo
SCHTASKS /Create /S 192.168.130.109 /U tma0258 /P xxxxx /RU administrator /rp xxxxx /SC HOURLY /TN hostsupdate /TR "cmd.exe /c c:\install\hosts_update.bat"

and got:
C:\Install>create_schd2.bat
ECHO is on.

C:\Install>SCHTASKS /Create /S 192.168.130.109 /U tma0258 /P xxxxx /RU adm
inistrator /rp xxxxx /SC HOURLY /TN hostsupdate /TR "cmd.exe /c c:\install\
hosts_update.bat"
ERROR: User credentials are not allowed on the local machine.
C:\Install>
If I run the schtasks from an administrator command prompt it works.
Hmmm... the problem is UAC here. UAC does not allow schtasks to be executed from a non-admin command line, and that's where the batch runs.

Alright, can you answer this question?

You want to run the batch file on each system which will modify the host?
Or run the batch file on one system which will modify the host on all systems?

want to run the batch file on each system  which will modify the host remotely with LANDesk
Are you saying: "By using LANDesk, you want to run the batch file on each PCs?"
Yes, LANDesk will run the batch file with the local system account by default.
I am experimenting with it now.  seems like I may get it to work.
This is the only way I have been able to successfully create the schedule from an administrator prompt.  In Win7, you are able to export a task as an XML file.  Do you think I could use this to create the scheduled task?
@echo
SCHTASKS /Create /S 192.168.130.109 /SC HOURLY /TN hostsupdate2 /TR "cmd.exe /c c:\install\hosts_update.bat"

c:\Install>create_schd3
ECHO is on.

c:\Install>SCHTASKS /Create /S 192.168.130.109 /SC HOURLY /TN hostsupdate2 /TR "
cmd.exe /c c:\install\hosts_update.bat"
SUCCESS: The scheduled task "hostsupdate2" has successfully been created.

c:\Install>
SOLUTION
Wow, thanks Russell.  I think that is what I was looking for.  I'll give it a try after I resolve some emergencies.
Russell, does PSEXEC need to be on each client?
@Russell
Is there a reason to run PSEXEC in the remote system account, while specifying a username and password? Why not just run it in the system account? I'm asking this because the -h will let him run with the elevated token anyway?

Also, in PSEXEC, since -h will run the command with the elevated token, why not just copy the hosts file directly by using PSEXEC?

Also, you may need to run PSEXEC directly on each PC at least once. It will present you with the EULA. Click OK and done. Me, I added a REG add command in the logon script. This way I did not need to do this manually on each PC.

Cheers,
Rene
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		SET PC=%%B
		REM REMOVING \\ FROM THE PC NAME
		SET PC=!PC:\\=!
		REM EXCLUDE TASK FOR PCs NAME CONTAINING THE WORD SERVER
		ECHO %%B | FINDSTR /i SERVER >NUL || (
			ECHO [%%B] [!PC!]
			REM THIS IS ASSUMING THAT ALL PCs HAVE THE SAME ADMIN PASSWORD.
			REM COPY IS A CMD BUILT-IN, SO IT IS RUN THROUGH CMD /C ON THE TARGET PC
			PSEXEC \\!PC! -s -h cmd /c COPY /Y "\\Server\Share\hosts" "C:\Windows\System32\drivers\etc\hosts"
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE

PSEXEC does not need to be installed on each client.
But like I said earlier, you may need to run it locally at least once to accept the EULA.
But the batch file will be run locally from each computer instead of from my computer.  Does that make a difference?
Open a DOS prompt and run the following on any PC:
psexec -i \\127.0.0.1 notepad.exe
- this should open notepad
- If it's the first time you run PSEXEC, it should ask you to accept the EULA.

Then run this:
PSEXEC \\127.0.0.1 -s -h cmd /c "ECHO 127.0.0.1     localhost1>> C:\Windows\System32\drivers\etc\hosts"

This should add "ECHO 127.0.0.1     localhost1" as the last line of your hosts file.

Then, open the hosts file and confirm it's there.

Don't forget to manually remove this last line we just added.

Did it work?
Okay, I need to try some of this out within LANDesk.  Thanks for your help so far ReneGe.
Also, while looking around to find alternatives, I found this:
http://www.winability.com/elevate/

I don't know if it works, but if you are curious, have a try and please share your findings.
ReneGe,
I had to run this from an administrative command prompt to get this to work:
psexec -i \\127.0.0.1 notepad.exe
testing it in LANDesk now
@ReneGe, to answer your question about running as a service: it's just more preferred, as system has more power as far as access goes, and when you do a remote of psexec it sends a resource exe from within the psexec executable itself and connects, copies, installs, and runs psexsvc.exe on that host, allowing it to run with system.

The user credentials are for login into the machine as administrator, as it is still required for installing, starting, stopping processes, and system is not allowed to be logged into for major security reasons.

Btw, that is a good point to bring up about the EULA that pops up the first time. I keep forgetting about that! Really good catch! Nice script too.

@tmaususer,
Even though he answered your question previously I will still answer it. Yes, you do need to do this for all clients, but the good news is it does not require you to acknowledge UAC prompts. You will need to copy the file over to the remote PC and then use psexec as a service using the -h -s switches to run the command to install your schedule. That can be done simply with psexec. Also note that your command needs to be

Psexec -i -h -u <admin> -p <pass> notepad.exe, because you are initiating a process through logononasuserw and, as stated above, when starting a new process with higher credentials, higher credentials are needed to prove you have authority and access rights to execute these commands in a UAC bypass way.
ReneGe,
Is this where I would have to enter each computer on my domain?

FOR %%A IN (PC1-,PC2-) DO (

Would enter something like FOR %%A IN (pcname1, pcname2, pcname3, pcname4, pcname5)

Is there a way to make an answer file? I really don't know a lot about scripting.
Well actually, it's how your computer names start. In your example, since all your PCs start with "pcname", there would only be one entry:

FOR %%A IN (pcname)

This is because if you omit this line, the command line will run on anything that is outputted from the command NET VIEW, including servers...
Oh, we start our computer names with the users last name.  Some server names start 'server...' and others with 'TMA...'
Then, I could modify the script to run on all PCs except the servers.

 
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs EXCLUDING THE SERVERS. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\') DO (
	SET PC=%%B
	REM REMOVING \\ FROM THE PC NAME
	SET PC=!PC:\\=!
	REM EXCLUDE PCs WHOSE NAME CONTAINS SERVER OR TMA
	REM FINDSTR TREATS SPACE-SEPARATED SEARCH STRINGS AS ALTERNATIVES
	ECHO %%B | FINDSTR /i "Server TMA" >NUL || (
		ECHO [%%B] [!PC!]
		REM COPY IS A CMD BUILT-IN, SO IT IS RUN THROUGH CMD /C ON THE TARGET PC
		PSEXEC \\!PC! -s -h cmd /c COPY /Y "\\Server\Share\hosts" "C:\Windows\System32\drivers\etc\hosts"
		ECHO [!errorlevel!] %%B>>"%~n0.log" 
	)
)

PAUSE

I'm still working on this.  I was pulled away for awhile.
I got it. I made a syntax error. Thanks for all of your help. I learned a lot.
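
Added example (not posted by anyone in this thread): a version of the asker's hosts_update.bat that reports why the copy fails instead of stopping at a bare "Access denied", and verifies the result. It assumes the new hosts file sits next to the script and that the script is started by something already elevated, such as the LANDesk local system account mentioned above, so no administrator password has to be stored in a batch file.

```batch
@echo off
rem Added example, not code from the thread. SRC location is an assumption.
setlocal
set "SRC=%~dp0hosts"
rem Fully qualified target. A path such as c:Windows\... with no backslash
rem after the colon is relative to the current directory on drive C:.
set "DST=%SystemRoot%\System32\drivers\etc\hosts"

rem 1. Writing under drivers\etc needs an elevated token or LocalSystem.
rem    "net session" is a common heuristic: it fails when not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo ERROR: not elevated, cannot write "%DST%".
    exit /b 5
)

rem 2. Refuse to deploy a missing or empty source file.
if not exist "%SRC%" (
    echo ERROR: source "%SRC%" not found.
    exit /b 2
)
for %%F in ("%SRC%") do if %%~zF EQU 0 (
    echo ERROR: source "%SRC%" is empty.
    exit /b 2
)

rem 3. Keep the previous file for rollback and clear its read-only bit.
if exist "%DST%" (
    copy /y "%DST%" "%DST%.bak" >nul
    attrib -r "%DST%"
)

rem 4. Copy, then verify the result byte for byte against the source.
copy /y "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo ERROR: copy to "%DST%" failed.
    exit /b 1
)
fc /b "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo ERROR: deployed hosts differs from "%SRC%".
    exit /b 1
)
echo OK: hosts updated on %COMPUTERNAME%.
exit /b 0
```

The non-zero exit codes let a deployment tool record which machines failed and at which step; the `net session` check depends on the Server service running on the client.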