Access denied when using xcopy to overwrite hosts file

I want a batch file to copy two files.  I want to place an updated copy of the 'hosts' and 'lmhosts.sam' files in the c:Windows\System32\drivers\etc\ directory.  The lmhosts.sam file will copy fine.  However, the batch file returns an 'access denied' error when copying the hosts file.  Below is the batch file and the batch file output.  Is there a way to overwrite the hosts file?

@echo
xcopy hosts C:\Windows\System32\drivers\etc\ /Y
xcopy lmhosts.sam c:Windows\System32\drivers\etc\ /Y

C:\Install>host_update.bat
ECHO is on.

C:\Install>xcopy hosts C:\Windows\System32\drivers\etc\ /Y
C:hosts
Access denied

C:\Install>xcopy lmhosts.sam c:Windows\System32\drivers\etc\ /Y
C:lmhosts.sam
1 File(s) copied

C:\Install>
tmaususerAsked:

MaximumIQCommented:
I tested the script and it worked for me

Check if you can even perform the same operation manually in Windows.

0
JohnBusiness Consultant (Owner)Commented:
You have to have elevated user permissions to save changes to the Hosts file. So open Notepad using Run as Administrator and test this. You now should be able to save changes to Hosts.

So if that works, you may have to run the script as Administrator.

.. Thinkpads_User
0
Aaron TomoskySD-WAN SimplifiedCommented:
You have UAC above the bottom setting so it needs admin rights to run.
0
ReneGeCommented:
Maybe your  "c:Windows\System32\drivers\etc\hosts" file is read only. Should not be but who knows?
Maybe changing the location of your "C:\Hosts" to "C:\Temp\Hosts"
0
Russell_VenableCommented:
You need to change the user rights for the file using icacls and takeown from the console.

cd /d C:\Windows\System32\drivers\etc
takeown /f hosts && icacls hosts /grant administrators:F

As long as you're in the administrator group you can now edit the hosts file.
0
Russell_VenableCommented:
Also you may want to use attrib -h -s +r hosts just in case.
0
BillDLCommented:
You should find plenty of information here:
http://www.mvps.org/winhelp2002/hosts.htm
They have made an "ad-blocking" HOSTS file available for years along with a batch file to "install" the most recent version from the unpacked Zip file downloadable from their site.
Special considerations for Windows 7:
http://www.mvps.org/winhelp2002/hostswin7.htm
http://support.microsoft.com/kb/923947
0
tmaususerAuthor Commented:
I want to deploy the batch file using LANDesk.  So I don't want to touch each individual pc to change the UAC or run the DOS prompt as admin.  I tried changing the attributes, but that didn't help. Is it possible to use a script that will run as administrator?  

Russell,
Is there a way to put that into a script that I can run?
0
JohnBusiness Consultant (Owner)Commented:
You can try running the script via Scheduler that should allow you to elevate permissions.

... Thinkpads_User
0
tmaususerAuthor Commented:
Can I deploy a scheduled task to a group of computers?  I'm really kind of dense when it comes to this.
0
JohnBusiness Consultant (Owner)Commented:
You need to open Scheduler and look at the options. I have used it on a local computer for this purpose but not running out to a group of computers. ... Thinkpads_User
0
ReneGeCommented:
Here is a batch file that will let you add a sched task on a bunch of PCs.

I'll let someone else figure out the command line.

 
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		ECHO %%B | FINDSTR /i RENE >NUL || (
			ECHO "%%B"
			REM PLACE THE COMMAND LINE HERE
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE

0

tmaususerAuthor Commented:
So there is not an easy way to overwrite a system file with a basic text command?
0
JohnBusiness Consultant (Owner)Commented:
No, not in Windows 7, at least in my experience with Hosts files (I do use them). It requires elevated permission on Windows 7 to do it.  ... Thinkpads_User
0
JohnBusiness Consultant (Owner)Commented:
Also, don't forget that malware uses the Hosts file to prevent users from getting proper Internet support and further steering computers to malware sites.

So protecting this file is an excellent idea. .... Thinkpads_User
0
ReneGeCommented:
As for me, I think your issue is accessing the file located on the root dir.

Why don't you try something.

Simply open a DOS window and type or copy/paste:
ECHO 127.0.0.1     LOCALHOST2>>"C:\Windows\System32\drivers\etc\hosts"

Go see the hosts file. Was "ECHO 127.0.0.1     LOCALHOST2" added?

0
ReneGeCommented:
Oh, I forgot to mention, I did try this on my Windows 7 PC but UAC is disabled.
0
tmaususerAuthor Commented:
So, figuring out how to deploy a scheduled task would be the way to go?  Does anyone know the command line to schedule a task?  On a different note, is there a way to increase the number of points you want to award an answer to a question once you have asked it?

ReneGe,
What would your script look like for just one computer?  LANDesk will allow me to then select multiple computers once I have the basic batch/script.
0
JohnBusiness Consultant (Owner)Commented:
I tried your copy/paste and it gave "Access Denied" as expected.

Windows 7 got UAC correct and it should not be disabled. Of course you can copy anything to anywhere with UAC disabled, but this is a very bad idea in general and an unforgivable idea for user machines. I wouldn't do it.


... Thinkpads_User
0
tmaususerAuthor Commented:
You're right. I don't want to do that.
0
ReneGeCommented:
Could be something like this.

Look here for all your options:
http://support.microsoft.com/kb/313565 

 
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		ECHO %%B | FINDSTR /i RENE >NUL || (
			ECHO "%%B"
			AT %%B 16:00 \\Server\NETLOGON\SchedBatchFile.bat
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE

0
ReneGeCommented:
I don't know LANDesk but the command line could be:

AT 16:00 "\\Server\NETLOGON\SchedBatchFile.bat"
0
subhashchyCommented:
Check out the command line below. It will schedule a task and then run it with the specified user privilege.


SCHTASKS /Create /S 10.10.8.210 /U administrator /P supernova@123 /RU administrator /rp a@123 /SC HOURLY /TN task2 /TR "cmd.exe /c yourbatchfilename"

SCHTASKS /run /s 10.10.8.210 /u administrator /p a@123 /tn task2

0
ReneGeCommented:
There you go!!

Note that the password structure suggested by subhashchy is: password@RemoteComputerName
0
tmaususerAuthor Commented:
What is 10.10.8.210?  The IP of the client?  How could I make it without using a specific client?  Could I replace the IP address with something like %localhost%?
0
tmaususerAuthor Commented:
subhashchy:  is that a DOS, VB, or PowerShell script?
0
ReneGeCommented:
That is a DOS command line and my script is a batch file.

What subhashchy was suggesting here is that you set up a task on a PC with its IP address. For the example, he put any IP address. You put the one that you wish to create a sched. task.

For creating the task on the localhost, just remove "/s ipaddress" from the command line.

For doing it on several PCs use my script and replace the IP address with !PC!.

To customize the SCHTASKS command see:
"http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx?mfr=true"

 
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		SET PC=%%B
		REM REMOVING \\ FROM THE PC NAME
		SET PC=!PC:\\=!
		REM EXCLUDE TASK FOR PCs NAME CONTAINING THE WORD SERVER
		ECHO %%B | FINDSTR /i SERVER >NUL || (
			ECHO [%%B] [!PC!]
			REM THIS IS ASSUMING THAT ALL PCs HAVE THE SAME ADMIN PASSWORD.
			SCHTASKS /run /s !PC! /u administrator@!PC! /p averystrongpassword /tn \\SERVER\BATCHFILES\THETASK.BAT
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE

0
tmaususerAuthor Commented:
Okay.  Thanks!  Give me a day or so to try that out.
0
subhashchyCommented:
Yep. Sorry for the late response. I'm in a different time zone, I guess.

I was not sure how you were going to deploy the script. So if you want to deploy the script using GP or something then you can remove the /S switch. If you are going to run the script from a single computer on all computers in the network then use a batch file as suggested by ReneGe and place the commands at the end.
I did test it on my Windows 2008 server and it seems to work fine. Hope it works.

Thanks ReneGe for clarifying :)
0
subhashchyCommented:
You should use both the lines mentioned in my earlier post. The first line will schedule the task and the 2nd will run it.

@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		SET PC=%%B
		REM REMOVING \\ FROM THE PC NAME
		SET PC=!PC:\\=!
		REM EXCLUDE TASK FOR PCs NAME CONTAINING THE WORD SERVER
		ECHO %%B | FINDSTR /i SERVER >NUL || (
			ECHO [%%B] [!PC!]
			REM THIS IS ASSUMING THAT ALL PCs HAVE THE SAME ADMIN PASSWORD.
			SCHTASKS /Create /S !PC! /U administrator@!PC! /P a@123 /RU administrator /rp a@123 /SC HOURLY /TN task2 /TR "cmd.exe /c \\SERVER\BATCHFILES\THETASK.BAT"
			SCHTASKS /run /s !PC! /u administrator@!PC! /p averystrongpassword /tn task2
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE

If it runs fine, let me know so I can give you another script which will delete this task as cleanup. Otherwise it will run each hour on the server.

0
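
The SCHTASKS commands above carry account passwords in clear text on the command line. As an added example that is not part of any post in this thread, the batch file below registers the task under the built-in SYSTEM account, which takes no /RP password, runs it once and then removes it. The task name HostsUpdateOnce and the script path are assumptions, and the file must itself be started elevated or by an agent running as SYSTEM.

```batch
@echo off
rem Added example, not from the thread: run hosts_update.bat once as SYSTEM
rem through Task Scheduler without any password on the command line.
setlocal
rem Hypothetical task name chosen for this example.
set "TASK=HostsUpdateOnce"
rem Assumed script location, based on the C:\Install paths used in the thread.
set "SCRIPT=C:\Install\hosts_update.bat"

rem /RU SYSTEM takes no /RP, so no credential ends up in this file,
rem in the deployment tool's logs, or in the task definition.
rem /SC ONCE /ST 23:59 is only a placeholder trigger; /Run starts the task.
schtasks /Create /F /TN "%TASK%" /RU SYSTEM /SC ONCE /ST 23:59 /TR "cmd.exe /c %SCRIPT%"
if errorlevel 1 (
    echo ERROR: could not create task "%TASK%".
    exit /b 1
)

schtasks /Run /TN "%TASK%"
if errorlevel 1 (
    schtasks /Delete /F /TN "%TASK%" >nul 2>&1
    exit /b 1
)

rem /Run returns immediately. Poll until the task stops reporting "Running"
rem or about 60 seconds have passed. The status text is an assumption that
rem holds on English-language Windows.
set /a TRIES=0
:wait
ping -n 3 127.0.0.1 >nul
set /a TRIES+=1
schtasks /Query /TN "%TASK%" /FO LIST | findstr /i /c:"Running" >nul
if not errorlevel 1 if %TRIES% lss 30 goto wait

rem Remove the task so it neither lingers nor fires at the placeholder time.
schtasks /Delete /F /TN "%TASK%"
exit /b %errorlevel%
```

Whatever sits at the script path runs as SYSTEM, so keep it in a directory that only administrators can write to.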
ReneGeCommented:
@subhashchy

Team work ;-)
0
tmaususerAuthor Commented:
Thank you both.
0
tmaususerAuthor Commented:
I still have to test it, but I will soon.
0
tmaususerAuthor Commented:
I tried the following batch file:
@echo
SCHTASKS /Create /RU administrator /rp xxxxx /SC ONCE /ST 13:30:00 /TN Hostsupdate /TR "cmd.exe /c hosts_update.bat "

I got an access denied error, but I am not sure what is being denied - the admin logon or the path to hosts_update.bat?
C:\Install>create_schd.bat
ECHO is on.

C:\Install>SCHTASKS /Create /RU administrator /rp xxxxx /SC ONCE /ST 13:30:
00 /TN Hostsupdate /TR "cmd.exe /c hosts_update.bat "
ERROR: Access is denied.

C:\Install>
0
tmaususerAuthor Commented:
I also tried:
@echo
SCHTASKS /Create /S 192.168.130.109 /U tma0258 /P xxxxx /RU administrator /rp xxxxx /SC HOURLY /TN hostsupdate /TR "cmd.exe /c c:\install\hosts_update.bat"

and got:
C:\Install>create_schd2.bat
ECHO is on.

C:\Install>SCHTASKS /Create /S 192.168.130.109 /U tma0258 /P xxxxx /RU adm
inistrator /rp xxxxx /SC HOURLY /TN hostsupdate /TR "cmd.exe /c c:\install\
hosts_update.bat"
ERROR: User credentials are not allowed on the local machine.
C:\Install>
0
tmaususerAuthor Commented:
If I run the schtasks from an administrator command prompt it works.
0
subhashchyCommented:
Hmmm.. the problem is UAC here.. UAC does not allow schtasks to be executed from a non-admin command line and that's where the batch runs..

Alright , Can you answer this question ?

You want to run the batch file on each system, which will modify the host?
Or run the batch file on one system, which will modify the host on all systems?

0
tmaususerAuthor Commented:
want to run the batch file on each system  which will modify the host remotely with LANDesk
0
ReneGeCommented:
Are you saying: "By using LANDesk, you want to run the batch file on each PC?"
0
tmaususerAuthor Commented:
Yes, LANDesk will run the batch file with the local system account by default.
0
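
A version of hosts_update.bat written for that deployment model, as an added example that is not from the thread: it refuses to run without a high-integrity or SYSTEM token, uses absolute paths, keeps a backup and verifies the result so the deployment tool receives a meaningful exit code. It assumes the new hosts file sits in the same folder as the script; the exit code values are this example's own choice.

```batch
@echo off
rem Added example, not from the thread: hosts deployment with an elevation
rem check, a backup and a verification step.
setlocal

rem Absolute paths. A path such as c:Windows\... with no backslash after the
rem colon is relative to the current directory on drive C:, so it does not
rem point at the real system folder.
rem Assumption: the new hosts file is stored next to this script.
set "SRC=%~dp0hosts"
set "DST=%SystemRoot%\System32\drivers\etc\hosts"

rem S-1-16-12288 is the High mandatory level of an elevated administrator,
rem S-1-16-16384 is the System level of the local system account.
whoami /groups | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul
if errorlevel 1 (
    echo ERROR: not elevated. Run as administrator or as SYSTEM.
    exit /b 5
)

if not exist "%SRC%" (
    echo ERROR: source file "%SRC%" not found.
    exit /b 2
)

rem Keep the previous file so a bad push can be rolled back.
if exist "%DST%" copy /y "%DST%" "%DST%.bak" >nul

rem Clear a read-only attribute if one is set, then overwrite.
attrib -r "%DST%" >nul 2>&1
copy /y "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo ERROR: copy to "%DST%" failed.
    exit /b 1
)

rem Confirm the deployed file is byte-identical to the source.
fc /b "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo ERROR: "%DST%" differs from the source after the copy.
    exit /b 1
)

echo hosts updated.
exit /b 0
```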
tmaususerAuthor Commented:
I am experimenting with it now.  seems like I may get it to work.
0
tmaususerAuthor Commented:
This is the only way I have been able to successfully create the schedule from an administrator prompt.  In Win7, you are able to export a task as an XML file.  Do you think I could use this to create the scheduled task?
@echo
SCHTASKS /Create /S 192.168.130.109 /SC HOURLY /TN hostsupdate2 /TR "cmd.exe /c c:\install\hosts_update.bat"

c:\Install>create_schd3
ECHO is on.

c:\Install>SCHTASKS /Create /S 192.168.130.109 /SC HOURLY /TN hostsupdate2 /TR "
cmd.exe /c c:\install\hosts_update.bat"
SUCCESS: The scheduled task "hostsupdate2" has successfully been created.

c:\Install>
0
Russell_VenableCommented:
Are you using resource sharing? AKA; RPC and IPC enabled? If so, you can use
@echo off
psexec  \\%1 -s -h -u %2 -p %3 XCopy -v \\%4\C$\install\hosts \\%1\Admin$\Drivers\etc

Usage: sched.cmd <remote computer> <admin> <pass> <local ip>

You can also setup the schedule service.
@echo off
psexec \\%2 -s -h -u %3 -p %4 Schtasks /create /sc hourly /tn hostsupdate2 /tr "cmd /c c:\install\hosts_update.bat"

This should get you past UAC with your valid administrator credentials.
0
tmaususerAuthor Commented:
Wow, thanks Russell.  I think that is what I was looking for.  I'll give it a try after I resolve some emergencies.
0
tmaususerAuthor Commented:
Russell, does PSEXEC need to be on each client?
0
ReneGeCommented:
@Russell
Is there a reason to run PSEXEC in the remote system account, while specifying a username and password? Why not just run it in the system account? I'm asking this because the -h will let him run with the elevated token anyway?

Also, in PSEXEC, since -h will run the command with the elevated token, why not just copy the hosts file directly by using PSEXEC?

Also, you may need to run PSEXEC directly on each PC at least once.  It will present you with the EULA. Click OK and done. Me, I added a REG add command in the logon script. This way I did not need to do this manually on each PC.

Cheers,
Rene
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs STARTING PC1- AND PC2-. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR %%A IN (PC1-,PC2-) DO (
	FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\%%A') DO (
		SET PC=%%B
		REM REMOVING \\ FROM THE PC NAME
		SET PC=!PC:\\=!
		REM EXCLUDE TASK FOR PCs NAME CONTAINING THE WORD SERVER
		ECHO %%B | FINDSTR /i SERVER >NUL || (
			ECHO [%%B] [!PC!]
			REM THIS IS ASSUMING THAT ALL PCs HAVE THE SAME ADMIN PASSWORD.
			REM COPY IS A CMD BUILT-IN SO RUN IT THROUGH CMD /C ON THE TARGET PC
			PSEXEC %%B -s -h cmd /c COPY /Y "\\Server\Share\hosts" "C:\Windows\System32\drivers\etc\hosts"
			ECHO [!errorlevel!] %%B>>"%~n0.log" 
		)
	)
)

PAUSE

0
ReneGeCommented:
PSEXEC does not need to be installed on each client.
But like I said earlier, you may need to run it locally at least once to accept the EULA.
0
tmaususerAuthor Commented:
But the batch file will be run locally from each computer instead of from my computer.  Does that make a difference?
0
ReneGeCommented:
Open a DOS prompt and run the following on any PC:
psexec -i \\127.0.0.1 notepad.exe
- this should open notepad
- If it's the first time you run PSEXEC, it should ask you to accept the EULA.

Then run this:
PSEXEC \\127.0.0.1 -s -h ECHO 127.0.0.1     localhost1>> "C:\Windows\System32\drivers\etc\hosts"

This should add "ECHO 127.0.0.1     localhost1" as the last line of your hosts file.

Then, open the hosts file and confirm it's there.

Don't forget to manually remove this last line we just added.

Did it work?
0
tmaususerAuthor Commented:
Okay, I need to try some of this out within LANDesk.  Thanks for your help so far ReneGe.
0
ReneGeCommented:
Also, while looking around to find alternatives, I found this:
http://www.winability.com/elevate/

I don't know if it works but if you are curious, have a try and please share your findings.
0
tmaususerAuthor Commented:
ReneGe,
I had to run this from an administrative command prompt to get this to work:
psexec -i \\127.0.0.1 notepad.exe
0
tmaususerAuthor Commented:
testing it in LANDesk now
0
Russell_VenableCommented:
@ReneGe, to answer your question about running as service it's just more preferred as system has more power as far as access goes and when you do a remote of psexec it sends a resource exe from within the psexec executable itself and connects, copies, installs, and runs psexesvc.exe on that host, allowing it to run with system.

The user credentials are for logging into the machine as administrator, as it is still required for installing, starting, stopping processes, and system is not allowed to be logged into for major security reasons.

Btw, that is a good point to bring up about the EULA that pops up the first time. I keep forgetting about that! Really good catch! Nice script too.

@Tmaususer,
Even though he answered your question previously I will still answer it. Yes, you do need to do this for all clients, but the good news is it does not require you to acknowledge UAC prompts. You will need to copy the file over to the remote PC and then use psexec as a service using the -h -s switches to run the command to install your schedule. As that can be done simply with psexec. Also note that
your comment needs to be

Psexec -i -h -u <admin> <pass> notepad.exe, because you are initiating a process through logononasuserw and as stated above when starting a new process with higher credentials higher credentials are needed to prove you have authority and access rights to execute these commands in a UAC bypass way.
0
tmaususerAuthor Commented:
ReneGe,
Is this where I would have to enter each computer on my domain?

FOR %%A IN (PC1-,PC2-) DO (

Would enter something like FOR %%A IN (pcname1, pcname2, pcname3, pcname4, pcname5)

Is there a way to make an answer file?  I really don't know a lot about scripting.
0
ReneGeCommented:
Well actually, it's how your computer names start. In your example, since all your PCs start with "pcname", there would only be one entry:

FOR %%A IN (pcname)

This is because if you omit this line, the command line will run on anything that is outputted from the command NET VIEW, including servers...
0
tmaususerAuthor Commented:
Oh, we start our computer names with the users last name.  Some server names start 'server...' and others with 'TMA...'
0
ReneGeCommented:
Then, I could modify the script to run on all PCs except the servers.

 
@ECHO OFF

SETLOCAL enabledelayedexpansion

CHOICE /D N /T 5 /M "THIS WILL DO SOMETHING ON ALL PCs EXCLUDING THE SERVERS. PLEASE CONFIRM"
IF !errorlevel! == 2 EXIT
ECHO.
PAUSE

FOR /F %%B IN ('NET VIEW ^| FINDSTR -i \\') DO (
	SET PC=%%B
	REM REMOVING \\ FROM THE PC NAME
	SET PC=!PC:\\=!
	REM EXCLUDE PCs WHOSE NAME CONTAINS SERVER OR TMA
	REM FINDSTR TREATS THE SPACE BETWEEN THE TWO WORDS AS OR
	ECHO %%B | FINDSTR /i "Server TMA" >NUL || (
		ECHO [%%B] [!PC!]
		REM THIS IS ASSUMING THAT ALL PCs HAVE THE SAME ADMIN PASSWORD.
		REM COPY IS A CMD BUILT-IN SO RUN IT THROUGH CMD /C ON THE TARGET PC
		PSEXEC %%B -s -h cmd /c COPY /Y "\\Server\Share\hosts" "C:\Windows\System32\drivers\etc\hosts"
		ECHO [!errorlevel!] %%B>>"%~n0.log" 
	)
)

PAUSE

0
tmaususerAuthor Commented:
I'm still working on this.  I was pulled away for awhile.
0
tmaususerAuthor Commented:
I got it.  I made a syntax error.  Thanks for all of your help.  I learned a lot.
0