The dnsapi.dll, ms domains & hosts file thing...

Discussion in 'privacy problems' started by pjoter, Nov 1, 2014.

  1. pjoter

    pjoter Registered Member

    Joined:
    Nov 1, 2014
    Posts:
    10
    Hi, I don't know if anyone is aware of the dnsapi.dll thing, where certain MS domains are white-listed.
    So even if you block them in the "hosts" file, the dnsapi overrides it and microsoft.com keeps working.

    2K didn't have that yet, and in XP only the SP1 version of the dnsapi.dll is without those exceptions.
    And to remove those domains in the Win 7 dnsapi.dll we need to do some hex editing, replacing in the...

    SysWOW64 6.1.7601.17570 (win7sp1_gdr.110302-1503) dnsapi.dll:
    Code:
    .....www.msdn.com....msdn.com....www.msn.com.msn.com.go.microsoft.com....msdn.microsoft.com..office.microsoft.com....microsoftupdate.microsoft.com...wustats.microsoft.com...support.microsoft.com...www.microsoft.com...microsoft.com...update.microsoft.com....download.microsoft.com..microsoftupdate.com.windowsupdate.com...windowsupdate.microsoft.com
    with:
    Code:
    .....000000000000....00000000....00000000000.0000000.0000000000000000....000000000000000000..00000000000000000000....00000000000000000000000000000...000000000000000000000...000000000000000000000...00000000000000000...0000000000000...00000000000000000000....0000000000000000000000..0000000000000000000.00000000000000000...000000000000000000000000000
    or

    System32 6.1.7601.17570 (win7sp1_gdr.110302-1503) dnsapi.dll:
    Code:
    .....msdn.com........www.msn.com.....msn.com.go.microsoft.com........msdn.microsoft.com......office.microsoft.com....microsoftupdate.microsoft.com...wustats.microsoft.com...support.microsoft.com...www.microsoft.com.......microsoft.com...update.microsoft.com....download.microsoft.com..microsoftupdate.com.....windowsupdate.com.......windowsupdate.microsoft.com
    with:
    Code:
    .....00000000........00000000000.....000000000000000000000000........000000000000000000......00000000000000000000....00000000000000000000000000000...000000000000000000000...000000000000000000000...00000000000000000.......0000000000000...00000000000000000000....0000000000000000000000..0000000000000000000.....00000000000000000.......000000000000000000000000000
    That in combination with this hosts file would then really block all MS domains!
    http://www.angelfire.com/comics2/fatboy9175/MShosts.txt

    While in the newer Win 8 dnsapi.dll, I no longer see those domains in the dnsapi.dll, but they are still white-listed!

    Maybe the domains are now hexadecimal instead of plain text, I don't know... any ideas?

    Thanks! Also, long time lurker, first time poster.

    Edit/addendum:

    It turns out it is still there, even on 10TP, but in Unicode. I can't believe Unicode derailed me, doh!
    And a big thanks to the folks over at mydigitallife for figuring it out.
     
    Last edited: Nov 3, 2014
  2. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    408
    I checked a WinXP Media Center Edition SP3 (dnsapi.dll is version 5.1.2600.6089) PC here and the dll doesn't contain the whitelisted entries.
    FWIW, Skype was never installed to that PC, and BITS along with AutomaticUpdates and other various services remained disabled.
    Along the way, MSIE8 and Windows Media Player 10 were updated, though, so I wonder how it managed to escape having the newer (tainted) dll version pushed onto it.

    Looks like nothing beyond Microsoft.NET v3.5 is installed. Maybe the dll would have been pushed if we had permitted the KBxxxxx updates for "DotNet assemblies" and related cruft.
     
  3. pjoter

    pjoter Registered Member

    Joined:
    Nov 1, 2014
    Posts:
    10
    My dnsapi.dll 5.1.2600.6089 has those domains, I just checked.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Confirmed in versions 5.1.2600.2938 and 5.1.2600.5512 as well.
    I extracted dnsapi.dl_ from both the SP2 and SP3 archives. As extracted, neither contains those strings.
     
    Last edited: Nov 6, 2014
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I've got several in my XP/SP2 !
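
The check the posters above do by hand, as an added example that is not part of the original thread: a read-only scan of a copy of dnsapi.dll for the names from the first post's Win 7 dump, tried both as plain ASCII and as UTF-16LE. It assumes the "unicode" in the addendum means UTF-16LE, the usual Windows wide-string encoding; the function names and sample buffers are constructed for illustration.

```python
import sys

# Names from the Win 7 dnsapi.dll dump quoted in the first post.
NAMES = """www.msdn.com msdn.com www.msn.com msn.com go.microsoft.com
msdn.microsoft.com office.microsoft.com microsoftupdate.microsoft.com
wustats.microsoft.com support.microsoft.com www.microsoft.com microsoft.com
update.microsoft.com download.microsoft.com microsoftupdate.com
windowsupdate.com windowsupdate.microsoft.com""".split()

ENCODINGS = {"ascii": 1, "utf-16-le": 2}  # encoding -> width of its NUL


def find_names(data, names=NAMES):
    """Return sorted (offset, encoding, name) for NUL-delimited entries."""
    hits = []
    for enc, width in ENCODINGS.items():
        nul = b"\x00" * width
        for name in names:
            needle = name.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                end = pos + len(needle)
                # Require a NUL on both sides so "msdn.com" inside
                # "www.msdn.com" is not reported as its own entry.
                starts = pos == 0 or data[max(pos - width, 0):pos] == nul
                ends = data[end:end + width] == nul
                if starts and ends:
                    hits.append((pos, enc, name))
                pos = data.find(needle, pos + 1)
    return sorted(hits)


def summarize(data):
    """Map each encoding to the set of names found in it."""
    found = {enc: set() for enc in ENCODINGS}
    for _, enc, name in find_names(data):
        found[enc].add(name)
    return found


# Constructed sample buffers, not bytes taken from a real dnsapi.dll.
SAMPLE_ASCII = (b"\x00\x00www.msdn.com\x00\x00\x00\x00msdn.com\x00\x00\x00\x00"
                b"www.msn.com\x00msn.com\x00")
SAMPLE_UTF16 = b"\x00\x00" + "microsoft.com\x00windowsupdate.com\x00".encode("utf-16-le")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ASCII
    for off, enc, name in find_names(blob):
        print(f"0x{off:08x}  {enc:9}  {name}")
```

Run it with the path to a copy of the DLL as the only argument; with no argument it scans the constructed ASCII sample.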
     