modifying dnsapi.dll in XP SP2 (for MS domains in hosts file)

[the xt guy]

As probably many of you know, XP Sp2 and later has modified dnsapi.dll to deliberately ignore any MS domains in the hosts file. (this does not exist in XP Sp1a or lower; or in any version of Win 2000, 98, etc.) This means your computer can now contact MS stealthily and as many times as it wants, without your permission or control. This to me is totally unacceptable. I've read it is possible to modify dnsapi.dll to reverse this.

Is there anyone out there who has successfully does this and would be willing to share details or a modded dnsapi.dll file?

Dirty tricks like this are just one of the many reasons I have stayed away from XP (and no, I don't want to debate the merits of why MS did this, I simply want to be able to control my own computer and if MS doesn't like it they can go straight to a certain "very hot place".)

In my Win2K system I have about 200 various MS domains in the hosts file. Otherwise my system, and all XP and later systems would contact MS everytime they are booted up and send "data" or "stats" and who knows what else is being sent! I know for example that MS Office routinely sends data to MS about how many documents you have opened.

Edited September 25, 2009 by the xt guy

[caps_buster]

Interesting. Can I have the list of the M$ domains you choosed to block? Might be interesting in my Win2k SP4 too... thanks!

As for the original question - tried checking out the reginst sections in regedit? Usually many weird stuff is hidden there, just check out this:

http://www.msfn.org/board/index.php?showtopic=133333

[the xt guy]

caps_buster, I've sent you a PM with the info about the MS domains list.

The MS entries are hard-coded into the new dnsapi.dll file, which will bypass all other settings on the computer (that's why the dns file needs modified.)

[the xt guy]

caps_buster, here is a discussion on a forum topic (2006) covering this same topic:

http://www.dslreports.com/forum/remark,15900699

the string of URL's is hard coded into XP SP2's dnsapi.dll file, it is not present in XP SP1 or any version of 2K.

This is the list of sites coded into the SP2 version of dnsapi,dll:

www.msdn.com

msdn.com

www.msn.com

msn.com

go.microsoft.com

msdn.microsoft.com

office.microsoft.com

microsoftupdate.microsoft.com

wustats.microsoft.com

support.microsoft.com

www.microsoft.com

microsoft.com

update.microsoft.com

download.microsoft.com

microsoftupdate.com

windowsupdate.com

windowsupdate.microsoft.com

You will not be able to stop your computer from connecting with these sites unless you have an external router or other hardware that is specifically set to block these domains.

Edited September 25, 2009 by the xt guy

[caps_buster]

What about disable WFP and use the dnsapi.dll from Win XP SP1.0a ...?

I do worry especially about servers with HIGHLY suspicious names on the first sight, like:

a00000000000000000000000000000000000000000000000000000000000001.ms.a.microsoft.com

a00000000000000000000000000000000000000000000000000000000000002.ms.a.microsoft.com

a00000000000000000000000000000000000000000000000000000000000003.ms.a.microsoft.com

a000000000000000000000000000000000000000000000000000000000001.ms.a.microsoft.com

a00000000000000000000000000000000000000000000000000000000001.ms.a.microsoft.com

a00000000000000000000000000000000000000000000000000000000001337.ms.a.microsoft.com

a0000000000000000000000000000000000000000000000000000000001.ms.a.microsoft.com

a0000000000000000000000001.ms.a.microsoft.com

a0000000000000000000000002.ms.a.microsoft.com

a0000000000000000001.ms.a.microsoft.com

a000000000000000003.ms.a.microsoft.com

a000001.ms.a.microsoft.com

a102.ms.a.microsoft.com

And thanks to the xt guy, I include the compete M$ list. Added to my hosts files to prevent unwanted spying from M$. Enjoy!

ms_hosts.zip