
After some support requests from users, I have found my website in C:\WINDOWS\system32\drivers\etc\hosts, e.g.:

127.0.0.1 mywebsite.com

Users say they did not add it; perhaps some third-party software (e.g. antivirus) has blocked my website for some unknown reason.

Is there a way to detect who has changed the hosts file? E.g. Event Viewer, logs, etc.

ar099968
  • 113

1 Answer

Is there a way to detect who has changed the hosts file? E.g. Event Viewer, logs, etc.

tl;dr: Absolutely yes.

If you have money, you can use Glasswire without any headache. Glasswire has an option in its security settings to monitor 'hosts' and 'lmhosts' file changes.

[Screenshot: GlassWire security setting to monitor the hosts file]

If you want a free solution, use TraceView from the Windows Driver Kit. Install the Windows Driver Kit → run TraceView as administrator → Create New Log Session → Kernel Logger → File I/O → Log Trace Event Data to File → enter the ETL file path you want.

[Screenshot: TraceView kernel-mode trace session setup]

Use TraceFmt to display the trace and find the file change you are looking for. Required command: tracefmt.exe C:\path\to\ETL-File-Name.etl -displayonly | find /i "hosts"

If you want more free software, I have an open-source project, TraceEvent on GitHub, which is in development.

Biswapriyo
  • 11,584
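The answer above relies on third-party tooling or a kernel trace. As an added example (not from the question, the answer, or either product), the following PowerShell script covers the same ground with built-in Windows features: it parses the hosts file for entries that redirect the site named in the question, keeps a hash baseline to notice any change, adds an audit entry (SACL) to the hosts file so writes produce Security event 4663, and then reads those events back to show which account and process touched the file. Assumptions: Windows 10/11 or Server, an elevated PowerShell session, the "Audit File System" subcategory enabled under Advanced Audit Policy (Object Access), and the baseline path and watched domain names, which are placeholders to adjust.

```powershell
# Added example, not part of the original Q&A. Assumes an elevated session and
# that the "Audit File System" audit policy is enabled; without it, the SACL
# entry below produces no 4663 events.

$HostsPath      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BaselinePath   = Join-Path $env:ProgramData 'hosts.baseline.sha256'   # assumed location
$WatchedDomains = @('mywebsite.com', 'www.mywebsite.com')              # the site from the question

function Get-HostsEntries {
    # Parse active (non-comment) lines into address/hostname pairs.
    Get-Content -Path $HostsPath | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()
        if ($line) {
            $parts = $line -split '\s+'
            if ($parts.Count -ge 2) {
                foreach ($name in $parts[1..($parts.Count - 1)]) {
                    [pscustomobject]@{ Address = $parts[0]; HostName = $name }
                }
            }
        }
    }
}

function Test-HostsHijack {
    # Any hosts entry for a watched domain is worth a look; loopback or
    # 0.0.0.0 is the classic "blocked" pattern described in the question.
    Get-HostsEntries | Where-Object { $WatchedDomains -contains $_.HostName } | ForEach-Object {
        $blackholed = $_.Address -in @('127.0.0.1', '0.0.0.0', '::1')
        [pscustomobject]@{ HostName = $_.HostName; Address = $_.Address; Blackholed = $blackholed }
    }
}

function Update-HostsBaseline {
    # Store a SHA-256 so later runs can tell whether the file changed at all.
    (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash | Set-Content -Path $BaselinePath
}

function Test-HostsChanged {
    if (-not (Test-Path $BaselinePath)) { return $true }
    $current = (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
    return $current -ne (Get-Content -Path $BaselinePath -Raw).Trim()
}

function Enable-HostsAudit {
    # Add a SACL entry so successful writes/deletes on the hosts file are logged
    # as Security event 4663 (requires the audit policy noted above).
    $acl  = Get-Acl -Path $HostsPath -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Write,Delete,ChangePermissions,TakeOwnership', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $HostsPath -AclObject $acl
}

function Get-HostsAuditEvents {
    param([int]$Days = 7)
    # 4663 = "An attempt was made to access an object". Its EventData carries
    # the subject account and the process name, which answers "who changed it".
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'drivers\\etc\\hosts' } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Access  = $data.AccessMask
            }
        }
}

# Usage: run once to enable auditing and record a baseline, then on later runs
# check for redirects, file changes, and who made them.
Enable-HostsAudit
if (-not (Test-Path $BaselinePath)) { Update-HostsBaseline }
Test-HostsHijack | Format-Table -AutoSize
if (Test-HostsChanged) { Write-Warning 'hosts file differs from the recorded baseline' }
Get-HostsAuditEvents -Days 7 | Format-Table -AutoSize
```

The process name in the 4663 event is what distinguishes an antivirus or ad-blocking product rewriting the file from a user editing it in Notepad, which is the question the original poster wanted answered. Auditing only records events from the point the SACL is added onward, so the baseline hash is the fallback for changes made before that.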