Windows host name resolution

Question

I was wondering how the windows host-name resolution system works.
More precisely I wonder about the use, or lack thereof, of local caching in the process.
According to Microsoft TCP/IP Host Name Resolution Order, the process is as follows:

1. The client checks to see if the name queried is its own.
2. The client then searches a local Hosts file, a list of IP address and names stored on the local computer.
3. Domain Name System (DNS) servers are queried.
4. If the name is still not resolved, NetBIOS name resolution sequence is used as a backup. This order can be changed by configuring the NetBIOS node type of the client.

What I was wondering is, whether stage (2) is cached in some way.
The sudden interest arose this last few days, as I installed a malware protection (SpyBot) that utilizes the HOSTS file. In fact, it is now 14K entries big, and counting...
The file is currently sorted according to host name, but this of course doesn't have to be.
lg(14K), means 14 steps through the file for each resolution request. These request probably arrive at a rate of a few every second, and usually to the same few hundred hosts (tops).

My view of how this should work is like this:

1. On system startup the windows DNS-resolution mechanism loads the HOSTS file a single time.
2. It commits a single iteration over it that sorts file. A working copy is loaded into memory.
   The original HOSTS file, will not be further read throughout the resolution's process' life.
3. All network-processes (IE, Firefox, MSN...) work via this process/mechanism.
   No other process directly interfaces/reads HOSTS file.
4. Upon receiving a name resolution request, the process check its memory-resident cache.
   If it finds the proper IP then is answers appropriately.
5. Otherwise (it's not cached), the resolution process continues to the memory resident (sorted) HOSTS file, and does a quick binary search over it. From here on, the process continues as originally described.
   The result of the resolution is cached for further use.

Though I am not sure as to the significance of these, I would really appreciate an answer.
I just want to see if my reasoning is right, and if not, why so?
I am aware that in this age of always-on PCs the cache must be periodically (or incrementally) purged. I ignore this for now.

Answer 1

In the DNS Client service (dnsrslvr) you can see a function called LoadHostFileIntoCache. It goes something like this:

file = HostsFile_Open(...);

if (file)
{
    while (HostsFile_ReadLine(...))
    {
        Cache_RecordList(...);
        ...
    }

    HostsFile_Close(...);
}

So how does the service know when the hosts file has been changed? At startup a thread is created which executes NotifyThread, and it calls CreateHostsFileChangeHandle, which calls FindFirstChangeNotificationW to start monitoring the drivers\etc directory. When there's a change the thread clears the cache using Cache_Flush.