CN103019778B - Method and device for cleaning up boot startup items - Google Patents

Publication number
CN103019778B
Authority
CN
China
Prior art keywords
item
starting
file
program file
information
Prior art date
Legal status
Active
Application number
CN201210506572.8A
Other languages
Chinese (zh)
Other versions
CN103019778A (en)
Inventor
刘智锋
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210506572.8A
Publication of CN103019778A
Application granted
Publication of CN103019778B

Abstract

An embodiment of the present invention provides a method and a device for cleaning up boot startup items. The method comprises: obtaining the process information loaded during the computer boot process, the process information comprising process command lines and the program files loaded by the processes; matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising the boot startup items and their corresponding process command lines; and obtaining the security attribute of the program files and cleaning up the corresponding boot startup items according to that security attribute. The embodiment avoids the problem in which a malicious program such as a Trojan hijacks a DLL file at boot and removes itself from the startup items once startup has completed, so that the files hijacked by the Trojan can no longer be found.

Description

Method and device for cleaning up boot startup items
Technical field
The embodiments of the present invention relate to the field of computer technology, and in particular to a method and a device for cleaning up boot startup items.
Background
Boot startup items are a very common feature of the Windows system: they allow applications to start along with Windows. By adding frequently used programs, and the DLL (Dynamic Link Library) files called while those programs load, to the boot startup items, these programs run at boot without the user having to start them manually, which is very convenient.
In practice, the startup item feature can be abused or even used maliciously by some processes. Without the user's permission, some programs add themselves, or other programs and DLL files, to the user's boot startup items. These may include virus or Trojan programs or files, which puts the user's computer at risk.
After the computer has booted, each startup item is recorded in the system's startup folder or in the relevant registry keys. In the prior art, suspicious startup items are mostly cleaned up by judging the danger level of each startup item file in those locations. However, some Trojans or other types of malicious program can disguise themselves as a normal-looking DLL file associated with some program and be added to the startup items. At boot that program runs, the DLL file hijacked by the Trojan runs as well, and after running it can remove itself from the startup items. When the startup folder or the relevant registry keys are scanned after boot, all startup item files are safe files and the files hijacked by the Trojan cannot be found. This way of cleaning up therefore lags behind.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method and a device for cleaning up boot startup items that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for cleaning up boot startup items is provided, comprising:
obtaining the process information loaded during the computer boot process, the process information comprising process command lines and the program files loaded by the processes;
matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising the boot startup items and their corresponding process command lines;
obtaining the security attribute of the program files, and cleaning up the corresponding boot startup items according to the security attribute of the program files.
In an embodiment of the present invention, the program files comprise the executable file that creates the process and/or the dynamic link library files loaded by the process.
In an embodiment of the present invention, the step of matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items comprises:
reading the startup item information recorded by the computer operating system;
matching the process command lines in the startup item information against the process command lines in the process information;
looking up, in the startup item information, the boot startup item corresponding to a matched process command line, and looking up, in the process information, the program files corresponding to that matched process command line, to obtain the program files loaded by the boot startup item.
In an embodiment of the present invention, the step of reading the startup item information recorded by the computer operating system comprises:
reading the values in the startup item registry keys of the computer operating system, wherein the name of each value is the boot startup item and the data of the value is the corresponding process command line;
and/or reading each file in the startup folder under the computer operating system directory, wherein the file name is the boot startup item and the attribute information of the file comprises the corresponding process command line.
In an embodiment of the present invention, the step of cleaning up the corresponding boot startup items according to the security attribute of the program files comprises:
determining the security attribute of the corresponding boot startup item according to the security attribute of the program files;
determining the boot startup items to be cleaned up according to the security attribute of each boot startup item;
deleting the values of the boot startup items to be cleaned up from the system startup item registry keys;
and/or deleting each file corresponding to a startup item to be cleaned up from the startup folder under the system directory.
In an embodiment of the present invention, the step of determining the boot startup items to be cleaned up according to the security attribute of each boot startup item comprises:
if the security attribute of a boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned up;
if the security attribute of a boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned up.
In an embodiment of the present invention, the startup item information comprises the process command line corresponding to each parent process, the process information comprises the program files loaded by parent processes and/or child processes, and the process information further comprises the correspondence between parent processes and child processes.
In an embodiment of the present invention, the step of matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items further comprises:
according to the correspondence between parent processes and child processes in the process information, extracting the program files of the child processes corresponding to a parent process, and taking the program files corresponding to the parent process and to the child processes as the program files corresponding to the boot startup item.
In an embodiment of the present invention, before the step of obtaining the security attribute of the program files, the method further comprises:
removing program files that have the same name as a system file;
and/or removing program files corresponding to preset values in the system startup item registry keys.
In an embodiment of the present invention, the method further comprises:
calling a process information recording driver to communicate with the computer operating system and record the process information loaded during the computer boot process;
the step of obtaining the process information loaded during the computer boot process comprises:
calling a network communication driver to communicate with the process information recording driver and obtain the process information recorded by the process information recording driver.
In an embodiment of the present invention, the step of obtaining the security attribute of the program files comprises:
uploading the feature information corresponding to the program file to a server, the server looking up the security attribute of the program file in a preset first feature information database according to the feature information;
or looking up the security attribute of the program file in a preset second feature information database local to the computer, according to the feature information corresponding to the program file.
According to another aspect of the present invention, a device for cleaning up boot startup items is provided, comprising:
a process information acquisition module, adapted to obtain the process information loaded during the computer boot process, the process information comprising process command lines and the program files loaded by the processes;
a matching module, adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising the boot startup items and their corresponding process command lines;
a security attribute acquisition module, adapted to obtain the security attribute of the program files;
a cleanup module, adapted to clean up the corresponding boot startup items according to the security attribute of the program files.
In an embodiment of the present invention, the program files comprise the executable file that creates the process and/or the dynamic link library files loaded by the process.
In an embodiment of the present invention, the matching module comprises:
a reading submodule, adapted to read the startup item information recorded by the computer operating system;
a command line matching submodule, adapted to match the process command lines in the startup item information against the process command lines in the process information;
a program file acquisition submodule, adapted to look up, in the startup item information, the boot startup item corresponding to a matched process command line, and to look up, in the process information, the program files corresponding to that matched process command line, to obtain the program files loaded by the boot startup item.
In an embodiment of the present invention, the reading submodule reads the values in the startup item registry keys of the computer operating system, wherein the name of each value is the boot startup item and the data of the value is the corresponding process command line;
and/or reads each file in the startup folder under the computer operating system directory, wherein the file name is the boot startup item and the attribute information of the file comprises the corresponding process command line.
In an embodiment of the present invention, the cleanup module comprises:
an attribute determination submodule, adapted to determine the security attribute of the corresponding boot startup item according to the security attribute of the program files;
a cleanup startup item determination submodule, adapted to determine the boot startup items to be cleaned up according to the security attribute of each boot startup item;
a deletion submodule, adapted to delete the values of the boot startup items to be cleaned up from the system startup item registry keys, and/or to delete each file corresponding to a startup item to be cleaned up from the startup folder under the system directory.
In an embodiment of the present invention, the cleanup startup item determination submodule is further adapted so that:
if the security attribute of a boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned up;
if the security attribute of a boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned up.
In an embodiment of the present invention, the startup item information comprises the process command line corresponding to each parent process, the process information comprises the program files loaded by parent processes and/or child processes, and the process information further comprises the correspondence between parent processes and child processes.
In an embodiment of the present invention, the matching module further comprises:
a child process program file extraction submodule, adapted to extract, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and to take the program files corresponding to the parent process and to the child processes as the program files corresponding to the boot startup item.
In an embodiment of the present invention, the device further comprises:
a removal module, adapted to remove program files that have the same name as a system file, and/or to remove program files corresponding to preset values in the system startup item registry keys.
In an embodiment of the present invention, the device further comprises:
a recording module, adapted to call the process information recording driver to communicate with the computer operating system and record the process information loaded during the computer boot process;
the process information acquisition module calls the network communication driver to communicate with the process information recording driver and obtains the process information recorded by the process information recording driver.
In an embodiment of the present invention, the security attribute acquisition module comprises:
a server-side acquisition submodule, adapted to upload the feature information corresponding to the program file to a server, the server looking up the security attribute of the program file in a preset first feature information database according to the feature information;
or a local acquisition submodule, adapted to look up the security attribute of the program file in a preset second feature information database local to the computer, according to the feature information corresponding to the program file.
According to the embodiments of the present invention, the process command lines and the program files loaded by processes during the computer boot process are recorded, including any DLL files hijacked by malicious programs such as Trojans that may be loaded at boot. These records are matched against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items during boot, and the startup items are then cleaned up by judging the safety of those program files. Compared with the background art, the embodiments avoid the problem in which a malicious program such as a Trojan hijacks a file and removes itself from the startup items after boot, so that the files hijacked by the Trojan can no longer be found.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Of course, a product implementing the present invention does not necessarily need to achieve all of the advantages described above at the same time.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of an embodiment of a method for cleaning up boot startup items according to the present invention;
Fig. 2 shows a structural block diagram of an embodiment of a boot process handling method according to the present invention;
Fig. 3 shows a structural block diagram of an embodiment of a device for cleaning up boot startup items according to the present invention;
Fig. 4 shows a structural block diagram of an embodiment of a boot process handling system according to the present invention;
Fig. 5 shows a structural block diagram of an embodiment of a cleanup system according to the present invention;
Fig. 6 shows a schematic diagram of a registry key related to startup items.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
The embodiments of the present invention can be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network personal computers, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, and so on.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules can include routines, programs, object programs, components, logic, data structures and so on, which perform particular tasks or implement particular abstract data types. The computer system/server can be implemented in a distributed cloud computing environment, in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules can be located on local or remote computing system storage media, including storage devices.
Referring to Fig. 1, a flow chart of an embodiment of a method for cleaning up boot startup items according to the embodiments of the present invention is shown, which may specifically comprise the following steps:
Step 100: obtain the process information loaded during the computer boot process, the process information comprising process command lines and the program files loaded by the processes.
During the computer boot process, for the process command line corresponding to each program in the boot startup items, the corresponding process is created by loading the program's EXE executable file. A process is one execution of a program on the computer; running a program starts a process. Some processes may go on to create child processes, and after login completes there are many processes in the process table.
When each process runs, it may also load related dynamic link library files, that is, DLL files. A DLL file is not an executable file; it contains code and data that can be called by several programs at the same time.
In the embodiments of the present invention, the program files loaded for a process command line comprise the EXE executable file (the process file) and/or the DLL files loaded by the process. In a concrete implementation, the process information contains the file paths of the EXE file and/or DLL files.
For example, in a certain boot process, the process information recorded by the process information recording driver comprises: the command line of the process, "c:\test\testrun.exe" /startup; the loaded EXE file path, c:\test\testrun.exe; and the loaded DLL file paths, which include c:\windows\system32\advapi32.dll, c:\windows\system32\ntdll.dll and c:\test\testrun.exe.
In the embodiments of the present invention, a preset process information recording driver runs at boot. The process information recording driver is called to communicate with the computer operating system and record the process information loaded during the computer boot process. To obtain the process information loaded during the computer boot process, a preset network communication driver is called to communicate with the process information recording driver and obtain the process information it has recorded. In a concrete implementation, the process information recording driver may be the qutmdrv.sys driver of a security program and the network communication driver may be the qutmload.dll driver; the qutmload.dll driver can communicate with the qutmdrv.sys driver and obtain the process information from it.
Step 102: match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising the boot startup items and their corresponding process command lines.
The computer operating system also records information about the startup items, from which the boot startup items and their corresponding process command lines can be obtained. By matching the startup item information against the process information, the program files loaded for each startup item can be determined.
Specifically, step S12 may comprise:
Sub-step 1021: read the startup item information recorded by the computer operating system;
Sub-step 1022: match the process command lines in the startup item information against the process command lines in the process information;
Sub-step 1023: look up, in the startup item information, the boot startup item corresponding to a matched process command line, and look up, in the process information, the program files corresponding to that matched process command line, to obtain the program files loaded by the boot startup item.
Both the process information and the startup item information contain the process command line corresponding to each process. The process command lines in the process information are matched against those in the startup item information to find the matching command lines, that is, the process command lines that appear in both. The boot startup item corresponding to a matched command line is then found in the startup item information, and the program files corresponding to the matched process command line are found in the process information, which gives the program files loaded by the boot startup item.
In the embodiments of the present invention, the step of reading the startup item information recorded by the computer operating system may specifically comprise:
Sub-step 1021-1: read the values in the startup item registry keys of the computer operating system, wherein the name of each value is the boot startup item and the data of the value is the corresponding process command line;
and/or sub-step 1021-2: read each file in the startup folder under the computer operating system directory, wherein the file name is the boot startup item and the attribute information of the file comprises the corresponding process command line.
The relevant registry keys and folders of the operating system record the startup item information. In the embodiments of the present invention, the startup item information can be obtained by reading the operating system's startup item registry keys and startup folders.
There are several registry keys related to startup items. Fig. 6 is a schematic diagram of one of them, at the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. The Run key contains several values; the name of a value is the boot startup item and the data of the value is the corresponding process command line. In Fig. 3, the value name testrun corresponds to a startup item, and the value data "c:\test\testrun.exe" /startup corresponds to the process command line.
The Run key is located not only under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion but also under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion. The difference between HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE is that the former applies to the current user and the latter applies to all users. The startup item information under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion can therefore be read in the same way.
In addition, in a concrete implementation, the startup item information can also be read in the same way from the "RunServicesOnce" subkey, the "RunServices" subkey, the "RunOnce\Setup" subkey and the "RunOnce" subkey under the two registry paths above.
The relevant startup folders under the operating system directory also record startup item information. A startup folder contains one or more files, specifically the EXE program files loaded at boot or shortcuts to programs. The file name corresponds to the boot startup item, and the attribute information of the file contains the corresponding process command line. For a shortcut in the startup folder, right-click the shortcut --> Properties --> Target; the target is the process command line. For an EXE file in the startup folder, the file name corresponds to the startup item, and the path of the file plus the file name is the process command line corresponding to that startup item.
In the embodiments of the present invention, the startup item folders comprise the startup folder and the auto-start program folder under All Users. The startup folder is located under the "Documents and Settings --> User --> Start Menu --> Programs" directory, and the auto-start program folder is located under the "Documents and Settings --> All Users --> Start Menu --> Programs" directory.
In a concrete implementation, the startup item information may record the process command line corresponding to each parent process, while the process information may record the program files loaded by parent processes and/or child processes. What is obtained after matching the process information against the startup item information is the program files corresponding to the parent process loaded by the startup item.
In the embodiments of the present invention, the process information may further comprise the correspondence between parent processes and child processes, and step 1021 may further comprise:
Sub-step 1021-3: according to the correspondence between parent processes and child processes in the process information, extract the program files of the child processes corresponding to a parent process, and take the program files corresponding to the parent process and to the child processes as the program files corresponding to the boot startup item.
When obtaining the program files loaded for each process, the process information recording driver may also assign each process a unique number, where the number of a child process is generated from the number of its parent process. In the embodiments of the present invention, after the process information and the startup item information have been matched, all child processes corresponding to a given parent process can be found from the correspondence between process numbers, and the program files loaded by all processes corresponding to the startup item can thus be obtained.
Step 104, obtains the security attribute of described program file, and according to the security attribute of described program file to correspondingStarting up's item clear up.
Obtain after one or more program files of each startup item loading in start process, can further obtainThe security attribute of the program file that startup item loads. Particularly, can be by the corresponding characteristic information of program file be enteredThe security attribute of program file is obtained in row identification.
In embodiments of the present invention, the step of obtaining the security attribute of described program file can comprise:
Sub-step 1041, by the described program file characteristic of correspondence information end of uploading onto the server, server end is presetFirst Characteristic information database in, search the security attribute of described program file according to described characteristic information;
Or sub-step 1042, in the local preset Second Characteristic information database of computer, according to described program fileThe security attribute of program file described in characteristic of correspondence information searching.
In the embodiment of the present invention, what program file recorded may be the file path of EXE file and/or dll file, thisIn situation, also need further to obtain corresponding EXE file and/or dll file according to file path. The feature letter of program fileBreath can obtain after program file is processed, particularly, program file comprise MS-DOS can carry out body, file header, canThe structure compositions such as choosing head, data directory, section header and joint. Wherein, in file header, comprise following structure:
1) "Machine", which indicates the type of system the binary file is intended to run on;
2) "NumberOfSections" (number of sections), the number of sections that immediately follow the headers;
3) "TimeDateStamp" (timestamp), which gives the time the file was created;
4-5) "PointerToSymbolTable" (symbol table pointer) and "NumberOfSymbols" (number of symbols), both 32 bits and both used for debugging information;
6) "SizeOfOptionalHeader" (optional header size), the size of the "IMAGE_OPTIONAL_HEADER" (optional header) item, which can be used to verify the correctness of the PE file structure;
7) "Characteristics", a 16-bit field made up of a set of flag bits, most of which are valid only for object files and library files.
The embodiment of the present invention may transform the program file by a preset algorithm and use the transformed result as the feature information corresponding to the program file. In a preferred embodiment, a message digest algorithm may be used to transform the program file. The message digest algorithm is MD5 (Message-Digest Algorithm 5); the purpose of MD5 is to let large volumes of information be "compressed" into a confidential format before the private key is applied by digital signature software, that is, to transform a byte string of arbitrary length into a hexadecimal digit string of fixed length, which ensures that the information is transmitted completely and consistently.
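The file header fields and the MD5 feature information described above can be seen on a concrete byte string. The following is an added example, not code from the patent: it parses the file header of a constructed minimal PE image, uses SizeOfOptionalHeader as the structural check the text mentions, and computes the digest; the function names and the sample image are assumptions made for illustration.

```python
import hashlib
import struct

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
FILE_HEADER = struct.Struct("<HHIIIHH")   # 20 bytes, little-endian
SECTION_HEADER_SIZE = 40
IMAGE_FILE_DLL = 0x2000                   # Characteristics flag: file is a DLL


def build_sample_pe(declared_optional_size=224, characteristics=0x0102):
    """Constructed sample: a minimal PE layout with zeroed header bodies."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: offset of "PE\0\0"
    header = FILE_HEADER.pack(0x014C, 1, 0x50B5E680, 0, 0,
                              declared_optional_size, characteristics)
    # A 224-byte optional header and one 40-byte section header, both zeroed.
    return (bytes(dos) + b"PE\0\0" + header
            + bytes(224) + bytes(SECTION_HEADER_SIZE))


def parse_file_header(image):
    """Return the file header fields listed above, or raise ValueError."""
    if len(image) < 64 or image[:2] != b"MZ":
        raise ValueError("no MS-DOS header")
    (pe_offset,) = struct.unpack_from("<I", image, 0x3C)
    header_end = pe_offset + 4 + FILE_HEADER.size
    if header_end > len(image) or image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (machine, sections, timestamp, symtab, nsyms,
     optional_size, characteristics) = FILE_HEADER.unpack_from(image, pe_offset + 4)
    # SizeOfOptionalHeader locates the section table; if that table would run
    # past the end of the file, the image is not a consistent PE structure.
    if header_end + optional_size + sections * SECTION_HEADER_SIZE > len(image):
        raise ValueError("section table lies outside the file")
    return {
        "Machine": machine,
        "NumberOfSections": sections,
        "TimeDateStamp": timestamp,
        "PointerToSymbolTable": symtab,
        "NumberOfSymbols": nsyms,
        "SizeOfOptionalHeader": optional_size,
        "Characteristics": characteristics,
        "IsDll": bool(characteristics & IMAGE_FILE_DLL),
    }


def feature_info(image):
    """MD5 digest of the whole file as a fixed-length hexadecimal string."""
    return hashlib.md5(image).hexdigest()


def describe(image):
    """Feature record for one program file: digest plus parsed header."""
    return {"md5": feature_info(image), "header": parse_file_header(image)}


if __name__ == "__main__":
    record = describe(build_sample_pe())
    print(record["md5"], record["header"])
```

MD5 is the digest the text names; it is not collision resistant, so a feature database that also stores a SHA-256 digest gives a stronger lookup key.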
In a preferred embodiment of the present invention, the feature information of the program file can be uploaded to the server side for identification. The server side presets a first feature information database, which contains the correspondence between the feature information of programs and the security attributes of programs. The security attributes may include dangerous file, safe file and unknown file; in a concrete implementation, the security attributes may be set more specifically as black file, white file and grey file, respectively. In a concrete implementation, the specific kinds and number of security attributes can also be set as required, and the present invention does not limit this.
In another preferred embodiment of the present invention, the security attribute of the feature information can also be judged locally on the computer. A second feature information database can be preset locally on the computer, containing the correspondence between the feature information of programs and their security levels. When the computer cannot connect to the server side, the security level of the program file corresponding to the feature information can be looked up in the local second feature information database.
In embodiments of the present invention, the step of cleaning up the corresponding boot startup item according to the security attribute of the program file may comprise:
Sub-step 1043: determine the security attribute of the corresponding boot startup item according to the security attribute of the program file;
Sub-step 1044: determine the boot startup items to be cleaned according to the security attribute of each boot startup item;
Sub-step 1045: delete the key value of the boot startup item to be cleaned in the system startup item registry, and/or delete each file corresponding to the startup item to be cleaned in the startup item folder under the system directory.
After the security attribute of each program file has been determined, the security attribute of the boot startup item can further be determined according to the security attributes of the program files. In the embodiment of the present invention, a boot startup item may load one or more program files, and the security attribute of the boot startup item may be the security attribute with the lowest security among the corresponding one or more program files.
For example, if a startup item has loaded an EXE file and a DLL file, the security attribute corresponding to the feature information of the EXE file is black file, and the security attribute corresponding to the feature information of the DLL file is grey file, then, because the security attribute of a black file is lower than that of a grey file, the security attribute of the startup item can be determined as black file.
After the security attribute of the boot startup item is obtained, the boot startup items to be cleaned can further be determined according to the security attribute of each boot startup item. Specifically:
If the security attribute of the boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned;
If the security attribute of the boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned.
In the concrete cleanup process, for a boot startup item in the system registry, the startup item can be prevented from running at boot by deleting the registry key value corresponding to the startup item program. For example, to delete the system startup item of the testrun.exe program, the key-value entry whose startup item registry name is testrun can be found and deleted under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run directory, thereby deleting the key value of that entry, c:\test\testrun.exe.
For a boot startup item to be cleaned in the startup item folder under the system directory, the EXE program file or shortcut corresponding to the boot startup item can be deleted directly, so that the startup item is prevented from running at boot.
In a concrete implementation, before step 104, the method may further comprise:
Removing the program files that have the same name as a system file;
And/or removing the program files corresponding to preset key-value entries in the system startup item registry.
After the program files are obtained in step 102 and before their security attributes are obtained, known safe program files can first be excluded; these may specifically include program files with the same name as system files, and program files that most programs load.
In a concrete implementation, multiple system files can be collected in advance and added to a system file list. When a program file has the same name as a system file in the system file list, its security attribute need not be further judged, and the program file is removed from the program files to be identified.
In the registry, some important key-value entries record program files that most programs load. For example, in the registry under the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, the key value of the [AppInit_DLLs] entry contains one DLL file name or a group of DLL file names (separated by spaces or commas). When a program loads User32.dll, User32.dll loads all the DLLs listed here. Because most programs with a user interface use User32.dll, the DLLs at this registry location are loaded by most programs. Therefore, some special key-value entries can be collected; for the program files corresponding to these entries, the security attribute need not be further judged, and the program files can be removed from the program files to be identified.
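The procedure described above (command-line matching, following parent and child processes, excluding known files, and taking the lowest-security attribute per startup item) can be traced end to end on sample data. This is an added example, not code from the patent: every record is constructed, the process numbering scheme and function names are assumptions, and the reputation table is keyed by file path as a stand-in for the feature information lookup.

```python
from dataclasses import dataclass
from typing import Optional

# Security attributes ordered from least to most secure (black, grey, white).
DANGEROUS, UNKNOWN, SAFE = 0, 1, 2


@dataclass
class Proc:
    number: str             # unique process number
    parent: Optional[str]   # number of the parent process, None for a root
    cmdline: str
    files: list             # EXE and DLL paths the process loaded


# All values below are constructed sample data.
BOOT_PROCESSES = [
    Proc("1", None, r"c:\test\testrun.exe",
         [r"c:\test\testrun.exe", r"c:\windows\system32\user32.dll"]),
    Proc("1.1", "1", r"c:\test\helper.exe -q",
         [r"c:\test\helper.exe", r"c:\test\hook.dll"]),
    Proc("2", None, r"c:\apps\updater.exe /boot",
         [r"c:\apps\updater.exe", r"c:\apps\shim.dll"]),
]
STARTUP_ITEMS = {"testrun": r"C:\test\testrun.exe",        # registry name -> value
                 "updater": r"c:\apps\updater.exe  /boot"}
SYSTEM_FILE_NAMES = {"user32.dll", "kernel32.dll"}         # system file list
PRESET_KEY_FILES = {r"c:\apps\shim.dll"}                   # e.g. an AppInit_DLLs entry
REPUTATION = {r"c:\test\testrun.exe": UNKNOWN, r"c:\test\helper.exe": SAFE,
              r"c:\test\hook.dll": DANGEROUS, r"c:\apps\updater.exe": SAFE}


def normalize(cmdline):
    """Case-fold and collapse whitespace so both sources compare equal."""
    return " ".join(cmdline.lower().split())


def process_tree(procs, root):
    """The root process plus every descendant, via the parent/child numbers."""
    children = {}
    for p in procs:
        children.setdefault(p.parent, []).append(p)
    tree, stack, seen = [], [root], set()
    while stack:
        p = stack.pop()
        if p.number in seen:
            continue
        seen.add(p.number)
        tree.append(p)
        stack.extend(children.get(p.number, []))
    return tree


def files_loaded_by(items, procs):
    """Map each startup item to the files loaded by its whole process tree."""
    loaded = {}
    for name, cmdline in items.items():
        files = set()
        for p in procs:
            if normalize(p.cmdline) == normalize(cmdline):
                for q in process_tree(procs, p):
                    files.update(f.lower() for f in q.files)
        loaded[name] = files
    return loaded


def files_to_evaluate(files):
    """Drop files named like system files or listed under preset key values."""
    return {f for f in files
            if f.rsplit("\\", 1)[-1] not in SYSTEM_FILE_NAMES
            and f not in PRESET_KEY_FILES}


def item_attribute(files, reputation=REPUTATION):
    """Lowest-security attribute among the files; unknown if none remain."""
    return min((reputation.get(f, UNKNOWN) for f in files), default=UNKNOWN)


def items_to_clean(items=STARTUP_ITEMS, procs=BOOT_PROCESSES):
    """Names of startup items whose attribute is 'dangerous file'."""
    loaded = files_loaded_by(items, procs)
    return sorted(name for name, files in loaded.items()
                  if item_attribute(files_to_evaluate(files)) == DANGEROUS)


if __name__ == "__main__":
    print(items_to_clean())
```

The system-file exclusion here compares names only, as the text describes; comparing the full path or digest as well keeps a same-named file in another directory in scope.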
In summary, according to the embodiment of the present invention, the process command lines loaded during the computer boot process and the program files loaded by the processes are recorded, including DLL files hijacked by malicious programs such as Trojans that may be loaded at boot; these are matched with the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items during the boot process, and the startup items are then cleaned up by judging the security of the program files. Compared with the background art, the embodiment of the present invention avoids the problem that, after boot, a malicious program such as a Trojan hijacks a file and exits the startup item, so that the related files hijacked by the Trojan cannot be found.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but those skilled in the art should know that the application is not limited by the described order of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the description are all preferred embodiments, and the actions involved are not necessarily required by the application.
Referring to Fig. 2, a flow chart of an embodiment of a method for handling a boot process according to the embodiment of the present invention is shown, which may specifically comprise the following steps:
Step 200: obtain the process information loaded during the computer boot process, the process information including process command lines and the program files loaded by the processes;
Step 202: match the process information with the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information including boot startup items and the corresponding process command lines;
Step 204: obtain the security attribute of the program file;
Step 206: clean up the corresponding boot startup item according to the security attribute of the program file, and clean up each program file according to the security attribute of the program file and a preset program cleanup policy corresponding to the security attribute.
Unlike the previous embodiment, in the present embodiment the program files themselves can further be cleaned up according to their security attributes. In a preferred embodiment of the present invention, the security attribute of a program file may include dangerous file, safe file and unknown file, and the security attribute of the application program and the program cleanup policy may have the following correspondence:
When the security attribute of the program file is dangerous file, the corresponding cleanup policy is to delete all files related to the program file;
When the security attribute of the program file is safe file or unknown file, the corresponding cleanup policy is to do nothing.
In a concrete implementation, the correspondence between the categories of program file security attributes and the program cleanup policies can be set flexibly according to the application environment and requirements.
For part of the content of steps 200-206, reference may be made to the description of the steps in Fig. 1, which is not repeated here.
Referring to Fig. 3, a structural block diagram of an embodiment of a device for cleaning up boot startup items according to the application is shown, which may specifically comprise the following modules:
Process information acquisition module 10, adapted to obtain the process information loaded during the computer boot process, the process information including process command lines and the program files loaded by the processes;
Matching module 12, adapted to match the process information with the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information including boot startup items and the corresponding process command lines;
Security attribute acquisition module 14, adapted to obtain the security attribute of the program file;
Cleaning module 16, adapted to clean up the corresponding boot startup item according to the security attribute of the program file.
In the embodiment of the present invention, the program file may include the executable file that creates the process and the dynamic link library files loaded by the process.
In the embodiment of the present invention, the matching module may comprise:
Reading submodule, adapted to read the startup item information recorded by the computer operating system;
Command line matching submodule, adapted to match the process command lines in the startup item information with the process command lines in the process information;
Program file obtaining submodule, adapted to look up, in the startup item information, the boot startup item corresponding to the matched process command line, and to look up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the boot startup item.
In the embodiment of the present invention, the reading submodule may read the key-value entries in the computer operating system's startup item registry, wherein the name of a key-value entry is the boot startup item and the key value of the entry is the corresponding process command line;
And/or read each file in the startup item folder under the computer operating system directory, wherein the file name is the boot startup item and the attribute information of the file includes the corresponding process command line.
In the embodiment of the present invention, the cleaning module may comprise:
Attribute determining submodule, adapted to determine the security attribute of the corresponding boot startup item according to the security attribute of the program file;
Cleanup startup item determining submodule, adapted to determine the boot startup items to be cleaned according to the security attribute of each boot startup item;
Deleting submodule, adapted to delete the key value of the boot startup item to be cleaned in the system startup item registry, and/or delete each file corresponding to the startup item to be cleaned in the startup item folder under the system directory.
In the embodiment of the present invention, the cleanup startup item determining submodule may further be adapted such that:
If the security attribute of the boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned;
If the security attribute of the boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned.
In the embodiment of the present invention, the startup item information may include the process command line corresponding to each parent process, the process information includes the program files loaded by parent processes and/or child processes, and the process information also includes the correspondence between parent processes and child processes.
In the embodiment of the present invention, the matching module may further comprise:
Child process program file extracting submodule, adapted to extract, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to the parent process, and to take the program files respectively corresponding to the parent process and the child processes as the program files corresponding to the boot startup item.
In the embodiment of the present invention, the device may further comprise:
Removing module, adapted to remove the program files that have the same name as a system file, and/or remove the program files corresponding to preset key-value entries in the system startup item registry.
In the embodiment of the present invention, the device may further comprise:
Recording module, adapted to call the process information recording driver to communicate with the computer operating system and record the process information loaded during the computer boot process;
The process information acquisition module calls the network communication driver to communicate with the process information recording driver and obtains the process information recorded by the process information recording driver.
In the embodiment of the present invention, the security attribute acquisition module may comprise:
Server-side obtaining submodule, adapted to upload the feature information corresponding to the program file to the server side, where the server side looks up the security attribute of the program file according to the feature information in the preset first feature information database;
Or, local obtaining submodule, adapted to look up, in the second feature information database preset locally on the computer, the security attribute of the program file according to the feature information corresponding to the program file.
Referring to Fig. 4, a structural block diagram of an embodiment of a boot process handling system according to the application is shown, which may specifically comprise the following modules:
Process information acquisition module 20, adapted to obtain the process information loaded during the computer boot process, the process information including process command lines and the program files loaded by the processes;
Matching module 22, adapted to match the process information with the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information including boot startup items and the corresponding process command lines;
Security attribute acquisition module 24, adapted to obtain the security attribute of the program file;
Startup item cleaning module 26, adapted to clean up the corresponding boot startup item according to the security attribute of the program file;
Program file cleaning module 28, adapted to clean up each program file according to the security attribute of the program file and a preset program cleanup policy corresponding to the security attribute.
For modules 20-26, reference may be made to the description of the modules in Fig. 3, which is not repeated here.
Referring to Fig. 5, a structural block diagram of an embodiment of a cleanup system according to the application is shown, which may specifically comprise:
Computer 31 and server 32;
The computer 31 comprises a process information acquisition module 311, a matching module 312, a program attribute acquisition module 313, a startup item attribute determination module 314, a cleanup startup item determination module 315, a startup item cleaning module 316 and a program file cleaning module 317;
The process information acquisition module 311 is adapted to obtain the process information loaded during the computer boot process, the process information including process command lines and the program files loaded by the processes;
The matching module 312 is adapted to match the process information with the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information including boot startup items and the corresponding process command lines;
The program attribute acquisition module 313 is adapted to extract the feature information of the program file and send it to the server, and to receive the security attribute of the program file determined by the server according to the feature information;
The startup item attribute determination module 314 is adapted to determine the security attribute of the corresponding boot startup item according to the security attribute of the program file;
The cleanup startup item determination module 315 determines the boot startup items to be cleaned according to the security attribute of each boot startup item;
The startup item cleaning module 316 is adapted to delete the key value of the boot startup item to be cleaned in the system startup item registry, and/or delete each file corresponding to the startup item to be cleaned in the startup item folder under the system directory;
The program file cleaning module 317 is adapted to clean up each program file according to the security attribute of the program file and a preset program cleanup policy corresponding to the security attribute.
The server 32 comprises a program feature information database 321 and a program attribute query module 322;
The program attribute query module 322 is adapted to receive the feature information, sent by the computer, of the program files loaded by the boot startup items, and to look up the security attribute corresponding to the feature information in the feature information database.
For the modules in this embodiment of the present invention, reference may be made to the description of the embodiments of Figs. 1-4, which is not repeated here.
As for the embodiments of the above cleanup device for boot startup items, the boot process handling system and the cleanup system, because they are substantially similar to the method embodiments, the description is relatively brief; for relevant parts, refer to the corresponding explanation of the method embodiments shown in Fig. 1 and Fig. 2.
Each embodiment in this description is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar between embodiments, reference may be made to one another.
Those skilled in the art will readily appreciate that any combination of the above embodiments is feasible, so any combination of the above embodiments is an embodiment of the application; for reasons of space, this description does not detail them one by one here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and the above description of a specific language is made in order to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the computer of an embodiment can be adaptively changed and arranged in one or more computers different from that embodiment. The modules or units or components of an embodiment can be combined into one module or unit or component, and they can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this description (including the accompanying claims, abstract and drawings) and all processes or units of any method or computer so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this description (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for cleaning up boot startup items according to the embodiment of the present invention. The present invention may also be implemented as computer or device programs (for example, computer programs and computer program products) for carrying out part or all of the methods described herein. Such programs implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.
Disclosed herein is A1, a method for cleaning up boot startup items, comprising: obtaining the process information loaded during the computer boot process, the process information including process command lines and the program files loaded by the processes; matching the process information with the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information including boot startup items and the corresponding process command lines; obtaining the security attribute of the program file, and cleaning up the corresponding boot startup item according to the security attribute of the program file.
A2, the method according to A1, wherein the program file includes the executable file that creates the process and/or the dynamic link library files loaded by the process.
A3, the method according to A1, wherein the step of matching the process information with the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items comprises: reading the startup item information recorded by the computer operating system; matching the process command lines in the startup item information with the process command lines in the process information; looking up, in the startup item information, the boot startup item corresponding to the matched process command line, and looking up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the boot startup item.
A4, the method according to A3, wherein the step of reading the startup item information recorded by the computer operating system comprises: reading the key-value entries in the computer operating system's startup item registry, wherein the name of a key-value entry is the boot startup item and the key value of the entry is the corresponding process command line; and/or reading each file in the startup item folder under the computer operating system directory, wherein the file name is the boot startup item and the attribute information of the file includes the corresponding process command line.
A5, the method according to A4, wherein the step of cleaning up the corresponding boot startup item according to the security attribute of the program file comprises: determining the security attribute of the corresponding boot startup item according to the security attribute of the program file; determining the boot startup items to be cleaned according to the security attribute of each boot startup item; deleting the key value of the boot startup item to be cleaned in the system startup item registry; and/or deleting each file corresponding to the startup item to be cleaned in the startup item folder under the system directory.
A6, the method according to A5, wherein the step of determining the boot startup items to be cleaned according to the security attribute of each boot startup item comprises: if the security attribute of the boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned; if the security attribute of the boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned.
A7, the method according to A3, wherein the startup item information includes the process command line corresponding to each parent process, the process information includes the program files loaded by parent processes and/or child processes, and the process information also includes the correspondence between parent processes and child processes.
A8, the method according to A7, wherein the step of matching the process information with the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items further comprises: extracting, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to the parent process, and taking the program files respectively corresponding to the parent process and the child processes as the program files corresponding to the boot startup item.
A9, the method according to A1, wherein before the step of obtaining the security attribute of the program file, the method further comprises: removing the program files that have the same name as a system file; and/or removing the program files corresponding to preset key-value entries in the system startup item registry.
A10, the method according to A1, further comprising: calling the process information recording driver to communicate with the computer operating system and recording the process information loaded during the computer boot process; wherein the step of obtaining the process information loaded during the computer boot process comprises: calling the network communication driver to communicate with the process information recording driver, and obtaining the process information recorded by the process information recording driver.
A11, the method according to A1, wherein the step of obtaining the security attribute of the program file comprises: uploading the feature information corresponding to the program file to the server side, where the server side looks up the security attribute of the program file according to the feature information in the preset first feature information database; or looking up, in the second feature information database preset locally on the computer, the security attribute of the program file according to the feature information corresponding to the program file.
The cleaning plant that herein disclosed is B12, a kind of starting up's item, comprising: progress information acquisition module, is suitable for obtainingThe progress information loading in computer booting process, described progress information comprises the program literary composition that process order line and process loadPart; Matching module, is suitable for described progress information to mate with the startup item information of computer operating system record, and acquisition is openedThe program file that machine startup item loads, described startup item information comprises starting up's item and corresponding process order line; SafetyAttribute acquisition module, is suitable for obtaining the security attribute of described program file; Cleaning module, is suitable for the peace according to described program fileFull attribute is cleared up corresponding starting up's item. B13, according to the device described in B12, described program file comprise create intoThe dynamic link library file that the executable file of journey and/or process load. B14, according to the device described in B12, described coupling mouldPiece comprises: reading submodule, is suitable for reading the startup item information that computer operating system records; Order line matched sub-block, suitableIn the process order line in described startup item information is mated with the process order line in described progress information; Program fileObtain submodule, be suitable for searching the starting up item corresponding with the process order line matching from described startup item information, andFrom described progress information, search the program file corresponding with the described process order line matching, draw described starting up's itemThe program file loading. 
B15, according to the device described in B14, described reading submodule reads computer operating system startup itemKey assignments item in registration table, wherein, the name of described key assignments item is called starting up's item, and the key assignments of described key assignments item is for entering accordinglyJourney order line; And/or, read each file in the startup item file under computer operating system catalogue, wherein, file nameFor starting up's item, the attribute information of file comprises corresponding process order line. B16, according to the device described in B15, described inCleaning module comprises: attribute is determined submodule, is suitable for determining corresponding starting up according to the security attribute of described program fileThe security attribute of item; Cleaning startup item is determined submodule, is suitable for determining for clearance according to the security attribute of each starting up's itemStarting up's item; Delete submodule, be suitable for the key assignments of starting up's item for clearance in deletion system startup item registration table; With/Or, each file corresponding to startup item for clearance in startup item file under deletion system catalogue. B17, according to described in B16Device, described cleaning startup item determines that submodule is also suitable for: if the security attribute of starting up's item is secure file or unknown literary compositionPart, described starting up's item is not starting up's item for clearance; If the security attribute of starting up's item is dangerous file,Described starting up's item is starting up's item for clearance. 
B18, according to the device described in B14, described startup item information comprisesThe process order line that each parent process is corresponding, described progress information comprises the program literary composition that parent process and/or subprocess loadPart, also comprises the corresponding relation of parent process and subprocess in described progress information. B19, according to the device described in B18, describedJoining module also comprises: subprocess program file extracts submodule, is suitable for the correspondence according to parent process in progress information and subprocessRelation, extracts the program file of subprocess corresponding to parent process, by described parent process and subprocess corresponding program file respectivelyAs the program file of starting up's item correspondence. B20, according to the device described in B12, also comprise: remove module, be suitable for remove withSystem file possesses the program file of same names; And/or preset key assignments item is corresponding in removal system startup item registration tableProgram file. B21, according to the device described in B12, also comprise: logging modle, be suitable for calling process information recording drive with calculateMachine operation system communication, the progress information loading in logger computer start process; Described progress information acquisition module callsNetwork service drives with described progress information record and drives and communicate by letter, and obtains the process that described progress information records activation record and believesBreath. 
B22, according to the device described in B12, described security attribute acquisition module comprises: service end is obtained submodule, is suitable for describedThe program file characteristic of correspondence information end of uploading onto the server, server end, in preset First Characteristic information database, is complied withSearch the security attribute of described program file according to described characteristic information; Or this locality obtains submodule, be suitable at computer local pre-In the Second Characteristic information database of putting, according to the safety of program file described in described program file characteristic of correspondence information searchingAttribute.

Claims (16)

1. A method for cleaning up startup items, comprising:
Obtaining the process information loaded during computer boot, the process information including process command lines and the program files loaded by processes;
Matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by startup items, the startup item information including startup items and the corresponding process command lines; further comprising: reading the startup item information recorded by the computer operating system; matching the process command lines in the startup item information against the process command lines in the process information; looking up, in the startup item information, the startup item corresponding to a matched process command line, and looking up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the startup item;
Removing program files that have the same name as a system file, and/or removing the program files corresponding to preset key-value entries in the system startup item registry;
Obtaining the security attribute of the program files loaded by the startup item, and cleaning up the corresponding startup item according to the security attribute of the program files loaded by the startup item.
2. The method according to claim 1, wherein the program files loaded by the startup item include the executable file that creates the process and/or the dynamic link library files loaded by the process.
3. The method according to claim 1, wherein the step of reading the startup item information recorded by the computer operating system comprises:
Reading the key-value entries in the startup item registry of the computer operating system, where the name of each key-value entry is the startup item and the value of the entry is the corresponding process command line;
And/or reading each file in the startup folder under the computer operating system directory, where the file name is the startup item and the attribute information of the file includes the corresponding process command line.
4. The method according to claim 3, wherein the step of cleaning up the corresponding startup item according to the security attribute of the program files loaded by the startup item comprises:
Determining the security attribute of the corresponding startup item according to the security attribute of the program files loaded by the startup item;
Determining the startup items to be cleaned according to the security attribute of each startup item;
Deleting the key values of the startup items to be cleaned from the system startup item registry;
And/or deleting, from the startup folder under the system directory, each file corresponding to a startup item to be cleaned.
5. The method according to claim 4, wherein the step of determining the startup items to be cleaned according to the security attribute of each startup item comprises:
If the security attribute of a startup item is safe file or unknown file, the startup item is not a startup item to be cleaned;
If the security attribute of a startup item is dangerous file, the startup item is a startup item to be cleaned.
6. The method according to claim 1, wherein the startup item information includes the process command line corresponding to each parent process, the process information includes the program files loaded by the parent process and/or child processes, and the process information further includes the correspondence between parent processes and child processes.
7. The method according to claim 6, wherein the step of matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the startup items further comprises:
Extracting, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and taking the program files corresponding to the parent process and to the child processes as the program files corresponding to the startup item.
8. The method according to claim 1, further comprising:
Invoking a process information recording driver to communicate with the computer operating system and record the process information loaded during computer boot;
Wherein the step of obtaining the process information loaded during computer boot comprises:
Invoking a network service driver to communicate with the process information recording driver and obtain the process information recorded by the process information recording driver.
9. The method according to claim 1, wherein the step of obtaining the security attribute of the program files loaded by the startup item comprises:
Uploading the feature information corresponding to the program files loaded by the startup item to a server, the server looking up, in a preset first feature information database, the security attribute of the program files loaded by the startup item according to the feature information;
Or looking up, in a second feature information database preset locally on the computer, the security attribute of the program files loaded by the startup item according to the feature information corresponding to the program files loaded by the startup item.
10. A device for cleaning up startup items, comprising:
A process information acquisition module, adapted to obtain the process information loaded during computer boot, the process information including process command lines and the program files loaded by processes;
A matching module, adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by startup items, the startup item information including startup items and the corresponding process command lines;
A security attribute acquisition module, adapted to obtain the security attribute of the program files loaded by the startup item;
A removal module, adapted to remove program files that have the same name as a system file, and/or to remove the program files corresponding to preset key-value entries in the system startup item registry;
A cleaning module, adapted to clean up the corresponding startup item according to the security attribute of the program files loaded by the startup item;
Wherein the matching module comprises:
A reading submodule, adapted to read the startup item information recorded by the computer operating system;
A command line matching submodule, adapted to match the process command lines in the startup item information against the process command lines in the process information;
A program file obtaining submodule, adapted to look up, in the startup item information, the startup item corresponding to a matched process command line, and to look up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the startup item.
11. The device according to claim 10, wherein the program files loaded by the startup item include the executable file that creates the process and/or the dynamic link library files loaded by the process.
12. The device according to claim 10, wherein the reading submodule reads the key-value entries in the startup item registry of the computer operating system, where the name of each key-value entry is the startup item and the value of the entry is the corresponding process command line;
And/or reads each file in the startup folder under the computer operating system directory, where the file name is the startup item and the attribute information of the file includes the corresponding process command line.
13. The device according to claim 12, wherein the cleaning module comprises:
An attribute determination submodule, adapted to determine the security attribute of the corresponding startup item according to the security attribute of the program files loaded by the startup item;
A cleaning startup item determination submodule, adapted to determine the startup items to be cleaned according to the security attribute of each startup item;
A deletion submodule, adapted to delete the key values of the startup items to be cleaned from the system startup item registry; and/or to delete, from the startup folder under the system directory, each file corresponding to a startup item to be cleaned.
14. The device according to claim 13, wherein the cleaning startup item determination submodule is further adapted such that:
If the security attribute of a startup item is safe file or unknown file, the startup item is not a startup item to be cleaned;
If the security attribute of a startup item is dangerous file, the startup item is a startup item to be cleaned.
15. The device according to claim 10, wherein the startup item information includes the process command line corresponding to each parent process, the process information includes the program files loaded by the parent process and/or child processes, and the process information further includes the correspondence between parent processes and child processes.
16. The device according to claim 15, wherein the matching module further comprises:
A child process program file extraction submodule, adapted to extract, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and to take the program files corresponding to the parent process and to the child processes as the program files corresponding to the startup item.
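The matching and clean-up decision of claims 1, 5 and 7, as an added Python example that is not part of the patent or any vendor's code. All sample data is constructed; the file path standing in for "feature information", the directory-based system-file filter and the rule for combining per-file verdicts into an item verdict are assumptions of this example.

```python
import ntpath

# Constructed sample data (not from the patent).
# Startup items as read from a Run registry key: value name -> command line.
STARTUP_ITEMS = {
    "Updater": r'"C:\Program Files\Acme\updater.exe" /background',
    "Player": r"C:\Apps\Player\player.exe -tray",
    "Notes": r"C:\Apps\Notes\notes.exe",
}
# Boot-time process log as a recording driver could have captured it.
BOOT_PROCESSES = [
    {"pid": 100, "ppid": 4,
     "cmdline": r'"c:\program files\acme\updater.exe"  /background',
     "files": [r"C:\Program Files\Acme\updater.exe",
               r"C:\Windows\System32\kernel32.dll"]},
    {"pid": 200, "ppid": 4, "cmdline": r"C:\Apps\Player\player.exe -tray",
     "files": [r"C:\Apps\Player\player.exe", r"C:\Apps\Player\version.dll"]},
    {"pid": 201, "ppid": 200, "cmdline": r"C:\Apps\Player\helper.exe",
     "files": [r"C:\Apps\Player\helper.exe"]},
    {"pid": 300, "ppid": 4, "cmdline": r"C:\Apps\Notes\notes.exe",
     "files": [r"C:\Apps\Notes\notes.exe", r"C:\Apps\Notes\spell.dll"]},
]
# Local feature database. Assumption: the lower-cased path stands in for the
# "feature information"; a real lookup would key on something like a file hash.
FEATURE_DB = {
    r"c:\program files\acme\updater.exe": "safe",
    r"c:\apps\player\player.exe": "safe",
    r"c:\apps\player\version.dll": "dangerous",
    r"c:\apps\player\helper.exe": "safe",
    r"c:\apps\notes\notes.exe": "safe",
}
SYSTEM_DIR = r"c:\windows\system32"


def normalize(cmdline):
    """Case-fold, drop quotes and collapse whitespace so both sources compare equal."""
    return " ".join(cmdline.replace('"', "").lower().split())


def descendants(pid, processes):
    """Yield every process whose parent chain leads back to pid (claim 7)."""
    for proc in processes:
        if proc["ppid"] == pid:
            yield proc
            yield from descendants(proc["pid"], processes)


def is_system_file(path):
    # Assumption: filter on the system directory, not on the bare file name,
    # so a same-named DLL sitting beside the executable is still checked.
    return ntpath.dirname(path).lower() == SYSTEM_DIR


def files_loaded_by_items(items, processes):
    """Map each startup item to the non-system files it loaded during boot."""
    by_cmdline = {normalize(p["cmdline"]): p for p in processes}
    loaded = {}
    for name, cmdline in items.items():
        proc = by_cmdline.get(normalize(cmdline))
        if proc is None:
            continue  # item did not run during this boot
        group = [proc, *descendants(proc["pid"], processes)]
        files = {f for p in group for f in p["files"] if not is_system_file(f)}
        loaded[name] = sorted(files)
    return loaded


def item_attribute(files, db):
    """Assumption: one dangerous file makes the item dangerous, else unknown, else safe."""
    verdicts = {db.get(f.lower(), "unknown") for f in files}
    for level in ("dangerous", "unknown"):
        if level in verdicts:
            return level
    return "safe"


def items_to_clean(items, processes, db):
    """Claim 5: only items rated dangerous are cleaned; safe and unknown stay."""
    loaded = files_loaded_by_items(items, processes)
    return sorted(n for n, f in loaded.items() if item_attribute(f, db) == "dangerous")
```

Player is flagged only because the boot log recorded `version.dll` being loaded from the application directory; the registry entry itself points at an executable the database rates safe.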
CN201210506572.8A 2012-11-30 2012-11-30 The method for cleaning of starting up's item and device Active CN103019778B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210506572.8A CN103019778B (en) 2012-11-30 2012-11-30 The method for cleaning of starting up's item and device

Publications (2)

Publication Number Publication Date
CN103019778A CN103019778A (en) 2013-04-03
CN103019778B CN103019778B (en) 2016-05-25

Family

ID=47968412

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210506572.8A Active CN103019778B (en) 2012-11-30 2012-11-30 The method for cleaning of starting up's item and device

Country Status (1)

Country Link
CN (1) CN103019778B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103514019B (en) * 2013-10-09 2017-10-17 北京奇虎科技有限公司 Handle the method and its device of pop-up
CN103927199B (en) * 2014-03-21 2018-01-23 珠海市君天电子科技有限公司 The management method and terminal device of a kind of startup item
CN103955644B (en) * 2014-04-25 2017-06-06 国家电网公司 A kind of static Trojan detecting method based on terminal self-starting
CN104166575B (en) * 2014-08-22 2018-05-08 珠海市君天电子科技有限公司 The decision method and device of startup item handling result
CN104572199B (en) * 2014-12-31 2018-03-02 北京奇虎科技有限公司 The method and apparatus that a kind of No starting item starts
CN104503807B (en) * 2014-12-31 2018-05-25 北京奇虎科技有限公司 The management method and device of startup item
CN104715191B (en) * 2015-03-26 2017-09-29 广州快飞计算机科技有限公司 A kind of method and system of the startup detection and protection of embedded main program
CN106155870B (en) * 2015-04-27 2020-02-28 腾讯科技(深圳)有限公司 Terminal optimization processing method and device and terminal
CN105094280A (en) * 2015-07-07 2015-11-25 北京奇虎科技有限公司 Method, apparatus and system for improving standby performance of intelligent terminal
CN105843657A (en) * 2016-04-22 2016-08-10 北京奇虎科技有限公司 Startup item control method and device
CN106127029B (en) * 2016-06-22 2019-03-22 珠海豹趣科技有限公司 A kind of the starting method, apparatus and electronic equipment of security application
CN106201579B (en) * 2016-06-28 2019-06-21 珠海豹趣科技有限公司 A kind of method, apparatus and electronic equipment for deleting registry boot item
CN110442354A (en) * 2019-07-30 2019-11-12 南京市晨枭软件技术有限公司 A kind of software method for cleaning and device
CN114296829A (en) * 2021-12-30 2022-04-08 北京字节跳动网络技术有限公司 Plug-in loading method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1900940A (en) * 2006-07-19 2007-01-24 谢朝霞 Method for computer safety start
CN102629308A (en) * 2012-03-09 2012-08-08 奇智软件(北京)有限公司 Method and device for preventing login information from being stealed

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060130144A1 (en) * 2004-12-14 2006-06-15 Delta Insights, Llc Protecting computing systems from unauthorized programs
CN101604361A (en) * 2008-06-11 2009-12-16 北京奇虎科技有限公司 A kind of detection method of Malware and device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1900940A (en) * 2006-07-19 2007-01-24 谢朝霞 Method for computer safety start
CN102629308A (en) * 2012-03-09 2012-08-08 奇智软件(北京)有限公司 Method and device for preventing login information from being stealed

Also Published As

Publication number Publication date
CN103019778A (en) 2013-04-03


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.