CN103034513B - Method and system for processing the boot process

Publication number: CN103034513B
Authority: CN (China)
Application number: CN201210506930.5A
Other languages: Chinese (zh)
Other versions: CN103034513A
Inventor: 刘智锋
Current Assignee: Beijing Qihoo Technology Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by: Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority: CN201210506930.5A
Legal status: Active
Landscapes: Stored Programmes (AREA)
Abstract

An embodiment of the present invention provides a method and system for processing the boot process. The system comprises: a process information acquisition module, adapted to obtain the process information loaded during computer boot; a matching module, adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items; a security attribute acquisition module, adapted to obtain the security attributes of the program files; a startup item cleanup module, adapted to clean up the corresponding boot startup items according to the security attributes of the program files; and a program file cleanup module, adapted to clean up each program file according to its security attribute and the preset program cleanup policy corresponding to that security attribute. The embodiment avoids the problem that a malicious program such as a Trojan hijacks a DLL file at boot and leaves the startup items once they have finished running, after which the related files hijacked by the Trojan cannot be found.

Description

Method and system for processing the boot process
Technical field
Embodiments of the present invention relate to the field of computer technology, and in particular to a method and system for processing the boot process.
Background
Boot startup items are a very common feature of Windows systems: they allow certain applications to start when the Windows system starts. By adding frequently used programs, together with the DLL (Dynamic Link Library) files called while those programs load, to the boot startup items, these programs run at boot without the user starting them manually, which is very convenient.
In practice, the startup item feature can be abused, or even used maliciously, by some processes. Some programs add themselves, other programs or DLL files to the user's boot startup items without the user's permission. These may include virus or Trojan programs or files, which puts the user's computer at risk.
After the computer boots, each startup item is recorded in the system's startup folder or in the related registry keys. In the prior art, suspicious startup items are mostly cleaned up by judging the danger level of each startup item file at those locations. However, some Trojans or other types of malicious program can disguise themselves as a normal-looking DLL file associated with some program and be added to the startup items. At boot, when that program runs, the DLL file hijacked by the Trojan also runs, and after running it can remove itself from the startup items. When the startup folder or the related registry keys are scanned after boot, all startup item files are safe files and the related files hijacked by the Trojan cannot be found. This cleanup approach therefore lags behind the threat.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method and system for processing the boot process that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for processing the boot process is provided, comprising:
obtaining the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes;
matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising the boot startup items and their corresponding process command lines;
obtaining the security attributes of the program files;
cleaning up the corresponding boot startup items according to the security attributes of the program files, and cleaning up each program file according to its security attribute and the preset program cleanup policy corresponding to that security attribute.
In an embodiment of the present invention, the step of matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items comprises:
reading the startup item information recorded by the computer operating system;
matching the process command lines in the startup item information against the process command lines in the process information;
looking up, in the startup item information, the boot startup item corresponding to a matched process command line, and looking up, in the process information, the program files corresponding to that matched process command line, thereby obtaining the program files loaded by the boot startup item.
In an embodiment of the present invention, the step of reading the startup item information recorded by the computer operating system comprises:
reading the value entries in the startup item registry of the computer operating system, where the name of a value entry is the boot startup item and the value of the entry is the corresponding process command line;
and/or reading each file in the startup folder under the computer operating system directory, where the file name is the boot startup item and the file's attribute information includes the corresponding process command line.
In an embodiment of the present invention, the step of cleaning up the corresponding boot startup items according to the security attributes of the program files comprises:
determining the security attribute of the corresponding boot startup item according to the security attributes of the program files;
determining the boot startup items to be cleaned according to the security attribute of each boot startup item;
deleting the values of the boot startup items to be cleaned from the system startup item registry;
and/or deleting the files corresponding to the startup items to be cleaned from the startup folder under the system directory.
In an embodiment of the present invention, the step of determining the boot startup items to be cleaned according to the security attribute of each boot startup item comprises:
if the security attribute of a boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned;
if the security attribute of a boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned.
In an embodiment of the present invention, the startup item information includes the process command line corresponding to each parent process, the process information includes the program files loaded by parent processes and/or child processes, and the process information also includes the correspondence between parent processes and child processes.
In an embodiment of the present invention, the step of matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items further comprises:
extracting, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and taking the program files corresponding to the parent process and to its child processes as the program files corresponding to the boot startup item.
In an embodiment of the present invention, before the step of obtaining the security attributes of the program files, the method further comprises:
removing program files that have the same name as a system file;
and/or removing the program files corresponding to preset value entries in the system startup item registry.
In an embodiment of the present invention, the method further comprises:
calling a process information recording driver to communicate with the computer operating system and record the process information loaded during computer boot;
the step of obtaining the process information loaded during computer boot comprises:
calling a network service driver to communicate with the process information recording driver and obtain the process information recorded by the process information recording driver.
In an embodiment of the present invention, the step of obtaining the security attributes of the program files comprises:
uploading the feature information corresponding to the program file to a server, where the server looks up the security attribute of the program file in a preset first feature information database according to the feature information;
or looking up the security attribute of the program file, according to the feature information corresponding to the program file, in a second feature information database preset locally on the computer.
According to another aspect of the present invention, a system for processing the boot process is provided, comprising:
a process information acquisition module, adapted to obtain the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes;
a matching module, adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising the boot startup items and their corresponding process command lines;
a security attribute acquisition module, adapted to obtain the security attributes of the program files;
a startup item cleanup module, adapted to clean up the corresponding boot startup items according to the security attributes of the program files;
a program file cleanup module, adapted to clean up each program file according to its security attribute and the preset program cleanup policy corresponding to that security attribute.
In an embodiment of the present invention, the program files include the executable file that creates a process and/or the dynamic link library files loaded by the process.
In an embodiment of the present invention, the matching module comprises:
a reading submodule, adapted to read the startup item information recorded by the computer operating system;
a command line matching submodule, adapted to match the process command lines in the startup item information against the process command lines in the process information;
a program file obtaining submodule, adapted to look up, in the startup item information, the boot startup item corresponding to a matched process command line, and to look up, in the process information, the program files corresponding to that matched process command line, thereby obtaining the program files loaded by the boot startup item.
In an embodiment of the present invention, the reading submodule reads the value entries in the startup item registry of the computer operating system, where the name of a value entry is the boot startup item and the value of the entry is the corresponding process command line;
and/or reads each file in the startup folder under the computer operating system directory, where the file name is the boot startup item and the file's attribute information includes the corresponding process command line.
In an embodiment of the present invention, the startup item cleanup module comprises:
an attribute determining submodule, adapted to determine the security attribute of the corresponding boot startup item according to the security attributes of the program files;
a cleanup startup item determining submodule, adapted to determine the boot startup items to be cleaned according to the security attribute of each boot startup item;
a deleting submodule, adapted to delete the values of the boot startup items to be cleaned from the system startup item registry, and/or to delete the files corresponding to the startup items to be cleaned from the startup folder under the system directory.
In an embodiment of the present invention, the cleanup startup item determining submodule is further adapted so that:
if the security attribute of a boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned;
if the security attribute of a boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned.
In an embodiment of the present invention, the startup item information includes the process command line corresponding to each parent process, the process information includes the program files loaded by parent processes and/or child processes, and the process information also includes the correspondence between parent processes and child processes.
In an embodiment of the present invention, the matching module further comprises:
a child process program file extracting submodule, adapted to extract, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and to take the program files corresponding to the parent process and to its child processes as the program files corresponding to the boot startup item.
In an embodiment of the present invention, the device further comprises:
a removing module, adapted to remove program files that have the same name as a system file, and/or to remove the program files corresponding to preset value entries in the system startup item registry.
In an embodiment of the present invention, the device further comprises:
a recording module, adapted to call a process information recording driver to communicate with the computer operating system and record the process information loaded during computer boot;
the process information acquisition module calls a network service driver to communicate with the process information recording driver and obtains the process information recorded by the process information recording driver.
In an embodiment of the present invention, the security attribute acquisition module comprises:
a server-side obtaining submodule, adapted to upload the feature information corresponding to the program file to a server, where the server looks up the security attribute of the program file in a preset first feature information database according to the feature information;
or a local obtaining submodule, adapted to look up the security attribute of the program file, according to the feature information corresponding to the program file, in a second feature information database preset locally on the computer.
According to embodiments of the present invention, the process command lines loaded during computer boot and the program files loaded by the processes are recorded, including any DLL files hijacked by malicious programs such as Trojans that may be loaded at boot. These are matched against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items during boot, and the startup items are then cleaned up by judging the security of those program files. Compared with the background art, embodiments of the present invention avoid the problem that, after boot, the files hijacked by malicious programs such as Trojans have left the startup items and the related files hijacked by the Trojan cannot be found.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the description, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Of course, a product implementing the present invention does not necessarily need to achieve all of the advantages described above at the same time.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of an embodiment of a method for cleaning up boot startup items according to the present invention;
Fig. 2 shows a structural block diagram of an embodiment of a method for processing the boot process according to the present invention;
Fig. 3 shows a structural block diagram of an embodiment of a device for cleaning up boot startup items according to the present invention;
Fig. 4 shows a structural block diagram of an embodiment of a system for processing the boot process according to the present invention;
Fig. 5 shows a structural block diagram of an embodiment of a cleanup system according to the present invention;
Fig. 6 shows a schematic diagram of a registry key related to startup items.
Detailed description of the invention
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Embodiments of the present invention can be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems.
The computer system/server can be described in the general context of computer system executable instructions (such as program modules) executed by a computer system. In general, program modules can include routines, programs, object programs, components, logic, data structures and so on, which perform specific tasks or implement specific abstract data types. The computer system/server can be implemented in a distributed cloud computing environment, in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules can be located on local or remote computing system storage media that include storage devices.
Referring to Fig. 1, a flow chart of an embodiment of a method for cleaning up boot startup items according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 100: obtain the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes.
During computer boot, for the process command line corresponding to each program in the boot startup items, a corresponding process is created by loading that program's EXE executable program file. A process is one execution of a program on the computer: running a program starts a process. Some processes may further create child processes, so that once login completes, many processes have already appeared.
While each process runs, it may also load related dynamic link library files, that is, DLL files. A DLL file is not an executable file; it contains code and data that can be called by multiple programs at the same time.
In an embodiment of the present invention, the program files loaded for a process command line include the EXE executable file (the process file) and/or the DLL files loaded by the process. In a specific implementation, what the process information contains is the file paths of the EXE file and/or DLL files.
For example, in one boot process, the process information recorded by the process information recording driver includes the process command line `"c:\test\testrun.exe" /startup`; the path of the loaded EXE file is `c:\test\testrun.exe`, and the paths of the loaded DLL files include `c:\windows\system32\Advapi32.dll`, `c:\windows\system32\ntdll.dll` and `c:\test\testrun.exe`.
In an embodiment of the present invention, a preset process information recording driver runs at boot. The process information recording driver is called to communicate with the computer operating system and record the process information loaded during computer boot. To obtain the process information loaded during computer boot, a preset network service driver is called to communicate with the process information recording driver and obtain the process information it recorded. In a specific implementation, the process information recording driver may be the qutmdrv.sys driver of a security program and the network service driver the qutmload.dll driver; qutmload.dll can communicate with qutmdrv.sys and obtain the process information from it.
Step 102: match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising the boot startup items and their corresponding process command lines.
The computer operating system also records information about startup items, from which the boot startup items and their corresponding process command lines can be obtained. By matching the startup item information against the process information, the program files loaded by each startup item can be determined.
Specifically, step S12 may include:
Sub-step 1021: read the startup item information recorded by the computer operating system;
Sub-step 1022: match the process command lines in the startup item information against the process command lines in the process information;
Sub-step 1023: look up, in the startup item information, the boot startup item corresponding to a matched process command line, and look up, in the process information, the program files corresponding to that matched process command line, thereby obtaining the program files loaded by the boot startup item.
Both the process information and the startup item information include the process command line corresponding to each process. The process command lines in the process information are matched against those in the startup item information to find the matching command lines, that is, the process command lines contained in both. The boot startup item corresponding to a matched command line is then found in the startup item information, and the program files corresponding to that command line are found in the process information, which yields the program files loaded by the boot startup item.
In an embodiment of the present invention, the step of reading the startup item information recorded by the computer operating system may specifically include:
Sub-step 1021-1: read the value entries in the startup item registry of the computer operating system, where the name of a value entry is the boot startup item and the value of the entry is the corresponding process command line;
and/or sub-step 1021-2: read each file in the startup folder under the computer operating system directory, where the file name is the boot startup item and the file's attribute information includes the corresponding process command line.
Information about startup items is recorded in the relevant registry keys and folders of the operating system. In an embodiment of the present invention, the startup item information can be obtained by reading the operating system's startup item registry keys and startup folders.
There are several registry keys related to startup items. Fig. 6 is a schematic diagram of one of them, at the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion`. The Run key there contains multiple value entries; the name of a value entry is the boot startup item and the value of the entry is the corresponding process command line. In Fig. 3, the value entry name testrun corresponds to a startup item, and the entry's value `"c:\test\testrun.exe" /startup` corresponds to the process command line.
The Run key is located not only under `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion` but also under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion`. The difference between HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE is that the former applies to the current user and the latter to all users. Startup item information can therefore be read in the same way under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion`.
In addition, in a specific implementation, information about startup items can be read in the same way from the "RunServicesOnce", "RunServices", "RunOnce\Setup" and "RunOnce" sub-keys under the two registry paths above.
Startup item information is also recorded in the startup folders under the operating system directory. A startup folder contains one or more files, specifically EXE program files loaded at boot or shortcuts to programs. The file name corresponds to the boot startup item, and the file's attribute information includes the corresponding process command line. For a shortcut in the startup folder, right-click the shortcut --> Properties --> Target; the target is the process command line. For an EXE file in the startup folder, the file name corresponds to the startup item, and the path of the current file followed by the file name is the process command line corresponding to that startup item.
In an embodiment of the present invention, the startup folders include the Startup folder and the All Users startup folder. The Startup folder is located under "Documents and Settings --> User --> Start Menu --> Programs", and the All Users startup folder is located under "Documents and Settings --> All Users --> Start Menu --> Programs".
In a specific implementation, the startup item information may record the process command line corresponding to each parent process, while the process information may record the program files loaded by parent processes and/or child processes. What is obtained after matching the process information against the startup item information is the program files corresponding to the parent processes loaded by the startup items.
In an embodiment of the present invention, the process information may further include the correspondence between parent processes and child processes, and step 1021 may also include:
Sub-step 1021-3: according to the correspondence between parent processes and child processes in the process information, extract the program files of the child processes corresponding to a parent process, and take the program files corresponding to the parent process and to its child processes as the program files corresponding to the boot startup item.
When the process information recording driver obtains the program files loaded by each process, it can also assign each process a unique number, where the number of a child process is generated from the number of its parent process. In an embodiment of the present invention, after the process information and the startup item information are matched, all child processes of a given parent process can be found from the correspondence between process numbers, and the program files loaded by all processes corresponding to a startup item can thus be obtained.
Step 104: obtain the security attributes of the program files, and clean up the corresponding boot startup items according to the security attributes of the program files.
After obtaining the one or more program files loaded by each startup item during boot, the security attributes of those program files can be obtained. Specifically, the security attribute of a program file can be obtained by identifying the feature information corresponding to the program file.
In an embodiment of the present invention, the step of obtaining the security attributes of the program files may include:
Sub-step 1041: upload the feature information corresponding to the program file to a server, where the server looks up the security attribute of the program file in a preset first feature information database according to the feature information;
or sub-step 1042: look up the security attribute of the program file, according to the feature information corresponding to the program file, in a second feature information database preset locally on the computer.
In the embodiment of the present invention, what is recorded for a program file may be the file path of an EXE file and/or DLL file; in that case the corresponding EXE file and/or DLL file must also be obtained from the file path. The feature information of a program file can be obtained by processing the program file. Specifically, a program file is composed of structures such as the MS-DOS executable stub, the file header, the optional header, the data directories, the section headers and the sections. The file header contains the following fields:
1) "Machine", which indicates the kind of system on which this binary file is intended to run;
2) "NumberOfSections", which is the number of sections that follow the headers;
3) "TimeDateStamp", which gives the time at which the file was created;
4-5) "PointerToSymbolTable" and "NumberOfSymbols" (both 32 bits), both used for debugging information;
6) "SizeOfOptionalHeader", which is the size of the "IMAGE_OPTIONAL_HEADER" item and can be used to verify the correctness of the PE file structure;
7) "Characteristics", a 16-bit field composed of a set of flag bits, although most of the flag bits are only valid for object files and library files.
The embodiment of the present invention can transform the program file with a preset algorithm and use the transformed file as the feature information corresponding to the program file. In a preferred embodiment, a message digest algorithm can be used to transform the program file; the message digest algorithm is MD5 (Message-Digest Algorithm 5). The role of MD5 is to let large-volume information be "compressed" into a confidential format before it is signed with a private key by digital signature software, that is, to transform a byte string of arbitrary length into a fixed-length string of hexadecimal digits, which can ensure that the information communicated is complete and consistent.
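The file header fields listed above and the MD5 feature, as an added example that is not code from the patent: the parser reads the file header of a PE image, uses SizeOfOptionalHeader to check that the section table fits in the file, and computes the MD5 digest as the feature string. The sample image is constructed in the code, and the function names are assumptions of this example.

```python
import hashlib
import struct

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER = struct.Struct("<HHIIIHH")          # 20 bytes, little-endian
FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp",
          "PointerToSymbolTable", "NumberOfSymbols",
          "SizeOfOptionalHeader", "Characteristics")
SECTION_HEADER_SIZE = 40
OPTIONAL_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


class PEFormatError(ValueError):
    """Raised when the header layout is inconsistent with the file size."""


def parse_file_header(data: bytes) -> dict:
    """Return the file header fields of a PE image after structural checks."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing MS-DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + FILE_HEADER.size > len(data):
        raise PEFormatError("PE header offset points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")

    header = dict(zip(FIELDS, FILE_HEADER.unpack_from(data, e_lfanew + 4)))

    # SizeOfOptionalHeader locates the section table; if the table would
    # run past the end of the file, the structure is not a valid image.
    optional_off = e_lfanew + 4 + FILE_HEADER.size
    section_off = optional_off + header["SizeOfOptionalHeader"]
    table_size = header["NumberOfSections"] * SECTION_HEADER_SIZE
    if header["SizeOfOptionalHeader"] < 2 or section_off + table_size > len(data):
        raise PEFormatError("optional header or section table does not fit")

    (magic,) = struct.unpack_from("<H", data, optional_off)
    if magic not in OPTIONAL_MAGICS:
        raise PEFormatError("unknown optional header magic")
    header["OptionalHeaderFormat"] = OPTIONAL_MAGICS[magic]
    return header


def feature_of(data: bytes) -> str:
    """Feature information as the page describes it: the MD5 hex digest."""
    return hashlib.md5(data).hexdigest()


def build_sample_pe() -> bytes:
    """Constructed minimal image: headers and one empty section header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    file_header = FILE_HEADER.pack(0x014C, 1, 0x50B5E500, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(222)  # PE32, 224 bytes total
    section = b".text".ljust(8, b"\0") + bytes(32)
    return bytes(dos) + b"PE\0\0" + file_header + optional + section


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_file_header(sample))
    print(feature_of(sample))
```

MD5 is used because the description names it; it is not collision resistant, so a lookup keyed only on MD5 can be made to confuse two different files, and a stronger digest such as SHA-256 avoids that.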
In a preferred embodiment of the present invention, the feature information of the program file can be uploaded to the server end for identification. The server end has a preset first feature information database, which contains the correspondence between the feature information of programs and the security attributes of programs. The security attribute can be dangerous file, safe file or unknown file; in a concrete implementation, the security attributes can correspondingly be named, more specifically, black file, white file and grey file. In a concrete implementation, the specific kinds and number of security attributes can also be set as needed, and the present invention does not limit this.
In another preferred embodiment of the present invention, the security attribute of the feature information can also be judged locally on the computer. The computer can have a preset local second feature information database, which contains the correspondence between the feature information of programs and security levels. When the computer cannot connect to the server end, the security level of the program file corresponding to the program file's feature information can be looked up in the local second feature information database.
In embodiments of the present invention, the step of cleaning up the corresponding boot startup item according to the security attribute of the program file may comprise:
Sub-step 1043, determine the security attribute of the corresponding boot startup item according to the security attribute of the program file;
Sub-step 1044, determine the boot startup items to be cleaned up according to the security attribute of each boot startup item;
Sub-step 1045, delete the values of the boot startup items to be cleaned up in the system startup item registry, and/or delete each file corresponding to the startup items to be cleaned up in the startup item folder under the system directory.
After the security attribute of each program file has been determined, the security attribute of the boot startup item can be determined from the security attributes of the program files. In the embodiment of the present invention, a boot startup item may load one or more program files, and the security attribute of the boot startup item can be the security attribute of lowest security among its one or more program files.
For example, if a startup item has loaded an EXE file and a DLL file, the security attribute corresponding to the feature information of the EXE file is black file and the security attribute corresponding to the feature information of the DLL file is grey file, then, because the security attribute of a black file is lower than that of a grey file, the security attribute of the startup item can be determined to be black file.
After the security attribute of the boot startup item has been obtained, the boot startup items to be cleaned up can be determined from the security attribute of each boot startup item. Specifically:
If the security attribute of the boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned up;
If the security attribute of the boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned up.
In the concrete cleanup process, a boot startup item in the system registry can be prevented from running at boot by deleting the registry value corresponding to the startup item program. For example, to delete the system startup item of the testrun.exe program, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, find and delete the key-value item whose startup item registry name is testrun, then delete the value of that key-value item, c:\test\testrun.exe.
For a boot startup item to be cleaned up in the startup item folder under the system directory, the EXE program file or shortcut corresponding to the boot startup item can be deleted directly, which prevents the startup item from running at boot.
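The matching and decision steps described above, as an added example that is not code from the patent: boot process records are matched to startup items by command line, child processes are followed through the parent/child correspondence, each loaded file is looked up by its MD5 feature in a local database, and the startup item takes the lowest-security attribute of its files. All paths, byte contents, process records and the command-line normalization rule are constructed assumptions; the code reports which items would be cleaned up and deletes nothing.

```python
import hashlib
from collections import defaultdict

# Lower rank means lower security (black < grey < white in the page's terms).
RANK = {"dangerous": 0, "unknown": 1, "safe": 2}


def normalize(cmdline: str) -> str:
    """Assumed comparison rule: ignore case, quotes and extra whitespace."""
    return " ".join(cmdline.replace('"', "").lower().split())


def files_per_startup_item(startup_items, records):
    """Map each startup item to every file loaded by its process tree."""
    by_pid, by_cmd, children = {}, defaultdict(list), defaultdict(list)
    for rec in records:
        by_pid[rec["pid"]] = rec
        by_cmd[normalize(rec["cmdline"])].append(rec["pid"])
        if rec["parent"] is not None:
            children[rec["parent"]].append(rec["pid"])

    result = {}
    for name, cmdline in startup_items.items():
        pending = list(by_cmd.get(normalize(cmdline), []))
        seen, files = set(), set()
        while pending:                      # parent first, then descendants
            pid = pending.pop()
            if pid in seen:
                continue
            seen.add(pid)
            files.update(path.lower() for path in by_pid[pid]["files"])
            pending.extend(children[pid])
        result[name] = sorted(files)
    return result


def attribute_of(path, contents, feature_db):
    """Look up a file's security attribute by the MD5 of its bytes."""
    data = contents.get(path)
    if data is None:
        return "unknown"
    return feature_db.get(hashlib.md5(data).hexdigest(), "unknown")


def classify_startup_items(startup_items, records, contents, feature_db):
    """A startup item gets the lowest-security attribute among its files."""
    verdicts = {}
    for name, files in files_per_startup_item(startup_items, records).items():
        attrs = [attribute_of(f, contents, feature_db) for f in files]
        verdicts[name] = min(attrs, key=RANK.__getitem__) if attrs else "unknown"
    return verdicts


def items_to_clean(verdicts):
    """Only items whose attribute is 'dangerous' are cleaned up."""
    return sorted(name for name, attr in verdicts.items() if attr == "dangerous")


# ---- Constructed sample data (not taken from the page) ----
CONTENTS = {
    r"c:\test\testrun.exe": b"constructed: launcher, not in the database",
    r"c:\test\helper.exe": b"constructed: child helper",
    r"c:\test\hijack.dll": b"constructed: hijacked library",
    r"c:\apps\updater.exe": b"constructed: updater",
    r"c:\apps\notes.exe": b"constructed: notes, not in the database",
}
FEATURE_DB = {
    hashlib.md5(CONTENTS[r"c:\test\helper.exe"]).hexdigest(): "safe",
    hashlib.md5(CONTENTS[r"c:\test\hijack.dll"]).hexdigest(): "dangerous",
    hashlib.md5(CONTENTS[r"c:\apps\updater.exe"]).hexdigest(): "safe",
}
STARTUP_ITEMS = {                  # name -> command line, as in the Run key
    "testrun": r"c:\test\testrun.exe",
    "updater": r"C:\apps\updater.exe /boot",
    "notes": r"c:\apps\notes.exe",
}
RECORDS = [                        # what a boot-time recorder might log
    {"pid": 1, "parent": None, "cmdline": r'"C:\test\testrun.exe"',
     "files": [r"C:\test\testrun.exe"]},
    {"pid": 2, "parent": 1, "cmdline": r"C:\test\helper.exe /quiet",
     "files": [r"C:\test\helper.exe", r"C:\test\hijack.dll"]},
    {"pid": 3, "parent": None, "cmdline": r"c:\apps\updater.exe  /boot",
     "files": [r"c:\apps\updater.exe"]},
    {"pid": 4, "parent": None, "cmdline": r"c:\apps\notes.exe",
     "files": [r"c:\apps\notes.exe"]},
]

if __name__ == "__main__":
    verdicts = classify_startup_items(STARTUP_ITEMS, RECORDS, CONTENTS, FEATURE_DB)
    print(verdicts, items_to_clean(verdicts))
```

In the sample, the file named by the testrun startup item is only unknown on its own; the item is flagged because a child process loaded a file marked dangerous, which is the case the parent/child correspondence exists to catch.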
In a concrete implementation, before step 104, the method may also comprise:
Removing the program files that have the same name as a system file;
And/or, removing the program files corresponding to preset key-value items in the system startup item registry.
After the program files have been obtained in step 102 and before their security attributes are obtained, some known safe program files can first be excluded. These can include program files with the same name as a system file, and program files that most programs load.
In a concrete implementation, a number of system files can be collected in advance and added to a system file list. When a program file has the same name as a system file in the system file list, its security attribute need not be judged further, and the program file is removed from the program files to be identified.
In the registry, some important key-value items record program files that most programs load. For example, under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, the value of the [AppInit_DLLs] key-value item contains one DLL file name or a group of DLL file names (separated by spaces or commas). When a program loads User32.dll, User32.dll loads all the DLLs listed there. Because most programs with a user interface use User32.dll, the DLLs at this registry location are loaded by most programs. Therefore, some special key-value items can be collected; for the program files corresponding to these key-value items, the security attribute need not be judged further, and the program files can be removed from the program files to be identified.
In summary, according to the embodiment of the present invention, the process command lines loaded during computer boot and the program files loaded by the processes are recorded, including DLL files that malicious programs such as Trojans may hijack and load at boot. These are matched against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items during boot, and the startup items are then cleaned up by judging the security of the program files. Compared with the background art, the embodiment of the present invention avoids the problem that, after boot, malicious programs such as Trojans that have hijacked files exit the startup item, so that the files hijacked by the Trojan cannot be found.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combined actions, but those skilled in the art should know that the application is not limited by the described order of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the application.
Referring to Fig. 2, a flow chart of an embodiment of a boot process processing method of the embodiment of the present invention is shown, which may specifically comprise the following steps:
Step 200, obtain the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes;
Step 202, match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising boot startup items and the corresponding process command lines;
Step 204, obtain the security attribute of the program file;
Step 206, clean up the corresponding boot startup item according to the security attribute of the program file, and clean up each program file according to the security attribute of the program file and the preset program cleanup policy corresponding to that security attribute.
Unlike the previous embodiment, in this embodiment the program files can additionally be cleaned up according to their security attributes. In a preferred embodiment of the present invention, the security attribute of a program file can be dangerous file, safe file or unknown file, and the security attribute of an application and the program cleanup policy can have the following correspondence:
When the security attribute of the program file is dangerous file, the corresponding cleanup policy is to delete all files related to the program file;
When the security attribute of the program file is safe file or unknown file, the corresponding cleanup policy is to take no action.
In a concrete implementation, the correspondence between the categories of program file security attribute and the program cleanup policies can be set flexibly according to the application environment and requirements.
For part of the content of steps 200-206, refer to the description of the corresponding steps in Fig. 1, which is not repeated here.
Referring to Fig. 3, a structural block diagram of an embodiment of a boot startup item cleaning device of the application is shown, which may specifically comprise the following modules:
Process information acquisition module 10, adapted to obtain the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes;
Matching module 12, adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising boot startup items and the corresponding process command lines;
Security attribute acquisition module 14, adapted to obtain the security attribute of the program file;
Cleaning module 16, adapted to clean up the corresponding boot startup item according to the security attribute of the program file.
In the embodiment of the present invention, the program files may comprise the executable file that creates the process and the dynamic link library files loaded by the process.
In the embodiment of the present invention, the matching module may comprise:
Reading submodule, adapted to read the startup item information recorded by the computer operating system;
Command line matching submodule, adapted to match the process command lines in the startup item information against the process command lines in the process information;
Program file obtaining submodule, adapted to look up, in the startup item information, the boot startup item corresponding to the matched process command line, and to look up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the boot startup item.
In the embodiment of the present invention, the reading submodule may read the key-value items in the computer operating system's startup item registry, where the name of a key-value item is the boot startup item and the value of the key-value item is the corresponding process command line;
And/or, read each file in the startup item folder under the computer operating system directory, where the file name is the boot startup item and the attribute information of the file comprises the corresponding process command line.
In the embodiment of the present invention, the cleaning module may comprise:
Attribute determining submodule, adapted to determine the security attribute of the corresponding boot startup item according to the security attribute of the program file;
Cleanup startup item determining submodule, adapted to determine the boot startup items to be cleaned up according to the security attribute of each boot startup item;
Deleting submodule, adapted to delete the values of the boot startup items to be cleaned up in the system startup item registry; and/or to delete each file corresponding to the startup items to be cleaned up in the startup item folder under the system directory.
In the embodiment of the present invention, the cleanup startup item determining submodule may also be adapted such that:
If the security attribute of the boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned up;
If the security attribute of the boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned up.
In the embodiment of the present invention, the startup item information may comprise the process command line corresponding to each parent process, the process information comprises the program files loaded by the parent process and/or child processes, and the process information also comprises the correspondence between parent processes and child processes.
In the embodiment of the present invention, the matching module may also comprise:
Child process program file extracting submodule, adapted to extract, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to the parent process, and to take the program files corresponding to the parent process and to the child processes as the program files corresponding to the boot startup item.
In the embodiment of the present invention, the device may also comprise:
Removing module, adapted to remove the program files that have the same name as a system file; and/or to remove the program files corresponding to preset key-value items in the system startup item registry.
In the embodiment of the present invention, the device may also comprise:
Recording module, adapted to call the process information recording driver to communicate with the computer operating system and to record the process information loaded during computer boot;
The process information acquisition module calls the network communication driver to communicate with the process information recording driver and obtains the process information recorded by the process information recording driver.
In the embodiment of the present invention, the security attribute acquisition module may comprise:
Server-side obtaining submodule, adapted to upload the feature information corresponding to the program file to the server end, where the server end looks up the security attribute of the program file in the preset first feature information database according to the feature information;
Or a local obtaining submodule, adapted to look up the security attribute of the program file in the preset second feature information database local to the computer according to the feature information corresponding to the program file.
Referring to Fig. 4, a structural block diagram of an embodiment of a boot process processing system of the application is shown, which may specifically comprise the following modules:
Process information acquisition module 20, adapted to obtain the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes;
Matching module 22, adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising boot startup items and the corresponding process command lines;
Security attribute acquisition module 24, adapted to obtain the security attribute of the program file;
Startup item cleaning module 26, adapted to clean up the corresponding boot startup item according to the security attribute of the program file;
Program file cleaning module 28, adapted to clean up each program file according to the security attribute of the program file and the preset program cleanup policy corresponding to that security attribute.
Optionally, the program files comprise the executable file that creates the process and/or the dynamic link library files loaded by the process.
Optionally, the matching module comprises: a reading submodule, adapted to read the startup item information recorded by the computer operating system; a command line matching submodule, adapted to match the process command lines in the startup item information against the process command lines in the process information; and a program file obtaining submodule, adapted to look up, in the startup item information, the boot startup item corresponding to the matched process command line, and to look up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the boot startup item.
Optionally, the reading submodule reads the key-value items in the computer operating system's startup item registry, where the name of a key-value item is the boot startup item and the value of the key-value item is the corresponding process command line;
And/or, reads each file in the startup item folder under the computer operating system directory, where the file name is the boot startup item and the attribute information of the file comprises the corresponding process command line.
Optionally, the startup item cleaning module comprises: an attribute determining submodule, adapted to determine the security attribute of the corresponding boot startup item according to the security attribute of the program file; a cleanup startup item determining submodule, adapted to determine the boot startup items to be cleaned up according to the security attribute of each boot startup item;
A deleting submodule, adapted to delete the values of the boot startup items to be cleaned up in the system startup item registry; and/or to delete each file corresponding to the startup items to be cleaned up in the startup item folder under the system directory.
Optionally, the cleanup startup item determining submodule is also adapted such that: if the security attribute of the boot startup item is safe file or unknown file, the boot startup item is not a boot startup item to be cleaned up; if the security attribute of the boot startup item is dangerous file, the boot startup item is a boot startup item to be cleaned up.
Optionally, the startup item information comprises the process command line corresponding to each parent process, the process information comprises the program files loaded by the parent process and/or child processes, and the process information also comprises the correspondence between parent processes and child processes.
Optionally, the matching module also comprises: a child process program file extracting submodule, adapted to extract, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to the parent process, and to take the program files corresponding to the parent process and to the child processes as the program files corresponding to the boot startup item.
Optionally, the processing system also comprises: a removing module, adapted to remove the program files that have the same name as a system file; and/or to remove the program files corresponding to preset key-value items in the system startup item registry.
Referring to Fig. 5, a structural block diagram of an embodiment of a cleaning system of the application is shown, which may specifically comprise:
Computer 31 and server 32;
The computer 31 comprises a process information acquisition module 311, a matching module 312, a program attribute acquisition module 313, a startup item attribute determination module 314, a cleanup startup item determination module 315, a startup item cleaning module 316 and a program file cleaning module 317;
The process information acquisition module 311 is adapted to obtain the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes;
The matching module 312 is adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the boot startup items, the startup item information comprising boot startup items and the corresponding process command lines;
The program attribute acquisition module 313 is adapted to extract the feature information of the program file and send it to the server, and to receive the security attribute of the program file that the server determines from the feature information;
The startup item attribute determination module 314 is adapted to determine the security attribute of the corresponding boot startup item according to the security attribute of the program file;
The cleanup startup item determination module 315 determines the boot startup items to be cleaned up according to the security attribute of each boot startup item;
The startup item cleaning module 316 is adapted to delete the values of the boot startup items to be cleaned up in the system startup item registry, and/or to delete each file corresponding to the startup items to be cleaned up in the startup item folder under the system directory;
The program file cleaning module 317 is adapted to clean up each program file according to the security attribute of the program file and the preset program cleanup policy corresponding to that security attribute.
The server 32 comprises a program feature information database 321 and a program attribute query module 322;
The program attribute query module 322 is adapted to receive the feature information, sent by the computer, of the program files loaded by the boot startup items, and to look up the security attribute corresponding to the feature information in the feature information database.
For the modules in this embodiment, refer to the descriptions of the embodiments of Figs. 1-4, which are not repeated here.
For the embodiments of the boot startup item cleaning device, the boot process processing system and the cleaning system described above, the description is relatively brief because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments shown in Fig. 1 and Fig. 2.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and for the parts that are identical or similar the embodiments may be referred to one another.
Those skilled in the art will readily appreciate that any combination of the above embodiments is feasible, so any combination of the above embodiments is an embodiment of the application, but for reasons of space this specification does not describe them one by one.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described here can be implemented in various programming languages, and that the above description of a specific language is given in order to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to streamline the disclosure and aid the understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the computer of an embodiment can be adaptively changed and arranged in one or more computers different from that embodiment. The modules or units or components of an embodiment can be combined into one module or unit or component, and they can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or computer so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention can be implemented in hardware, or in software modules running on one or more processors, or in a combination of these. Those skilled in the art should understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the boot process processing system according to the embodiments of the invention. The invention can also be implemented as a computer or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words can be interpreted as names.
Disclosed herein is A1, a method for processing a boot process, comprising: obtaining the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes; matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the startup items, the startup item information comprising startup items and their corresponding process command lines; obtaining the security attributes of the program files; and cleaning up the corresponding startup items according to the security attributes of the program files, and cleaning up each program file according to its security attribute and a preset program cleanup policy corresponding to that security attribute.

A2. The method according to A1, wherein the program files comprise the executable file that creates a process and/or the dynamic link library files loaded by a process.

A3. The method according to A1, wherein the step of matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the startup items comprises: reading the startup item information recorded by the computer operating system; matching the process command lines in the startup item information against the process command lines in the process information; and looking up, in the startup item information, the startup item corresponding to a matched process command line, and looking up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the startup item.

A4. The method according to A3, wherein the step of reading the startup item information recorded by the computer operating system comprises: reading the key-value entries in the operating system's startup-item registry, wherein the name of a key-value entry is the startup item and the value of the entry is the corresponding process command line; and/or reading each file in the startup-item folder under the operating system directory, wherein the file name is the startup item and the attribute information of the file comprises the corresponding process command line.

A5. The method according to A4, wherein the step of cleaning up the corresponding startup items according to the security attributes of the program files comprises: determining the security attribute of the corresponding startup item according to the security attributes of the program files; determining the startup items to be cleaned according to the security attribute of each startup item; deleting the key values of the startup items to be cleaned from the system startup-item registry; and/or deleting each file corresponding to a startup item to be cleaned from the startup-item folder under the system directory.

A6. The method according to A5, wherein the step of determining the startup items to be cleaned according to the security attribute of each startup item comprises: if the security attribute of a startup item is safe file or unknown file, the startup item is not a startup item to be cleaned; if the security attribute of a startup item is dangerous file, the startup item is a startup item to be cleaned.

A7. The method according to A3, wherein the startup item information comprises the process command line corresponding to each parent process, the process information comprises the program files loaded by parent processes and/or child processes, and the process information further comprises the correspondence between parent processes and child processes.

A8. The method according to A7, wherein the step of matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the startup items further comprises: extracting, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and taking the program files corresponding to the parent process and to the child processes as the program files corresponding to the startup item.

A9. The method according to A1, wherein, before the step of obtaining the security attributes of the program files, the method further comprises: removing program files that have the same name as a system file; and/or removing the program files corresponding to preset key-value entries in the system startup-item registry.

A10. The method according to A1, further comprising: calling a process-information recording driver to communicate with the computer operating system and record the process information loaded during computer boot; wherein the step of obtaining the process information loaded during computer boot comprises: calling a network service driver to communicate with the process-information recording driver and obtain the process information recorded by the process-information recording driver.

A11. The method according to A1, wherein the step of obtaining the security attributes of the program files comprises: uploading the feature information corresponding to a program file to a server, the server looking up the security attribute of the program file in a preset first feature-information database according to the feature information; or looking up the security attribute of the program file in a second feature-information database preset locally on the computer, according to the feature information corresponding to the program file.
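The matching and cleanup decision described in A1, A3, A5, A6, A8 and A11, as an added Python example on constructed data (it is not code from the patent). The file contents, the use of SHA-256 as feature information, the command-line normalization, the rule that one dangerous file makes the whole item dangerous, and the `FILE_POLICY` actions are assumptions.

```python
import hashlib
from dataclasses import dataclass

SAFE, UNKNOWN, DANGEROUS = "safe", "unknown", "dangerous"
# Assumed per-attribute program cleanup policy (the page only says it is preset).
FILE_POLICY = {SAFE: "keep", UNKNOWN: "keep", DANGEROUS: "quarantine"}

@dataclass
class ProcessRecord:              # one process recorded during boot
    pid: int
    parent_pid: int
    command_line: str
    loaded_files: tuple           # executable plus loaded DLLs

def feature(content):             # assumption: feature information = SHA-256
    return hashlib.sha256(content).hexdigest()

def normalize(command_line):      # assumption: ignore quotes, case, spacing
    return " ".join(command_line.replace('"', "").lower().split())

# Constructed sample data: path -> file contents as seen at boot.
FILES = {
    r"c:\program files\player\player.exe": b"player-exe",
    r"c:\program files\player\codec.dll": b"codec-dll",
    r"c:\tools\helper.exe": b"helper-exe",
    r"c:\program files\updater\updater.exe": b"updater-exe",
    r"c:\program files\updater\version.dll": b"planted-dll",
}
# Local feature database (A11, second alternative); helper.exe is absent.
FEATURE_DB = {
    feature(b"player-exe"): SAFE, feature(b"codec-dll"): SAFE,
    feature(b"updater-exe"): SAFE, feature(b"planted-dll"): DANGEROUS,
}
# Startup item name -> command line, as read from registry or startup folder.
STARTUP_ITEMS = {
    "Player": r'"C:\Program Files\Player\player.exe" /minimized',
    "Updater": r"C:\Program Files\Updater\updater.exe -boot",
    "Sync": r"C:\Tools\sync.exe",            # never ran during this boot
}
BOOT_PROCESSES = [
    ProcessRecord(100, 4, r"c:\program files\player\player.exe  /minimized",
                  (r"c:\program files\player\player.exe",
                   r"c:\program files\player\codec.dll")),
    ProcessRecord(140, 100, r"C:\Tools\helper.exe --child",
                  (r"c:\tools\helper.exe",)),
    ProcessRecord(200, 4, r'"C:\Program Files\Updater\updater.exe" -boot',
                  (r"c:\program files\updater\updater.exe",
                   r"c:\program files\updater\version.dll")),
]

def files_loaded_by_items(startup_items, processes):
    """A3 + A8: match command lines, then add files of child processes."""
    by_cmd, children = {}, {}
    for proc in processes:
        by_cmd.setdefault(normalize(proc.command_line), []).append(proc)
        children.setdefault(proc.parent_pid, []).append(proc)
    result = {}
    for name, cmd in startup_items.items():
        files, seen = [], set()
        stack = list(by_cmd.get(normalize(cmd), []))
        while stack:              # children followed transitively (assumption)
            proc = stack.pop()
            if proc.pid in seen:
                continue
            seen.add(proc.pid)
            files += [p.lower() for p in proc.loaded_files
                      if p.lower() not in files]
            stack.extend(children.get(proc.pid, []))
        result[name] = files
    return result

def file_attribute(path):
    """A11: look the file's feature information up in the local database."""
    content = FILES.get(path.lower())
    return UNKNOWN if content is None else FEATURE_DB.get(feature(content), UNKNOWN)

def item_attribute(file_attrs):
    """A5: derive the item's attribute from its files (rule is assumed)."""
    if DANGEROUS in file_attrs:
        return DANGEROUS
    return UNKNOWN if not file_attrs or UNKNOWN in file_attrs else SAFE

def triage(startup_items, processes):
    report = {}
    for name, files in files_loaded_by_items(startup_items, processes).items():
        attrs = {path: file_attribute(path) for path in files}
        verdict = item_attribute(list(attrs.values()))
        report[name] = {
            "files": attrs,
            "item": verdict,
            "clean_item": verdict == DANGEROUS,   # A6: safe/unknown are kept
            "file_actions": {p: FILE_POLICY[a] for p, a in attrs.items()},
        }
    return report

if __name__ == "__main__":
    for name, entry in triage(STARTUP_ITEMS, BOOT_PROCESSES).items():
        print(name, entry["item"], entry["clean_item"], entry["file_actions"])
```

The "Updater" item is flagged even though its own executable is rated safe, because the DLL it loaded during boot is rated dangerous; judging the item by its executable alone would miss this.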
Also disclosed herein is B12, a system for processing a boot process, comprising: a process information acquisition module, adapted to obtain the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes; a matching module, adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the startup items, the startup item information comprising startup items and their corresponding process command lines; a security attribute acquisition module, adapted to obtain the security attributes of the program files; a startup item cleanup module, adapted to clean up the corresponding startup items according to the security attributes of the program files; and a program file cleanup module, adapted to clean up each program file according to its security attribute and a preset program cleanup policy corresponding to that security attribute.

B13. The processing system according to B12, wherein the program files comprise the executable file that creates a process and/or the dynamic link library files loaded by a process.

B14. The processing system according to B12, wherein the matching module comprises: a reading submodule, adapted to read the startup item information recorded by the computer operating system; a command line matching submodule, adapted to match the process command lines in the startup item information against the process command lines in the process information; and a program file obtaining submodule, adapted to look up, in the startup item information, the startup item corresponding to a matched process command line, and to look up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the startup item.

B15. The processing system according to B14, wherein the reading submodule reads the key-value entries in the operating system's startup-item registry, wherein the name of a key-value entry is the startup item and the value of the entry is the corresponding process command line; and/or reads each file in the startup-item folder under the operating system directory, wherein the file name is the startup item and the attribute information of the file comprises the corresponding process command line.

B16. The processing system according to B15, wherein the startup item cleanup module comprises: an attribute determination submodule, adapted to determine the security attribute of the corresponding startup item according to the security attributes of the program files; a cleanup startup item determination submodule, adapted to determine the startup items to be cleaned according to the security attribute of each startup item; and a deletion submodule, adapted to delete the key values of the startup items to be cleaned from the system startup-item registry, and/or to delete each file corresponding to a startup item to be cleaned from the startup-item folder under the system directory.

B17. The processing system according to B16, wherein the cleanup startup item determination submodule is further adapted such that: if the security attribute of a startup item is safe file or unknown file, the startup item is not a startup item to be cleaned; if the security attribute of a startup item is dangerous file, the startup item is a startup item to be cleaned.

B18. The processing system according to B14, wherein the startup item information comprises the process command line corresponding to each parent process, the process information comprises the program files loaded by parent processes and/or child processes, and the process information further comprises the correspondence between parent processes and child processes.

B19. The processing system according to B18, wherein the matching module further comprises: a child process program file extraction submodule, adapted to extract, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and to take the program files corresponding to the parent process and to the child processes as the program files corresponding to the startup item.

B20. The processing system according to B12, further comprising: a removal module, adapted to remove program files that have the same name as a system file; and/or to remove the program files corresponding to preset key-value entries in the system startup-item registry.

B21. The processing system according to B12, further comprising: a recording module, adapted to call a process-information recording driver to communicate with the computer operating system and record the process information loaded during computer boot; wherein the process information acquisition module calls a network service driver to communicate with the process-information recording driver and obtain the process information recorded by the process-information recording driver.

B22. The processing system according to B12, wherein the security attribute acquisition module comprises: a server-side obtaining submodule, adapted to upload the feature information corresponding to a program file to a server, the server looking up the security attribute of the program file in a preset first feature-information database according to the feature information; or a local obtaining submodule, adapted to look up the security attribute of the program file in a second feature-information database preset locally on the computer, according to the feature information corresponding to the program file.

Claims (18)

1. A method for processing a boot process, comprising:
obtaining the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes;
matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the startup items, which further comprises: reading the startup item information recorded by the computer operating system; matching the process command lines in the startup item information against the process command lines in the process information; looking up, in the startup item information, the startup item corresponding to a matched process command line, and looking up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the startup item; the startup item information comprising startup items and their corresponding process command lines;
obtaining the security attributes of the program files loaded by the startup items;
cleaning up the corresponding startup items according to the security attributes of the program files loaded by the startup items, and cleaning up each program file according to the security attributes of the program files loaded by the startup items and a preset program cleanup policy corresponding to the security attribute.
2. The method according to claim 1, wherein the program files loaded by the startup items comprise the executable file that creates a process and/or the dynamic link library files loaded by a process.
3. The method according to claim 1, wherein the step of reading the startup item information recorded by the computer operating system comprises:
reading the key-value entries in the operating system's startup-item registry, wherein the name of a key-value entry is the startup item and the value of the entry is the corresponding process command line;
and/or reading each file in the startup-item folder under the operating system directory, wherein the file name is the startup item and the attribute information of the file comprises the corresponding process command line.
4. The method according to claim 3, wherein the step of cleaning up the corresponding startup items according to the security attributes of the program files loaded by the startup items comprises:
determining the security attribute of the corresponding startup item according to the security attributes of the program files loaded by the startup item;
determining the startup items to be cleaned according to the security attribute of each startup item;
deleting the key values of the startup items to be cleaned from the system startup-item registry;
and/or deleting each file corresponding to a startup item to be cleaned from the startup-item folder under the system directory.
5. The method according to claim 4, wherein the step of determining the startup items to be cleaned according to the security attribute of each startup item comprises:
if the security attribute of a startup item is safe file or unknown file, the startup item is not a startup item to be cleaned;
if the security attribute of a startup item is dangerous file, the startup item is a startup item to be cleaned.
6. The method according to claim 1, wherein the startup item information comprises the process command line corresponding to each parent process, the process information comprises the program files loaded by parent processes and/or child processes, and the process information further comprises the correspondence between parent processes and child processes.
7. The method according to claim 6, wherein the step of matching the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the startup items further comprises:
extracting, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and taking the program files corresponding to the parent process and to the child processes as the program files corresponding to the startup item.
8. The method according to claim 1, wherein, before the step of obtaining the security attributes of the program files, the method further comprises:
removing program files that have the same name as a system file;
and/or removing the program files corresponding to preset key-value entries in the system startup-item registry.
9. The method according to claim 1, further comprising:
calling a process-information recording driver to communicate with the computer operating system and record the process information loaded during computer boot;
wherein the step of obtaining the process information loaded during computer boot comprises:
calling a network service driver to communicate with the process-information recording driver and obtain the process information recorded by the process-information recording driver.
10. The method according to claim 1, wherein the step of obtaining the security attributes of the program files loaded by the startup items comprises:
uploading the feature information corresponding to a program file loaded by the startup item to a server, the server looking up the security attribute of the program file loaded by the startup item in a preset first feature-information database according to the feature information;
or looking up the security attribute of the program file in a second feature-information database preset locally on the computer, according to the feature information corresponding to the program file.
11. A system for processing a boot process, comprising:
a process information acquisition module, adapted to obtain the process information loaded during computer boot, the process information comprising process command lines and the program files loaded by the processes;
a matching module, adapted to match the process information against the startup item information recorded by the computer operating system to obtain the program files loaded by the startup items, and further adapted to read the startup item information recorded by the computer operating system; to match the process command lines in the startup item information against the process command lines in the process information; and to look up, in the startup item information, the startup item corresponding to a matched process command line, and to look up, in the process information, the program files corresponding to the matched process command line, thereby obtaining the program files loaded by the startup item; the startup item information comprising startup items and their corresponding process command lines;
a security attribute acquisition module, adapted to obtain the security attributes of the program files loaded by the startup items;
a startup item cleanup module, adapted to clean up the corresponding startup items according to the security attributes of the program files loaded by the startup items;
a program file cleanup module, adapted to clean up each program file according to the security attributes of the program files loaded by the startup items and a preset program cleanup policy corresponding to the security attribute.
12. The processing system according to claim 11, wherein the program files loaded by the startup items comprise the executable file that creates a process and/or the dynamic link library files loaded by a process.
13. The processing system according to claim 11, wherein the matching module comprises a reading submodule; the reading submodule reads the key-value entries in the operating system's startup-item registry, wherein the name of a key-value entry is the startup item and the value of the entry is the corresponding process command line;
and/or reads each file in the startup-item folder under the operating system directory, wherein the file name is the startup item and the attribute information of the file comprises the corresponding process command line.
14. The processing system according to claim 13, wherein the startup item cleanup module comprises:
an attribute determination submodule, adapted to determine the security attribute of the corresponding startup item according to the security attributes of the program files loaded by the startup item;
a cleanup startup item determination submodule, adapted to determine the startup items to be cleaned according to the security attribute of each startup item;
a deletion submodule, adapted to delete the key values of the startup items to be cleaned from the system startup-item registry; and/or to delete each file corresponding to a startup item to be cleaned from the startup-item folder under the system directory.
15. The processing system according to claim 14, wherein the cleanup startup item determination submodule is further adapted such that:
if the security attribute of a startup item is safe file or unknown file, the startup item is not a startup item to be cleaned;
if the security attribute of a startup item is dangerous file, the startup item is a startup item to be cleaned.
16. The processing system according to claim 11, wherein the startup item information comprises the process command line corresponding to each parent process, the process information comprises the program files loaded by parent processes and/or child processes, and the process information further comprises the correspondence between parent processes and child processes.
17. The processing system according to claim 16, wherein the matching module further comprises:
a child process program file extraction submodule, adapted to extract, according to the correspondence between parent processes and child processes in the process information, the program files of the child processes corresponding to a parent process, and to take the program files corresponding to the parent process and to the child processes as the program files corresponding to the startup item.
18. The processing system according to claim 11, further comprising:
a removal module, adapted to remove program files that have the same name as a system file; and/or to remove the program files corresponding to preset key-value entries in the system startup-item registry.
CN201210506930.5A 2012-11-30 2012-11-30 The processing method of start process and system Active CN103034513B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210506930.5A CN103034513B (en) 2012-11-30 2012-11-30 The processing method of start process and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210506930.5A CN103034513B (en) 2012-11-30 2012-11-30 The processing method of start process and system

Publications (2)

Publication Number Publication Date
CN103034513A CN103034513A (en) 2013-04-10
CN103034513B true CN103034513B (en) 2016-05-25

Family

ID=48021439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210506930.5A Active CN103034513B (en) 2012-11-30 2012-11-30 The processing method of start process and system

Country Status (1)

Country Link
CN (1) CN103034513B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103902883B (en) * 2013-09-24 2017-01-11 北京安天电子设备有限公司 APT prevention method and system based on driving-stage program
CN103927199B (en) * 2014-03-21 2018-01-23 珠海市君天电子科技有限公司 The management method and terminal device of a kind of startup item
CN104166575B (en) * 2014-08-22 2018-05-08 珠海市君天电子科技有限公司 The decision method and device of startup item handling result
CN104239139B (en) * 2014-08-25 2018-01-23 北京金山安全软件有限公司 Method, device and terminal for processing boot-strap self-starting project
CN104572196B (en) * 2014-12-31 2017-12-12 北京奇虎科技有限公司 A kind for the treatment of method and apparatus of startup item
CN105868634A (en) * 2016-04-22 2016-08-17 北京金山安全软件有限公司 Interception method and device
CN106407270A (en) * 2016-08-25 2017-02-15 乐视控股(北京)有限公司 File processing method and device based on terminal
CN107943607A (en) * 2017-12-07 2018-04-20 珠海市君天电子科技有限公司 A kind of system start method, device and electronic equipment
CN108536483B (en) * 2018-03-19 2021-07-02 郑州云海信息技术有限公司 Starting control method and system for starting item

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101478407A (en) * 2008-01-03 2009-07-08 联想(北京)有限公司 Method and apparatus for on-line safe login
CN102629308A (en) * 2012-03-09 2012-08-08 奇智软件(北京)有限公司 Method and device for preventing login information from being stealed

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060130144A1 (en) * 2004-12-14 2006-06-15 Delta Insights, Llc Protecting computing systems from unauthorized programs

Also Published As

Publication number Publication date
CN103034513A (en) 2013-04-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220729

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.
