CN106201579A - Method and device for deleting registry starting item and electronic equipment - Google Patents

Method and device for deleting registry starting item and electronic equipment

Info

Publication number
CN106201579A
Authority
CN
China
Prior art keywords
registry
key value
data
value data
item
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610490412.7A
Other languages
Chinese (zh)
Other versions
CN106201579B (en
Inventor
李文靖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201610490412.7A
Publication of CN106201579A
Application granted
Publication of CN106201579B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Abstract

The embodiments of the invention disclose a method and a device for deleting a registry startup item, and electronic equipment. They relate to computer software technology and can solve the prior-art problem of low system security caused by the startup item of a malicious program being impossible to delete. The method for deleting the malicious file comprises the following steps: acquiring each piece of registry key value data under the registry startup item of a system, wherein each piece of registry key value data is stored in a pointer of a preset data structure, and the preset data structure also comprises a data length value corresponding to each piece of registry key value data; acquiring, from the registry key value data, first registry key value data whose initial character is a first character; acquiring the data length value of the first registry key value data according to the preset data structure; and, if the data length value of the first registry key value data is greater than 0, deleting the first registry startup item corresponding to the first registry key value data. The invention is suitable for antivirus software.

Description

Method and device for deleting a registry startup item, and electronic equipment
Technical field
The present invention relates to computer software technology, and in particular to a method and a device for deleting a registry startup item, and to electronic equipment.
Background
With the development of Internet technology, malware such as viruses and Trojans emerges in an endless stream.
The registry startup items of ordinary programs are stored under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and registry key values are saved beneath it as strings of type LPCTSTR, such as "av1" or "acb". In C development, every string ends with the "\00" character. If a registry key value is "av1\00", then in practice "av1" can be passed as the parameter to the delete function RegDeleteValue to delete the startup item of a malicious program.
In practice, however, a malicious program usually constructs a special registry key value, such as "\00av1", to avoid being deleted. Because this registry key value begins with the \00 character, and the \00 character marks the end of a registry key value, the RegDeleteValue function treats the registry key value of this startup item as empty when it is used to delete the startup item. The startup item of the malicious program therefore cannot be deleted, which reduces the security of the system.
Summary of the invention
In view of this, embodiments of the present invention provide a method and a device for deleting a registry startup item, and electronic equipment, which can solve the prior-art problem of low system security caused by the startup item of a malicious program being impossible to delete.
In a first aspect, an embodiment of the present invention provides a method for deleting a registry startup item, including:
obtaining each piece of registry key value data under the system registry startup item, where each piece of registry key value data is saved in a pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each piece of registry key value data;
obtaining, from the registry key value data, first registry key value data whose starting character is a first character;
obtaining the data length value of the first registry key value data according to the preset data structure;
if the data length value of the first registry key value data is greater than 0, deleting the first registry startup item corresponding to the first registry key value data.
With reference to the first aspect, in a first implementation of the first aspect, obtaining each piece of registry key value data under the system registry startup item includes:
using the key value enumeration function NtEnumerateValueKey in the ntdll module to obtain each piece of registry key value data under the system registry startup item.
With reference to the first aspect, in a first implementation of the first aspect, the first character is "\00" and the preset data structure is _UNICODE_STRING.
With reference to the first aspect, in a first implementation of the first aspect, deleting the first registry startup item corresponding to the first registry key value data includes: obtaining the name of the first registry startup item; storing the name of the first registry startup item in a linked list; and calling, according to the linked list, the key value deletion function NtDeleteValueKey in the ntdll module to delete the first registry startup item.
In a second aspect, an embodiment of the present invention provides a device for deleting a registry startup item, including:
a first acquisition module, configured to obtain each piece of registry key value data under the system registry startup item, where each piece of registry key value data is saved in a pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each piece of registry key value data;
a second acquisition module, configured to obtain, from the registry key value data, first registry key value data whose starting character is a first character;
a third acquisition module, configured to obtain the data length value of the first registry key value data according to the preset data structure;
a deletion module, configured to delete the first registry startup item corresponding to the first registry key value data when the data length value of the first registry key value data is greater than 0.
With reference to the second aspect, in a first implementation of the second aspect, the first acquisition module is specifically configured to use the key value enumeration function NtEnumerateValueKey in the ntdll module to obtain each piece of registry key value data under the system registry startup item.
With reference to the second aspect, in a first implementation of the second aspect, the first character is "\00" and the preset data structure is _UNICODE_STRING.
With reference to the second aspect, in a first implementation of the second aspect, the deletion module includes:
an obtaining submodule, configured to obtain the name of the first registry startup item;
a storage submodule, configured to store the name of the first registry startup item in a linked list;
a deletion submodule, configured to call, according to the linked list, the key value deletion function NtDeleteValueKey in the ntdll module to delete the first registry startup item.
In a third aspect, an embodiment of the present invention provides electronic equipment, including a housing, a processor, a memory, a circuit board and a power circuit, where the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or component of the electronic equipment; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, in order to perform the following operations:
obtaining each piece of registry key value data under the system registry startup item, where each piece of registry key value data is saved in a pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each piece of registry key value data;
obtaining, from the registry key value data, first registry key value data whose starting character is a first character;
obtaining the data length value of the first registry key value data according to the preset data structure;
if the data length value of the first registry key value data is greater than 0, deleting the first registry startup item corresponding to the first registry key value data.
In a fourth aspect, an embodiment of the present invention further provides a storage medium for storing an application program, the application program being used to perform the method for deleting a registry startup item provided by the embodiments of the present invention.
In a fifth aspect, an embodiment of the present invention further provides an application program for performing the method for deleting a registry startup item provided by the embodiments of the present invention.
The method and device for deleting a registry startup item and the electronic equipment provided by the embodiments of the present invention obtain, from the registry key value data, the first registry key value data whose starting character is the first character, and judge whether the data length value of the first registry key value data is 0. If the data length value of the first registry key value data is greater than 0, the first registry startup item corresponding to the first registry key value data is deleted. With the scheme of the embodiments of the present invention, the startup item of a malicious program can therefore still be identified and deleted even when the malicious program has constructed a special startup item key value. This solves the prior-art problem of low system security caused by the startup item of a malicious program being impossible to delete, and ensures the security of the system.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for deleting a registry startup item according to embodiment one of the present invention;
Fig. 2 is a schematic structural diagram of the device for deleting a registry startup item according to embodiment two of the present invention;
Fig. 3 is a schematic structural diagram of one embodiment of the electronic equipment of the present invention.
Detailed description
The embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of deleting a registry startup item according to embodiment one of the present invention. As shown in Fig. 1, the method for deleting a malicious file of this embodiment may include:
Step 101: obtain each piece of registry key value data under the system registry startup item.
The embodiments of the present invention are applicable to equipment such as PCs. Specifically, in this step, the key value enumeration function NtEnumerateValueKey in the ntdll module is used to obtain each piece of registry key value data under the system registry startup item. Here the key value enumeration function enumerates all registry key value data under the registry startup item HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Each piece of registry key value data obtained by the key value enumeration function is saved in a pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each piece of registry key value data. The preset data structure may be a structure of type _UNICODE_STRING, and the pointer is a pointer of type PVOID.
Step 102: obtain, from the registry key value data, the first registry key value data whose starting character is the first character.
As described in the background, every string ends with the "\00" character. Therefore, to make the search easier, the first character in this embodiment is "\00".
Step 103: obtain the data length value of the first registry key value data according to the preset data structure.
The data length value of the first registry key value data can be obtained from the preset data structure.
Step 104: if the data length value of the first registry key value data is greater than 0, delete the first registry startup item corresponding to the first registry key value data.
Specifically, in this step, the name of the first registry startup item is obtained and stored in a linked list, and the key value deletion function NtDeleteValueKey in the ntdll module is then called according to the linked list to delete the first registry startup item.
As can be seen from the above, with the scheme of the embodiments of the present invention, the startup item of a malicious program can still be identified and deleted even when the malicious program has constructed a special startup item key value. This solves the prior-art problem of low system security caused by the startup item of a malicious program being impossible to delete, and ensures the security of the system.
In a specific application, a malicious program such as a virus writes registry startup item data that begins with "\00", so conventional deletion methods consider the data empty and cannot delete it. Even the system's REGEDIT cannot display the registry startup item data written by the virus. When REGEDIT enumerates the data under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, it enumerates one empty piece of registry key value data.
In the Windows API, the usual function for writing registry key value data is RegSetValue, and the registry key value it writes is a string of type LPCTSTR, so this function cannot write a startup item key value that begins with "\00". Tracing down from the RegSetValue function, however, leads to the NtSetValueKey function in the ntdll module. This function encapsulates the registry key value data into a data structure of type _UNICODE_STRING, which contains the registry key value data and the length of the registry key value data. A malicious program can therefore store arbitrary data in this data structure, not only strings, and with no limit on length.
The malicious program therefore uses the NtSetValueKey function in the ntdll module, constructs a special structure of type _UNICODE_STRING, and writes the registry key value data to the startup item, where the registry key value data begins with "\00" and its data length is not 0.
Based on the above analysis, the embodiments of the present invention address this problem by using the key value enumeration function NtEnumerateValueKey in the ntdll module to obtain each piece of registry key value data under the system registry startup item. The information obtained by the NtEnumerateValueKey function is stored in a structure of type _UNICODE_STRING, which includes a pointer of type PVOID and the data length value corresponding to the registry key value data; the registry key value data itself is stored in the PVOID pointer.
The registry key value data in each _UNICODE_STRING structure obtained is then examined. If a piece of registry key value data begins with "\00" and the registry startup item key value length is greater than 0, the registry startup item corresponding to that registry key value data needs to be deleted. The key value deletion function NtDeleteValueKey in the ntdll module is then called to delete that registry startup item.
Fig. 2 is a schematic structural diagram of the device for deleting a malicious file according to embodiment three of the present invention. As shown in Fig. 2, the device of this embodiment may include:
a first acquisition module 201, configured to obtain each piece of registry key value data under the system registry startup item, where each piece of registry key value data is saved in a pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each piece of registry key value data;
a second acquisition module 202, configured to obtain, from the registry key value data, the first registry key value data whose starting character is the first character;
a third acquisition module 203, configured to obtain the data length value of the first registry key value data according to the preset data structure;
a deletion module 204, configured to delete the first registry startup item corresponding to the first registry key value data when the data length value of the first registry key value data is greater than 0.
The first acquisition module 201 is specifically configured to use the key value enumeration function NtEnumerateValueKey in the ntdll module to obtain each piece of registry key value data under the system registry startup item.
Specifically, the first character is "\00" and the preset data structure is _UNICODE_STRING.
Specifically, the deletion module 204 includes:
an obtaining submodule, configured to obtain the name of the first registry startup item; a storage submodule, configured to store the name of the first registry startup item in a linked list; and a deletion submodule, configured to call, according to the linked list, the key value deletion function NtDeleteValueKey in the ntdll module to delete the first registry startup item.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1. Its implementation principle and technical effect are similar and are not repeated here.
As can be seen from the above, with the scheme of the embodiments of the present invention, the startup item of a malicious program can still be identified and deleted even when the malicious program has constructed a special startup item key value. This solves the prior-art problem of low system security caused by the startup item of a malicious program being impossible to delete, and ensures the security of the system.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any of their variants are intended to be non-exclusive, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not expressly listed, or elements inherent to that process, method, article or device. Without further restriction, an element qualified by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner. Identical or similar parts of the embodiments can be cross-referenced, and each embodiment focuses on its differences from the others. The device embodiment in particular is described briefly because it is substantially similar to the method embodiment; for the relevant parts, see the description of the method embodiment.
The logic and/or steps represented in the flow charts or otherwise described here can, for example, be regarded as an ordered list of executable instructions for implementing logical functions. They may be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, device or equipment (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, device or equipment and execute them). For the purposes of this specification, a "computer-readable medium" can be any device that can contain, store, communicate, propagate or transmit a program for use by, or in combination with, an instruction execution system, device or equipment. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) with one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and portable compact disc read-only memory (CDROM). The computer-readable medium may even be paper or another suitable medium on which the program is printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise suitably processing it if necessary, and then stored in computer memory.
It should be understood that each part of the present invention can be implemented in hardware, software, firmware or a combination of them. In the embodiments above, multiple steps or methods can be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another implementation, any one of the following techniques well known in the art, or a combination of them, can be used: a discrete logic circuit with logic gates for implementing logical functions on data signals, an application-specific integrated circuit with suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
An embodiment of the present invention also provides electronic equipment that includes the device described in any of the foregoing embodiments.
Fig. 3 is a schematic structural diagram of one embodiment of the electronic equipment of the present invention, which can carry out the flow of the embodiment shown in Fig. 1. As shown in Fig. 3, the electronic equipment may include a housing 301, a processor 302, a memory 303, a circuit board 304 and a power circuit 305. The circuit board 304 is placed inside the space enclosed by the housing 301, and the processor 302 and the memory 303 are arranged on the circuit board 304. The power circuit 305 supplies power to each circuit or component of the electronic equipment. The memory 303 stores executable program code. The processor 302 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 303, in order to perform the method described in any of the foregoing embodiments.
For the specific way the processor 302 performs the above steps, and for the further steps the processor 302 performs by running the executable program code, see the description of the embodiment shown in Fig. 1; they are not repeated here.
The electronic equipment exists in a variety of forms, including but not limited to:
(1) Mobile communication equipment: equipment of this kind has mobile communication functions, and its main goal is to provide voice and data communication. Terminals of this kind include smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer equipment: equipment of this kind belongs to the category of personal computers, has computing and processing functions, and generally also has mobile Internet access. Terminals of this kind include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment equipment: equipment of this kind can display and play multimedia content. It includes audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-car navigation devices.
(4) Server: equipment that provides computing services. A server consists of a processor, hard disk, memory, system bus and so on. Its architecture is similar to that of a general-purpose computer, but because it has to provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic equipment with data interaction functions.
In addition, an embodiment of the present invention further provides a storage medium for storing an application program, the application program being used to perform the method for deleting a registry startup item provided by the embodiments of the present invention.
In addition, an embodiment of the present invention further provides an application program for performing the method for deleting a registry startup item provided by the embodiments of the present invention.
Those skilled in the art will understand that all or some of the steps of the method of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiment or a combination of them.
For convenience of description, the device above is described as divided by function into various units/modules. When the present invention is implemented, the functions of the units/modules can of course be realized in one or more pieces of software and/or hardware.
From the description of the embodiments above, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
As can be seen from the above, with the scheme of the embodiments of the present invention, the startup item of a malicious program can still be identified and deleted even when the malicious program has constructed a special startup item key value. This solves the prior-art problem of low system security caused by the startup item of a malicious program being impossible to delete, and ensures the security of the system.
A person of ordinary skill in the art will understand that all or part of the flow of the method of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the methods above. The storage medium may be a magnetic disk, an optical disc, read-only memory (ROM), random access memory (RAM) or the like.
The above is only a specific implementation of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person familiar with the technical field can readily think of within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of the claims.

Claims (9)

1. A method for deleting a registry startup item, characterized by comprising:
obtaining each piece of registry key-value data under the system registry startup items, wherein each piece of registry key-value data is stored in the pointer of a preset data structure, and the preset data structure further includes the data length value corresponding to each piece of registry key-value data;
obtaining, from the pieces of registry key-value data, first registry key-value data whose starting character is a first character;
obtaining the data length value of the first registry key-value data according to the preset data structure;
if the data length value of the first registry key-value data is greater than 0, deleting the first registry startup item corresponding to the first registry key-value data.
2. The method for deleting a registry startup item according to claim 1, characterized in that obtaining each piece of registry key-value data under the system registry startup items comprises:
obtaining each piece of registry key-value data under the system registry startup items by using the enumerate-key-value function NtEnumerateValueKey in the ntdll module.
3. The method for deleting a registry startup item according to claim 1, characterized in that the first character is "00" and the preset data structure is _UNICODE_STRING.
4. The method for deleting a registry startup item according to claim 1, characterized in that deleting the first registry startup item corresponding to the first registry key-value data comprises:
obtaining the name of the first registry startup item;
storing the name of the first registry startup item in a linked list;
calling, according to the linked list, the delete-key-value function NtDeleteValueKey in the ntdll module to delete the first registry startup item.
5. A device for deleting a registry startup item, characterized by comprising:
a first acquisition module, configured to obtain each piece of registry key-value data under the system registry startup items, wherein each piece of registry key-value data is stored in the pointer of a preset data structure, and the preset data structure further includes the data length value corresponding to each piece of registry key-value data;
a second acquisition module, configured to obtain, from the pieces of registry key-value data, first registry key-value data whose starting character is a first character;
a third acquisition module, configured to obtain the data length value of the first registry key-value data according to the preset data structure;
a deletion module, configured to delete the first registry startup item corresponding to the first registry key-value data when the data length value of the first registry key-value data is greater than 0.
6. The device for deleting a registry startup item according to claim 5, characterized in that the first acquisition module is specifically configured to: obtain each piece of registry key-value data under the system registry startup items by using the enumerate-key-value function NtEnumerateValueKey in the ntdll module.
7. The device for deleting a registry startup item according to claim 5, characterized in that the first character is "00" and the preset data structure is _UNICODE_STRING.
8. The device for deleting a registry startup item according to claim 5, characterized in that the deletion module comprises:
an obtaining submodule, configured to obtain the name of the first registry startup item;
a storage submodule, configured to store the name of the first registry startup item in a linked list;
a deletion submodule, configured to call, according to the linked list, the delete-key-value function NtDeleteValueKey in the ntdll module to delete the first registry startup item.
9. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or component of the electronic device; the memory is configured to store executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following operations:
obtaining each piece of registry key-value data under the system registry startup items, wherein each piece of registry key-value data is stored in the pointer of a preset data structure, and the preset data structure further includes the data length value corresponding to each piece of registry key-value data;
obtaining, from the pieces of registry key-value data, first registry key-value data whose starting character is a first character;
obtaining the data length value of the first registry key-value data according to the preset data structure;
if the data length value of the first registry key-value data is greater than 0, deleting the first registry startup item corresponding to the first registry key-value data.
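The check in claims 1, 3 and 4, as an added example (not code from the patent or the applicant): a portable C model of the `_UNICODE_STRING` length-versus-first-character test, run over constructed startup values. The `UStr`, `StartupValue` and `DelNode` types and the sample data are assumptions; on Windows the values would come from NtEnumerateValueKey and the queued names would be passed to NtDeleteValueKey.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Portable mirror of _UNICODE_STRING (assumption: stands in for the Windows header). */
typedef struct {
    uint16_t Length, MaximumLength;  /* bytes used / allocated in Buffer */
    const uint16_t *Buffer;          /* UTF-16 units; embedded NULs are legal */
} UStr;
typedef struct { const char *name; UStr data; } StartupValue;  /* hypothetical */
typedef struct DelNode { const char *name; struct DelNode *next; } DelNode;

/* What NUL-terminated string handling sees: it stops at the first 0 unit. */
static size_t cstyle_len(const UStr *s) {
    size_t n = 0;
    while (n < s->Length / 2u && s->Buffer[n] != 0) n++;
    return n;
}

/* Claims 1 and 3: Length > 0 (>= 2, one whole UTF-16 unit) but the data
   starts with NUL, so the C-string view of it is empty. */
static int is_hidden(const UStr *s) {
    return s->Buffer != NULL && s->Length >= 2 && cstyle_len(s) == 0;
}

/* Claim 4: queue matching names in a linked list (nodes supplied by the caller). */
static DelNode *collect_hidden(const StartupValue *v, size_t n, DelNode *pool) {
    DelNode *head = NULL, **tail = &head;
    for (size_t i = 0; i < n; i++) {
        if (!is_hidden(&v[i].data)) continue;
        pool[i] = (DelNode){ v[i].name, NULL };
        *tail = &pool[i];
        tail = &pool[i].next;
    }
    return head;
}

/* Constructed sample values, not taken from a real system. */
static const uint16_t kNormal[] = { 'a', '.', 'e', 'x', 'e' };
static const uint16_t kHidden[] = { 0, 'b', '.', 'e', 'x', 'e' };
static const StartupValue kSample[] = {
    { "Updater", { sizeof kNormal, sizeof kNormal, kNormal } },
    { "Helper",  { sizeof kHidden, sizeof kHidden, kHidden } },
    { "Blank",   { 0, 0, NULL } },
};

int main(void) {
    DelNode pool[3];
    for (DelNode *d = collect_hidden(kSample, 3, pool); d; d = d->next)
        printf("queued for deletion: %s\n", d->name);
}
```

Only "Helper" is queued: its data reads as an empty string to NUL-terminated handling while its `Length` field still reports 12 bytes, and the genuinely empty "Blank" value is left alone.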
CN201610490412.7A 2016-06-28 2016-06-28 A kind of method, apparatus and electronic equipment for deleting registry boot item Active CN106201579B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610490412.7A CN106201579B (en) 2016-06-28 2016-06-28 A kind of method, apparatus and electronic equipment for deleting registry boot item

Publications (2)

Publication Number Publication Date
CN106201579A true CN106201579A (en) 2016-12-07
CN106201579B CN106201579B (en) 2019-06-21

Family

ID=57461667

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610490412.7A Active CN106201579B (en) 2016-06-28 2016-06-28 A kind of method, apparatus and electronic equipment for deleting registry boot item

Country Status (1)

Country Link
CN (1) CN106201579B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113553119A (en) * 2021-06-30 2021-10-26 珠海豹趣科技有限公司 Method and device for monitoring startup self-starting item, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1735029A (en) * 2004-08-12 2006-02-15 海信集团有限公司 Registration form protection System and method
US20060185016A1 (en) * 2005-02-17 2006-08-17 Sitze Richard A System, computer program product and method of selecting sectors of a hard disk on which to perform a virus scan
CN101431521A (en) * 2008-11-26 2009-05-13 北京网康科技有限公司 Anti-Trojan network security system and method
CN103019778A (en) * 2012-11-30 2013-04-03 北京奇虎科技有限公司 Startups cleaning method and device
CN103092726A (en) * 2013-01-16 2013-05-08 厦门市美亚柏科信息股份有限公司 Recovery method and recovery device of registry deleted data

Also Published As

Publication number Publication date
CN106201579B (en) 2019-06-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190116

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

GR01 Patent grant