CN106201579B - Method, apparatus and electronic device for deleting a registry startup item - Google Patents

Method, apparatus and electronic device for deleting a registry startup item

Info

Publication number
CN106201579B
Authority
CN
China
Prior art keywords
registry
key value
data
value data
item
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610490412.7A
Other languages
Chinese (zh)
Other versions
CN106201579A (en)
Inventor
李文靖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Zhuhai Seal Interest Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhuhai Seal Interest Technology Co Ltd filed Critical Zhuhai Seal Interest Technology Co Ltd
Priority to CN201610490412.7A priority Critical patent/CN106201579B/en
Publication of CN106201579A publication Critical patent/CN106201579A/en
Application granted granted Critical
Publication of CN106201579B publication Critical patent/CN106201579B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Abstract

The embodiments of the present invention disclose a method, apparatus and electronic device for deleting a registry startup item. They relate to computer software technology and can solve the prior-art problem of low system security caused by being unable to delete the startup item of a malicious program. The method for deleting a malicious file includes: obtaining each registry key value data item under the system registry startup item, where each registry key value data item is stored in the pointer of a preset data structure and the preset data structure also includes the data length value corresponding to each registry key value data item; obtaining, among the registry key value data, first registry key value data that has a first character as its starting character; obtaining the data length value of the first registry key value data from the preset data structure; and, if the data length value of the first registry key value data is greater than 0, deleting the first registry startup item corresponding to the first registry key value data. The invention is suitable for antivirus software.

Description

Method, apparatus and electronic device for deleting a registry startup item
Technical field
The present invention relates to computer software technology, and in particular to a method, apparatus and electronic device for deleting a registry startup item.
Background
With the development of Internet technology, malware such as viruses and Trojans keeps emerging.
The registry startup items of ordinary programs are stored under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which holds registry key values such as "av1" and "acb", strings of type LPCTSTR. In C development, every string ends with the "\00" character. If a registry key value is "av1\00", then in practice "av1" can be passed as the parameter to the delete function RegDeleteValue to delete the startup item of a malicious program.
In practice, however, to avoid being deleted, a malicious program usually constructs a special registry key value such as "\00av1". Because this registry key value begins with the \00 character, and the \00 character marks the end of a registry key value, the RegDeleteValue function treats the registry key value of the startup item as empty when it is used to delete the startup item. The startup item of the malicious program therefore cannot be deleted, which reduces the security of the system.
Summary of the invention
In view of this, the embodiments of the present invention provide a method, apparatus and electronic device for deleting a registry startup item, which can solve the prior-art problem of low system security caused by being unable to delete the startup item of a malicious program.
In a first aspect, an embodiment of the present invention provides a method for deleting a registry startup item, comprising:
obtaining each registry key value data item under the system registry startup item, where each registry key value data item is stored in the pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each registry key value data item;
obtaining, among the registry key value data, first registry key value data that has a first character as its starting character;
obtaining the data length value of the first registry key value data from the preset data structure;
if the data length value of the first registry key value data is greater than 0, deleting the first registry startup item corresponding to the first registry key value data.
With reference to the first aspect, in a first embodiment of the first aspect, obtaining each registry key value data item under the system registry startup item comprises:
obtaining each registry key value data item under the system registry startup item by using the key value enumeration function NtEnumerateValueKey in the ntdll module.
With reference to the first aspect, in a first embodiment of the first aspect, the first character is "\00" and the preset data structure is _UNICODE_STRING.
With reference to the first aspect, in a first embodiment of the first aspect, deleting the first registry startup item corresponding to the first registry key value data comprises: obtaining the name of the first registry startup item; storing the name of the first registry startup item in a linked list; and calling the key value deletion function NtDeleteValueKey in the ntdll module according to the linked list to delete the first registry startup item.
In a second aspect, an embodiment of the present invention provides an apparatus for deleting a registry startup item, comprising:
a first obtaining module, configured to obtain each registry key value data item under the system registry startup item, where each registry key value data item is stored in the pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each registry key value data item;
a second obtaining module, configured to obtain, among the registry key value data, first registry key value data that has a first character as its starting character;
a third obtaining module, configured to obtain the data length value of the first registry key value data from the preset data structure;
a deletion module, configured to delete the first registry startup item corresponding to the first registry key value data when the data length value of the first registry key value data is greater than 0.
With reference to the second aspect, in a first embodiment of the second aspect, the first obtaining module is specifically configured to obtain each registry key value data item under the system registry startup item by using the key value enumeration function NtEnumerateValueKey in the ntdll module.
With reference to the second aspect, in a first embodiment of the second aspect, the first character is "\00" and the preset data structure is _UNICODE_STRING.
With reference to the second aspect, in a first embodiment of the second aspect, the deletion module comprises:
an obtaining submodule, configured to obtain the name of the first registry startup item;
a storage submodule, configured to store the name of the first registry startup item in a linked list;
a deletion submodule, configured to call the key value deletion function NtDeleteValueKey in the ntdll module according to the linked list to delete the first registry startup item.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, in order to perform the following operations:
obtaining each registry key value data item under the system registry startup item, where each registry key value data item is stored in the pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each registry key value data item;
obtaining, among the registry key value data, first registry key value data that has a first character as its starting character;
obtaining the data length value of the first registry key value data from the preset data structure;
if the data length value of the first registry key value data is greater than 0, deleting the first registry startup item corresponding to the first registry key value data.
In a fourth aspect, an embodiment of the present invention further provides a storage medium for storing an application program, the application program being used to execute the method for deleting a registry startup item provided by the embodiments of the present invention.
In a fifth aspect, an embodiment of the present invention further provides an application program for executing the method for deleting a registry startup item provided by the embodiments of the present invention.
The method, apparatus and electronic device for deleting a registry startup item provided by the embodiments of the present invention obtain, among the registry key value data, the first registry key value data that has the first character as its starting character, and judge whether the data length value of the first registry key value data is 0. If the data length value of the first registry key value data is greater than 0, the first registry startup item corresponding to the first registry key value data is deleted. Thus, even when a malicious program constructs a special startup item key value, the scheme of the embodiments of the present invention can still identify the startup item of the malicious program and delete it. This solves the prior-art problem of low system security caused by being unable to delete the startup item of a malicious program, and ensures the security of the system.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the method for deleting a registry startup item according to embodiment one of the present invention;
Fig. 2 is a schematic structural diagram of the apparatus for deleting a registry startup item according to embodiment two of the present invention;
Fig. 3 is a schematic structural diagram of one embodiment of the electronic device of the present invention.
Detailed description
The embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flowchart of deleting a registry startup item according to embodiment one of the present invention. As shown in Fig. 1, the method for deleting a malicious file in this embodiment may include:
Step 101: obtain each registry key value data item under the system registry startup item.
The embodiment of the present invention is applicable to devices such as PCs. Specifically, in this step, the key value enumeration function NtEnumerateValueKey in the ntdll module is used to obtain each registry key value data item under the system registry startup item. That is, the key value enumeration function enumerates all registry key value data under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry startup item.
Each registry key value data item obtained by the key value enumeration function is stored in the pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each registry key value data item. The preset data structure can be a structure of type _UNICODE_STRING, and the pointer is of type PVOID.
Step 102: obtain, among the registry key value data, the first registry key value data that has the first character as its starting character.
As described in the background, every string ends with the "\00" character. Consequently, to facilitate the search, in this embodiment the first character is "\00".
Step 103: obtain the data length value of the first registry key value data from the preset data structure.
The data length value of the first registry key value data can be read from the preset data structure.
Step 104: if the data length value of the first registry key value data is greater than 0, delete the first registry startup item corresponding to the first registry key value data.
Specifically, in this step, the name of the first registry startup item is obtained and stored in a linked list, and the key value deletion function NtDeleteValueKey in the ntdll module is then called according to the linked list to delete the first registry startup item.
As can be seen from the above, even when a malicious program constructs a special startup item key value, the scheme of the embodiment of the present invention can still identify the startup item of the malicious program and delete it. This solves the prior-art problem of low system security caused by being unable to delete the startup item of a malicious program, and ensures the security of the system.
In a specific application, when a malicious program such as a virus writes registry startup item data that begins with "\00", the conventional deletion method treats it as empty and therefore cannot delete it. Even the system's Registry Editor cannot display the registry startup item data written by the virus. When the Registry Editor enumerates the data under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, it enumerates an empty registry key value data item.
In the Windows API, the conventional function for writing registry key value data is RegSetValue, and the registry key value it writes is a string of type LPCTSTR, so this function cannot write a startup item key value that begins with "\00". Tracing down from the RegSetValue function, however, leads to the NtSetValueKey function in the ntdll module; this function wraps the registry key value data into a data structure of type _UNICODE_STRING. This data structure contains the registry key value data and the length of the registry key value data. In this way, a malicious program can store arbitrary data in the data structure, not just strings, and without any limit on length.
So the malicious program uses the NtSetValueKey function in the ntdll module, constructs a special structure of type _UNICODE_STRING and writes registry key value data to the startup item, where the registry key value data begins with "\00" and the data length is not 0.
Based on the above analysis, the embodiment of the present invention addresses this problem by using the key value enumeration function NtEnumerateValueKey in the ntdll module to obtain each registry key value data item under the system registry startup item. The information obtained by the NtEnumerateValueKey function is stored in a structure of type _UNICODE_STRING, which includes a pointer of type PVOID and the data length value corresponding to the registry key value data; the registry key value data is stored in the PVOID pointer.
For each _UNICODE_STRING structure obtained, the registry key value data in it is then examined. If a registry key value data item begins with "\00" and the length of the registry startup item key value is greater than 0, the registry startup item corresponding to that registry key value data needs to be deleted. At this point, the key value deletion function NtDeleteValueKey in the ntdll module is called to delete the registry startup item.
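The rule described above (a name whose first character is \00 but whose counted length is greater than 0) can be checked with a portable model of the counted string. This is an added example, not code from the patent: `counted_name` is a hypothetical stand-in for _UNICODE_STRING, the sample names are constructed, an array replaces the patent's linked list, and the embedded-NUL class goes beyond the page's leading-\00 case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical portable stand-in for the NT counted string (_UNICODE_STRING):
 * Length is a byte count and Buffer holds UTF-16 units that need not be
 * NUL-terminated. */
typedef struct {
    uint16_t Length;          /* bytes used in Buffer */
    uint16_t MaximumLength;   /* bytes allocated for Buffer */
    const uint16_t *Buffer;
} counted_name;

typedef enum {
    NAME_EMPTY,         /* Length == 0: a genuinely empty name */
    NAME_NORMAL,        /* no NUL inside the counted range */
    NAME_LEADING_NUL,   /* the page's case: first unit is \0, Length > 0 */
    NAME_EMBEDDED_NUL   /* NUL later in the name: truncated, not emptied */
} name_class;

/* How many UTF-16 units a NUL-terminated (LPCTSTR) reader would see. */
size_t visible_units(const counted_name *n)
{
    size_t total = n->Length / sizeof(uint16_t);
    size_t i = 0;
    while (i < total && n->Buffer[i] != 0)
        i++;
    return i;
}

/* Compare the counted length with what a NUL-terminated reader sees. */
name_class classify_name(const counted_name *n)
{
    size_t total = n->Length / sizeof(uint16_t);
    if (total == 0)
        return NAME_EMPTY;
    size_t seen = visible_units(n);
    if (seen == 0)
        return NAME_LEADING_NUL;
    return seen < total ? NAME_EMBEDDED_NUL : NAME_NORMAL;
}

/* Collect first, delete afterwards, as the page does with its linked list:
 * record the index of every entry that matches the page's rule. Returns the
 * number of matches; at most cap indices are written to out. */
size_t collect_leading_nul(const counted_name *names, size_t count,
                           size_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (classify_name(&names[i]) != NAME_LEADING_NUL)
            continue;
        if (found < cap)
            out[found] = i;
        found++;
    }
    return found;
}

/* Constructed sample value names (not taken from a real system). */
static const uint16_t N_AV1[]    = { 'a', 'v', '1' };
static const uint16_t N_HIDDEN[] = { 0, 'a', 'v', '1' };
static const uint16_t N_SPLIT[]  = { 'a', 'b', 0, 'c' };
static const uint16_t N_NONE[]   = { 0 };

#define NAME(a) { (uint16_t)sizeof(a), (uint16_t)sizeof(a), (a) }

const counted_name SAMPLE[] = {
    NAME(N_AV1),                               /* ordinary name           */
    NAME(N_HIDDEN),                            /* "\00av1", Length 8      */
    NAME(N_SPLIT),                             /* "ab\00c", Length 8      */
    { 0, (uint16_t)sizeof(N_NONE), N_NONE },   /* truly empty, Length 0   */
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    static const char *label[] = { "empty", "normal", "LEADING NUL", "embedded NUL" };
    size_t hits[SAMPLE_COUNT];
    size_t n = collect_leading_nul(SAMPLE, SAMPLE_COUNT, hits, SAMPLE_COUNT);

    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("entry %zu: Length=%u bytes, visible=%zu units, %s\n", i,
               (unsigned)SAMPLE[i].Length, visible_units(&SAMPLE[i]),
               label[classify_name(&SAMPLE[i])]);
    printf("%zu entr%s queued for deletion by counted name\n",
           n, n == 1 ? "y" : "ies");
    return 0;
}
```

On Windows the same classification would be applied to the names returned by NtEnumerateValueKey, with the flagged names passed at their full counted length to NtDeleteValueKey.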
Fig. 2 is a schematic structural diagram of the apparatus for deleting a malicious file according to embodiment three of the present invention. As shown in Fig. 2, the apparatus of this embodiment may include:
a first obtaining module 201, configured to obtain each registry key value data item under the system registry startup item, where each registry key value data item is stored in the pointer of a preset data structure, and the preset data structure also includes the data length value corresponding to each registry key value data item;
a second obtaining module 202, configured to obtain, among the registry key value data, first registry key value data that has a first character as its starting character;
a third obtaining module 203, configured to obtain the data length value of the first registry key value data from the preset data structure;
a deletion module 204, configured to delete the first registry startup item corresponding to the first registry key value data when the data length value of the first registry key value data is greater than 0.
The first obtaining module 201 is specifically configured to obtain each registry key value data item under the system registry startup item by using the key value enumeration function NtEnumerateValueKey in the ntdll module.
Specifically, the first character is "\00" and the preset data structure is _UNICODE_STRING.
Specifically, the deletion module 204 includes:
an obtaining submodule, configured to obtain the name of the first registry startup item; a storage submodule, configured to store the name of the first registry startup item in a linked list; and a deletion submodule, configured to call the key value deletion function NtDeleteValueKey in the ntdll module according to the linked list to delete the first registry startup item.
The apparatus of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
As can be seen from the above, even when a malicious program constructs a special startup item key value, the scheme of the embodiment of the present invention can still identify the startup item of the malicious program and delete it. This solves the prior-art problem of low system security caused by being unable to delete the startup item of a malicious program, and ensures the security of the system.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; the same and similar parts of the embodiments can be referred to across embodiments, and each embodiment focuses on its differences from the others. The apparatus embodiment in particular is described relatively briefly because it is substantially similar to the method embodiment; for the relevant parts, see the description of the method embodiment.
The logic and/or steps represented in a flowchart or otherwise described herein, for example an ordered list of executable instructions for implementing logical functions, may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" can be any means that can contain, store, communicate, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium can even be paper or another suitable medium on which the program can be printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that each part of the present invention can be implemented in hardware, software, firmware or a combination of them. In the above embodiments, multiple steps or methods can be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following technologies well known in the art can be used: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
An embodiment of the present invention also provides an electronic device that includes the apparatus described in any of the foregoing embodiments.
Fig. 3 is a schematic structural diagram of one embodiment of the electronic device of the present invention, which can implement the process of the embodiment shown in Fig. 1. As shown in Fig. 3, the electronic device may include a housing 301, a processor 302, a memory 303, a circuit board 304 and a power supply circuit 305, where the circuit board 304 is placed inside the space enclosed by the housing 301, and the processor 302 and the memory 303 are arranged on the circuit board 304; the power supply circuit 305 supplies power to each circuit or component of the electronic device; the memory 303 stores executable program code; and the processor 302 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 303, in order to execute the method described in any of the foregoing embodiments.
For the specific process by which the processor 302 executes the above steps, and for the steps the processor 302 further executes by running the executable program code, see the description of the embodiment shown in Fig. 1; they are not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: these devices have mobile communication functions and have voice and data communication as their main purpose. Such terminals include smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: these devices can display and play multimedia content. They include audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on, and its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, it has higher requirements for processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
In addition, an embodiment of the present invention also provides a storage medium for storing an application program, the application program being used to execute the method for deleting a registry startup item provided by the embodiments of the present invention.
In addition, an embodiment of the present invention also provides an application program for executing the method for deleting a registry startup item provided by the embodiments of the present invention.
Those skilled in the art will understand that all or some of the steps of the above method embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
For convenience of description, the above apparatus is described as divided by function into various units/modules. Of course, when implementing the present invention, the functions of the units/modules can be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention or in certain parts of the embodiments.
As can be seen from the above, even when a malicious program constructs a special startup item key value, the scheme of the embodiment of the present invention can still identify the startup item of the malicious program and delete it. This solves the prior-art problem of low system security caused by being unable to delete the startup item of a malicious program, and ensures the security of the system.
A person of ordinary skill in the art will understand that all or part of the processes in the above method embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. a kind of method for deleting registry boot item characterized by comprising
Each registry key Value Data under system registry startup item is obtained, each registry key Value Data is stored in present count According in the pointer of structure, further including the corresponding data length of each registry key Value Data in the preset data structure Value;
It obtains in each registry key Value Data using the first character as the first registry key Value Data of bebinning character;
The data length value of the first registry key Value Data is obtained according to the preset data structure;
If the data length value of the first registry key Value Data is greater than 0, the first registry key Value Data is deleted Corresponding first registry boot item.
2. The method for deleting a registry startup item according to claim 1, characterized in that obtaining each piece of registry key value data under the system registry startup items comprises:
obtaining each piece of registry key value data under the system registry startup items by using the key value enumeration function NtEnumerateValueKey in the ntdll module.
3. The method for deleting a registry startup item according to claim 1, characterized in that the first character is "00" and the preset data structure is _UNICODE_STRING.
4. The method for deleting a registry startup item according to claim 1, characterized in that deleting the first registry startup item corresponding to the first registry key value data comprises:
obtaining the name of the first registry startup item;
storing the name of the first registry startup item in a linked list;
calling the key value deletion function NtDeleteValueKey in the ntdll module to delete the first registry startup item according to the linked list.
5. A device for deleting a registry startup item, characterized by comprising:
a first obtaining module, configured to obtain each piece of registry key value data under the system registry startup items, wherein each piece of registry key value data is stored in a pointer of a preset data structure, and the preset data structure further includes a data length value corresponding to each piece of registry key value data;
a second obtaining module, configured to obtain, from among the registry key value data, first registry key value data whose starting character is a first character;
a third obtaining module, configured to obtain the data length value of the first registry key value data according to the preset data structure;
a deletion module, configured to delete the first registry startup item corresponding to the first registry key value data when the data length value of the first registry key value data is greater than 0.
6. The device for deleting a registry startup item according to claim 5, characterized in that the first obtaining module is specifically configured to: obtain each piece of registry key value data under the system registry startup items by using the key value enumeration function NtEnumerateValueKey in the ntdll module.
7. The device for deleting a registry startup item according to claim 5, characterized in that the first character is "00" and the preset data structure is _UNICODE_STRING.
8. The device for deleting a registry startup item according to claim 5, characterized in that the deletion module comprises:
an obtaining submodule, configured to obtain the name of the first registry startup item;
a storage submodule, configured to store the name of the first registry startup item in a linked list;
a deletion submodule, configured to call the key value deletion function NtDeleteValueKey in the ntdll module to delete the first registry startup item according to the linked list.
9. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or component of the electronic device; the memory is configured to store executable program code; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following operations:
obtaining each piece of registry key value data under the system registry startup items, wherein each piece of registry key value data is stored in a pointer of a preset data structure, and the preset data structure further includes a data length value corresponding to each piece of registry key value data;
obtaining, from among the registry key value data, first registry key value data whose starting character is a first character;
obtaining the data length value of the first registry key value data according to the preset data structure;
if the data length value of the first registry key value data is greater than 0, deleting the first registry startup item corresponding to the first registry key value data.
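The selection step recited in claims 1, 3 and 4, as an added example that is not code from the patent: it shows why the counted length matters, since data beginning with 0x0000 looks empty to a NUL-terminated reader while the length field still reports content. `CountedStr` is a portable stand-in for `_UNICODE_STRING`; `RunValue`, the function names and the sample values are assumptions, the list is chained through the values themselves rather than through copied names, and the NtEnumerateValueKey and NtDeleteValueKey calls are left out so the check runs on any platform.

```c
#include <stdint.h>
#include <stdio.h>

/* Portable stand-in for _UNICODE_STRING: Length counts bytes, so the buffer
   can hold 0x0000 code units that a NUL-terminated reader would stop at. */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } CountedStr;
typedef struct RunValue { CountedStr name, data; struct RunValue *next; } RunValue;

/* Claims 1 and 3: data starts with 0x0000 yet its counted length is non-zero. */
int is_hidden(const CountedStr *s) {
    return s->Buffer && s->Length >= sizeof(uint16_t) && s->Buffer[0] == 0;
}

/* Code units a NUL-terminated reader sees before the first 0x0000. */
size_t visible_units(const CountedStr *s) {
    size_t n = 0, max = s->Buffer ? s->Length / sizeof(uint16_t) : 0;
    while (n < max && s->Buffer[n] != 0) n++;
    return n;
}

/* Claim 4: chain the flagged values so their names can be deleted afterwards. */
RunValue *collect_hidden(RunValue *vals, size_t count) {
    RunValue *head = NULL;
    for (size_t i = count; i-- > 0; ) {   /* reverse walk keeps key order */
        if (!is_hidden(&vals[i].data)) continue;
        vals[i].next = head;
        head = &vals[i];
    }
    return head;
}

/* Constructed sample values, not taken from the patent. */
static const uint16_t N_OK[] = {'U','p','d'}, D_OK[] = {'a','.','e','x','e'};
static const uint16_t N_BAD[] = {'S','v','c'}, D_BAD[] = {0,'b','.','e','x','e'};
static const uint16_t N_NIL[] = {'O','l','d'}, D_NIL[] = {0};
static RunValue SAMPLE[] = {
    {{sizeof N_OK, sizeof N_OK, N_OK}, {sizeof D_OK, sizeof D_OK, D_OK}, NULL},
    {{sizeof N_BAD, sizeof N_BAD, N_BAD}, {sizeof D_BAD, sizeof D_BAD, D_BAD}, NULL},
    {{sizeof N_NIL, sizeof N_NIL, N_NIL}, {0, sizeof D_NIL, D_NIL}, NULL}, /* empty data */
};

int main(void) {
    for (RunValue *v = collect_hidden(SAMPLE, 3); v; v = v->next)
        printf("queue %u-byte value name for NtDeleteValueKey\n", (unsigned)v->name.Length);
    return 0;
}
```

The third sample value has a zero length, so it is treated as genuinely empty and is not queued, which is the case the length test in claim 1 separates from a hidden entry.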
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610490412.7A CN106201579B (en) 2016-06-28 2016-06-28 A kind of method, apparatus and electronic equipment for deleting registry boot item

Publications (2)

Publication Number Publication Date
CN106201579A CN106201579A (en) 2016-12-07
CN106201579B true CN106201579B (en) 2019-06-21

Family

ID=57461667

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190116

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

GR01 Patent grant