CN108287779A - A kind of Windows startup items monitoring method and system - Google Patents

Info

Publication number: CN108287779A
Authority: CN (China)
Prior art keywords: monitoring, startup item, kernel, windows, startup
Legal status: Granted
Application number: CN201810068132.6A
Other languages: Chinese (zh)
Other versions: CN108287779B (en)
Inventor: 吴振刚
Current assignee: Zhengzhou Yunhai Information Technology Co Ltd
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201810068132.6A (patent CN108287779B)
Publication of CN108287779A; application granted; publication of CN108287779B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F 11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F 2201/865 Monitoring of software

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Quality & Reliability (AREA)
  • Stored Programmes (AREA)

Abstract

The embodiments of the invention disclose a Windows startup-item monitoring method and system. A resident process X is launched in the form of a Windows service, and process X is protected so that it cannot be terminated; under different monitoring strategies, process X monitors the registry locations of startup items in real time. Because the process is launched by a service, it no longer depends on a user logging in, and startup items remain protected against abnormal changes even when no user is logged in. The startup items of all users can be managed, so startup-item operations cover every user. Three monitoring modes make the system more user-friendly and fit different application scenarios: during normal operation of the computer, normal mode can be kept; while the computer is being installed or maintained, monitoring mode can be kept; and while a problem on the computer is temporarily being investigated, stop mode can be kept.

Description

A Windows startup-item monitoring method and system
Technical field
The present invention relates to the technical field of startup-item monitoring, and in particular to a Windows startup-item monitoring method and system.
Background technology
When an operating system starts, it automatically loads many programs, the so-called startup items. That many programs start automatically brings us much convenience, which is an undisputed fact, but not every self-starting program is useful to us; worse, the ranks of self-starting programs may contain viruses or trojans. For this reason, monitoring startup items and deciding whether their operations are permitted is a key function of security software. The tools that can currently act on startup items are:
MSConfig and Task Manager, startup-item maintenance tools provided by Microsoft, which let a user query, enable, or disable specified startup items. They cannot intercept startup items: every startup-item operation is let through, so they are only monitoring tools.
Existing general-purpose security software, such as 360 and Safe Dog (安全狗), supports querying, enabling, and disabling specified startup items. It can intercept startup items, but its interception strategy is single and cannot address multiple application scenarios. It runs in user mode and cannot operate on behalf of all users.
Invention content
The embodiments of the present invention provide a Windows startup-item monitoring method and system, to solve the problem in the prior art that interception of startup items either cannot be achieved or relies on a single interception strategy.
To solve the above technical problem, the embodiments of the present invention disclose the following technical solutions:
A first aspect of the present invention provides a Windows startup-item monitoring method, comprising the following steps:
launching a resident process X in the form of a Windows service, and protecting process X so that it is not terminated;
under different monitoring strategies, process X monitoring the registry locations of startup items in real time.
With reference to the first aspect, in a first possible implementation of the first aspect, the method of protecting process X from termination specifically comprises: the Windows kernel protects the daemon process using SSDT HOOK technology, ensuring that the process is not terminated; if the process terminates abnormally, it can be launched again by the Windows service.
With reference to the first aspect, in a second possible implementation of the first aspect, the monitoring strategies include normal mode, monitoring mode, and stop mode.
With reference to the first aspect, in a third possible implementation of the first aspect, in normal mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel blocks the operation and records a violation log entry.
With reference to the first aspect, in a fourth possible implementation of the first aspect, in monitoring mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel blocks the operation by default.
With reference to the first aspect, in a fifth possible implementation of the first aspect, the kernel blocking the operation by default specifically means:
if no user is logged in, the kernel keeps the operation blocked; after a user logs in, the kernel presents the block record, and the user may choose whether to restore the operation;
if a user is logged in, the kernel prompts the user whether to allow the operation and indicates the extent of harm of allowing it; after the user chooses to allow, the kernel lets the operation through.
With reference to the first aspect, in a sixth possible implementation of the first aspect, in stop mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel lets the operation through and does not record a violation log entry.
A second aspect of the present invention provides a Windows startup-item monitoring system, comprising a monitoring module for monitoring all startup-item information; and
a management module for managing monitoring strategies, which can modify the monitoring strategy of startup items; and
a public query module for viewing the system's public startup items and the startup-item information of all users; and
a database for storing the startup-item monitoring log.
In conjunction with the second aspect, in a first possible implementation of the second aspect, the management module's management of monitoring strategies requires logging into the system with a password and passing verification.
The Windows startup-item monitoring system of the second aspect can implement the method of the first aspect and each of its implementations, and achieves the same effect.
From the above technical solution it can be seen that, in the present invention, a resident process X is launched in the form of a Windows service. The kernel protects the daemon process so that it is not terminated; if the process terminates abnormally, the service launches it again. Because the process is launched by a service, it no longer depends on a user logging in, and startup items remain protected against abnormal changes even when no user is logged in. The startup items of all users can be managed, so startup-item operations cover every user.
Three monitoring modes make the system more user-friendly and fit different application scenarios: during normal operation of the computer, normal mode can be kept; while the computer is being installed or maintained, monitoring mode can be kept; and while a problem on the computer is temporarily being investigated, stop mode can be kept.
Description of the drawings
To explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, a person of ordinary skill in the art could obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of a Windows startup-item monitoring method;
Fig. 2 is a structural schematic diagram of a Windows startup-item monitoring system applied by an embodiment of the present invention.
Specific implementation mode
To help those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, a Windows startup-item monitoring method comprises the following steps:
S1, launching a resident process X in the form of a Windows service, and protecting process X so that it is not terminated;
S2, under different monitoring strategies, process X monitoring the registry locations of startup items in real time.
The method of protecting process X from termination is specifically: the Windows kernel protects the daemon process using SSDT HOOK technology, ensuring that the process is not terminated; if the process terminates abnormally, it can be launched again by the Windows service.
The monitoring strategies include normal mode, monitoring mode, and stop mode.
In normal mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel blocks the operation and records a violation log entry.
In monitoring mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel blocks the operation by default.
The kernel blocking the operation by default specifically means:
if no user is logged in, the kernel keeps the operation blocked; after a user logs in, the kernel presents the block record, and the user may choose whether to restore the operation;
if a user is logged in, the kernel prompts the user whether to allow the operation and indicates the extent of harm of allowing it; after the user chooses to allow, the kernel lets the operation through.
In stop mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel lets the operation through and does not record a violation log entry.
As shown in Fig. 2, a Windows startup-item monitoring system comprises a monitoring module for monitoring all startup-item information; a management module for managing monitoring strategies, which can modify the monitoring strategy of startup items; a public query module for viewing the system's public startup items and the startup-item information of all users; and a database for storing the startup-item monitoring log.
The management module's management of monitoring strategies requires logging into the system with a password and passing verification.
The above is only a specific implementation of the present invention, given so that those skilled in the art can understand or implement the invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
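As an added example, not code from the patent or its assignee, the following Python simulates the policy described in steps S1 and S2 and the password-gated management module of Fig. 2 in user mode: one `StartupItemMonitor` applies the current mode to each registry operation, holds operations blocked while no user is logged in so they can be reviewed after login, consults the user (with a harm rating) in monitoring mode, and only changes mode after a verified password. The registry keys, the `RegistryEvent` shape, the harm rating rule, and the decision to log a user's refusal are all assumptions; the patent's kernel-side protection of process X (SSDT hook and service relaunch) is out of scope here.

```python
"""Added example (not the patent's code): a user-mode simulation of the
three monitoring modes and the password-gated management module."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional

# Assumption: the patent does not list which keys make up the "startup-item
# registry directory"; these well-known Run keys are a constructed stand-in.
STARTUP_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


class Mode(Enum):
    NORMAL = "normal"    # block every change and log it
    MONITOR = "monitor"  # block first, then defer to the logged-in user
    STOP = "stop"        # let everything through, log nothing


class Op(Enum):
    ADD = "add"
    MODIFY = "modify"
    DELETE = "delete"


@dataclass(frozen=True)
class RegistryEvent:
    key: str         # registry key being written
    value_name: str  # value under that key (the startup item's name)
    op: Op
    data: str        # command line the value points at


@dataclass
class Decision:
    blocked: bool
    logged: bool
    pending_review: bool = False  # held until a user logs in and reviews it


def harm_level(event: RegistryEvent) -> str:
    """Constructed stand-in for the 'extent of harm' shown to the user; the
    patent does not define how it is computed."""
    if event.op == Op.DELETE:
        return "medium"  # removing a startup item is less risky than adding one
    path = event.data.lower()
    if "\\program files" in path or "\\windows\\" in path:
        return "low"
    return "high"  # autostart from a user-writable location


class StartupItemMonitor:
    def __init__(self, mode: Mode, admin_password: str):
        self.mode = mode
        self.violation_log: List[str] = []      # the patent's "violation log"
        self.pending: List[RegistryEvent] = []  # blocked while nobody was logged in
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(admin_password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_mode(self, new_mode: Mode, password: str) -> bool:
        """Management module: changing the strategy needs a verified password."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            self.violation_log.append(f"management: rejected mode change to {new_mode.value}")
            return False
        self.mode = new_mode
        return True

    def handle(self, event: RegistryEvent, user_logged_in: bool,
               ask_user: Optional[Callable[[RegistryEvent, str], bool]] = None) -> Decision:
        """Apply the current mode to one add/modify/delete registry operation."""
        if event.key not in STARTUP_KEYS:
            return Decision(blocked=False, logged=False)  # not a startup-item key
        if self.mode == Mode.STOP:
            return Decision(blocked=False, logged=False)
        if self.mode == Mode.NORMAL:
            self.violation_log.append(self._describe(event))
            return Decision(blocked=True, logged=True)
        # MONITOR: block first; with no user present, keep the block and hold
        # the record so it can be reviewed after login.
        if not user_logged_in or ask_user is None:
            self.pending.append(event)
            return Decision(blocked=True, logged=False, pending_review=True)
        # A user is present: prompt with the harm rating and honour the answer.
        if ask_user(event, harm_level(event)):
            return Decision(blocked=False, logged=False)
        self.violation_log.append(self._describe(event))  # assumption: refusals are logged
        return Decision(blocked=True, logged=True)

    def review_pending(self, restore: Callable[[RegistryEvent], bool]) -> List[RegistryEvent]:
        """After login, show the held block records; return those the user restored."""
        restored = [e for e in self.pending if restore(e)]
        self.pending = [e for e in self.pending if e not in restored]
        return restored

    @staticmethod
    def _describe(event: RegistryEvent) -> str:
        return f"{event.op.value} {event.key}\\{event.value_name} = {event.data}"
```

The `ask_user` and `restore` callbacks stand in for the kernel's prompt and the post-login review dialog, so the same policy can be driven from a test, a console, or a GUI; `hmac.compare_digest` on a salted PBKDF2 hash is the constant-time check a management module should use before accepting a mode change.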

Claims (9)

1. A Windows startup-item monitoring method, characterized by comprising the following steps:
launching a resident process X in the form of a Windows service, and protecting process X so that it is not terminated;
under different monitoring strategies, process X monitoring the registry locations of startup items in real time.
2. The method according to claim 1, characterized in that the method of protecting process X from termination specifically comprises: the Windows kernel protects the daemon process using SSDT HOOK technology, ensuring that the process is not terminated; if the process terminates abnormally, it can be launched again by the Windows service.
3. The method according to claim 1, characterized in that the monitoring strategies include normal mode, monitoring mode, and stop mode.
4. The method according to claim 3, characterized in that, in normal mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel blocks the operation and records a violation log entry.
5. The method according to claim 3, characterized in that, in monitoring mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel blocks the operation by default.
6. The method according to claim 5, characterized in that the kernel blocking the operation by default specifically means:
if no user is logged in, the kernel keeps the operation blocked; after a user logs in, the kernel presents the block record, and the user may choose whether to restore the operation;
if a user is logged in, the kernel prompts the user whether to allow the operation and indicates the extent of harm of allowing it; after the user chooses to allow, the kernel lets the operation through.
7. The method according to claim 3, characterized in that, in stop mode, the method by which process X monitors the registry locations of startup items in real time comprises:
when the system detects an add, modify, or delete operation on the relevant registry keys, the kernel lets the operation through and does not record a violation log entry.
8. A Windows startup-item monitoring system using the method of any one of claims 1 to 7, characterized by comprising a monitoring module for monitoring all startup-item information; and
a management module for managing monitoring strategies, which can modify the monitoring strategy of startup items; and
a public query module for viewing the system's public startup items and the startup-item information of all users; and
a database for storing the startup-item monitoring log.
9. The system according to claim 8, characterized in that the management module's management of monitoring strategies requires logging into the system with a password and passing verification.

Priority Applications (1)

Application number: CN201810068132.6A (CN108287779B); priority date: 2018-01-24; filing date: 2018-01-24; title: Windows startup item monitoring method and system

Applications Claiming Priority (1)

Application number: CN201810068132.6A (CN108287779B); priority date: 2018-01-24; filing date: 2018-01-24; title: Windows startup item monitoring method and system

Publications (2)

CN108287779A (application), published 2018-07-17
CN108287779B (granted patent), published 2021-07-27

Family

Family ID: 62835682

Family Applications (1)

Application number: CN201810068132.6A (Active, CN108287779B); priority date: 2018-01-24; filing date: 2018-01-24; title: Windows startup item monitoring method and system

Country Status (1)

CN: CN108287779B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109032895A (en) * 2018-07-26 2018-12-18 郑州云海信息技术有限公司 A kind of detection method, device, equipment and storage medium monitoring fuse process
CN109491715A (en) * 2018-11-06 2019-03-19 深圳市风云实业有限公司 Application management method, device and terminal based on Windows NT
CN110119622A (en) * 2019-05-15 2019-08-13 苏州浪潮智能科技有限公司 A kind of registration table Integrity Management method, system and equipment
CN110688274A (en) * 2019-08-30 2020-01-14 平安科技(深圳)有限公司 Active directory monitoring method based on Windows Server operating system and related equipment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050289357A1 (en) * 2004-06-25 2005-12-29 Samsung Electronics Co., Ltd. Apparatus and method for securely and conveniently rebooting a computer system
CN102314577A (en) * 2011-09-23 2012-01-11 深圳市万兴软件有限公司 Method for real-time monitoring and protecting boot-starting items of registry
CN102542182A (en) * 2010-12-15 2012-07-04 苏州凌霄科技有限公司 Device and method for controlling mandatory access based on Windows platform
CN104503807A (en) * 2014-12-31 2015-04-08 北京奇虎科技有限公司 Management method and device of starting items
US9239922B1 (en) * 2013-03-11 2016-01-19 Trend Micro Inc. Document exploit detection using baseline comparison
CN105354498A (en) * 2015-10-30 2016-02-24 珠海市君天电子科技有限公司 Operation method of registry, related device and equipment
US20160239377A1 (en) * 2003-08-11 2016-08-18 Triumfant, Inc. System for Automated Computer Support
CN106980564A (en) * 2017-03-16 2017-07-25 北京科皓世纪科技有限公司 Process behavior monitoring method based on kernel hook
CN107463839A (en) * 2017-08-16 2017-12-12 郑州云海信息技术有限公司 A kind of system and method for managing application program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李珂泂 等: "恶意脚本程序研究以及基于API HOOK的注册表监控技术", 《计算机应用》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109032895A (en) * 2018-07-26 2018-12-18 郑州云海信息技术有限公司 A kind of detection method, device, equipment and storage medium monitoring fuse process
CN109491715A (en) * 2018-11-06 2019-03-19 深圳市风云实业有限公司 Application management method, device and terminal based on Windows NT
CN109491715B (en) * 2018-11-06 2021-10-22 深圳市风云实业有限公司 Application management method, device and terminal based on Windows NT
CN110119622A (en) * 2019-05-15 2019-08-13 苏州浪潮智能科技有限公司 A kind of registration table Integrity Management method, system and equipment
CN110688274A (en) * 2019-08-30 2020-01-14 平安科技(深圳)有限公司 Active directory monitoring method based on Windows Server operating system and related equipment

Also Published As

Publication number Publication date
CN108287779B (en) 2021-07-27

Legal Events

Code / Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant