CN108287779B - Windows startup item monitoring method and system - Google Patents
- Publication number: CN108287779B (application CN201810068132.6A)
- Authority: CN (China)
- Prior art keywords: monitoring, kernel, item, windows, registry
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2201/00—Indexing scheme relating to error detection, to error correction, and to monitoring
- G06F2201/865—Monitoring of software
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Mathematical Physics (AREA)
- Quality & Reliability (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the invention discloses a Windows startup item monitoring method and system. A resident process X is launched as a Windows service and protected from being terminated; under different monitoring policies, process X monitors the registry keys holding the startup items in real time. Because the process is launched by the service, it no longer depends on a user logging in, so abnormal changes to startup items are still blocked when no user is logged in. The startup items of all users can be managed, so startup-item operations cover all users. The three monitoring modes are more user-friendly and suit different application scenarios: during normal operation of the computer, normal mode can be kept; during an installation or maintenance stage, monitoring mode can be used; when the computer is temporarily being used to troubleshoot a problem, stop mode can be kept.
Description
Technical Field
The invention relates to the technical field of startup item monitoring, in particular to a method and a system for monitoring a Windows startup item.
Background
When the operating system starts, many programs are loaded automatically; these are the so-called startup items. The automatic starting of many programs is undeniably convenient, but not every self-starting program is useful to the user, and viruses or trojans may also appear in the list of self-starting programs. For this reason, monitoring startup items and controlling the permissions for operations on them is an important function of security software. At present, the tools that can operate on startup items include:
The MSConfig tool and Task Manager, the startup-item maintenance tools provided by Microsoft, which let the user query, enable and disable specified startup items. They cannot intercept startup-item changes; every startup-item operation is let through, so they are only query-and-toggle tools.
Current general-purpose security software, such as 360 and Safe Dog, which supports querying, enabling and disabling startup items and displaying information about specified startup items. It can intercept startup-item changes, but the interception policy is a single one and cannot be adapted to different application scenarios. Because it works in user mode, it cannot operate on the startup items of all users.
Disclosure of Invention
The embodiment of the invention provides a method and a system for monitoring Windows startup items, aiming to solve the problem that the prior art either cannot intercept startup-item changes or applies only a single interception policy.
In order to solve the technical problem, the embodiment of the invention discloses the following technical scheme:
the first aspect of the invention provides a Windows startup item monitoring method, which comprises the following steps:
launching a resident process X as a Windows service and protecting it from being terminated;
under different monitoring policies, process X monitors the registry keys of the startup items in real time.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the method for protecting process X from being terminated is specifically: the Windows kernel protects the daemon process with an SSDT hook, ensuring that the process cannot be terminated; if the process does terminate abnormally, it is started again by the Windows service.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the monitoring policy includes a normal mode, a monitoring mode, and a stop mode.
With reference to the first aspect, in a third possible implementation manner of the first aspect, in the normal mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel blocks the operation and records a violation log entry.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, in the monitoring mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel blocks the operation first.
With reference to the first aspect, in a fifth possible implementation manner of the first aspect, the kernel blocking the operation first is specifically:
if no user is logged in, the kernel keeps blocking the operation; after a user logs in, the kernel presents the blocking record and the user can choose whether to recover the change;
if a user is logged in, the kernel prompts the user whether to let the operation through and shows the degree of harm of letting it through; after the user chooses to let it through, the kernel lets the operation through.
With reference to the first aspect, in a sixth possible implementation manner of the first aspect, in the stop mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel lets the operation through and does not record a violation log entry.
The second aspect of the invention provides a Windows startup item monitoring system, which comprises a monitoring module for monitoring the information of all startup items;
a management module for managing the monitoring policy and modifying the monitoring policy of the startup items;
a public query module for viewing the system's public startup items and the startup item information of all users;
and a database for storing the startup item monitoring log.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the management module requires logging into the system with a password and passing verification before the monitoring policy can be managed.
The Windows startup item monitoring system of the second aspect of the present invention can implement the methods of the first aspect and the implementation manners of the first aspect, and achieve the same effect.
According to the technical scheme above, the resident process X is launched as a Windows service. The kernel protects the process so that it cannot be terminated, and if the process terminates abnormally it is started again by the service. Because the process is launched by the service, it no longer depends on a user logging in, so abnormal changes to startup items are still blocked when no user is logged in. The startup items of all users can be managed, so startup-item operations cover all users.
The three monitoring modes are more user-friendly and suit different application scenarios: during normal operation of the computer, normal mode can be kept; during an installation or maintenance stage, monitoring mode can be used; when the computer is temporarily being used to troubleshoot a problem, stop mode can be kept.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present invention, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a flow chart of a Windows startup item monitoring method;
FIG. 2 is a schematic structural diagram of a Windows startup item monitoring system applied in the embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiment of the present invention will be clearly and completely described below with reference to the drawings in the embodiment of the present invention, and it is obvious that the described embodiment is only a part of the embodiment of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, a Windows startup item monitoring method includes the following steps:
S1, launching a resident process X as a Windows service and protecting process X from being terminated;
S2, under different monitoring policies, process X monitors the registry keys of the startup items in real time.
The method for protecting process X from being terminated is specifically: the Windows kernel protects the daemon process with an SSDT hook, ensuring that the process cannot be terminated; if the process does terminate abnormally, it is started again by the Windows service.
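Added example for the process-protection step above (described identically in the first possible implementation of the first aspect), not the patent's own code. It shows only the service-restart half: a supervisor that re-launches the resident process when it exits abnormally, with a failure budget modelled on the Service Control Manager's recovery actions (`sc.exe failure <service> reset= <seconds> actions= restart/<ms>`), so a crashing monitor is not restarted forever; the operator should alert when the budget is exhausted, since a monitor that stays down is exactly what malware targeting it wants. The SSDT-hook half is not reproduced: on 64-bit Windows, Kernel Patch Protection (PatchGuard) bug-checks the system when the SSDT is modified, and the supported way to keep a process from being terminated is an ObRegisterCallbacks handle filter that strips PROCESS_TERMINATE from handles opened to it. `spawn_child`, `supervise` and the Python child used as the stand-in process are assumptions.

```python
"""Added example (not the patent's code): a user-mode supervisor that re-launches
the resident process when it exits abnormally, with a failure budget modelled on
the Service Control Manager's recovery actions. spawn_child/supervise are assumed
names; the child is a constructed stand-in for the real monitor executable."""
import subprocess
import sys
import time


def spawn_child(exit_code: int) -> subprocess.Popen:
    """Stand-in for process X: a Python child that exits with the requested code
    (so the example runs deterministically without the real monitor binary)."""
    return subprocess.Popen([sys.executable, "-c", f"import sys; sys.exit({int(exit_code)})"])


def supervise(exit_codes, max_failures=3, reset_window=60.0, backoff=0.01,
              now=time.monotonic, sleep=time.sleep):
    """Launch the child for each code in exit_codes until it exits cleanly (0)
    or more than max_failures abnormal exits fall inside reset_window seconds.
    Returns (exits, gave_up). Failures older than reset_window stop counting,
    like `sc.exe failure <svc> reset= <seconds>`; exponential backoff keeps a
    crash-looping monitor from burning CPU."""
    exits, failures, delay = [], [], backoff
    for code in exit_codes:
        rc = spawn_child(code).wait()
        exits.append(rc)
        if rc == 0:
            return exits, False          # clean exit: nothing to restart
        t = now()
        failures = [f for f in failures if t - f < reset_window] + [t]
        if len(failures) > max_failures:
            return exits, True           # budget exhausted; leave it down and alert
        sleep(delay)
        delay = min(delay * 2, 1.0)
    return exits, False


if __name__ == "__main__":
    # Constructed run: the monitor crashes every time; the supervisor launches it
    # four times (three restarts) and then gives up.
    print(supervise([1, 1, 1, 1, 1], max_failures=3))
```

`now` and `sleep` are injectable so the same function can be exercised with a fake clock; in production the defaults apply and the exit codes come from the real monitor rather than a list.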
The monitoring policy comprises a normal mode, a monitoring mode and a stop mode.
In the normal mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel blocks the operation and records a violation log entry.
In the monitoring mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel blocks the operation first.
The kernel blocking the operation first is specifically:
if no user is logged in, the kernel keeps blocking the operation; after a user logs in, the kernel presents the blocking record and the user can choose whether to recover the change;
if a user is logged in, the kernel prompts the user whether to let the operation through and shows the degree of harm of letting it through; after the user chooses to let it through, the kernel lets the operation through.
In the stop mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel lets the operation through and does not record a violation log entry.
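Added example covering the three modes above (stated once in the Disclosure and repeated here), not the patent's own code. A snapshot diff of the Run and RunOnce keys under HKLM and under every HKU\<SID> hive yields add/modify/delete events, and a StartupMonitor applies normal, monitoring or stop mode to each, including the not-logged-in branch of monitoring mode that holds a blocking record for review after login. Snapshot diffing stands in for the kernel's real-time notification: user-mode code can observe and log a change but cannot veto it, which is why the patent places the decision in the kernel; on current Windows the supported mechanism is a registry filter registered with CmRegisterCallbackEx, which can fail a RegSetValue or RegDeleteValue in its pre-notification before the write commits. The harm rating, the function and class names, and the sample SID and command lines are constructed assumptions; the registry paths are the real autorun locations.

```python
"""Added example (not the patent's code): the three-mode startup-item policy run
over constructed registry-change events. Names and sample data are assumptions;
the registry paths are the real Windows autorun locations."""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Mode(Enum):
    NORMAL = "normal"    # block and write a violation log entry
    MONITOR = "monitor"  # block first; the user may release it after a prompt or login
    STOP = "stop"        # release, no log

# HKLM keys apply to every user; per-user Run keys live under HKU\<SID>, which a
# SYSTEM service sees for every loaded profile while a per-user tool sees only HKCU.
_SUBKEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce",
            r"software\microsoft\windows\currentversion\policies\explorer\run",
            r"software\wow6432node\microsoft\windows\currentversion\run")
_HIVE = r"^(hklm|hkey_local_machine|(hku|hkey_users)\\s-1-5-21-[\d-]+)\\"
_AUTORUN_RE = re.compile(_HIVE + "(" + "|".join(map(re.escape, _SUBKEYS)) + r")$")

def autorun_key(key_path: str) -> bool:
    """True if key_path is a monitored startup-item key (case-insensitive)."""
    return _AUTORUN_RE.match(key_path.strip().lower()) is not None

@dataclass(frozen=True)
class Event:
    key: str
    value: str
    op: str                      # "add" | "modify" | "delete"
    old: Optional[str] = None
    new: Optional[str] = None

def diff_snapshots(before: Dict[Tuple[str, str], str],
                   after: Dict[Tuple[str, str], str]) -> List[Event]:
    """Turn two (key path, value name) -> data snapshots into events on monitored keys."""
    events = []
    for key, value in sorted(set(before) | set(after)):
        old, new = before.get((key, value)), after.get((key, value))
        if not autorun_key(key) or old == new:
            continue
        op = "add" if old is None else "delete" if new is None else "modify"
        events.append(Event(key, value, op, old, new))
    return events

# Illustrative harm rating (an assumption; the patent only says the user is shown
# "the degree of harm"): script hosts, an encoded command or a user-writable path rate high.
_LOLBINS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32")

def harm_level(ev: Event) -> str:
    if ev.op == "delete":
        return "low"
    cmd = (ev.new or "").lower()
    if any(b in cmd for b in _LOLBINS) or " -enc" in cmd or "\\temp\\" in cmd or "\\appdata\\" in cmd:
        return "high"
    return "medium"

@dataclass
class Verdict:
    action: str                  # "block" | "allow"
    logged: bool
    pending: bool = False        # blocked with nobody to ask; held for review after login
    harm: Optional[str] = None

@dataclass
class StartupMonitor:
    mode: Mode = Mode.NORMAL
    user_logged_in: bool = False
    violation_log: List[Tuple[str, str, Event]] = field(default_factory=list)  # (mode, action, event)
    pending: List[Event] = field(default_factory=list)

    def handle(self, ev: Event, prompt: Optional[Callable[[Event, str], bool]] = None) -> Verdict:
        """Apply the current mode to one startup-item change; prompt() is the user's answer."""
        if self.mode is Mode.STOP:
            return Verdict("allow", logged=False)
        if self.mode is Mode.NORMAL:
            self.violation_log.append((self.mode.value, "block", ev))
            return Verdict("block", logged=True)
        harm = harm_level(ev)                    # MONITOR: block first, then ask
        if not self.user_logged_in or prompt is None:
            self.pending.append(ev)              # the "blocking record" shown after login
            self.violation_log.append((self.mode.value, "block", ev))
            return Verdict("block", logged=True, pending=True, harm=harm)
        action = "allow" if prompt(ev, harm) else "block"
        self.violation_log.append((self.mode.value, action, ev))   # audit trail either way
        return Verdict(action, logged=True, harm=harm)

    def review_pending(self, decide: Callable[[Event, str], bool]) -> List[Tuple[Event, bool]]:
        """After login, the user recovers (re-applies) or discards each held change."""
        results = [(ev, decide(ev, harm_level(ev))) for ev in self.pending]
        self.pending.clear()
        return results

if __name__ == "__main__":
    run_user = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
    before = {(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"): r"C:\Windows\System32\SecurityHealthSystray.exe"}
    after = {**before, (run_user, "Updater"): r"powershell -w hidden -enc SQBFAFgA"}  # constructed
    mon = StartupMonitor(Mode.MONITOR, user_logged_in=False)
    print([mon.handle(ev) for ev in diff_snapshots(before, after)])
    mon.user_logged_in = True
    print(mon.review_pending(lambda ev, harm: harm != "high"))   # user discards the high-harm one
```

Two things to notice when running it: an HKCU path is rejected by autorun_key because a service sees per-user hives as HKU\<SID>, not HKCU, which is the "all users" point the patent makes against user-mode tools; and in monitoring mode a change made while nobody is logged in is blocked and logged but also queued, so the user sees it at next login instead of it silently disappearing.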
As shown in fig. 2, a Windows startup item monitoring system comprises a monitoring module for monitoring the information of all startup items; a management module for managing the monitoring policy and modifying the monitoring policy of the startup items; a public query module for viewing the system's public startup items and the startup item information of all users; and a database for storing the startup item monitoring log.
To manage the monitoring policy, the management module requires logging into the system with a password and passing verification.
The foregoing are merely exemplary embodiments of the present invention, which enable those skilled in the art to understand or practice the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (5)
1. A Windows startup item monitoring method, characterized by comprising the following steps:
launching a resident process X as a Windows service and protecting it from being terminated;
under three monitoring policies, a normal mode, a monitoring mode and a stop mode, process X monitors the registry keys of the startup items in real time;
in the normal mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel blocks the operation and records a violation log entry;
in the monitoring mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel blocks the operation first;
in the stop mode, the method by which process X monitors the registry keys of the startup items in real time comprises:
when the system detects an add, modify or delete operation under the relevant registry key, the kernel lets the operation through and does not record a violation log entry.
2. The method of claim 1, characterized in that the method of protecting process X from being terminated comprises: the Windows kernel protects the daemon process with an SSDT hook, ensuring that the process cannot be terminated; if the process terminates abnormally, it is started again by the Windows service.
3. The method of claim 1, characterized in that, in the monitoring mode, the kernel blocking the operation first is specifically:
if no user is logged in, the kernel keeps blocking the operation; after a user logs in, the kernel presents the blocking record and the user can choose whether to recover the change;
if a user is logged in, the kernel prompts the user whether to let the operation through and shows the degree of harm of letting it through; after the user chooses to let it through, the kernel lets the operation through.
4. A Windows startup item monitoring system using the method of any one of claims 1 to 3, comprising a monitoring module for monitoring the information of all startup items;
a management module for managing the monitoring policy and modifying the monitoring policy of the startup items;
a public query module for viewing the system's public startup items and the startup item information of all users;
and a database for storing the startup item monitoring log.
5. The system of claim 4, characterized in that the management module requires logging into the system with a password and passing verification before the monitoring policy can be managed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810068132.6A CN108287779B (en) | 2018-01-24 | 2018-01-24 | Windows startup item monitoring method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108287779A CN108287779A (en) | 2018-07-17 |
CN108287779B true CN108287779B (en) | 2021-07-27 |
Family
ID=62835682
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810068132.6A Active CN108287779B (en) | 2018-01-24 | 2018-01-24 | Windows startup item monitoring method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108287779B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109032895A (en) * | 2018-07-26 | 2018-12-18 | 郑州云海信息技术有限公司 | Detection method, device, equipment and storage medium for monitoring a fuse process |
CN109491715B (en) * | 2018-11-06 | 2021-10-22 | 深圳市风云实业有限公司 | Application management method, device and terminal based on Windows NT |
CN110119622A (en) * | 2019-05-15 | 2019-08-13 | 苏州浪潮智能科技有限公司 | Registry integrity management method, system and equipment |
CN110688274B (en) * | 2019-08-30 | 2022-04-12 | 平安科技(深圳)有限公司 | Active Directory monitoring method based on the Windows Server operating system and related equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102314577A (en) * | 2011-09-23 | 2012-01-11 | 深圳市万兴软件有限公司 | Method for real-time monitoring and protecting boot-starting items of registry |
CN102542182A (en) * | 2010-12-15 | 2012-07-04 | 苏州凌霄科技有限公司 | Device and method for controlling mandatory access based on Windows platform |
US9239922B1 (en) * | 2013-03-11 | 2016-01-19 | Trend Micro Inc. | Document exploit detection using baseline comparison |
CN105354498A (en) * | 2015-10-30 | 2016-02-24 | 珠海市君天电子科技有限公司 | Operation method of registry, related device and equipment |
CN106980564A (en) * | 2017-03-16 | 2017-07-25 | 北京科皓世纪科技有限公司 | Process behavior monitoring method based on kernel hook |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7593936B2 (en) * | 2003-08-11 | 2009-09-22 | Triumfant, Inc. | Systems and methods for automated computer support |
KR100678974B1 (en) * | 2004-06-25 | 2007-02-07 | 삼성전자주식회사 | Apparatus and method for security and user comfortability in rebooting computer system |
CN104503807B (en) * | 2014-12-31 | 2018-05-25 | 北京奇虎科技有限公司 | The management method and device of startup item |
CN107463839A (en) * | 2017-08-16 | 2017-12-12 | 郑州云海信息技术有限公司 | A kind of system and method for managing application program |
Non-Patent Citations (1)
Title |
---|
Research on malicious script programs and API-hook-based registry monitoring technology (恶意脚本程序研究以及基于API HOOK的注册表监控技术); 李珂泂 et al.; Journal of Computer Applications (计算机应用); 2009-12-01; Vol. 29, No. 12; pp. 3197-3200 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108287779B (en) | Windows startup item monitoring method and system | |
US9798879B2 (en) | Apparatus, system, and method for protecting against keylogging malware | |
US8316445B2 (en) | System and method for protecting against malware utilizing key loggers | |
US8650578B1 (en) | System and method for intercepting process creation events | |
EP2681689B1 (en) | Protecting operating system configuration values | |
US7975302B2 (en) | System for real-time detection of computer system files intrusion | |
US9015829B2 (en) | Preventing and responding to disabling of malware protection software | |
CN100504899C (en) | Software watchdog system and method | |
US9129114B2 (en) | Preboot environment with system security check | |
US11468181B2 (en) | Secure access to accessory device resources | |
CN103530559A (en) | Integrity protection system of Android system | |
KR101308703B1 (en) | Security system for electronic commerce and method thereof | |
WO2021227524A1 (en) | Network edge storage apparatus having security feature | |
US20070005668A1 (en) | System for security management of a server | |
US20130145459A1 (en) | Information Processing Device, Control Method and Program | |
CN109583206B (en) | Method, device, equipment and storage medium for monitoring access process of application program | |
CN113127823B (en) | Method, system and medium for managing local serial port login and authority | |
CN114861160A (en) | Method, device, equipment and storage medium for improving non-administrator account authority | |
US20230418933A1 (en) | Systems and methods for folder and file sequestration | |
US20240272996A1 (en) | Computer-implemented system and method for recovering data in case of a computer network failure | |
JP2012078979A (en) | Uninstallation execution propriety control method of information leakage prevention program and information leakage prevention system | |
CN114117417A (en) | Program protection method and system | |
CN117235818A (en) | Encryption authentication method and device based on solid state disk, computer equipment and medium | |
CN117240449A (en) | Cloud host starting method and device based on cloud host password protection | |
CN114880655A (en) | High-performance computation-oriented content-based safety protection method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |