TW552522B - System and method for real time monitoring and control of networked computers - Google Patents

Publication number: TW552522B
Authority: TW (Taiwan)
Application number: TW091106846A
Other languages: Chinese (zh)
Inventor: Robert F Terry
Original Assignee: Granite Technologies Inc
Priority claimed from: US09/827,891 (patent US6961765B2) and PCT/US2001/011180 (patent WO2001077833A2)

Abstract

A method of real-time monitoring and control of networked computers includes: providing a monitoring computer unit and a client computer unit, both capable of being communicatively coupled to a network system; and detecting states in the client computer and transmitting the detected states to the monitoring computer unit via the network system.

Description

Field of the Invention

The present invention relates generally to the field of utility (operating system) application development and, more particularly but not exclusively, to systems and methods for real-time monitoring, recording and/or control of the internal environment of a computer unit, such as activity within a personal computer (PC) machine.

Background of the Invention

As the use of technology expands across businesses and organizations, there is a growing need for management staff to effectively track and control the internal PC machine activity (environment) of company-owned technology.

For example, a PC has an internal operating system (O/S) that is started when the PC is "booted" from its internal hard disk. The O/S comprises a series of hundreds of programs that manage all third-party application (program) activity and all user activity. Every action (event) an end user performs can produce an internal reaction (another event) within the O/S to carry out the user's request. Every action (event) initiated by a third-party program can produce an internal reaction (another event) within the O/S to carry out the program's request, sometimes modifying the internal O/S environment (structure) of the computer unit.

One of the most critical aspects of a PC O/S and of all third-party applications is the startup phase of the O/S and of all third-party applications. This startup phase involves key files and/or registry entries that are read by an internal program of the O/S or third-party application and that direct the O/S and the third-party application as to what is "needed" when the O/S "boots" or when the third-party application (program) executes.

These key files and registry entries are regarded as "soft tables" that permit modification, so that an O/S or third-party application can modify its internal operating environment to meet the specific needs of the computer unit and the end user.

These key files and registry entries are so flexible that it is possible to start a computer program on a computer unit, without the end user's knowledge, that can significantly modify, collect, report, initiate a task, or destroy information.

The registry is the part of the O/S that defines and starts a new program, which can happen automatically and without the user's knowledge. The registry serves as the "guide" for the actual O/S. When certain defined elements of a program are written into specific parts of the registry, the O/S will automatically start the program without notifying the user.

With the development of Internet technology, which can automatically transmit data in a compressed format from one computer unit to another, it is possible to "disguise" a program as ordinary data. The program then starts on a computer unit and modifies a key O/S or third-party application startup file, or loads itself into the registry, and then starts an unknown program on the computer unit that collects, reports, initiates a task, or destroys information.

All of these possibilities can occur without the knowledge of the end user or of anyone within a business or organization.

There is therefore a need for a real-time tracking tool that provides an efficient, non-intrusive way for management to record, monitor and report on the internal environment of each computer unit. There is a further need for a real-time tool that automatically "reverses" any unauthorized internal modification and reports these modifications to management personnel within a business or organization.

Summary of the Invention

In one embodiment, the present invention provides a method of real-time monitoring and control of networked computers, including: providing a monitoring computer unit and a client computer unit, both capable of being communicatively coupled to a network system; and detecting states in the client computer and transmitting the detected states to the monitoring computer unit via the network system.

In an embodiment, the present invention provides a real-time method of electronically "mapping" the hard disk of a computer unit in order to record the O/S and third-party application startup environment, including: (a) analyzing the existence of all key directories and files on the hard disk; (b) recording vital statistics of all directory information, the number of files, directory size, and other information; (c) recording vital statistics of each key file, such as file creation time, last modification time, and file size; and (d) recording vital statistics of the internal registry of the computer unit.

In another embodiment, the present invention also provides a real-time method of detecting states initiated by the internal computer unit environment, including: (a) monitoring the active window task manager for all identifiable window handles; (b) intercepting all operating system messages passed between third-party applications (programs) and the O/S; (c) detecting any change in a key O/S file or third-party startup file; (d) detecting any change in key aspects of the registry; (e) sending an inter-process communication message to any identifiable window handle present in the active task manager; and (f) sending a real-time forensic report, defining the detected state, to a monitoring station.

In another embodiment, the present invention also provides a real-time method of transmitting this vital information to, and storing it on, a storage device (monitoring station).

In one aspect of the invention, the recorded and stored data can be transmitted by a client computer unit and received by a second computer unit (monitoring station), which allows management to view the current internal operating environment of the client computer unit, which can be managed and controlled from the second computer unit (monitoring station).

Another aspect of the invention may include the ability to report to the monitoring station, in a real-time environment, any unknown modification of the key O/S, registry, or application startup files by an unknown program, and to reverse these modifications back to their original state.

Another aspect of the invention may include the ability to record and analyze the "penetration pattern" of an unknown program that attempts to significantly modify, collect, report, initiate a task, or destroy information on a computer unit.

Another aspect of the invention may include the ability to transmit this "penetration pattern" to the monitoring station and to analyze the pattern against all additional computer units in order to determine the best method of stopping the automated modification, which may be carried out across an entire local area network (LAN) or wide area network (WAN).

Brief Description of the Drawings

Non-limiting and non-exhaustive embodiments of the present invention are described with reference to the following figures, in which like reference numerals refer to like parts throughout the various views unless otherwise specified.

FIG. 1 is a flowchart of a network system in which an embodiment of the present invention can be implemented.

FIG. 2 is a flowchart of the "electronic mapping" of the internal registry information of a computer unit relating to the startup ("boot") of the computer unit and the startup of all third-party applications.

FIG. 3 is a flowchart of the "electronic mapping" of all key directories and files relating to the startup ("boot") of a computer unit.

FIG. 4 is a flowchart of the "electronic mapping" of all key directories and files relating to the startup of all third-party applications (programs).

FIG. 5 is a flowchart of a method of intercepting all messages generated between the operating system and third-party applications.

FIG. 6 is a flowchart of a method of sending an inter-process communication message to any identifiable window handle present in the active task manager list.

FIG. 7 is a flowchart of a process of collecting all computer unit (machine environment) information within the internal computer unit and organizing this information in a manner that allows the data to be transmitted automatically to a monitoring station.

FIG. 8 is a flowchart of a process of automatically collecting all computer unit (machine environment) data from all computer units on a local area network (LAN) or wide area network (WAN).

FIG. 9 is a flowchart of a process of automatically analyzing the "penetration pattern" of a foreign entity program that can penetrate a computer unit in order to collect, report, initiate a task, or destroy information on the computer unit.

FIG. 10 is a flowchart of a process of automatically reversing any computer unit (machine environment) change that a foreign entity program may have initiated within the actual computer unit.

FIG. 11 is a block diagram of a structured signal file that captures all forensic data relating to the "penetration pattern", which is transmitted to and stored on the monitoring station.

FIG. 12 is a flowchart of automatically detecting, in a real-time environment, any unauthorized modification …

FIG. 13 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification … section.

FIG. 14 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Run registry section.

FIG. 15 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_CLASSES_ROOT:CLSID registry section.

FIG. 16 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_CLASSES_ROOT:CID registry section (if present).

FIG. 17 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved registry section.

FIG. 18 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run registry section.

FIG. 19 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnce registry section.

FIG. 20 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnceEx registry section.

FIG. 21 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_CURRENT_USER:Software registry section.

FIG. 22 is a block diagram of the different methods used to initiate a "protective umbrella" over the entire PC desktop environment.

FIG. 23 is a flowchart of the parallel threads controlled by a main application thread of the monitoring station.

FIG. 24 is a flowchart detailing the comparative analysis of the forensic penetration data.

Detailed Description of Specific Embodiments

In the description herein, numerous specific details are provided, such as descriptions of systems, components, methods and processes, to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention can be practiced without one or more of the specific details, or with other methods, components, materials, parts, or the like. In other instances, well-known structures, materials or operations are not shown or described in detail to avoid obscuring the scope of the invention.

Reference throughout this specification to "one embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrase "in one embodiment" in various places throughout this specification do not necessarily all refer to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.

In general, an embodiment of the present invention provides a system and method for real-time monitoring, recording and/or control of the internal environment, such as actual personal computer (PC) machine (computer unit) activity, relating to: the active identifiable Windows handles listed in the task manager; the window messages passed between all applications (programs) and the operating system; all key operating system files; and the registry entries of the startup programs and of all key stand-alone application (program) files, which control the startup (initialization) of a computer unit and the startup (initialization) of all applications (programs) installed on the computer unit. Although various embodiments and features of the invention are described in this disclosure in the context of the Windows operating system, the embodiments and features described in this disclosure may be applied to other applications and are not intended to be limited to the Windows operating system environment.

Referring now to FIG. 1, an example of a network system in which the present invention can be implemented is shown. In this embodiment, the network system 100 includes a plurality of computer units (or workstations) 105a-105d and 108, and a network server 125. The computer units 105 and 108 may include personal computers, workstations, notebook computers, servers, and/or other suitable computing devices. The network server 125 may likewise be implemented as, for example, a server, a computer unit, a workstation, or another suitable device. For example, in accordance with an embodiment of the invention, each of the computer units 105a-105d may include a client application (probe utility application) 110a-110d respectively, while some computer units 105 may not include a client application 110. Any of the computer units 105 in FIG. 1 may or may not implement the client application 110. To assist in explaining the functions of the various embodiments of the invention, any or all of the computers 105a-105d will generally be referred to as computer 105, and any or all of the client applications 110a-110d will generally be referred to as client application (probe utility application) 110.

k 552522 A7 R7 五、發明説明(9 一些電腦草元根據本發明的一具體實施例可包含一管理 者(監看)應用115。在圖1的範例中,電腦單元(監看站)1〇8 包含該管理者應用程式115。但是,圖1中任何其它電腦單 元也可實施該管理者(監看)應用115。 圖1之電腦單元可結合於例如一線路集線器12〇。 一習用網路介面卡或LAN轉接器(未示出)基本上係實施在 圖1的每個電腦單元中,用以操作在該網路系統内的每個電 腦單元。一網路介面卡基本上係做為一給定電碯單元及該 網路系統中該境線之間的一介面。一網路介面卡使用一特 殊化的處理器及程序來移動資料在該給定電腦單元的記憶 體,與附著於該給定電腦單元之網路纜線之間。 在一具體實施例中,本發明允許在具有該客戶應用11〇的 電腦單元105中追蹤所有内部機器組態輪廓檔(啟動)。所有 内部機器活動,或在這些活動中的改變係由該客戶應用u〇 所監看。該客戶應用110共存於一電腦單元丨〇5的作業系統 ’並做為一非侵入式機器活動監看。舉例而言,假設該電 觸單元105開始一第三方程式130,且該程式活動及其啟動 資訊在該電腦單元105中來監看。在該電腦單元1〇5中的該 客戶應用110將決定每個活動狀態,及該活動狀態對於日常 作業是否為正常。該客戶應用110固定地循環,比較初始記 錄的内部組態輪廓檔,與當該電腦單元105執行時的其目前 輪廓樓。 在一具體實施例中,該客戶應用110為一公用應用程式,k 552522 A7 R7 V. Description of the invention (9 Some computer grassroots according to a specific embodiment of the present invention may include a manager (monitoring) application 115. In the example of FIG. 1, the computer unit (monitoring station) 1 8 The manager application 115 is included. However, any other computer unit in Figure 1 can also implement the manager (monitoring) application 115. The computer unit in Figure 1 can be combined with, for example, a line hub 120. A conventional network An interface card or LAN adapter (not shown) is basically implemented in each computer unit of FIG. 1 to operate each computer unit in the network system. A network interface card is basically made An interface between a given power unit and the horizon in the network system. A network interface card uses a special processor and program to move data in the memory of a given computer unit, and attach Between the network cables of the given computer unit. In a specific embodiment, the invention allows tracking of all internal machine configuration profiles (startups) in the computer unit 105 with the client application 110. All internal Machine activity , Or changes in these activities are monitored by the client application u〇. The client application 110 co-exists in an operating system of a computer unit 05 and is monitored as a non-intrusive machine activity. 
For example Suppose the electric contact unit 105 starts a third-party program 130, and the program activities and their startup information are monitored in the computer unit 105. The client application 110 in the computer unit 105 will determine each activity The status and whether the activity status is normal for daily operations. The client application 110 cycles cyclically and compares the initially recorded internal configuration profile with its current profile building when the computer unit 105 executes. In a specific embodiment The client application 110 is a public application.

其係在 Microsoft Visual C++及在 Microsoft 32 位元 API -12- 各紙張尺度適用中國國家標準(CNS) A4規格(210 X 297公釐) 裝 訂It is based on Microsoft Visual C ++ and Microsoft 32-bit API -12- Each paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) binding

k 552522 A7 R7 五、發明説明(1G ) 環境中設計及開發。該客戶應用110以兩種不同的方法來存 取該習用的Windows作業系統資訊,其為1)經由一完全可 再利用的C++函式庫,即習知的Microsoft基礎類別(MFC) :或2)經由與作業系統原有函式的直接介面,稱之為 Microsoft應用程式介面(API)。 該MFC隱藏該基本,(高階)應用程式介面(API),其中一 程式師通常使用及提供一摘要發展層,其允許一程式師來 設計/開發一 Micro soft Windows多重串列公用應用程式, 而不需要知道在該Microsoft作業系統内每個原始獨立API 的實際細節。另外陳述的是,該MFC為一群組的API,其使 得程式師較為容易進行軟體設計及開發。 在開發程式中,如本技藝專業人士所熟知,一串列為一 程式的一部份,其可獨立地執行其它部份。支援多重串列 的作業系統使得程式師可設計出程式,其有串列的部份可 由作業系統同時地執行。 如上所述,該MFC係用於”高階”作業系統函式。對於該 0"低階”函式,藉由該實際Windows作業系統原始獨立函式 來利用一 Microsoft 32位元API介面,用以取得目前作業 系統機器組態及活動狀態。 現在概述該管理者應用程式115的一具體實施例之作業。 該監看站(或管理者應用程式)1〇8,其可存在於例如一標準 電腦單元PC或網路伺服器,收集與維持所有組態,鑑識資 料及管理策略,其係實施在整個具有該客戶應用110的網路 環境中。 -13- 本紙張尺度適用中國國家標準(CNS) A4規格(21〇x 297公釐) 552522 A7 ____R7 五發明説明(11 ) "~" 如圖23所示,當該監看站115啟始時,該主要應用串列啟 始一系列的子串列("平行串列··),其皆為平行,並由該主要 應用串列所控制。每個啟始的平行串列即指定一工作來收 集與記錄資料相對於每個客戶應用1丨〇的作業環境。 該第一平行串列指定來查詢(2 3 10)該網路系統10 0中任何 結構化的信號檔案,其可包含在每個運作一客戶應用n〇的 電腦單元105上的組態資料。當此第一平行串列收集組態資 料,此串列即分析(23 15)該組態資料,並儲存(2320)在該 管理應用115局部位置處的該組態資料。此資料為該客戶應 用110的完全組態環境,其定義所有〇/S檔案的"電子足跡,, ’所以"第三方"啟動資料,及所有電腦註冊資料。 該第二平行串列指定來查詢(2325)網路系統1〇〇中任何結 構化信號檔案,其可在運作一客戶應用11〇的每個電腦單元 105上包含鑑識或”穿透樣式,,資料。當此第二平行串列輪詢 該網路系統100,如果鑑識資料由該客戶應用11〇傳送,該 管理應用115將收集與儲存(2 320)之資料要在管理應用115 内顯示(2325)之資料,其為該管理者(或使用者)所需要(選 擇)。 該第三平行串列指定來傳送(2340)組態及運作政策結構 化信號檔案到個別的每個客戶應用110或整體所有客戶應用 。該串列傳送該結構化信號檔案,其中該管理者(或使用者) 已經產生及定義成一政策結構化信號檔案,並選擇來經由 該網路系統100傳送(展開)該政策。 該第四,第五及第六平行串列為一系列指令,及控制結 -14- 本紙張尺度適用中國國家標準(CNS) A4規格(210 X 297公釐) 552522 A7 一-__B7_ __ 五、發明説明(12 ) 構化信號檔案,其係傳送(展開)到每個客戶應用110,其在 某些條件下中止(2345)該客戶應用Πο。每個"關機"或中止 信號對於一客戶應用110具有一不同的效應。一旦一客戶應 用11 0重新開始或啟始時,該客戶應用1 00可以:(丨)繼續 其正常活動;(2)初始化其安裝順序,並在其相關的電腦單 元105上收集新組態資料;及/或(3)維持中止,直到一"恢 復"結構化信號檔案由該管理應用Π 5傳送。 在該管理應用115中其餘的串列及程式(圖23中未示出), 其執行例行的管理功能,如顯示資料,檔案化資料,並允 許使用者視需要來匯出或抹除資訊。 現在請參考圖2 ’用於討論根據本發明一具體實施例的該 客戶應用之功能性機制。特別是,圖2所示為電腦單元内部 註冊資訊的"電子映射"之流程圖,其係關於一電腦單元105 的該啟動"開機",及所有第三方應用的該啟動(例如在圖1中 的第三方應用130)。其可注意到,一第三方應用可例如由 一使用者安裝在任何的電腦單元105中,或可由一資料網路 下載到任何的電腦單元105,例如網際網路。 一旦啟動一客戶應用110,該客戶應用丨1〇執行一系列的 平行串列函式,其輪詢來查詢該作業系統有關高階資訊, 並執行一系列的獨立32位元API DLL來收集低階資訊。如 
本技藝專業人士所知,一動態連結函式庫(DLL)為一可執行 函式或資料的儲存庫’其可由Windows應用來使用。基本 上’一 DLL提供一或多個特殊函式及一程式來藉由虞生 靜態或動態連結到該DLL來存取該函式。一靜態連结在程 -15- 本紙張尺度適用中國國家標準(CNS) A4規格(210 X 297公釐) 552522 A7 B7 五 發明説明 13 ) GTclsid.dll, GTDrvQry.dll, GTMicrRun.dlL GTRgstry.dll, GTShell.dll, GTCUSoft.dll, GTKillAp.dll, GTRegSoft.dll, GTRunWat.dll, GTShellNme.dll, 式執行期間維持固定,而一動態連結係依需要而由程式所 產生。DLL也可只包含資料。該連結器自動地在函式庫中 搜尋在其它地方找不到的程序。在MS-Windows環境中, 函式庫檔案具有一.dll的副檔名。 其輪詢的高階資訊包含該活動程式記憶體堆疊,其列出 所有目前在記憶體中進行的活動程式"代碼”。該活動中"焦 點視窗’f”指向"到由該”終端使用者"目前使用的該應用。 所執行的獨立API DLL可包含下述:GTApprvd.dll, GTCmpNm.dll, GTKeyBrd.dll, GTRegQry.dll, GTRunExe.dll, GTShellExt.dll, GTSysMsg.dll,及GTTaskBar.dU。 每個獨立的DLL係由一高階平行串列所控制。其所收集 的低階資料(資訊)的範例為所有的註冊組態資料,在該0/S 與相對於視窗物件的第三方應用130之間處理之所有的即時 "核心"系統訊息,視窗種類,滑鼠移動,滑鼠選擇及I/O運 作。可收集的額外低階資料可包含鍵盤中斷,註冊狀態 (對於程式初始化很重要的不同關鍵段落),應用指令,及傳 送到應用,程式管理員及工作列的控制信號。 在一客戶應用110的初始安裝期間,一平行串列函式被啟 始(方塊201),其啟始該32位元API DLL,如此處所述,係 由本發明人設計及開發,且其取得一電腦單元丨05的所有内 -16 - 本纸張尺度適用t國國家橾準(cnS) A4規格(210 X 297公釐)k 552522 A7 R7 V. Design and development in 1G environment. The client application 110 accesses the conventional Windows operating system information in two different ways, which is 1) via a fully reusable C ++ library, known as the Microsoft Foundation Class (MFC): or 2 ) Through the direct interface with the original function of the operating system, it is called the Microsoft Application Programming Interface (API). The MFC hides the basic, (high-level) application programming interface (API), in which a programmer usually uses and provides a summary development layer that allows a programmer to design / develop a Micro soft Windows multiple serial utility application, and It is not necessary to know the actual details of each of the original independent APIs within this Microsoft operating system. It is also stated that the MFC is a group of APIs, which makes it easier for programmers to perform software design and development. 
In developing programs, as is well known to those skilled in the art, a series is a part of a program, which can independently execute other parts. An operating system that supports multiple serializations allows programmers to design programs whose serialized parts can be executed simultaneously by the operating system. As mentioned above, this MFC is used for "high-level" operating system functions. For the 0 " low-level "function, the original independent function of the actual Windows operating system is used to use a Microsoft 32-bit API interface to obtain the current operating system machine configuration and activity status. Now summarize the manager application The operation of a specific embodiment of the program 115. The monitoring station (or manager application program) 108 may exist in, for example, a standard computer unit PC or a web server, collect and maintain all configurations, and identify data And management strategies, which are implemented in the entire network environment with the customer application 110. -13- This paper size applies the Chinese National Standard (CNS) A4 specification (21〇x 297 mm) 552522 A7 ____R7 Five invention descriptions ( 11) " ~ " As shown in FIG. 23, when the monitoring station 115 is started, the main application sequence starts a series of sub-series (" parallel series ··), which are all parallel And controlled by the main application series. Each initial parallel series designates a job to collect and record data relative to each client application's operating environment. The first parallel series designates to query (2 3 10) the Any structured signal file in the road system 100 can contain configuration data on each computer unit 105 running a customer application no. When this first parallel series collects configuration data, this series is Analyze (23 15) the configuration data, and store (2320) the configuration data at the local location of the management application 115. 
This data is the complete configuration environment of the client application 110, which defines all 0 / S files " Electronic footprint, 'so " third party " startup data, and all computer registration data. The second parallel string is designated to query (2325) any structured signal file in the network system 100, which can Each computer unit 105 running a client application 110 contains identification or "penetration patterns", data. When the second parallel series polls the network system 100, if the identification data is transmitted by the client application 110, the management application 115 will collect and store (2 320) the data to be displayed in the management application 115 (2325) Information, which is needed (selected) by the manager (or user). The third parallel serial designation is used to transmit (2340) the configuration and operation policy structured signal file to each individual client application 110 or to all client applications as a whole. The series transmits the structured signal file, wherein the manager (or user) has generated and defined a policy structured signal file, and chooses to transmit (expand) the policy via the network system 100. The fourth, fifth and sixth parallel series are a series of instructions and control results. -14- This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 552522 A7 one -__ B7_ __ five, Description of the Invention (12) A structured signal file is transmitted (expanded) to each client application 110, which terminates (2345) the client application under certain conditions. Each " shutdown " or abort signal has a different effect on a customer application 110. 
Once a client application 110 is restarted or started, the client application 110 can: (1) continue its normal activities; (2) initialize its installation sequence and collect new configuration data on its associated computer unit 105; and/or (3) remain suspended until a "recovery" structured signal file is transmitted by the manager application 115.

The remaining threads and procedures in the manager application 115 (not shown in FIG. 23) perform routine management functions, such as displaying data, archiving data, and allowing the user to export or erase information as needed.

Reference is now made to FIG. 2 to discuss the functional mechanism of the client application according to a specific embodiment of the present invention. In particular, FIG. 2 is a flowchart of the "electronic mapping" of the internal registry information of a computer unit, which relates to the startup of the computer unit 105 and the startup of all third-party applications (for example, the third-party application 130 in FIG. 1). Note that a third-party application may, for example, be installed on any computer unit 105 by a user, or may be downloaded to any computer unit 105 from a data network such as the Internet.

Once a client application 110 is started, the client application executes a series of parallel thread functions that poll the operating system for high-level information, and executes a series of stand-alone 32-bit API DLLs to collect low-level information. As known to those skilled in the art, a dynamic link library (DLL) is a library of executable functions or data that can be used by Windows applications. Typically, a DLL provides one or more particular functions, and a program accesses those functions by creating either a static or a dynamic link to the DLL.
A static link remains constant during program execution, while a dynamic link is created by the program as needed. DLLs can also contain just data. The linker automatically searches libraries for procedures that are not found elsewhere. In the MS-Windows environment, library files have a .dll extension.

The high-level information that is polled includes the active program memory stack, which lists all active program "handles" currently in memory, and the active "focus window", which is the application currently being used by the "end user".

The stand-alone API DLLs that are executed may include the following: GTApprvd.dll, GTCmpNm.dll, GTKeyBrd.dll, GTRegQry.dll, GTRunExe.dll, GTShellExt.dll, GTSysMsg.dll, GTTaskBar.dll, GTclsid.dll, GTDrvQry.dll, GTMicrRun.dll, GTRgstry.dll, GTShell.dll, GTCUSoft.dll, GTKillAp.dll, GTRegSoft.dll, GTRunWat.dll and GTShellNme.dll. Each stand-alone DLL is controlled by a high-level parallel thread.

Examples of the low-level data (information) collected are all registry configuration data and all real-time "kernel" system messages processed between the O/S and third-party applications 130 with respect to window objects, window types, mouse movements, mouse selections and I/O operations. Additional low-level data that can be collected include keyboard interrupts, registry status (the different key sections that are important for program initialization), application commands, and control signals sent to applications, the Program Manager and the taskbar.
During the initial installation of a client application 110, a parallel thread function is started (block 201), which launches the 32-bit API DLLs, described herein as designed and developed by the inventor, and acquires all of the internal registry information of a computer unit 105.

The internal machine registry of the computer unit 105 maintains an initialization list of every program utility needed to properly initialize the computer unit 105, so as to run the basic Windows operating system and all of the programs needed to initialize the third-party applications 130.

Some third-party applications 130 require certain programs to be started when the operating system initially starts, while others require additional programs only when the user launches the third-party application.

In a specific embodiment, once the registry information of the computer unit has been obtained by the client application 110, the registry information is stored in memory arrays and written to a structured ASC file, which is stored in the computer unit 105.

Once all configuration data has been collected from the computer unit 105, the data is stored on the computer unit 105 itself and the following functions are started. A function is started that loads all registry CLASS configuration data into a memory array (block 211). A function is started that loads all registry CURRENT (current user) configuration data into a memory array (block 212). A function is started that loads all registry LOCAL MACHINE configuration data into a memory array (block 213). A function is started that loads all registry USERS configuration data into a memory array (block 214).

Once all registry data is loaded into memory, a parallel thread starts (block 215) the series of low-level 32-bit API DLLs, which poll each defined registry section to determine whether any registry data has been modified (block 216).
If the function in block 216, which determines whether a registry modification has been made, recognizes a modification, the function reports (alerts) it to the manager application 115 by generating and transmitting a structured signal file (block 218). If there is no registry modification, polling of the defined registry sections continues (217) by returning to the function in block 215.

In block 218, the structured ASC file can be retrieved electronically from the computer unit 105 to the monitoring station 115 for detailed analysis by the network administrator.

The startup of the client application (probe utility application) 110 is represented by block 200. After the initial recording of the registry information (block 220), the parallel thread (block 210), which directs the stand-alone 32-bit API DLLs designed and developed by the inventor, starts a series of sub-functions (as described for blocks 211 to 218 above) that monitor all registry information for real-time changes within the environment of the computer unit 105.

If a program is started that modifies any part of the internal registry environment, the client application 110 generates an internal message on the main screen of the computer unit, warning the end user, and generates (transmits) a signal to the monitoring station.

If the registry modification is an unauthorized change unknown to the user and/or network management, the modified internal registry information is reversed back to its original state.

The configuration file, which is stored in the computer unit 105, maintains the defined configuration of the computer unit 105. When a modification occurs, the client application 110 refers to the stored configuration data and restores the computer unit 105 to its original state, as recorded before the unauthorized modification.
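
As an added illustration (not code from the patent), the Python example below models the snapshot, polling and reversal steps of blocks 211 to 218 on an in-memory stand-in for the registry. The dictionary model, the `is_authorized` callback, the unit name, the sample values and the JSON signal format are assumptions; the patent does not specify them.

```python
import copy
import json

# The four registry sections the description snapshots (blocks 211-214).
HIVES = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER",
         "HKEY_LOCAL_MACHINE", "HKEY_USERS")
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"

def snapshot(registry):
    """Load each hive into memory as the recorded configuration.
    Model (assumption): hive -> key path -> value name -> string data."""
    return {hive: copy.deepcopy(registry.get(hive, {})) for hive in HIVES}

def diff(baseline, registry):
    """Block 216: list every value that differs from the recorded state."""
    changes = []
    for hive in HIVES:
        old_keys, new_keys = baseline[hive], registry.get(hive, {})
        for key in sorted(set(old_keys) | set(new_keys)):
            old, new = old_keys.get(key, {}), new_keys.get(key, {})
            for name in sorted(set(old) | set(new)):
                before, after = old.get(name), new.get(name)  # None = absent
                if before != after:
                    kind = ("added" if before is None else
                            "deleted" if after is None else "modified")
                    changes.append({"hive": hive, "key": key, "value": name,
                                    "change": kind, "before": before,
                                    "after": after})
    return changes

def reverse(registry, baseline, change):
    """Put one value back to what the recorded configuration holds."""
    hive, key, name = change["hive"], change["key"], change["value"]
    values = registry.setdefault(hive, {}).setdefault(key, {})
    if change["before"] is None:
        values.pop(name, None)           # value did not exist before
    else:
        values[name] = change["before"]  # restore modified or deleted data
    if not values and key not in baseline[hive]:
        del registry[hive][key]          # key existed only for that value

def accept(baseline, change):
    """Fold an authorized change into the recorded configuration."""
    values = baseline[change["hive"]].setdefault(change["key"], {})
    if change["after"] is None:
        values.pop(change["value"], None)
    else:
        values[change["value"]] = change["after"]

def poll_once(unit, registry, baseline, is_authorized):
    """One pass of the polling loop: detect, then reverse or accept.
    Returns one record per change for the signal file (block 218)."""
    records = []
    for change in diff(baseline, registry):
        if is_authorized(change):
            accept(baseline, change)
            action = "accepted"
        else:
            reverse(registry, baseline, change)
            action = "reversed"
        records.append({"unit": unit, "action": action, **change})
    return records

def to_signal_line(record):
    """Serialize a record; JSON is a stand-in for the unspecified format."""
    return json.dumps(record, sort_keys=True)

def demo():
    # Constructed sample data, not taken from a real machine.
    registry = {
        "HKEY_LOCAL_MACHINE": {RUN: {"Backup": r"C:\Program Files\Backup\agent.exe"}},
        "HKEY_CURRENT_USER": {r"Software\Example": {"Theme": "blue"}},
    }
    baseline = snapshot(registry)
    registry["HKEY_LOCAL_MACHINE"][RUN]["updater"] = r"C:\Temp\u.exe"
    registry["HKEY_LOCAL_MACHINE"][RUN]["Backup"] = r"C:\Temp\agent.exe"
    registry["HKEY_CURRENT_USER"][r"Software\Example"]["Theme"] = "dark"
    # Assumed policy: only the user's own theme setting may change.
    allowed = lambda c: c["hive"] == "HKEY_CURRENT_USER" and c["value"] == "Theme"
    records = poll_once("PC-017", registry, baseline, allowed)
    return registry, baseline, records

if __name__ == "__main__":
    for rec in demo()[2]:
        print(to_signal_line(rec))
```

Because `reverse` restores from the recorded value rather than undoing the observed write, a deleted startup entry is put back as well as an added one being removed.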
The nature of the change is then recorded in a structured ASC file and logged as a penetration pattern. The computer unit 105 then generates (transmits) this penetration pattern file to the monitoring station 115 for further comparative analysis by the monitoring station. The comparative analysis initiated by the monitoring station is a series of parallel thread functions that compare the penetration patterns received from all computer units 105 (client applications 110) that transmit information to the monitoring station 115.

As shown in FIG. 24, the comparative analysis is performed by analyzing each structured signal file that contains forensic penetration data. The file is first parsed to establish the unauthorized modification defined in the forensic file. Each unauthorized modification is compared (2400) with forensic data from other computer units 105 that have a client application 110, to establish a "horizontal pattern", or consistency, in the unauthorized modifications occurring across the entire network system 100. The next analysis (2405) determines the "window handle" state of each computer unit 105 at the time the unauthorized modification occurred. By analyzing (2405) the "window handle state", a "pattern" can be established for the "user conditions" that initiated the unauthorized modification of the computer unit 105.

By performing this automated analysis of the modification, and of the user environment in which the modification was initiated, in a real-time environment, the manager application 115 can quickly develop a "policy" and deploy (transmit) the policy throughout the network system 100 to automatically stop the unauthorized modification on each computer unit (block 2410).

As shown in FIG. 2, when the client application 110 is installed on a computer unit 105, the client application 110 starts a parallel thread (block 201), which starts a series of sub-threads that collect registry information from the different defined sections of the entire registry of the computer unit 105. The parallel thread 201 is started at initial installation, or at re-initialization if the computer unit 105 is updated with new authorized software.
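
The comparative analysis of FIG. 24 described above can be made concrete with the following added Python example, which is not code from the patent. The record fields, the use of the focused window's name as the "window handle state", the two-unit threshold and the shape of the resulting policy are assumptions, and the reports are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed penetration-pattern records as the monitoring station might
# hold them after parsing each signal file. Field names are assumptions.
RUN_VALUE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\updater"
REPORTS = [
    {"unit": "PC-003", "target": RUN_VALUE, "data": r"C:\Temp\u.exe",
     "focus": "Mail client"},
    {"unit": "PC-011", "target": RUN_VALUE.upper(), "data": r"c:\temp\u.exe",
     "focus": "Mail client"},
    {"unit": "PC-011", "target": RUN_VALUE, "data": r"C:\Temp\u.exe",
     "focus": "Mail client"},  # same unit reporting again after a reversal
    {"unit": "PC-020", "target": RUN_VALUE, "data": r"C:\Temp\u.exe",
     "focus": "Web browser"},
    {"unit": "PC-007", "target": r"HKEY_CURRENT_USER\Software\Example\Theme",
     "data": "dark", "focus": "Settings"},
]

def signature(report):
    """Registry paths and Windows file paths compare case-insensitively."""
    return (report["target"].lower(), report["data"].lower())

def horizontal_patterns(reports, min_units=2):
    """Step 2400: find the same modification on several units.
    Step 2405: find which focused window most often accompanied it."""
    seen = defaultdict(set)  # signature -> {(unit, focused window)}
    for report in reports:
        seen[signature(report)].add((report["unit"], report["focus"].lower()))
    patterns = []
    for (target, data), pairs in seen.items():
        units = sorted({unit for unit, _ in pairs})
        if len(units) < min_units:
            continue  # isolated event, not a network-wide pattern
        tally = Counter(focus for _, focus in pairs)
        condition, hits = min(tally.items(), key=lambda kv: (-kv[1], kv[0]))
        patterns.append({"target": target, "data": data, "units": units,
                         "user_condition": condition,
                         "condition_share": hits / len(pairs)})
    return sorted(patterns, key=lambda p: (-len(p["units"]), p["target"]))

def build_policy(patterns):
    """Step 2410: one deny rule per pattern, for deployment to every unit."""
    return [{"action": "deny", "target": p["target"], "data": p["data"],
             "deploy_to": "all", "seen_on": p["units"],
             "user_condition": p["user_condition"]} for p in patterns]

if __name__ == "__main__":
    for rule in build_policy(horizontal_patterns(REPORTS)):
        print(rule)
```

Counting distinct units rather than raw reports keeps one machine that repeatedly retries the same change from being mistaken for a network-wide pattern.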

Each sub-thread launches the stand-alone 32-bit API DLL that collects the registry information within a defined section. One sub-thread (block 202) starts the 32-bit API DLL that collects all registry data under the HKEY_CLASSES_ROOT registry key. One sub-thread (block 203) starts the 32-bit API DLL that collects all registry data under the HKEY_CURRENT_USER registry key. One sub-thread (block 204) starts the 32-bit API DLL that collects all registry data under the HKEY_LOCAL_MACHINE registry key. One sub-thread (block 205) starts the 32-bit API DLL that collects all registry data under the HKEY_USERS registry key.

All data collected by each 32-bit API DLL is consolidated by a function (block 206), which stores the data on the local computer unit 105. Once the data has been stored, a function is started (block 207) that transmits all registry configuration data to the management unit 108 that has the monitoring application 115.

Reference is now made to FIG. 3 to discuss the functional mechanism of the client application 110 according to a specific embodiment of the present invention. In particular, FIG. 3 is a flowchart of the "electronic mapping" of all critical directories and files relating to the startup ("boot-up") of a computer unit 105.
During the initial installation of a client application 110, an additional parallel thread function is started (block 340), which obtains all of the internal directory and file information of the computer unit that is required when the operating system is launched during startup (initial "boot-up").

The internal machine hard disk of the computer unit maintains a directory structure for properly storing, classifying and separating all directories and files needed to start the computer unit 105, so as to run the basic Windows operating system and the programs needed at startup time to initialize the third-party applications 130. Once the directory and file information has been obtained by the client application 110, the directory information is stored in memory arrays and written to a structured ASC file, which is stored in the computer unit 105. The structured ASC file can be retrieved electronically from the computer unit 105 to the monitoring station 115 for detailed analysis by the network administrator.

After the initial recording of the directory and file information, the parallel thread (block 310) that directs these initial functions starts a series of sub-functions that then monitor all directory and file information for real-time changes within the environment of the computer unit 105.

Once the main parallel thread controlling the directory environment is started (block 310), a sub-function is started that loads all stored directory configurations from the data file into memory arrays (block 311). When the memory arrays are loaded, a parallel thread is started that loops through the directory structure of the computer unit 105, analyzing any possible structural changes to the defined directory structure of the computer unit 105.
If a new directory is detected, the probe function (block 312) analyzes the internal contents of the directory and searches for any possible unauthorized program (block 313). If an unauthorized program is detected, a structured forensic signal file is generated and transmitted back to the computer unit (block 315). If no unauthorized program is detected, the probe "loops" back to the query function (block 313) and continues to analyze the directory structure for possible unauthorized programs.

If a program is started that modifies any part of the internal directory or file environment, the client application 110 generates an internal message on the main screen of the computer unit, warning the end user, and generates (transmits) a signal to the monitoring station (block 315).

If the modification is an unauthorized change unknown to the user and/or network management, the internal directory and/or file information of the modified computer unit is reversed back to its original state.

If an unauthorized program is detected in a directory, the function that analyzes the directory refers to the stored configuration data, which defined the directory structure before the unauthorized program was detected. The defined directory structure is then analyzed in order to "reverse", or remove, the new directory that contains the unauthorized program.

The reversal function is initiated by comparing the previous structural "footprint" of the directory with the new (unauthorized) "footprint"; the reversal is then carried out by removing the new directory that holds the unauthorized program or, if an unauthorized program was moved into an existing directory, by removing only the unauthorized program.

The nature of the change is then recorded in a structured ASC file and logged as a penetration pattern. The computer unit 105 then generates (transmits) this penetration pattern file to the monitoring station 115 for further comparative analysis by the monitoring station 115.
The comparative analysis initiated by the monitoring station 115 is a series of parallel thread functions that compare all penetration patterns received from all computer units 105 (client applications 110) that transmit information to the monitoring station 115.

When the client application 110 is installed on the computer unit 105, a main parallel thread is started (block 340), which starts a series of sub-functions that scan the entire computer unit 105 in order to record all existing directories (folders) and subdirectories (subfolders). A sub-function is started (block 341) to analyze the O/S directory structure and the "root" that exists on the computer unit 105, together with all directories and subdirectories (block 342).

After this analysis is completed, a function is started (block 343) that consolidates the data and stores it on the local computer unit 105.

Once all data has been consolidated and stored on the local computer unit 105, and transmitted to the management unit 115, a function (block 344) starts the main polling thread (block 310) to analyze whether the computer unit 105 has any new directory that contains an unauthorized program.

Reference is now made to FIG. 4 to discuss the functional mechanism of the client application 110 according to a specific embodiment of the present invention. In particular, FIG. 4 is a flowchart of the "electronic mapping" of all critical directories and files relating to the startup of all third-party applications (programs) 130.

During the initial installation of a client application 110, an additional parallel thread function is started (block 440), which obtains all of the internal directory and file information of the computer unit that is required when the operating system launches any third-party program installed on the computer unit.
The internal machine hard disk of the computer unit 105 maintains a directory structure for properly storing, classifying and separating all directories and files needed to start each third-party program, and all of the additional programs needed when the third-party application is launched. The directories can be scanned, using any known suitable method, for possible modifications that could include the installation of a new unauthorized program.

Once the third-party directory and file information has been obtained by the client application 110, the directory information is stored in memory arrays and written to a structured ASC file, which can be stored in the computer unit 105. The structured ASC file can be retrieved electronically from the computer unit 105 to the monitoring station 115 for detailed analysis by the network administrator.

After the initial recording of the directory and file information, the parallel thread (block 410) starts a series of sub-functions (block 413) that monitor all directory and file information for real-time changes to any third-party application launched within the computer unit environment.

If a program is started that modifies any part of the internal directory or file environment, the client application 110 generates an internal message on the main screen of the computer unit 105, warning the end user, and generates (transmits) a signal to the monitoring station 115.

If the modification is an unauthorized change unknown to the user and/or network management, the modified internal directory and/or file information is reversed back to its original state.

The nature of the change is then recorded in a structured ASC file and logged as a penetration pattern.
The computer unit 105 then generates (transmits) this penetration pattern file to the monitoring station 115 for further comparative analysis by the monitoring station 115. The comparative analysis initiated by the monitoring station 115 is a series of parallel thread functions that compare all penetration patterns received from the computer units 105 (client applications 110) that transmit information to the monitoring station 115. This comparative analysis is as previously described.

When the parallel thread is started (block 410), the function in block 411 is started, and this function loads all third-party "startup" information into memory arrays. Once the function (in block 411) has completed its operation, an additional function is started (block 412) that loads the critical "file signature" of every third-party ".ini" (initialization) file into memory arrays.

After all information has been loaded into memory, the parallel thread that started the above functions starts (413) a polling function (block 414), which loops continuously, comparing all third-party "startup" information and ".ini" file information with the previously recorded information stored in the memory arrays.

If an unauthorized modification is detected, the function (in block 414) generates a structured signal file and transmits it to the manager application 115. If no unauthorized modification is detected, the function loops (block 415) back to the polling function started in block 414.

A series of additional parallel threads is started to collect and manage all operating system (O/S) messages generated between the O/S and all third-party applications. These threads start a series of MFC functions and/or stand-alone 32-bit API DLLs designed and developed by the inventor.
These MFC functions and 32-bit API DLLs start a series of operating system (O/S) "hooks" and MFC interconnections, which monitor and collect real-time data from memory buffers concerning mouse movement, application-to-O/S messages, device access, keyboard access, communication port access, Internet browser access, application focus, e-mail management, disk file movement, the active window handle task list, disk drive (media) management, taskbar management and Program Manager management.

When the client application 110 is installed on the computer unit 105, a parallel thread is started (block 440), which initializes a function (block 441) that scans the computer unit 105 for all "third-party" "startup" files that may exist in the computer unit.

When the function (block 441) has completed, an additional function is initialized (block 442) that scans all ".ini" (initialization) files on the computer and records the "critical file signature" of every such file in the computer unit 105.

On completion of the function (block 442), a function (block 443) consolidates the information and stores all data in a physical file within the computer unit 105. On completion of the function in block 443, an additional function (block 444) is started and begins the maintenance polling thread as described for block 410.

Reference is now made to FIG. 5 to discuss an additional functional mechanism of the client application 110 according to a specific embodiment of the present invention. In particular, FIG. 5 is a flowchart of a method of intercepting all messages generated between the operating system 129 and the third-party applications 130.
A series of MFC functions and 32-bit API DLLs designed and developed by the inventor start (block 505) a series of operating system (O/S) "hooks" and MFC interconnections, which monitor and collect real-time data from memory buffers concerning mouse movement and application-to-O/S messages. The hooks are part of the "open architecture" development of Microsoft Windows. FIG. 5 shows a "hook" sequence into the actual Microsoft O/S kernel, in which at least some of the following can be captured: all window object identifications (IDs), window object types, mouse movements, mouse commands and integer passing, which are processed between the O/S kernel and all application activity.

A parallel thread is started (500), which launches the stand-alone 32-bit API DLL (505), designed and developed by the inventor, that establishes a "hook" into the actual O/S kernel. The "hook" establishes an interconnection with the WH_SYSMSG ID (block 510), which monitors kernel interrupts for mouse movement and mouse activity (block 515) and for dialog box, menu and list box activity, defines the window object ID and the window object type (block 520), and receives an O/S message identifying the mechanical operation being performed by the kernel (block 525).

Based on the information received under the WH_SYSMSG ID, the "hook" can pass its ID (block 535) to the WH_CBT ID to collect more information about the O/S kernel mechanism that is being initiated in a real-time environment.
The information received by the kernel-level "hook" is compared with other information that intercepts "high-level" O/S information, such as analysis of the active window handle list, the active window focus handle, and the memory arrays that currently store all registry, O/S and third-party "startup" information. Together this represents a "picture," as intercepted by the client application 110, of the actual "real-time" machine and user conditions (or events) being initiated on the computer unit (block 545).

The 32-bit API DLL designed and developed by the inventor passes on all intercepted signal messages, including window object access, window object type (520), menu or dialog box object ID, and mouse movement and position. Based on the signals (integers) received by the API, the MFC parallel thread managing the central processing unit (CPU) can determine the course of action initiated by the user. This information (525) is then processed in a real-time environment (545) to determine the "intent" of the user and whether the user's action is authorized or unauthorized.

Now refer to Figure 6 to discuss additional functional mechanics of the client application 110 according to an embodiment of the invention. In particular, Figure 6 is a flowchart of a method of sending inter-process communication messages to any identifiable window handle that exists in the active task manager list.

The independent 32-bit API DLL designed and developed by the inventor receives real-time status information from the existing MFC parallel threads, which determine whether the user action or internal program activity is legal or illegal.
The legality is determined by comparing the actual activity against all the parallel threads (Figures 1 to 5), which monitor the registry, the O/S, third-party integrity, and the operating system kernel messages of the computer unit 105.

If the user or program activity is determined to be illegal, the parallel thread initiates the independent 32-bit API designed and developed by the inventor, which terminates the program activity that is currently the primary focus of the user or of the unattended computer.

A parallel thread is initiated (block 605), which cycles through the active window task manager list of all identifiable handles active within the computer unit 105. This parallel thread cycles continuously, monitoring window I/O (block 610) and monitoring the actual window handle on which the user of the computer unit is focused.

Based on the information processed as described for Figures 1 to 5, if an unauthorized event is being initiated in the computer unit 105, the parallel thread (block 610) sends an automated inter-process communication (IPC) signal message WM_QUIT (block 615) to the independent 32-bit API DLL designed and developed by the inventor (block 620), which accepts the IPC and sends the WM_QUIT message (block 625) to the active window handle on which the user is currently focused.

The API then checks the status of the IPC to determine whether the IPC message sent was successful, and passes all information back to the main parallel thread, which determines whether additional action (block 630) is necessary to stop the unauthorized event occurring in the computer unit 105.

Now refer to Figure 7 to discuss the functional mechanics of the client application according to an embodiment of the invention. Figure 7 is a flowchart of a process of collecting all computer unit (machine environment) information within the internal computer unit 105 and organizing this information so that the data is automatically transmitted to a monitoring station 115.

The process of automatically collecting the computer unit (machine environment) data on the internal computer 105 and organizing the information for automatic or "on-demand" transmission to a monitoring station 115 is managed by a parallel thread (block 700), which receives a structured file signal from the monitoring station 115, as described above. If a signal has been received from the monitoring station 115, the parallel thread initiates an MFC sub-function, which transmits (block 750) all configuration data to the monitoring station 115.

The function in block 705, and the data represented in blocks 710a to 710d, are similar to those described above with respect to Figure 2. The function in block 715, and the data represented in blocks 720a to 720b, are similar to those described above with respect to Figure 3. The function in block 725, and the data represented in blocks 730a to 730b, are similar to those described above with respect to Figure 4.

The collected computer unit (machine environment) data is stored locally as the probe obtains and updates it (block 740). If a structured file signal is received from the monitoring station 115 (block 745), as described above, the collected machine environment data is transferred to the monitoring station 115.

Now refer to Figure 8 to discuss the functional mechanics of the client application 110 according to an embodiment of the invention. In particular, Figure 8 is a flowchart of automatically collecting all computer unit (machine environment) data of all computer units 105 on a local area network (LAN) or a wide area network (WAN) (e.g., network system 100).

The monitoring station 115 has the ability to automatically receive all configuration data from a computer unit 105, or to send a structured signal file (initiated by the administrator) requesting that all configuration data be transmitted to the monitoring station 115.

Figure 8 is a flowchart of an operation after the management application 115 is installed on the network system 100 and a client application 110 is installed on the network system 100, provided the network paths have been set correctly so that the client application communicates effectively with the management application 115. Basically, after the client application 110 performs the analysis of its computer unit 105, stores all information to its data files, and transfers all information to memory arrays (block 835), polling is initiated to check the status of the network connection and verify that the client application 110 has established all appropriate paths to communicate with the management application 115.
If the parallel thread (block 840) detects that the network is present and that the defined paths have been correctly established, the client application 110 sends all data to the management application 115 (block 845).

The management application 115 also starts a parallel thread (block 802), which polls (block 805) to check the status of the network and whether the defined network paths are established. If the overall network status is correct, the management application 115 automatically receives the structured file signal information from the client application 110.

In the event that certain command and control instructions are initiated from the management application 115 by the user, such as an update request, a function (block 810) initiates the structured signal file, which is then sent to the client application 110 (block 815). In one embodiment, the structured signal file is transmitted by way of a network production directory (block 825), which may, for example, be located locally on the computer unit 105. The function passes the information back to the main parallel thread, which then receives and processes the information received from the client application (block 820).

Now refer to Figure 9 to discuss additional functional mechanics of the client application 110 according to an embodiment of the invention. In particular, Figure 9 is a flowchart of a process of automatically analyzing the "penetration pattern" of a foreign entity program that penetrates a computer unit to collect, report, initiate a task on, or destroy information on the computer unit. The utility application 110 is initiated, whereby the probe function described above is initialized (block 200).
The function of block 905 represents the data collection functions performed by blocks 201-206 (Figure 2), blocks 340-343 (Figure 3) and blocks 440-443 (Figure 4).

The function of block 910 represents the functions performed by blocks 210-215 (Figure 2). The check functions of blocks 915-920 are represented by the functions of blocks 216-217. The function of block 925 represents the functions performed by blocks 310-312 (Figure 3). The check functions of blocks 930-935 are represented by the functions of blocks 313-314. The function of block 940 represents the functions performed by blocks 410-413 (Figure 4). The check functions of blocks 945-950 are represented by the functions of blocks 414-415. The function of block 955 is represented by the functions of blocks 218, 315 and 416, as previously described. Figure 9 therefore gives an overview of the analysis of a penetration pattern, which is received from each computer unit 110 and transmitted as data to the monitoring station 115.

Now refer to Figure 10 to discuss the functional mechanics of the client application according to an embodiment of the invention. In particular, Figure 10 is a flowchart of a process of automatically reversing any computer unit (machine environment) change that a foreign utility program may initiate within the actual computer unit 110. The functions in blocks 1005 to 1050 are as previously described and are the same as blocks 905-950 in Figure 9. In block 1055, the client application 110 searches a data dictionary local to the client computer 105, and if there is an unauthorized modification to the configuration made by a foreign utility program initiated in the computer unit 105, the client application 110 reverses the configuration back to the configuration defined before the unauthorized modification.


Now refer to Figure 11 to discuss the functional mechanics of the client application according to an embodiment of the invention. In particular, Figure 11 is a block diagram of a structured signal file that captures all forensic data about the "penetration pattern," which is transmitted to and stored at the monitoring station 115.

The structured file 1100 is created, and the client application 110 uses it to transmit all "penetration pattern" (forensic) data to the monitoring station 115. As shown in Figure 11, the data structure 1100 contains the following, which allows a computer forensic design to operate in a real-time environment.

SOT[cr][lf]
Date=CCYY\MM\DD[cr][lf]
Time=HH:MM:SS[cr][lf]
3Wind=Variable Up To 500 Characters[cr][lf]
2Wind=Variable Up To 500 Characters[cr][lf]
1Wind=Variable Up To 500 Characters[cr][lf]
Mssg-Variable Up To 500 Characters[cr][lf]
EOT[cr][lf]

The above parameters are defined as follows:

SOT - start of transmission;
[cr] - carriage return ASCII control character;
[lf] - line feed ASCII control character;
EOT - end of transmission;
3Wind - the previous window handle in focus before 2Wind;
2Wind - the previous window handle in focus before 1Wind;
1Wind - the window handle in focus at the unauthorized activity; and
Mssg - the definition of the unauthorized activity.
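The Figure 11 record layout above, read back the way a monitoring station would have to read it, as an added example that is not code from the patent: a strict Python parser that enforces the [cr][lf] framing, the field order and the 500-character limit. The function names, the Latin-1 decoding, accepting either "=" or "-" after Mssg, and the sample record are assumptions of this example.

```python
from datetime import datetime

MAX_VALUE_LEN = 500  # "Variable Up To 500 Characters" in the layout
FIELD_ORDER = ("Date", "Time", "3Wind", "2Wind", "1Wind", "Mssg")
LINES_PER_RECORD = len(FIELD_ORDER) + 2  # the six fields plus SOT and EOT


class SignalFileError(ValueError):
    """Raised when the input does not match the Figure 11 layout."""


def _field_value(line, name):
    # The layout prints "=" after every field name except Mssg, which it
    # prints with "-". Accepting both for Mssg is an assumption made here.
    separators = ("=", "-") if name == "Mssg" else ("=",)
    for sep in separators:
        if line.startswith(name + sep):
            value = line[len(name) + 1:]
            break
    else:
        raise SignalFileError(f"expected field {name!r}, got {line[:20]!r}")
    if len(value) > MAX_VALUE_LEN:
        raise SignalFileError(f"{name} exceeds {MAX_VALUE_LEN} characters")
    # Values originate on the monitored machine, so they are treated as
    # untrusted: a stray CR, LF or other control character is rejected
    # rather than allowed to blur the record framing.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise SignalFileError(f"{name} contains a control character")
    return value


def parse_signal_file(raw):
    """Parse the bytes of one structured signal file into a list of dicts."""
    text = raw.decode("latin-1")  # assumed single-byte encoding
    if not text.endswith("\r\n"):
        raise SignalFileError("input does not end with [cr][lf]")
    lines = text[:-2].split("\r\n")
    if len(lines) % LINES_PER_RECORD:
        raise SignalFileError("truncated or padded record")
    records = []
    for start in range(0, len(lines), LINES_PER_RECORD):
        chunk = lines[start:start + LINES_PER_RECORD]
        if chunk[0] != "SOT" or chunk[-1] != "EOT":
            raise SignalFileError("record is not framed by SOT and EOT")
        record = {name: _field_value(line, name)
                  for name, line in zip(FIELD_ORDER, chunk[1:-1])}
        try:
            # Date=CCYY\MM\DD and Time=HH:MM:SS combined into one timestamp.
            record["timestamp"] = datetime.strptime(
                record["Date"] + " " + record["Time"], "%Y\\%m\\%d %H:%M:%S")
        except ValueError as exc:
            raise SignalFileError(f"bad Date/Time: {exc}") from None
        records.append(record)
    return records


def focus_trail(record):
    """Window focus history, oldest first, ending at the flagged window."""
    return [record["3Wind"], record["2Wind"], record["1Wind"]]


# Constructed sample record (not taken from the patent).
SAMPLE = (
    b"SOT\r\n"
    b"Date=2001\\04\\05\r\n"
    b"Time=14:03:27\r\n"
    b"3Wind=Inbox - Mail Client\r\n"
    b"2Wind=Setup - Unknown Utility\r\n"
    b"1Wind=Registry Editor\r\n"
    b"Mssg-Unauthorized registry entry added\r\n"
    b"EOT\r\n"
)

if __name__ == "__main__":
    for rec in parse_signal_file(SAMPLE):
        print(rec["timestamp"], " -> ".join(focus_trail(rec)), "|", rec["Mssg"])
```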

Now refer to Figure 12 to discuss the functional mechanics of the client application according to an embodiment of the invention. In particular, Figure 12 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software registry segment. The flowchart illustrates a process of automatically analyzing the "penetration pattern" of a foreign utility program that penetrates a computer unit 105 to collect, report, initiate a task on, or destroy information on a computer unit 105. The penetration pattern analysis received from each computer unit 105 is transmitted as data to the monitoring station 115.

After all internal registry data of a client computer 105 has been collected and transmitted to the monitoring station 115, a PC probe (part of the client application 110) initiates an additional parallel thread function designed and developed by the inventor (block 1205), and that additional parallel thread function initiates an additional independent 21 API DLL designed and developed by the inventor, which analyzes HKEY_LOCAL_MACHINE:Software (hereafter the DEFINED SEGMENT), a segment of the internal registry. An example of the PC probe is the type provided by Granite Technologies of Tennessee, USA. The analysis includes a method of opening the actual registry key and opening and querying the defined segment for any possible unauthorized change within this particular area of the registry.

The internal registry is a database used by the Windows operating system (such as Windows 95 and NT) to store configuration information. The registry basically contains the following main sections:

(1) HKEY_Classes_Root - file associations and Object Linking and Embedding (OLE) information;
(2) HKEY_Current_User - all preferences set for the current user;
(3) HKEY_User - all the current user information for each user of the system;
(4) HKEY_Local_Machine - settings for hardware, the operating system, and installed applications;
(5) HKEY_Current_Configuration - settings for the display and printers;
(6) HKEY_Dyn_Data - performance data.

Most Windows applications write data to the registry, at least during installation. The registry can be edited directly using the registry editor (regEdit.exe) provided with the operating system. The Windows registry thus stores system configuration details so that Windows looks and runs in the desired manner. The registry stores user profile information, such as wallpaper, color schemes and desktop arrangement, in a file called "user.dat," and stores hardware-specific and software-specific details, such as device management and file extension associations, in a file called "system.dat." In many ways, the registry replaces the functions of win.ini and system.ini from earlier versions of Windows, although those files persist because many Windows applications refer to them.
The registry is opened by initiating a 32-bit API function call defined in the Microsoft API development environment.

At the time the registry is opened, the defined segment is passed as a parameter to successfully open that particular segment of the registry. This parameter is contained in the 32-bit API function (from the Microsoft API development environment) that is initiated to open a registry segment.

The method includes establishing a "base count" of all authorized entries in this particular segment of the registry. The "base count" is the total number of entries recorded within the defined segment of the registry. After the "base count" is established, the integer value of the "base count" is stored in memory (e.g., RAM). The MFC parallel thread (block 1215) then initiates the 32-bit API designed and developed by the inventor, which initiates an algorithm that calculates whether any change has occurred to the "base count" of this specifically defined segment of the registry.
The actual function of the 32-bit API design is described below. A sub-thread (block 1240) initiates the 32-bit API DLL, which collects all registry data on the HKEY_LOCAL_MACHINE:SOFTWARE registry segment. The other functions in Figure 12 execute similarly to the corresponding similar functions described in the previous figures.

The algorithmic method designed by the inventor queries the defined segment of the registry in such a way that virtually no resource utilization registers within the CPU. Within the defined segment of the registry, the entries may not be listed in any particular order and are random in nature.

Whereas the actual O/S must query every registry segment across the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that calculates the maximum "base count" (integer) of all entries within this defined registry segment, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm proceeds to count the remaining entries and the last "date/time modified" within this specifically defined portion of the registry segment.

When the algorithm begins its count at the start position pointer, the algorithm counts the remaining entries within the defined segment of the registry. If the maximum count equation does not equal the pre-calculated result, the defined registry segment has been manually edited by the user or penetrated by an unauthorized program modification.

For example, HKEY_LOCAL_MACHINE:Software may contain 50 entries that record the different applications installed on the computer. The 32-bit API DLL that monitors and controls this environment polls this segment to detect an unauthorized registry entry or deletion every 5 to 8 seconds. If the registry segment is modified, the unauthorized modification is detected and reported to the main parallel thread that initiated the 32-bit API DLL.

The pre-calculated result guarantees a 100% accurate result from the query (where the query is of the registry segment itself through 32 API function calls from the Microsoft 32-bit API development environment), because the algorithm is designed to query the defined segment, for example, approximately every 5 to 8 seconds. The rate of the query makes it impossible for a user to delete or add a new entry to the defined segment without being intercepted by the algorithm.

The rate and accuracy at approximately 5 to 8 seconds is sufficient because any unauthorized program or user that attempts to delete and then add a record to a registry segment forces the registry segment into an "update cycle," whereby it performs its internal "housekeeping." The "housekeeping" takes approximately 4 to 6 seconds to mechanically perform its internal operations. Furthermore, an unauthorized program performing a calculation to add an entry to a defined area of the registry enables the algorithm designed by the inventor to address unauthorized program activity with 100% accuracy.
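One way to express the base-count check described above, as an added example that is not the inventor's 32-bit API DLL: on each poll it compares the stored entry count and last-modified time of a registry segment with the current values, reading them on Windows through Python's winreg.QueryInfoKey. SegmentState, read_segment_state, classify_change and poll_segment are names chosen here, and the polled states in the demo are constructed.

```python
import time
from dataclasses import dataclass

try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None


@dataclass(frozen=True)
class SegmentState:
    entry_count: int  # the "base count": subkeys plus values in the segment
    last_write: int   # last "date/time modified", 100 ns ticks since 1601


def read_segment_state(subkey=r"Software"):
    """Read count and last-write time of HKEY_LOCAL_MACHINE\\<subkey>."""
    if winreg is None:
        raise OSError("winreg is only available on Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        subkeys, values, last_write = winreg.QueryInfoKey(key)
    return SegmentState(subkeys + values, last_write)


def classify_change(baseline, current):
    """Describe how `current` differs from the authorized baseline."""
    if current.entry_count > baseline.entry_count:
        return "entry added"
    if current.entry_count < baseline.entry_count:
        return "entry deleted"
    if current.last_write != baseline.last_write:
        # Same number of entries but the segment was written to, for
        # example a delete followed by an add between two polls.
        return "modified, count unchanged"
    return None


def poll_segment(read_state, baseline, polls, interval=5.0, sleep=time.sleep):
    """Poll the segment `polls` times and report each change once.

    `read_state` is any callable returning a SegmentState, so the loop can
    be driven by read_segment_state on Windows or by recorded states.
    Returns a list of (poll_number, finding) tuples.
    """
    findings = []
    last_seen = baseline
    for n in range(1, polls + 1):
        current = read_state()
        if current != last_seen:
            finding = classify_change(baseline, current) or "restored to baseline"
            findings.append((n, finding))
            last_seen = current
        if n < polls:
            sleep(interval)  # idle between polls so the loop costs little CPU
    return findings


def run_constructed_demo():
    """Replay five constructed polls of a segment whose base count is 50."""
    baseline = SegmentState(entry_count=50, last_write=1000)
    observed = iter([
        SegmentState(50, 1000),  # poll 1: unchanged
        SegmentState(51, 1010),  # poll 2: one entry more than the base count
        SegmentState(50, 1020),  # poll 3: count back at 50, write time moved
        SegmentState(50, 1020),  # poll 4: nothing new since poll 3
        SegmentState(49, 1030),  # poll 5: one entry fewer than the base count
    ])
    return poll_segment(lambda: next(observed), baseline, polls=5,
                        interval=0.0, sleep=lambda seconds: None)


if __name__ == "__main__":
    for poll_number, finding in run_constructed_demo():
        print(f"poll {poll_number}: {finding}")
```

Poll 3 of the demo is the case a count-only comparison would miss: the entry count is back at the base count, and only the last-modified time shows that the segment was written to.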

Finally, the registry protection, together with the remaining functions that protect the O/S and third-party startup environment, provides a multi-layered defensive posture that protects the computer unit 105 against all of its vulnerabilities to unauthorized modification.

The parallel threads described above can perform the polling function without causing an impact on or degradation of the resources used by the CPU clock. This benefit is achieved by designing an automated sleep state into the loop of each parallel thread's execution state, based on the importance of the particular thread, so that system operation is not slowed.

Now refer to Figure 13 to discuss additional functional mechanics of the client application 110 according to an embodiment of the invention. In particular, Figure 13 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft registry segment.

After all internal registry data has been collected and transmitted to the monitoring station 115, the PC probe in the client application 110 initiates an additional parallel thread function designed and developed by the inventor, which initiates an additional independent 21 API DLL designed and developed by the inventor, which analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft segment of the internal registry. This analysis includes a method of opening the actual registry key and opening and querying this segment for any possible unauthorized change within this particular area of the registry. The method includes establishing a "base count" of all authorized entries in this particular segment of the registry. After the "base count" is established, the integer value of the "base count" is stored in RAM. The MFC parallel thread then initiates a 32-bit API designed and developed by the inventor, which initiates an algorithm that calculates whether any change has occurred to the "base count" of this specifically defined segment of the registry.
The MFC parallel thread (block 1315) then initiates the 32-bit API designed and developed by the inventor, which initiates an algorithm that calculates whether any change has occurred to the "base count" of this specifically defined segment of the registry. The actual function of the 32-bit API design is further described below. A sub-thread (block 1340) initiates the 32-bit API DLL, which collects all entry data on the HKEY_LOCAL_MACHINE:Software\Microsoft registry segment. The other functions in Figure 13 execute similarly to the corresponding similar functions described in the previous figures.

The algorithmic method designed by the inventor queries the defined segment of the registry in such a way that virtually no resource utilization registers within the CPU. Within the defined segment of the registry, the entries may not be listed in any particular order and are random in nature.

Whereas the actual O/S must query every registry segment across the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that calculates the maximum "base count" (integer) of all entries within this defined registry segment, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm proceeds to count the remaining entries and the last "date/time modified" within this specifically defined portion of the registry segment.

When the algorithm begins its count at the start position pointer, the algorithm counts the remaining entries within the defined segment of the registry. If the maximum count equation does not equal the pre-calculated result, the defined registry segment has been manually edited by the user or penetrated by an unauthorized program modification.

The pre-calculated result guarantees a 100% accurate result from the query, because the algorithm is designed to query the defined segment approximately every 5 to 8 seconds. The rate of the query makes it impossible for a user to delete and add a new entry to the defined segment without being intercepted by the algorithm. Furthermore, an unauthorized program performing a calculation to add an entry to a defined area of the registry enables the algorithm designed by the inventor to address unauthorized program activity with 100% accuracy.

Now refer to Figure 14 to discuss additional functional mechanics of the client application 110 according to an embodiment of the invention. In particular, Figure 14 is a flowchart of a process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Run registry segment.

After all internal registry data has been collected and transmitted to the monitoring station 115, the PC probe in the client application 110 initiates an additional parallel thread function designed and developed by the inventor, which initiates an additional independent 21 API DLL designed and developed by the inventor, which analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft\Run segment of the internal registry. This analysis includes a method of opening the actual registry key and opening and querying this segment for any possible unauthorized change within this particular area of the registry. The method includes establishing a "base count" of all authorized entries in this particular segment of the registry. After the "base count" is established, the integer value of the "base count" is stored in RAM. The MFC parallel thread then initiates a 32-bit API designed and developed by the inventor, which initiates an algorithm that calculates whether any change has occurred to the "base count" of this specifically defined segment of the registry.

The MFC parallel thread (block 1415) then initiates the 32-bit API designed and developed by the inventor, which initiates an algorithm that calculates whether any change has occurred to the "base count" of this specifically defined segment of the registry. The actual function of the 32-bit API design is further described below. A sub-thread (block 1440) initiates the 32-bit API DLL, which collects all entry data on the HKEY_LOCAL_MACHINE:Software\Microsoft\Run registry segment. The other functions in Figure 14 execute similarly to the corresponding similar functions described in the previous figures.

The algorithmic method designed by the inventor queries the defined segment of the registry in such a way that virtually no resource utilization registers within the CPU. Within the defined segment of the registry, the entries may not be listed in any particular order and are random in nature.

Whereas the actual O/S must query every registry segment across the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that calculates the maximum "base count" (integer) of all entries within this defined registry segment, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm proceeds to count the remaining entries and the last "date/time modified" within this specifically defined portion of the registry segment.
When the algorithm initiates its count at the start position pointer, it proceeds to count the remaining entries within the defined section of the registry. If the maximum count equation is not equal to the pre-calculated result, the defined registry section has been compromised, either by a manual edit by the user or by an unauthorized program modification.

The pre-calculated result guarantees a 100% correct result from the query, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. This query rate makes it impossible for a user to delete and add a new entry in the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a calculation to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 15, additional functional mechanisms of the client application 110 are discussed in accordance with an embodiment of the present invention. In particular, FIG. 15 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_CLASSES_ROOT:CLSID registry section.

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe initiates an additional parallel thread function designed and developed by the inventor, which initiates an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_CLASSES_ROOT:CLSID section of the internal registry. This analysis comprises a method that opens the actual registry key and opens and queries this section for any possible unauthorized changes within this specific area of the registry. The method includes establishing a "base count" of all authorized entries in this specific section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then initiates a 32-bit API designed and developed by the inventor, which initiates an algorithm to calculate whether any change has occurred to the "base count" of this specifically defined section of the registry.

The MFC parallel thread (block 1515) then initiates the 32-bit API designed and developed by the inventor, which initiates an algorithm to calculate whether any change has occurred to the "base count" of this specifically defined section of the registry. The actual function of the 32-bit API design is described further below. A sub-thread (block 1540) initiates the 32-bit API DLL, which collects all entry data in the HKEY_CLASSES_ROOT:CLSID registry section. The other functions in FIG. 15 execute in a manner similar to that described for the corresponding functions in the preceding figures.

The algorithm method designed by the inventor queries the defined section of the registry in such a way that virtually no resource utilization registers on the CPU. Within the defined section of the registry, it is possible that the entries are not listed in any particular order and are random in nature.
While the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that calculates the maximum "base count" (an integer) of all entries within this defined registry section, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm continues counting the remaining entries and the last "date time modified" within this specifically defined portion of the registry section.

When the algorithm initiates its count at the start position pointer, it proceeds to count the remaining entries within the defined section of the registry. If the maximum count equation is not equal to the pre-calculated result, the defined registry section has been compromised, either by a manual edit by the user or by an unauthorized program modification.

The pre-calculated result guarantees a 100% correct result from the query, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. This query rate makes it impossible for a user to delete and add a new entry in the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a calculation to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 16, additional functional mechanisms of the client application 110 are discussed in accordance with an embodiment of the present invention. In particular, FIG. 16 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_CLASSES_ROOT:CID registry section (if it exists).

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe initiates an additional parallel thread function designed and developed by the inventor, which initiates an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_CLASSES_ROOT:CID section of the internal registry. This analysis comprises a method that opens the actual registry key and opens and queries this section for any possible unauthorized changes within this specific area of the registry. The method includes establishing a "base count" of all authorized entries in this specific section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then initiates a 32-bit API designed and developed by the inventor, which initiates an algorithm to calculate whether any change has occurred to the "base count" of this specifically defined section of the registry.

The MFC parallel thread (block 1615) then initiates the 32-bit API designed and developed by the inventor, which initiates an algorithm to calculate whether any change has occurred to the "base count" of this specifically defined section of the registry. The actual function of the 32-bit API design is described further below. A sub-thread (block 1640) initiates the 32-bit API DLL, which collects all entry data in the HKEY_CLASSES_ROOT:CID registry section. The other functions in FIG. 16 execute in a manner similar to that described for the corresponding functions in the preceding figures.
The algorithm method designed by the inventor queries the defined section of the registry in such a way that virtually no resource utilization registers on the CPU. Within the defined section of the registry, it is possible that the entries are not listed in any particular order and are random in nature.

While the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that calculates the maximum "base count" (an integer) of all entries within this defined registry section, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm continues counting the remaining entries and the last "date time modified" within this specifically defined portion of the registry section.

When the algorithm initiates its count at the start position pointer, it proceeds to count the remaining entries within the defined section of the registry. If the maximum count equation is not equal to the pre-calculated result, the defined registry section has been compromised, either by a manual edit by the user or by an unauthorized program modification.

The pre-calculated result guarantees a 100% correct result from the query, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. This query rate makes it impossible for a user to delete and add a new entry in the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a calculation to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 17, additional functional mechanisms of the client application 115 are discussed in accordance with an embodiment of the present invention. In particular, FIG. 17 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved registry section.

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe initiates an additional parallel thread function designed and developed by the inventor, which initiates an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved section of the internal registry. This analysis comprises a method that opens the actual registry key and opens and queries this section for any possible unauthorized changes within this specific area of the registry. The method includes establishing a "base count" of all authorized entries in this specific section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then initiates a 32-bit API designed and developed by the inventor, which initiates an algorithm to calculate whether any change has occurred to the "base count" of this specifically defined section of the registry.

The MFC parallel thread (block 1715) then initiates the 32-bit API designed and developed by the inventor, which initiates an algorithm to calculate whether any change has occurred to the "base count" of this specifically defined section of the registry. The actual function of the 32-bit API design is described further below. A sub-thread (block 1740) initiates the 32-bit API DLL, which collects all entry data in the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved registry section. The other functions in FIG. 17 execute in a manner similar to that described for the corresponding functions in the preceding figures.

The algorithm method designed by the inventor queries the defined section of the registry in such a way that virtually no resource utilization registers on the CPU. Within the defined section of the registry, it is possible that the entries are not listed in any particular order and are random in nature.

While the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that calculates the maximum "base count" (an integer) of all entries within this defined registry section, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm continues counting the remaining entries and the last "date time modified" within this specifically defined portion of the registry section.

When the algorithm initiates its count at the start position pointer, it proceeds to count the remaining entries within the defined section of the registry. If the maximum count equation is not equal to the pre-calculated result, the defined registry section has been compromised, either by a manual edit by the user or by an unauthorized program modification.

The pre-calculated result guarantees a 100% correct result from the query, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. This query rate makes it impossible for a user to delete and add a new entry in the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a calculation to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 18, additional functional mechanisms of the client application 110 are discussed in accordance with an embodiment of the present invention. In particular, FIG. 18 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run registry section.

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe initiates an additional parallel thread function designed and developed by the inventor, which initiates an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run section of the internal registry. This analysis comprises a method that opens the actual registry key and opens and queries this section for any possible unauthorized changes within this specific area of the registry. The method includes establishing a "base count" of all authorized entries in this specific section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then initiates a 32-bit API designed and developed by the inventor, which initiates an algorithm to calculate whether any change has occurred to the "base count" of this specifically defined section of the registry.
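An added sketch (not code from the patent or its assignee) of the base-count check described for these registry sections, generalized to also compare the key's last-write time and a digest of entry names and data, since a count alone stays the same when one entry replaces another between two polls. All function names, the sample entries and the timestamps are constructed for illustration; `read_values` assumes Python's `winreg` module on Windows, while the demo runs on in-memory snapshots.

```python
import hashlib
import time
from dataclasses import dataclass

try:                       # winreg exists only on Windows; the demo does not need it
    import winreg
except ImportError:
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Baseline:
    count: int        # the "base count" of authorized entries
    last_write: int   # key last-write time (100 ns ticks since 1601)
    digest: str       # SHA-256 of names and data; an addition to the page's scheme


def digest_entries(entries):
    """Order-independent digest, since entries may be enumerated in any order."""
    h = hashlib.sha256()
    for name in sorted(entries):
        for field in (name, str(entries[name])):
            raw = field.encode("utf-8")
            h.update(len(raw).to_bytes(4, "big") + raw)  # length prefix keeps fields unambiguous
    return h.hexdigest()


def take_baseline(entries, last_write):
    return Baseline(len(entries), last_write, digest_entries(entries))


def check(base, entries, last_write):
    """Return the names of the checks that no longer match the stored baseline."""
    findings = []
    if len(entries) != base.count:
        findings.append("count")
    if last_write != base.last_write:
        findings.append("last_write")
    if digest_entries(entries) != base.digest:
        findings.append("content")
    return findings


def read_values(subkey=RUN_KEY):
    """Read (entries, last_write) for a subkey of HKEY_LOCAL_MACHINE. Windows only."""
    if winreg is None:
        raise OSError("winreg is only available on Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        _subkeys, n_values, last_write = winreg.QueryInfoKey(key)
        entries = {}
        for i in range(n_values):
            name, data, _type = winreg.EnumValue(key, i)
            entries[name] = data
    return entries, last_write


def poll(read, base, rounds, interval=5.0, sleep=time.sleep):
    """Call read() every `interval` seconds (the page polls about every 5 to 8) and yield findings."""
    for _ in range(rounds):
        entries, last_write = read()
        yield check(base, entries, last_write)
        sleep(interval)


# Constructed sample data: entry names, paths and timestamps are made up.
AUTHORIZED = {"Updater": r"C:\Program Files\Vendor\updater.exe",
              "TrayApp": r"C:\Program Files\Vendor\tray.exe"}
T0 = 132_000_000_000_000_000


def demo():
    base = take_baseline(AUTHORIZED, T0)
    reordered = dict(reversed(list(AUTHORIZED.items())))
    added = dict(AUTHORIZED, Helper=r"C:\Users\Public\helper.exe")
    swapped = {"Updater": AUTHORIZED["Updater"], "Helper": r"C:\Users\Public\helper.exe"}
    edited = dict(AUTHORIZED, TrayApp=r"C:\Users\Public\tray.exe")
    return {
        "unchanged": check(base, reordered, T0),   # same entries, different order
        "added": check(base, added, T0 + 1),       # count changes
        "swapped": check(base, swapped, T0 + 2),   # count identical, content differs
        "edited": check(base, edited, T0 + 3),     # data changed in place
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

On Windows, `poll(read_values, take_baseline(*read_values()), rounds=3)` runs the same comparison against the live key.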
The MFC parallel thread (block 1815) then initiates the 32-bit API designed and developed by the inventor, which initiates an algorithm to calculate whether any change has occurred to the "base count" of this specifically defined section of the registry. The actual function of the 32-bit API design is described further below. A sub-thread (block 1840) initiates the 32-bit API DLL, which collects all entry data in the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run registry section. The other functions in FIG. 18 execute in a manner similar to that described for the corresponding functions in the preceding figures.

The algorithm method designed by the inventor queries the defined section of the registry in such a way that virtually no resource utilization registers on the CPU. Within the defined section of the registry, it is possible that the entries are not listed in any particular order and are random in nature.

While the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that calculates the maximum "base count" (an integer) of all entries within this defined registry section, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm continues counting the remaining entries and the last "date time modified" within this specifically defined portion of the registry section.

When the algorithm initiates its count at the start position pointer, it proceeds to count the remaining entries within the defined section of the registry.
If the maximum counting equation is not equal to the pre-calculated result, the definition registration paragraph has been edited by the user or intruded by an unauthorized program modification. This pre-computed result guarantees 100% correct results from the query, because the algorithm is designed to query the defined paragraph at approximately every 5 to 8 seconds. The rate of this query makes it impossible for a user to delete and add a new entry to the defined paragraph without being intercepted by the algorithm. Furthermore, the unauthorized program performs a calculation to add a defined area registered to the registration, which allows the algorithm designed by the inventor to deal with unauthorized program activity with 100% accuracy. Referring now to FIG. 19, an additional functional mechanism of the client application is discussed in accordance with a specific embodiment of the present invention. In particular, FIG. 19 is an automatic detection in a real-time environment. For the HKEY—LOCAL_MACHINE: Software \ Microsoft \ Windows'

CurrentVersion\RunOnce註冊段落之任何未授權修改的之 處理的流程圖。 在該所有内部註冊資料的收集傳送到該監看站115之後, 該PC探針即啟始由本發明人所設計及開發的一額外平行串 -49- 本紙張尺度適用中國國家標準(CNS) A4規格(210 X 297公釐) 552522 A7 __ R7__ 五、發明說明(47 ) 列函式,其可啟始由本發明人設計及開發的一額外獨立的 21 API DLL ,其進行分析該内部註冊的 HKEY_LOC AL_MACHINE: Software\Microsoft\Windows\ CurrentVersion\RunOnce段落。此分析包含一種開啟該實 際註冊鍵的方法,並開啟及查詢此段落中在該註冊的此特 殊區域内的任何可能的未授權改變。該方法包含建立在該 註冊的此特殊段落中之所有授權登錄之"基本計數"。在建 立該"基本計數"之後,該”基本計數"的數值整數即儲存在 RAM中。然後該MFC平行串列即啟始由本發明人設計及開 發的一32位元API,其啟始一演算法來計算出該註冊的此特 殊定義段落之"基本計數"是否發生任何改變。 然後該MFC平行串列(方塊1915)啟始由本發明人設計及 開發的該32位元API,其啟始一演算法來計算出該註冊的此 特洙定義段落之"基本計數”是否發生任何改變。該32位元 API設計的實際功能進一步說明於下。一子串列(方塊1940) 啟始該32位元API DLL , 其收集在該 HKEY_LOCALJMACHINE:Software\Microsoft\Wind〇ws\Flowchart for the processing of any unauthorized modification of the CurrentVersion \ RunOnce registration paragraph. After the collection of all internal registration data was transmitted to the monitoring station 115, the PC probe started an extra parallel string designed and developed by the inventor. -49- This paper size applies Chinese National Standard (CNS) A4 Specifications (210 X 297 mm) 552522 A7 __ R7__ V. Description of the invention (47) A function that can start an additional independent 21 API DLL designed and developed by the inventor, which analyzes the internally registered HKEY_LOC AL_MACHINE: Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce paragraph. This analysis includes a way to turn on the actual registration key, and turn on and query any possible unauthorized changes in this particular area in the registration in this paragraph. The method includes " basic count " for all authorized logins established in this special paragraph of the registration. After establishing the " basic count ", the numerical integer of the " basic count " is stored in RAM. Then, the MFC parallel string starts a 32-bit API designed and developed by the inventor. 
The first algorithm calculates whether there is any change in the "basic count" of this specially defined paragraph of the registration. Then the MFC parallel string (block 1915) starts the 32-bit API designed and developed by the inventor , It starts an algorithm to calculate whether there is any change in the "basic count" of this special definition section of the registration. The actual functions of the 32-bit API design are further explained below. A sub-series (block 1940) starts the 32-bit API DLL, which is collected in the HKEY_LOCALJMACHINE: Software \ Microsoft \ Wind〇ws \

CurrentVersion\RunOnce註冊段落上的所有登錄資料。在 圖19中的其它函式的執行類似於在先前圖面中所對應的類 似函式所描述者。 本發明人所設計的演算法方法查詢該註冊的該定義段落 ,其方式為實際上不會有資源利用被註冊在該CPU内。因 為是在該註冊的定義段落内,其有可能該登錄不會依照特 殊的順序來列出,且性質上為隨機的。 -50- 本紙張尺度適用中國國家標準(CNS) A4規格(210 X 297公釐) 552522 A7 B7 五、發明説明(48 ) 同時,實際的o/s必須查詢在整個登錄的每一個註冊段落 來建立及維護其程式環境,本發明人所設計及開發的方法 為一種演算法,其計算在此定義的註冊段落内所有登錄的 最大"基本計數π (整數),減去該"基本計數”減2 〇該"基本 計數”減2,係等於該開始位置指標,其中該演算法繼續計 數剩餘的登錄,及在該註冊段落的此特殊定義部份内的最 後"曰期時間修改"。 當該演算法在該開始位置指標處啟始其計數時,該演算 法將進行計數在該註冊的定義段落内的剩餘登錄。如果該 最大計數等式,其不等於該預先計算的結果,該定義註冊 段落即已經被使用者人為編輯,或由一未授權程式修改所 侵入。 該預先計算結果可保證來自該查詢的為100%正確的結果 ,因為該演算法係設計來在約每5到8秒查詢該定義的段落 。該查詢的速率使其對於一使用者不可能來刪除及加入一 新登錄到該定義的段落,而不會被該演算法所攔截到。再 者,未授權程式執行一計算來加入登錄到該註冊的一定義 區域,其使得本發明人所設計的演算法可100%準確地對付 未授權的程式活動。 現在請參考圖20,以根據本發明一具體實施例來討論該 客戶應用110的額外功能性機制。特別是,圖20為一種在一 即時環境中自 動地偵測對於該 HKEY_LOC AL_MACHINE: Software\Microsoft\Windows' CurrentVersion'RunOnceEx註冊段落之任何未授權修改的 -51 - 本紙張尺度適用中國國家標準(CNS) A4規格(210X 297公釐)All the login details on the CurrentVersion \ RunOnce registration section. The execution of the other functions in Figure 19 is similar to that described by the similar function in the previous figure. The algorithm method designed by the present inventor queries the definition paragraph of the registration in such a way that no resource utilization is actually registered in the CPU. Because in the definition paragraph of the registration, it is possible that the registration will not be listed in a special order and is random in nature. -50- This paper size is in accordance with Chinese National Standard (CNS) A4 (210 X 297 mm) 552522 A7 B7 V. Description of the invention (48) At the same time, the actual o / s must be checked in each registration section of the entire registration. 
To establish and maintain its programming environment, the method designed and developed by the present inventor is an algorithm that calculates the maximum " basic count π (integer) of all registrations in the registration paragraph defined here, minus the " basic count "Minus 2 〇 The" Basic Count "minus 2 is equal to the starting position indicator, in which the algorithm continues to count the remaining entries, and the last " date time modification within this special definition part of the registration paragraph ". When the algorithm starts its counting at the start position indicator, the algorithm will count the remaining entries in the definition section of the registration. If the maximum counting equation is not equal to the pre-calculated result, the definition registration paragraph has been edited by the user or intruded by an unauthorized program modification. This pre-computed result guarantees 100% correct results from the query, because the algorithm is designed to query the defined paragraph at approximately every 5 to 8 seconds. The rate of this query makes it impossible for a user to delete and add a new entry to the defined paragraph without being intercepted by the algorithm. Furthermore, the unauthorized program performs a calculation to add a defined area registered to the registration, which allows the algorithm designed by the inventor to deal with unauthorized program activity with 100% accuracy. Referring now to FIG. 20, an additional functional mechanism of the client application 110 is discussed in accordance with a specific embodiment of the present invention. In particular, Figure 20 is an automatic detection of any unauthorized modification of the HKEY_LOC AL_MACHINE: Software \ Microsoft \ Windows 'CurrentVersion' RunOnceEx registration paragraph in a real-time environment. -51-This paper standard applies to the Chinese National Standard (CNS ) A4 size (210X 297mm)

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe initiates an additional parallel thread function designed and developed by the inventor, which in turn initiates an additional independent 32-bit API DLL, also designed and developed by the inventor, that analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnceEx section of the internal registry. This analysis includes a method that opens the actual registry key and queries this section for any possible unauthorized changes within this particular area of the registry. The method includes establishing a "base count" of all authorized entries in this particular section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then initiates a 32-bit API designed and developed by the inventor, which starts an algorithm to determine whether any change has occurred in the "base count" of this specifically defined section of the registry.

The MFC parallel thread (block 2015) then initiates the 32-bit API designed and developed by the inventor, which starts an algorithm to determine whether any change has occurred in the "base count" of this specifically defined section of the registry. The actual functioning of the 32-bit API design is described further below. A sub-thread (block 2040) initiates the 32-bit API DLL, which collects all the entry data in the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnceEx registry section. The other functions in FIG. 20 execute in a manner similar to that described for the corresponding functions in the previous figures.

The algorithmic method designed by the inventor queries the defined section of the registry in such a way that virtually no resource utilization registers on the CPU. Within the defined section of the registry, the entries may not be listed in any particular order and may be random in nature.

While the actual O/S must query every registry section of the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries in the defined registry section, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm continues counting the remaining entries, along with the last "date/time modified" within this specifically defined portion of the registry section.

When the algorithm starts counting at the start position pointer, it counts the remaining entries in the defined section of the registry. If the maximum count does not equal the pre-calculated result, the defined registry section has been manually edited by the user or compromised by an unauthorized program modification.

The pre-calculated result guarantees a 100% correct result from the query, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. This query rate makes it impossible for a user to delete an entry and add a new one in the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 21, additional functional mechanisms of the client application 110 are discussed in accordance with an embodiment of the invention.

In particular, FIG. 21 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_CURRENT_USER:Software registry section.

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe initiates an additional parallel thread function designed and developed by the inventor, which in turn initiates an additional independent 32-bit API DLL, also designed and developed by the inventor, that analyzes the HKEY_CURRENT_USER:Software section of the internal registry. This analysis includes a method that opens the actual registry key and queries this section for any possible unauthorized changes within this particular area of the registry. The method includes establishing a "base count" of all authorized entries in this particular section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then initiates a 32-bit API designed and developed by the inventor, which starts an algorithm to determine whether any change has occurred in the "base count" of this specifically defined section of the registry.

The MFC parallel thread (block 2115) then initiates the 32-bit API designed and developed by the inventor, which starts an algorithm to determine whether any change has occurred in the "base count" of this specifically defined section of the registry. The actual functioning of the 32-bit API design is described further below. A sub-thread (block 2140) initiates the 32-bit API DLL, which collects all the entry data in the HKEY_CURRENT_USER:Software registry section. The other functions in FIG. 21 execute in a manner similar to that described for the corresponding functions in the previous figures.

The algorithmic method designed by the inventor queries the defined section of the registry in such a way that virtually no resource utilization registers on the CPU. Within the defined section of the registry, the entries may not be listed in any particular order and may be random in nature.

While the actual O/S must query every registry section of the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries in the defined registry section, minus the "base count" minus 2. The "base count" minus 2 equals the start position pointer, from which the algorithm continues counting the remaining entries, along with the last "date/time modified" within this specifically defined portion of the registry section.

When the algorithm starts counting at the start position pointer, it counts the remaining entries in the defined section of the registry. If the maximum count does not equal the pre-calculated result, the defined registry section has been manually edited by the user or compromised by an unauthorized program modification.

The pre-calculated result guarantees a 100% correct result from the query, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. This query rate makes it impossible for a user to delete an entry and add a new one in the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 22, additional functional mechanisms of the client application 110 are discussed in accordance with an embodiment of the invention.

In particular, FIG. 22 is a block diagram of the different methods used to initiate a "protective umbrella" over the entire PC desktop environment.

The parallel threads and all of the 32-bit API DLLs designed and developed by the inventor execute together with the client application 110 to deploy a "protective umbrella" or "immune system" over the entire PC client computer environment.

The client application 110 constantly polls and queries every major critical section of the client computer, from the configuration of the O/S files (2215) and the third-party "startup" (2210), to the creation of new directories or folders (2220), the creation of new programs, and the maintenance of the configuration of the computer registry (2205). The registry 2225 is also discussed in various sections above.

Furthermore, at least some components of the invention may be implemented using a programmed general-purpose digital computer, application-specific integrated circuits, field-programmable gate arrays, or a network of interconnected components and circuits. Connections may be wired, wireless, by modem, or the like.

It is also within the scope of the invention to implement a program or code that can be stored on a machine-readable medium to permit a computer to perform any of the methods described above.

The above description of illustrated embodiments of the invention, including what is described in the Abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed. While specific embodiments of, and examples for, the invention are described herein for illustrative purposes, those skilled in the relevant art will recognize that many equivalent modifications are possible within the scope of the invention.

These modifications can be made to the invention in light of the above detailed description. The terms used in the following claims should not be construed to limit the invention to the specific embodiments disclosed in the specification and the claims.

Rather, the scope of the invention is to be determined entirely by the following claims, which are to be construed in accordance with established doctrines of claim interpretation.
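The base-count check described above for the RunOnce, RunOnceEx and HKEY_CURRENT_USER:Software registry sections can be expressed in code as follows. This is an added example, not code from the patent or the inventor's implementation; it goes beyond the count and last-modified comparison by also fingerprinting entry names and data, so a replacement that leaves the count unchanged is still reported. The function names, the `Baseline` type and the sample entries are assumptions made for illustration.

```python
import hashlib
import time
from dataclasses import dataclass

RUNONCE = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"

@dataclass(frozen=True)
class Baseline:
    count: int        # the "base count" of entries in the section
    last_write: int   # the key's last date/time modified
    digest: str       # added here: fingerprint of entry names and data

def fingerprint(entries):
    """SHA-256 over sorted (name, data) pairs, so listing order is irrelevant."""
    h = hashlib.sha256()
    for name, data in sorted(entries.items(), key=lambda kv: kv[0].lower()):
        h.update(repr((name.lower(), data)).encode("utf-8"))
    return h.hexdigest()

def snapshot(entries, last_write):
    return Baseline(len(entries), last_write, fingerprint(entries))

def compare(base, now):
    """Return which baseline attributes no longer match (empty list = clean)."""
    return [f for f in ("count", "last_write", "digest")
            if getattr(now, f) != getattr(base, f)]

def read_section(path=RUNONCE):
    """Windows only: read one section's values and last-write time."""
    import winreg  # standard library on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        _, n_values, last_write = winreg.QueryInfoKey(key)
        entries = {}
        for i in range(n_values):
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:   # a value was deleted while enumerating
                break
            entries[name] = data
    return entries, last_write

def monitor(reader, base, rounds, interval=5.0, sleep=time.sleep):
    """Poll reader() every `interval` seconds; collect (round, findings)."""
    alerts = []
    for i in range(rounds):
        findings = compare(base, snapshot(*reader()))
        if findings:
            alerts.append((i, findings))
        sleep(interval)
    return alerts

def demo():
    # Constructed sample data: entry names and commands are illustrative.
    good = {"Updater": r"C:\Program Files\Vendor\update.exe /once",
            "Cleanup": r"C:\Windows\Temp\cleanup.cmd"}
    polls = iter([
        (dict(reversed(list(good.items()))), 1000),           # same set, reordered
        ({**good, "Extra": r"C:\Users\Public\x.exe"}, 1001),  # entry added
        ({"Updater": good["Updater"],                         # one entry swapped:
          "Helper": r"C:\Users\Public\x.exe"}, 1002),         # count is unchanged
    ])
    return monitor(lambda: next(polls), snapshot(good, 1000), rounds=3,
                   sleep=lambda s: None)

if __name__ == "__main__":
    for round_no, findings in demo():
        print(round_no, findings)
```

On Windows, passing `read_section` as the `reader` argument polls the live key; the demo uses constructed snapshots so it runs anywhere.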

Claims (1)

1. A system for real-time monitoring and control of networked computers, the system comprising:
a monitoring computer unit capable of being communicatively coupled to a network system; and
a client computer unit capable of being communicatively coupled to a network system, the client computer including a client application that detects states in the client computer and transmits the detected states to the monitoring computer unit via the network system.

2. The system of claim 1, wherein the monitoring computer unit includes a manager application capable of analyzing the transmitted detected states.

3. The system of claim 2, wherein the manager application is capable of issuing a command signal to control the client computer unit in response to a particular detected state in the client computer unit.

4. A method of real-time monitoring and control of networked computers, the method comprising:
providing a monitoring computer unit and a client computer unit, both capable of being communicatively coupled to a network system; and
detecting states in the client computer and transmitting the detected states to the monitoring computer unit via the network system.
TW091106846A 2001-04-06 2002-04-04 System and method for real time monitoring and control of networked computers TW552522B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/827,891 US6961765B2 (en) 2000-04-06 2001-04-06 System and method for real time monitoring and control of networked computers
PCT/US2001/011180 WO2001077833A2 (en) 2000-04-06 2001-04-06 System and method for real time monitoring and control of networked computers

Publications (1)

Publication Number Publication Date
TW552522B true TW552522B (en) 2003-09-11

Family

ID=31716231

Family Applications (1)

Application Number Title Priority Date Filing Date
TW091106846A TW552522B (en) 2001-04-06 2002-04-04 System and method for real time monitoring and control of networked computers

Country Status (1)

Country Link
TW (1) TW552522B (en)

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees