CN1173269C - Monitoring method for unloading - Google Patents

Info

Publication number
CN1173269C
Authority
CN
China
Prior art keywords
record
file
new
monitoring method
monitoring
Legal status
Expired - Fee Related
Application number
CNB011033460A
Other languages
Chinese (zh)
Other versions
CN1368679A (en)
Inventor
陈玄同
林光信
Current Assignee
Inventec Corp
Original Assignee
Inventec Corp

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A monitoring method for uninstallation converts the file record and registry record held at the Ring0 layer into records that can be operated on and called at the Ring3 layer. It then detects and monitors installation programs and records the files and settings they change, supported by four parts: task monitoring, file recording, registry recording and restart protection. Because the restart protection part intercepts the system start function, the data recorded during installation is not lost. Because each installation program corresponds to its own Ring3-layer file record and registry record, the invention can monitor several installation programs at the same time without errors in the installation records.

Description

Monitoring method for uninstallation
Technical field
The present invention relates to a monitoring method for uninstallation, and in particular to a monitoring method that can monitor several installation programs at the same time and is not affected by the user's other operations during the monitoring period.
Background
In general, to use a piece of software on a computer system, an installation program (install.exe or setup.exe) must first be run from a disk or CD to place the software's data in the relevant directories on the hard disk; only then can the software be run normally. This process is called installation (install or setup). Installing software does not merely copy its files to the hard disk; it also modifies related environment settings of the operating system. Conversely, to remove software from a computer system, deleting the directory where the software resides is not enough: some settings in the operating system (especially an integrated environment such as Windows) must also be removed, otherwise the software is not removed cleanly. Leaving the software's environment settings behind does not make the computer malfunction right away, but over time the computer keeps processing many unnecessary settings, which seriously wastes system resources, reduces the computer's operating efficiency, and can eventually even make the computer crash frequently.
To avoid this problem, uninstallation (uninstall) programs appeared, which let the user completely remove installed software from the hard disk. To carry out the removal, the uninstall program must know which directories and environment settings related to the software are to be removed, so the uninstall program has to be started before the software is installed, allowing it to monitor and record what the installation sets. Current installation monitoring techniques are mostly based on "snapshot comparison": before the software is installed, the uninstall program scans and records the relevant directory paths, the registry, and the settings that may be modified; after the installation, it scans and records the directory paths, registry and settings of the computer system again; by comparing the two, the uninstall program learns which system environment settings the installation added or changed.
The known method has the following characteristics: only one installation program can be monitored at a time, and the user must not make any modification during the monitoring period, otherwise the monitoring record will be wrong and the installation process will fail. If the installation program has a restart function, the record made during monitoring is lost, so correct monitoring results cannot be obtained.
Summary of the invention
In view of this, the object of the present invention is to provide a monitoring method for uninstallation: an uninstall program that can monitor several software installations at the same time, and whose records during the monitoring period are not affected by the user's other operations.
To achieve this object, the monitoring method for uninstallation provided by the invention is applied to monitoring the installation process of at least one installation program, as the basis for removing data at uninstall (Uninstall) time. The file record (File Record) and registry record (Registry Record) that originally have Ring0-layer access rights are converted into a new file record and a new registry record that can also be operated on and called with Ring3-layer access rights. A task monitoring module then watches the running processes for installation programs. As soon as an installation program is found to have started on the computer system, the file recording module and the registry recording module are notified, and they back up and record the content of the file system data and the registry data before and after each change. Finally, a restart protection module intercepts the system startup routine, so that a computer restart does not cause the recorded installation data to be lost. The specific steps are: intercepting the process identification code (Process ID) of a running piece of software and confirming that the software is the installation program; converting a file record (File Record) and a registry record (Registry Record) that have the Ring0-layer access rights of the central processing unit (CPU) into a new file record and a new registry record that can also be operated on and called with Ring3-layer access rights; monitoring the installation program's input/output (I/O) operations on the new file record and a file system, and backing up the content of the new file record and the file system; monitoring the installation program's input/output (I/O) operations on the new registry record, and backing up the content of the new registry record; and using a jump (Jump) command in the installation program to intercept the computer's system startup function.
Because the invention gives each installation program its own Ring3-layer file record and registry record, several installation programs can run at the same time without their installation records being mixed up.
Description of drawings
To make the above and other objects, features and advantages of the invention easier to understand, a preferred embodiment is described in detail below with reference to the accompanying drawings.
Figure 1A is a functional block diagram of the invention;
Figure 1B is a schematic diagram of converting the records from Ring0-layer access rights to Ring3-layer access rights;
Fig. 2 is a flow chart of task monitoring in the invention;
Fig. 3 is a flow chart of file recording in the invention;
Fig. 4 is a flow chart of the registry recording operation in the invention;
Fig. 5 is a flow chart of restart protection in the invention; and
Fig. 6 is a flow chart of the data conversion from the Ring0 layer to the Ring3 layer in the invention.
Reference numerals
100: Ring0 layer
101: file record
102: registry record
110: Ring3 layer
111: file record
112: registry record
120: Ring0-layer to Ring3-layer data conversion module
130: task monitoring module
140: file recording module
150: registry recording module
160: restart protection module
Embodiment
Referring to Figure 1A, the installation monitoring function of the invention is supported by four parts: the task monitoring module 130, the file recording module 140, the registry recording module 150 and the restart protection module 160. In addition, referring to Figure 1B, the invention must also use a data conversion module 120 to convert the file record (File Record) and registry record (Registry Record) of the Ring0 layer into a file record and registry record of the Ring3 layer. The four functional modules above (task monitoring module 130, file recording module 140, registry recording module 150 and restart protection module 160) then jointly carry out the installation monitoring.
The operating flow of each of the four functional modules is described below.
Task monitoring module 130
Referring to Fig. 2, module 130 monitors system tasks (Task) by intercepting the Win32 API. First, the process creation function (CreateProcess) associated with the process being handled is called (step 201). The identification code (Process ID) of the current process is then read (step 202), the identification code of the created process is taken from the original function's return value, and this ID is sent to the main control program (step 203). The main control program judges whether the process is an installation program process (step 204). If so, the main control program is notified to create a new record for this task (step 205); if not, the module returns and waits for the next call (step 206).
File recording module 140
Referring to Fig. 3, the interception function is called first to intercept the I/O operations of the file system (step 301). It is then judged whether the currently executing program is monitored (step 302). If it is, it is judged whether the current operation is an open file (Open File) operation (step 303). If it is, the access (Access) rights of the operation are analysed (step 309) and it is judged whether the operation is destructive (step 310); if so, the file content is backed up (step 306) and the program returns; if not, the program ends directly. If the current operation is not an open file operation, it is judged whether it is a delete (Delete) operation (step 304); if so, the file content is backed up (step 308). If not, it is further judged whether the current operation is a rename (Rename) operation (step 305); if so, the file content is backed up (step 306); if it still is not, the current operation is treated as invalid, the program returns, and the next operation is awaited (step 307).
Registry recording module 150
Referring to Fig. 4, the invention records the modifications an installation program makes to the registry (Registry) by monitoring input/output (I/O) on it. The interception function is called first to swap the entry addresses of the Ring0 layer and the Ring3 layer (step 401), and input/output (I/O) operations are then intercepted (step 402). It is judged whether the current operation modifies the registry (step 403). If so, the result of the modification is recorded (step 404) and the original data is noted (step 405); if the registry is not modified, the program returns (step 406) and waits to intercept the next registry operation.
Restart protection module 160
Referring to Fig. 5, this module prevents the loss of installation record data caused by the installation program restarting the computer during installation. First, the original function address of the installation program is located (step 501), the jump (JUMP) command under it is read (step 502), and the jump address in that command is pointed at the interception function (step 503). The system startup function is then intercepted (step 504), and the module waits to be called by the outer installation program (step 505). When a call is received (step 506), it is judged whether the program running at that moment is monitored (step 507). If so, the function call at this point is not affected (step 509) and the program returns; if not, the computer is restarted (step 508).
In addition, for the Ring0-layer to Ring3-layer data conversion module 120, refer to Fig. 6. This module performs the data conversion from the Ring0 layer to the Ring3 layer, so that the file record and registry record data of the Ring0 layer can be operated on and called from the Ring3 layer. First the function is initialised (step 601), and the first Ring3-layer process (Process) is read (step 602) and converted into a TDB (task description block) address (step 603). The Ring0-layer ID is then read (step 604) and it is judged whether the two are equal (step 605). If so, this ID is returned (step 606). If not, the next ID is taken (step 607) and it is judged whether this ID exists (step 608). If it exists, it is in turn converted into a TDB address, repeating the operations from the conversion to a TDB address (step 603) through to the return (step 609); if it does not exist, the program returns and indicates that the operation is empty (step 609).
The installation monitoring process of the invention is illustrated below, taking the installation of the WinZip software as an example.
The installation program is started first. The task monitoring module provided by the invention is then called and intercepts the current process identification code (Process ID); the main control program is prompted that the currently running process is an installation program and asks whether to record it. After confirmation, a new record is set up for the current task. File system monitoring and the registry monitoring program are started next; they intercept the input/output (I/O) operations of the file system and the registry respectively and perform backups according to the different cases, and the file record and registry record of the Ring0 layer are correspondingly converted into the file record and registry record of the Ring3 layer. Restart protection is started and process changes are tracked. The changes the task makes to the file system and the registry are thereby recorded, and the original files that are modified are backed up. After installation finishes, the record made is displayed for the user's reference.
Because the invention takes the file record and registry record modifications that would originally be performed at the Ring0 layer and performs them at the Ring3 layer, and each installation program corresponds to one set of Ring3-layer file record and registry record, several installation programs can be monitored at the same time, and the monitoring does not affect the user's other operations.
Moreover, the invention can automatically monitor the user's restart requests, so that a restart during installation does not cause errors in, or loss of, the installation record. DOS operations and 16-bit Windows program operations are also supported.
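The Fig. 3 decision flow and the one-record-per-installer design described above, set against the snapshot comparison from the background section, as an added example (not code from the patent). It models only the file record; the `InstallMonitor` class, the access-flag names, the PIDs and all paths and contents are assumptions constructed for illustration, and registry recording and restart protection are not modelled.

```python
"""Per-installer change records (Figs. 2 and 3) versus snapshot comparison.

Every path, PID and file content below is constructed sample data.
"""
READ, WRITE, TRUNCATE = 1, 2, 4      # hypothetical access flags for an open
DESTRUCTIVE = WRITE | TRUNCATE


class InstallMonitor:
    def __init__(self, fs):
        self.fs = fs                 # path -> content; stands in for the disk
        self.records = {}            # installer PID -> {path: content before}

    def task_created(self, pid, is_installer):
        # Fig. 2: only a process judged to be an installer gets a new record.
        if is_installer:
            self.records[pid] = {}

    def file_io(self, pid, op, path, access=0, data=None, new_path=None):
        """Handle one intercepted file operation, then let it proceed."""
        rec = self.records.get(pid)                           # step 302
        writes = op == "open" and bool(access & DESTRUCTIVE)  # steps 303-310
        if rec is not None and (writes or op in ("delete", "rename")):
            # Back up the first pre-change state; None means "did not exist".
            rec.setdefault(path, self.fs.get(path))
            if op == "rename":
                rec.setdefault(new_path, self.fs.get(new_path))
        # Simulated effect of the operation on the stand-in file system.
        if writes:
            self.fs[path] = data
        elif op == "delete":
            self.fs.pop(path, None)
        elif op == "rename" and path in self.fs:
            self.fs[new_path] = self.fs.pop(path)

    def uninstall(self, pid):
        """Undo only what this installer changed, using its own record."""
        for path, before in self.records.pop(pid).items():
            if before is None:
                self.fs.pop(path, None)
            else:
                self.fs[path] = before


def snapshot_diff(before, after):
    """The snapshot-comparison baseline: every path whose content differs."""
    return sorted(p for p in before.keys() | after.keys()
                  if before.get(p) != after.get(p))


def demo():
    fs = {"C:/WINDOWS/win.ini": "[old]", "C:/notes.txt": "draft 1"}
    start = dict(fs)
    mon = InstallMonitor(fs)
    mon.task_created(101, is_installer=True)     # installer A
    mon.task_created(202, is_installer=True)     # installer B
    mon.task_created(303, is_installer=False)    # the user's text editor
    # Interleaved activity from all three processes.
    mon.file_io(101, "open", "C:/AppA/a.exe", WRITE, data="A binary")
    mon.file_io(202, "open", "C:/AppB/b.exe", WRITE, data="B binary")
    mon.file_io(303, "open", "C:/notes.txt", WRITE, data="draft 2")
    mon.file_io(101, "open", "C:/WINDOWS/win.ini", WRITE, data="[old][A]")
    mon.file_io(101, "open", "C:/notes.txt", READ)   # read-only: no backup
    mon.file_io(202, "delete", "C:/AppB/b.tmp")
    changed = snapshot_diff(start, fs)   # mixes A, B and the user's edit
    record_a = sorted(mon.records[101])  # only what installer A touched
    mon.uninstall(101)
    return changed, record_a, fs


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The snapshot diff attributes all four changed paths to a single installation, while installer A's own record holds only its two paths, so rolling A back leaves installer B's file and the user's edit in place.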
Although the invention has been illustrated and described with reference to a preferred embodiment, this is not intended to limit the invention. Those skilled in the art will appreciate that various changes and modifications can be made to it without departing from the spirit and scope defined by the appended claims. The scope of protection of the invention is therefore defined by the appended claims.

Claims (10)

1. A monitoring method for uninstallation, applied to monitoring the installation process of at least one installation program as a basis for removing data during uninstallation, comprising: intercepting the process identification code of a running piece of software and confirming that the software is the installation program; converting a file record and a registry record that have the Ring0-layer access rights of the central processing unit into a new file record and a new registry record that can also be operated on and called with Ring3-layer access rights; monitoring the installation program's input/output operations on the new file record and a file system, and backing up the content of the new file record and the file system; monitoring the installation program's input/output operations on the new registry record, and backing up the content of the new registry record; and using a jump command in the installation program to intercept the computer's system startup function.
2. The monitoring method for uninstallation according to claim 1, wherein task monitoring of the installation program is achieved by intercepting an application program interface.
3. The monitoring method for uninstallation according to claim 1, wherein the process identification code is obtained from a process creation function related to the software.
4. The monitoring method for uninstallation according to claim 1, wherein monitoring the installation program's input/output operations on the new file record and the file system further comprises the following steps: intercepting the input/output operations on the new file record and the file system; and judging whether the program accessing the new file record and the file system is monitored.
5. The monitoring method for uninstallation according to claim 4, wherein the input/output operation is one of the group consisting of an open file operation, a delete file operation and a rename operation.
6. The monitoring method for uninstallation according to claim 5, wherein, if the input/output operation is the open file operation, a step is added of analysing whether the access rights of the operation make it a destructive operation.
7. The monitoring method for uninstallation according to claim 1, wherein monitoring the installation program's input/output operations on the new registry record further comprises the following steps: swapping the addresses of the registry record and the new registry record; intercepting the input/output operations on the new registry record; and judging whether the input/output operation modifies the new registry record.
8. The monitoring method for uninstallation according to claim 1, wherein backing up the content of the new registry record comprises: storing the original data of the new registry record; and storing the content of the input/output operation.
9. The monitoring method for uninstallation according to claim 1, wherein intercepting the computer's system startup function further comprises the following steps: reading the jump command under the installation program; and converting the jump address in the jump command into the address of an interception function.
10. The monitoring method for uninstallation according to claim 1, wherein converting data from Ring0-layer access rights to Ring3-layer access rights further comprises the following steps: reading a Ring3-layer process and converting it into a task description block address; and reading the corresponding Ring0-layer identification code of the process, and judging whether it is the same as the identification code of the process.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011033460A CN1173269C (en) 2001-02-01 2001-02-01 Monitoring method for unloading

Publications (2)

Publication Number Publication Date
CN1368679A (en) 2002-09-11
CN1173269C (en) 2004-10-27

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20041027

Termination date: 20110201