
TW574645B - System and method for real time monitoring and control of a computer machine environment and configuration profile - Google Patents


Info

Publication number
TW574645B
Authority
TW
Taiwan
Prior art keywords
registration
computer unit
unauthorized
paragraph
values
Prior art date
Application number
TW91106841A
Other languages
Chinese (zh)
Inventor
Robert F Terry
Original Assignee
Granite Technologies Inc
Priority date
Filing date
Publication date
Priority claimed from US 09/827,451 (US20020026605A1)
Application filed by Granite Technologies Inc
Application granted
Publication of TW574645B


Landscapes

  • Computer And Data Communications (AREA)

Description

574645 A7 B7 V. Description of the Invention (1)

Field of the Invention

The present invention relates generally to the field of system-program (operating system) and application-program development, and more particularly, but not exclusively, to systems and methods for real-time monitoring, logging and/or control of the internal environment of a computer unit, for example the activity inside a personal computer (PC) machine.

Background of the Invention

As the use of technology spreads through businesses and organizations, management increasingly needs to track and control, effectively, the internal PC machine activity (environment) of the technology the company owns.

For example, a PC has an internal operating system (O/S) that is started when the PC is "booted" from its internal hard disk. The O/S consists of a series of hundreds of programs that manage all third-party application (program) activity and all user activity. Each action (event) carried out by an end user may produce an internal reaction (another event) inside the O/S that carries out the user's request. Each action (event) initiated by a third-party program may likewise produce an internal reaction (another event) inside the O/S that carries out the program's request, and sometimes that reaction modifies the internal O/S environment (structure) of the computer unit.

One of the most critical aspects of a PC O/S and of every third-party application is its startup phase. The startup phase consists of key files and/or registry entries that are read by certain internal programs of the O/S and of the third-party applications; they direct the O/S and the third-party applications, and are needed when the O/S "boots" or when a third-party application (program) is executed.

These key files and registry entries are treated as "soft tables" that may be modified, so that the O/S or a third-party application can adjust its internal operating environment to the particular needs of the computer unit and of the end user.

These key files and registry entries are so flexible that a computer program can be started on a computer unit without the end user's knowledge, and that program can substantially modify, collect, report, start a task or destroy information.

The registry is the part of the O/S that defines and starts a new program, and this can happen automatically without the user's knowledge. The registry can be regarded as the true "central guide" of the O/S: when certain defined elements of a program are written into a specific part of the registry, the O/S starts that program automatically, without notifying the user.

With the development of Internet technology, which can automatically transmit data in a compressed format from one computer unit to another, it is possible to "disguise" a program as ordinary data. Such a program starts on a computer unit, modifies a key O/S or third-party application startup file or loads itself into the registry, and then starts an unknown program that collects, reports, starts a task or destroys information on the computer unit.

All of this can happen without the knowledge of the end user or of anyone in the business or organization.

There is therefore a need for a real-time tracking tool that allows an efficient, non-intrusive way to manage the logging, monitoring and reporting of the internal environment of each computer unit. There is further a need for a real-time tool that automatically "reverses" any unauthorized internal modification and reports such modifications to the management of the business or organization.

Summary of the Invention

In one embodiment, the invention provides a real-time method of electronically "mapping" the vital statistics of a computer unit's internal registry and of recording the O/S and third-party application startup environment, which comprises: (a) analyzing the hard disk for the existence of all key directories and files; (b) recording the vital statistics of all directory information: number of files, directory size and other information; (c) recording the vital statistics of each key file, such as file creation time, last-modified time and file size; and (d) recording the internal registry of the computer unit.

In another embodiment, the invention also provides a real-time method of detecting the state initiated by the internal computer unit environment, which comprises: (a) monitoring the active window task manager for all identifiable window codes (handles); (b) intercepting the operating system messages passed between third-party applications (programs) and the O/S; (c) detecting any change in a key O/S file or third-party startup file; (d) detecting any change in the key sections of the registry; (e) sending an inter-process communication message to any identifiable window code present in the active task manager; and (f) sending a real-time forensic report defining the detected state to a monitoring station.

In another embodiment, the invention also provides a real-time method of transmitting this vital information to, and storing it on, a storage device (monitoring station).

This paper size conforms to Chinese National Standard (CNS) A4 (210 x 297 mm).
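Mapping steps (a) to (c) and the comparison behind detection step (c), as an added example in Python that is not part of the patent: per file it records size, last-modified and creation time, per directory the entry count and byte total, saves the baseline as JSON (the patent speaks of a structured ASCII file; JSON is this example's choice), and reports added, removed and modified entries. The directory layout and file names in demo() are constructed for illustration.

```python
# Added example (not the patent's code): a baseline "electronic map" of a
# startup directory and a comparison pass that reports what changed.
# The patent stores its map in a structured ASCII file; JSON is this
# example's choice.  Directory layout and file names in demo() are
# constructed for illustration.
import json
import os
import tempfile
import time


def snapshot(root):
    """Record, per file, the statistics the summary lists (size, last-modified
    time, creation time) and, per directory, its entry count and byte total."""
    files, dirs = {}, {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        total = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            # st_ctime is the creation time on Windows; on POSIX it is the
            # inode change time, so it is recorded but not relied upon below.
            files[os.path.relpath(path, root).replace(os.sep, "/")] = {
                "size": st.st_size, "mtime": st.st_mtime, "ctime": st.st_ctime}
            total += st.st_size
        dirs[rel_dir] = {"entries": len(filenames) + len(dirnames), "bytes": total}
    return {"taken": time.time(), "files": files, "dirs": dirs}


def save_snapshot(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, sort_keys=True, indent=1)


def load_snapshot(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Differences between two snapshots: files added, removed or modified
    (size or mtime differs) and directories whose statistics changed."""
    b, c = baseline["files"], current["files"]
    report = {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "modified": sorted(p for p in set(b) & set(c)
                           if (b[p]["size"], b[p]["mtime"]) != (c[p]["size"], c[p]["mtime"])),
    }
    bd, cd = baseline["dirs"], current["dirs"]
    report["dir_changes"] = sorted(d for d in set(bd) | set(cd) if bd.get(d) != cd.get(d))
    return report


def demo():
    """Build a small constructed tree, baseline it, tamper with it and return
    the comparison report."""
    root = tempfile.mkdtemp()
    startup = os.path.join(root, "startup")
    os.makedirs(startup)
    with open(os.path.join(startup, "boot.ini"), "w") as fh:
        fh.write("[boot loader]\n")
    with open(os.path.join(startup, "autoexec.bat"), "w") as fh:
        fh.write("@echo off\n")
    base_path = os.path.join(root, "baseline.json")  # kept outside the mapped tree
    save_snapshot(snapshot(startup), base_path)
    # Simulated intrusion: a new file is dropped and a startup file is
    # extended to launch it.
    with open(os.path.join(startup, "dropper.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)
    with open(os.path.join(startup, "autoexec.bat"), "a") as fh:
        fh.write("start dropper.exe\n")
    return compare(load_snapshot(base_path), snapshot(startup))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison keys on size and mtime only; on POSIX the recorded ctime is the inode change time rather than a creation time, so it is kept for the record but not used as a change criterion. A practitioner would add a content hash to the per-file record, since an attacker who preserves size and timestamps defeats a stat-only baseline.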

In one aspect of the invention, the logged and stored data may be transmitted by a client computer unit and received by a second computer unit (the monitoring station), which lets a manager view the current internal operating environment of the client computer unit, and that environment can be managed and controlled from the second computer unit (monitoring station).

In another aspect, the invention may include the ability to report to the monitoring station, in a real-time environment, any unknown modification of the key O/S, registry or application startup files made by an unknown program, and to reverse those modifications back to their original state.

In another aspect, the invention may include the ability to log and analyze the "penetration pattern" of an unknown program that attempts to substantially modify, collect, report, start a task or destroy information on a computer unit.

In another aspect, the invention may include the ability to transmit this "penetration pattern" to the monitoring station and to analyze the pattern against all the other computer units, in order to determine the best way to stop the automated modification; this can be carried out across the whole local area network (LAN) or wide area network (WAN).

Brief Description of the Drawings

Non-limiting and non-exhaustive embodiments of the invention are described with reference to the following figures, in which like reference numerals refer to like parts throughout the various figures unless otherwise specified.

Figure 1 is a flow diagram of a network system in which an embodiment of the invention may be implemented.

Figure 2 is a flow diagram of the "electronic mapping" of a computer unit's internal registry information relating to the startup ("boot") of the computer unit and the startup of all third-party applications.

Figure 3 is a flow diagram of the "electronic mapping" of all key directories and files relating to the startup ("boot") of a computer unit.

Figure 4 is a flow diagram of the "electronic mapping" of all key directories and files relating to the startup of all third-party applications (programs).

Figure 5 is a flow diagram of a method of intercepting all messages generated between the operating system and the third-party application.

Figure 6 is a flow diagram of a method of sending an inter-process communication message to any identifiable window code listed in the active task manager.

Figure 7 is a flow diagram of the process of collecting all computer unit (machine environment) information inside the computer unit and organizing it so that the data can be transmitted automatically to a monitoring station.

Figure 8 is a flow diagram of the process of automatically collecting all computer unit (machine environment) data from all computer units on a local area network (LAN) or wide area network (WAN).

Figure 9 is a flow diagram of the process of automatically analyzing the "penetration pattern" of a foreign executable program that penetrates a computer unit to collect, report, start a task or destroy information on that computer unit.

Figure 10 is a flow diagram of the process of automatically reversing any computer unit (machine environment) change that a foreign executable program may initiate inside the computer unit.

Figure 11 is a block diagram of a structured signal file that captures all forensic data relating to the "penetration pattern" and is transmitted to and stored at the monitoring station.

Figure 12 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software registry section.

Figure 13 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft registry section.

Figure 14 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Run registry section.


Figure 15 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_CLASSES_ROOT:CLSID registry section.

Figure 16 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_CLASSES_ROOT:CID registry section (if present).

Figure 17 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved registry section.

Figure 18 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run registry section.

Figure 19 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnce registry section.

Figure 20 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnceEx registry section.

Figure 21 is a flow diagram of the process of automatically detecting, in a real-time environment, any unauthorized modification of the HKEY_CURRENT_USER:Software registry section.

Figure 22 is a block diagram of the different ways of starting the "protective umbrella" over the whole PC desktop environment.

Figure 23 is a flow diagram of the parallel threads controlled by a main application thread of the monitoring station.

Figure 24 is a flow diagram detailing the comparative analysis of the forensic penetration data.

Μ具體實詳細說明 在=匕處=說明中,提供了許多特定細節,例如系統,元件 ’”万法及處理的說明,以提供為本發明具體實施例的完整瞭 解。然而相關技藝之專業人士將可瞭解到,本發明可在不JL 有:或多個特定細節之下來實施,或利用其它方法,元件: 材料’零件或類似者β在其它狀況下,所熟知的 或作業並未詳細顯以描述,以避免混淆本發”範圍。 整個規格中參考到“ 一具體實施例,,者係指配合該具體實 施例所描述:特殊特徵’結構或特性’其係包含在本發明的 至少一具體實施例中。因此,在此規格中許多地方出現用語 “在-具體實施例中”並不必要全部代表相同的具體實施例。 再者’該特殊特徵,結構或特性可用任何適當的方式來結合 在一或多個具體實施例中。 概略而言,本發明一具體實施例提供一種系統及方法,用 以即時監看,記綠及/或控制該内部環境,例如為一實際個 人電腦(PC)機器(電腦單元)活動,其係關於在該工作管理員 内所列出的活動可辨識Wind0w®代碼,在所有應用(程式)及 該作業系統之間處理的視窗訊息,所有關鍵作業系統檔案, 啟動程式及所有關鍵的獨立應用(程式)檔案之註冊登綠,其 控制了 一電腦單元的該啟動(初始化),及控制了安裝在該電 腦單元上所有應用(程式)的該啟動(初始化)。雖然本發明的 不同具體實施例及特徵在此揭示内容中係以Windows作業系 統的% i兄來况明’在此揭示内容中所說明的本發明不同具 體實施例及特徵可應用到其它應用程式,其並非想要必須 -10- 本紙張尺度適用中國國家樣準(CNS) A4規格(210X 297公釐) 574645 A7 ____B7 五、發明説明(8~)" ~ --- 限制在Windows作業系統的環境。 現在請參考圖丨,所示為可實施本發明的一網路系統之範 例。在此具體實施例中,該網路系統1〇〇包含複數個電腦單 兀(或工作站)105a_1〇5d及108,及一網路伺服器125。該電腦單 元105及108可包含個人電腦,工作站,筆記型電腦,伺服器, 及/或其它適當的運算裝置。該網路伺服器125也可實施為例 如一伺服咨,一電腦單元,工作站或其它適當裝置。舉例而 言,根據本發明一具體實施例,該電腦單元1〇5a_l〇5d其每個 可分別包含一客戶應用(探針公用應用程式)11〇a_U〇d,而一 些电腦單元105可不包含一客戶應用no。但是,在圖i中任何 的電腦單元105可以或也可不實施該客卢應用11〇。為了輔助 解釋本叙明不同具體貫施例的功能,任何或所有電腦 105d—般可稱之為電腦1〇5,而任何或所有客戶應用u〇a_u〇d 一般可稱之為客戶應用(探針公用應用程式)u〇。 一些電腦單元根據本發明的一具體實施例可包含一管理 者(監看)應用115。在圖範例中,電腦單元(監看站)1〇8包 含該管理者應用115。但是,圖1中任何其它電腦單元也可實 施該管理者(監看)應用U5。 ' 圖1之電知單元可隸合於例如一線路集線器12〇。 一習用網路介面卡或LAN轉接器(未示出)基本上係實施在 圖1的每個電腦單元中,用以操作在該網路系統内的每個電 腦單元。一網路介面卡基本上係做為一給定電腦單元及該 網路系統中該纜線之間的一介面。一網路介面卡使用一特 殊化的處理器及程序來移動資料在該給定電腦單元的記憶 -11 - 本紙張尺度適用中國國家標準(CNS) A4規格(210X 297公釐) 574645 A7 B7 五、發明説明(9 ) 體,與附著於該給定電腦單元之網路纜線之間。 在一具體實施例中,本發明允許在具有該客戶應用110的 電腦單元105中追蹤所有内部機器組態輪廓檔(啟動)。所有内 部機器活動,或在這些活動中的改變係由該客戶應用110所 監看。該客戶應用110共存於一電腦單元105的作業系統,並 做為一非侵入式機器活動監看。舉例而言,假設該電腦單元 105開始一第三方程式130,且該程式活動及其啟動資訊在該 電腦單元105中來監看。在該電腦單元105中的該客戶應用110 將決定每個活動狀態,及該活動狀態對於日常作業是否為 正常。該客戶應用110固定地循環,比較初始記錄的内部組 態輪廓檔,與當該電腦單元105執行時的其目前輪廓檔。 在一具體實施例中,該客戶應用110為一公用應用程式, 其係在 Microsoft Visual C++及在 Microsoft 32 Bit API環境中設計 及開發。該客戶應用110以兩種不同的方法來存取該習用的 Windows作業系統資訊,其為1)經由一完全可再利用的C++函 式庫,即習知的Microsoft基礎類別(MFC);或2)經由與作業系 統原有函式的直接介面,稱之為Microsoft應用程式介面(API)。 該MFC隱藏該基本,(高階)應用程式介面(API),其中一程 
式師通常使用及提供一摘要發展層,其允許一程式師來設 計/開發一 Microsoft Windows多重串列公用應用程式,而不需 要知道在該Microsoft作業系統内每個原始獨立API的實際細節 。另外陳述的是,該MFC為一群組的API,其使得程式師較為 容易進行軟體設計及開發。 在開發程式中,如本技藝專業人士所熟知,一 ♦列為一程 -12- 本紙張尺度適用中國國家標準(CNS) A4規格(210 X 297公釐)The detailed description of Μ is provided in the description. Many specific details are provided, such as the description of the system, components, and methods to provide a complete understanding of the specific embodiments of the present invention. However, professionals of related skills It will be understood that the present invention can be implemented without JL: or more specific details, or using other methods, components: materials' parts or similar β in other conditions, well-known or operations are not shown in detail Take the description to avoid confusing the scope of this post. Throughout the specification, reference is made to "a specific embodiment," which refers to the description of the specific embodiment: the special feature 'structure or characteristic' is included in at least one specific embodiment of the present invention. Therefore, in this specification The appearance of the word "in-specific embodiment" in many places does not necessarily all represent the same specific embodiment. Furthermore, 'the particular feature, structure, or characteristic may be combined in any suitable manner in one or more specific embodiments. 
In summary, a specific embodiment of the present invention provides a system and method for real-time monitoring, recording green and / or controlling the internal environment, such as an actual personal computer (PC) machine (computer unit) activity, which is Regarding the activities listed in the task manager, Wind0w® codes are recognized, window messages processed between all applications (programs) and the operating system, all critical operating system files, startup programs, and all critical stand-alone applications ( Program) file registration green, which controls the startup (initialization) of a computer unit, and controls the computer unit installed The startup (initialization) of all the applications (programs) on the above. Although the different specific embodiments and features of the present invention are described in this disclosure with the %% of the Windows operating system, 'this document described in this disclosure Different specific embodiments and features of the invention can be applied to other applications, which are not intended. -10- This paper size applies to China National Standard (CNS) A4 specification (210X 297 mm) 574645 A7 ____B7 V. Description of the invention (8 ~) " ~ --- Limited to the Windows operating system environment. Now please refer to Figure 丨, which shows an example of a network system that can implement the present invention. In this specific embodiment, the network system 1〇 〇 Contains multiple computer units (or workstations) 105a 105d and 108, and a network server 125. The computer units 105 and 108 may include personal computers, workstations, notebook computers, servers, and / or other appropriate Computing device. The network server 125 may also be implemented as, for example, a servo server, a computer unit, a workstation, or other suitable device. 
For example, according to a specific embodiment of the present invention, the computer server Each element 105a_105d may include a client application (probe utility) 11a_U〇d, and some computer units 105 may not include a client application no. However, any computer unit in FIG. 105 may or may not implement the guest application 11. In order to assist in explaining the functions of the different specific embodiments described in this description, any or all computers 105d may be generally referred to as computer 105, and any or all customer applications u 〇a_u〇d can generally be referred to as a client application (probe utility) u. Some computer units may include a supervisor (monitoring) application 115 according to a specific embodiment of the present invention. In the example of the figure, the computer The unit (monitoring station) 108 contains the manager application 115. However, any other computer unit in Figure 1 can also implement the supervisor (watch) application U5. 'The electronic knowledge unit of FIG. 1 may be attached to, for example, a line hub 120. A conventional network interface card or LAN adapter (not shown) is basically implemented in each computer unit of FIG. 1 to operate each computer unit in the network system. A network interface card is basically used as an interface between a given computer unit and the cable in the network system. A network interface card uses a special processor and program to move data in the memory of a given computer unit. 11-This paper size applies to China National Standard (CNS) A4 specifications (210X 297 mm) 574645 A7 B7 5 The invention description (9) body and the network cable attached to the given computer unit. In a specific embodiment, the present invention allows tracking of all internal machine configuration profiles (start-up) in the computer unit 105 having the client application 110. All internal machine activities, or changes in these activities, are monitored by the customer application 110. 
The client application 110 co-exists in the operating system of a computer unit 105 and is monitored as a non-intrusive machine activity. For example, it is assumed that the computer unit 105 starts a third-party program 130, and the program activity and its startup information are monitored in the computer unit 105. The client application 110 in the computer unit 105 will determine each activity state and whether the activity state is normal for daily operations. The client application 110 cycles cyclically and compares the internal configuration profile of the initial record with its current profile when the computer unit 105 executes. In a specific embodiment, the client application 110 is a public application program, which is designed and developed in Microsoft Visual C ++ and Microsoft 32 Bit API environment. The client application 110 accesses the conventional Windows operating system information in two different ways, which is 1) via a fully reusable C ++ library, known as the Microsoft Foundation Class (MFC); or 2 ) Through the direct interface with the original function of the operating system, it is called the Microsoft Application Programming Interface (API). The MFC hides the basic, (high-level) application programming interface (API), in which a programmer usually uses and provides a summary development layer that allows a programmer to design / develop a Microsoft Windows multiple serial utility application without You need to know the actual details of each of the original independent APIs within this Microsoft operating system. What's more, the MFC is a group of APIs, which makes it easier for programmers to design and develop software. In the development of the program, as is well known to those skilled in the art, ♦ is listed as a journey -12- This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm)

裝 訂Binding

574645574645

式的-部份’其可獨立地執行其它部份。支援多重串列的作 業系統使得程式師可設計出程^,其有串㈣部份可由作 業系統同時地執行。 如上所述,該MFC係用於“高階,,作業系統函式。對於該 低階函式,藉由該實際Wind〇ws作業系統原始獨立函式來 利用一 Micmsoft 32位元ΑΠ介面,用以取得目前作業系統機器 組態及活動狀態。 現在概述該管理者應用115的一具體實施例之作業。該監 看站(或管理者應用)1〇8,其可存在於例如一標準電腦單元 PC或網路伺服器,收集與維持所有組態,鑑識資料及管理策 略,其係實施在整個具有該客戶應用1丨〇的網路環境中。 如圖23所示,當該監看站115啟始時’該主要應用_列啟始 一系列的子串列(“平行串列,,),其皆為平行,並由該主要應 用串列所控制。每個啟始的平行串列即指定一工作來收集 與記綠相對於每個客戶應用110的作業環境的資料。 該第一平行串列指定來查詢(2310)該網路系統100中任何結 構化的信號檔案,其可包含在每個運作一客戶應用u〇的電 腦單元105上的組態資料。當此第一平行串列收集組態資料 ’此串列即分析(2315)該組態資料,並儲存(2320)在該管理應 用1 15局部位置處的該組態資料。此資料為該客戶應用1 1Q的 冤全組態環境,其定義所有Ο/S檔案的“電子足跡”,所以‘‘第 三方”啟動資料,及所有電腦註冊資料。 該第二平行串列指定來查詢(2325)網路系統1〇〇中任何結構 化信號檔案,其可在運作一客戶應用110的每個電腦單元105 -13- 本紙張尺度適用中國國家標準((:;1^3) A4規格(210 X 297公釐) 574645 A7 B7 11 五、發明説明( 上包含鑑識或“穿透樣式,,資料。當此第二平行串列輪詢該網 路系統100,如果鑑識資料由該客戶應用11〇傳送,該管理應 用115知收术與儲存(2320)要在管理應用i丨5内顯示印25)之資 料,其為泫管理者(或使用者)所需要(選擇)。 该第二平行串列指定來傳送(234〇)組態及運作政策結構化 檔案到個別的每個客戶應用11〇或整體所有客戶應用。該串 列傳运孩結構化檔案,其中該管理者(或使用者)已經產生及 足義成一政策結構化信號檔案,並選擇來經由該網路系統 100傳送(展開)該政策。 該第四,第五及第六平行串列為一系列指令,及控制結構 化仏號^案,其係傳送(展開)到每個客戶應用1 1〇,其在某些 條件下中止(2345)該客戶應用u〇。每個“關機”或中止信號對 於一客戶應用110具有一不同的效應。一旦一客戶應用丨川重 新開始或啟始時,該客戶應用1〇〇可以:(丨)繼續其正常活動 ,(2)初始化其安裝順序,並在其相關的電腦單元ι〇5上收集 新組悲頁料,及/或(3)維持中止,直到一 “恢復,,結構化信號檔 案由該管理應用115傳送。 在該管理應用115中其餘的串列及程式(圖23中未示出),其 執伃例行的管理功能,如顯示資料,檔案化資料,並允許使 用者視需要來匯出或抹除資訊。 現在請參考圖2,用於討論根據本發明一具體實施例的該 客戶應用之功能性機制。特別是,圖2所示為電腦單元内部 1王冊資訊的‘‘電子映射,,之流程圖,其係關於一電腦單元1〇5 的孩啟動“開機,,,及所有第三方應用的該啟動(例如在圖1中 -14 - 574645 A7 ____ B7__ 五、發明説明(12 ) 的第三方應用130)。其可注意到,一第三方應用可例如由一 使用者安裝在任何的電腦單元1〇5中,或玎由一資料網路下 載到任何的電腦單元1〇5,例如網際網路。 一旦啟動一客戶應用丨1〇,該客戶應用110執行一系列的平 行串列函式,其輪詢來查詢該作業系統有關高階資訊,並執 行一系列的獨立32位元API DLL來收集低階資訊。如本技藝 專業人士所知,一動態連結函式庫(DLL)為一可執行函式或 資料的儲存庫,其可由Windows應用來使用。基本上,一 DLL 提供一或多個特殊函式及一程式來藉由產生一靜態或動態 連結到該DLL來存取該函式。一靜態連結在程式執行期間維 持固定,而一動態連結係依需要而由程式所產生。DLL也可 只包含資料。該連結器自動地在函式庫中搜尋在其它地方 找不到的程序。在MS-Windows環境中,函式庫檔案具有一別 的副檔名。 其輪詢的高階資訊包含該活動程式記憶體堆疊,其列出 所有目前在記憶體中進行的活動程式“代碼”。該活動中“焦 點視窗’’ “指向”到由該“終端使用者”目前使用的該應用。 所執行的獨立API DLL可包含下述:GTApprvd.dll,GTclsid.dll, GTCmpNm.dll, GTCUSoft.dll, GTDrvQry.dll GTKeyBrd.dll, GTKillAp.dll, GTMicrRun.dll, 
GTRegQry.dll, GTRegSoft.dll, GTRgstry.dll, GTRunExe.dll, GTRunWat.dll, GTShell.dll, GTShellExt.dll, GTShellNme.dll, GTSysMsg.dll, 及 GTTaskBar.dll 〇 每個獨立的DLL係由一高階平行串列所控制。其所收集的 低階資料(資訊)的範例為所有的註冊組態資料,在該Ο/S與相 -15- 本紙張尺度適用中國國家標準(CNS) A4規格(210 X 297公釐) 574645 A7 _____B7 五、發明説明(13 ) ~~B -- 對於視窗物件的第三方應用丨3 〇之間處理之所有的即時“核 心系統汛息,視窗種類,滑鼠移動,滑鼠選擇及1/〇運作。可 收集的額外低階資料可包含鍵盤中斷,註冊狀態(對於程式 初始化很重要的不同關鍵段落),應用指令,及傳送到應用, 程式管理員及工作列的控制信號。 在一客戶應用110的初始安裝期間,一平行串列函式被啟 始(方塊201),其啟始該32位元API DLL ,如此處所述’係由本 發明人設計及開發,且其取得一電腦單元1〇5的所有内部註 冊資訊。 该電腦單元105的内部機器註冊,維持了適當初始化該電 腦單元105所需要的每個程式實體程式的初始化表列,藉以 執行基本的Windows作業系統及所有那些程式,其為初始化 第三方應用130所需要。 一些第二方應用13〇需要某些程式來該作業系統初始啟動 時即被啟始,而其它的僅需要在使用者啟始該第三方應用 時才需要額外的程式。 在一具體實施例中,一旦該電腦單元的註冊資訊由該客 戶應用110取得,該註冊資訊儲存到記憶體陣列,並寫入一 結構化ASC檔案,其係儲存在該電腦單元1〇5中。-Partial 'which can independently execute other parts. A job system that supports multiple serializations allows programmers to design processes ^, and a part of them can be executed simultaneously by the job system. As mentioned above, the MFC is used for "high-level, operating system functions. For this low-level function, a Micmsoft 32-bit ΑΠ interface is used by the actual WindOws operating system original independent function to Obtain the current operating system machine configuration and activity status. The operation of a specific embodiment of the manager application 115 is now outlined. The monitoring station (or manager application) 108 may exist in, for example, a standard computer unit PC Or network server to collect and maintain all configurations, identification data and management strategies, which are implemented in the entire network environment with the client application 1 〇. As shown in Figure 23, when the monitoring station 115 is started At the beginning, the main application_column starts a series of sub-strings ("parallel strings,"), which are all parallel and controlled by the main application string. 
Each starting parallel series specifies a job to collect and record data relative to the operating environment of each client application 110. The first parallel series is designated to query (2310) any structured signal file in the network system 100, which may include configuration data on each computer unit 105 running a client application u0. When this first parallel series collects configuration data, this series analyzes (2315) the configuration data, and stores (2320) the configuration data at the local position of the management application 1 15. This information is the full configuration environment for the customer's application of 1Q, which defines the "electronic footprint" of all 0 / S files, so "third party" startup data, and all computer registration data. The second parallel serial designation To query (2325) any structured signal file in the network system 100, which can be used in each computer unit 105 of a customer application 110 -13- This paper size applies to Chinese national standards ((:; 1 ^ 3) A4 specification (210 X 297 mm) 574645 A7 B7 11 V. The invention description (including identification or "penetration pattern," data. When this second parallel series polls the network system 100, if the identification data is The client application 110 transmits, and the management application 115 knows that the receiving and storage (2320) data to be displayed in the management application i5 is printed on 25), which is required (selected) by the manager (or user). The second parallel serial designation is to transfer (234) the structured file of configuration and operation policies to each individual customer application 11 or to all of the customer applications as a whole. The serial delivery structured file in which the manager (or User) has been generated and sufficient Create a policy structured signal file, and choose to transmit (expand) the policy via the network system 100. 
The fourth, fifth, and sixth are serially arranged as a series of instructions, and control structured code ^ case, which The system transmits (expands) to each client application 1 10, which terminates (2345) the client application u0 under certain conditions. Each "shutdown" or suspension signal has a different effect on a client application 110. Once When a client application restarts or starts, the client application 100 can: (丨) continue its normal activities, (2) initialize its installation sequence, and collect new groups on its related computer unit ι05. The sad page material, and / or (3) remain suspended until a "recovery," and the structured signal file is transmitted by the management application 115. The remaining sequences and programs in the management application 115 (not shown in Figure 23) It performs routine management functions, such as displaying data, archiving data, and allowing users to export or erase information as needed. Please refer to FIG. 2 for a discussion of this method according to a specific embodiment of the present invention. Customer application Functional mechanism. In particular, Figure 2 shows the flow chart of `` electronic mapping '' of 1 book information inside the computer unit. It is a flowchart about the startup of a computer unit 105, and all This launch of the three-party application (for example, in Figure 1 -14-574645 A7 ____ B7__ V. Third-party application 130 of the invention description (12)). It may be noted that a third-party application may be installed by any user, for example, on any Computer unit 105, or downloaded from a data network to any computer unit 105, such as the Internet. Once a client application is launched, the client application 110 executes a series of parallel series Function that polls the operating system for high-level information and executes a series of independent 32-bit API DLLs to collect low-level information. 
As known to those skilled in the art, a dynamic link library (DLL) is a repository of executable functions or data that can be used by Windows applications. Basically, a DLL provides one or more specific functions, and a program accesses a function by generating a static or dynamic link to the DLL. A static link remains fixed during program execution, while a dynamic link is generated by the program as needed. DLLs can also contain data only. The linker automatically searches the library for procedures not found elsewhere. In the MS-Windows environment, library files have a different extension. The high-level information polled includes the active program memory stack, which lists all the active program "codes" currently in memory, and the event in which the "focus window" "points" to the application currently used by the "end user". The independent API DLLs executed may include the following: GTApprvd.dll, GTclsid.dll, GTCmpNm.dll, GTCUSoft.dll, GTDrvQry.dll, GTKeyBrd.dll, GTKillAp.dll, GTMicrRun.dll, GTRegQry.dll, GTRegSoft.dll, GTRgstry.dll, GTRunExe.dll, GTRunWat.dll, GTShell.dll, GTShellExt.dll, GTShellNme.dll, GTSysMsg.dll, and GTTaskBar.dll. Each independent DLL is controlled by a high-level parallel series. Examples of the low-level data (information) collected are all registration configuration data, all real-time "core system" message information for the window objects of third-party applications 130, window types, mouse movement, mouse selection, and I/O operations. Additional low-level data that can be collected includes keyboard interrupts, registration status (the different key paragraphs important for program initialization), application commands, and control signals sent to the application, program manager, and taskbar.
During the initial installation of a client application 110, a parallel-series function is started (block 201), which starts the 32-bit API DLL described herein, designed and developed by the inventor, and obtains all internal registration information of a computer unit 105. The internal machine registration of the computer unit 105 maintains an initialization list of each program entity required to properly initialize the computer unit 105, so as to run the basic Windows operating system, and of all those programs needed to initialize third-party applications 130. Some third-party applications 130 require certain programs to be started when the operating system is initially started, while others require additional programs only when the user starts the third-party application. In a specific embodiment, once the registration information of the computer unit is obtained by the client application 110, the registration information is stored in a memory array and written into a structured ASC file, which is stored in the computer unit 105.

Once all configuration data has been collected by the computer unit 105, the data is stored on the computer unit 105 itself and the following functions are started. A function is started when all registration CLASS configuration data is loaded into the memory array (block 211). A function is started when all registration CURRENT (current user) configuration data is loaded into the memory array (block 212). A function is started when all registration LOCAL configuration data is loaded into the memory array (block 213). A function is started when all registration USERS configuration data is loaded into the memory array (block 214). Once all registration data is loaded into memory, a parallel series starts (block 215) the series of low-level 32-bit API DLLs, which poll each defined registration paragraph to determine whether any registration data has been modified (block 216).

If the function in block 216, which determines whether a registration modification has been made, identifies a modification, the function reports (alerts) it to the management application 115 by generating and transmitting a structured signal file (block 218). If there is no registration modification, polling of the defined registration paragraphs continues (217) by returning to the function in block 215.

In block 218, the structured ASC file can be obtained electronically from the computer unit 105 and sent to the monitoring station 115 for detailed analysis by the network administrator.

The client application (probe entity program application) 110 is represented as starting in block 200. After the initial recording of the registration information (block 220), the parallel series (block 210), which commands the independent 32-bit API DLLs designed and developed by the inventor, starts a series of sub-functions (as described in blocks 211 to 218 above), which then monitor all registration information that changes in real time in the environment of the computer unit 105.

If a program that modifies any internal registration environment is started, the client application 110 generates an internal message to the main screen of the computer unit, warning the end user, and generates (transmits) a signal to the monitoring station.

If the registration modification is an unauthorized change not known to the user and/or network management, the modified internal registration information is reverted to its original state.

The configuration file, which is stored in the computer unit 105, maintains the defined configuration of the computer unit 105. When a modification occurs, the client application 110 refers to the stored configuration data and restores the computer unit to its original state as recorded before the unauthorized modification. The characteristics of the change are then stored in a structured ASC file and recorded as a penetration pattern. The computer unit 105 then generates (transmits) this penetration pattern file to the monitoring station 115 for further comparative analysis by the monitoring station. The comparative analysis started by the monitoring station is a series of parallel-series functions that compare the penetration patterns received from all computer units 105 (client applications 110) that transmit information to the monitoring station 115.

As shown in FIG. 24, the comparative analysis is performed by analyzing each structured signal file containing forensic penetration data. The file is first analyzed to establish the unauthorized modification, which is defined in the forensic file. Each unauthorized modification is compared (2400) with the forensic data from the other computer units 105 that have a client application 110, to establish a "horizontal pattern", that is, a consistency among the unauthorized modifications occurring across the entire network system 100. The next analysis (2405) determines the "window code" state of each computer unit 105 at the time the unauthorized modification occurred. By analyzing (2405) the "window code state", a "pattern" can be established for the "user condition" that initiated the unauthorized modification of the computer unit 105.

By performing this automated analysis of the modification, and of the user environment in which the modification was initiated, in a real-time environment, the management application 115 can quickly develop a "policy" and deploy (transmit) that policy to the entire network system 100 to automatically stop the unauthorized modification in each computer unit (block 2410).

As shown in FIG. 2, when the client application 110 is installed on a computer unit 105, the client application 110 starts a parallel series (block 201), which starts a series of sub-series that collect the registration information of the different defined paragraphs of the entire registration of the computer unit 105. The parallel series 201 is started at initial installation or at re-initialization, if the computer unit 105 has been updated with newly authorized software.

Each sub-series starts the independent 32-bit API DLL that collects the registration information within one defined paragraph. A sub-series (block 202) starts the 32-bit API DLL that collects all registration data under the HKEY_CLASSES_ROOT registration key. A sub-series (block 203) starts the 32-bit API DLL that collects all registration data under the HKEY_CURRENT_USER registration key. A sub-series (block 204) starts the 32-bit API DLL that collects all registration data under the HKEY_LOCAL_MACHINE registration key. A sub-series (block 205) starts the 32-bit API DLL that collects all registration data under the HKEY_USERS registration key.

All data collected by each 32-bit API DLL is combined by a function (block 206), which stores the data on the local computer unit 105. Once the data has been stored, a function is started (block 207), which transmits all registration configuration data to the management unit 108 having the monitoring application 115.

Reference is now made to FIG. 3 for a discussion of the functional mechanism of the client application 110 according to a specific embodiment of the present invention. In particular, FIG. 3 is a flow chart of the "electronic mapping" of all key directories and files relevant to the startup ("boot") of a computer unit 105.

During the initial installation of a client application 110, it starts an additional parallel-series function (block 340), which obtains all of the computer unit's internal directory and file information required when the operating system is started during startup (initial "boot").

The internal machine hard disk of the computer unit maintains a directory structure for properly
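The baseline-poll-revert loop of blocks 211 to 218, as an added example that is not the patent's code: the four registration paragraphs are held in a plain dictionary standing in for the hives the GTRegQry/GTRgstry DLLs would read, so the logic runs on any system. The baseline values, the `RUN_KEY` path, the `authorized` set and the `focus_window` tag are all constructed for the example; the pipe-separated layout of the "structured signal file" is also ours, since the patent does not specify one.

```python
"""Baseline-and-revert monitor over a simulated registry (constructed data)."""
import copy
from typing import Dict, List, Optional, Set, Tuple

# hive -> key path -> value name -> data; a stand-in for blocks 202-205's four paragraphs
Registry = Dict[str, Dict[str, Dict[str, str]]]
ValueId = Tuple[str, str, str]

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline, as blocks 202-205 would record it at install time.
BASELINE: Registry = {
    "HKEY_CLASSES_ROOT": {".txt": {"(Default)": "txtfile"}},
    "HKEY_CURRENT_USER": {RUN_KEY: {"OneDrive": r"C:\Users\u\OneDrive.exe"}},
    "HKEY_LOCAL_MACHINE": {RUN_KEY: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"}},
    "HKEY_USERS": {r"S-1-5-18\Environment": {"TEMP": r"C:\Windows\Temp"}},
}


def snapshot(registry: Registry) -> Registry:
    """Blocks 206-207: freeze the collected paragraphs so later polls compare against a fixed state."""
    return copy.deepcopy(registry)


def diff_registry(baseline: Registry, current: Registry) -> List[dict]:
    """Block 216: one record per value that was added, changed or deleted since the baseline."""
    changes = []
    for hive in sorted(set(baseline) | set(current)):
        b_keys, c_keys = baseline.get(hive, {}), current.get(hive, {})
        for key in sorted(set(b_keys) | set(c_keys)):
            b_vals, c_vals = b_keys.get(key, {}), c_keys.get(key, {})
            for name in sorted(set(b_vals) | set(c_vals)):
                old, new = b_vals.get(name), c_vals.get(name)
                if old != new:
                    changes.append({"hive": hive, "key": key, "name": name, "old": old, "new": new})
    return changes


def _set_value(registry: Registry, hive: str, key: str, name: str, data: Optional[str]) -> None:
    """Write `data` to the value, or delete the value when data is None."""
    vals = registry.setdefault(hive, {}).setdefault(key, {})
    if data is None:
        vals.pop(name, None)
    else:
        vals[name] = data


def poll(current: Registry, baseline: Registry, authorized: Set[ValueId], focus_window: str) -> List[dict]:
    """One pass of blocks 215-218.

    Changes the administrator has approved are folded into the baseline; every
    other change is reverted to the recorded state and reported as a
    penetration-pattern record tagged with the window code in focus (the
    "user condition" that the FIG. 24 analysis later correlates).
    """
    patterns = []
    for change in diff_registry(baseline, current):
        ident: ValueId = (change["hive"], change["key"], change["name"])
        if ident in authorized:
            _set_value(baseline, *ident, change["new"])
            continue
        _set_value(current, *ident, change["old"])  # revert to the baseline state
        patterns.append({**change, "window_code": focus_window, "action": "reverted"})
    return patterns


def to_signal_file(patterns: List[dict]) -> str:
    """Block 218: one pipe-separated record per line (field layout is ours, not the patent's)."""
    fields = ("hive", "key", "name", "old", "new", "window_code", "action")
    return "\n".join("|".join(str(p[f]) for f in fields) for p in patterns)


def demo() -> Tuple[List[dict], Registry, Registry]:
    baseline, live = snapshot(BASELINE), snapshot(BASELINE)
    # Constructed unauthorized event: a program registers itself to run at logon.
    live["HKEY_CURRENT_USER"][RUN_KEY]["Updater"] = r"C:\Users\u\AppData\Local\Temp\upd.exe"
    # Constructed authorized event: the administrator relocated OneDrive.
    live["HKEY_CURRENT_USER"][RUN_KEY]["OneDrive"] = r"C:\Program Files\OneDrive.exe"
    authorized = {("HKEY_CURRENT_USER", RUN_KEY, "OneDrive")}
    patterns = poll(live, baseline, authorized, focus_window="notepad.exe")
    return patterns, live, baseline


if __name__ == "__main__":
    print(to_signal_file(demo()[0]))
```

Running `demo()` reverts only the `Updater` value and leaves the approved `OneDrive` change in place; a second `diff_registry` call after the poll returns nothing, which is the invariant a polling loop like block 215 should maintain between passes.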

storing, classifying, and separating all directories and files required to start the computer unit 105, in order to properly run the basic Windows operating system and those programs that must run at startup time to initialize third-party applications 130. Once the directory and file information is obtained by the client application 110, that information is stored in a memory array and written into a structured file stored in the computer unit 105. The structured file can be obtained electronically from the computer unit 105 by the monitoring station 115 for detailed analysis by the network administrator.

After the initial recording of the directory and file information, the parallel series (block 310), which directs these initial functions, starts a series of sub-functions that then monitor all directory and file information that changes in real time within the environment of the computer unit 105.

Once the main parallel series that controls the directory environment starts (block 310), a sub-function is started to load all stored directory configuration from the data file into the memory array (block 311). When the memory array is loaded, a parallel series is started that cycles through the directory structure of the computer unit 105, analyzing the defined directory structure of the computer unit 105 for any possible structural change. If a new directory is detected, the probe function (block 312) analyzes the internal contents of that directory and searches for any possible unauthorized program (block 313). If an unauthorized program is detected, a structured forensic signal file is generated and transmitted back to the computer unit (block 315). If no unauthorized program is detected, the probe "loops" back to the query function (block 313) and continues analyzing the directory structure for possible unauthorized programs.

If a program is started (where the program modifies any internal directory or file

environment), the client application 110 generates an internal message to the main screen of the computer unit, warning the end user, and generates (transmits) a signal to the monitoring station (block 315).

If the modification is an unauthorized change not known to the user and/or network management, the modified internal directory and/or file information of the computer unit is reverted to its original state.

If an unauthorized program is detected in a directory, the function analyzing that directory refers to the stored configuration data, which defined the directory structure before the unauthorized program was detected. The defined directory structure is then analyzed in order to "revert", that is, remove, the new directory containing the unauthorized program.

The revert function starts by comparing the previous structural "footprint" of the directory with the new (unauthorized) "footprint", and then executes the revert by erasing the new directory holding the unauthorized program, or, if an unauthorized program was moved into an existing directory, by removing only the unauthorized program.

The characteristics of the change are then recorded in a structured ASC file and logged as a penetration pattern. The computer unit 105 then generates (transmits) this penetration pattern file to the monitoring station 115 for further comparative analysis by the monitoring station 115.

The comparative analysis started by the monitoring station 115 is a series of parallel-series functions that compare all penetration patterns received from all computer units 105 (client applications 110) that transmit information to the monitoring station 115.

When the client application 110 is installed on the computer unit 105, a main parallel series is started (block 340), which starts a series of sub-functions to scan the entire computer unit 105 in order to record all existing directories (folders) and subdirectories (subfolders). A sub-function is started (block 341) to analyze the O/S directory structure and to store
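The directory "footprint" probe and revert rule of FIG. 3 (blocks 310 to 315 and 340 to 341), as an added example that is not the patent's code. It runs on a temporary directory tree constructed inside `demo()`, so nothing on the real system is touched; the definition of "unauthorized program" (any program-type file absent from the baseline footprint) and the file names used are the example's own assumptions.

```python
"""Directory footprint baseline, probe and revert on a constructed temp tree."""
import os
import shutil
import tempfile
from typing import Dict, List, Set, Tuple

PROGRAM_EXTS = {".exe", ".dll", ".com", ".bat", ".scr"}   # our definition of a "program" file
Footprint = Tuple[Set[str], Set[str]]                      # (directories, files), root-relative


def footprint(root: str) -> Footprint:
    """Blocks 340-341: record every directory and file below root."""
    dirs: Set[str] = set()
    files: Set[str] = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel != ".":
            dirs.add(rel)
        for name in filenames:
            files.add(os.path.normpath(os.path.join(rel, name)))
    return dirs, files


def is_program(relpath: str) -> bool:
    return os.path.splitext(relpath)[1].lower() in PROGRAM_EXTS


def _ancestors(relpath: str) -> List[str]:
    """Parent directories of relpath, nearest first."""
    out, parent = [], os.path.dirname(relpath)
    while parent:
        out.append(parent)
        parent = os.path.dirname(parent)
    return out


def probe(root: str, baseline: Footprint) -> List[Dict[str, str]]:
    """Blocks 312-315 plus the revert rule: a program inside a directory that did
    not exist at baseline time is reverted by erasing the outermost new directory;
    a program dropped into an existing directory is reverted by deleting only that
    file. Every revert is returned as a penetration-pattern record."""
    base_dirs, base_files = baseline
    cur_dirs, cur_files = footprint(root)
    new_dirs = cur_dirs - base_dirs
    records: List[Dict[str, str]] = []
    erased: Set[str] = set()
    for rel in sorted(cur_files - base_files):
        if not is_program(rel):
            continue                                  # data files are not "unauthorized programs"
        new_parents = [d for d in _ancestors(rel) if d in new_dirs]
        if new_parents:
            top = new_parents[-1]                     # outermost new directory
            if top not in erased:
                shutil.rmtree(os.path.join(root, top))
                erased.add(top)
            records.append({"program": rel, "action": "erased_new_directory", "target": top})
        else:
            os.remove(os.path.join(root, rel))
            records.append({"program": rel, "action": "removed_file", "target": rel})
    return records


def demo() -> Tuple[List[Dict[str, str]], Footprint, Footprint]:
    root = tempfile.mkdtemp(prefix="footprint_")
    try:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(sys32)
        for path in (os.path.join(sys32, "kernel32.dll"), os.path.join(root, "Windows", "win.ini")):
            open(path, "w").close()
        baseline = footprint(root)                    # constructed "clean" state

        # Constructed events after the baseline was taken:
        os.makedirs(os.path.join(root, "Temp", "drop"))
        open(os.path.join(root, "Temp", "drop", "payload.exe"), "w").close()  # new dir + program
        open(os.path.join(sys32, "update.exe"), "w").close()                   # program in existing dir
        open(os.path.join(root, "Windows", "notes.txt"), "w").close()          # data file, left alone

        records = probe(root, baseline)
        return records, baseline, footprint(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```

After `probe()` the directory set equals the baseline again and the only surplus file is the non-program `notes.txt`, which shows why the patent pairs the structural footprint (directories) with a separate check on file contents for the files it does keep.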

detailed analysis.

After the initial recording of the directory and file information, the parallel series (block 410) starts a series of sub-functions (block 413), which then monitor all directory and file information for real-time changes made by any third-party application started within the environment of the computer unit.

If a program starts and modifies any internal directory or file environment, the client application 110 generates an internal message to the main screen of the computer unit 105, warning the end user, and generates (transmits) a signal to the monitoring station 115.

If the modification is an unauthorized change not known to the user and/or network management, the modified internal directory and/or file information is reverted to its original state.

The characteristics of the change are then recorded in a structured ASC file and logged as a penetration pattern. The computer unit 105 then generates (transmits) this penetration pattern file to the monitoring station 115 for further comparative analysis by the monitoring station 115.

The comparative analysis started by the monitoring station 115 is a series of parallel-series functions that compare all penetration patterns received from all computer units 105 (client applications 110) that transmit information to the monitoring station 115. This comparative analysis is as described previously.
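The station-side comparative analysis of FIG. 24 (steps 2400 to 2410), as an added example that is not the patent's code: penetration-pattern records from several client applications are grouped to find a "horizontal pattern" (the same modification reported by more than one computer unit), the window code in focus on each reporting unit is tallied to establish the "user condition", and the result is turned into a policy record. The host names, record fields, `RUN_KEY` path and the two-host threshold are all constructed assumptions of the example.

```python
"""Horizontal-pattern and user-condition analysis over constructed penetration records."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
Ident = Tuple[str, str, str]   # (key, value name, new data) identifies one modification

# Constructed records, as several client applications 110 would transmit them to the station.
RECORDS: List[dict] = [
    {"host": "pc-01", "key": RUN_KEY, "name": "Updater", "new": r"C:\Temp\upd.exe", "window_code": "outlook.exe"},
    {"host": "pc-02", "key": RUN_KEY, "name": "Updater", "new": r"C:\Temp\upd.exe", "window_code": "outlook.exe"},
    {"host": "pc-03", "key": RUN_KEY, "name": "Updater", "new": r"C:\Temp\upd.exe", "window_code": "chrome.exe"},
    {"host": "pc-02", "key": RUN_KEY, "name": "Sync", "new": r"C:\Tools\sync.exe", "window_code": "explorer.exe"},
    {"host": "pc-04", "key": r"Environment", "name": "PATH", "new": r"C:\x;C:\Windows", "window_code": "cmd.exe"},
]


def group_by_modification(records: List[dict]) -> Dict[Ident, Set[str]]:
    """Step 2400: which hosts reported each distinct modification."""
    hosts: Dict[Ident, Set[str]] = defaultdict(set)
    for rec in records:
        hosts[(rec["key"], rec["name"], rec["new"])].add(rec["host"])
    return hosts


def horizontal_patterns(records: List[dict], min_hosts: int = 2) -> List[Tuple[Ident, Set[str]]]:
    """Modifications seen on at least `min_hosts` distinct units, widest first."""
    grouped = group_by_modification(records)
    wide = [(ident, hosts) for ident, hosts in grouped.items() if len(hosts) >= min_hosts]
    return sorted(wide, key=lambda item: (-len(item[1]), item[0]))


def user_condition(records: List[dict], ident: Ident) -> Counter:
    """Step 2405: tally the window code in focus when each unit reported this modification."""
    key, name, new = ident
    return Counter(r["window_code"] for r in records
                   if (r["key"], r["name"], r["new"]) == (key, name, new))


def build_policy(records: List[dict], min_hosts: int = 2) -> List[dict]:
    """Step 2410: one policy entry per horizontal pattern, ready to deploy to every client."""
    policy = []
    for ident, hosts in horizontal_patterns(records, min_hosts):
        condition = user_condition(records, ident)
        trigger, _count = condition.most_common(1)[0]
        policy.append({
            "key": ident[0], "name": ident[1], "block_value": ident[2],
            "hosts": sorted(hosts), "trigger_window": trigger,
            "action": "revert_and_alert",
        })
    return policy


if __name__ == "__main__":
    for entry in build_policy(RECORDS):
        print(entry)
```

The grouping key deliberately includes the new data, not just the value name, so that a legitimate per-host edit of the same value (different data on each unit) is not mistaken for a coordinated pattern.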

When the parallel series (block 410) is started, a function is started in block 411, and this function loads all third-party "startup" information into the memory array. Once the function (in block 411) has completed its work, an additional function (block 412) is started, which loads the "key file signature" of every third-party ".ini" (initialization) file into the memory array.

After all information has been loaded into memory, the parallel series that started the above functions starts (413) a polling function (block 414), which cycles continuously, comparing all third-party "startup" information and ".ini" file information against the previously recorded information stored in the memory array.

If an unauthorized modification is detected, the function (in block 414) generates a structured signal file and transmits it to the management application 115. If no unauthorized modification is detected, the function continues its loop (block 415), returning to the polling function started in block 414.

A series of additional parallel series is started to collect and manage all operating system (O/S) messages generated between the O/S and all third-party applications. These series start a series of MFC functions and/or the independent 32-bit API DLLs designed and developed by the inventor. These MFC functions and 32-bit API DLLs start a series of operating system (O/S) "hooks" and MFC interconnections that monitor and collect real-time data from the memory buffers concerning mouse movement, application-to-O/S messages, device access, keyboard access, communication port access, Internet browser access, application focus, e-mail management, disk file movement, the active window code task list, drive (media) management, taskbar management, and program manager management.

When the client application 110 is installed on the computer unit 105, a parallel series is started (block 440), which initializes a function (block 441) that scans the computer unit 105 for all "third-party" "startup" files that may exist in the computer unit.

When that function (block 441) has completed, an additional function is initialized (block 442), which scans all ".ini" (initialization) files in the computer and records the "key file signature" of each file within the computer unit 105.

On completion of that function (block 442), a function (block 443) combines the information and stores all data in a physical file within the computer unit 105. On completion of the function in block 443, an additional function (block 444) is started, which begins the maintenance polling series described for block 410.

Reference is now made to FIG. 5 for a discussion of an additional functional mechanism of the client application 110 according to a specific embodiment of the present invention. In particular, FIG. 5 is a flow chart of a method for intercepting all messages generated between the operating system 129 and the third-party applications 130.

A series of MFC functions and 32-bit API DLLs designed and developed by the inventor start (block 505) a series of operating system (O/S) "hooks" and MFC interconnections that monitor and collect, from the memory buffers, real-time data about mouse movement and application-to-O/S messages. These hooks are part of the "open architecture" development of Microsoft Windows. FIG. 5 shows a "hook" sequence into the actual Microsoft O/S core, from which at least part of the following can be captured: all window object identifiers (IDs), window object types, mouse movement, mouse commands, and integer passing, which are handled between the O/S core and all application activity.

A parallel series is started (500), which starts the independent 32-bit API DLL (505), designed and developed by the inventor, which establishes a "hook" into the actual O/S core. The "hook" establishes an interconnection with the WH_SYSMSG ID (block 510), which monitors the core interrupts for mouse movement and mouse activity (block 515) and for dialog box, menu, and list box activity, defines the window object ID and window object type (block 520), and receives an O/S message as the mechanism operation being executed by the core (block 525).

Based on the information received under the WH_SYSMSG ID, the "hook" can pass its ID (block 535) to the WH_CBT ID to collect further information about the O/S core mechanism that is being started in a real-time environment.

The information received by the core system "hook" is compared with the other information and intercepts the "high-level" O/S information, for example by analyzing the active window code list, the window focus code, and the memory arrays currently storing all registration state and O/S and third-party "startup" information, which together represent a "picture" intercepted by the client application of the actual "real-time" machine and user condition (or event) being started on the computer unit (block 545).

The 32-bit API DLL designed and developed by the inventor passes all intercepted signal messages, including window object access, window object type (520), menu or dialog box object ID, and mouse movement and position. Based on the signals (integers) received from the API, the MFC parallel series managing the central processing unit (CPU) can determine the course of action started by the user. This information (525) is then processed (545) in a real-time environment to determine the user's "intent" and whether the user's action is authorized or unauthorized.

Reference is now made to FIG. 6 for a discussion of the purpose of an additional functional mechanism of the client application 110 according to a specific embodiment of the present invention. In particular, FIG. 6 is a flow chart of a method for transmitting an inter-process communication message to any identifiable window code present in the active task manager list.

The independent 32-bit API DLL designed and developed by the inventor receives real-time state information from the existing MFC parallel series, which determines whether the user action or internal program activity is legal or illegal. Legality is determined by comparing the actual activity with all of the parallel series (FIGS. 1 to 5) that monitor the registration, O/S, third-party integrity, and operating system core messages of the computer unit 105.

If a user or program activity is judged to be illegal, the parallel series starts
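The ".ini" key-file-signature and startup-information polling of blocks 411 to 415 and 441 to 444, as an added example that is not the patent's code. The patent does not state how its "key file signature" is computed, so this example assumes SHA-256 of the file contents; the "startup" information it parses is the classic `run=`/`load=` lines of the `[windows]` section in a win.ini-style file, and the file contents in `demo()` are constructed.

```python
"""Key-file signatures and startup entries for .ini files on a constructed temp tree."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Signatures = Dict[str, str]   # root-relative path -> hex digest


def file_signature(path: str) -> str:
    """Our assumed 'key file signature': SHA-256 over the file contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sign_ini_files(root: str) -> Signatures:
    """Block 442: record a signature for every .ini file below root."""
    sigs: Signatures = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".ini"):
                full = os.path.join(dirpath, name)
                sigs[os.path.relpath(full, root)] = file_signature(full)
    return sigs


def startup_entries(ini_text: str) -> List[str]:
    """Block 441: programs named by run=/load= in the [windows] section of a win.ini-style file."""
    entries: List[str] = []
    in_windows = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
        elif in_windows and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                entries.extend(p.strip() for p in value.split(",") if p.strip())
    return entries


def poll_signatures(root: str, baseline: Signatures) -> List[Tuple[str, str, str]]:
    """Block 414: (path, old_digest, new_digest) for each .ini added, changed or removed;
    an empty digest marks 'absent' on that side."""
    current = sign_ini_files(root)
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path, ""), current.get(path, "")
        if old != new:
            changes.append((path, old, new))
    return changes


def demo() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    root = tempfile.mkdtemp(prefix="ini_")
    try:
        win_ini = os.path.join(root, "win.ini")
        clean = "[windows]\nload=\nrun=\n[fonts]\n"              # constructed clean file
        with open(win_ini, "w") as fh:
            fh.write(clean)
        baseline = sign_ini_files(root)                          # block 442 at install time

        tampered = "[windows]\nload=\nrun=C:\\Temp\\upd.exe\n[fonts]\n"   # constructed modification
        with open(win_ini, "w") as fh:
            fh.write(tampered)

        changes = poll_signatures(root, baseline)                # block 414 detects the change
        new_programs = sorted(set(startup_entries(tampered)) - set(startup_entries(clean)))
        return changes, new_programs
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The signature poll only says that `win.ini` changed; parsing the startup entries of the old and new contents is what tells the operator which program was added, which is the detail a structured signal file to the management application 115 should carry.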

the independent 32-bit API designed and developed by the inventor, which terminates the program activity that is currently the main focus of the user or of the unattended computer.

A parallel series is started (block 605), which cycles through the active window management task list of all identifiable active codes in the computer unit 105. This parallel series cycles continuously, monitoring window I/O (block 610) and monitoring the actual window code in focus for the user of the computer unit.

Based on the information processed as described in FIGS. 1 to 5, if an unauthorized event is being started in the computer unit 105, the parallel series (block 610) transmits an automatic inter-process communication (IPC) signal message WM_QUIT (block 615) to the independent 32-bit API DLL designed and developed by the inventor (block 620), which accepts the IPC and transmits the WM_QUIT message (block 625) to the active window code currently in focus for the user.

The API then checks the state of the IPC to determine whether the transmitted IPC message succeeded, and transmits all information back to the main parallel series, which determines whether additional action (block 630) is necessary to stop the unauthorized event occurring in the computer unit 105.

Reference is now made to FIG. 7 for a discussion of the functional mechanism of the client application according to a specific embodiment of the present invention. FIG. 7 is a flow chart of the process of collecting all computer unit (machine environment) information within the internal computer unit 105 and organizing that information so that the data is transmitted automatically to a monitoring station 115.

The process of automatically collecting computer unit (machine environment) data on the internal computer 105 and organizing that information for automatic or "on request" transmission to a monitoring station 115 is managed by a parallel series (block 700), which receives a structured file signal from the monitoring station 115, as described above. If a signal has been received from the

The function in block 705 and the data represented in blocks 710a to 710d are similar to those described above with respect to Fig. 2. The function in block 715 and the data represented in blocks 720a to 720b are similar to those described above with respect to Fig. 3. The function in block 725 and the data represented in blocks 730a to 730b are similar to those described above with respect to Fig. 4.

The collected computer unit (machine environment) data is stored locally for retrieval and update by the probe (block 740). If a structured signal file is received from the monitoring station 115 (block 745), the collected machine environment data is transferred to the monitoring station 115, as described above.

Referring now to Fig. 8, additional functional mechanisms of the client application 110 according to one embodiment of the invention are discussed. In particular, Fig. 8 is a flowchart of the process that automatically collects all computer unit (machine environment) data from every computer unit 105 on a local area network (LAN) or wide area network (WAN), such as the network system 100.

The monitoring station 115 can receive all configuration data from a computer unit 105 automatically, or can send a structured signal file (initiated by the administrator) requesting that all configuration data be transmitted to the monitoring station 115.

Fig. 8 is the flowchart of an operation that takes place after the management application 115 and a client application 110 have been installed on the network system 100, provided that the network path has been set correctly so that the client application 110 can communicate with the management application 115. Basically, after the client application 110 has performed its analysis of the computer unit 105, it stores all information in its data file and converts all data into memory arrays (block 830).

A parallel thread (block 835) is then started to poll the status of the network connection and to ensure that all the paths the client application 110 needs in order to communicate with the management application 115 are established.

If the parallel thread (block 840) detects that the network is present, that is, all defined paths have been established correctly, the client application 110 transmits all data to the management application 115 (block 845).

The management application 115 also starts a parallel thread (block 802) that polls (block 805) to check the status of the network and whether the defined network path is established. If the overall network status is correct, the management application 115 automatically receives the structured signal file information from the client application 110.

When certain command and control instructions are initiated by the management application 115 through the user, for example an update request, an internal function (block 810) builds the structured signal file, which is then transmitted to the client application 110 (block 815). In one embodiment the structured signal file is transmitted through a network production directory (block 825), which may, for example, be local to the computer unit 105. The function returns the information to the main parallel thread, which then receives and processes the information received from the client application (block 820).

Referring now to Fig. 9, additional functional mechanisms of the client application 110 according to one embodiment of the invention are discussed. In particular, Fig. 9 is a flowchart of the process that automatically analyzes the "penetration pattern" of a foreign program, that is, a program that penetrates a computer unit to collect or report information, start a task, or destroy information on the computer unit. The program application 110 starts, initializing the probe functions described above (block 200). The function of block 905 represents the data collection functions performed by blocks 201-206 (Fig. 2), blocks 340-343 (Fig. 3) and blocks 440-443 (Fig. 4). The function of block 910 represents the functions performed by blocks 210-215 (Fig. 2). The check functions of blocks 915-920 are represented by the functions of blocks 216-217. The function of block 925 represents the functions performed by blocks 310-312 (Fig. 3). The check functions of blocks 930-935 are represented by the functions of blocks 313-314. The function of block 940 represents the functions performed by blocks 410-413 (Fig. 4). The check functions of blocks 945-950 are represented by the functions of blocks 414-415. The function of block 955 is represented by the functions of blocks 218, 315 and 416, as described previously. Fig. 9 therefore gives an overview of the penetration pattern analysis, whose data is received from each computer unit 105 and transmitted to the monitoring station 115.

Referring now to Fig. 10, the functional mechanism of the client application according to one embodiment of the invention is discussed. In particular, Fig. 10 is a flowchart of the process that automatically reverses any change to the computer unit (machine environment) that a foreign program has initiated on the computer unit 105. The functions in blocks 1005 to 1050 are as described previously and are identical to blocks 905-950 of Fig. 9. In block 1055 the client application 110 searches the data dictionary held locally on the client computer 105; if the configuration contains an unauthorized modification made by a foreign program started on the computer unit 105, the client application 110 reverts the configuration to the one defined before the unauthorized modification.

Referring now to Fig. 11, the functional mechanism of the client application according to one embodiment of the invention is discussed. In particular, Fig. 11 is a block diagram of the structured signal file that captures all forensic data about the "penetration pattern" and that is transmitted to and stored at the monitoring station 115.

The structured file 1100 is generated, and the client application transmits all "penetration pattern" (forensic) data to the monitoring station 115. As shown in Fig. 11, the data structure 1100 is laid out as follows, which allows a computer forensics design to operate in a real-time environment.

SOT [cr] [lf]

Date=CCYY\MM\DD [cr] [lf]
Time=HH:MM:SS [cr] [lf]
3Wind=Variable Up To 500 Characters [cr] [lf]
2Wind=Variable Up To 500 Characters [cr] [lf]
1Wind=Variable Up To 500 Characters [cr] [lf]
Mssg=Variable Up To 500 Characters [cr] [lf]
EOT [cr] [lf]

The above parameters are defined as follows:

SOT - start of transmission;
[cr] - carriage return ASCII control character;
[lf] - line feed ASCII control character;
EOT - end of transmission;
3Wind - the window code that had focus before 2Wind;
2Wind - the window code that had focus before 1Wind;
1Wind - the window code that had focus during the unauthorized activity; and
Mssg - the definition of the unauthorized activity.

Referring now to Fig. 12, the functional mechanism of the client application according to one embodiment of the invention is discussed. In particular, Fig. 12 is a flowchart of the process that automatically detects, in a real-time environment, unauthorized modification of the HKEY_LOCAL_MACHINE:Software registry segment. The flowchart illustrates a process that automatically analyzes the "penetration pattern" of a foreign program that penetrates a computer unit 105 to collect or report information, start a task, or destroy information on the computer unit 105. The penetration pattern analysis data received from each computer unit 105 is transmitted to the monitoring station 115.
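The structured signal file of Fig. 11 as a serializer and parser, added here as a worked example; this is not code from the patent or from Granite Technologies. Field names, field order, the [cr][lf] line ends and the 500-character limit follow the definitions above; the record values, the dataclass and the function names are this example's own. Because the file is line-delimited, a window title or message that itself contains a carriage return or line feed could forge extra lines or a premature EOT, so both directions reject such values.

```python
"""Serializer and parser for the Fig. 11 structured signal file (added example)."""
from dataclasses import dataclass
from datetime import datetime

CRLF = "\r\n"              # the [cr] [lf] pair that terminates every line of the file
MAX_FIELD = 500            # "Variable Up To 500 Characters"
FIELD_ORDER = ("Date", "Time", "3Wind", "2Wind", "1Wind", "Mssg")
DATE_FMT = "%Y\\%m\\%d"    # CCYY\MM\DD
TIME_FMT = "%H:%M:%S"      # HH:MM:SS


@dataclass
class PenetrationRecord:
    """One 'penetration pattern' record; names are this example's own."""
    date: str    # CCYY\MM\DD
    time: str    # HH:MM:SS
    wind3: str   # window code that had focus before 2Wind
    wind2: str   # window code that had focus before 1Wind
    wind1: str   # window code that had focus during the unauthorized activity
    mssg: str    # definition of the unauthorized activity

    def as_fields(self) -> dict:
        return dict(zip(FIELD_ORDER,
                        (self.date, self.time, self.wind3, self.wind2, self.wind1, self.mssg)))


def serialize(rec: PenetrationRecord) -> str:
    """Frame a record as SOT ... EOT with [cr][lf] line ends, refusing values that
    would exceed the 500-character limit or could forge extra lines."""
    datetime.strptime(rec.date, DATE_FMT)   # ValueError on a malformed date
    datetime.strptime(rec.time, TIME_FMT)   # ValueError on a malformed time
    lines = ["SOT"]
    for name, value in rec.as_fields().items():
        if len(value) > MAX_FIELD:
            raise ValueError(f"{name} exceeds {MAX_FIELD} characters")
        if "\r" in value or "\n" in value:
            raise ValueError(f"{name} contains a line terminator")
        lines.append(f"{name}={value}")
    lines.append("EOT")
    return CRLF.join(lines) + CRLF


def parse(text: str) -> PenetrationRecord:
    """Inverse of serialize(); raises ValueError on any framing or field violation."""
    if not text.endswith(CRLF):
        raise ValueError("frame must end with [cr][lf]")
    lines = text[:-len(CRLF)].split(CRLF)
    if len(lines) != len(FIELD_ORDER) + 2 or lines[0] != "SOT" or lines[-1] != "EOT":
        raise ValueError("bad SOT/EOT framing or wrong number of lines")
    values = {}
    for expected, line in zip(FIELD_ORDER, lines[1:-1]):
        name, sep, value = line.partition("=")
        if not sep or name != expected:
            raise ValueError(f"expected field {expected}, got {line!r}")
        if len(value) > MAX_FIELD:
            raise ValueError(f"{name} exceeds {MAX_FIELD} characters")
        values[name] = value
    datetime.strptime(values["Date"], DATE_FMT)
    datetime.strptime(values["Time"], TIME_FMT)
    return PenetrationRecord(values["Date"], values["Time"], values["3Wind"],
                             values["2Wind"], values["1Wind"], values["Mssg"])


def is_well_formed(text: str) -> bool:
    """True when text parses as one complete frame; rejects truncated or injected input."""
    try:
        parse(text)
    except ValueError:
        return False
    return True


# Constructed sample record (not data taken from the page).
SAMPLE = PenetrationRecord(r"2002\04\01", "13:45:07", "Explorer", "Notepad", "Regedit",
                           "Unauthorized entry added to HKEY_LOCAL_MACHINE:Software")

if __name__ == "__main__":
    frame = serialize(SAMPLE)
    print(frame.replace(CRLF, "[cr][lf]\n"), end="")
    print("round trip ok:", parse(frame) == SAMPLE)
```

The parser checks the line count before looking at field names, so a message containing an injected "EOT" line is rejected as a whole rather than being split into two records at the monitoring station.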

After all the internal registry data collected on a client computer 105 has been transmitted to the monitoring station 115, a PC probe (belonging to the client application 110) starts an additional parallel thread function designed and developed by the inventor (block 1205). That thread starts an additional independent 32-bit API DLL, also designed and developed by the inventor, which analyzes HKEY_LOCAL_MACHINE:Software (hereafter the DEFINED SEGMENT), a segment of the internal registry. One example of such a PC probe is the form provided by Granite Technologies of Tennessee, USA. The analysis comprises a method that opens the actual registry key, then opens and queries the defined segment for any possible unauthorized change within this particular area of the registry.

The internal registry is the database used by the Windows operating system (for example Windows 95 and NT) to store configuration information. The registry basically comprises the following main sections:

(1) HKEY_Classes_Root - file associations and object linking and embedding (OLE) information;
(2) HKEY_Current_User - all preferences of the current user;
(3) HKEY_Users - information on every user of the system;
(4) HKEY_Local_Machine - hardware, operating system and installed application settings;
(5) HKEY_Current_Configuration - display and printer settings;

(6) HKEY_Dyn_Data - performance data.

Most Windows applications write data to the registry, at least during installation. The registry can be edited directly with the registry editor (regedit.exe) supplied with the operating system. The Windows registry thus stores the system configuration details that make Windows look and run the way the user wants. The registry stores user profile information, such as wallpaper, color scheme and desktop layout, in a file called "user.dat", and stores hardware-specific and software-specific details, such as device management and file extension associations, in a file called "system.dat" (this two-file layout is that of Windows 95/98; Windows NT keeps its hive files under the system32\config directory). In many respects the registry replaces the functions of win.ini and system.ini from earlier versions of Windows, although those files still exist because many Windows applications refer to them.

The registry is opened by invoking a 32-bit API function call defined in the Microsoft API development environment. When the registry is opened, the defined segment is passed as a parameter so that this particular segment of the registry is opened successfully. This parameter is included in the 32-bit API function (from the Microsoft API development environment) that is invoked to open a registry segment.

The method comprises establishing a "base count" of all authorized entries in this particular segment of the registry. The "base count" is the total number of entries recorded in the defined segment of the registry. Once the "base count" has been established, its integer value is stored in memory (for example RAM). The MFC parallel thread (block 1215) then starts the 32-bit API designed and developed by the inventor, which starts an algorithm that computes whether the "base count" of this particular defined segment of the registry has changed at all. The actual function of the 32-bit API design is described below. A sub-thread (block 1240) starts the 32-bit API DLL, which collects all the registry data in the HKEY_LOCAL_MACHINE:SOFTWARE registry segment.

The execution of the other functions in Fig. 12 is similar to the corresponding functions described in the previous figures.

The algorithmic method designed by the inventor queries the defined segment of the registry in a manner that registers practically no resource utilization on the CPU. Within the defined segment of the registry the entries may not be listed in any particular order and are random in nature.

While the actual O/S must query every segment of the whole registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that computes the maximum "base count" (integer) of all entries in the defined registry segment and subtracts 2 from that "base count". The "base count" minus 2 equals the start position index from which the algorithm continues counting the remaining entries, together with the last "date time modified" of this particular defined portion of the registry segment.

When the algorithm starts counting at the start position index, it counts the remaining entries in the defined segment of the registry. If the maximum count equation does not equal the precomputed result, the defined registry segment has been edited manually by a user or intruded upon by an unauthorized program modification. Note that the count by itself cannot tell an untouched segment from one in which an entry was replaced, or an existing value edited, within a single polling interval; it is the comparison of the last "date time modified" that covers that case.

For example, HKEY_LOCAL_MACHINE:Software may contain 50 entries recording the different applications installed on the computer. The 32-bit API DLL that monitors and controls this environment polls this segment every 5 to 8 seconds to detect an unauthorized registry entry or deletion. If the registry segment is modified, the unauthorized modification is detected and reported to the main parallel thread that started the 32-bit API DLL.

The precomputed result guarantees, according to the inventor, a 100% correct result from the query (the query being made on the registry segment itself through a 32-bit API function call from the Microsoft 32-bit API development environment), because the algorithm is designed to query the defined segment approximately every 5 to 8 seconds. This query rate makes it impossible for a user to delete or add a new entry to the defined segment without being intercepted by the algorithm.

A rate of about 5 to 8 seconds is sufficient in both rate and accuracy because any unauthorized program or user that attempts to delete and then add a record to a registry segment forces that segment into an "update cycle" in which it performs its internal "housekeeping". This "housekeeping" takes approximately 4 to 6 seconds to execute mechanically. Furthermore, an unauthorized program must perform a computation to add entries to a defined area of the registry, which is what allows the inventor's algorithm to counter unauthorized program activity with 100% accuracy.

Finally, this registry protection, together with the remaining functions that protect the O/S and third-party startup environments, provides a multi-layered defensive posture that protects the computer unit 105 against all of its weaknesses to unauthorized modification.

The parallel thread described above executes the polling function without any impact or harm to the resources used by the CPU clock. This is achieved by designing an automatic sleep state into the loop of the parallel thread's execution state, sized according to the importance of that particular thread, so that system operation is not slowed.

Referring now to Fig. 13, additional functional mechanisms of the client application 110 according to one embodiment of the invention are discussed. In particular, Fig. 13 is a flowchart of the process that automatically detects, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft registry segment.

After all the internal registry data collected has been transmitted to the monitoring station 115, the PC probe in the client application 110 starts an additional parallel thread function designed and developed by the inventor, which starts an additional independent 32-bit API DLL, also designed and developed by the inventor, that analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft segment of the internal registry. This analysis comprises a method that opens the actual registry key, then opens and queries this segment for any possible unauthorized change within this particular area of the registry. The method comprises establishing a "base count" of all authorized entries in this particular segment of the registry. Once the "base count" has been established, its integer value is stored in RAM. The MFC parallel thread (block 1315) then starts the 32-bit API designed and developed by the inventor, which starts an algorithm that computes whether the "base count" of this particular defined segment of the registry has changed at all. The actual function of the 32-bit API design is further described below. A sub-thread (block 1340) starts the 32-bit API DLL, which collects all the entry data in the HKEY_LOCAL_MACHINE:Software\Microsoft registry segment. The execution of the other functions in Fig. 13 is similar to the corresponding functions described in the previous figures.

The algorithm that queries this defined segment is the one described above for Fig. 12: it registers practically no resource utilization on the CPU, takes the "base count" minus 2 as the start position index, counts the remaining entries together with the last "date time modified" of the segment, and treats the segment as manually edited or intruded upon by an unauthorized program if the maximum count equation does not equal the precomputed result. Querying the segment approximately every 5 to 8 seconds makes it impossible, the inventor states, for a user to delete or add an entry without being intercepted, and because an unauthorized program must perform a computation to add an entry, the algorithm counters unauthorized program activity with 100% accuracy.

Referring now to Fig. 14, additional functional mechanisms of the client application 110 according to one embodiment of the invention are discussed. In particular, Fig. 14 is a flowchart of the process that automatically detects, in a real-time environment, any unauthorized modification of the HKEY_LOCAL_MACHINE:Software\Microsoft\Run registry segment.

Mi⑽SOft\Run註冊段落之任何未授權修改之處理的流程圖。 -37-Flow chart of the processing of any unauthorized modification of the Mi⑽SOft \ Run registration section. -37-

574645 A7 B7 五、發明説明(35 ) 在該所有内部註冊資料的收集傳送到該監看站115之後, 在該客戶應用110中的PC探針即啟始由本發明人所設計及開 發的一額外平行串列函式,其可啟始由本發明人設計及開 發的一額外獨立的21 API DLL,其進行分析該内部註冊的 HKEY_L〇CAL_MACHINE:Software\Microsoft\Run段落。此分析包 含一種開啟該實際註冊鍵的方法,並開啟及查詢此段落中 在該註冊的此特殊區域内的任何可能的未授權改變。該方 法包含建立在該註冊的此特殊段落中之所有授權登錄之“基 本計數”。在建立該“基本計數”之後,該“基本計數”的數值 整數即儲存在RAM中。然後該MFC平行串列即啟始由本發明 人設計及開發的一 32位元API,其啟始一演算法來計算出該 註冊的此特殊定義段落之“基本計數”是否發生任何改變。 然後該MFC平行串列(方塊1415)啟始由本發明人設計及開 發的該32位元API,其啟始一演算法來計算出該註冊的此特 殊定義段落之“基本計數”是否發生任何改變。該32位元API 設計的實際功能進一步說明於下。一子串列(方塊1440)啟始 該 32位元 API DLL,其收集在該 HKEY_LOCAL_MACHINE:Soflware\ Microsoft\Run註冊段落上的所有註冊資料。在圖14中的其它函 式的執行類似於在先前圖面中所對應的類似函式所描述者。 本發明人所設計的演算法方法查詢該註冊的該定義段落 ,其方式為實際上不會有資源利用被註冊在該CPU内。因為 是在該註冊的定義段落内,其有可能該登錄不會依照特殊 的順序來列出,且性質上為隨機的。 同時,實際的Ο/S必須查詢在整個註冊的每一個註冊段落 -38- 本紙張尺度適用中國國家標準(CNS) A4規格(210 X 297公釐)574645 A7 B7 V. Description of the invention (35) After the collection of all internal registration data is transmitted to the monitoring station 115, the PC probe in the client application 110 starts an additional design and development by the inventor A parallel serial function, which can start an additional independent 21 API DLL designed and developed by the inventor, which analyzes the internally registered HKEY_LOCAL_MACHINE: Software \ Microsoft \ Run paragraph. This analysis includes a way to turn on the actual registration key, and turn on and query for any possible unauthorized changes in this particular area of the registration in this paragraph. The method includes a "basic count" of all authorized logins established in this special paragraph of the registration. After the "base count" is established, the integer value of the "base count" is stored in the RAM. Then, the MFC parallel series starts a 32-bit API designed and developed by the inventor, and starts an algorithm to calculate whether there is any change in the "base count" of this registered special-defined paragraph. 
Then the MFC parallel string (block 1415) starts the 32-bit API designed and developed by the present inventor, which starts an algorithm to calculate whether there is any change in the "basic count" of this specially defined paragraph of the registration . The actual functionality of this 32-bit API design is further explained below. A sub-series (block 1440) starts the 32-bit API DLL, which collects all the registration information in the HKEY_LOCAL_MACHINE: Soflware \ Microsoft \ Run registration section. The execution of the other functions in FIG. 14 is similar to that described by the similar function corresponding to the previous drawing. The algorithm method designed by the inventor inquires the definition of the registration in a manner that, in practice, no resource utilization is registered in the CPU. Because it is in the definition paragraph of the registration, it is possible that the registration will not be listed in a special order and is random in nature. At the same time, the actual O / S must be checked in each registration paragraph of the entire registration. -38- This paper size applies to China National Standard (CNS) A4 (210 X 297 mm)

裝 訂Binding

The method designed and developed by the inventor is therefore an algorithm that computes the maximum "base count" (an integer) of all entries within the defined registry section, less the "base count" minus 2. The "base count" minus 2 equals the starting position index, from which the algorithm continues counting the remaining entries and the last "date/time modified" within this specially defined portion of the registry section.

When the algorithm begins its count at the starting position index, it counts the remaining entries within the defined section of the registry. If the maximum count equation does not equal the precomputed result, the defined registry section has been edited manually by the user or has been intruded upon by an unauthorized program modification.

The precomputed result ensures that the result of the query is 100% correct, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. That query rate makes it impossible for a user to delete an entry and add a new one to the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation in order to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 15, additional functional mechanisms of the client application 110 are discussed according to an embodiment of the present invention. In particular, FIG. 15 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_CLASSES_ROOT:CLSID registry section.

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe starts an additional parallel thread function designed and developed by the inventor, which starts an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_CLASSES_ROOT:CLSID section of the internal registry. This analysis comprises a method of opening the actual registry key, and of opening and querying this section for any possible unauthorized change within this particular area of the registry. The method comprises establishing a "base count" of all authorized entries in this particular section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then starts a 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry.

The MFC parallel thread (block 1515) then starts the 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry. The actual functionality of this 32-bit API design is further explained below. A sub-thread (block 1540) starts the 32-bit API DLL, which collects all entry data in the HKEY_CLASSES_ROOT:CLSID registry section. The other functions in FIG. 15 execute as described for the corresponding functions in the preceding figures.

The algorithmic method designed by the inventor queries the defined section of the registry in a manner that registers virtually no resource utilization on the CPU. Because the entries within the defined section of the registry may not be listed in any particular order and are random in nature, and because the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries within the defined registry section, less the "base count" minus 2.


The "base count" minus 2 equals the starting position index, from which the algorithm continues counting the remaining entries and the last "date/time modified" within this specially defined portion of the registry section.

When the algorithm begins its count at the starting position index, it counts the remaining entries within the defined section of the registry. If the maximum count equation does not equal the precomputed result, the defined registry section has been edited manually by the user or has been intruded upon by an unauthorized program modification.

The precomputed result ensures that the result of the query is 100% correct, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. That query rate makes it impossible for a user to delete an entry and add one to the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation in order to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 16, additional functional mechanisms of the client application 110 are discussed according to an embodiment of the present invention. In particular, FIG. 16 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_CLASSES_ROOT:CID registry section (if it exists).

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe starts an additional parallel thread function designed and developed by the inventor, which starts an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_CLASSES_ROOT:CID section of the internal registry.

This analysis comprises a method of opening the actual registry key, and of opening and querying this section for any possible unauthorized change within this particular area of the registry. The method comprises establishing a "base count" of all authorized entries in this particular section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then starts a 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry.

The MFC parallel thread (block 1615) then starts the 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry. The actual functionality of this 32-bit API design is further explained below. A sub-thread (block 1640) starts the 32-bit API DLL, which collects all entry data in the HKEY_CLASSES_ROOT:CID registry section. The other functions in FIG. 16 execute as described for the corresponding functions in the preceding figures.

The algorithmic method designed by the inventor queries the defined section of the registry in a manner that registers virtually no resource utilization on the CPU. Because the entries within the defined section of the registry may not be listed in any particular order and are random in nature, and because the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries within the defined registry section, less the "base count" minus 2. The "base count" minus 2 equals the starting position index, from which the algorithm continues counting the remaining entries and the last "date/time modified" within this specially defined portion of the registry section.


When the algorithm begins its count at the starting position index, it counts the remaining entries within the defined section of the registry. If the maximum count equation does not equal the precomputed result, the defined registry section has been edited manually by the user or has been intruded upon by an unauthorized program modification.

The precomputed result ensures that the result of the query is 100% correct, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. That query rate makes it impossible for a user to delete an entry and add a new one to the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation in order to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 17, additional functional mechanisms of the client application 115 are discussed according to an embodiment of the present invention. In particular, FIG. 17 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved registry section.

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe starts an additional parallel thread function designed and developed by the inventor, which starts an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved section of the internal registry.


This analysis comprises a method of opening the actual registry key, and of opening and querying this section for any possible unauthorized change within this particular area of the registry. The method comprises establishing a "base count" of all authorized entries in this particular section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then starts a 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry.

The MFC parallel thread (block 1715) then starts the 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry. The actual functionality of this 32-bit API design is further explained below. A sub-thread (block 1740) starts the 32-bit API DLL, which collects all entry data in the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved registry section. The other functions in FIG. 17 execute as described for the corresponding functions in the preceding figures.

The algorithmic method designed by the inventor queries the defined section of the registry in a manner that registers virtually no resource utilization on the CPU. Because the entries within the defined section of the registry may not be listed in any particular order and are random in nature, and because the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries within the defined registry section, less the "base count" minus 2. The "base count" minus 2 equals the starting position index, from which the algorithm continues counting the remaining entries and the last "date/time modified" within this specially defined portion of the registry section.


When the algorithm begins its count at the starting position index, it counts the remaining entries within the defined section of the registry. If the maximum count equation does not equal the precomputed result, the defined registry section has been edited manually by the user or has been intruded upon by an unauthorized program modification.

The precomputed result ensures that the result of the query is 100% correct, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. That query rate makes it impossible for a user to delete an entry and add a new one to the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation in order to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 18, additional functional mechanisms of the client application 110 are discussed according to an embodiment of the present invention. In particular, FIG. 18 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run registry section.

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe starts an additional parallel thread function designed and developed by the inventor, which starts an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run section of the internal registry.



This analysis comprises a method of opening the actual registry key, and of opening and querying this section for any possible unauthorized change within this particular area of the registry. The method comprises establishing a "base count" of all authorized entries in this particular section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then starts a 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry.

The MFC parallel thread (block 1815) then starts the 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry. The actual functionality of this 32-bit API design is further explained below. A sub-thread (block 1840) starts the 32-bit API DLL, which collects all registry data in the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run registry section. The other functions in FIG. 18 execute as described for the corresponding functions in the preceding figures.

The algorithmic method designed by the inventor queries the defined section of the registry in a manner that registers virtually no resource utilization on the CPU. Because the entries within the defined section of the registry may not be listed in any particular order and are random in nature, and because the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries within the defined registry section, less the "base count" minus 2. The "base count" minus 2 equals the starting position index, from which the algorithm continues counting the remaining entries and the last "date/time modified" within this specially defined portion of the registry section.


When the algorithm begins its count at the starting position index, it counts the remaining entries within the defined section of the registry. If the maximum count equation does not equal the precomputed result, the defined registry section has been edited manually by the user or has been intruded upon by an unauthorized program modification.

The precomputed result ensures that the result of the query is 100% correct, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. That query rate makes it impossible for a user to delete an entry and add a new one to the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation in order to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 19, the functional mechanisms of the client application are discussed according to an embodiment of the present invention. In particular, FIG. 19 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnce registry section.

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe starts an additional parallel thread function designed and developed by the inventor, which starts an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnce section of the internal registry.

This analysis comprises a method of opening the actual registry key, and of opening and querying this section for any possible unauthorized change within this particular area of the registry. The method comprises establishing a "base count" of all authorized entries in this particular section of the registry. Once the "base count" is established, its integer value is stored in RAM. The MFC parallel thread then starts a 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry.

The MFC parallel thread (block 1915) then starts the 32-bit API designed and developed by the inventor, which starts an algorithm that calculates whether any change has occurred in the "base count" of this specially defined section of the registry. The actual functionality of this 32-bit API design is further explained below. A sub-thread (block 1940) starts the 32-bit API DLL, which collects all entry data in the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnce registry section. The other functions in FIG. 19 execute as described for the corresponding functions in the preceding figures.

The algorithmic method designed by the inventor queries the defined section of the registry in a manner that registers virtually no resource utilization on the CPU. Because the entries within the defined section of the registry may not be listed in any particular order and are random in nature, and because the actual O/S must query every registry section in the entire registry to establish and maintain its program environment, the method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries within the defined registry section, less the "base count" minus 2. The "base count" minus 2 equals the starting position index, from which the algorithm continues counting the remaining entries and the last "date/time modified" within this specially defined portion of the registry section.


When the algorithm begins its count at the starting position index, it counts the remaining entries within the defined section of the registry. If the maximum count equation does not equal the precomputed result, the defined registry section has been edited manually by the user or has been intruded upon by an unauthorized program modification.

The precomputed result ensures that the result of the query is 100% correct, because the algorithm is designed to query the defined section approximately every 5 to 8 seconds. That query rate makes it impossible for a user to delete an entry and add a new one to the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation in order to add an entry to a defined area of the registry, which allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to FIG. 20, additional functional mechanisms of the client application 110 are discussed according to an embodiment of the present invention. In particular, FIG. 20 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnceEx registry section.
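The base-count check that the processes of FIGS. 14 through 20 each describe, as an added example that is not part of the patent or of the inventor's implementation: a baseline count of the entries in a watched section is kept in memory, each poll re-reads the section and compares, and the key's last-write time is checked as well so that a delete plus an add within one poll interval (which leaves the count unchanged) is still reported. The registry paths are the ones named in the description; every snapshot, entry name and timestamp is constructed, and a real probe would fill the snapshots from the Win32 registry API (RegQueryInfoKey, which this example assumes but does not call).

```python
"""Base-count monitor for watched registry sections, run over constructed snapshots.

Nothing here touches a real registry: every poll is a Snapshot built inline, so
the detection logic runs anywhere. A real probe would fill a Snapshot from the
Win32 registry API (RegQueryInfoKey returns a key's value count and last-write
time); that call is assumed, not made, here.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

POLL_INTERVAL_SECONDS = (5, 8)  # the description polls roughly every 5 to 8 seconds

# Registry sections named in the description, written as registry paths.
WATCHED_SECTIONS: Tuple[str, ...] = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved",
    r"HKEY_CLASSES_ROOT\CLSID",
)


@dataclass(frozen=True)
class Snapshot:
    """One poll of a section: the entry names present (order is irrelevant)
    and the key's last-write time as an integer."""
    names: FrozenSet[str]
    last_write: int


@dataclass(frozen=True)
class Baseline:
    """What the probe keeps in RAM for a section: its authorized state."""
    base_count: int
    last_write: int
    names: FrozenSet[str]


@dataclass(frozen=True)
class Alert:
    section: str
    kind: str                # "added", "removed" or "replaced"
    added: FrozenSet[str]    # present now, absent from the baseline
    removed: FrozenSet[str]  # in the baseline, missing now


def establish_baseline(snap: Snapshot) -> Baseline:
    """Record the base count of authorized entries at start-up."""
    return Baseline(len(snap.names), snap.last_write, snap.names)


def check_section(section: str, base: Baseline, snap: Snapshot) -> Optional[Alert]:
    """Compare one poll against the baseline; None means no change.

    The description's test is the count: more entries than the base count means
    an entry was added, fewer means one was removed. A delete plus an add inside
    one poll interval leaves the count unchanged, so the key's last-write time is
    compared as well and that case is reported as "replaced".
    """
    added, removed = snap.names - base.names, base.names - snap.names
    if len(snap.names) > base.base_count:
        return Alert(section, "added", added, removed)
    if len(snap.names) < base.base_count:
        return Alert(section, "removed", added, removed)
    if snap.last_write != base.last_write:
        return Alert(section, "replaced", added, removed)
    return None


def run_monitor(polls: Dict[str, List[Snapshot]]) -> List[Alert]:
    """Baseline each section from its first snapshot, then check every later poll.
    The baseline is not refreshed after an alert, so an unauthorized change keeps
    being reported until an operator re-baselines the section."""
    alerts: List[Alert] = []
    for section, snaps in polls.items():
        base = establish_baseline(snaps[0])
        for snap in snaps[1:]:
            alert = check_section(section, base, snap)
            if alert is not None:
                alerts.append(alert)
    return alerts


def constructed_polls() -> Dict[str, List[Snapshot]]:
    """Constructed sample polls: entry names and timestamps are made up."""
    run, clsid = WATCHED_SECTIONS[0], WATCHED_SECTIONS[4]
    return {
        run: [
            Snapshot(frozenset({"SecurityHealth", "OneDrive"}), 1000),
            Snapshot(frozenset({"OneDrive", "SecurityHealth"}), 1000),            # order only
            Snapshot(frozenset({"OneDrive", "SecurityHealth", "Updater"}), 1007),  # one added
            Snapshot(frozenset({"OneDrive", "Updater"}), 1013),                    # swapped in one poll
        ],
        clsid: [
            Snapshot(frozenset({"{A}", "{B}", "{C}"}), 2000),
            Snapshot(frozenset({"{A}", "{C}"}), 2005),                              # one removed
        ],
    }
```

Running `run_monitor(constructed_polls())` yields three alerts: an addition and then a same-count replacement on the Run section, and a removal on CLSID; the reordered poll raises nothing.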

After the collection of all internal registry data has been transmitted to the monitoring station 115, the PC probe starts an additional parallel thread function designed and developed by the inventor, which starts an additional independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnceEx section of the internal registry.


Software\Microsoft\Windows\CurrentVersion\RunOnceEx section. This analysis includes a method of opening the actual registry key, then opening and querying this section for any possible unauthorized change within this particular area of the registry. The method establishes a "base count" of all authorized entries in this particular section of the registry. Once the "base count" has been established, its integer value is stored in RAM. The MFC parallel thread then starts a 32-bit API designed and developed by the inventor, which runs an algorithm to determine whether the "base count" of this specifically defined section of the registry has changed in any way.

The MFC parallel thread (block 2015) then starts the 32-bit API designed and developed by the inventor, which runs an algorithm to determine whether the "base count" of this specifically defined section of the registry has changed in any way. The actual operation of this 32-bit API is explained further below. A child thread (block 2040) starts the 32-bit API DLL, which collects all entry data from the HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\RunOnceEx registry section. The remaining functions in Figure 20 execute in the same way as the corresponding functions described for the preceding figures.

The algorithm designed by the inventor queries the defined section of the registry in a way that registers virtually no resource utilization on the CPU. Because the entries sit inside a defined section of the registry, they may not be listed in any particular order and are random in nature.

At the same time, the actual O/S must query every registry section in the entire registry to establish and maintain its program environment. The method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries in the registry section defined here, minus that "base count" minus 2. The "base count" minus 2 equals the start position index, from which the algorithm continues counting the remaining entries and the last "date/time modified" within this specifically defined portion of the registry section.

When the algorithm begins its count at the start position index, it counts the remaining entries in the defined section of the registry. If the maximum-count equation does not equal the precomputed result, the defined registry section has been edited manually by the user or intruded upon by an unauthorized program modification.

The precomputed result guarantees a correct result from the query, because the algorithm is designed to query the defined section about every 5 to 8 seconds. This query rate makes it impossible for a user to delete and add a new entry to the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation to add entries to a defined area of the registry, which is what allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to Figure 21, additional functional mechanisms of the client application 110 are discussed in accordance with one embodiment of the present invention. In particular, Figure 21 is a flowchart of a process for automatically detecting, in a real-time environment, any unauthorized modification to the HKEY_CURRENT_USER:Software registry section.

After the collected internal registry data has been transmitted to the monitoring station 115, the PC probe starts an additional parallel thread function designed and developed by the inventor, which in turn starts an additional, independent 32-bit API DLL designed and developed by the inventor that analyzes the HKEY_CURRENT_USER:Software section of the internal registry.
This analysis includes a method of opening the actual registry key, then opening and querying this section for any possible unauthorized change within this particular area of the registry. The method establishes a "base count" of all authorized entries in this particular section of the registry. Once the "base count" has been established, its integer value is stored in RAM. The MFC parallel thread then starts a 32-bit API designed and developed by the inventor, which runs an algorithm to determine whether the "base count" of this specifically defined section of the registry has changed in any way.

The MFC parallel thread (block 2115) then starts the 32-bit API designed and developed by the inventor, which runs an algorithm to determine whether the "base count" of this specifically defined section of the registry has changed in any way. The actual operation of this 32-bit API is explained further below. A child thread (block 2140) starts the 32-bit API DLL, which collects all entry data from the HKEY_CURRENT_USER:Software registry section. The remaining functions in Figure 21 execute in the same way as the corresponding functions described for the preceding figures.

The algorithm designed by the inventor queries the defined section of the registry in a way that registers virtually no resource utilization on the CPU. Because the entries sit inside a defined section of the registry, they may not be listed in any particular order and are random in nature.

At the same time, the actual O/S must query every registry section in the entire registry to establish and maintain its program environment. The method designed and developed by the inventor is an algorithm that computes the maximum "base count" (an integer) of all entries in the registry section defined here, minus that "base count" minus 2. The "base count" minus 2 equals the start position index, from which the algorithm continues counting the remaining entries and the last "date/time modified" within this specifically defined portion of the registry section.

When the algorithm begins its count at the start position index, it counts the remaining entries in the defined section of the registry. If the maximum-count equation does not equal the precomputed result, the defined registry section has been edited manually by the user or intruded upon by an unauthorized program modification.

The precomputed result guarantees a 100% correct result from the query, because the algorithm is designed to query the defined section about every 5 to 8 seconds. This query rate makes it impossible for a user to delete and add a new entry to the defined section without being intercepted by the algorithm. Furthermore, an unauthorized program performs a computation to add entries to a defined area of the registry, which is what allows the algorithm designed by the inventor to counter unauthorized program activity with 100% accuracy.

Referring now to Figure 22, additional functional mechanisms of the client application 110 are discussed in accordance with one embodiment of the present invention. In particular, Figure 22 is a block diagram of the different methods used to launch a "protective umbrella" over the entire PC desktop environment.
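Both registry-monitoring threads described above (Figures 20 and 21) run the same base-count check. The following is an added example, not code from the patent or from Granite Technologies: it models that check in Python against a constructed in-memory stand-in for a registry section (entry names, paths and timestamps are all constructed), and compares the section's last "date/time modified" alongside the count so that a delete-plus-add between two polls that leaves the count unchanged is still caught.

```python
"""Base-count polling check for one autostart section of the registry.

Added example; this is not code from TW574645B or from Granite
Technologies. It models the detector the description gives for
Figures 20 and 21: a "base count" of authorized entries is recorded,
together with the section's last "date/time modified", and the section
is re-queried every 5 to 8 seconds. The registry section, entry names
and timestamps are constructed stand-ins so the example runs offline.
On Windows the two facts come from winreg.QueryInfoKey(key), which
returns (subkey count, value count, last-write time); it is not
called here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLL_INTERVAL_SECONDS = (5, 8)  # polling cadence stated in the description


@dataclass
class RegistrySection:
    """Constructed stand-in for a key such as HKLM\\...\\RunOnceEx."""
    values: Dict[str, str] = field(default_factory=dict)
    last_write: int = 0  # seconds since epoch of the last modification

    def set_value(self, name: str, data: str, now: int) -> None:
        self.values[name] = data
        self.last_write = now

    def delete_value(self, name: str, now: int) -> None:
        del self.values[name]
        self.last_write = now


@dataclass(frozen=True)
class Baseline:
    base_count: int  # authorized entries at enrolment
    last_write: int  # section timestamp at enrolment


def enrol(section: RegistrySection) -> Baseline:
    """Record the base count and timestamp of an authorized section."""
    return Baseline(len(section.values), section.last_write)


def check(section: RegistrySection, baseline: Baseline) -> Optional[str]:
    """Return None if the section still matches its baseline, else why not.

    The patent counts from a start index of base count minus 2 and compares
    the finished count with the precomputed one; that reduces to comparing
    entry counts, which is done directly here. The timestamp comparison
    covers a delete-plus-add that lands between two polls and leaves the
    count unchanged, which a count alone cannot see.
    """
    current = len(section.values)
    if current > baseline.base_count:
        return f"entry added: count {baseline.base_count} -> {current}"
    if current < baseline.base_count:
        return f"entry removed: count {baseline.base_count} -> {current}"
    if section.last_write != baseline.last_write:
        return "section rewritten with unchanged count (timestamp moved)"
    return None


def simulate() -> List[Optional[str]]:
    """Drive a constructed section through four polls; return each verdict."""
    t0 = 1_000_000  # constructed clock
    sec = RegistrySection()
    sec.set_value("Updater", r"C:\Program Files\Vendor\update.exe", t0)
    sec.set_value("TrayApp", r"C:\Program Files\Vendor\tray.exe", t0 + 1)
    baseline = enrol(sec)

    verdicts = [check(sec, baseline)]  # poll 1: nothing changed
    sec.set_value("Extra", r"C:\Users\Public\extra.exe", t0 + 6)
    verdicts.append(check(sec, baseline))  # poll 2: count rose to 3
    sec.delete_value("Extra", t0 + 7)
    verdicts.append(check(sec, baseline))  # poll 3: count back to 2, timestamp moved
    baseline = enrol(sec)  # operator re-enrols after reviewing the change
    verdicts.append(check(sec, baseline))  # poll 4: clean against the new baseline
    return verdicts


if __name__ == "__main__":
    for n, verdict in enumerate(simulate(), 1):
        print(f"poll {n}: {verdict or 'unchanged'}")
```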
The parallel threads and all of the 32-bit API DLLs designed and developed by the inventor execute together with the client application 110 to deploy a "protective umbrella" or "immune system" over the entire PC client computer environment.

The client application 110 constantly polls and queries every major key section of the client computer: the configuration of the O/S files (2215) and of the third-party "startup" (2210), the creation of new directories or folders (2220), the creation of new programs, and the maintenance of the configuration of the computer registry (2205). The registry 2225 is also discussed in the different sections above.

Furthermore, at least some of the components of the present invention can be implemented using a programmable general-purpose digital computer, an application-specific integrated circuit, a field-programmable gate array, or a network of interconnected components and circuits. Connections may be wired, wireless, by modem, or the like.

Also within the scope of the present invention is the implementation of a program or code that can be stored on a machine-readable medium to permit a computer to perform any of the methods described above.

The above description of illustrated embodiments of the invention, including what is described in the Abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed. While specific embodiments of, and examples for, the invention are described herein for illustrative purposes, those skilled in the relevant art will recognize that many equivalent modifications are possible within the scope of the invention.

These modifications can be made in light of the above detailed description of the invention. The terms used in the following claims should not be construed to limit the invention to the specific embodiments disclosed in the specification and the claims. Rather, the scope of the invention is to be determined entirely by the following claims, which are to be construed in accordance with established doctrines of claim interpretation.

Claims (1)

Patent Application No. 091106841, replacement Chinese claims (amended October 2003, ROC year 92)

VI. Claims

1. A method of detecting states initiated by a computer unit, the method comprising: examining a set of values in a memory region of the computer unit or stored in a dedicated file in the computer unit, each set of values corresponding to a state initiated by the computer unit; and capturing each set of values to determine each state initiated by the computer unit.

2. The method of claim 1, wherein examining the set of values comprises: initiating a parallel registry-section thread.

3. The method of claim 2, wherein initiating the parallel registry-section thread comprises: collecting registry data.

4. The method of claim 1, wherein examining the set of values comprises: initiating a parallel operating-system-section thread.

5. The method of claim 4, wherein initiating the parallel operating-system-section thread comprises: analyzing at least one operating system directory structure, its "root" and all directories and subdirectories.

6. The method of claim 1, wherein examining the set of values comprises: initiating a parallel third-party-section thread.

7. The method of claim 6, wherein initiating the parallel third-party-section thread comprises: scanning all third-party startup files and all initialization files.

8. The method of claim 1, wherein examining the set of values comprises: initiating a polling thread.

9. The method of claim 8, wherein initiating the polling thread comprises: loading configuration data into memory.

10. The method of claim 8, wherein initiating the polling thread comprises: loading stored directory configuration data into memory.

11. The method of claim 8, wherein initiating the polling thread comprises: loading third-party startup information into memory.

12. The method of claim 8, wherein initiating the polling thread comprises: detecting an unauthorized modification.

13. The method of claim 1, further comprising: transmitting each set of values to a remote computing unit.

14. An article of manufacture comprising: a machine-readable medium having instructions stored thereon to: examine a set of values in a memory region of the computer unit or stored in a dedicated file in the computer unit, each set of values corresponding to a state initiated by the computer unit; and capture each set of values to determine each state initiated by the computer unit.

15. An apparatus for detecting states initiated by a computer unit, the apparatus comprising: means for examining a set of values in a memory region of the computer unit or stored in a dedicated file in the computer unit, each set of values corresponding to a state initiated by the computer unit; and means, communicatively coupled to the examining means, for capturing each set of values to determine each state initiated by the computer unit.

16. A method of electronically mapping a hard disk of a computer unit to record an operating system and third-party application startup environment, the method comprising:
  (a) analyzing all key directories and files present in a memory;
  (b) recording vital statistics of selected information;
  (c) recording vital statistics of each key file; and
  (d) recording vital statistics of an internal registry in the computer unit.

17. The method of claim 16, wherein each of steps (a) through (d) is performed in real time.

18. A method of detecting states initiated in an internal computer unit environment, the method comprising:
  (a) monitoring an active-window task manager for all identifiable window codes;
  (b) intercepting operating system messages passed between a third-party application and an operating system;
  (c) detecting changes in a key operating system file or a third-party startup file;
  (d) detecting changes in key aspects of a registry in the internal computer unit environment;
  (e) transmitting an inter-process communication message to any identifiable window code present in the active task manager; and
  (f) transmitting a real-time forensic report to a monitoring station, the real-time forensic report defining the detected state.

19. A method of processing computer registry information to detect an unauthorized action or an unauthorized software program, the method comprising: storing all computer registry information in memory; and recording the computer registry information into a structured file for transmission, so as to allow detection of an unauthorized action or an unauthorized software program.

20. A method of examining all computer registry information in a real-time environment to detect an unauthorized action or an unauthorized software program, the method comprising: comparing the current computer unit machine registry activity state with a previously recorded registry state to detect an unauthorized change to a registry of the computer unit, including calculating a maximum base count for the entries of a defined registry segment.

21. A method of electronically storing mapped directories and files to detect an unauthorized action or an unauthorized software program, the method comprising: providing an electronically mapped directory required for the startup of a third-party application to be installed in a computer unit; mapping the directory into a structured file; and calculating a maximum base count for the entries of a defined registry segment.

22. A method of examining computer startup directories and files, the method comprising: comparing the current computer unit machine directory and file activity state with previously recorded directory and file states to detect unauthorized changes to the startup directories and files of a computer unit, including calculating a maximum base count for the entries of a defined registry segment.

23. A method of monitoring operating system messages to detect an unauthorized action or an unauthorized software program, the method comprising: comparing the messages with an authorized activity list file to detect unauthorized activity, including calculating a maximum base count for the entries of a defined registry segment.

24. A method of reporting unauthorized internal activity in a computer unit, the method comprising: detecting unauthorized activity in the computer unit by comparing the current computer unit machine registry activity state with a previously recorded registry state to detect an unauthorized change to a registry of the computer unit; and transmitting a report of the activity to a second computer unit, and calculating a maximum base count for the entries of a defined registry segment, to allow detection of unauthorized activity in the computer unit.

25. A method of detecting unauthorized activity in a computer unit, the method comprising: reporting an active focus window code and, in a real-time environment, detecting unauthorized activity by comparing the message with an authorized activity list file, including calculating a maximum base count for the entries of a defined registry segment.

26. An apparatus for detecting states initiated by a computer unit, the apparatus comprising: a first engine capable of examining a set of values in a memory region of the computer unit or stored in a dedicated file in the computer unit, each set of values corresponding to a state initiated by the computer unit; and a second engine communicatively coupled to the first engine to capture each set of values to determine each state initiated by the computer unit.

27. The apparatus of claim 26, wherein each state corresponds to a particular activity initiated by the computer unit.

28. The apparatus of claim 26, wherein the first engine initiates a parallel registry-section thread.

29. The apparatus of claim 28, wherein the parallel registry-section thread is capable of collecting registry data.

30. The apparatus of claim 26, wherein the first engine initiates a parallel operating-system-section thread.

31. The apparatus of claim 30, wherein the parallel operating-system-section thread is capable of analyzing at least one operating system directory structure, its "root" and all directories and subdirectories.

32. The apparatus of claim 26, wherein the first engine initiates a parallel third-party-section thread.

33. The apparatus of claim 26, wherein the parallel third-party-section thread is capable of scanning all third-party startup files and all initialization files.

34. The apparatus of claim 26, wherein the first engine initiates a polling thread.

35. The apparatus of claim 34, wherein the polling thread is capable of loading configuration data into memory.

36. The apparatus of claim 34, wherein the polling thread is capable of loading stored directory configuration data into memory.

37. The apparatus of claim 34, wherein the polling thread is capable of loading third-party startup information into memory.

38. The apparatus of claim 34, wherein the polling thread is capable of detecting an unauthorized modification.

39. The apparatus of claim 26, further comprising: a third engine capable of transmitting each set of values to a remote computing unit.
TW91106841A 2001-04-06 2002-04-04 System and method for real time monitoring and control of a computer machine environment and configuration profile TW574645B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/827,451 US20020026605A1 (en) 2000-04-06 2001-04-06 System and method for real time monitoring and control of a computer machine environment and configuration profile
PCT/US2001/011432 WO2001077794A2 (en) 2000-04-06 2001-04-06 System and method for real time monitoring and control of a computer machine environment and configuration profile

Publications (1)

Publication Number Publication Date
TW574645B true TW574645B (en) 2004-02-01

Family

ID=32736662

Family Applications (1)

Application Number Title Priority Date Filing Date
TW91106841A TW574645B (en) 2001-04-06 2002-04-04 System and method for real time monitoring and control of a computer machine environment and configuration profile

Country Status (1)

Country Link
TW (1) TW574645B (en)

Similar Documents

Publication Publication Date Title
US6961765B2 (en) System and method for real time monitoring and control of networked computers
US20020026605A1 (en) System and method for real time monitoring and control of a computer machine environment and configuration profile
Maggi et al. Andrototal: A flexible, scalable toolbox and service for testing mobile malware detectors
US6981279B1 (en) Method and apparatus for replicating and analyzing worm programs
US10235520B2 (en) System and method for analyzing patch file
US20210182392A1 (en) Method for Detecting and Defeating Ransomware
US20060031673A1 (en) Method and system for detecting infection of an operating system
EP1605332A2 (en) Managing spyware and unwanted software through auto-start extensibility points
CN114424194A (en) Automatic malware repair and file recovery management
US9652616B1 (en) Techniques for classifying non-process threats
Gianazza et al. Puppetdroid: A user-centric ui exerciser for automatic dynamic analysis of similar android applications
US20080168423A1 (en) Characterizing software components or soa services of a computerized system by context
CN110059007B (en) System vulnerability scanning method and device, computer equipment and storage medium
US7496913B2 (en) Monitoring and displaying progress of silent installation of a subordinate program
US8978151B1 (en) Removable drive security monitoring method and system
CN117529719A (en) Host-level data analysis for network attack detection
Shree et al. Memory forensic: Acquisition and analysis mechanism for operating systems
Liu et al. Accurate and scalable detection and investigation of cyber persistence threats
US9201591B1 (en) Automated coverage monitoring of mobile applications
TW574645B (en) System and method for real time monitoring and control of a computer machine environment and configuration profile
Gandotra et al. Malware intelligence: beyond malware analysis
CN111639316B (en) Information processing method and device for WEB page
CN108228319A (en) A kind of Semantics Reconstruction method based on more bridges
Barakat et al. Windows forensic investigations using powerforensics tool
TW552522B (en) System and method for real time monitoring and control of networked computers

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent