CN1350228A - Automatic WINDOWS NT course protecting system - Google Patents
Automatic WINDOWS NT course protecting system
- Publication number: CN1350228A
- Authority: CN (China)
- Prior art keywords: module, execution module, windows, function, monitoring
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Classification: Debugging And Monitoring (AREA)
Abstract
The Windows NT process automatic protection system mainly comprises a performance monitoring module, a rule matching module and an execution module, and is equipped with a self-protection mechanism that protects the processes making up the system. The performance monitoring module monitors and collects the running indices of the processes in the system and reports them to the rule matching module; the rule matching module judges them against a set of automatic response rules and passes process operation commands to the execution module; the execution module then carries out the start and stop operations that keep the system running, while a daemon process monitors and protects these modules. The invention thus provides a double layer of automatic protection, can monitor and manage specific service processes, and effectively solves the security problem of the system.
Description
Technical field:
The present invention relates to an automatic protection system for service processes on the Windows NT platform and belongs to the field of computer technology.
Background technology:
With the spread and development of information technology, more and more business is carried out by computer systems. Through the various applications and service programs running on a computer system, people can accomplish a great deal of work.
Among all computer systems, Microsoft Windows NT has become the preferred server operating system because of its excellent stability. The various value-added services that Windows NT provides are mainly realized by processes built on the Windows NT architecture: for example, Internet Information Server provides WWW, FTP and TELNET services, Microsoft Exchange provides mail and information exchange services inside a local area network (LAN), and the various database services, mail services and so on are likewise realized by the corresponding service processes. The normal operation of these processes, and in particular of the service processes running in the background, is the key to guaranteeing that services remain available on the Windows network. Once such a program stops running for some reason, the system's services are paralysed, the whole information service flow is affected, and the entire system may even crash.
The reasons why these service processes fail to run normally are mainly the following:
1. a logic error or a configuration mistake in the service process itself;
2. an error in an associated process, or a failure of coordination between processes;
3. the resources the process needs are not being met;
4. the process is attacked by another process and forced to exit.
The first two reasons are internal factors of the process and can only be resolved by upgrading the program, patching it, or configuring it correctly. The last two are external factors of the process: through monitoring and control methods the resources of the process can be guaranteed and abnormal exits can be prevented. Such methods are referred to as computer process control and protection methods.
Chinese patent application No. 97197581 discloses a method of regulating application program performance in a digital computer, in which the performance level reached by an application program executing on the computer is monitored and controlled in real time. With this performance regulation program, any external device connected to the computer can be prevented from being overloaded by excessive performance of the application program.
The above method solves the performance control problem of a single application program, and achieves the purpose of protecting the resources of other applications by controlling the performance of an application that consumes a great deal of resources. Today, however, software development has advanced greatly, and it is common for several large service processes, such as IIS, a database and EXCHANGE, to run on a single server. Controlling the performance of only one service process cannot fully protect the other processes from being affected, and therefore cannot guarantee that the whole system provides stable, quality service.
To better understand the running status of all the service processes in a computer system and their influence on system resources, and thereby to control and manage service processes effectively, Windows NT itself provides a very useful small tool, the Windows NT Task Manager (taskmgr.exe). This tool can display all the application programs currently running in the computer system and all the processes executing in it, together with each process's process number, instantaneous CPU usage, CPU time and memory usage, and can also display the instantaneous CPU, memory and thread status of the whole computer system. In addition, the tool can kill abnormal processes, or processes that take up excessive resources, in order to ensure the normal operation of the entire system.
Task Manager can perform process control and protection functions, but it still has the following deficiencies:
1. Task Manager can only monitor processes; the control functions require manual operation by the system administrator, so its real-time response is poor.
2. Task Manager monitors only the two major components of performance (CPU and memory) and is powerless with respect to other performance indices. For example, if the number of HTTP requests in a unit of time exceeds a certain limit, IIS may be under attack and appropriate measures should be taken, but this situation cannot be discovered through Task Manager.
Summary of the invention:
The object of the invention is to address the above deficiencies of the prior art by providing an automatic protection system for Windows NT server processes which, by monitoring the performance indices related to the server processes, discovers hidden dangers inside or outside a process in a timely manner and, by automatic means such as starting and stopping, keeps the server processes in a normal running state throughout the server's operation.
To achieve this purpose, in the technical scheme of the invention the protection system is mainly composed of a performance monitoring module, a rule matching module and an execution module, and, in order to guarantee its own normal operation, is also provided with a special service process called the "daemon process", which constitutes the self-protection mechanism.
The performance monitoring module is the basis of the invention; its main function is to monitor the various performance indices relevant to the running situation of the processes actually running in the system, for example CPU occupancy, memory usage, remaining hard disk space, and the performance indices of the various network connections.
The rule matching module is the core of the automatic processing of the invention. Automatic response rules are set, and the rule matching module judges the performance indices collected by the performance monitoring module against them; when a rule is violated, it instructs the execution module to take the action the rule specifies.
The execution module is the functional implementation of the invention: according to the commands sent by the rule matching module, it starts and stops the process that has gone wrong so as to guarantee that the process can run under normal conditions.
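As an added illustration of the rule matching module described above (this is not code from the patent), the following portable C program judges one monitoring sample against a set of automatic response rules and returns the command for the execution module. The index names, thresholds and the consecutive-sample hold are assumptions; the hold keeps a single spike from triggering a restart, which is the caveat a deployment of such rules needs.

```c
#include <stdio.h>
#include <string.h>
#define MAX_RULES 8

/* One sample of the running indices the monitoring module reports for a protected process. */
typedef struct {
    int    running;         /* 1 if the process is alive, 0 if it has exited */
    double cpu_pct;         /* CPU occupancy, percent */
    double mem_pct;         /* memory usage, percent */
    double disk_free_mb;    /* remaining hard disk space, MB */
    double http_req_per_s;  /* HTTP requests per second handled by the service */
} Sample;

typedef enum { IDX_RUNNING, IDX_CPU, IDX_MEM, IDX_DISK_FREE, IDX_HTTP_RATE } Index;
typedef enum { CMP_GT, CMP_LT } Cmp;
/* Ordered by severity: the most severe violated rule decides the command sent to the execution module. */
typedef enum { ACT_NONE = 0, ACT_ALERT = 1, ACT_RESTART = 2 } Action;
/* Automatic response rule: if <index> <cmp> <threshold> holds for <hold> consecutive samples, do <action>. */
typedef struct {
    Index index; Cmp cmp; double threshold;
    int hold;               /* consecutive violating samples required before the rule fires */
    Action action; const char *reason;
} Rule;

/* A rule set must be zero-initialised so that every streak counter starts at 0. */
typedef struct {
    Rule rules[MAX_RULES];
    int  streak[MAX_RULES]; /* per-rule count of consecutive violating samples */
    int  count;
} RuleSet;

static double index_value(const Sample *s, Index i) {
    switch (i) {
    case IDX_CPU:       return s->cpu_pct;      case IDX_MEM:       return s->mem_pct;
    case IDX_DISK_FREE: return s->disk_free_mb; case IDX_HTTP_RATE: return s->http_req_per_s;
    default:            return s->running;
    }
}

static int violates(const Rule *r, const Sample *s) {
    double v = index_value(s, r->index);
    return r->cmp == CMP_GT ? v > r->threshold : v < r->threshold;
}

void ruleset_add(RuleSet *rs, Rule r) {
    if (rs->count < MAX_RULES) rs->rules[rs->count++] = r;
}

/* Judge one sample against every rule. Returns the most severe action among the rules violated for
 * at least `hold` consecutive samples; *reason names that rule ("" when nothing fires). */
Action ruleset_judge(RuleSet *rs, const Sample *s, const char **reason) {
    Action worst = ACT_NONE;
    *reason = "";
    for (int i = 0; i < rs->count; i++) {
        const Rule *r = &rs->rules[i];
        /* The streak is the hysteresis: one CPU spike must not make the execution module restart a healthy service. */
        rs->streak[i] = violates(r, s) ? rs->streak[i] + 1 : 0;
        if (rs->streak[i] >= r->hold && r->action > worst) {
            worst = r->action;
            *reason = r->reason;
        }
    }
    return worst;
}

/* Rules for the IIS service process, covering the indices the description names (thresholds are constructed). */
RuleSet iis_rules(void) {
    RuleSet rs = {0};
    ruleset_add(&rs, (Rule){IDX_RUNNING,   CMP_LT, 1.0,    1, ACT_RESTART, "process exited"});
    ruleset_add(&rs, (Rule){IDX_CPU,       CMP_GT, 90.0,   3, ACT_RESTART, "CPU above 90% for 3 samples"});
    ruleset_add(&rs, (Rule){IDX_MEM,       CMP_GT, 85.0,   3, ACT_ALERT,   "memory above 85% for 3 samples"});
    ruleset_add(&rs, (Rule){IDX_DISK_FREE, CMP_LT, 500.0,  1, ACT_ALERT,   "less than 500 MB of disk free"});
    ruleset_add(&rs, (Rule){IDX_HTTP_RATE, CMP_GT, 2000.0, 2, ACT_ALERT,   "HTTP rate above 2000/s, possible attack"});
    return rs;
}

int main(void) {
    RuleSet rs = iis_rules();
    /* Constructed sample stream: healthy, a one-sample CPU spike (ignored), then sustained CPU saturation. */
    Sample stream[] = {
        {1, 20.0, 40.0, 8000.0, 150.0}, {1, 99.0, 40.0, 8000.0, 150.0}, {1, 30.0, 40.0, 8000.0, 150.0},
        {1, 95.0, 40.0, 8000.0, 150.0}, {1, 97.0, 40.0, 8000.0, 150.0}, {1, 98.0, 40.0, 8000.0, 150.0},
    };
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        const char *why;
        Action a = ruleset_judge(&rs, &stream[i], &why);
        printf("sample %zu: action=%d %s\n", i, (int)a, why);
    }
    return 0;
}
```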
In the self-protection mechanism the main function of the daemon process is to monitor the running situation of the performance monitoring module, the rule matching module and the execution module; once one of these modules exits for any reason, the daemon process restarts it. At the same time the system also takes the daemon process as an object of monitoring: should it exit unexpectedly, the execution module restarts the daemon process.
With this design, unless the daemon process and the execution module exit abnormally at the same time, the protection system of the invention is guaranteed to keep working in the system.
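To check the claim that only a simultaneous exit of the daemon process and the execution module defeats the self-protection mechanism, here is an added model in C (not the patent's code) that applies the two restart relations just described to every combination of crashed processes. The process names and the bit-set representation are assumptions of the model.

```c
#include <stdio.h>

/* Bit flags for the four processes of the protection system (constructed model, not the patent's code). */
enum {
    MON    = 1u << 0,  /* performance monitoring module */
    RULES  = 1u << 1,  /* rule matching module */
    EXEC   = 1u << 2,  /* execution module */
    DAEMON = 1u << 3,  /* daemon process */
    ALL    = MON | RULES | EXEC | DAEMON
};

/* Apply the two watchdog relations to a set of live processes and return the set after recovery:
 * the daemon restarts any of the three modules that has exited, and the execution module restarts
 * the daemon. A process restarted in this step can itself restart others in the same step. */
unsigned recover(unsigned alive) {
    if ((alive & EXEC) && !(alive & DAEMON)) alive |= DAEMON;   /* only EXEC can bring the daemon back */
    if (alive & DAEMON) alive |= MON | RULES | EXEC;            /* a live daemon restores every module */
    return alive;
}

/* One failure event: the processes in `crashed` exit, then recovery runs. */
unsigned step(unsigned alive, unsigned crashed) {
    return recover(alive & ~crashed);
}

/* Count the crash combinations (out of all 16 subsets) from which the system cannot recover on its own. */
int unrecoverable_cases(void) {
    int n = 0;
    for (unsigned crashed = 0; crashed < 16; crashed++)
        if (step(ALL, crashed) != ALL) n++;
    return n;
}

static void show(const char *label, unsigned alive) {
    printf("%-26s MON=%d RULES=%d EXEC=%d DAEMON=%d\n", label,
           !!(alive & MON), !!(alive & RULES), !!(alive & EXEC), !!(alive & DAEMON));
}

int main(void) {
    show("rule module crashes",     step(ALL, RULES));
    show("daemon crashes",          step(ALL, DAEMON));
    show("daemon, then exec",       step(step(ALL, DAEMON), EXEC));
    show("daemon and exec together", step(ALL, DAEMON | EXEC));
    printf("unrecoverable crash combinations: %d of 16\n", unrecoverable_cases());
    return 0;
}
```

A real watchdog also needs a restart limit: a module that crashes again immediately after every restart would otherwise keep the daemon in a restart loop.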
The operation of the system of the invention uses the following core technologies:
1. Method of obtaining the running state of a process under the Windows NT environment
The performance monitoring module of the invention obtains system process information by calling the PSAPI functions.
Microsoft's Windows NT development group has developed its own Process Status functions, contained in the PSAPI.DLL file; these functions can be used under NT 4.0. PSAPI has 14 functions [PSAPI.DLL actually exports 19 functions, but 5 of them exist in two versions, an ANSI version and a Unicode version]. By calling these functions, all information about system processes can be obtained, for example the process name, process ID, parent process ID, process priority, the list of modules mapped into the process space, and so on. The concrete steps are as follows:
First, call the EnumProcesses function to obtain the process identifiers of all the processes running in the system.
Then, for each process, carry out the following operations:
Call the GetCurrentProcess function to obtain the handle of the process.
Call the EnumProcessModules function to obtain all the modules of the process.
Based on the information obtained above, call functions such as GetDeviceDriverBaseName, GetDeviceDriverFileName, GetMappedFileName, GetModuleBaseName, GetModuleFileNameEx, GetModuleInformation, GetProcessMemoryInfo and GetWsChanges to obtain the relevant information about the process.
2. Method of obtaining system performance under the Windows NT environment
The performance monitoring module of the invention uses the Windows PDH library to obtain the corresponding performance parameters according to the specified performance counters.
PDH is the abbreviation of Performance Data Helper. Windows NT has always maintained a database called Performance Data, which contains a large amount of information, for example CPU usage, memory usage, system process information and much other useful information. Because the arrangement of the information in this database is very complex, Microsoft developed a group of Performance Data Helper functions, contained in the PDH.DLL file, to make the database easy to use. The concrete steps are as follows:
First, call the PdhOpenQuery function to create a query; the function returns the corresponding query handle.
Then call the PdhAddCounter function to add a counter to the query. For example, to obtain the CPU utilization rate, the counter named "\Processor(_Total)\% Processor Time" can be used.
After setting the required counters, call the PdhCollectQueryData function to collect the performance data.
After collection is finished, the data are read out one by one by calling the PdhGetFormattedCounterValue function.
Finally, close the opened query with the PdhCloseQuery function.
3. Method of stopping a running process under the Windows NT environment
Killing a local process from the execution module is relatively simple: after obtaining the process ID, call the OpenProcess function to open a process handle, then call the TerminateProcess function to kill the process.
In some cases, however, the process handle cannot be opened directly, for example for a system process such as WINLOGON, because of insufficient privilege. In that case the execution module must first raise the privilege of its own process.
The procedure for raising the privilege is as follows:
1. call the GetCurrentProcess function to obtain the handle of the current process;
2. call OpenProcessToken to open the access token of the current process;
3. call the LookupPrivilegeValue function to obtain the value of the privilege to be raised;
4. finally, call the AdjustTokenPrivileges function to add the privilege to the access token of the current process.
Once SeDebugPrivilege has been obtained, generally all processes except Idle can be killed.
4, the method for a process of program run under the Windows NT environment
The method that restarts a process by execution module is also fairly simple, is knowing process file
The CreateProcess function after the operational mode of system process, just can be called in the path, place,
This process is moved.
The advantages of the invention are obvious. When protecting processes it does not require changing the server's original configuration, nor resetting or modifying the original service processes; it is enough to set the name and the corresponding configuration of the process to be protected. The invention has a double-layer automatic protective effect: it can monitor and manage specific service processes, can automatically restart a process that has become abnormal or has been attacked and killed, and at the same time protects its own safety through the self-protection mechanism, avoiding the danger of its components being taken down one by one. It thus effectively solves the security problem of the system.
Description of drawings and embodiment:
Fig. 1 is a schematic diagram of the system architecture of the invention and of the connection relationships between the modules.
As shown in the figure, the system of the invention is mainly composed of a performance monitoring module, a rule matching module and an execution module. The rule matching module is connected to the emergency management center and, respectively, to the performance monitoring module and the execution module; the performance monitoring module and the execution module are in turn connected to the operating system. The rule matching module reports system alarms to the emergency management center, receives the system rules from the center and passes them down to the performance monitoring module. The performance monitoring module monitors and collects the various performance indices of the operating system and reports them to the rule matching module; the rule matching module delivers process operation commands to the execution module, which controls the operating system to carry out the process start and stop operations.
Fig. 2 is a schematic diagram of the self-protection mechanism.
As shown in the figure, a special service process, the daemon process, is introduced into the self-protection mechanism of the invention. The daemon process is connected respectively to the performance monitoring module, the rule matching module and the execution module, and carries out process monitoring and protection: once one of these modules exits for any reason, the daemon process restarts it. At the same time the system also takes the daemon process as an object of monitoring; should it exit unexpectedly, the execution module restarts the protected process. The dotted lines in the figure represent the monitoring and protection relationships between the processes and modules.
In one embodiment of the invention, the network environment is 100M Ethernet, the hardware is a web server with a 100M Ethernet card, and the operating platform is Windows NT Server.
An NT agent of the emergency response subsystem is implanted in the external-network WEB server. This agent is a service process running under the Windows environment, configured to start automatically at boot, which guarantees that it begins running in the background as soon as Windows NT starts. The agent's sub-modules, namely the performance monitoring module, the rule matching module and the execution module, work together to protect the security and performance of the external-network WEB server. They all start as child processes of the NT agent service process when that service process starts, and are in turn protected by the service process. The execution module of the NT agent is the "process protection program" of the whole system and, according to its settings, can protect specific processes in the system. The agent's service process itself is the "daemon process" of the system, which protects the normal operation of the execution module.
The performance monitoring module of the NT agent monitors the performance of the WEB server (including CPU occupancy, memory usage, disk space utilization, how busy the network connections are, process working status and other performance indices) and reports on schedule.
Safety rules for the agent are set at the center. They instruct the agent under what conditions a rule is violated, and also specify what operations to carry out after a violation besides sending an alarm to the center. The rule matching module of the NT agent works according to the rules set at the center and synchronized from it, raising an alarm for situations that violate a rule and instructing the execution module to act.
The execution module of the NT agent carries out the corresponding operations according to the instructions sent by the emergency response center or by the agent's own rule matching module; these operations include starting and stopping specific processes (in this system, starting and stopping the IIS service process), restarting the computer system, and so on.
The agent's service process monitors the running situation of each functional sub-process and can take timely action on a sub-process that becomes abnormal, starting or stopping that module to guarantee the normal operation of the whole NT agent.
Claims (3)
1. A Windows NT process automatic protection system, characterized in that it is mainly composed of a performance monitoring module, a rule matching module and an execution module, and is provided with a daemon process constituting a self-protection mechanism; the rule matching module is connected to the emergency management center and, respectively, to the performance monitoring module and the execution module; the performance monitoring module and the execution module are connected to the operating system; the performance monitoring module monitors and collects the running indices of the processes in the system and reports them to the rule matching module; the rule matching module judges the indices by means of set automatic response rules and delivers process operation commands to the execution module; the execution module carries out the start and stop operations that guarantee the normal operation of the system; and the daemon process is connected respectively to the performance monitoring module, the rule matching module and the execution module and carries out process monitoring and protection.
2. The Windows NT process automatic protection system of claim 1, characterized in that the performance monitoring module obtains process running state information by calling the PSAPI functions, and uses the Windows PDH library to obtain system performance parameters.
3. The Windows NT process automatic protection system of claim 1, characterized in that the execution module, after obtaining a process ID, calls the OpenProcess function to open a process handle and then calls the TerminateProcess function to stop a running process, and restarts a process by calling the CreateProcess function.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB011390352A CN1175352C (en) | 2001-12-04 | 2001-12-04 | Automatic WINDOWS NT course protecting system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1350228A true CN1350228A (en) | 2002-05-22 |
CN1175352C CN1175352C (en) | 2004-11-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C06 | Publication | |
| PB01 | Publication | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| C17 | Cessation of patent right | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20041110; Termination date: 20131204 |