CN-121996261-A - Software uninstalling method and device of Windows operating system, storage medium and terminal

Abstract

The invention discloses a software uninstalling method and device of a Windows operating system, a storage medium and a terminal, relates to the technical field of software engineering, and mainly aims to solve the problem of low software uninstalling efficiency in the existing Windows operating system. The method mainly comprises: monitoring system events in real time to capture process event information of a software installation process; in response to a process end event of the software installation process, performing multidimensional feature matching between the process event information and software matching information of blacklisted software, and taking the software being installed as target software under the condition that the software being installed corresponds to the process event information; and performing a reverse cleaning operation on the target software according to the software matching information and the process event information of the target software, so as to uninstall the target software. The method is mainly used for automatically uninstalling software.

Inventors

  • WANG XIN
  • TIAN YE
  • HE SHIWEI

Assignees

  • 成都米加游科技有限公司

Dates

Publication Date
20260508
Application Date
20251226

Claims (10)

  1. A method for software uninstalling of a Windows operating system, comprising: monitoring system events in real time to capture process event information of a software installation process; in response to a process end event of the software installation process, performing multidimensional feature matching between the process event information and software matching information of blacklisted software, so as to take the software being installed as target software in the case where the software being installed corresponds to the process event information; and performing a reverse cleaning operation on the target software according to the software matching information and the process event information of the target software, so as to uninstall the target software.
  2. The method of claim 1, wherein, prior to performing multidimensional feature matching between the process event information and the software matching information of the blacklisted software, the method further comprises: in response to an update of the software blacklist, acquiring newly added blacklisted software; scanning the uninstall entries in the Windows registry of the running device to obtain an installed software list, and retrieving the software installation directory of the newly added blacklisted software from the installed software list; analyzing the file format of the files in the software installation directory to identify an executable file; and enumerating services and drivers through the service manager, so as to associate the identified executable file with the newly added blacklisted software according to the executable file path of the services or drivers, and taking the identified executable file as the software matching information of the newly added blacklisted software.
  3. The method of claim 1, wherein monitoring system events in real time to capture process event information of a software installation process comprises: starting and processing a kernel event tracking session to capture an event stream of the software installation process; and parsing the event stream to extract a process identifier, process life cycle events, registry operation events and file operation events, thereby obtaining the process event information; and wherein, after the process event information is obtained, the method further comprises storing the process event information in a cache space.
  4. The method of claim 3, wherein the software installation process comprises an installation main process and an installation sub-process, the method further comprising: in response to a process creation event, traversing and searching for a parent process according to the process identifier of the process being created; if the parent process is found, associating the process identifier of the process being created with the process identifier of the parent process, so as to update the process tree of the parent process; and if the parent process is not found, using the process being created as a parent process to construct a new process tree.
  5. The method of claim 3, wherein performing multidimensional feature matching between the process event information and the software matching information of the blacklisted software, so as to take the software being installed as the target software in the case where the software being installed corresponds to the process event information, comprises: extracting the root path and sub-path of each operated registry entry from the process event information, and extracting the full file path of each operated file from the process event information; extracting executable file features from the executable file pointed to by the full file path, and extracting path behavior features according to the root path, the sub-path and the full file path; if the executable file features and the path behavior features match the software matching information of any blacklisted software, taking the software being installed as the target software; and if no target software is determined from the blacklisted software through multidimensional feature matching, clearing the process event information from the cache space.
  6. The method of claim 5, wherein the executable file features include a digital signature feature, a company name feature, a file name feature, and a version number feature, each feature corresponding to a base weight; and wherein, if the executable file features and the path behavior features match the software matching information of any blacklisted software, taking the software being installed as the target software comprises: constructing, according to the process event information, a structured context information set containing process topology, operation sequence, path type and signature state; if the structured context information set indicates that the created target file is placed in a temporary directory or a system directory and the company name of the target file is not consistent with the directory context, positively adjusting the dynamic weight of the path behavior feature, negatively adjusting the dynamic weight of the company name feature, and performing anti-counterfeiting verification on the digital signature feature so as to adjust the base weight of the digital signature feature based on the verification result; if the structured context information set indicates that the digital signature is in a valid state and the digital signature feature includes abnormal features, negatively adjusting the dynamic weight of the digital signature feature, introducing at least one additional verification feature, and assigning a temporary weight to the additional verification feature; if the structured context information set indicates that a conflict exists among process nodes in the target process tree to which the process being created belongs, calculating the overall behavioral abnormality degree and the digital signature consistency of the target process tree, and negatively adjusting the dynamic weight of the conflicting feature items according to the conflict level among the process nodes; and calculating the matching degree between the software being installed and different blacklisted software according to the base weight and the adjusted dynamic weight of each feature, and determining the software being installed as the target software when the matching degree is greater than a preset threshold value.
  7. The method of claim 1, wherein performing a reverse cleaning operation on the target software according to the software matching information and the process event information of the target software comprises: extracting a service and driver name list, a set of software-related registry entries and a software installation directory path according to the historical operation data of the target software stored in the software matching information; invoking a handle matching the service and driver name list, deleting the services and drivers registered by the target software, recursively deleting all registry entries and sub-entries in the set of software-related registry entries, and deleting all files and sub-directories under the software installation directory path; and generating a rollback list of the creating process according to the process event information, and executing point-to-point deletion according to the rollback list, so as to delete the files and the list created in the creating process.
  8. A software uninstalling device for a Windows operating system, comprising: a real-time monitoring module, configured to monitor system events in real time to capture process event information of a software installation process; a feature matching module, configured to, in response to a process end event of the software installation process, perform multidimensional feature matching between the process event information and the software matching information of the blacklisted software, so as to take the software being installed as target software in the case where the software being installed corresponds to the process event information; and an uninstalling module, configured to perform a reverse cleaning operation on the target software according to the software matching information and the process event information of the target software, so as to uninstall the target software.
  9. A storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the software uninstalling method of the Windows operating system as recited in any one of claims 1 to 7.
  10. A terminal, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus; and the memory is configured to store at least one executable instruction, where the executable instruction causes the processor to perform operations corresponding to the software uninstalling method of the Windows operating system according to any one of claims 1 to 7.
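
An added illustration of the process-tree attribution in claim 4 and the rollback list in claim 7; it is not code from the patent. The event names, tuple layout and paths are constructed assumptions, registry keys are assumed to belong in the rollback list, and the PID-reuse handling is an addition that the claim text shown here does not mention. Nothing is deleted; the code only builds the lists.

```python
"""Toy model: attribute created artifacts to an installer's process tree."""

# Constructed sample events, not real trace output: (kind, pid, parent_pid, target)
EVENTS = [
    ("proc_create", 100, 4,    r"C:\Users\u\Downloads\setup.exe"),
    ("file_create", 100, None, r"C:\Program Files\Acme"),
    ("proc_create", 200, 100,  r"C:\Users\u\AppData\Local\Temp\stub.exe"),
    ("file_create", 200, None, r"C:\Program Files\Acme\acme.exe"),
    ("reg_create",  200, None, r"HKLM\SOFTWARE\Acme"),
    ("proc_end",    200, None, None),
    # PID 200 is reused by an unrelated process whose parent is not tracked.
    ("proc_create", 200, 4,    r"C:\Windows\notepad.exe"),
    ("file_create", 200, None, r"C:\Users\u\notes.txt"),
    ("proc_end",    100, None, None),
]


def build_trees(events):
    """Return a list of trees: {'root': image, 'pids': [...], 'created': [...]}."""
    trees, live = [], {}  # live maps a running pid to its index in trees
    for kind, pid, ppid, target in events:
        if kind == "proc_create":
            if ppid in live:
                # Parent found: the new process joins the parent's tree.
                idx = live[ppid]
            else:
                # Parent not found: the new process roots a new tree.
                trees.append({"root": target, "pids": [], "created": []})
                idx = len(trees) - 1
            live[pid] = idx
            trees[idx]["pids"].append(pid)
        elif kind == "proc_end":
            # Forget the pid so a later reuse cannot inherit the old tree.
            live.pop(pid, None)
        elif pid in live:  # file_create / reg_create by a tracked process
            trees[live[pid]]["created"].append((kind, target))
    return trees


def rollback_list(tree):
    """Artifacts created by the whole tree, newest first (children before parents)."""
    return list(reversed(tree["created"]))


if __name__ == "__main__":
    for t in build_trees(EVENTS):
        print(t["root"], t["pids"], rollback_list(t))
```

Reversing the creation order means a directory's contents are listed before the directory itself, and the file written by the reused PID 200 stays out of the installer's rollback list.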

Description

Software uninstalling method and device of Windows operating system, storage medium and terminal

Technical Field

The present invention relates to the field of software engineering technologies, and in particular, to a software uninstalling method and device of a Windows operating system, a storage medium, and a terminal.

Background

With the popularity of computer technology, the amount of software installed on user devices has grown rapidly, and it includes a significant amount of unnecessary, redundant, and even malicious software. Such software not only occupies precious system resources (such as disk space, memory and CPU), but can also reside in the system in the form of registry entries, system services, background processes and the like, so that device performance is reduced and operation becomes sluggish. Especially for enterprise-level devices or public terminals, unauthorized software may introduce security holes and privacy leakage risks, and may even serve as a springboard for malicious code propagation, seriously threatening network security and data security. Therefore, a method for effectively and thoroughly uninstalling non-compliant or blacklisted software is a firm requirement for keeping device performance unimpaired, maintaining system security and stability, and enforcing management policy, and is also a key link in a terminal security management system.

Currently, in the context of Windows operating systems, the core dilemma faced by software uninstallation is its passivity and superficiality. Existing uninstall approaches depend heavily on the uninstaller provided by the software itself or on the standard system interface, and essentially work in a "request-response" mode.
This mode has fundamental defects. First, thorough uninstallation cannot be ensured: a large number of residual files, registry entries, background services and other "digital remains" persist for a long time, occupying resources and leaving hidden security risks. Second, for malicious software, rogue plug-ins and the like that deliberately evade or resist uninstallation, the traditional method almost entirely fails and cannot get past their self-protection mechanisms. More importantly, the whole process lacks active discovery and precise removal capability: it cannot identify and intervene when software installation behavior occurs, and can only carry out delayed, inefficient cleanup after the problems have accumulated.

Disclosure of Invention

In view of this, the present invention provides a software uninstalling method and device of a Windows operating system, a storage medium, and a terminal, and aims to solve the problem of low software uninstalling efficiency in the existing Windows operating system.

According to one aspect of the present invention, there is provided a software uninstalling method of a Windows operating system, including: monitoring system events in real time to capture process event information of a software installation process; in response to a process end event of the software installation process, performing multidimensional feature matching between the process event information and software matching information of blacklisted software, so as to take the software being installed as target software in the case where the software being installed corresponds to the process event information; and performing a reverse cleaning operation on the target software according to the software matching information and the process event information of the target software, so as to uninstall the target software.
Further, before the multidimensional feature matching is performed between the process event information and the software matching information of the blacklisted software, the method further comprises: in response to an update of the software blacklist, acquiring newly added blacklisted software; scanning the uninstall entries in the Windows registry of the running device to obtain an installed software list, and retrieving the software installation directory of the newly added blacklisted software from the installed software list; analyzing the file format of the files in the software installation directory to identify an executable file; and enumerating services and drivers through the service manager, so as to associate the identified executable file with the newly added blacklisted software according to the executable file path of the services or drivers, and taking the identified executable file as the software matching information of the newly added blacklisted software.

Further, the real-time monitoring of system events to capture process event information of a software installation process includes: starting and processing a kernel event tracking session to capture an event stream of a software installation process; analyzing the event stream to extract a process identifier, a process life cycle event, a registry operation even