Publication number: CN101065727 A
Publication type: Application
Application number: CN 200580040872
PCT number: PCT/US2005/034302
Publication date: 31 Oct 2007
Filing date: 23 Sep 2005
Priority date: 30 Sep 2004
Also published as: CN100520721C, CN101069156A, CN101069156B, CN101069157A, CN101069157B, CN101073058A, CN101073058B, CN101329636A, CN101329636B, US7676813, US7680758, US8042120, US8132176, US8302101, US8352964, US20060075381, US20060085789, US20060174223, US20060265714, US20070067255, US20070094667, US20110173618
Inventors: L. G. Laborczfalvi, A. Roychoudhry, A. G. Borzycki, H. C. Chin, R. J. Mazzaferri
Applicant: Citrix Systems, Inc.
Method and apparatus for virtualizing window information
CN 101065727 A
Abstract
A method for moving an executing process from a source isolation scope to a target isolation scope includes the step of determining that the process is in a state suitable for moving. The association of the process changes from a source isolation scope to a target isolation scope. A rule loads in association with the target isolation scope.
Claims (66), translated from Chinese
1. A method for virtualizing access to windows, the method comprising the steps of: receiving a request relating to a window from a process executing in the context of a user account, the request including a virtual window name; determining a literal name for the window using a scope-specific identifier; issuing to the operating system a request including the determined literal window name; and associating a window handle with the determined virtual window name.
2. The method of claim 1, wherein step (a) comprises the step of intercepting a request relating to a window from a process executing in the context of a user account, the request including a virtual window name.
3. The method of claim 1, wherein step (a) comprises the step of receiving a request to find a window from a process executing in the context of a user account, the request including a virtual window name.
4. The method of claim 1, wherein step (a) comprises the step of receiving a request to create a window from a process executing in the context of a user account, the request including one of the virtual window names.
5. The method of claim 1, wherein step (b) comprises: (b-1) determining a rule associated with the virtual window name included in the request; and (b-2) determining the literal name for the window responsive to the determined rule.
6. The method of claim 1, wherein step (b) comprises determining the literal window name using a scope-specific identifier associated with an application isolation scope, the process making the request being associated with the application isolation scope.
7. The method of claim 1, wherein step (d) comprises storing the virtual window name in a mapping table associated with the window handle.
8. The method of claim 1, further comprising the step of receiving from the operating system a response to the issued request.
9. The method of claim 8, further comprising the step of replacing the determined literal window name in the response with one of the virtual window names.
10. A method for virtualizing access to windows, the method comprising the steps of: receiving a request to identify one of a virtual window name and a virtual window class identifier, the request received from a process executing in the context of a user account and including a window handle; determining that the window handle is associated with the requested one of a virtual window name and a virtual window class identifier; and returning the determined window information to the requesting process.
11. The method of claim 10, wherein step (b) comprises determining that no association exists between the window handle and the requested one of a virtual window name and a virtual window class identifier.
12. The method of claim 11, further comprising the step of determining, from a mapping table, the window handle associated with the requested one of a virtual window name and a virtual window class identifier.
13. The method of claim 12, further comprising the step of returning to the requesting process a response received from the operating system.
14. An apparatus for virtualizing access to windows, comprising: a hooking mechanism receiving a request relating to a window from a process executing in the context of a user account, the request including one of a virtual window name and a virtual window class identifier; a window name virtualization engine forming one of a literal name for the window and a literal window class identifier using the one of a virtual window name and a virtual window class identifier received in the request and a scope-specific identifier; and an operating system interface issuing a request relating to the window, the request including one of the formed literal name for the window and the formed literal window class identifier.
15. The apparatus of claim 14, wherein the hooking mechanism intercepts a request selected from the group consisting of: finding a window, creating a window, enumerating windows, destroying a window, setting a window name, getting a window name, getting the window class identifier associated with a window, registering a window class, getting information about a window class, and unregistering a window class.
16. The apparatus of claim 14, further comprising a mapping table storing an association between a window handle and one of a virtual window name and a virtual window class identifier.
17. The apparatus of claim 16, wherein the mapping table is associated with a process.
18. The apparatus of claim 17, further comprising a second mapping table associated with a second process.
19. The apparatus of claim 15, further comprising a rules engine including rules that determine how the window name virtualization engine forms one of the literal name for the window and the literal window class identifier for the window.
20. A method for virtualizing access to windows, the method comprising the steps of: intercepting from a requestor a request to paint the title bar of a window, the title bar including a window name and the request including a window handle; determining that the window handle is associated with a virtual window name; painting the title bar of the window using the virtual window name; and indicating to the requestor that the title bar has been painted.
21. A method for virtualizing access to windows, comprising the steps of: receiving a request relating to a window class from a process executing in the context of a user account, the request including a virtual window class identifier; determining a literal window class identifier using a scope-specific identifier; and issuing to the operating system a request including the determined literal window class identifier.
22. The method of claim 21, wherein step (a) comprises the step of intercepting a request relating to a window class from a process executing in the context of a user account, the request including a virtual window class identifier.
23. The method of claim 21, wherein step (a) comprises the step of receiving a request to find a window from a process executing in the context of a user account, the request including a virtual window class identifier.
24. The method of claim 21, wherein step (a) comprises the step of receiving a request to create a window from a process executing in the context of a user account, the request including a virtual window class identifier.
25. The method of claim 21, wherein step (b) comprises: (b-1) determining a rule associated with the virtual window class identifier included in the request; and (b-2) determining the literal window class identifier responsive to the determined rule.
26. The method of claim 21, wherein step (b) comprises determining the literal window class name using a scope-specific identifier associated with an application isolation scope, the process making the request being associated with the application isolation scope.
27. The method of claim 21, wherein step (d) comprises storing the virtual window class identifier in a mapping table associated with the window handle.
28. The method of claim 21, further comprising the step of receiving from the operating system a response to the issued request.
29. The method of claim 28, further comprising the step of replacing the determined literal window class identifier in the response with the virtual window class identifier.
30. A method for associating a file type of a file with one or more programs, the method comprising the steps of: receiving a request to store file type association information in a configuration store; determining, from the request, an application program to be associated with the file type in the configuration store; and writing to the configuration store an association of the file type with a chooser tool.
31. The method of claim 30, wherein step (a) further comprises intercepting the request by one of a user-mode hooking mechanism, a kernel-mode hooking mechanism, a file system filter driver, and a mini-driver.
32. The method of claim 30, wherein the request comprises updating an entry for the file type association in the configuration store.
33. The method of claim 30, wherein the request comprises creating a new entry for the file type association in the configuration store.
34. The method of claim 30, wherein the chooser tool provides a user interface listing one or more application programs to be invoked to access a file associated with the file type.
35. The method of claim 30, further comprising the step of providing an association of the application program with the file type in a chooser tool configuration store.
36. The method of claim 35, wherein the configuration store comprises the chooser tool configuration store.
37. The method of claim 30, wherein the configuration store comprises a registry database.
38. The method of claim 30, further comprising the steps of selecting a file associated with the file type in order to invoke an application program, and invoking the chooser tool in response to selecting the file.
39. The method of claim 30, further comprising the step of displaying, by the chooser tool, a list of one or more application programs associated with the file type.
40. The method of claim 30, further comprising the step of invoking, by the chooser tool, the selected application program in one of a system scope, an application isolation scope, and a user isolation scope.
41. The method of claim 30, wherein one of the application program, the file, the configuration store, and the chooser tool is associated, within an isolation environment, with one of a system scope, an application isolation scope, and a user isolation scope.
42. The method of claim 30, wherein the chooser tool is the default application program associated with the file type.
43. The method of claim 30, further comprising associating a second file type with the chooser tool in the configuration store.
44. A method for invoking an application program associated with a file type, the method comprising the steps of: selecting a file in order to invoke an application program, the file being associated with a file type; obtaining from a configuration store, in response to selecting the file, a reference to a chooser tool associated with the file type, the configuration store including file type association information; and invoking the chooser tool in response to selecting the file, the chooser tool displaying a list of one or more application programs for accessing the selected file.
45. The method of claim 44, wherein step (a) further comprises selecting the file by clicking on the file one or more times in order to invoke the application program.
46. The method of claim 44, wherein step (b) further comprises obtaining from a chooser tool configuration store a list of one or more application programs associated with the file type of the selected file.
47. The method of claim 46, wherein step (c) further comprises the chooser tool displaying at least one of the one or more application programs associated with the file type obtained from the chooser tool configuration store.
48. The method of claim 46, wherein the configuration store comprises the chooser tool configuration store.
49. The method of claim 44, wherein the configuration store comprises a registry database.
50. The method of claim 44, further comprising the step of invoking an application program selected from the list displayed by the chooser tool.
51. The method of claim 50, further comprising invoking the selected application program in one of a system scope, an application isolation scope, and a user isolation scope.
52. The method of claim 44, wherein one of the application program, the file, the configuration store, and the chooser tool is associated, within an isolation environment, with one of a system scope, an application isolation scope, and a user isolation scope.
53. The method of claim 44, wherein the chooser tool is the default application program associated with the file type in the configuration store.
54. A system for invoking a program associated with a file type, the system comprising: a redirector obtaining a request to store file type association information in a configuration store and determining, from the request, a file type to be associated with an application program in the configuration store; a chooser tool configured to provide a selection of one or more application programs to be invoked to access a file associated with the file type; and the redirector writing to the configuration store to associate the file type with the chooser tool.
55. The system of claim 54, wherein the redirector comprises one of the following to intercept the request: a user-mode hooking mechanism, a kernel-mode hooking mechanism, a file system filter driver, and a mini-driver.
56. The system of claim 54, wherein the chooser tool comprises a user interface for displaying the selection of one or more application programs.
57. The system of claim 54, comprising a chooser tool configuration store for storing an entry associating the file type with the requested application program.
58. The system of claim 57, wherein the redirector initiates the action of writing the entry to the chooser tool configuration store.
59. The system of claim 57, wherein the configuration store comprises the chooser tool configuration store.
60. The system of claim 54, wherein the configuration store comprises a registry database.
61. The system of claim 57, wherein the chooser tool displays at least one application program associated with the file type obtained from the chooser tool configuration store.
62. The system of claim 54, wherein the chooser tool invokes an application program selected from the list.
63. The system of claim 54, comprising an isolation environment for isolating application programs' access to native resources provided by the operating system.
64. The system of claim 63, wherein the isolation environment comprises one of a system scope, an application isolation scope, and a user isolation scope.
65. The system of claim 64, wherein one of the system scope, the application isolation scope, and the user isolation scope includes one of the application program, the file, the configuration store, and the chooser tool.
66. The system of claim 64, wherein the chooser tool invokes the selected application program in one of the system scope, the application isolation scope, and the user isolation scope.
Description, translated from Chinese
Method and apparatus for virtualizing window information

Technical Field

The present invention relates to managing the execution of software applications by computers and, in particular, to methods and apparatus for reducing compatibility and sociability problems between different application programs and between individual users of the same application executed by the same computer system.

Background

Computer software application programs, during execution and installation, make use of a variety of native resources provided by the computer's operating system. A traditional single-user computer is depicted in FIG. 1A. As shown in FIG. 1A, native resources provided by the operating system 100 may include a file system 102, a registry database 104, and objects 106. The file system 102 provides a mechanism for an application program to open, create, read, copy, modify, and delete data files 150, 152. The data files 150, 152 may be grouped together in a logical hierarchy of directories 160, 162. The registry database 104 stores information regarding hardware physically attached to the computer, which system options have been selected, how computer memory is set up, various items of application-specific data, and what application programs should be present when the operating system 100 starts. As shown in FIG. 1A, the registry database 104 is commonly organized in a logical hierarchy of "keys" 170, 172, which are containers for registry values. The operating system 100 may also provide a number of communication and synchronization objects 106, including semaphores, sections, mutexes, timers, mutants, and pipes. Together, the file system 102, the registry database 104, the objects 106, and any other native resources made available by the operating system 100 are referred to throughout this document as the "system layer" 108. The resources provided by the system layer 108 are available to any application or system program 112, 114.

A problem arises, however, when an attempt is made to execute or install two incompatible application programs 112, 114. As shown in FIG. 1A, two application programs, APP1 112 and APP2 114, execute "on top of" the operating system 100; that is, the application programs use functions provided by the operating system to access native resources. The application programs are said to be incompatible with one another when they make use of native resources 102, 104, 106 in a mutually exclusive manner, either during execution or during the installation process. APP1 112 may require, or attempt to install, a file located by the path name c:\windows\system32\msvcrt.dll, while APP2 114 may require, or attempt to install, a second, different file located by the same path name. In this case, APP1 112 and APP2 114 cannot be executed on the same computer and are said to be incompatible with one another. A similar problem may be encountered for other native resources. This is, at best, inconvenient for a computer user who needs to install or execute both APP1 112 and APP2 114 together in the same operating system 100 environment.

FIG. 1B depicts a multi-user computer system supporting concurrent execution of application programs 112, 114, 112', 114' on behalf of several users. As shown in FIG. 1B, a first instance of APP1 112 and a first instance of APP2 114 are executed in the context of a first user session 110, a second instance of APP1 112' is executed in the context of a second user session 120, and a second instance of APP2 114' is executed in the context of a third user session 130. In this environment, a problem arises if both instances of APP1 112, 112' and both instances of APP2 114, 114' make use of native resources 102, 104, 106 as though only a single user were executing the application. For example, APP1 112 may store application-specific data in a registry key 170. When the first instance of APP1 112 executing in the first user context 110 and the second instance of APP1 112' executing in the second user context 120 both attempt to store configuration data to the same registry key 170, incorrect configuration data will be stored for one of the users. Similar problems may occur for other native resources, such as window names and window class information.

The present invention addresses these application program compatibility and sociability problems and additionally provides the ability to associate multiple applications with a file type.

Summary of the Invention

The present invention allows installation and execution, on a single computer, of application programs that are incompatible with each other and of incompatible versions of the same application program. In addition, it allows installation and execution on a multi-user computer of programs that were created for a single-user computer or were created without consideration for problems that arise when executing on a multi-user computer. The methods and systems described are applicable to single-user computing environments, which include environments in which multiple users use a single computer one after the other, as well as multi-user computing environments, in which multiple users concurrently use a single computer. The present invention virtualizes user and application access to native resources, such as the file system, the registry database, system objects, window classes, and window names, without modification of the application programs or the underlying operating system. In addition, virtualized native resources may be stored in native format (that is, virtualized files are stored in the file system, virtualized registry entries are stored in the registry database, and so on), allowing viewing and management of virtualized resources to be accomplished using standard tools and techniques.

In one aspect, the present invention relates to a method for virtualizing access to windows. A request relating to a window is received from a process executing in the context of a user account, the request including a virtual window name. A literal name for the window is determined using a scope-specific identifier. A request including the determined literal window name is issued to the operating system. A window handle is associated with the determined virtual window name.

In one embodiment, the request relating to a window is intercepted from the process executing in the context of a user account. In another embodiment, a rule associated with the virtual window name included in the request is determined and used to determine the literal name for the window. In some embodiments, the virtual window name is stored in a mapping table associated with the window handle.

In another aspect, the present invention relates to a method for virtualizing access to windows. A request to identify one of a virtual window name and a virtual window class identifier is received, the request received from a process executing in the context of a user account and including a window handle. It is determined that the window handle is associated with the requested one of a virtual window name and a virtual window class identifier. The determined window information is returned to the requesting process. In one embodiment, the window handle associated with the requested one of a virtual window name and a virtual window class identifier is determined from a mapping table.

In another aspect, the present invention relates to an apparatus for virtualizing access to windows. A hooking mechanism receives a request relating to a window from a process executing in the context of a user account, the request including one of a virtual window name and a virtual window class identifier. A window name virtualization engine forms one of a literal name for the window and a literal window class identifier using the one of a virtual window name and a virtual window class identifier received in the request and a scope-specific identifier. An operating system interface issues a request relating to the window, the request including one of the formed literal name for the window and the formed literal window class identifier.

In one embodiment, the hooking mechanism intercepts a request selected from the group consisting of: finding a window, creating a window, enumerating windows, destroying a window, setting a window name, getting a window name, getting the window class identifier associated with a window, registering a window class, getting information about a window class, and unregistering a window class. In another embodiment, a mapping table stores an association between a window handle and one of a virtual window name and a virtual window class identifier.
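The window-name virtualization summarized above can be modeled in a few lines. This is an added example, not code from the patent or from the applicant: a hooking layer with a rule lookup, a scope-specific literal name, and a per-process handle-to-virtual-name mapping table. The stand-in window manager, the `#scope` name-mangling scheme, the `passthrough` rule action, and all window names are assumptions made for illustration.

```python
"""Model of per-scope window-name virtualization (illustrative assumptions only)."""
import itertools


class FakeWindowManager:
    """Stand-in for the OS: one global, flat namespace of window names."""

    def __init__(self):
        self._handles = itertools.count(0x1000)
        self.windows = {}  # handle -> literal name

    def create_window(self, literal_name):
        handle = next(self._handles)
        self.windows[handle] = literal_name
        return handle

    def find_window(self, literal_name):
        for handle, name in self.windows.items():
            if name == literal_name:
                return handle
        return None

    def get_window_text(self, handle):
        return self.windows[handle]

    def destroy_window(self, handle):
        del self.windows[handle]


class WindowNameVirtualizer:
    """Hook layer sitting between one process and the window manager."""

    def __init__(self, os_wm, scope_id, rules=()):
        self.os = os_wm
        self.scope_id = scope_id          # scope-specific identifier
        self.rules = list(rules)          # (name prefix, action) pairs
        self.handle_to_virtual = {}       # mapping table, one per process

    def _action_for(self, virtual_name):
        for prefix, action in self.rules:
            if virtual_name.startswith(prefix):
                return action
        return "isolate"                  # assumed default rule

    def literal_name(self, virtual_name):
        """Form the literal name from the virtual name and the scope id."""
        if self._action_for(virtual_name) == "passthrough":
            return virtual_name
        return f"{virtual_name}#{self.scope_id}"   # assumed mangling scheme

    def create_window(self, virtual_name):
        handle = self.os.create_window(self.literal_name(virtual_name))
        self.handle_to_virtual[handle] = virtual_name
        return handle

    def find_window(self, virtual_name):
        return self.os.find_window(self.literal_name(virtual_name))

    def get_window_text(self, handle):
        """Return the virtual name if this process's table knows the handle;
        otherwise fall through to whatever the OS reports."""
        virtual = self.handle_to_virtual.get(handle)
        return virtual if virtual is not None else self.os.get_window_text(handle)

    def destroy_window(self, handle):
        self.os.destroy_window(handle)
        self.handle_to_virtual.pop(handle, None)


def demo():
    """Two user scopes run the same single-instance application."""
    os_wm = FakeWindowManager()
    rules = [("Shared", "passthrough")]            # constructed rule
    alice = WindowNameVirtualizer(os_wm, "user-alice", rules)
    bob = WindowNameVirtualizer(os_wm, "user-bob", rules)
    tray = os_wm.create_window("SharedTray")       # system-scope window
    h_alice = alice.create_window("AcmeEditorMain")
    return {
        # Bob's single-instance check does not see Alice's window.
        "bob_finds_alice_window": bob.find_window("AcmeEditorMain"),
        "alice_finds_own_window": alice.find_window("AcmeEditorMain") == h_alice,
        # The process sees its virtual name; the OS holds the literal one.
        "name_seen_by_alice": alice.get_window_text(h_alice),
        "name_held_by_os": os_wm.get_window_text(h_alice),
        # Pass-through names stay shared across scopes.
        "both_find_tray": alice.find_window("SharedTray") == tray
        == bob.find_window("SharedTray"),
        # A handle absent from Bob's table falls through to the OS answer.
        "alice_handle_seen_by_bob": bob.get_window_text(h_alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In this model the last result shows that a handle obtained outside a process's own mapping table yields the literal, scope-mangled name, so the name translation separates namespaces but does not by itself restrict what a handle holder can query.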

In another aspect, the present invention relates to a method for virtualizing access to windows. A request to paint the title bar of a window is intercepted from a requestor, the title bar including a window name and the request including a window handle. A virtual window name associated with the window handle is determined. The title bar of the window is painted using the virtual window name. An indication is given to the requestor that the title bar has been painted.

In yet another aspect, the present invention relates to a method for virtualizing access to windows. A request relating to a window class is received from a process executing in the context of a user account, the request including a virtual window class identifier. A literal window class identifier is determined using a scope-specific identifier. A request is issued to the operating system, the request including the determined literal window class identifier.

In one embodiment, a rule associated with the virtual window class identifier included in the request is identified, and the literal window class identifier is determined responsive to the determined rule. In another embodiment, the virtual window class identifier is stored in a mapping table associated with the window handle. In another embodiment, the virtual window class identifier replaces the determined literal window class identifier in the response.

In one aspect, the present invention relates to a method for associating a file type of a file with one or more programs. A request to store file type association information in a configuration store is received. The application to be associated with the file type in the configuration store is determined from the request. An association of the file type with a chooser tool is written to the configuration store.

In another aspect, the present invention relates to a method for invoking an application associated with a file type. A file is selected in order to invoke an application. The file is associated with a file type. In response to the selection of the file, a reference to a chooser tool associated with the file type is obtained from a configuration store. The configuration store includes file type association information. The chooser tool is invoked in response to the selection of the file, and the chooser tool displays a list of one or more applications for accessing the selected file.

In another aspect, the present invention relates to a system for invoking a program associated with a file type. A redirector obtains a request to store file type association information in a configuration store and determines from the request the file type to be associated with an application in the configuration store. A chooser tool is configured to provide a selection of one or more applications to invoke for accessing a file associated with the file type. The redirector writes to the configuration store to associate the file type with the chooser tool.

Brief Description of the Drawings

The invention is pointed out with particularity in the appended claims. The advantages of the invention described above, as well as further advantages of the invention, may be better understood by reference to the following description taken in conjunction with the accompanying drawings, in which:

FIG. 1A is a block diagram of a prior art operating system environment supporting execution of two application programs on behalf of a user;

FIG. 1B is a block diagram of a prior art operating system environment supporting concurrent execution of multiple applications on behalf of several users;

FIG. 2A is a block diagram of one embodiment of a computer system in which application compatibility and sociability problems have been reduced;

FIG. 2B is a diagram of one embodiment of a computer system in which application compatibility and sociability problems have been reduced;

FIG. 2C is a flowchart showing one embodiment of steps taken to associate a process with an isolation scope;

FIG. 3A is a flowchart showing one embodiment of steps taken to virtualize access to native resources in a computer system;

FIG. 3B is a flowchart showing one embodiment of steps taken to identify a replacement instance in execute mode;

FIG. 3C is a flowchart depicting one embodiment of steps taken in install mode to identify a real resource when a request to open a native resource is received, the request indicating that the resource is being opened with the intention of modifying it;

FIG. 3D is a flowchart depicting one embodiment of steps taken in install mode to identify a real resource when a request to create a virtual resource is received;

FIG. 4 is a flowchart depicting one embodiment of steps taken to open an entry in a file system in the described virtualized environment;

FIG. 5 is a flowchart depicting one embodiment of steps taken to delete an entry from a file system in the described virtualized environment;

FIG. 6 is a flowchart depicting one embodiment of steps taken to enumerate entries in a file system in the described virtualized environment;

FIG. 7 is a flowchart depicting one embodiment of steps taken to create an entry in a file system in the described virtualized environment;

FIG. 7A is a flowchart depicting one embodiment of steps taken to assign unique short filenames after creating a new file;

FIG. 8 is a flowchart depicting one embodiment of steps taken to open a registry key in the described virtualized environment;

FIG. 9 is a flowchart depicting one embodiment of steps taken to delete a registry key in the described virtualized environment;

FIG. 10 is a flowchart depicting one embodiment of steps taken to enumerate subkeys of a key in a registry database in the described virtualized environment;

FIG. 11 is a flowchart depicting one embodiment of steps taken to create a registry key in the described virtualized environment;

FIG. 12 is a flowchart depicting one embodiment of steps taken to virtualize access to named objects;

FIG. 13 is a flowchart depicting one embodiment of steps taken to virtualize window names and window classes in the described environment;

FIG. 13A is a flowchart depicting one embodiment of steps taken to determine real window names and window class names;

FIG. 14 is a flowchart depicting one embodiment of steps taken to invoke an out-of-process COM server in the described virtualized environment;

FIG. 15 is a flowchart depicting one embodiment of steps taken to virtualize application invocation using file-type association; and

FIG. 16 is a flowchart depicting one embodiment of steps taken to move a process from a source isolation scope to a target isolation scope.

Index

1.0 General overview of the isolation environment
1.1 Application isolation
1.2 User isolation
1.3 Aggregate view of native resources
1.4 Association of processes with isolation scopes
1.4.1 Association of out-of-scope processes with isolation scopes
2.0 Virtualization mechanism overview
3.0 Installation into an isolation environment
4.0 Execution in an isolation environment
4.1 File system virtualization
4.1.1 File system open operations
4.1.2 File system delete operations
4.1.3 File system enumerate operations
4.1.4 File system create operations
4.1.5 Short filename management
4.2 Registry virtualization
4.2.1 Registry open operations
4.2.2 Registry delete operations
4.2.3 Registry enumerate operations
4.2.4 Registry create operations
4.3 Named object virtualization
4.4 Window name virtualization
4.5 Out-of-process COM server virtualization
4.6 Virtualized file-type association
4.7 Dynamic movement of processes between isolation environments

Detailed Description

1.0 General overview of the isolation environment

1.1 Application isolation

Referring now to FIG. 2A, one embodiment of a computer running under control of an operating system 100 is shown in which application compatibility and sociability problems have been reduced. The operating system 100 makes various native resources available to application programs 112, 114 via its system layer 108. The view of resources embodied by the system layer 108 will be referred to as the "system scope". In order to avoid conflicting access to the native resources 102, 104, 106, 107 by the application programs 112, 114, an isolation environment 200 is provided. As shown in FIG. 2A, the isolation environment 200 includes an application isolation layer 220 and a user isolation layer 240. Conceptually, the isolation environment 200 provides, via the application isolation layer 220, the application programs 112, 114 with a unique view of native resources such as the file system 102, the registry 104, objects 106, and window names 107. Each isolation layer modifies the view of native resources provided to an application. The modified view of native resources provided by a layer is referred to as that layer's "isolation scope". As shown in FIG. 2A, the application isolation layer includes two application isolation scopes 222, 224. Scope 222 represents the view of native resources provided to application 112, and scope 224 represents the view of native resources provided to application 114. Thus, in the embodiment shown in FIG. 2A, APP1 112 has a specific view of the file system 102', while APP2 114 has another view of the file system 102' that is specific to it. In some embodiments, the application isolation layer 220 provides a specific view of the native resources 102, 104, 106, 107 to each individual application program executing on top of the operating system 100. In other embodiments, the application programs 112, 114 may be grouped into sets, and in these embodiments the application isolation layer 220 provides a specific view of native resources for each set of application programs. Conflicting application programs may be placed into separate groups to enhance the compatibility and sociability of applications. In still further embodiments, the applications belonging to a set may be configured by an administrator. In some embodiments, a "passthrough" isolation scope can be defined which corresponds exactly to the system scope. In other words, applications executing within a passthrough isolation scope operate directly on the system scope.

In some embodiments, an application isolation scope is further divided into layered sub-scopes. The main sub-scope contains the base application isolation scope, and additional sub-scopes contain various modifications to this scope that may be visible to multiple executing instances of the application. For example, a sub-scope may contain modifications to the scope that embody a change in the patch level of the application, or the installation or removal of additional features. In some embodiments, the set of additional sub-scopes made visible to an instance of the executing application is configurable. In some embodiments, that set of visible sub-scopes is the same for all instances of the executing application, regardless of the user on whose behalf the application is executing. In other embodiments, the set of visible sub-scopes may vary for different users executing the application. In still other embodiments, various sets of sub-scopes are defined and the user may have a choice as to which set to use. In some embodiments, sub-scopes may be discarded when no longer needed. In some embodiments, the modifications contained in a set of sub-scopes may be merged together to form a single sub-scope.

1.2 User isolation

Referring now to FIG. 2B, a multi-user computer in which application compatibility and sociability problems have been reduced is depicted. The multi-user computer includes the native resources 102, 104, 106, 107 in the system layer 108, as well as the isolation environment 200 discussed immediately above. The application isolation layer 220 functions as discussed above, providing an application or group of applications with a modified view of native resources. The user isolation layer 240 conceptually provides an application program 112, 114 with a view of native resources that is further altered based on the identity of the user on whose behalf the application is executed. As shown in FIG. 2B, the user isolation layer 240 may be considered to comprise a number of user isolation scopes 242', 242”, 242, 242””, 242”, 242 (generically 242). A user isolation scope 242 provides a user-specific view of application-specific views of native resources. For example, APP1 112 executing in user session 110 on behalf of user "a" has a file system view 102'(a) that may be altered or modified by both the user isolation scope 242' and the application isolation scope 222.

Put another way, the user isolation layer 240 alters the view of native resources for each individual user by layering the user-specific view modification provided by a user isolation scope 242' "on top of" the application-specific view modification provided by an application isolation scope 222, which is in turn "layered on top of" the system-wide view of native resources provided by the system layer. For example, when the first instance of APP1 112 accesses an entry in the registry database 104, the view of the registry database specific to the first user session and the application, 104'(a), is consulted. If the requested registry key is found in the user-specific view of the registry 104'(a), that registry key is returned to APP1 112. If not, the view of the registry database specific to the application, 104', is consulted. If the requested registry key is found in the application-specific view of the registry 104', that registry key is returned to APP1 112. If not, the registry key stored in the registry database 104 in the system layer 108 (i.e. the native registry key) is returned to APP1 112.

In some embodiments, the user isolation layer 240 provides an isolation scope for each individual user. In other embodiments, the user isolation layer 240 provides an isolation scope for a group of users, which may be defined by roles within the organization or may be predetermined by an administrator. In still other embodiments, no user isolation layer 240 is provided. In these embodiments, the view of native resources seen by an application program is the one provided by the application isolation layer 220. The isolation environment 200, although described in relation to multi-user computers supporting concurrent execution of application programs by different users, may also be used on single-user computers to address application compatibility and sociability problems resulting from sequential execution of application programs on the same computer system by different users, as well as those problems resulting from installation and execution of incompatible programs by the same user.

In some embodiments, a user isolation scope is further divided into sub-scopes. The modification that the user isolation scope makes to the view presented to an application executing in that scope is the aggregate of the modifications contained within each sub-scope in the scope. The sub-scopes are layered on top of each other, and in the aggregate view modifications to a resource in a higher sub-scope override modifications to the same resource in lower layers.

In some of these embodiments, one or more of these sub-scopes may contain modifications to the view that are specific to the user. In some of these embodiments, one or more sub-scopes may contain modifications to the view that are specific to sets of users, which may be defined by the system administrator or defined as a group of users in the operating system. In some of these embodiments, one of these sub-scopes may contain modifications to the view that are specific to a particular logon session, and these modifications are therefore discarded when the session ends. In some of these embodiments, changes to native resources by application instances associated with the user isolation scope always affect one of these sub-scopes, and in other embodiments those changes may affect different sub-scopes depending on the particular resource changed.

1.3 Aggregate view of native resources

The conceptual architecture described above allows an application executing on behalf of a user to be presented with an aggregate, or unified, virtualized view of native resources that is specific to that combination of application and user. This aggregated view may be referred to as the "virtual scope". The application instance executing on behalf of a user is presented with a single view of native resources reflecting all operative virtualized instances of the native resources. Conceptually, this aggregated view consists firstly of the set of native resources provided by the operating system in the system scope, overlaid with the modifications embodied in the application isolation scope applicable to the executing application, further overlaid with the modifications embodied in the user isolation scope applicable to the application executing on behalf of the user. The native resources in the system scope are characterized by being common to all users and applications on the system, except where operating system permissions deny access to specific users or applications. The modifications to the resource view embodied in an application isolation scope are characterized as being common to all instances of applications associated with that application isolation scope. The modifications to the resource view embodied in the user isolation scope are characterized as being common to all applications associated with the applicable application isolation scope that are executing on behalf of the user associated with the user isolation scope.

This concept is extended to sub-scopes: the modifications to the resource view embodied in a user sub-scope are common to all applications associated with the applicable isolation sub-scope that are executing on behalf of a user, or group of users, associated with the user isolation sub-scope. Throughout this description it should be understood that whenever general reference is made to "scope", it is intended to also refer to sub-scopes, where those exist.

When an application requests enumeration of a native resource, such as a portion of the file system or registry database, a virtualized enumeration is constructed by first enumerating the "system-scoped" instance of the native resource, that is, the instance found in the system layer, if any. Next, the "application-scoped" instance of the requested resource, that is, the instance found in the appropriate application isolation scope, if any, is enumerated. Any enumerated resources encountered in the application isolation scope are added to the view. If the enumerated resource already exists in the view (because it was also present in the system scope), it is replaced with the instance of the resource encountered in the application isolation scope. Similarly, the "user-scoped" instance of the native resource, that is, the instance found in the appropriate user isolation scope, if any, is enumerated. Again, any enumerated resources encountered in the user isolation scope are added to the view. If the native resource already exists in the view (because it was also present in the system scope or in the appropriate user isolation scope), it is replaced with the instance of the resource encountered in the user isolation scope. In this manner, any enumeration of native resources properly reflects the virtualization of the enumerated native resources. Conceptually, the same approach applies to enumerating an isolation scope that comprises multiple sub-scopes. The individual sub-scopes are enumerated, with resources from higher sub-scopes replacing matching instances from lower sub-scopes in the aggregate view.

In other embodiments, enumeration may be performed from the user isolation scope down to the system layer, rather than in the reverse direction. In these embodiments, the user isolation scope is enumerated. Then the application isolation scope is enumerated, and any resource instances appearing in the application isolation scope that were not enumerated in the user isolation scope are added to the aggregate view under construction. A similar process can be repeated for resources appearing only in the system scope.

In still other embodiments, all isolation scopes may be enumerated simultaneously and the respective enumerations combined.

If an application attempts to open an existing instance of a native resource with no intent to modify that resource, the specific instance returned to the application is the one found in the virtual scope, or equivalently the instance that would appear in the virtualized enumeration of the parent of the requested resource. From the point of view of the isolation environment, the application is said to be requesting to open a "virtual resource", and the particular instance of the native resource used to satisfy that request is said to be the "real resource" corresponding to the requested resource.

If an application executing on behalf of a user attempts to open a resource and indicates that it is doing so with the intent to modify that resource, that application instance is normally given a private copy of that resource to modify, because resources in the application isolation scope and system scope are common to applications executing on behalf of other users. Typically a user-scoped copy of the resource is made, unless the user-scoped instance already exists. The definition of the aggregate view provided by a virtual scope means that the act of copying an application-scoped or system-scoped resource to a user isolation scope does not change the aggregate view provided by the virtual scope for the user and application in question, nor for any other user, nor for any other application instance. Subsequent modifications to the copied resource by the application instance executing on behalf of the user do not affect the aggregate view of any other application instance that does not share the same user isolation scope. In other words, those modifications do not change the aggregate view of native resources for other users, or for application instances not associated with the same application isolation scope.
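The layered lookup, the virtualized enumeration and the copy-on-modify behaviour of section 1.3 can be modelled in a few lines. This is an added example, not code from the patent; the class name `VirtualScope`, the use of dictionaries for scopes and the constructed registry keys under `HKLM\Software\Acme` are assumptions made for illustration.

```python
import copy

# Assumption: each scope is a dict mapping a resource name to its contents.
SCOPE_ORDER = ("user", "app", "system")  # highest layer first


class VirtualScope:
    """Aggregate view for one (application, user) pair."""

    def __init__(self, system, app_scope, user_scope):
        # system is shared by everyone, app_scope by every instance of the
        # application, user_scope only by processes of one user.
        self.layers = {"user": user_scope, "app": app_scope, "system": system}

    def resolve(self, name):
        """Open without intent to modify: the highest layer holding the name wins."""
        for label in SCOPE_ORDER:
            layer = self.layers[label]
            if name in layer:
                return label, layer[name]
        raise KeyError(name)

    def enumerate(self, parent):
        """Build the view system-first; higher layers replace matching entries."""
        view = {}
        for label in reversed(SCOPE_ORDER):
            for name, value in self.layers[label].items():
                if name.startswith(parent + "\\"):
                    view[name] = value
        return view

    def open_for_modify(self, name):
        """Open with intent to modify: hand out a user-scoped private copy."""
        user = self.layers["user"]
        if name not in user:                  # reuse an existing user-scoped instance
            _, value = self.resolve(name)
            user[name] = copy.deepcopy(value)  # never alias the shared instance
        return user[name]


def demo():
    parent = r"HKLM\Software\Acme"            # constructed sample data
    system = {parent + r"\InstallDir": {"data": r"C:\Acme"},
              parent + r"\Version": {"data": "1.0"}}
    app_scope = {parent + r"\Version": {"data": "1.1-patched"}}
    user_a, user_b = {}, {}
    view_a = VirtualScope(system, app_scope, user_a)
    view_b = VirtualScope(system, app_scope, user_b)

    before = view_a.enumerate(parent)
    key = view_a.open_for_modify(parent + r"\Version")
    unchanged_by_copy = view_a.enumerate(parent) == before
    key["data"] = "2.0-user-a"                # modification lands in user a's scope only
    return {
        "unchanged_by_copy": unchanged_by_copy,
        "a": view_a.resolve(parent + r"\Version"),
        "b": view_b.resolve(parent + r"\Version"),
        "app": app_scope[parent + r"\Version"]["data"],
    }


if __name__ == "__main__":
    print(demo())
```

The deep copy is the isolation boundary in this model: returning the application-scoped object itself would let one user's write reach every other user of the application.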

1.4 Association of processes with isolation scopes

Applications may be installed into a particular isolation scope (described in detail below). Applications that are installed into an isolation scope are always associated with that scope. Alternatively, applications may be launched into a particular isolation scope, or into a number of isolation scopes. In effect, an application is launched and associated with one or more isolation scopes. The associated isolation scope, or scopes, provide the process with a particular view of native resources. Applications may also be launched into the system scope, that is, they may be associated with no isolation scope. This allows for the selective execution of operating system applications, such as Internet Explorer, as well as third-party applications, within an isolation environment.

This ability to launch applications within an isolation scope regardless of where the application is installed mitigates application compatibility and sociability problems without requiring a separate installation of the application within the isolation scope. The ability to selectively launch installed applications in different isolation scopes makes it possible for applications that need helper applications (such as Word, Notepad, etc.) to have those helper applications launched with the same rule sets.

Further, the ability to launch an application within multiple isolation environments allows for better integration between isolated applications and common applications.

Referring now to FIG. 2C, and in brief overview, a method for associating a process with an isolation scope includes the step of launching the process in a suspended state (step 282). The rules associated with the desired isolation scope are retrieved (step 284), an identifier for the process and the retrieved rules are stored in a memory element (step 286), and the suspended process is resumed (step 288). Subsequent calls made by the process to access native resources are intercepted or hooked (step 290), and the rules associated with the process identifier, if any, are used to virtualize access to the requested resource (step 292).

Still referring to FIG. 2C, and in more detail, a process is launched in a suspended state (step 282). In some embodiments, a custom launcher program is used to accomplish this task. In some of these embodiments, the launcher is specifically designed to launch a process into a selected isolation scope. In other embodiments, the launcher accepts a specification of the desired isolation scope as input, for example through a command line option.

The rules associated with the desired isolation scope are retrieved (step 284). In some embodiments, the rules are retrieved from a persistent storage element, such as a hard disk drive or other solid state memory element. The rules may be stored as a relational database, flat file database, tree-structured database, binary tree structure, or other persistent data structure. In other embodiments, the rules may be stored in a data structure specifically configured to store them.

An identifier for the process, such as a process id (PID), and the retrieved rules are stored in a memory element (step 286). In some embodiments, a kernel mode driver is provided that receives operating system messages concerning new process creation. In these embodiments, the PID and the retrieved rules may be stored in the context of the driver. In other embodiments, a file system filter driver, or mini-filter, is provided that intercepts native resource requests. In these embodiments, the PID and the retrieved rules may be stored in the filter. In still other embodiments, all interception is performed by user-mode hooking and no PID is stored at all. The rules are loaded by the user-mode hooking apparatus during process initialization, and no other component needs to know the rules that apply to the PID, because the rule association is performed entirely in-process.

The suspended process is resumed (step 288), subsequent calls made by the process to access native resources are intercepted or hooked (step 290), and the rules associated with the process identifier, if any, are used to virtualize access to the requested resource (step 292). In some embodiments, a file system filter driver, or mini-filter, intercepts requests to access native resources and determines whether the process identifier associated with the intercepted request has been associated with a set of rules. If so, the rules associated with the stored process identifier may be used to virtualize the request to access native resources. If not, the request to access native resources is passed through unmodified. In other embodiments, a dynamically linked library is loaded into the newly created process and the library loads the isolation rules. In still other embodiments, both kernel mode techniques (hooking, filter driver, mini-filter) and user-mode techniques are used to intercept calls to access native resources. For embodiments in which a file system filter driver stores the rules, the library may load the rules from the file system filter driver.

Processes that are "children" of processes associated with an isolation scope are associated with the isolation scopes of their "parent" processes. In some embodiments, this is accomplished by a kernel-mode driver notifying the file system filter driver when a child process is created. In these embodiments, the file system filter driver determines whether the process identifier of the parent process is associated with an isolation scope. If so, the file system filter driver stores an association between the process identifier of the newly created child process and the isolation scope of the parent process. In other embodiments, the file system filter driver can be called directly from the system without use of a kernel-mode driver. In other embodiments, in processes that are associated with isolation scopes, the operating system functions that create new processes are hooked or intercepted. When a request to create a new process is received from such a process, the association between the new child process and the isolation scope of the parent is stored.

In some embodiments, a scope or sub-scope may be associated with an individual thread instead of an entire process, allowing isolation to be performed on a per-thread basis. In some embodiments, per-thread isolation may be used for Services and COM+ servers.

1.4.1 Associating Out-of-Scope Processes with Isolation Scopes

Another aspect of the invention is the ability to associate any application instance with any application isolation scope, regardless of whether the application was installed into that application isolation scope, into another application isolation scope, or into no application isolation scope. Applications that were not installed into a particular application scope can nevertheless be executed on behalf of a user in the context of an application isolation scope and the corresponding user isolation scope, because their native resources are available to them via the aggregated virtual scope formed by the user isolation scope, the application isolation scope and the system scope. Where it is desired to run an application in an isolation scope, this gives applications installed directly into the system scope the ability to run within the isolation scope without requiring a separate installation of the application within the isolation scope. This also gives applications installed directly into the system scope the ability to be used as helper applications in the context of any isolation scope.

Each application instance, including all of the processes that make up the executing application, is associated with either zero or one application isolation scopes, and by extension with exactly zero or one corresponding user isolation scopes. This association is used by the rules engine when determining which rule, if any, to apply to a resource request. The association does not have to be to the application isolation scope that the application was installed into, if any. Many applications that are installed into an isolation scope will not function correctly when running in a different isolation scope or in no isolation scope, because they cannot find necessary native resources. However, because an isolation scope is an aggregation of resource views that includes the system scope, an application installed in the system scope can generally function correctly inside any application isolation scope. This means that helper programs, as well as out-of-process COM servers, can be invoked and executed by an application executing on behalf of a user in a particular isolation scope.

In some embodiments, applications that are installed in the system scope are executed in an isolation scope in order to identify what changes are made to the computer's files and configuration settings as a result of this execution. Because all affected files and configuration settings are isolated in the user isolation scope, these files and configuration settings are easily identifiable. In some of these embodiments, this is used to report on the changes made to the files and configuration settings by the application. In some embodiments, the files and configuration settings are deleted at the end of the application execution, which effectively ensures that no changes to the computer's files and configuration settings are stored as a result of application execution. In still other embodiments, the files and configuration settings are selectively deleted or not deleted at the end of the application execution, which effectively ensures that only some changes to the computer's files and configuration settings are stored as a result of application execution.

2.0 Virtualization Mechanism Overview

Referring now to FIG. 3A, one embodiment of the steps taken to virtualize access to native resources in execution mode, which is distinguished from the installation mode described below, is shown. In brief overview, a request to access a native resource is intercepted and received (step 302). The request identifies the native resource to which access is sought. The applicable rule regarding how to treat the received access request is determined (step 304). If the rule indicates that the request should be ignored, the access request is passed without modification to the system layer (step 306) and the result is returned to the requestor (step 310). If the rule indicates that the access request should be redirected or isolated, the real instance of the resource that satisfies the request is identified (step 308), a modified or replacement request for the real resource is passed to the system layer (step 306), and the result is returned to the requestor (step 310).

Still referring to FIG. 3, and in more detail, a request identifying a native resource is intercepted or received (step 302). In some embodiments, requests for native resources are intercepted by "hooking" functions provided by the operating system for applications to make native resource requests. In particular embodiments, this is implemented as a dynamically linked library (DLL) that is loaded into the address space of every new process created by the operating system and that performs the hooking during its initialization routine. Loading a DLL into every process may be achieved via a facility provided by the operating system, or alternatively by modifying the executable image's list of DLLs to import, either in the disk file or in memory as the executable image for the process is loaded from disk. In other embodiments, function hooking is performed by a service, driver or daemon. In other embodiments, executable images provided by the operating system, including shared libraries and executable files, may be modified or patched in order to provide function hooks or to directly embody the logic of the invention. For embodiments in which the operating system is a member of the Microsoft WINDOWS family of operating systems, interception may be performed by a kernel-mode driver hooking the System Service Dispatch Table. In still other embodiments, the operating system may provide a facility allowing third parties to hook functions that request access to native resources. In some of these embodiments, the operating system may provide this facility via an application programming interface (API) or a debug facility.

In other embodiments, the native resource request is intercepted by a filter in the driver stack or handler stack associated with the native resource. For example, some members of the Microsoft WINDOWS family of operating systems provide the ability to plug a third-party filter driver or mini-filter into the file system driver stack, and a file system filter driver or mini-filter may be used to provide the isolation functions described below. In still other embodiments, the invention comprises a file system implementation that directly incorporates the logic of the invention. Alternatively, the operating system may be rewritten to directly provide the functions described below. In some embodiments, a combination of some or all of the methods listed above for intercepting or receiving requests for resources may be used simultaneously.

In many embodiments, only requests to open an existing native resource or create a new native resource are hooked or intercepted. In these embodiments, the initial access to a native resource is the access that causes the resource to be virtualized. After the initial access, the requesting application program is able to communicate with the operating system concerning the virtualized resource using a handle, pointer or other identifier provided by the operating system that directly identifies the real resource. In other embodiments, other types of requests to operate on a virtualized native resource are also hooked or intercepted. In some of these embodiments, requests by the application to open or create virtual resources return virtual handles that do not directly identify the real resource, and the isolation environment is responsible for translating subsequent requests against virtual handles to the corresponding real resource. In some of those embodiments, additional virtualization operations can be deferred until proven necessary. For example, the operation of providing a private modifiable copy of a resource to an isolation scope can be deferred until a request to change the resource is made, rather than being performed when the resource is opened in a mode that allows subsequent modification.

Once the native resource request is intercepted or received, the applicable rule determining how to treat the particular request is determined (step 304). The most applicable rule may be determined by reference to a rules engine, a database of rules, or a flat file containing rules organized using an appropriate data structure such as a list or a tree structure. In some embodiments, rules are accorded a priority that determines which rule is regarded as most applicable when two or more rules apply. In some of these embodiments, rule priority is included in the rules themselves or, alternatively, rule priority may be embedded in the data structure used to store the rules; for example, rule priority may be indicated by a rule's position in a tree structure. The determined rule may include additional information regarding how to process the virtualized resource request, such as the real resource to which the request is to be redirected. In a particular embodiment, a rule is a triple comprising a filter field, an action field and a data field. In this embodiment, the filter field includes the filter used to match received native resource requests to determine whether the rule is valid for the requested resource name. The action field can be "ignore", "redirect" or "isolate". The data field may be any additional information concerning the action to be taken when the rule is valid, including the function to be used when the rule is valid.

A rule action of "ignore" means that the request directly operates on the requested native resource in the system scope. That is, the request is passed unaltered to the system layer 108 (step 306) and the request is fulfilled as if no isolation environment 200 existed. In this case, the isolation environment is said to have a "hole", or the request may be referred to as a "pass through" request.

If the rule action indicates that the native resource request should be redirected or isolated, then the real resource that satisfies the request is identified (step 308).

A rule action of "redirect" means that the request directly operates on a system-scoped native resource, albeit a different resource than the one specified in the request. The real resource is identified by applying a mapping function, specified or implied by the data field of the determined rule, to the name of the requested native resource. In the most general case, the real native resource may be located anywhere in the system scope. As a simple example, the rule {prefix_match("c:\temp\", resource name), redirect, replace_prefix("c:\temp\", "d:\wutemp\", resource name)} will redirect a requested access to the file c:\temp\examples\d1.txt to the real file d:\wutemp\\examples\d1.txt. The mapping function included in the data field of the rule, and the matching function, may be further generalized to support complex behaviors by, for example, using regular expressions. Some embodiments may provide the ability to specify mapping functions that locate the real resource within the user isolation scope or a sub-scope applicable to the application executing on behalf of the user, or within the application isolation scope or a sub-scope applicable to the application. Further embodiments may provide the ability to specify mapping functions that locate the real resource within an application isolation scope applicable to a different application, in order to provide a controlled form of interaction between isolated applications. In some particular embodiments, the "redirect" action can be configured to provide behavior equivalent to the "ignore" rule action. In these embodiments, the real resource is exactly the requested native resource. When this condition is configured, the isolation environment may be said to have a "hole", or the request may be referred to as a "pass through" request.

A rule action of "isolate" means that the request operates on a real resource that is identified using the appropriate user isolation scope and application isolation scope. That is, the identifier for the real resource is determined by modifying the identifier for the requested native resource using the user isolation scope, the application isolation scope, both scopes, or neither scope. The particular real resource identified depends on the type of access requested and on whether instances of the requested native resource already exist in the applicable user isolation scope, the applicable application isolation scope and the system scope.
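The rule triple and the three actions described above can be modelled in a few lines. This is an added example, not code from the patent or from any product: only `prefix_match`, `replace_prefix` and the `c:\temp\` to `d:\wutemp\` rule come from the text, while `regex_match`, the priority values, the other two rules, the name normalization and the pass-through default for unmatched names are assumptions of the sketch.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Optional

IGNORE, REDIRECT, ISOLATE = "ignore", "redirect", "isolate"


def prefix_match(prefix):
    """Filter: the resource name starts with prefix (Windows names are case-insensitive)."""
    prefix = prefix.lower()
    return lambda name: name.lower().startswith(prefix)


def regex_match(pattern):
    """Filter generalised to a regular expression over the whole name."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda name: rx.fullmatch(name) is not None


def replace_prefix(old, new):
    """Mapping function for the data field of a redirect rule."""
    return lambda name: new + name[len(old):]


@dataclass(frozen=True)
class Rule:
    filter: Callable[[str], bool]                 # does the rule apply to this name?
    action: str                                   # IGNORE, REDIRECT or ISOLATE
    data: Optional[Callable[[str], str]] = None   # mapping function, used by REDIRECT
    priority: int = 0                             # higher wins when several rules match


class RulesEngine:
    def __init__(self, rules):
        # sorted() is stable, so equal priorities keep their listed order
        self.rules = sorted(rules, key=lambda r: -r.priority)

    def resolve(self, requested):
        """Return (action, name): the name handed to the system layer for IGNORE
        and REDIRECT, or the name to look up through the scopes for ISOLATE."""
        # Normalise first so "..", "/" and doubled separators cannot make a
        # name look as if it were inside (or outside) a filtered prefix.
        name = ntpath.normpath(requested)
        for rule in self.rules:
            if rule.filter(name):
                if rule.action == REDIRECT:
                    return REDIRECT, rule.data(name)
                return rule.action, name
        return IGNORE, name  # assumption of this sketch: unmatched names pass through


def demo_engine():
    """Constructed rule set; only the first rule is the page's own example."""
    return RulesEngine([
        Rule(prefix_match("c:\\temp\\"), REDIRECT,
             replace_prefix("c:\\temp\\", "d:\\wutemp\\"), priority=10),
        Rule(prefix_match("c:\\temp\\keep\\"), IGNORE, priority=20),
        Rule(regex_match(r"c:\\users\\[^\\]+\\appdata\\.*"), ISOLATE, priority=10),
    ])
```

The higher-priority "ignore" rule punches a pass-through hole inside the redirected prefix, which is the case the priority field exists to settle.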

FIG. 3B depicts one embodiment of the steps taken to identify the real resource (step 306 in FIG. 3A) when a request to open a native resource is received that indicates the resource is being opened with the intention of modifying it. Briefly, a determination is made whether the user-scoped instance of the requested native resource, that is, an instance that exists in an applicable user scope or user sub-scope, exists (step 354). If so, the user-scoped instance is identified as the real resource for the request (step 372), and that instance is opened and returned to the requestor. If the user-scoped instance does not exist, a determination is made whether the application-scoped instance of the requested native resource exists (step 356). If the application-scoped instance exists, it is identified as the "candidate" resource instance (step 359), and permission data associated with the candidate instance is checked to determine whether modification of that instance is allowed (step 362). If no application-scoped instance exists, a determination is made whether the system-scoped instance of the requested native resource exists (step 358). If it does not, an error condition is returned to the requestor indicating that the requested virtualized resource does not exist in the virtual scope (step 360). However, if the system-scoped resource exists, it is identified as the candidate resource instance (step 361), and permission data associated with the candidate instance is checked to determine whether modification of that instance is allowed (step 362). If not, an error condition is returned to the requestor (step 364) indicating that modification of the virtualized resource is not allowed. If the permission data indicates that the candidate resource may be modified, a user-scoped copy of the candidate instance of the native resource is made (step 370), the user-scoped instance is identified as the real instance for the request (step 372), and it is opened and returned to the requestor.

Still referring to FIG. 3B, and in more detail, a determination is made whether the user-scoped resource exists, or in other words, whether the requested resource exists in the applicable user scope or sub-scope (step 354). The applicable user scope or sub-scope is the scope associated with the user that is layered on top of the application isolation scope associated with the application making the request. The user isolation scope or sub-scope, in the file system case, may be a directory under which all files that exist in the user isolation scope are stored. In some of these embodiments, the directory tree structure under the user isolation directory reflects the path of the requested resource. For example, if the requested file is c\temp\test.txt and the user isolation scope directory is d:\user1\app1\, then the path to the user-scoped real file may be d:\user1\app1\c\temp\test.txt. In other embodiments, the path to the user-scoped real file may be defined in a native naming convention. For example, the path to the user-scoped real file may be d:\user1\app1\device\hardisk1\temp\test.txt. In still other embodiments, the user-scoped files may all be stored under a single directory with names chosen to be unique, and a database may be used to store the mapping between the requested file name and the name of the corresponding real file stored in the directory. In still other embodiments, the contents of the real files may be stored in a database. In still other embodiments, the native file system provides a facility for a single file to contain multiple independent named "streams", and the contents of the user-scoped files are stored as additional streams of the associated files in the system scope. Alternatively, the real files may be stored in a client file system that is designed to optimize disk usage or other criteria of interest.

If the user-scoped resource instance does not exist, then a determination is made whether the application-scoped resource exists, or in other words, whether the requested resource exists in the application isolation scope (step 356). The methods described above are used to make this determination. For example, if the requested file is c\temp\test.txt and the application isolation scope directory is e:\app1\, then the path to the application-scoped file may be e:\app1\c\temp\test.txt. As above, the path to the application-scoped file may be stored in a native naming convention. The embodiments described above may also apply to the application isolation scope.

If the application-scoped resource does not exist, then a determination is made whether the system-scoped resource exists, or in other words, whether the requested resource exists in the system scope (step 358). For example, if the requested file is c\temp\test.txt, then the path to the system-scoped file is c\temp\test.txt. If the requested resource does not exist in the system scope, an indication that the requested resource does not exist in the virtual scope is returned to the requestor (step 360).

Whether the candidate resource instance for the requested resource is located in the application isolation scope or in the system scope, a determination is made whether modification of the candidate resource instance is allowed (step 362). For example, the candidate native resource instance may have associated native permission data indicating that the user is not allowed to modify the candidate instance. Further, the rules engine may include configuration settings instructing the isolation environment to obey or override the native permission data for virtualized copies of resources. In some embodiments, the rules may specify for some virtual resources the scope in which modifications are to occur, for example the system scope, the application isolation scope or a sub-scope, or the user isolation scope or a sub-scope. In some embodiments, the rules engine may specify configuration settings that apply to subsets of the virtualized native resources based on hierarchy or on the type of resource accessed. In some of these embodiments, the configuration settings may be specific to each atomic native resource. In another example, the rules engine may include configuration data that prohibits or allows modification of certain classes of files, such as executable code, or MIME types or file types as defined by the operating system.

If the determination in step 362 is that modification of the candidate resource instance is not allowed, then an error condition is returned to the requestor indicating that write access to the virtual resource is not allowed (step 364). If the determination in step 362 is that modification of the candidate resource instance is allowed, then the candidate instance is copied to the appropriate user isolation scope or sub-scope (step 370). For embodiments in which the logical hierarchy structure of the requested native resource is not maintained in the isolation scope, copying the candidate instance of the resource to the user isolation scope may require the creation of hierarchy placeholders in the user isolation scope. A hierarchy placeholder is a node that is placed in the hierarchy to correctly locate the copied resource in the isolation scope. A hierarchy placeholder stores no data, is identified as a placeholder node, and "does not exist" in the sense that it cannot be the real resource returned to a requestor. In some embodiments, a node is identified as a placeholder node by recording the fact in metadata attached to the node, to the parent of the node, or to some other related entity in the system layer. In other embodiments, a separate repository of placeholder node names is maintained.

In some embodiments, the rules may specify that modifications to particular resources may be made at a particular scope, such as the application isolation scope. In those cases, the copy operation in step 370 is expanded to determine whether modification of the candidate resource instance is allowed at the scope or sub-scope in which it is found. If not, the candidate resource instance is copied to the scope or sub-scope in which modification is allowed, which is not always the user isolation scope, and the new copy is identified as the real resource instance (step 372). If so, the candidate resource instance is identified as the real instance (step 372), and it is opened and the result returned to the requestor (step 306).

Referring back to FIG. 3A, the real resource instance, whether located in step 354 or created in step 370, is opened (step 306) and returned to the requestor (step 310). In some embodiments, this is accomplished by issuing an "open" command to the operating system and returning to the requestor the response from the operating system to the "open" command.

If an application executing on behalf of a user deletes a native resource, the aggregated view of native resources presented to that application as the virtual scope must reflect the deletion. A request to delete a resource is a request for a special type of modification, albeit one that modifies the resource by removing its existence entirely. Conceptually, a request to delete a resource proceeds in a manner similar to that depicted in FIG. 3A, including the determination of the real resource as depicted in FIG. 3B. However, step 306 operates differently for isolated resources and for redirected or ignored resources. For redirect and ignore, the real resource is deleted from the system scope. For isolate, the real resource is "virtually" deleted, or in other words, the fact that it has been deleted is recorded in the user isolation scope. A deleted node contains no data, is identified as deleted, and it and all of its descendants "do not exist". In other words, if it is the resource, or an ancestor of the resource, that would satisfy a resource request, a "resource not found" error is returned to the requestor. Further details are described in Section 4. In some embodiments, a node is identified as a deleted node by recording the fact in metadata attached to the node, to the parent of the node, or to some other related entity in the system layer. In other embodiments, a separate repository of deleted node names is maintained, for example in a separate sub-scope.

3.0 Installation into an Isolation Environment

The application isolation scope described above can be considered as the scope in which associated application instances share resources independently of any user, or equivalently on behalf of all possible users, including the resources that those application instances create. The main class of such resources is the set created when an application is installed onto the operating system. As shown in FIG. 1A, two incompatible applications cannot both be installed into the same system scope, but this problem can be resolved by installing at least one of those applications into an isolation environment.

An isolation scope, or an application instance associated with an isolation scope, can be operated in an "install mode" to support installation of an application. This is in contrast to the "execution mode" described below in connection with FIGS. 4-16. In install mode, the application installation program is associated with an application isolation scope and is presumed to be executing on behalf of all users. The application isolation scope acts, for that application instance, as if it were the user isolation scope for "all users", and no user isolation scope is active for that application instance.

Figure 3C depicts one embodiment of the steps taken in install mode to identify the real resource when a request to open a native resource is received that indicates the resource is being opened with the intention of modifying it. Briefly, because no user isolation scope is active, it is first determined whether an application-scoped instance of the requested native resource exists (step 374). If the application-scoped instance exists, it is identified as the real resource instance (step 384). If no application-scoped instance exists, it is determined whether a system-scoped instance of the requested native resource exists (step 376). If it does not, an error condition is returned to the requestor indicating that the requested virtualized resource does not exist in the virtual scope (step 377). However, if the system-scoped resource exists, it is identified as the candidate resource instance (step 378), and the permission data associated with the candidate instance is checked to determine whether modification of that instance is allowed (step 380). If not, an error condition is returned to the requestor (step 381) indicating that modification of the virtualized resource is not allowed. If the permission data indicates that the candidate resource may be modified, then, because no user isolation scope is active, an application-scoped copy of the candidate instance of the native resource is made (step 382), and the application-scoped instance is identified as the real instance for the request (step 384).
In some embodiments, the candidate file may be copied to a location defined by the rules engine. For example, a rule may specify that the file is copied to an application isolation scope. In other embodiments, the rules may specify a particular application isolation sub-scope or user isolation sub-scope to which the file should be copied. Any ancestors of the requested file that do not appear in the isolation scope to which the file is copied are created as placeholders in that isolation scope, so that the copied instance is correctly located in the hierarchy.

Figure 3D shows one embodiment of the steps taken in install mode to identify the real resource when a request to create a native resource is received. Briefly, because no isolation scope is active, it is first determined whether an application-scoped instance of the requested native resource exists (step 390). If the application-scoped instance exists, an error condition is returned to the requestor indicating that the resource cannot be created because it already exists (step 392). If no application-scoped instance exists, it is determined whether a system-scoped instance of the requested native resource exists (step 394). If the system-scoped instance exists, an error condition is returned to the requestor indicating that the resource cannot be created because it already exists (step 392). In some embodiments, the request used to open the resource may specify that any existing system-scoped instance of the resource may be overwritten. If the system-scoped resource instance does not exist, the application-scoped resource instance is identified as the real instance that will be created to fulfill the request (step 396).

By comparing Figure 3B with Figures 3C and 3D, it can be seen that install mode operates in a manner similar to execute mode, with the application isolation scope taking the place of the user isolation scope. In other words, modifications to persistent resources, including the creation of new resources, take place in the appropriate application isolation scope instead of the appropriate user isolation scope. In addition, virtualization of access to existing isolated resources also ignores the appropriate user isolation scope and begins the search for a candidate real resource in the application isolation scope.

There are two other cases in which the application isolation scope operates in this manner to contain modifications to existing resources and the creation of new resources. First, there may be an isolation environment configured to operate without a user isolation layer, or a virtual scope configured to operate without a user isolation scope. In this case, the application isolation scope is the only isolation scope that can isolate modified and newly created resources. Second, the rules governing a particular set of virtual resources may specify that they are to be isolated into the appropriate application isolation scope rather than into the appropriate user isolation scope. This means that modifications to, and creations of, resources subject to that rule are isolated into the appropriate application isolation scope, where they are visible to all application instances sharing that scope, rather than into the user isolation scope, where they are visible only to the user executing those application instances.

In still other embodiments, an isolation environment may be configured to allow certain resources to be shared in the system scope; that is, the isolation environment may act, for one or more system resources, as if no user isolation scope and no application isolation scope existed. System resources shared in the system scope are never copied when accessed with the intention of modifying them, because they are shared by all applications and all users; that is, they are global objects.

4.0 Detailed virtualization examples

The methods and apparatus described above can be used to virtualize a wide variety of native resources 108. A number of these are described in detail below.

4.1 File system virtualization

The methods and apparatus described above can be used to virtualize access to a file system. As described above, a file system is commonly organized as a logical hierarchy of directories, which are themselves files and which may contain other directories and data files.

4.1.1 File system open operations

In overview, Figure 4 depicts one embodiment of the steps taken to open a file in the virtualized environment described above. A request to open a file is received or intercepted (step 402). The request contains a file name, which the isolation environment treats as a virtual file name. The processing rule applicable to the target of the file system open request is determined (step 404). If the rule action is "redirect" (step 406), the virtual file name provided in the request is mapped to a real file name according to the applicable rule (step 408). A request to open the real file using the real file name is passed to the operating system, and the result from the operating system is returned to the requestor (step 410). If instead the rule action is "ignore" (step 406), the real file name is determined to be exactly the virtual file name (step 412), and the request to open the real file is passed to the operating system and the result from the operating system is returned to the requestor (step 410). If in step 406 the rule action is "isolate", the file name in the user isolation scope that corresponds to the virtual file name is identified as the candidate file name (step 414). In other words, the candidate file name is formed by mapping the virtual file name to the corresponding native file name specific to the applicable user isolation scope.
The category of existence of the candidate file is determined by examining the user isolation scope and any metadata associated with the candidate file (step 416). If the candidate file is determined to have "negative existence", because either the candidate file or one of its ancestor directories in the user isolation scope is marked as deleted, the requested virtual file is considered not to exist. In this case, an error condition indicating that the requested file was not found is returned to the requestor (step 422). If instead in step 416 the candidate file is determined to have "positive existence", because the candidate file exists in the user isolation scope and is not marked as a placeholder node, the requested virtual file is considered to exist. The candidate file is identified as the real file for the request (step 418), and a request to open the real file is issued and the result returned to the requestor (step 420). If, however, in step 416 the candidate file has "neutral existence", because the candidate file does not exist, or because it exists but is marked as a placeholder node, it is not yet known whether the virtual file exists. In this case, the application-scoped file name corresponding to the virtual file name is identified as the candidate file name (step 424). In other words, the candidate file name is formed by mapping the virtual file name to the corresponding native file name specific to the applicable application isolation scope.
The category of existence of the candidate file is determined by examining the application isolation scope and any metadata associated with the candidate file (step 426). If the candidate file is determined to have "negative existence", because either the candidate file or one of its ancestor directories in the application isolation scope is marked as deleted, the requested virtual file is considered not to exist. In this case, an error condition indicating that the requested file was not found is returned to the requestor (step 422). If instead in step 426 the candidate file is determined to have "positive existence", because the candidate file exists in the application isolation scope and is not marked as a placeholder node, the requested virtual file is considered to exist. The request is checked to determine whether the open request indicates an intention to modify the file (step 428). If not, the candidate file is identified as the real file for the request (step 418), and a request to open the real file is issued and the result returned to the requestor (step 420). If, however, in step 428 it is determined that the open request indicates an intention to modify the file, the permission data associated with the file is checked to determine whether modification of the file is allowed (step 436). If not, an error condition is returned to the requestor (step 438) indicating that modification of the file is not allowed. If the permission data indicates that the file may be modified, the candidate file is copied to the user isolation scope (step 440).
In some embodiments, the candidate file is copied to a location defined by the rules engine. For example, a rule may specify that the file is copied to an application isolation scope. In other embodiments, the rules may specify a particular application isolation sub-scope or user isolation sub-scope to which the file should be copied. Any ancestors of the requested file that do not appear in the isolation scope to which the file is copied are created as placeholders in that isolation scope, so that the copied instance is correctly located in the hierarchy. The scoped instance is identified as the real file (step 442), and a request to open the real file is issued and the result returned to the requestor (step 420). Returning to step 426, if the candidate file has neutral existence, because the candidate file does not exist, or because it is found but marked as a placeholder node, it is not yet known whether the virtual file exists. In this case, the system-scoped file name corresponding to the virtual file name is identified as the candidate file name (step 430). In other words, the candidate file name is exactly the virtual file name. If the candidate file does not exist (step 432), an error condition indicating that the virtual file was not found is returned to the requestor (step 434). If, on the other hand, the candidate file exists (step 432), the request is checked to determine whether the open request indicates an intention to modify the file (step 428).
If not, the candidate file is identified as the real file for the request (step 418), and a request to open the real file is issued and the result returned to the requestor (step 420). If, however, in step 428 it is determined that the open request indicates an intention to modify the file, the permission data associated with the file is checked to determine whether modification of the file is allowed (step 436). If not, an error condition is returned to the requestor (step 438) indicating that modification of the file is not allowed. If the permission data indicates that the file may be modified, the candidate file is copied to the user isolation scope (step 440). In some embodiments, the candidate file is copied to a location defined by the user engine. For example, a rule may specify that the file is copied to an application isolation scope. In other embodiments, the rules may specify a particular application isolation sub-scope or user isolation sub-scope to which the file should be copied. Any ancestors of the requested file that do not appear in the isolation scope are created as placeholders in that isolation scope, so that the copied instance is correctly located in the hierarchy. The scoped instance is identified as the real file (step 442), and a request to open the real file is issued and the result returned to the requestor (step 420).

This embodiment can be modified slightly to perform a check for the existence of a file rather than opening it. The opening of the real file in step 420 is replaced with a check for the existence of the real file, and that status is returned to the requestor.

Still referring to Figure 4, and now in more detail, a request to open a virtual file is received or intercepted (step 402). The corresponding real file may belong to the user isolation scope, the application isolation scope or the system scope, or it may be scoped to an application isolation sub-scope or a user isolation sub-scope. In some embodiments, the request is hooked by a function that replaces the operating system function or functions for opening a file. In another embodiment, a hooking dynamic link library is used to intercept the request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for native files. For embodiments in which a separate operating system function is provided for each type of file operation, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of file operations.

The request contains a file name, which the isolation environment treats as a virtual file name. The processing rule applicable to the file system open request is determined by consulting the rules engine (step 404). In some embodiments, the processing rule applicable to the open request is determined using the virtual name included in the open request. In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat file database. In some embodiments, the virtual file name provided for the requested file is used as an index to locate in the rules engine one or more rules that apply to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular file, and in these embodiments the rule having the longest prefix match with the virtual file name is the rule applied to the request. In other embodiments, a process identifier is used to locate in the rules engine a rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. Although shown in Figure 4 as a single database transaction or a single lookup in a file, the rule lookup may be performed as a series of rule lookups.

If the rule action is "redirect" (step 406), the virtual file name provided in the request is mapped to a real file name according to the applicable rule (step 408). A request to open the real file identified by the real file name is passed to the operating system, and the result from the operating system is returned to the requestor (step 410). For example, a request to open a file named "file_1" may result in the opening of a real file named "Different_file_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real file name to it as an argument. For embodiments using a file system filter driver, the first request to open the file using the virtual file name results in a STATUS_REPARSE response being returned from the file system filter driver indicating the determined real name. The I/O manager then reissues the file open request with the determined real name included in the STATUS_REPARSE response.

If instead the rule action is "ignore" (step 406), the real file name is determined to be exactly the virtual file name (step 412), and the request to open the real file is passed to the operating system and the result from the operating system is returned to the requestor (step 410). For example, a request to open a file named "file_1" results in the opening of an actual file named "file_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real file name to it as an argument.

If in step 406 the rule action is "isolate", the user-scoped file name corresponding to the virtual file name is identified as the candidate file name (step 414). In other words, the candidate file name is formed by mapping the virtual file name to the corresponding native file name specific to the applicable user isolation scope. For example, a request to open a file named "file_1" may result in the opening of a real file named "Isolated_file_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real file name to it as an argument. For embodiments using a file system filter driver, the first request to open the file using the virtual file name results in a STATUS_REPARSE response being returned from the file system filter driver indicating the determined real name. The I/O manager then reissues the file open request with the determined real name included in the REPARSE response.

In some embodiments, the real name formed in order to isolate a requested system file is based on the received virtual file name and a scope-specific identifier. The scope-specific identifier may be an identifier associated with an application isolation scope, a user isolation scope, a session isolation scope, an application isolation sub-scope, a user isolation sub-scope, or some combination of the above. The scope-specific identifier is used to "mangle" the virtual name received in the request.

In other embodiments, the user isolation scope or sub-scope may be a directory under which all files that exist in the user isolation scope are stored. In some of these embodiments, the directory tree structure under the user isolation directory reflects the path of the requested resource. In other words, the real file path is formed by mapping the virtual file path into the user isolation scope. For example, if the requested file is c:\temp\test.txt and the user isolation scope directory is d:\user1\app1\, then the path to the user-scoped real file may be d:\user1\app1\c\temp\test.txt. In other embodiments, the path to the user-scoped real file may be defined in a native naming convention. For example, the path to the user-scoped real file may be d:\user1\app1\device\hardisk1\temp\test.txt. In still other embodiments, the user-scoped files may all be stored in a single directory whose name is chosen to be unique, and a database may be used to store the mapping between the requested file name and the name of the corresponding real file stored in that directory. In still other embodiments, the contents of the real files may be stored in a database. In still other embodiments, the native file system provides a facility for a single file to contain multiple independently named "streams", and the contents of the user-scoped files are stored as additional streams associated with the file in the system scope.
Alternatively, the real files may be stored in a client file system designed to optimize disk usage or other criteria of interest.

The category of existence of the candidate file is determined by examining the user isolation scope and any metadata associated with the candidate file (step 416). If the candidate file is determined to have "negative existence", because either the candidate file or one of its ancestor directories in the user isolation scope is marked as deleted, the requested virtual file is considered not to exist. In this case, an error condition indicating that the requested file was not found is returned to the requestor (step 422).

In some embodiments, small amounts of metadata about a file are stored directly in the real file name, for example by suffixing the virtual name with a metadata indicator, where a metadata indicator is a string uniquely associated with a particular metadata state. The metadata indicator may indicate or encode one or more bits of metadata. Requests to access the file by its virtual file name check for possible variations of the real file name due to the presence of a metadata indicator, and requests to retrieve the name of the file itself are hooked or intercepted in order to respond with the real name. In other embodiments, one or more alternate names for the file may be formed from the virtual file name and a metadata indicator, and may be created using hard link or soft link facilities provided by the file system. The existence of these links may be hidden from applications by the isolation environment, which indicates that the file was not found if a request is made to access the file using the name of a link. The presence or absence of a particular link may indicate one bit of metadata for each metadata indicator, or there may be a link with a metadata indicator that can take on multiple states to indicate several bits of metadata. In still other embodiments, where the file system supports alternate file streams, an alternate file stream may be created to embody the metadata, with the size of the stream indicating several bits of metadata.
In still other embodiments, the file system may directly provide the ability to store some third-party metadata for each file in the file system.

In particular ones of these embodiments, a list of deleted files or file system elements may be maintained and consulted to optimize the check for deleted files. In these embodiments, if a deleted file is recreated, the file name is removed from the list of deleted files. In others of these embodiments, a file name is removed from the list if the list grows beyond a certain size.

If instead in step 416 the candidate file is determined to have "positive existence", because the candidate file exists in the user isolation scope and is not marked as a placeholder node, the requested virtual file is considered to exist. The candidate file is identified as the real file for the request (step 418), and a request to open the real file is issued and the result returned to the requestor (step 420).

If, however, in step 416 the candidate file has "neutral existence", because the candidate file does not exist, or because it exists but is marked as a placeholder node, it is not yet known whether the virtual file exists. In this case, the application-scoped file name corresponding to the virtual file name is identified as the candidate file name (step 424). In other words, the candidate file name is formed by mapping the virtual file name to the corresponding native file name specific to the applicable application isolation scope. The category of existence of the candidate file is determined by examining the application isolation scope and any metadata associated with the candidate file (step 426).

If the application-scoped candidate file is determined to have "negative existence", because either the candidate file or one of its ancestor directories in the application isolation scope is marked as deleted, the requested virtual file is considered not to exist. In this case, an error condition indicating that the requested file was not found is returned to the requestor (step 422).

If in step 426 the candidate file is determined to have "positive existence", because the candidate file exists in the application isolation scope and is not marked as a placeholder node, the requested virtual file is considered to exist. The request is checked to determine whether the open request indicates an intention to modify the file (step 428). If not, the candidate file is identified as the real file for the request (step 418), and a request to open the real file is issued and the result returned to the requestor (step 420).

However, if in step 428 it is determined that the open request indicates an intent to modify the file, the permission data associated with the file is checked to determine whether modification of the file is allowed (step 436). In some embodiments, the permission data is associated with the application-scoped candidate file. In some of these embodiments, the permission data is stored in the rules engine or in metadata associated with the candidate file. In other embodiments, the permission data associated with the candidate file is provided by the operating system. In addition, the rules engine may include configuration settings that instruct the isolation environment to obey or to override the native permission data for virtualized copies of resources. In some embodiments, the rules may specify, for some virtual resources, the scope in which modifications may occur, for example the system scope, the application isolation scope or a sub-scope, or the user isolation scope or a sub-scope. In some embodiments, the rules engine may specify configuration settings that apply to subsets of the virtualized native resources, based on the hierarchy or on the type of resource accessed. In some of these embodiments, the configuration settings may be specific to each atomic native resource. In another example, the rules engine may include configuration data that prohibits or allows modification of certain classes of files, such as executable code, or MIME types or file types as defined by the operating system.

If the permission data associated with the candidate file indicates that it may not be modified, an error condition is returned to the requestor (step 438) indicating that modification of the file is not allowed. If the permission data indicates that the file may be modified, the candidate file is copied to the user isolation scope (step 440). In some embodiments, the candidate file is copied to a location defined by the rules engine. For example, a rule may specify that the file is copied to another application isolation scope. In other embodiments, the rules may specify a particular application isolation sub-scope or user isolation sub-scope to which the file should be copied. Any ancestors of the requested file that do not appear in the isolation scope to which the file is copied are created as placeholders in that isolation scope, so that the copied instance is correctly located in the hierarchy.

In some embodiments, metadata is associated with files copied to the isolation scope that identifies the date and time at which the files were copied. This information may be used to compare the timestamp associated with the copied instance of the file with the timestamp of the last modification of the original instance of the file, or of another instance of the file located in a lower isolation scope. In these embodiments, if the original instance of the file, or an instance of the file located in a lower isolation scope, is associated with a timestamp later than the timestamp of the copied file, that file may be copied to the isolation scope to update the candidate file. In other embodiments, the copy of the file in the isolation scope may be associated with metadata identifying the scope that contains the original file that was copied.

In further embodiments, files that are copied to isolation scopes because they have been opened with intent to modify them are monitored to determine whether they are in fact modified. In one embodiment, a copied file is associated with a flag that is set when the file is actually modified. In these embodiments, if a copied file is not actually modified, it is removed from the scope to which it was copied after it is closed, along with any placeholder nodes associated with the copied file.

The scoped instance is identified as the real file (step 442), and a request to open the real file is issued and the result returned to the requestor (step 420).

Returning to step 426, if the candidate file has neutral existence, because the candidate file does not exist, or because the candidate file is found but is marked as a placeholder node, it is not yet known whether the virtual file exists. In this case, the system-scoped file name corresponding to the virtual file name is identified as the candidate file name (step 430). In other words, the candidate file name is exactly the virtual file name.

If the candidate file does not exist (step 432), an error condition indicating that the virtual file was not found is returned to the requestor (step 434). If, on the other hand, the candidate file exists (step 432), the request is checked to determine whether the open request indicates an intent to modify the file (step 428).

As above, if the candidate file is being opened without the intent to modify it, the system-scoped candidate file is identified as the real file for the request (step 418), and a request to open the real file is issued and the result returned to the requestor (step 420). However, if in step 428 it is determined that the open request indicates an intent to modify the file, the permission data associated with the file is checked to determine whether modification of the file is allowed (step 436). In some embodiments, the permission data is associated with the system-scoped candidate file. In some of these embodiments, the permission data is stored in the rules engine or in metadata associated with the candidate file. In other embodiments, the permission data associated with the candidate file is provided by the operating system.

If the permission data associated with the system-scoped candidate file indicates that the file may not be modified, an error condition is returned to the requestor (step 438) indicating that modification of the file is not allowed. However, if the permission data indicates that the file may be modified, the candidate file is copied to the user isolation scope (step 440). In some embodiments, the candidate file is copied to a location defined by the rules engine. For example, a rule may specify that the file is copied to an application isolation scope, or that it may be left in the system scope. In other embodiments, the rules may specify a particular application isolation sub-scope or user isolation sub-scope to which the file should be copied. Any ancestors of the requested file that do not appear in the isolation scope are created as placeholders in the isolation scope, so that the copied instance is correctly located in the hierarchy.

In some embodiments, metadata is associated with files copied to the isolation scope that identifies the date and time at which the files were copied. This information may be used to compare the timestamp associated with the copied instance of the file with the timestamp of the last modification of the original instance of the file. In these embodiments, if the original instance of the file is associated with a timestamp later than the timestamp of the copied file, the original file may be copied to the isolation scope to update the candidate file. In other embodiments, the candidate file copied to the isolation scope may be associated with metadata identifying the scope from which the original file was copied.

In further embodiments, files that are copied to isolation scopes because they have been opened with intent to modify them are monitored to determine whether they are in fact modified. In one embodiment, a copied file is associated with a flag that is set when the file is actually modified. In these embodiments, if a copied file is not actually modified, it is removed from the scope to which it was copied when it is closed, along with any placeholder nodes associated with the copied file. In yet further embodiments, the file is copied to the appropriate isolation scope only when the file is actually modified.

The scoped instance is identified as the real file (step 442), and a request to open the real file is issued and the result returned to the requestor (step 420).

4.1.2 File System Delete Operations

Referring now to FIG. 5, and in brief overview, one embodiment of the steps taken to delete a file is depicted. A request to delete a file is received or intercepted (step 502). The request contains a file name, which the isolation environment treats as a virtual file name. A rule determines how the file operation is processed (step 504). If the rule action is "redirect" (step 506), the virtual file name is mapped directly to a real file name according to the rule (step 508). A request to delete the real file is passed to the operating system, and the result from the operating system is returned to the requestor (step 510). If the rule action is "ignore" (step 506), the real file name is identified as exactly the virtual file name (step 513), a request to delete the real file is passed to the operating system, and the result from the operating system is returned to the requestor (step 510). If the rule action is "isolate" (step 506), the existence of the virtual file is determined (step 514). If the virtual file does not exist, an error condition indicating that the virtual file does not exist is returned to the requestor (step 516). If the virtual file exists, and if the virtualized file specifies a directory rather than an ordinary file, the virtual directory is consulted to determine whether it contains any virtual files or virtual subdirectories (step 518). If the requested virtualized file is a virtual directory that contains any virtual files or virtual subdirectories, the virtual directory cannot be deleted and an error message is returned (step 520). If the requested virtualized file is an ordinary file, or is a virtual directory that contains no virtual files and no virtual subdirectories, the real file corresponding to the virtual file is identified (step 522). Permission data associated with the file is checked to determine whether deletion is allowed (step 524). If not, a permission error message is returned (step 526). If, however, deletion of the file is allowed and the real file is in the appropriate user isolation scope (step 528), the real file is deleted (step 534) and a "deleted" node representing the deleted virtual file is created in the appropriate user isolation scope (step 536). If, however, in step 528 it is determined that the real file is not in the user isolation scope but is in the appropriate application isolation scope or system scope, an instance of every user-scoped ancestor of the user-scoped instance of the requested file that does not already exist is created and marked as a placeholder (step 532). This is done to maintain the logical hierarchy of the directory structure in the user isolation scope. A user-scoped "deleted" node representing the deleted virtual file is then created in the appropriate user isolation scope (step 536).

Still referring to FIG. 5, and in more detail, a request to delete a file is received or intercepted (step 502). The file belongs to the user isolation scope, the application isolation scope, the system scope, or some applicable isolation sub-scope. In some embodiments, the request is hooked by a function that replaces the operating system function or functions for deleting the file. In another embodiment, a hooking dynamically-linked library is used to intercept the request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for native files. For embodiments in which a separate operating system function is provided for each type of file, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of files.

The request contains a file name, which the isolation environment treats as a virtual file name. The processing rule applicable to the delete operation is determined by consulting the rules engine (step 504). In some embodiments, the virtual file name provided for the requested file is used to locate in the rules engine a rule that applies to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular file and, in some of these embodiments, the rule having the longest prefix match with the virtual file name is the rule applied to the request. In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat file database. In some embodiments, the virtual file name provided in the request is used as an index to locate in the rules engine one or more rules that apply to the request. In other embodiments, a process identifier is used to locate in the rules engine a rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. Although shown in FIG. 5 as a series of decisions, the rule lookup may occur as a single database transaction.

If the rule action is "redirect" (step 506), the virtual file name is mapped directly to a real file name according to the applicable rule (step 508). A request to delete the real file is passed to the operating system, and the result from the operating system is returned to the requestor (step 510). For example, a request to delete a file named "file_1" may result in the deletion of a real file named "Different_file_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real file name to the function as an argument. For embodiments using a file system filter driver, the first request to delete the file using the virtual file name results in the return of a STATUS_REPARSE response from the file system filter driver indicating the determined real name. The I/O manager then reissues the file delete request with the determined real name included in the STATUS_REPARSE response.

In some embodiments, operating system permissions associated with the real file "Different_file_1" may prevent deletion of the real file. In these embodiments, an error message is returned indicating that the file could not be deleted.

If the rule action is "ignore" (step 506), the real file name is identified as exactly the virtual file name (step 513), a request to delete the real file is passed to the operating system, and the result from the operating system is returned to the requestor (step 510). For example, a request to delete a file named "file_1" may result in the deletion of an actual file named "file_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real file name to the function as an argument. For embodiments using a file system filter driver, the first request to delete the file using the virtual file name results in the return of a STATUS_REPARSE response from the file system filter driver indicating the real name. The I/O manager then reissues the file delete request with the determined real name included in the STATUS_REPARSE response.

In some embodiments, operating system permissions associated with the real file "file_1" may prevent deletion of the real file. In these embodiments, an error message is returned indicating that the file could not be deleted.

If the rule action is "isolate" (step 506), the existence of the virtual file is determined (step 514). If the file does not exist, an error is returned indicating that the file was not found (step 516).

If, however, in step 518 it is determined that the file exists but that it is not an ordinary file and is not an empty virtual directory, that is, it contains virtual files or virtual subdirectories, an error message is returned indicating that the file may not be deleted (step 520).

If, however, the file is determined to exist, and if the requested virtualized file is an ordinary file or is an empty virtual directory, that is, it contains no virtual files and no virtual subdirectories (step 518), the real file corresponding to the virtual file is identified (step 522). The real file name is determined from the virtual file name as specified by the isolation rule. For example, a request to delete a file named "file_1" may result in the deletion of a real file named "Isolated_file_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real file name to the function as an argument. For embodiments using a file system filter driver, the first request to delete the file using the virtual file name results in the return of a STATUS_REPARSE response from the file system filter driver indicating the real name. The I/O manager then reissues the file delete request with the determined real name included in the STATUS_REPARSE response.

Once the real file corresponding to the virtual file is identified, it is determined whether the real file may be deleted (step 524). If the file may not be deleted, an error is returned indicating that the file could not be deleted (step 524). In some embodiments, the permission data is associated with the system-scoped candidate file. In some of these embodiments, the permission data is stored in the rules engine or in metadata associated with the candidate file. In other embodiments, the permission data associated with the candidate file is provided by the operating system.

If, however, deletion of the file is allowed, and if the real file is in the appropriate user isolation scope (step 528), the real file is deleted (step 534) and a "deleted" node representing the deleted virtual file is created in the appropriate user isolation scope (step 536).

If, however, in step 528 it is determined that the real file is not in the user isolation scope but is in the appropriate application isolation scope or system scope, an instance of every user-scoped ancestor of the user-scoped instance of the requested file that does not already exist is created and marked as a placeholder (step 532). This is done to maintain the logical hierarchy of the directory structure in the user isolation scope. A user-scoped "deleted" node representing the deleted virtual file is then created in the appropriate user isolation scope (step 536). In some embodiments, the identity of the deleted file is stored in a file or other cache memory to optimize checks for deleted files.

In some embodiments, the located virtualized file may be associated with metadata indicating that the virtualized file has already been deleted. In other embodiments, an ancestor of the virtualized file (for example, a higher directory containing the file) is associated with metadata indicating that it is deleted. In these embodiments, an error message indicating that the virtualized file does not exist is returned. In particular ones of these embodiments, a list of deleted files or file system elements is maintained and consulted to optimize this check for deleted files.
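The rule lookup of step 504 and the three rule actions, as an added Python example (not code from the patent): the rule with the longest prefix match selects the action and determines the real name. The rule table, the function names, the case-insensitive whole-component matching and the naming layout used for "isolate" under `scope_root` are assumptions made for illustration.

```python
def components(name):
    """Split a Windows-style path into lower-cased components for matching."""
    return [c.lower() for c in name.split("\\") if c]

# Constructed sample rules: (virtual prefix, action, redirect target or None).
RULES = [
    ("C:\\", "ignore", None),
    ("C:\\App", "isolate", None),
    ("C:\\App\\Logs", "redirect", "D:\\Logs\\App"),
]

def find_rule(virtual_name, rules):
    """Return the rule whose prefix matches the most leading components, or None."""
    want = components(virtual_name)
    best, best_len = None, -1
    for rule in rules:
        have = components(rule[0])
        # Whole components are compared, so a rule for ...\Logs does not
        # capture a sibling directory named ...\LogsOld.
        if want[:len(have)] == have and len(have) > best_len:
            best, best_len = rule, len(have)
    return best

def real_name(virtual_name, rules, scope_root):
    """Map a virtual file name to (action, real name), as in steps 506-513 and 522."""
    rule = find_rule(virtual_name, rules)
    if rule is None:
        raise LookupError("no rule covers " + virtual_name)
    prefix, action, target = rule
    parts = [c for c in virtual_name.split("\\") if c]
    rest = parts[len(components(prefix)):]
    if action == "ignore":
        return action, virtual_name                    # real name is the virtual name
    if action == "redirect":
        return action, "\\".join([target] + rest)      # prefix replaced by the rule target
    # isolate: place the name under the scope root, drive colon dropped (assumed layout)
    return action, "\\".join([scope_root] + [p.rstrip(":") for p in parts])
```
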

4.1.3 File System Enumeration Operations

Referring now to FIG. 6, and in brief overview, one embodiment of the steps taken to enumerate a directory in the described virtualized environment is shown. A request to enumerate is received or intercepted (step 602). The request contains a directory name, which the isolation environment treats as a virtual directory name. Conceptually, the existence of the virtual directory is determined as described in section 4.1.1 (step 603). If the virtual directory does not exist, a result indicating that the virtual directory was not found is returned to the requestor (step 620). If instead the virtual directory exists, the rules engine is consulted to determine the rule specified for the directory in the enumeration request (step 604). If the rule specifies an action of "redirect" (step 606), the real directory name corresponding to the virtual directory name is determined as specified by the rule (step 608), the real directory identified by the real name is enumerated, and the enumeration results are stored in a working data store (step 612), followed by step 630, described later. If the specified rule action is not "redirect" but "ignore" (step 610), the real directory name is exactly the virtual directory name (step 613), the real directory is enumerated, and the enumeration results are stored in the working data store (step 612), followed by step 630, described later. If, however, the rule action specifies "isolate", the system scope is enumerated first; that is, the candidate directory name is exactly the virtual directory name and, if the candidate directory exists, it is enumerated. The enumeration results are stored in the working data store. If the candidate directory does not exist, the working data store remains empty at this stage (step 614). Next, the candidate directory is identified as the application-scoped instance of the virtual directory, and the category of existence of the candidate directory is determined (step 615). If the candidate directory has "negative existence", that is, it or one of its ancestors in the scope is marked as deleted, then within this scope it is considered deleted, and this is indicated by flushing the working data store (step 642). If instead the candidate directory does not have negative existence, the candidate directory is enumerated and any enumeration results obtained are merged into the working data store. In particular, for each file system element in the enumeration, its category of existence is determined. Elements with negative existence are removed from the working data store, and elements with positive existence, that is, those that exist and are marked neither as placeholders nor as deleted, are added to the working data store, replacing the corresponding element if one is already present there (step 616).

In either case, the candidate directory is identified as the user-scoped instance of the virtual directory, and the category of existence of the candidate directory is determined (step 617). If the candidate directory has "negative existence", that is, it or one of its ancestors in the scope is marked as deleted, then within this scope it is considered deleted, and this is indicated by flushing the working data store (step 644). If instead the candidate directory does not have negative existence, the candidate directory is enumerated and any enumeration results obtained are merged into the working data store. In particular, for each file system element in the enumeration, its category of existence is determined. Elements with negative existence are removed from the working data store, and elements with positive existence, that is, those that exist and are marked neither as placeholders nor as deleted, are added to the working data store, replacing the corresponding element if one is already present there (step 618), followed by step 630, described later.

Next, step 630 is performed for all three types of rules. The rules engine is queried to find the set of rules whose filters match immediate children of the requested directory but do not match the requested directory itself (step 630). For each rule in the set, the existence of the virtual child whose name matches the name in the rule is queried using the logic depicted in section 4.1.1. If the child has positive existence, it is added to the working data store, replacing any child of the same name already there. If the child has negative existence, the entry in the working data store corresponding to the child, if any, is removed (step 632). Finally, the constructed enumeration is returned from the working data store to the requestor (step 620).
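The following Python model is an added example, not code from the patent: it implements the "isolate" paths of the open with intent to modify (copy to the user scope), delete and enumerate flows of sections 4.1.1 to 4.1.3 over three in-memory scopes. The class and function names, the tuple representation of paths and the sample data are assumptions; the permission checks (steps 436 and 524) and the rule-driven children of step 630 are left out.

```python
from enum import Enum

class Mark(Enum):              # scope-local node states other than file content
    DIR = 1
    PLACEHOLDER = 2            # keeps the hierarchy intact, says nothing about existence
    DELETED = 3                # the "deleted" node of step 536

class Existence(Enum):
    NEGATIVE = 1
    NEUTRAL = 2
    POSITIVE = 3

class Scope:
    """One isolation scope: path tuple -> Mark, or bytes for file content."""
    def __init__(self, name, nodes=None):
        self.name, self.nodes = name, dict(nodes or {})

    def existence(self, path):
        # Negative if the node or any ancestor in this scope is marked deleted.
        if any(self.nodes.get(path[:i]) is Mark.DELETED for i in range(1, len(path) + 1)):
            return Existence.NEGATIVE
        node = self.nodes.get(path)
        if node is None or node is Mark.PLACEHOLDER:
            return Existence.NEUTRAL
        return Existence.POSITIVE

    def children(self, path):
        n = len(path)
        return {p[-1] for p in self.nodes if len(p) == n + 1 and p[:n] == path}

def resolve(path, user, app, system):
    """Return the scope holding the real file, or None if the virtual file does not exist."""
    for scope in (user, app):                        # steps 416 and 426
        state = scope.existence(path)
        if state is Existence.NEGATIVE:
            return None                              # step 422
        if state is Existence.POSITIVE:
            return scope
    return system if path in system.nodes else None  # steps 430-434

def _add_placeholders(scope, path):
    for i in range(1, len(path)):
        scope.nodes.setdefault(path[:i], Mark.PLACEHOLDER)

def open_for_write(path, user, app, system):
    """Open with intent to modify (steps 428-442); returns the scope of the real file."""
    scope = resolve(path, user, app, system)
    if scope is None:
        raise FileNotFoundError("/".join(path))
    if scope is not user:
        _add_placeholders(user, path)
        user.nodes[path] = scope.nodes[path]         # step 440: copy to the user scope
    return user                                      # step 442

def enumerate_dir(path, user, app, system):
    """Merged listing, name -> scope that supplies it (steps 603 and 614-618)."""
    if resolve(path, user, app, system) is None:
        raise FileNotFoundError("/".join(path))
    work = {name: system.name for name in system.children(path)}   # step 614
    for scope in (app, user):
        if scope.existence(path) is Existence.NEGATIVE:
            work.clear()                             # steps 642 / 644: flush
            continue
        for name in scope.children(path):
            state = scope.existence(path + (name,))
            if state is Existence.NEGATIVE:
                work.pop(name, None)
            elif state is Existence.POSITIVE:
                work[name] = scope.name              # add, or replace a lower-scope entry
    return work

def delete(path, user, app, system):
    """Isolated delete (steps 514-536): lower scopes are never modified."""
    scope = resolve(path, user, app, system)
    if scope is None:
        raise FileNotFoundError("/".join(path))      # step 516
    if scope.nodes[path] is Mark.DIR and enumerate_dir(path, user, app, system):
        raise OSError("virtual directory is not empty")   # step 520
    if scope is user:
        del user.nodes[path]                         # step 534
    else:
        _add_placeholders(user, path)                # step 532
    user.nodes[path] = Mark.DELETED                  # step 536

def demo():
    # Constructed sample data: one directory seen through three scopes.
    system = Scope("system", {("app",): Mark.DIR,
                              ("app", "a.cfg"): b"sys-a", ("app", "b.cfg"): b"sys-b"})
    app = Scope("app", {("app",): Mark.PLACEHOLDER,
                        ("app", "b.cfg"): b"app-b", ("app", "c.cfg"): b"app-c"})
    user = Scope("user")
    before = enumerate_dir(("app",), user, app, system)
    delete(("app", "a.cfg"), user, app, system)
    open_for_write(("app", "b.cfg"), user, app, system)
    after = enumerate_dir(("app",), user, app, system)
    return before, after, system, app, user
```

After `demo()`, the system-scoped `a.cfg` is still present in the system scope but hidden from the virtual view by the user-scoped "deleted" node, which is the property that keeps one user's delete from affecting other users of the same lower scopes.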

Still referring to FIG. 6, and in more detail, a request to enumerate a directory is received or intercepted (step 602). In some embodiments, the request is hooked by a function that replaces the operating system function or functions for enumerating a directory. In another embodiment, a hooking dynamically-linked library is used to intercept the request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for file operations. For embodiments in which a separate operating system function is provided for each type of file operation, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of file operations.

The existence of the virtual directory is determined (step 603). This is achieved as described in section 4.1.1. If the virtual directory does not exist, it is not enumerated, and a result indicating that the virtual directory does not exist is returned to the requestor (step 620).

The request contains a directory name, which the isolation environment treats as a virtual directory name. If the virtual directory exists, the rule that determines how the enumeration operation is to be processed is located by consulting the rules engine (step 604). In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat file database. In some embodiments, the virtual directory name provided for the requested directory is used to locate in the rules engine a rule that applies to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular directory, and in these embodiments the rule having the longest prefix match with the virtual directory name is the rule applied to the request. In other embodiments, a process identifier is used to locate in the rules engine a rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. Although shown in FIG. 6 as a single database transaction or a single lookup into a file, the rule lookup may be performed as a series of rule lookups.

If the rule action is "redirect" (step 606), the virtual directory name is mapped directly to a real directory name according to the rule (step 608). A request to enumerate the real directory is passed to the operating system (step 612), and step 630 is performed as described later. For example, a request to enumerate a directory named "directory_1" may result in the enumeration of a real directory named "Different_directory_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument. For embodiments using a file system filter driver, the first request to open the directory for enumeration using the virtual name results in a "STATUS_REPARSE" request response that indicates the determined real name. The I/O Manager then reissues the directory open request for enumeration with the determined real name included in the STATUS_REPARSE response.

If the rule action is not "redirect" (step 606) but is "ignore" (step 610), then the real directory name is identified as exactly the virtual directory name (step 613), a request to enumerate the real directory is passed to the operating system (step 612), and step 630 is performed as described later. For example, a request to enumerate a directory named "directory_1" will result in the enumeration of a real directory named "directory_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument. For embodiments using a file system filter driver, the first request to enumerate the directory using the virtual name is passed on unmodified by the filter driver.

If the rule action determined in step 610 is not "ignore" but is "isolate", then the system scope is enumerated; that is, the virtual name provided in the request is used to identify the enumerated directory (step 614). The results of the enumeration are stored in a working data store. In some embodiments, the working data store is comprised of a memory element. In other embodiments, the working data store comprises a database, a file, a solid-state memory element, or a persistent data store.

Next, the candidate directory is identified as the application-scoped instance of the virtual directory, and the category of existence of the candidate directory is determined (step 615). If the candidate directory has "negative existence", that is, it or one of its ancestors in the scope is marked as deleted, then it is considered deleted within that scope, and this is indicated by flushing the working data store (step 642).

In some embodiments, small amounts of metadata about a file are stored directly in the real file name, for example by suffixing the virtual name with a metadata indicator, where a metadata indicator is a string uniquely associated with a particular metadata state. The metadata indicator may indicate or encode one or more bits of metadata. Requests to access the file by virtual file name check for possible variations of the real file name due to the presence of a metadata indicator, and requests to retrieve the name of the file itself are hooked or intercepted in order to respond with the real name. In other embodiments, one or more alternate names for the file may be formed from the virtual file name and a metadata indicator, and may be created using hard link or soft link facilities provided by the file system. The existence of these links may be hidden from applications by the isolation environment, by indicating that the file is not found if a request is given to access a file using the name of a link. The presence or absence of a particular link may indicate one bit of metadata for each metadata indicator, or there may be a link with a metadata indicator that can take on multiple states to indicate several bits of metadata. In still other embodiments, where the file system supports alternate file streams, an alternate file stream may be created to embody the metadata, with the size of the stream indicating several bits of metadata. In still other embodiments, a file system may directly provide the ability to store some third-party metadata for each file in the file system. In yet other embodiments, a separate sub-scope may be used to record deleted files, and the existence of a file (not marked as a placeholder) in that sub-scope is taken to indicate that the file is deleted.

If instead the candidate directory does not have negative existence, the candidate directory is enumerated and any enumeration results obtained are merged into the working data store. In particular, for each file system element in the enumeration, its category of existence is determined. Elements with negative existence are removed from the working data store, and elements with positive existence, that is, those that exist and are neither marked as placeholders nor marked as deleted, are added to the working data store, replacing the corresponding element if one is already present in the working data store (step 616).

In either case, the candidate directory is identified as the user-scoped instance of the virtual directory, and the category of existence of the candidate directory is determined (step 617). If the candidate directory has "negative existence", that is, it or one of its ancestors in the scope is marked as deleted, then it is considered deleted within that scope, and this is indicated by flushing the working data store (step 644). If instead the candidate directory does not have negative existence, the candidate directory is enumerated and any enumeration results obtained are merged into the working data store. In particular, for each file system element in the enumeration, its category of existence is determined. Elements with negative existence are removed from the working data store, and elements with positive existence, that is, those that exist and are neither marked as placeholders nor marked as deleted, are added to the working data store, replacing the corresponding element if one is already present in the working data store (step 618), followed by step 630, described later.

Step 630 is then performed for all three types of rules. The rules engine is queried to find the set of rules whose filters match immediate children of the requested directory but do not match the requested directory itself (step 630). For each rule in the set, the existence of the virtual child whose name matches the name in the rule is queried using the logic described in section 4.1.1. If the child has positive existence, it is added to the working data store, replacing any child of the same name already there. If the child has negative existence, the entry in the working data store corresponding to the child, if any, is removed (step 632). Finally, the constructed enumeration is returned from the working data store to the requestor (step 620).

Those skilled in the art will recognize that the layered enumeration process described above can be applied, with minor modification, to the operation of enumerating a single isolation scope that comprises a plurality of isolation sub-scopes. A working data store is created, and successive sub-scopes are enumerated and the results merged into the working data store to form the aggregated enumeration of the isolation scope.
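The "isolate" branch of the enumeration (steps 614 to 618, then 620) can be followed in a small model. This is an added example, not code from the patent: the `Scope` and `Entry` types, the scope labels and the sample directory contents are assumptions constructed for illustration, and the rule-driven child pass of steps 630 to 632 is left out.

```python
from dataclasses import dataclass, field

POSITIVE, NEGATIVE, NEUTRAL = "positive", "negative", "neutral"


@dataclass(frozen=True)
class Entry:
    name: str
    deleted: bool = False       # element is marked as deleted in this scope
    placeholder: bool = False   # element is only a placeholder node


def existence(entry):
    """Category of existence of one enumerated element."""
    if entry.deleted:
        return NEGATIVE
    if entry.placeholder:
        return NEUTRAL
    return POSITIVE


@dataclass
class Scope:
    label: str
    dirs: dict = field(default_factory=dict)         # directory path -> list of Entry
    deleted_dirs: set = field(default_factory=set)   # directories marked as deleted

    def dir_is_deleted(self, path):
        # Negative existence: the directory or one of its ancestors is marked deleted.
        parts = path.strip("/").split("/")
        return any("/" + "/".join(parts[:i]) in self.deleted_dirs
                   for i in range(1, len(parts) + 1))


def enumerate_isolated(path, system, app, user):
    """Build the virtual listing of `path` from system, application and user scopes."""
    work = {}                                        # the working data store
    for entry in system.dirs.get(path, []):          # step 614: system scope
        work[entry.name] = (system.label, entry)
    for scope in (app, user):                        # steps 615-616, then 617-618
        if scope.dir_is_deleted(path):               # steps 642 / 644: flush
            work.clear()
            continue
        for entry in scope.dirs.get(path, []):
            state = existence(entry)
            if state == NEGATIVE:
                work.pop(entry.name, None)           # hides the lower-scope element
            elif state == POSITIVE:
                work[entry.name] = (scope.label, entry)  # replaces any same-named element
            # NEUTRAL: a placeholder leaves the lower-scope element visible
    return sorted((entry.name, origin) for origin, entry in work.values())  # step 620


# Constructed sample scopes.
SYSTEM = Scope("system", {"/app": [Entry("config.ini"), Entry("readme.txt"), Entry("old.dll")]})
APP = Scope("app", {"/app": [Entry("config.ini"), Entry("old.dll", deleted=True)]})
USER = Scope("user", {"/app": [Entry("notes.txt"), Entry("readme.txt", placeholder=True)]})
APP_WIPED = Scope("app", deleted_dirs={"/app"})

if __name__ == "__main__":
    print(enumerate_isolated("/app", SYSTEM, APP, USER))
    print(enumerate_isolated("/app", SYSTEM, APP_WIPED, USER))
```

The second call shows the flush: once the application scope marks the directory as deleted, nothing from the system scope reaches the requestor, and only elements recreated in the user scope are listed.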

4.1.4 File System Creation Operations

Referring now to FIG. 7, and in brief overview, one embodiment of the steps taken to create a file in the isolation environment is shown. A request to create a file is received or intercepted (step 702). The request contains a file name, which the isolation environment treats as a virtual file name. An attempt is made to open the requested file using full virtualization with the applicable rules, that is, using the appropriate user and application isolation scopes, as described in section 4.1.1 (step 704). If access is denied (step 706), an access denied error is returned to the requestor (step 709). If access is granted (step 706) and the requested file is successfully opened (step 710), the requested file is returned to the requestor (step 712). However, if access is granted (step 706) but the requested file is not successfully opened (step 710), then if the parent of the requested file also does not exist (step 714), an error appropriate to the request semantics is issued to the requestor (step 716). If, on the other hand, the parent of the requested file is found in the fully virtualized view using the appropriate user and application scopes (step 714), a rule then determines how the file operation is processed (step 718). If the rule action is "redirect" or "ignore" (step 720), the virtual file name is mapped directly to a real file name according to the rule. Specifically, if the rule action is "ignore", the real file name is identified as exactly the virtual file name. If instead the rule action is "redirect", the real file name is determined from the virtual file name as specified by the rule. A request to create the real file is then passed to the operating system, and the result is returned to the requestor (step 724). If, on the other hand, the rule action determined in step 720 is "isolate", then the real file name is identified as the instance of the virtual file name in the user isolation scope. If the real file already exists but is associated with metadata indicating that it is a placeholder or that it is deleted, the associated metadata is modified to remove those indications, and it is ensured that the file is empty. In the other case, a request to open the real file is passed to the operating system (step 726). If the real file is opened successfully (step 728), the real file is returned to the requestor (730). If, on the other hand, the requested file fails to open in step 728, placeholders are created for each ancestor of the real file that does not currently exist in the user isolation scope (step 732), and a request to create the real file using the real name is passed to the operating system and the result is returned to the requestor (step 734).

Still referring to FIG. 7, and in more detail, a request to create a file is received or intercepted (step 702). In some embodiments, the request is hooked by a function that replaces the operating system function or functions for creating a file. In another embodiment, a hooking dynamically linked library is used to intercept the request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for files. For embodiments in which a separate operating system function is provided for each type of file operation, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of file operations.

The request contains a file name, which the isolation environment treats as a virtual file name. The requestor attempts to open the requested file using full virtualization with the applicable rules, that is, using the appropriate user and application isolation scopes, as described in section 4.1.1 (step 704). If access is denied during the fully virtualized open operation (step 706), an access denied error is returned to the requestor (step 709). If access is granted (step 706) and the requested virtual file is successfully opened (step 710), the corresponding real file is returned to the requestor (step 712). However, if access is granted (step 706) but the requested file is not successfully opened (step 710), then the virtual file is determined not to exist. If the virtual parent of the requested virtual file also does not exist, as determined by the process in section 4.1.1 (step 714), an error appropriate to the request semantics is issued to the requestor (step 716). If, on the other hand, the virtual parent of the requested virtual file is found in the fully virtualized view using the appropriate user and application isolation scopes (step 714), then the rule that determines how the create operation is processed is located by consulting the rules engine (step 718). In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat file database. In some embodiments, the virtual file name provided for the requested file is used to locate in the rules engine a rule that applies to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular file, and in some of these embodiments the rule having the longest prefix match with the virtual file name is the rule applied to the request. In some embodiments, a process identifier is used to locate in the rules engine a rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. Although shown in FIG. 7 as a single database transaction or a single lookup into a file, the rule lookup may be performed as a series of rule lookups.

If the rule action is "redirect" or "ignore" (step 720), the virtual file name is mapped directly to a real file name according to the rule (step 724). If the rule action is "redirect" (step 720), the real file name is determined from the virtual file name as specified by the rule (step 724). If the rule action is "ignore" (step 720), the real file name is identified as exactly the virtual file name (step 724). Whether the rule action is "ignore" or "redirect", a request to create the real file using the determined real file name is passed to the operating system, and the result from the operating system is returned to the requestor (step 724). For example, a request to create a virtual file named "file_1" may result in the creation of a real file named "Different_file_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument (step 724). For embodiments using a file system filter driver, the first request to open the file using the virtual file name results in a "STATUS_REPARSE" request response that indicates the determined real name. The I/O Manager then reissues the file open request with the determined real name included in the STATUS_REPARSE response.

If the rule action determined in step 720 is not "ignore" or "redirect" but is "isolate", then the real file name is identified as the instance of the virtual file name in the user isolation scope. If the real file already exists but is associated with metadata indicating that it is a placeholder or that it is deleted, the associated metadata is modified to remove those indications, and it is ensured that the file is empty.

In some embodiments, small amounts of metadata about a file are stored directly in the real file name, for example by suffixing the virtual name with a metadata indicator, where a metadata indicator is a string uniquely associated with a particular metadata state. The metadata indicator may indicate or encode one or more bits of metadata. Requests to access the file by virtual file name check for possible variations of the real file name due to the presence of a metadata indicator, and requests to retrieve the name of the file itself are hooked or intercepted in order to respond with the real name. In other embodiments, one or more alternate names for the file may be formed from the virtual file name and a metadata indicator, and may be created using hard link or soft link facilities provided by the file system. The existence of these links may be hidden from applications by the isolation environment, by indicating that the file is not found if a request is given to access a file using the name of a link. The presence or absence of a particular link may indicate one bit of metadata for each metadata indicator, or there may be a link with a metadata indicator that can take on multiple states to indicate several bits of metadata. In still other embodiments, where the file system supports alternate file streams, an alternate file stream may be created to embody the metadata, with the size of the stream indicating several bits of metadata. In still other embodiments, a file system may directly provide the ability to store some third-party metadata for each file in the file system.

In particular ones of these embodiments, a list of deleted files or file system elements may be maintained and consulted to optimize the check for deleted files. In these embodiments, if a deleted file is recreated, the file name is removed from the list of deleted files. In others of these embodiments, a file name is removed from the list if the list grows beyond a certain size.

In the other case, a request to open the user-scoped real file is passed to the operating system (step 726). In some embodiments, rules may specify that the real file corresponding to the virtual file should be created in a scope other than the user isolation scope, such as the application isolation scope, the system scope, a user isolation sub-scope, or an application isolation sub-scope.

If the real file is opened successfully (step 728), the real file is returned to the requestor (730). If, on the other hand, the requested file fails to open in step 728, placeholders are created for each ancestor of the real file that does not currently exist in the user isolation scope (step 732), and a request to create the real file using the real name is passed to the operating system and the result is returned to the requestor (step 734).

This embodiment is for operating systems with APIs or facilities that only support the creation of one level per call or invocation. Extension to multiple levels per call or invocation will be apparent to those skilled in the art.
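The rule lookup and the three create outcomes (steps 718 to 734) can be traced in a short model. This is an added example, not code from the patent: the rule set, the `/scopes/user1` user-scope root, the in-memory `store` standing in for the real file system, and the path-component matching are all assumptions, and the example starts after the virtual parent has been found (step 714).

```python
import posixpath

# Constructed rule set; prefixes, target and user-scope root are assumptions.
RULES = [
    {"prefix": "/", "action": "ignore"},
    {"prefix": "/app", "action": "isolate"},
    {"prefix": "/app/logs", "action": "redirect", "target": "/mnt/logs"},
]
USER_ROOT = "/scopes/user1"


def find_rule(virtual_name, rules):
    """Return the rule whose prefix is the longest match for the virtual name."""
    best = None
    for rule in rules:
        prefix = rule["prefix"].rstrip("/")
        # Assumption: prefixes match whole path components, so "/app"
        # does not capture "/applications".
        if virtual_name == prefix or virtual_name.startswith(prefix + "/"):
            if best is None or len(rule["prefix"]) > len(best["prefix"]):
                best = rule
    return best


def new_node(kind, placeholder=False):
    return {"kind": kind, "placeholder": placeholder, "deleted": False, "data": b""}


def create_file(virtual_name, store, rules=RULES, user_root=USER_ROOT):
    """Create a virtual file; `store` maps real path -> node. Returns (real name, outcome)."""
    rule = find_rule(virtual_name, rules)                 # step 718
    if rule is None:
        raise LookupError("no rule applies to " + virtual_name)
    action = rule["action"]
    if action == "ignore":                                # real name is the virtual name
        real = virtual_name
    elif action == "redirect":                            # real name specified by the rule
        real = rule["target"] + virtual_name[len(rule["prefix"].rstrip("/")):]
    elif action == "isolate":                             # instance in the user scope
        real = user_root + virtual_name
    else:
        raise ValueError("unknown rule action " + action)

    if action != "isolate":
        store[real] = new_node("file")                    # step 724
        return real, "created"

    node = store.get(real)
    if node is not None:
        if node["placeholder"] or node["deleted"]:
            # Remove the indications and make sure the file is empty.
            node.update(placeholder=False, deleted=False, data=b"")
            return real, "reset"
        return real, "opened"                             # steps 726-730

    missing = []                                          # step 732
    parent = posixpath.dirname(real)
    while parent != user_root and parent not in store:
        missing.append(parent)
        parent = posixpath.dirname(parent)
    for path in reversed(missing):
        store[path] = new_node("dir", placeholder=True)
    store[real] = new_node("file")                        # step 734
    return real, "created"


if __name__ == "__main__":
    store = {}
    print(create_file("/app/logs/run.txt", store))
    print(create_file("/app/data/sub/x.db", store))
    print(sorted(p for p, n in store.items() if n["placeholder"]))
```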

4.1.5 Short File Name Management

In some file systems, each file is given both a short and a long file name. Either name may be used to access the file in any of the file operations described above. For each file that possesses both a short and a long file name, this implicitly creates an association between the short and long file names assigned to that file. In some of these file systems, the file system automatically assigns short names to files that are created using long file names. If the association between short and long file names is not maintained by the isolation environment, files with different long names in the same directory but in different scope levels may have the same short file name, leading to confusion if the short file name is used to access a virtual file. Alternatively, the short file name may change when a file is copied to the user isolation scope for modification, meaning that the virtual file can no longer be accessed using the original short file name.

To prevent these problems, first, file system operations that copy file instances opened with the intention of modifying them to a "higher" scope preserve the association between the short and long file names associated with the copied instance. Second, unique short names are created for newly created isolated files in place of the file names assigned by the operating system. A generated short file name should satisfy the condition that it does not match any existing short file name in the same directory in the same isolation scope or in the same directory in a "lower" isolation scope. For example, a short file name generated for an instance of a file located in a user isolation scope should not match existing short file names in the application-scoped instance of the directory or in the system-scoped instance of the directory.

Referring now to FIG. 7A, one embodiment of the steps taken to assign a unique short file name after a new file is created is shown. In brief overview, a check is made to determine whether a short file name should be generated (step 752). If not, a status is returned indicating that no short file name will be generated (step 754). Otherwise, the file name is checked to determine whether it is already a legal short file name according to the file system (step 756). If it is already a legal short file name, a status is returned indicating that no short file name will be generated (step 754). Otherwise, a suitable short file name is constructed (step 758).

Still referring to FIG. 7A, and in more detail, a check is made to determine whether a short file name should be generated (step 752). In some embodiments, this decision is made based on the device storing the file to which the file name refers. In other embodiments, generation of short file names may be enabled for certain scopes or sub-scopes, or for the isolation environment as a whole. In some of these embodiments, a registry setting may specify whether a short file name will be generated for a particular file name. If no short file name should be generated, a status is returned indicating that no short file name will be generated (step 754).

Otherwise, the file name is checked to determine whether it is already a legal short file name (step 756). In some embodiments, a legal short file name contains eight characters in the file name and three characters in an optional extension. In some embodiments, a legal short file name contains only legal characters, such as A-Z, a-z, 0-9, `, ~, !, @, #, $, %, ^, &, *, (, ), -, _, ', {, and }. In some embodiments, a leading space or ".", or more than one ".", is illegal. If the file name provided is already a legal short file name, a status is returned indicating that no short file name will be generated (step 754).

Otherwise, if it is determined in step 756 that the file name is not a legal short file name, a suitable short file name is constructed (step 758). In some embodiments, this is achieved by using some of the parts of the long file name that are legal for use in a short file name, combined with an encoded iteration count, to form a candidate short file name. The iteration count is increased until the associated candidate short file name is suitable, that is, it is a legal short file name that is not used by any other file in the same directory in the same scope, or in the same directory in a lower scope. In other embodiments, the long file name is mangled or hashed and encoded, and is combined with an encoded iteration count to form a candidate short file name. The iteration count is increased until the associated candidate short file name is suitable, that is, it is a legal short file name that is not used by any other file in the same directory in the same scope, or in the same directory in a lower scope. In all of these embodiments, a scope-specific string may be incorporated into the candidate short file name to increase the likelihood that a suitable candidate short file name will be found with a low iteration count.
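Steps 752 to 758 can be exercised with a short generator that avoids names already used in the same directory in the same or a lower scope. This is an added example, not code from the patent: the `~` plus decimal count encoding, treating 8 and 3 as maximum lengths, the case-insensitive comparison, the scope ordering and the sample names are assumptions.

```python
import string

# Characters the text lists as legal in a short file name.
LEGAL = set(string.ascii_letters + string.digits + "`~!@#$%^&*()-_'{}")
SCOPE_ORDER = ["system", "app", "user"]   # lowest to highest (assumed labels)


def is_legal_short(name):
    """Step 756. Assumption: 8 and 3 are treated as maximum lengths."""
    if not name or name[0] in " ." or name.count(".") > 1:
        return False
    base, _, ext = name.partition(".")
    if not 1 <= len(base) <= 8 or len(ext) > 3:
        return False
    return all(c in LEGAL for c in base + ext)


def names_to_avoid(target_scope, short_names_by_scope):
    """Short names used in this directory in the target scope or any lower scope."""
    upto = SCOPE_ORDER.index(target_scope) + 1
    taken = set()
    for scope in SCOPE_ORDER[:upto]:
        # Assumption: short names are compared without regard to case.
        taken |= {n.upper() for n in short_names_by_scope.get(scope, ())}
    return taken


def generate_short_name(long_name, taken, scope_tag="", enabled=True, max_count=9999):
    """Return a suitable short name, or None when none is to be generated (step 754)."""
    if not enabled or is_legal_short(long_name):          # steps 752 and 756
        return None
    stem, dot, ext = long_name.rpartition(".")
    if not dot:                                           # no extension present
        stem, ext = long_name, ""
    base = "".join(c for c in stem if c in LEGAL)         # legal parts of the long name
    ext = "".join(c for c in ext if c in LEGAL)[:3]
    for count in range(1, max_count + 1):                 # step 758
        suffix = "~" + scope_tag + str(count)             # encoded iteration count
        keep = max(0, 8 - len(suffix))
        candidate = base[:keep] + suffix + ("." + ext if ext else "")
        if is_legal_short(candidate) and candidate.upper() not in taken:
            return candidate
    raise RuntimeError("no suitable short file name found")


# Constructed sample: short names already present in one directory, per scope.
SHORT_NAMES = {"system": {"REPORT~1.DOC"}, "app": {"report~2.doc"}, "user": set()}

if __name__ == "__main__":
    avoid = names_to_avoid("user", SHORT_NAMES)
    print(generate_short_name("report final.v2.docx", avoid))
    print(generate_short_name("report final.v2.docx", avoid, scope_tag="U"))
```

With the scope tag the first candidate is already free, which is the effect the text attributes to incorporating a scope-specific string.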

4.2 Registry Virtualization

The methods and apparatus described above may be used to virtualize access to a registry database. As described above, a registry database stores information about the hardware physically attached to the computer, which system options have been selected, how computer memory is set up, various items of application-specific data, and which application programs should be present when the operating system is started. A registry database is commonly organized in a logical hierarchy of "keys" 170, 172, which are containers for registry values.

4.2.1 Registry key open operations

In brief overview, FIG. 8 depicts one embodiment of the steps taken to open a registry key in the isolation environment described above. A request to open a registry key is received or intercepted, the request containing a registry key name, which the isolation environment treats as a virtual key name (step 802). A processing rule applicable to the virtual name in the request determines how the registry key operation is processed (step 804). If the rule action is "redirect" (step 806), the virtual key name provided in the request is mapped to a real key name as specified by the applicable rule (step 808). A request to open the real registry key using the real key name is passed to the operating system, and the result from the operating system is returned to the requestor (step 810). If the rule action is not "redirect" but "ignore" (step 806), the virtual key name is identified as the real key name (step 812), and a request to open the real registry key is passed to the operating system, and the result from the operating system is returned to the requestor (step 810). If the rule action determined in step 806 is neither "redirect" nor "ignore" but "isolate", the virtual key name provided in the request is mapped to a user-scope candidate key name, that is, the key name corresponding to the virtual key name that is specific to the applicable user isolation scope (step 814).
The category of existence of the user-scope candidate key is determined by examining the user isolation scope and any metadata associated with the candidate key (step 816). If the candidate key is determined to have "negative existence", because either the candidate key or one of its ancestor keys in the user isolation scope is marked as deleted, this means the requested virtual registry key is considered not to exist. In this case, an error condition indicating that the requested file was not found is returned to the requestor (step 822). If instead, in step 816, the candidate key is determined to have "positive existence", because the candidate key exists in the user isolation scope and is not marked as a placeholder node, the requested virtual key is considered to exist. The candidate key is identified as the real key for the request (step 818), and a request to open the real key is issued and the result returned to the requestor (step 820). If, however, in step 816 the candidate key has "neutral existence", because the candidate key does not exist, or the candidate key exists but is marked as a placeholder node, it is not yet known whether the virtual key exists. In this case, the application-scope key name corresponding to the virtual key name is identified as the candidate key name (step 824). In other words, the candidate key name is formed by mapping the virtual key name to the corresponding native key name specific to the applicable application isolation scope.
The category of existence of the candidate key is determined by examining the application isolation scope and any metadata associated with the candidate key (step 826). If the candidate key is determined to have "negative existence", because either the candidate key or one of its ancestor keys in the application isolation scope is marked as deleted, this means the requested virtual key is considered not to exist. In this case, an error condition indicating that the requested key was not found is returned to the requestor (step 822). If instead, in step 826, the candidate key is determined to have "positive existence", because the candidate key exists in the application isolation scope and is not marked as a placeholder node, the requested virtual key is considered to exist. The request is checked to determine whether the open request indicates an intent to modify the key (step 828). If not, the candidate key is identified as the real key for the request (step 818), and a request to open the real key is issued and the result returned to the requestor (step 820). If, however, in step 828 it is determined that the open request indicates an intent to modify the key, the permission data associated with the key is checked to determine whether modification of the key is allowed (step 836). If not, an error condition is returned to the requestor (step 838) indicating that modification of the key is not allowed. If the permission data indicates that the key may be modified, the candidate key is copied to the user isolation scope (step 840).
In some embodiments, the candidate key is copied to a location defined by the rules engine. For example, a rule may specify that the key is copied to an application isolation scope. In other embodiments, a rule may specify a particular application isolation sub-scope or user isolation sub-scope to which the key should be copied. Any ancestors of the requested key that do not appear in the isolation scope to which the key is copied are created as placeholders in that isolation scope, in order to correctly locate the copied instance in the hierarchy. The newly copied scoped instance is identified as the real key (step 842), and a request to open the real key is issued and the result returned to the requestor (step 820). Returning to step 826, if the candidate key has neutral existence, because the candidate key does not exist, or because the candidate key is found but marked as a placeholder node, it is not yet known whether the virtual key exists. In this case, the system-scope key name corresponding to the virtual key name is identified as the candidate key name (step 830). In other words, the candidate key name is exactly the virtual key name. If the candidate key does not exist (step 832), an error condition indicating that the virtual key was not found is returned to the requestor (step 834). If, on the other hand, the candidate key exists (step 832), the request is checked to determine whether the open request indicates an intent to modify the key (step 828).
If not, the candidate key is identified as the real key for the request (step 818), and a request to open the real key is issued and the result returned to the requestor (step 820). If, however, in step 828 it is determined that the open request indicates an intent to modify the key, the permission data associated with the key is checked to determine whether modification of the key is allowed (step 836). If not, an error condition is returned to the requestor (step 838) indicating that modification of the key is not allowed. If the permission data indicates that the key may be modified, the candidate key is copied to the user isolation scope (step 840). In some embodiments, the candidate key is copied to a location defined by the rules engine. For example, a rule may specify that the key is copied to an application isolation scope. In other embodiments, a rule may specify a particular application isolation sub-scope or user isolation sub-scope to which the key should be copied. Any ancestors of the requested key that do not appear in the isolation scope are created as placeholders in the isolation scope, in order to correctly locate the copied instance in the hierarchy. The newly copied scoped instance is identified as the real key (step 842), and a request to open the real key is issued and the result returned to the requestor (step 820).

Still referring to FIG. 8, and now in more detail, a request to open a virtual registry key is received or intercepted (step 802). The corresponding real registry key may belong to the user isolation scope, the application isolation scope or the system scope, or it may be scoped to an application isolation sub-scope or a user isolation sub-scope. In some embodiments, the request is hooked by a function that replaces the operating system function or functions for opening a registry key. In another embodiment, a hooking dynamic-link library is used to intercept the request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for native registry keys. For embodiments in which a separate operating system function is provided for each type of key operation, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of registry key operations.

The request contains a registry key name, which the isolation environment treats as a virtual registry key name. The processing rule applicable to the registry key open request is determined by consulting the rules engine (step 804). In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat file database. In some embodiments, the virtual registry key name provided for the requested registry key is used to locate in the rules engine the rule that applies to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular registry key and, in these embodiments, the rule having the longest prefix match with the virtual registry key name is the rule applied to the request. In other embodiments, a process identifier is used to locate in the rules engine the rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. Although shown in FIG. 8 as a single database transaction or a single lookup into a file, the rule lookup may be performed as a series of rule lookups.

If the rule action is "redirect" (step 806), the virtual registry key name provided in the request is mapped to a real registry key name according to the applicable rule (step 808). A request to open the real registry key using the real registry key name is passed to the operating system, and the result from the operating system is returned to the requestor (step 810). For example, a request to open a registry key named "registry_key_1" may result in the opening of a real registry key named "Different_registry_key_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument. In other embodiments, a registry filter driver facility conceptually similar to a file system filter driver facility may be provided by the operating system. In these embodiments, opening the real registry key may be achieved by responding to the original request to open the virtual key by signaling to the registry filter manager to reparse the request using the determined real key name. If instead the rule action is "ignore" (step 806), the real registry key name is determined to be exactly the virtual registry key name (step 812), and the request to open the real registry key is passed to the operating system, and the result from the operating system is returned to the requestor (step 810).
For example, a request to open a registry key named "registry_key_1" may result in the opening of a real registry key named "registry_key_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument. In another embodiment, this is accomplished by signaling to the registry filter manager to continue processing the original unmodified request in the normal fashion.

If, in step 806, the rule action is "isolate", the user-scope registry key name corresponding to the virtual registry key name is identified as the candidate registry key name (step 814). In other words, the candidate registry key name is formed by mapping the virtual registry key name to the corresponding native registry key name specific to the applicable user isolation scope. For example, a request to open a registry key named "registry_key_1" may result in the opening of a real registry key named "Isolated_UserScope_UserA_registry_key_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument. In other embodiments, opening the real registry key may be achieved by responding to the original request to open the virtual key by signaling to the registry filter manager to reparse the request using the determined real key name.

In some embodiments, the real name formed in order to isolate a requested virtual registry key may be based on the virtual registry key name received and a scope-specific identifier. The scope-specific identifier may be an identifier associated with an application isolation scope, a user isolation scope, a session isolation scope, an application isolation sub-scope, a user isolation sub-scope, or some combination of the above. The scope-specific identifier is used to "mangle" the virtual name received in the request.

In other embodiments, the user isolation scope or a sub-scope may be a registry key under which all keys that exist in the user isolation scope are stored. In some of these embodiments, the key hierarchy under the user isolation key reflects the path of the requested resource. In other words, the real key path is formed by mapping the virtual key path into the user isolation scope. For example, if the requested key is HKLM\Software\Citrix\Mykey and the user isolation scope key is HKCU\Software\UserScope\, then the path to the user-scope real key may be HKCU\Software\UserScope\HKLM\Software\Citrix\Mykey. In other embodiments, the path to the user-scope real key may be defined using a native naming convention. For example, the path to the user-scope real key may be HKCU\Software\UserScope\Registry\Machine\Software\Citrix\Mykey. In still other embodiments, the user-scope keys may all be stored under a single key whose name is chosen to be unique, and a database may be used to store the mapping between the requested key name and the name of the corresponding real key stored in the user isolation key. In still other embodiments, the contents of the real keys may be stored in a database or a file store.

The category of existence of the candidate key is determined by examining the user isolation scope and any metadata associated with the candidate key (step 816). If the candidate key is determined to have "negative existence", because either the candidate key or one of its ancestor keys in the user isolation scope is marked as deleted, this means the requested virtual key is considered not to exist. In this case, an error condition indicating that the requested key was not found is returned to the requestor (step 822).

In some embodiments, the real registry key may be associated with metadata indicating that the virtualized registry key has already been deleted. In some embodiments, metadata about a registry key may be stored in a distinguished value held by that key, with the existence of that value hidden from ordinary application usage of the registry APIs. In some embodiments, small amounts of metadata about a registry key are stored directly in the real key name, for example by suffixing the virtual name with a metadata indicator, where a metadata indicator is a string uniquely associated with a particular metadata state. The metadata indicator may indicate or encode one or more bits of metadata. Requests to access the key by virtual name check for possible variations of the real key name due to the presence of a metadata indicator, and requests to retrieve the name of the key itself are hooked or intercepted in order to respond with the real name. In other embodiments, the metadata indicator may be encoded in a subkey name or a registry value name instead of in the key name itself. In still other embodiments, a registry key system may directly provide the ability to store some third-party metadata for each key. In some embodiments, metadata is stored in a database or other repository separate from the registry database. In some embodiments, a separate sub-scope may be used to store keys that are marked as deleted. The existence of a key in the sub-scope indicates that the key is marked as deleted.

In particular ones of these embodiments, a list of deleted keys or key system elements may be maintained and consulted to optimize the check for deleted keys. In these embodiments, if a deleted key is recreated, the key name is removed from the list of deleted keys. In others of these embodiments, a key name is removed from the list if the list grows beyond a certain size.

If instead, in step 816, the candidate key is determined to have "positive existence", because the candidate key exists in the user isolation scope and is not marked as a placeholder node, the requested virtual key is considered to exist. The candidate key is identified as the real key for the request (step 818), and a request to open the real key is issued and the result returned to the requestor (step 820).

If, however, in step 816 the candidate key has "neutral existence", because the candidate key does not exist, or the candidate key exists but is marked as a placeholder node, it is not yet known whether the virtual key exists. In this case, the application-scope key name corresponding to the virtual key name is identified as the candidate key name (step 824). In other words, the candidate key name is formed by mapping the virtual key name to the corresponding native key name specific to the applicable application isolation scope. The category of existence of the candidate key is determined by examining the application isolation scope and any metadata associated with the candidate key (step 826).

If the application-scope candidate key is determined to have "negative existence", because either the candidate key or one of its ancestor keys in the application isolation scope is marked as deleted, this means the requested virtual key is considered not to exist. In this case, an error condition indicating that the requested key was not found is returned to the requestor (step 822).

If, however, in step 826 the candidate key is determined to have "positive existence", because the candidate key exists in the application isolation scope and is not marked as a placeholder node, the requested virtual key is considered to exist. The request is checked to determine whether the open request indicates an intent to modify the key (step 828). If not, the candidate key is identified as the real key for the request (step 818), and a request to open the real key is issued and the result returned to the requestor (step 820).

If, however, in step 828 it is determined that the open request indicates an intent to modify the key, the permission data associated with the key is checked to determine whether modification of the key is allowed (step 836). In some embodiments, the permission data is associated with the application-scope candidate key. In some of these embodiments, the permission data is stored in the rules engine or in metadata associated with the candidate key. In other embodiments, the permission data associated with the candidate key is provided by the operating system. Further, the rules engine may include configuration settings instructing the isolation environment to obey or override the native permission data for virtualized copies of resources. In some embodiments, the rules may specify for some virtual resources the scope in which modifications are to occur, for example the system scope, the application isolation scope or a sub-scope, or the user isolation scope or a sub-scope. In some embodiments, the rules engine may specify configuration settings that apply to subsets of the virtualized native resources based on hierarchy. In some of these embodiments, the configuration settings may be specific to each atomic native resource.

If the permission data associated with the candidate key indicates that it may not be modified, an error condition is returned to the requestor (step 838) indicating that modification of the key is not allowed. If the permission data indicates that the key may be modified, the candidate key is copied to the user isolation scope (step 840). In some embodiments, the candidate key is copied to a location defined by the rules engine. For example, a rule may specify that the key is copied to another application isolation scope. In other embodiments, a rule may specify a particular application isolation sub-scope or user isolation sub-scope to which the key should be copied. Any ancestors of the requested key that do not appear in the isolation scope to which the key is copied are created as placeholders in that isolation scope, in order to correctly locate the copied instance in the hierarchy.

In some embodiments, metadata is associated with keys copied to the isolation scope that identifies the date and time at which the keys were copied. This information may be used to compare the timestamp associated with the copied instance of the key with the timestamp of the last modification of the original instance of the key, or of another instance of the key located in a lower isolation scope. In these embodiments, if the original instance of the key, or an instance of the key located in a lower isolation scope, is associated with a timestamp later than the timestamp of the copied key, that key may be copied to the isolation scope to update the candidate key. In other embodiments, the copy of the key in the isolation scope may be associated with metadata identifying the scope containing the original key that was copied.

In further embodiments, keys that are copied to isolation scopes because they have been opened with intent to modify them are monitored to determine whether they are in fact modified. In one embodiment, a copied key is associated with a flag that is set when the key is actually modified. In these embodiments, if a copied key is not actually modified, it is removed from the scope to which it was copied after it is closed, as are any placeholder nodes associated with the copied key.

The scoped instance is identified as the real key (step 842), and a request to open the real key is issued and the result returned to the requestor (step 820).

Returning to step 826, if the candidate key has neutral existence, because the candidate key does not exist, or because the candidate key is found but marked as a placeholder node, it is not yet known whether the virtual key exists. In this case, the system-scope key name corresponding to the virtual key name is identified as the candidate key name (step 830). In other words, the candidate key name is exactly the virtual key name.

If the candidate key does not exist (step 832), an error condition indicating that the virtual key was not found is returned to the requestor (step 834). If, on the other hand, the candidate key exists (step 832), the request is checked to determine whether the open request indicates an intent to modify the key (step 828).

As above, if the candidate key is being opened without the intent to modify it, the system-scope candidate key is identified as the real key for the request (step 818), and a request to open the real key is issued and the result returned to the requestor (step 820). If, however, in step 828 it is determined that the open request indicates an intent to modify the key, the permission data associated with the key is checked to determine whether modification of the key is allowed (step 836). In some embodiments, the permission data is associated with the application-scope candidate key. In some of these embodiments, the permission data is stored in the rules engine or in metadata associated with the candidate key. In other embodiments, the permission data associated with the candidate key is provided by the operating system. Further, the rules engine may include configuration settings instructing the isolation environment to obey or override the native permission data for virtualized copies of resources. In some embodiments, the rules may specify for some virtual resources the scope in which modifications are to occur, for example the system scope, the application isolation scope or a sub-scope, or the user isolation scope or a sub-scope. In some embodiments, the rules engine may specify configuration settings that apply to subsets of the virtualized native resources based on hierarchy. In some of these embodiments, the configuration settings may be specific to each atomic native resource.

If the permission data associated with the system-scope candidate key indicates that the key may not be modified, an error condition is returned to the requestor (step 838) indicating that modification of the key is not allowed. If, however, the permission data indicates that the key may be modified, the candidate key is copied to the user isolation scope (step 840). In some embodiments, the candidate key is copied to a location defined by the rules engine. For example, a rule may specify that the key is copied to an application isolation scope, or that it may be left in the system scope. In other embodiments, a rule may specify a particular application isolation sub-scope or user isolation sub-scope to which the key should be copied. Any ancestors of the requested key that do not appear in the isolation scope are created as placeholders in the isolation scope, in order to correctly locate the copied instance in the hierarchy.

In some embodiments, metadata is associated with a key copied to the isolation scope, and the metadata identifies the date and time at which the key was copied. This information may be used to compare the timestamp associated with the copied instance of the key with the timestamp of the last modification of the original instance of the key. In these embodiments, if the original instance of the key is associated with a timestamp later than the timestamp of the copied key, the original key may be copied to the isolation scope to update the candidate key. In other embodiments, the candidate key copied to the isolation scope may be associated with metadata identifying the scope from which the original key was copied.

In further embodiments, keys that are copied to the isolation scope because they have been opened with the intent to modify them are monitored to determine whether they are in fact modified. In one embodiment, a copied key is associated with a flag that is set when the key is actually modified. In these embodiments, if a copied key is not actually modified, it is removed from the scope to which it was copied when it is closed, together with any placeholder nodes associated with the copied key. In still further embodiments, the key is copied to the appropriate isolation scope only when the key is actually modified.

The scoped instance is identified as the real key (step 842), and a request to open the real key is issued and the result is returned to the requestor (step 820).

4.2.2 Registry Key Delete Operations

Referring now to FIG. 9, and in overview, one embodiment of the steps taken to delete a registry key is described. Before a key can be deleted, it must first be opened successfully with delete access (step 901). If the key is not opened successfully, an error is returned (step 916). If the virtual key is opened successfully, a request to delete the virtualized registry key is received or intercepted, the request including the handle of the real key corresponding to the virtual key (step 902). A rule determines how the registry key operation is handled (step 904). In addition to the rule applicable to the key to be deleted, any other rules applicable to immediate subkeys are examined (step 905). For each rule found that applies to an immediate subkey, an attempt is made to open a virtual subkey whose name is specified by the name given in the rule found in step 905. If a subkey with a name corresponding to one of the rules found in step 905 is opened successfully (step 906), the virtual key is considered to have subkeys, which means that it cannot be deleted, and an error is returned (step 907).

If, after an attempt has been made to open all of the virtual key names extracted in step 905 (step 906), no virtual key is found to exist, further examination is required. If the rule action is not "isolate" but is "redirect" or "ignore" (step 908), a request to delete the real registry key is passed to the operating system, and the result from the operating system is returned to the requestor (step 911). However, if the rule action determined in step 908 is "isolate", the aggregated virtualized registry key is consulted to determine whether it contains any virtual subkeys (step 914). If the virtualized key has virtual subkeys, the deletion cannot continue, and an error is returned indicating that the key could not be deleted (step 920). If the virtualized key does not have virtual subkeys, the real key corresponding to the virtual key is examined to determine whether it masks a scoped key with the same virtual name at another scope level (step 922). If the real key corresponding to the virtual key does not mask a differently scoped key with the same virtual name, the real key corresponding to the virtual key is deleted and the result is returned (step 926). If the real key corresponding to the virtual key masks a differently scoped key with the same virtual name, the real key corresponding to the virtual key is marked with a value indicating that it is deleted, and a successful result is returned to the caller (step 924).

Still referring to FIG. 9, and in more detail, in order to delete a key it must first be opened with delete access (step 901). The request to open the key with delete access includes the name of the key, which the isolation environment treats as a virtual name. A full virtualized key open is performed as described in section 4.2.1. If the virtualized open operation fails, an error is returned to the requestor (step 916). If the virtualized open operation succeeds, the handle of the real key corresponding to the virtual key is returned to the requestor. Subsequently, a request to delete the registry key that was opened in step 901 is received or intercepted (step 902). The opened real registry key may belong to the user isolation scope, the application isolation scope, the system scope, or some applicable isolation sub-scope. In some embodiments, the delete request is hooked by a function that replaces the operating system function or functions for deleting a registry key. In another embodiment, a hooking dynamic link library is used to intercept the delete request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for native registry keys. In other embodiments, a registry filter driver facility, conceptually similar to a file system filter driver facility, may be provided by the operating system. A person skilled in the art may create a registry filter driver to which the operating system passes requests to perform registry operations, thus providing a mechanism to intercept registry operation requests. For embodiments in which a separate operating system function is provided for each type of registry key function, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of registry key operations.

The delete request contains a real key handle. The virtual key name associated with the handle is determined by querying the operating system for the real name associated with the handle. The rules engine is consulted to determine the virtual name associated with the real name, if any. A rule determining how the registry key operation is handled is obtained by consulting the rules engine (step 904). In some embodiments, the virtual key name of the registry key to be deleted is used to locate in the rules engine a rule that applies to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular virtual registry key, and in some of these embodiments the rule having the longest prefix match with the virtual key name is the rule applied to the request. In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat registry key database. In some embodiments, the virtual key name corresponding to the virtual key handle in the request is used as an index into the rules engine to locate one or more rules that apply to the request. In some embodiments, a process identifier is used to locate in the rules engine a rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. The rule lookup may occur as a series of decisions, or it may occur as a single database transaction.

The virtual name of the key to be deleted is used to consult the rules engine to locate the set of rules that apply to any immediate child keys of the virtual key to be deleted but do not apply to the virtual key to be deleted itself. This set of rules is located whether or not those child keys exist (step 905). If the set of rules applicable to immediate child keys is not empty, the virtual name of each of these rules is extracted. An attempt is made, in turn, to perform a full virtualized open of each of the extracted virtual child key names (step 906). If any virtual key corresponding to one of these virtual names can be opened successfully, a virtual subkey exists. This means that the virtual key cannot be deleted, because it has a virtual child that exists, and an error is returned (step 907). If, after examining the whole set of rules applicable to immediate children of the virtual key (step 905), no existing virtual subkey is found, the deletion can continue. For example, a key with the virtual name "key_1" may have child rules applicable to "key1\subkey_1" and "key1\subkey_2". In this step, an attempt is made to perform a virtualized open of "key1\subkey_1" and "key1\subkey_2". If either of these virtual subkeys can be opened successfully, the deletion fails and an error is returned (step 907). Only if neither of these virtual subkeys exists can the deletion continue.

If the rule action is not "isolate" but is "redirect" or "ignore" (step 908), a request to delete the real registry key using the real key handle is passed to the operating system, and the result from the operating system is returned to the requestor (step 911). The request will fail if the real key contains real subkeys. In one embodiment, the request to delete the real registry key is accomplished by calling the original version of the hooked function and passing the real key handle to that function as an argument. In embodiments that use a registry filter driver, this is accomplished by responding to the request with a completion status that signals the operating system to perform normal processing of the request. In some embodiments, operating system permissions associated with the real registry key may prevent its deletion. In these embodiments, an error message is returned stating that the virtual registry key could not be deleted.

If the rule action determined in step 908 is "isolate", the aggregated virtualized registry key is consulted to determine whether it contains any virtual subkeys (step 914). If the requested virtual registry key contains virtual subkeys, the virtual key cannot be deleted, and an error is returned to the caller (step 920).

If the requested virtual registry key does not contain virtual subkeys, the virtual key can be deleted. The action taken next depends on the scope that contains the real key to be deleted. For example, a request to delete a virtual registry key may result in the deletion of an application-scope real key. The scope containing the real key can be determined by consulting the rules engine with the full path to the real key.

If the real key to be deleted is found in a particular scope, and that real key masks another key of the same virtual name in another scope, the real key to be deleted is marked as deleted, and the result is returned to the requestor (step 924). For example, a virtual key that corresponds to a user-scope real key is considered to mask a differently scoped key if the corresponding application-scope key with the same virtual name, or the corresponding system-scope key with the same virtual name, has "positive existence", that is, it exists in the scope, is not marked as a placeholder, and is not considered to be deleted. Similarly, an application-scope key is considered to mask the system-scope key corresponding to the same virtual name if the system-scope key exists and is not considered to be deleted.

If the real key to be deleted is found not to mask another key of the same virtual name in another scope, the real key to be deleted is actually deleted and the result is returned (step 926).

In some embodiments, operating system permissions associated with the real registry key may prevent deletion of the real registry key. In these embodiments, an error message is returned stating that the virtual registry key could not be deleted.

In some embodiments, the real registry key may be associated with metadata indicating that the virtualized registry key has already been deleted. In some embodiments, metadata about a registry key may be stored in a distinguished value held by that key, with the existence of that value hidden from ordinary application use of the registry APIs. In some embodiments, small amounts of metadata about a registry key are stored directly in the real key name, for example by appending a metadata indicator to the virtual name as a suffix, where a metadata indicator is a string uniquely associated with a particular metadata state. The metadata indicator may indicate or encode one or several bits of metadata. Requests to access the key by virtual name check for possible variations of the real key name caused by the presence of a metadata indicator, and requests to retrieve the name of the key itself are hooked or intercepted in order to respond with the real name. In other embodiments, the metadata indicator may be encoded in a subkey name or a registry value name instead of the key name itself. In still other embodiments, the registry key system may directly provide the ability to store some third-party metadata for each key. In some embodiments, metadata is stored in a database or other repository separate from the registry database. In some embodiments, a separate sub-scope may be used to store keys that are marked as deleted. The existence of a key in the sub-scope indicates that the key is marked as deleted.

In specific ones of these embodiments, a list of deleted keys or key system elements may be maintained and consulted to optimize the check for deleted keys. In these embodiments, if a deleted key is recreated, the key name is removed from the list of deleted keys. In others of these embodiments, a key name is removed from the list if the list grows beyond a certain size.

In some embodiments, an ancestor of the real registry key in the same scope is associated with metadata indicating that it is deleted, or is otherwise indicated to be deleted. In these embodiments, an error message may be returned indicating that the virtualized registry key does not exist. In specific ones of these embodiments, a list of deleted registry keys or registry key system elements may be maintained and consulted to optimize the check for deleted registry keys.

4.2.3 Registry Key Enumeration Operations

Referring now to FIG. 10, and in overview, one embodiment of the steps taken to enumerate a key in the described virtualized environment is shown. Before a key can be enumerated, it must first be opened successfully with enumerate access (step 1001). If the key is not opened successfully, an error is returned (step 1040). If the virtual key is opened successfully, a request to enumerate is received or intercepted, the request including the handle of the real key corresponding to the virtual key (step 1002).

The virtual key name corresponding to the handle is determined, and the rules engine is consulted to determine the rule specified for the key in the enumerate request (step 1004). If the rule does not specify an action of "isolate" but instead specifies "ignore" or "redirect" (step 1006), the real key identified by the real key handle is enumerated and the enumeration results are stored in a working data store (step 1012), followed by step 1030 as described later.

However, if the rule action specifies "isolate", the system scope is enumerated first; that is, the candidate key name is exactly the virtual key name, and if the candidate key exists it is enumerated. The enumeration results are stored in a working data store. If the candidate key does not exist, the working data store remains empty at this stage (step 1014). Next, the candidate key is identified as the application-scope instance of the virtual key, and the category of existence of the candidate key is determined (step 1015). If the candidate key has "negative existence", that is, it or one of its ancestors in the scope is marked as deleted, it is considered to be deleted within this scope, and this is indicated by flushing the working data store (step 1042). If instead the candidate key does not have negative existence, the candidate key is enumerated and any enumeration results obtained are merged into the working data store. In particular, for each subkey in the enumeration, its category of existence is determined. Subkeys with negative existence are removed from the working data store, and subkeys with positive existence, that is, those that exist and are marked neither as placeholders nor as deleted, are added to the working data store, replacing the corresponding subkey if one is already present in the working data store (step 1016).

In either case, the candidate key is then identified as the user-scope instance of the virtual key, and the category of existence of the candidate key is determined (step 1017). If the candidate key has "negative existence", that is, it or one of its ancestors in the scope is marked as deleted, it is considered to be deleted within this scope, and this is indicated by flushing the working data store (step 1044). If instead the candidate key does not have negative existence, the candidate key is enumerated and any enumeration results obtained are merged into the working data store. In particular, for each subkey in the enumeration, its category of existence is determined. Subkeys with negative existence are removed from the working data store, and subkeys with positive existence, that is, those that exist and are marked neither as placeholders nor as deleted, are added to the working data store, replacing the corresponding subkey if one is already present in the working data store (step 1018), followed by step 1030 as described later.

Then, for all three types of rules, step 1030 is executed. The rules engine is queried to find the set of rules whose filters match immediate children of the requested virtual key name but do not match the requested virtual key name itself (step 1030). For each rule in the set, the existence of the virtual child whose name matches the name in the rule is determined. If the child has positive existence, it is added to the working data store, replacing any child of the same name already there. If the child has negative existence, the entry in the working data store corresponding to the child, if any, is removed (step 1032). Finally, the constructed enumeration is returned from the working data store to the requestor (step 1020).
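The "isolate" branch of the delete flow (FIG. 9, steps 914 to 926) and of the enumerate flow (FIG. 10, steps 1014 to 1018) described above, as an added Python model that is not code from the patent or from any product. The in-memory scope dictionaries, the class and function names and the sample key paths are assumptions made for illustration; rule lookup (steps 904, 1004, 1030 and 1032) and handle management are left out, and the real key is taken to be the highest-scope instance with positive existence.

```python
# Added illustration: in-memory model of the "isolate" rule for registry
# key deletion (FIG. 9) and enumeration (FIG. 10). All names are hypothetical.

SCOPES = ("system", "app", "user")      # lowest to highest precedence
PRESENT, PLACEHOLDER, DELETED = "present", "placeholder", "deleted"


class VirtualRegistry:
    def __init__(self):
        # scope name -> {key path: state}; stands in for the real registry
        self.scopes = {scope: {} for scope in SCOPES}

    def add(self, scope, path, state=PRESENT):
        self.scopes[scope][path] = state

    def existence(self, scope, path):
        """Category of existence of `path` within one scope."""
        keys = self.scopes[scope]
        parts = path.split("\\")
        # Negative: the key or one of its ancestors in this scope is
        # marked as deleted.
        for depth in range(1, len(parts) + 1):
            if keys.get("\\".join(parts[:depth])) == DELETED:
                return "negative"
        # Positive: exists, is not a placeholder, is not marked deleted.
        if keys.get(path) == PRESENT:
            return "positive"
        return "neutral"                # absent, or only a placeholder

    def _children(self, scope, path):
        prefix = path + "\\"
        names = (k[len(prefix):] for k in self.scopes[scope]
                 if k.startswith(prefix))
        return {name for name in names if "\\" not in name}

    def enum_subkeys(self, path):
        """Steps 1014-1018: merge system, application, then user scope."""
        working = set()                 # the working data store
        for scope in SCOPES:
            if self.existence(scope, path) == "negative":
                working.clear()         # steps 1042/1044: flush the store
                continue
            for child in self._children(scope, path):
                kind = self.existence(scope, path + "\\" + child)
                if kind == "negative":
                    working.discard(child)
                elif kind == "positive":
                    working.add(child)
        return sorted(working)

    def delete_key(self, path):
        """Steps 914-926: refuse, mark as deleted, or actually delete."""
        if self.enum_subkeys(path):
            raise PermissionError("virtual key has virtual subkeys")  # 920
        owner = None                    # scope holding the real key
        for scope in reversed(SCOPES):
            kind = self.existence(scope, path)
            if kind == "negative":
                break                   # virtual key is already deleted
            if kind == "positive":
                owner = scope
                break
        if owner is None:
            raise KeyError(path)
        lower = SCOPES[:SCOPES.index(owner)]
        if any(self.existence(s, path) == "positive" for s in lower):
            # Step 924: the real key masks a lower-scope key, so removing
            # it would make that key reappear; leave a deletion mark.
            self.scopes[owner][path] = DELETED
            return "marked"
        del self.scopes[owner][path]    # step 926: nothing is masked
        return "deleted"


def build_sample():
    """Constructed sample data: one vendor key seen through three scopes."""
    reg = VirtualRegistry()
    base = "Software\\Acme"
    for name in ("Software", base, base + "\\Shared", base + "\\Legacy"):
        reg.add("system", name)
    for scope in ("app", "user"):
        reg.add(scope, "Software", PLACEHOLDER)
        reg.add(scope, base, PLACEHOLDER)
    reg.add("app", base + "\\Legacy", DELETED)   # hidden from this app
    reg.add("app", base + "\\AppOnly")
    reg.add("user", base + "\\Shared")           # user copy masks system key
    reg.add("user", base + "\\Prefs")
    return reg


if __name__ == "__main__":
    reg = build_sample()
    print(reg.enum_subkeys("Software\\Acme"))
    print(reg.delete_key("Software\\Acme\\Shared"))
    print(reg.enum_subkeys("Software\\Acme"))
```

Deleting the user-scope copy of `Shared` leaves a deletion mark rather than removing the entry, which is what keeps the untouched system-scope `Shared` key from reappearing in the next enumeration.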

Still referring to FIG. 10, and in more detail, in order to enumerate a key it must first be opened with enumerate access (step 1001). The request to open the key with enumerate access includes the name of the key, which the isolation environment treats as a virtual name. A full virtualized key open is performed as described in section 4.2.1. If the virtualized open operation fails, an error is returned to the requestor (step 1040). If the virtualized open operation succeeds, the handle of the real key corresponding to the virtual key is returned to the requestor. Subsequently, a request to enumerate the registry key that was opened in step 1001 is received or intercepted (step 1002). The opened real registry key may belong to the user isolation scope, the application isolation scope, the system scope, or some applicable isolation sub-scope. In some embodiments, the enumerate request is hooked by a function that replaces the operating system function or functions for enumerating a registry key. In another embodiment, a hooking dynamic link library is used to intercept the enumerate request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for native registry keys. In other embodiments, a registry filter driver facility, conceptually similar to a file system filter driver facility, may be provided by the operating system. A person skilled in the art may create a registry filter driver to which the operating system passes requests to perform registry operations, thus providing a mechanism to intercept registry operation requests. For embodiments in which a separate operating system function is provided for each type of registry key function, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of registry key functions.

The enumerate request contains a real key handle. The virtual key name associated with the handle is determined by querying the operating system for the real name associated with the handle. The rules engine is consulted to determine the virtual name associated with the real name, if any.

A rule determining how the registry key operation is handled is obtained by consulting the rules engine (step 1004). In some embodiments, the virtual key name of the virtual registry key to be enumerated is used to locate in the rules engine a rule that applies to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular virtual registry key, and in some of these embodiments the rule having the longest prefix match with the virtual registry key name is the rule applied to the request. In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat registry key database. In some embodiments, the virtual key name corresponding to the virtual key handle in the request is used as an index into the rules engine to locate one or more rules that apply to the request. In some embodiments, a process identifier is used to locate in the rules engine a rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. The rule lookup may occur as a series of decisions, or it may occur as a single database transaction.

If the rule action is not "isolate" (step 1006) but is "ignore" or "redirect", a request to enumerate the real key is passed to the operating system using the real key handle, the enumeration results, if any, are stored in the working data store (step 1012), and step 1030 is executed as described later.

In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to that function as an argument. In other embodiments, a registry filter driver facility, conceptually similar to a file system filter driver facility, may be provided by the operating system. In these embodiments, enumerating the real registry key may be achieved by responding to the original request to enumerate the key, the response being made by signaling the registry filter manager to process the unmodified request in the normal fashion.

If the rule action determined in step 1010 is "isolate", the system scope is enumerated. To achieve this, the candidate key is identified as the system-scope key corresponding to the virtual key to be enumerated. The candidate key is enumerated, and the enumeration results are stored in a working data store (step 1014). In some embodiments, the working data store consists of a memory element. In other embodiments, the working data store comprises a database, a key, a solid-state memory element, or a persistent data store.

Next, the candidate key is identified as the application-scope instance of the virtual key, and the category of existence of the candidate key is determined (step 1015). If the candidate key has "negative existence", that is, it or one of its ancestors in the scope is marked as deleted, it is considered to be deleted within this scope, and this is indicated by flushing the working data store (step 1042).

In some embodiments, the candidate registry key may be associated with metadata indicating that the candidate registry key has been deleted. In some embodiments, metadata about a registry key may be stored in a distinguished value held by that key, with the existence of that value hidden from ordinary application use of the registry APIs. In some embodiments, small amounts of metadata about a registry key are stored directly in the real key name, for example by appending a metadata indicator to the virtual name as a suffix, where a metadata indicator is a string uniquely associated with a particular metadata state. The metadata indicator may indicate or encode one or several bits of metadata. Requests to access the key by virtual name check for possible variations of the real key name caused by the presence of a metadata indicator, and requests to retrieve the name of the key itself are hooked or intercepted in order to respond with the real name. In other embodiments, the metadata indicator may be encoded in a subkey name or a registry value name instead of the key name itself. In still other embodiments, the registry key system may directly provide the ability to store some third-party metadata for each key. In some embodiments, metadata is stored in a database or other repository separate from the registry database. In some embodiments, a separate sub-scope may be used to store keys that are marked as deleted. The existence of a key in the sub-scope indicates that the key is marked as deleted.

If instead, in step 1015, the candidate key does not have negative existence, the candidate key is enumerated and any enumeration results obtained are merged into the working data store. In particular, for each subkey in the enumeration, its category of existence is determined. Subkeys with negative existence are removed from the working data store, and subkeys with positive existence, i.e. those that exist and are marked neither as placeholders nor as deleted, are added to the working data store, replacing the corresponding subkey if one is already present in the working data store (step 1016).

In either case, the candidate key is identified as the user-scope instance of the virtual key, and the category of existence of the candidate key is determined (step 1017). If the candidate key has "negative existence", that is, it or one of its ancestors in the scope is marked as deleted, then it is considered deleted within that scope, and this is indicated by flushing the working data store (step 1044). If instead the candidate key does not have negative existence, the candidate key is enumerated and any enumeration results obtained are merged into the working data store. In particular, for each subkey in the enumeration, its category of existence is determined. Subkeys with negative existence are removed from the working data store, and subkeys with positive existence, i.e. those that exist and are marked neither as placeholders nor as deleted, are added to the working data store, replacing the corresponding subkey if one is already present in the working data store (step 1018), followed by step 1030, described below.

Then, for all three types of rules, step 1030 is performed. The rules engine is queried to find the set of rules whose filters match immediate children of the requested key but do not match the requested key itself (step 1030). For each rule in the set, the existence of the virtual child whose name matches the name in the rule is determined. In some embodiments, this is determined by examining the appropriate isolation scope and the metadata associated with the virtual child. In other embodiments, this is determined by attempting to open the key. If the open request succeeds, the virtual child has positive existence. If the open request fails with an indication that the virtual child does not exist, the virtual child has negative existence.

If the child has positive existence, it is added to the working data store, replacing any child of the same name already there. If the child has negative existence, the child in the working data store corresponding to the virtual child, if any, is removed (step 1032). Finally, the constructed enumeration is returned from the working data store to the requestor (step 1020).

Those skilled in the art will recognize that the layered enumeration process described above can be applied, with minor modification, to the operation of enumerating a single isolation scope that comprises multiple isolation sub-scopes. A working data store is created, successive sub-scopes are enumerated, and the results are merged into the working data store to form the aggregated enumeration of the isolation scope.
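The layered merge of steps 1015 to 1020 and 1030 to 1032, as an added Python model that is not code from the patent. The `Key` class, the tuple paths, the `child_exists` callback standing in for the "attempt to open the key" check, the constructed sample scopes, and the assumption that the system scope is merged first (before step 1015) are all illustrative.

```python
from dataclasses import dataclass, field


@dataclass
class Key:
    """One registry key as stored in a single isolation scope (hypothetical model)."""
    deleted: bool = False       # metadata: marked as deleted in this scope
    placeholder: bool = False   # metadata: exists only to hold descendants
    subkeys: dict = field(default_factory=dict)


def find(root, path):
    """Return (key, negative). negative is True when the key or one of its
    ancestors in this scope is marked deleted ("negative existence")."""
    node = root
    for part in path:
        node = node.subkeys.get(part)
        if node is None:
            return None, False
        if node.deleted:
            return node, True
    return node, False


def merge_scope(working, label, root, path):
    """Steps 1015-1018: fold one scope's view of `path` into the working store."""
    key, negative = find(root, path)
    if negative:
        working.clear()              # steps 1042/1044: flush results of lower scopes
        return
    if key is None:
        return                       # this scope holds no instance of the key
    for name, child in key.subkeys.items():
        if child.deleted:
            working.pop(name, None)  # negative existence removes the entry
        elif not child.placeholder:
            working[name] = label    # positive existence adds or replaces it


def apply_child_rules(working, rule_filters, path, child_exists):
    """Steps 1030-1032: rules whose filter names an immediate child of `path`."""
    for flt in rule_filters:
        if len(flt) == len(path) + 1 and flt[:len(path)] == path:
            if child_exists(flt):
                working[flt[-1]] = "rule"
            else:
                working.pop(flt[-1], None)


def enumerate_virtual(path, scopes, rule_filters=(), child_exists=lambda p: False):
    """Build the virtual enumeration; maps subkey name -> layer that supplied it."""
    working = {}
    for label, root in scopes:       # lowest layer first (assumed: system scope)
        merge_scope(working, label, root, path)
    apply_child_rules(working, rule_filters, path, child_exists)
    return working                   # step 1020


# Constructed sample scopes, not taken from the patent.
SYSTEM = Key(subkeys={"App": Key(subkeys={"A": Key(), "B": Key(), "C": Key()}),
                      "Old": Key(subkeys={"X": Key()})})
APPLICATION = Key(subkeys={"App": Key(subkeys={"B": Key(deleted=True), "D": Key()}),
                           "Old": Key(deleted=True)})
USER = Key(subkeys={"App": Key(subkeys={"A": Key(), "C": Key(deleted=True),
                                        "E": Key(placeholder=True)})})
SCOPES = [("system", SYSTEM), ("application", APPLICATION), ("user", USER)]

if __name__ == "__main__":
    print(enumerate_virtual(("App",), SCOPES))
    print(enumerate_virtual(("Old",), SCOPES))
```

Each entry in the result names the layer that supplied the subkey, which makes it easy to see which scope hid or overrode a lower one.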

4.2.4 Registry Key Creation Operations

Referring now to FIG. 11, and in brief overview, one embodiment of the steps taken to create a key in the isolation environment is shown. A request to create a key is received or intercepted (step 1102). The request contains a key name, which the isolation environment treats as a virtual key name. An attempt is made to open the requested key using full virtualization with the applicable rules, i.e. using the appropriate user and application isolation scopes, as described in section 4.2.1 (step 1104). If access is denied (step 1106), an access denied error is returned to the requestor (step 1109). If access is granted (step 1106) and the requested key is opened successfully (step 1110), the requested key is returned to the requestor (step 1112). However, if access is granted (step 1106) but the requested key is not opened successfully (step 1110), then if the parent of the requested key also does not exist (step 1114), an error appropriate to the request semantics is issued to the requestor (step 1116). If, on the other hand, the parent of the requested key is found in the full virtualized view using the appropriate user and application scopes (step 1114), a rule then determines how the key operation is processed (step 1118). If the rule action is "redirect" or "ignore" (step 1120), the virtual key name is mapped directly to a real key name according to the rule. Specifically, if the rule action is "ignore", the real key name is identified as exactly the virtual key name. If instead the rule action is "redirect", the real key name is determined from the virtual key name as specified by the rule. A request to create the real key is then passed to the operating system, and the result is returned to the requestor (step 1124). If, on the other hand, the rule action determined in step 1120 is "isolate", the real key name is identified as the instance of the virtual key name in the user isolation scope. If the real key already exists but is associated with metadata indicating that it is a placeholder or that it is deleted, the associated metadata is modified to remove those indications, and it is ensured that the key is empty. In the other case, a request to open the real key is passed to the operating system (step 1126). If the real key is opened successfully (step 1128), the real key is returned to the requestor (step 1130). If, on the other hand, in step 1128 the requested key fails to open, placeholders are created for each ancestor of the real key that does not currently exist in the user isolation scope (step 1132), and a request to create the real key using the real name is passed to the operating system and the result returned to the requestor (step 1134).

Still referring to FIG. 11, and in more detail, a request to create a key is received or intercepted (step 1102). In some embodiments, the request is hooked by a function that replaces the operating system function or functions for creating the key. In another embodiment, a hooking dynamic link library is used to intercept the request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for key operations. For embodiments in which a separate operating system function is provided for each type of key operation, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of key operations.

The request contains a key name, which the isolation environment treats as a virtual key name. In some embodiments, the virtual key name may be expressed as a combination of a handle to a parent key and a relative path name to the descendant key. The parent key handle is associated with a real key name, which is itself associated with a virtual key name. The requestor attempts to open the virtual key using full virtualization with the applicable rules, i.e. using the appropriate user and application isolation scopes, as described in section 4.2.1 (step 1104). If access is denied during the full virtualized open operation (step 1106), an access denied error is returned to the requestor (step 1109). If access is granted (step 1106) and the requested virtual key is opened successfully (step 1110), the corresponding real key is returned to the requestor (step 1112). However, if access is granted (step 1106) but the virtual key is not opened successfully (step 1110), the virtual key is determined not to exist. If the virtual parent of the requested virtual key also does not exist, as determined by the procedure in section 4.2.1 (step 1114), an error appropriate to the request semantics is issued to the requestor (step 1116). If, on the other hand, the virtual parent of the requested virtual key is found in the full virtualized view using the appropriate user and application scopes (step 1114), a rule that determines how the create operation is processed is located by consulting the rules engine (step 1118). In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat key database. In some embodiments, the virtual key name provided for the requested key is used to locate in the rules engine a rule that applies to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular key and, in some of these embodiments, the rule having the longest prefix match with the virtual key name is the rule applied to the request. In some embodiments, a process identifier is used to locate in the rules engine a rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. Although FIG. 11 shows a single database transaction or a single lookup into a key, the rule lookup may be performed as a series of rule lookups.

If the rule action is "redirect" or "ignore" (step 1120), the virtual key name is mapped directly to a real key name according to the rule (step 1124). If the rule action is "redirect" (step 1120), the real key name is determined from the virtual key name as specified by the rule (step 1124). If the rule action is "ignore" (step 1120), the real key name is determined to be exactly the virtual key name (step 1124). If the rule action is "ignore" or "redirect", a request to create the real key using the determined real key name is passed to the operating system, and the result from the operating system is returned to the requestor (step 1124). For example, a request to create a virtual key named "key_1" may result in the creation of a real key named "Different_key_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real key name to the function as an argument (step 1124). In other embodiments, a registry filter driver facility conceptually similar to a file system filter driver facility may be provided by the operating system. In these embodiments, creating the real registry key may be achieved by responding to the original request to create the virtual key by signaling the registry filter manager to reparse the request using the determined real key name.

If the rule action determined in step 1120 is not "ignore" or "redirect" but "isolate", the real key name is identified as the instance of the virtual key name in the user isolation scope. If the real key already exists but is associated with metadata indicating that it is a placeholder or that it is deleted, the associated metadata is modified to remove those indications, and it is ensured that the key is empty.

In some embodiments, metadata about a registry key may be stored as a distinguished value held by that key, with the existence of that value hidden from ordinary application use of the registry API. In some embodiments, small amounts of metadata about a registry key are stored directly in the real key name, for example by appending a metadata indicator to the virtual name as a suffix, where a metadata indicator is a string uniquely associated with a particular metadata state. The metadata indicator may indicate or encode one or more bits of metadata. Requests to access the key by its virtual name check for possible variations of the real key name caused by the presence of a metadata indicator, and requests to retrieve the name of the key itself are hooked or intercepted in order to respond with the real name. In other embodiments, the metadata indicator may be encoded in a subkey name or a registry value name rather than in the key name itself. In still other embodiments, the registry key system may directly provide the ability to store some third-party metadata for each key. In some embodiments, metadata is stored in a database or other repository separate from the registry database. In some embodiments, a separate sub-scope may be used to store keys that are marked as deleted. The existence of a key in the sub-scope indicates that the key is marked as deleted.

In particular ones of these embodiments, a list of deleted keys or key system elements may be maintained and consulted to optimize the check for deleted keys. In these embodiments, if a deleted key is recreated, the key name is removed from the list of deleted keys. In others of these embodiments, a key name is removed from the list if the list grows beyond a certain size.

In the other case, a request to open the user-scope real key is passed to the operating system (step 1126). In some embodiments, rules may specify that the real key corresponding to the virtual key should be created in a scope other than the user isolation scope, such as the application isolation scope, the system scope, a user isolation sub-scope, or an application isolation sub-scope.

If the real key is opened successfully (step 1128), the real key is returned to the requestor (step 1130). If, on the other hand, in step 1128 the requested key fails to open, placeholders are created for each ancestor of the real key that does not currently exist in the user isolation scope (step 1132), and a request to create the real key using the real name is passed to the operating system and the result returned to the requestor (step 1134).

This embodiment is for operating systems whose APIs or facilities only support creation of one level per call/invocation. Extension to multiple levels per call/invocation will be apparent to those skilled in the art.

4.3 Named Object Virtualization

Another class of system-scoped resources that may be virtualized using the techniques described above is named objects, which include semaphores, mutexes, mutants, waitable timers, events, job objects, sections, named pipes, and mailslots. These objects are characterized in that they typically exist only for the duration of the process that created them. The name space for these objects may be valid across an entire computer (global scope) or only within a single user session (session scope).

Referring now to FIG. 12, and in brief overview, a request to create or open a named object is received or intercepted (step 1202). The request contains an object name, which the isolation environment treats as a virtual name. A rule determining how to treat the request is determined (step 1204). If the rule indicates that the request should be ignored (step 1206), the real object name is determined to be the virtual name (step 1207), and a request to create or open the real object is issued to the operating system (step 1214). If the determined rule is not to ignore the request but instead indicates that the request should be redirected (step 1208), the real object name is determined from the virtual name as specified by the redirection rule (step 1210), and a create or open request for the real object is issued to the operating system (step 1214). If the rule does not indicate that the request should be redirected (step 1208) but instead indicates that the request should be isolated, the real object name is determined from the virtual name as specified by the isolation rule (step 1212), and a create or open command for the real object is issued to the operating system (step 1214). The handle of the real object returned by the operating system in response to the issued create or open command is returned to the program that requested creation or opening of the virtual object (step 1216).

Still referring to FIG. 12, and in more detail, a request from a process to create or open a named object is intercepted (step 1202). The named object may be of session scope or it may be of global scope. In some embodiments, the request is hooked by a function that replaces the operating system function or functions for creating or opening the named object. In another embodiment, a hooking dynamic link library is used to intercept the request. The hooking function may execute in user mode or in kernel mode. For embodiments in which the hooking function executes in user mode, the hooking function may be loaded into the address space of a process when that process is created. For embodiments in which the hooking function executes in kernel mode, the hooking function may be associated with an operating system resource that is used in dispatching requests for system objects. The request to create or open the named object may refer to any one of a wide variety of system-scoped resources that are used for interprocess communication and synchronization and that are identified by a unique identifier, including semaphores, mutexes, mutants, waitable timers, file-mapping objects, events, job objects, sections, named pipes, and mailslots. For embodiments in which a separate operating system function is provided for each type of object, each function may be hooked separately. Alternatively, a single hooking function may be provided that intercepts create or open calls for several types of objects.

The intercepted request contains an object name, which the isolation environment treats as a virtual name. A rule determining how to treat the request for the object is determined by consulting the rules engine (step 1204). In some embodiments, the rules engine may be provided as a relational database. In other embodiments, the rules engine may be a tree-structured database, a hash table, or a flat file database. In some embodiments, the virtual name provided for the requested object is used to locate in the rules engine a rule that applies to the request. In particular ones of these embodiments, multiple rules may exist in the rules engine for a particular object and, in these embodiments, the rule having the longest prefix match with the virtual name is the rule applied to the request. In some embodiments, a process identifier is used to locate in the rules engine a rule that applies to the request, if one exists. The rule associated with a request may be to ignore the request, redirect the request, or isolate the request. Although shown in FIG. 12 as a series of decisions, the rule lookup may occur as a single database transaction.

If the rule indicates that the request should be ignored (step 1206), the real object name is determined to be the virtual name, and a request to create or open the real object is issued to the operating system (step 1214). For example, a request to create or open a named object named "Object_1" may result in the creation of an actual object named "Object_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument.

If the rule determined by accessing the rules engine is not to ignore the request but instead indicates that the request should be redirected (step 1208), the real object name is determined from the virtual name as specified by the redirection rule (step 1210), and a create or open request for the real object is issued to the operating system (step 1214). For example, a request to create or open a named object named "Object_1" may result in the creation of an actual object named "Different_Object_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument.

If the rule does not indicate that the request should be redirected (step 1208) but instead indicates that the request should be isolated, the real object name is determined from the virtual name as specified by the isolation rule (step 1212), and a create or open command for the real object is issued to the operating system (step 1214). For example, a request to create or open a named object named "Object_1" may result in the creation of an actual object named "Isolated_Object_1". In one embodiment, this is accomplished by calling the original version of the hooked function and passing the formed real name to the function as an argument.

The real name formed in order to isolate a requested system object may be based on the virtual name received and a scope-specific identifier. The scope-specific identifier may be an identifier associated with an application isolation scope, a user isolation scope, a session isolation scope, or a combination of the three. The scope-specific identifier is used to "mangle" the virtual name received in the request. For example, if the request for the named object "Object_1" is isolated for the application isolation scope whose associated identifier is "SA1", the real name may be "Isolated_AppScope_SA1_Object_1". The following table identifies the effect of mangling the name of an object with a session isolation scope or a user isolation scope, and with an application isolation scope. Mangling with combinations of scopes combines the restrictions listed in the table.

For embodiments in which the operating system is one of the WINDOWS family of operating systems, object scope may be modified by toggling the global/local name prefix associated with the object, which, for isolated applications, has the same effect as mangling the object name with a session-specific identifier. However, toggling the global/local name prefix also affects the object scope for non-isolated applications.

The handle of the real object returned by the operating system in response to the command issued in step 1214 to create or open the named object is returned to the program that requested creation or opening of the virtual object (step 1216).
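The rule lookup and name mapping described for registry key creation (steps 1118 to 1124) and for named objects (steps 1204 to 1216), as an added Python model that is not code from the patent. The `Rule` fields, the `{name}` redirect template, the `ObjectTable` stand-in for the operating system, the way several scope identifiers are joined, and the sample rules are assumptions; only the names `Object_1` and `Isolated_AppScope_SA1_Object_1` and the `Different_` prefix come from the text.

```python
import itertools
from dataclasses import dataclass

IGNORE, REDIRECT, ISOLATE = "ignore", "redirect", "isolate"


@dataclass(frozen=True)
class Rule:
    prefix: str          # filter matched against the start of the virtual name
    action: str          # IGNORE, REDIRECT or ISOLATE
    template: str = ""   # REDIRECT only; "{name}" is the virtual name (assumed syntax)


class RulesEngine:
    """Flat rule list; the rule with the longest matching prefix wins."""

    def __init__(self, rules):
        self.rules = list(rules)

    def lookup(self, virtual_name):
        matches = [r for r in self.rules if virtual_name.startswith(r.prefix)]
        if not matches:
            raise LookupError(f"no rule covers {virtual_name!r}")
        return max(matches, key=lambda r: len(r.prefix))


def mangle(virtual_name, scopes):
    """Form the isolated real name from (kind, identifier) scope pairs.
    A single ("AppScope", "SA1") pair reproduces the example in the text;
    joining several pairs with "_" is an assumption."""
    tag = "_".join(f"{kind}_{ident}" for kind, ident in scopes)
    return f"Isolated_{tag}_{virtual_name}"


def real_name(engine, virtual_name, scopes):
    rule = engine.lookup(virtual_name)
    if rule.action == IGNORE:        # steps 1206-1207: real name is the virtual name
        return virtual_name
    if rule.action == REDIRECT:      # steps 1208-1210: name given by the rule
        return rule.template.format(name=virtual_name)
    if rule.action == ISOLATE:       # step 1212: name mangled per scope
        return mangle(virtual_name, scopes)
    raise ValueError(f"unknown rule action {rule.action!r}")


class ObjectTable:
    """Stand-in for the operating system's named-object namespace."""

    def __init__(self):
        self._handles = {}
        self._next = itertools.count(0x100, 4)

    def create_or_open(self, name):
        if name not in self._handles:
            self._handles[name] = next(self._next)
        return self._handles[name]


def hooked_create_or_open(os_table, engine, virtual_name, scopes):
    """Steps 1202-1216: map the virtual name, call the OS, hand back its handle."""
    return os_table.create_or_open(real_name(engine, virtual_name, scopes))


# Constructed sample rules, not taken from the patent.
SAMPLE_RULES = [
    Rule("", ISOLATE),
    Rule("Shared_", IGNORE),
    Rule("Shared_Legacy_", REDIRECT, "Different_{name}"),
]

if __name__ == "__main__":
    engine, table = RulesEngine(SAMPLE_RULES), ObjectTable()
    for scope in ("SA1", "SA2"):
        for name in ("Object_1", "Shared_Event", "Shared_Legacy_Pipe"):
            handle = hooked_create_or_open(table, engine, name, [("AppScope", scope)])
            print(scope, name, hex(handle))
```

Two application scopes that ask for the same isolated virtual name receive different handles, while names covered by an "ignore" rule resolve to one shared object.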

4.4 Window Name Virtualization

Other classes of system-scoped resources that may be virtualized using the techniques described above are window names and window class names. Graphical software applications use the name of a window or its window class as a way of identifying whether an application program is already running, or for other forms of synchronization. Referring now to FIG. 13, and in brief overview, a request concerning a window name or window class is received or intercepted (step 1302). A request may be in the form of a Win32 API call or in the form of a window message. Both types of requests are handled. Those requests contain, or request retrieval of, window names and/or window class names that the isolation environment treats as virtual names. If the request is to retrieve the window name or window class of a window identified by a handle (step 1304), a window mapping table is consulted to determine whether the handle and the requested information concerning the window are known (step 1306). If so, the requested information from the window mapping table is returned to the requestor (step 1308). If not, the request is passed to the operating system (step 1310), and the result is returned to the requestor (step 1314). If, in step 1304, the request supplies a window name or window class, the request is checked to determine whether it specifies one of the window classes defined by the operating system (step 1320). If it does, the request is issued to the operating system, and the result returned from the operating system is returned to the requestor (step 1322). If the request does not specify one of the window classes defined by the operating system, the real class name is determined based on the virtual class name and the rules (step 1324), and the real window name is determined based on the virtual window name and the rules (step 1326). The request is then passed to the operating system using the real window and real class names (step 1328). If the real window name or real window class name determined in steps 1324 and 1326 differs from the corresponding virtual name, the window mapping table entry for the window handle is updated to record the virtual window name or virtual class name provided in the request (step 1330). If the response from the operating system includes native window names or native identifications of classes, they are replaced with the virtual window name or virtual class name provided in the request (step 1312), and the result is returned to the requestor (step 1314).

Still referring to FIG. 13, and in more detail, a request concerning a window name or window class is received or intercepted (step 1302). Those requests contain, or request retrieval of, window names and/or window class names that the isolation environment treats as virtual names.

If the request is to retrieve the window name or window class of a window identified by a handle (step 1304), a window mapping table is consulted to determine whether the handle and the requested window information are known (step 1306). In some embodiments, instead of a mapping table, additional data is stored for each window and window class using facilities provided by the operating system.

If so, the requested information from the window mapping table is returned to the requestor (step 1308). If not, the request is passed to the operating system (step 1310) and the request is returned to the requestor (step 1314).

If, in step 1304, the request provides a window name or window class, the request is checked to determine whether it specifies one of the window classes defined by the operating system (step 1320). If so, the request is passed to the operating system and the result returned by the operating system is returned to the requestor (step 1322).

If the request does not specify one of the window classes defined by the operating system, the real class name is determined from the virtual class name and the rules (step 1324), and the real window name is determined from the virtual window name and the rules (step 1326). The request is then passed to the operating system using the real window name and real class name (step 1328). In some embodiments, window names and window class names may be atoms rather than string literals. Typically, an application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string.

If the real window name or real window class name determined in steps 1324 and 1326 differs from the corresponding virtual name, the window mapping table entry for the window handle is updated to record the virtual window name or virtual class name provided in the request (step 1330).

If the response from the operating system includes native window names or native class identifiers, they are replaced with the virtual window name or virtual class name provided in the request (step 1312), and the result is returned to the requestor (step 1314).

Referring now to FIG. 13A, the real window name or window class name is determined as shown there. The rules engine is consulted to determine the rule that applies to the request (step 1352). If the rule action is "ignore" (step 1354), the real name equals the virtual name (step 1356). If, however, the rule action is not "ignore" but "redirect" (step 1358), the real name is determined from the virtual name as specified by the redirection rule (step 1360). If, however, the rule action is not "redirect" but "isolate", the real name is determined from the virtual name using a scope-specific identifier (step 1362).

In some embodiments, the particular scope-specific identifier is specified in the rule. In other embodiments, the scope-specific identifier used is the one associated with the application isolation scope with which the requesting process is associated. This allows the window or window class to be used by any other application associated with the same application isolation scope. In operating systems such as many of the Microsoft WINDOWS family of operating systems, window names and window classes are already isolated within a session, which means that only applications executing in the same session and associated with the same application isolation scope can use the window name or window class.

In some of the Microsoft WINDOWS family of operating systems, the window name is used as the title of the window in the title bar. It is desirable to handle non-client area paint window messages to ensure that the window title displayed in the window title bar reflects the virtual name rather than the real name of a particular window. When a non-client area paint message is intercepted, the virtual name associated with the window, if any, is retrieved from the mapping table. If a virtual name is retrieved, the non-client area is painted using the virtual name as the window title, and the request message is indicated as having been handled. If no virtual name is retrieved, the request is indicated as not handled, which passes the request to the original function that paints the title bar using the real name of the window.
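The flow of FIG. 13 and FIG. 13A can be modelled in a few dozen lines. The following is an added example, not code from the patent: it replaces the operating system with an in-memory stand-in, and the rule patterns, the `name#identifier` format for isolated names, the fallback when no rule matches and all class and function names are assumptions of the sketch.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from itertools import count

# Constructed subset of the window classes the operating system defines.
SYSTEM_CLASSES = {"BUTTON", "EDIT", "STATIC", "LISTBOX"}


@dataclass(frozen=True)
class Rule:
    pattern: str        # glob matched against the virtual name
    action: str         # "ignore", "redirect" or "isolate"
    target: str = ""    # redirect: the real name to use
    scope_id: str = ""  # isolate: identifier fixed by the rule, if any


def real_name(virtual, rules, process_scope_id):
    """FIG. 13A: derive the real name from the virtual name."""
    for rule in rules:                       # step 1352: first matching rule
        if not fnmatchcase(virtual, rule.pattern):
            continue
        if rule.action == "ignore":          # steps 1354, 1356
            return virtual
        if rule.action == "redirect":        # steps 1358, 1360
            return rule.target
        if rule.action == "isolate":         # step 1362
            # The "name#identifier" format is an assumption of this sketch.
            return f"{virtual}#{rule.scope_id or process_scope_id}"
        raise ValueError(f"unknown rule action: {rule.action}")
    return virtual  # assumption: no matching rule behaves like "ignore"


class FakeWindowManager:
    """Stand-in for the operating system; it only ever sees real names."""

    def __init__(self):
        self.windows = {}              # handle -> (class name, window name)
        self._next = count(0x1000)

    def create(self, cls, name):
        handle = next(self._next)
        self.windows[handle] = (cls, name)
        return handle

    def find(self, cls, name):
        for handle, entry in self.windows.items():
            if entry == (cls, name):
                return handle
        return None

    def text(self, handle):
        return self.windows[handle][1]


class WindowHooks:
    """Interception layer for the processes of one isolation scope."""

    def __init__(self, wm, rules, scope_id):
        self.wm, self.rules, self.scope_id = wm, rules, scope_id
        self.mapping = {}              # handle -> (virtual class, virtual name)

    def _resolve(self, cls, name):
        if cls.upper() in SYSTEM_CLASSES:    # steps 1320, 1322: pass through
            return cls, name
        return (real_name(cls, self.rules, self.scope_id),    # step 1324
                real_name(name, self.rules, self.scope_id))   # step 1326

    def create_window(self, cls, name):
        real = self._resolve(cls, name)
        handle = self.wm.create(*real)       # step 1328
        if real != (cls, name):              # step 1330
            self.mapping[handle] = (cls, name)
        return handle

    def find_window(self, cls, name):
        return self.wm.find(*self._resolve(cls, name))

    def get_window_text(self, handle):
        if handle in self.mapping:           # steps 1306, 1308
            return self.mapping[handle][1]
        return self.wm.text(handle)          # steps 1310, 1314


def demo():
    wm = FakeWindowManager()
    rules = [Rule("Shell_*", "ignore"), Rule("*", "isolate")]   # constructed
    a, b = WindowHooks(wm, rules, "scopeA"), WindowHooks(wm, rules, "scopeB")
    ha = a.create_window("AcmeMainWnd", "Acme Editor")
    seen_by_b = b.find_window("AcmeMainWnd", "Acme Editor")
    return ha, seen_by_b, a.get_window_text(ha), wm.text(ha)


if __name__ == "__main__":
    print(demo())
```

A process in a second scope that looks the window up by its virtual name gets nothing back, while the creating process still reads its own virtual title from the mapping table.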

4.5 Out-of-Process COM Server Virtualization

Software component technologies such as COM, CORBA, .NET and others allow software components to be developed, deployed, registered, discovered, activated or instantiated, and utilized as discrete units. In most component models, a component may execute either in the process of the caller or in a separate process on the same computer or on a separate computer entirely, although some components support only a subset of these cases.

One or more unique identifiers identify these components. Typically, the component infrastructure provides a service or daemon that brokers activation requests. A software process that wishes to begin using a component passes a request to the broker to activate the component specified by the component identifier. The broker activates the requested component, if possible, and returns a reference to the activated instance. In some of these component infrastructures, multiple versions of the same component may not co-exist, because the component identifier remains the same from version to version.

Some members of the Microsoft WINDOWS family of operating systems provide a component infrastructure called COM. COM components ("COM servers") are identified by a GUID called a class identifier (CLSID), and each component provides one or more interfaces, each of which has its own unique interface identifier (UIID). The COM Server Control Manager (CSCM) is the broker for out-of-process activation requests, and it provides interfaces that allow a caller to request activation of a COM server via its CLSID. Although the following description is phrased in terms of COM servers and COM clients, those skilled in the art will understand that it is applicable to CORBA, .NET, and other software architectures that provide dynamic activation of software components.

When COM components are installed on a computer, they register their CLSIDs in a well-known portion of the registry database, along with the information the CSCM needs to launch a new instance of the COM server. For out-of-process COM servers, this may include the path to the executable to run and its command-line parameters. Multiple versions of the same COM server share the same CLSID, so only one version can be installed on a computer at a time.

In certain embodiments, an application (acting as a COM client) instantiates a COM server by calling a COM API (for example, CoCreateInstance() or CoCreateInstanceEx()). A parameter to the call specifies the desired activation context: in-process; out-of-process on the same computer; out-of-process on a remote computer; or allowing the COM subsystem to determine which of these three cases to use. If it is determined that out-of-process activation is required, a request including the CLSID is passed to the CSCM. The CSCM uses the registry database to locate the path and parameters needed to launch the executable that hosts the COM server. When that executable is launched, it registers all of the CLSIDs of all the COM servers it supports with the CSCM using the COM API CoRegisterClassObject(). If the requested CLSID is registered, the CSCM returns a reference to that COM server to the caller. All subsequent interaction between the COM client and the COM server takes place independently of the CSCM.

The isolation environment previously described allows multiple instances of COM servers with the same CLSID to be installed on a computer, each in a different isolation scope (no more than one of which may be the system scope). However, this alone will not make those COM servers available to COM clients.

FIG. 14 depicts one embodiment of the steps taken to virtualize access to COM servers. In brief overview, a new CLSID, hereinafter called the isolated CLSID (or ICLSID), is created for each out-of-process COM server that is launched in an isolation scope (step 1402). By definition this is a CLSID, and thus must be unique among all other CLSIDs; in other words, it must have the properties of a GUID. A mapping table is created that maps the pair (CLSID, application isolation scope) to the ICLSID. A COM server registry entry is created for the ICLSID that describes how to launch the COM server, with launch parameters that start the COM server executable in the appropriate application isolation scope (step 1404). Calls by COM clients to COM APIs such as CoCreateInstance() or CoCreateInstanceEx() are hooked or intercepted (step 1406). If it is determined that (a) the request can be satisfied by an in-process COM server or (b) neither the COM client nor the COM server is associated with any isolation scope, the request is passed unmodified to the original COM API and the result is returned to the caller (step 1408). The appropriate instance of the COM server to use is identified (step 1410). If the selected COM server instance is in an application isolation environment, its ICLSID is determined using the data structures outlined above. Otherwise, the CLSID in the request is used (step 1412). If an ICLSID was identified in step 1412, the original CoCreateInstance() or CoCreateInstanceEx() function is called with the ICLSID. This passes the request to the CSCM (step 1414). The CSCM finds and launches the COM server executable in the normal way, by looking up the requested CLSID in the registry to determine the launch parameters. If an ICLSID is requested, the ICLSID system-scope registry entry described in step 1404 is found and the COM server is launched in the appropriate application isolation scope (step 1416). The launched COM executable calls the hooked CoRegisterClassObject() API with the CLSIDs of the COM servers it supports, and these are translated to the appropriate ICLSIDs, which are passed to the original CoRegisterClassObject() API (step 1418). When the CSCM receives a response from a CoRegisterClassObject() call with the expected ICLSID, it returns a reference to that COM server instance to the caller (step 1420).

Still referring to FIG. 14, and in more detail, an ICLSID is created for each out-of-process COM server that is launched in an isolation scope (step 1402). In some embodiments, the ICLSID is created during installation of the COM server. In other embodiments, the ICLSID is created immediately after installation. In still other embodiments, the ICLSID is created before the COM server is launched into the isolation scope. In all of these embodiments, the ICLSID may be created by hooking or intercepting the system requests that create or query CLSID entries in the registry database. Alternatively, the ICLSID may be created by hooking or intercepting the COM API calls that create COM server instances, such as CoCreateInstance() or CoCreateInstanceEx(). Alternatively, changes to the CLSID-specific portion of the registry database may be observed after an installation has taken place.

A mapping table is created that maps the pair (CLSID, application isolation scope) to the ICLSID, along with the appropriate registry entries for a COM server with that ICLSID, which describe how to launch the COM server, with launch parameters that start the COM server executable in the appropriate application isolation scope (step 1404). In many embodiments, this table is stored in a persistent memory element, such as a hard disk drive or a solid-state memory element. In other embodiments, the table may be stored in the registry, in a flat file, in a database, or in a volatile memory element. In still other embodiments, the table is distributed throughout the COM-specific portions of the registry database, for example by adding a new subkey specific to this purpose to each appropriate COM server entry identified by CLSID. Entries in this table may be created during or immediately after installation by hooking or intercepting the calls that create the CLSID entries in the registry database, or by observing changes to the CLSID-specific portion of the registry database after an installation has taken place, or by hooking or intercepting the COM API calls that create COM server instances, such as CoCreateInstance() or CoCreateInstanceEx(). Installation of a COM server into a specific isolation scope may be persistently recorded. Alternatively, the mapping of a particular COM server and isolation scope to the ICLSID may be dynamically created and stored as an entry in a non-persistent database, or in the registry database.

Calls by COM clients to COM APIs, such as CoCreateInstance() or CoCreateInstanceEx(), are hooked or intercepted (step 1406). If it is determined that (a) the request can be satisfied by an in-process COM server or (b) both the COM client and the COM server reside in the system scope (step 1407), the request is passed unmodified to the original COM API and the result is returned to the caller (step 1408).

If the request cannot be satisfied by an in-process COM server and either the COM client or the COM server does not reside in the system scope (step 1407), the appropriate instance of the COM server to use is identified (step 1410). For embodiments in which the COM client executes in a particular isolation scope, preference is given to COM servers installed in the same application isolation scope, followed by those installed in the system scope (possibly executing in the client's application isolation scope), followed by COM servers installed in other application isolation scopes. In some of these embodiments, COM servers installed in the system scope may execute in the same application isolation scope as the COM client. This is controlled by the rules engine and administrative settings, so that it happens for COM servers that execute correctly in this mode and does not happen for COM servers that do not. For embodiments in which the COM client executes in the system scope, preference is given to system-scope COM servers, followed by COM servers in isolation scopes. The COM client may specify the COM server to use in the call that creates an instance of the COM server. Alternatively, a configuration store may store information identifying the COM server to be instantiated. In some embodiments, the specified COM server resides on another computer, which is a separate physical machine or a virtual machine. The mapping table described above in connection with step 1404 may be used to find the set of applicable COM servers and, if necessary, to compute preference based on the rules.

For embodiments in which the applicable COM server exists on another computer, a service or daemon executing on that remote computer may be queried for the ICLSID to use. If the COM client hook determines that a remote COM server is required, the COM client hook first queries the service or daemon to determine the CLSID/ICLSID to use. The service or daemon determines the ICLSID that corresponds to the CLSID given in the request. In some embodiments, the ICLSID returned by the service or daemon may be selected or created based on administrator-defined configuration data, rules contained in a rules engine, or built-in hard-coded logic. In other embodiments, the request may specify the isolation scope to be used on the server. In still other embodiments, the requested COM server may be associated with the server's system scope, in which case the CLSID associated with the COM server is returned. In still other embodiments, the requested COM server may be associated with one of the server's isolation scopes, in which case the ICLSID associated with the instance of the COM server and the isolation scope is returned. In some embodiments, the service or daemon described above may be used to support launching local out-of-process COM servers.

If the selected COM server instance is in an application isolation environment on the local computer, its ICLSID is determined using the data structures described above in connection with step 1404. If, instead, the selected COM server instance is in the system scope on the local computer, the CLSID in the request is used (step 1412). In some of these embodiments, an entry for the COM server using the ICLSID may be dynamically created.

If an ICLSID is returned, it is passed to the original COM API in place of the original CLSID. For example, the determined ICLSID may be passed to the original CoCreateInstance() or CoCreateInstanceEx() function, which passes the request to the CSCM (step 1414). For embodiments in which the COM server resides on another computer, the CSCM passes the ICLSID to the computer hosting the COM server, where that computer's CSCM handles the launch of the COM server.

The CSCM finds and launches the COM server executable in the normal way, by looking up the requested CLSID or ICLSID in the registry to determine the launch parameters. If an ICLSID is requested, the ICLSID system-scope registry entry described in step 1404 is found and the COM server is launched in the appropriate application isolation scope (step 1416).

If the launched COM server instance executes in an application isolation scope (whether installed in that scope or installed in the system scope), the COM API function CoRegisterClassObject() of the COM server instance is hooked or intercepted. Using the mapping table defined in step 1404, each CLSID passed to CoRegisterClassObject() is mapped to the corresponding ICLSID, and the original CoRegisterClassObject() API is called with that ICLSID (step 1418).

When the CSCM receives a response from a CoRegisterClassObject() call with the expected ICLSID, it returns a reference to that COM server instance to the caller (step 1420).

This technique supports the execution of COM servers when the COM client and the COM server execute in any combination of application isolation scopes (including different scopes) and the system scope. The ICLSID is specific to the combination of the server (identified by CLSID) and the desired appropriate isolation scope. The client need only determine the correct ICLSID (or the original CLSID, if the server is installed in and executing in the system scope).
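The CLSID-to-ICLSID bookkeeping of FIG. 14 is sketched below as an added example that is not code from the patent. It models the mapping table, the registry entries the CSCM reads, and the two hooks; the class and method names, the `SYSTEM` marker, the sample CLSID and the executable paths are all constructed for the illustration.

```python
import uuid

SYSTEM = "<system scope>"   # marker for "not in any isolation scope"


class ComIsolation:
    def __init__(self):
        self.iclsid = {}     # (CLSID, isolation scope) -> ICLSID    (step 1404)
        self.registry = {}   # CLSID or ICLSID -> launch record the CSCM reads

    def install(self, clsid, scope, exe):
        """Record a COM server installed into `scope`; return its class id."""
        if scope == SYSTEM:
            self.registry[clsid] = {"exe": exe, "scope": SYSTEM}
            return clsid
        key = (clsid, scope)
        if key not in self.iclsid:                       # step 1402
            self.iclsid[key] = "{%s}" % str(uuid.uuid4()).upper()
        # step 1404: registry entry that launches the server inside the scope
        self.registry[self.iclsid[key]] = {"exe": exe, "scope": scope}
        return self.iclsid[key]

    def activation_clsid(self, clsid, client_scope, in_process=False):
        """Hooked CoCreateInstance(): class id to pass to the original API."""
        isolated = sorted(s for (c, s) in self.iclsid if c == clsid)
        in_system = clsid in self.registry
        # steps 1407, 1408: nothing to translate, pass the request through
        if in_process or (client_scope == SYSTEM and not isolated):
            return clsid
        if client_scope == SYSTEM:                       # step 1410
            order = ([SYSTEM] if in_system else []) + isolated
        else:
            order = [s for s in isolated if s == client_scope]
            order += [SYSTEM] if in_system else []
            order += [s for s in isolated if s != client_scope]
        if not order:
            raise LookupError(f"{clsid} is not installed in any scope")
        chosen = order[0]
        # step 1412: ICLSID for an isolated instance, else the request's CLSID
        return clsid if chosen == SYSTEM else self.iclsid[(clsid, chosen)]

    def registration_clsid(self, clsid, server_scope):
        """Hooked CoRegisterClassObject() in the launched server (step 1418)."""
        # Simplification: a server with no table entry registers its own CLSID.
        return self.iclsid.get((clsid, server_scope), clsid)

    def launch_record(self, class_id):
        """What the CSCM looks up for the id it receives (step 1416)."""
        return self.registry[class_id]


def demo():
    com = ComIsolation()
    clsid = "{11111111-2222-3333-4444-555555555555}"      # constructed CLSID
    com.install(clsid, SYSTEM, r"C:\Apps\v1\server.exe")  # constructed paths
    v2 = com.install(clsid, "scopeA", r"C:\Apps\v2\server.exe")
    requested = com.activation_clsid(clsid, "scopeA")
    return requested == v2, com.launch_record(requested)


if __name__ == "__main__":
    print(demo())
```

Because the client hook and the server hook translate through the same table, the identifier the CSCM is asked for and the identifier the launched server registers agree, which is what lets step 1420 complete.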

4.6 Virtualized File-Type Association (FTA)

File-type association is a well-known graphical user interface technique for invoking the execution of application programs. A user is presented with a graphical icon representing a data file. The user selects the data file using keyboard commands or a pointing device, such as a mouse, and clicks or double-clicks on the icon to indicate that the user wants to open the file. Alternatively, in some computing environments, the user enters the path to the file at a command-line prompt in place of a command. A file typically has an associated file type indication, which is used to determine the application program to use when opening the file. This is generally done using a table that maps the file type indication to a specific application. In many members of the Microsoft WINDOWS family of operating systems, the mapping is typically stored in the registry database as a tuple comprising the file type indicator and the full pathname identifying the application to execute, and only one application program may be associated with any particular file type.

In the isolation environment described, multiple versions of an application may be installed and executed on a single computer. Thus, in these environments, the relationship between a file type and its associated application program is no longer one-to-one but one-to-many. A similar problem exists for MIME attachment types. In these environments, the problem is solved by replacing the pathname identifying the application program to launch when a given file type is selected. The pathname is replaced with the pathname of a chooser tool, which gives the user a choice of the application program to launch.

Referring now to FIG. 15, and in brief overview, a request to write file-type association data to a configuration store is intercepted (step 1502). A determination is made whether the request is updating the file-type association information in the configuration store (step 1504). If not, i.e., if the entry already exists, no update occurs (step 1506). Otherwise, a new entry is created, or the existing entry is updated, using the virtualization techniques described above in section 4.1.4 or 4.2.4 (step 1508). The new or updated entry, virtualized for the appropriate isolation scope, maps the file type to a chooser tool that allows the user to select which of multiple application programs to use when viewing or editing the file.

Still referring to FIG. 15, and in more detail, a request to write file-type association data to a configuration store is intercepted (step 1502). In some embodiments, the configuration store is the WINDOWS registry database. The request to write data to the configuration store may be intercepted by a user-mode hooking function, a kernel-mode hooking function, a file system filter driver, or a mini-driver.

A determination is made whether the request seeks to update file-type association information in the configuration store (step 1504). In one embodiment, this is accomplished by detecting whether the intercepted request indicates that it is attempting to modify the configuration store. In another embodiment, the target of the request is compared with information included in the request to determine whether the request is attempting to modify the configuration store.