
Using a startup script to monitor for connected Citrix Sessions

The idea here is that a Windows Embedded-type terminal is used to connect a user to a Citrix session, and the script logs the user off the terminal if they are not connected.

So, the logical question is why does this matter?

The answer is that the Citrix Online Plugin or Receiver can automatically reconnect a user with cached credentials. In an environment with a generic user login (as most terminal-based environments have), this means that if User A logs in, gets disconnected, and then walks away, User B can reconnect to User A's session without authentication (default configuration). In kiosk scenarios, this can range from slightly undesirable to a major security threat.

Here is the script:
Dim bFirstResults, bLaterResults, wshShell
Dim oWMI, cProcesses

bFirstResults = vbFalse
bLaterResults = vbTrue

'First pass - we do this on the first login to make sure the user has a chance to get logged in.
'The first loop runs until it sees wfica32.exe
'The second loop runs until it *doesn't* see wfica32.exe

Do Until bFirstResults = vbTrue
     WScript.Sleep(10000)
     bFirstResults = FirstPass()
Loop

Do
     WScript.Sleep(5000)
     bLaterResults = LaterPass()
Loop Until bLaterResults = vbFalse

'No ICA connection is left, so log the user off the terminal
Set wshShell = CreateObject("WScript.Shell")
wshShell.Run "logoff.exe", 0, vbFalse

'Returns vbTrue once a wfica32.exe process is running
Function FirstPass( )
     Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

     'The WHERE clause filters the process list down to wfica32.exe
     Set cProcesses = oWMI.ExecQuery ("SELECT * FROM Win32_Process WHERE Name = 'wfica32.exe'")

     If cProcesses.Count = 0 Then
          bFirstResults = vbFalse
     Else
          bFirstResults = vbTrue
     End If
     FirstPass = bFirstResults
End Function

'Returns vbFalse once no wfica32.exe process is running
Function LaterPass( )
     Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

     Set cProcesses = oWMI.ExecQuery ("SELECT * FROM Win32_Process WHERE Name = 'wfica32.exe'")

     If cProcesses.Count = 0 Then
          bLaterResults = vbFalse
     Else
          bLaterResults = vbTrue
     End If
     LaterPass = bLaterResults
End Function


Now, an explanation of how this works.

First - the user needs time to get logged in.  We start out by assuming they have not logged in:
bFirstResults = vbFalse


If we didn't give them that time, they would be stuck in an endless reboot loop, because they couldn't get logged in quickly enough. With this in mind, the script checks every 10 seconds to see whether wfica32.exe is running (this is Citrix's runtime executable for live ICA connections). If the user has not logged in, it continues to loop and check every 10 seconds. By doing this, we prevent needless reboot cycles.

The key to this is the WMI query. We create a WMI object, and use it to query the running processes to look for wfica32.exe. By using the WHERE clause, we are filtering the list of running processes, and do not need to process the entire list.  

Note: Any running ICA connection will count. The script does not look for a specific wfica32.exe process -- it looks for any wfica32.exe process. Make sure your ICA connections end cleanly!

Once FirstPass() completes successfully, we move on to the LaterPass() loop. It is effectively the same loop, and it continues indefinitely. The difference is that now we assume that the user is running a connection:
bLaterResults = vbTrue

When the connection fails, we log them out of the terminal. The script is configured to check every 5 seconds, but this can be tuned to suit your environment. Once the check fails, we move on to the next line of the script, which runs logoff.exe. With no switches, this automatically logs the user out.
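
A variant of the watchdog that narrows the check described in the note above, added here as an example and not the author's script: it counts only wfica32.exe processes owned by the logged-on user, and treats a failed WMI query as "no connection" so the second loop fails closed. The owner comparison and the fail-closed choice are assumptions about what a kiosk deployment wants; the polling intervals are the article's.

```vbscript
Option Explicit
' Added example, not the author's script. IcaRunningFor is a hypothetical helper.
Const FIRST_POLL_MS = 10000   ' same intervals as the article's script
Const LATER_POLL_MS = 5000

Dim oNet, sUser, wshShell
Set oNet = CreateObject("WScript.Network")
sUser = LCase(oNet.UserName)

' Phase 1: wait until this user has launched an ICA connection.
Do Until IcaRunningFor(sUser)
    WScript.Sleep FIRST_POLL_MS
Loop

' Phase 2: watch until the connection goes away or WMI stops answering.
Do While IcaRunningFor(sUser)
    WScript.Sleep LATER_POLL_MS
Loop

Set wshShell = CreateObject("WScript.Shell")
wshShell.Run "logoff.exe", 0, False

' Returns True only when sOwner is confirmed to own a wfica32.exe process.
' Any WMI error leaves the result False, which means "keep waiting" in
' phase 1 and "log off" in phase 2.
Function IcaRunningFor(sOwner)
    Dim oWMI, cProcs, oProc, sProcUser, sProcDomain, rc, n
    IcaRunningFor = False
    On Error Resume Next
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set cProcs = oWMI.ExecQuery("SELECT * FROM Win32_Process WHERE Name = 'wfica32.exe'")
    n = cProcs.Count              ' forces the query to run so errors surface here
    If Err.Number <> 0 Then Exit Function
    For Each oProc In cProcs
        sProcUser = "" : rc = -1  ' reset so a failed call cannot reuse old values
        rc = oProc.GetOwner(sProcUser, sProcDomain)
        If rc = 0 And LCase(sProcUser) = sOwner Then IcaRunningFor = True
    Next
End Function
```

Because the owner is compared by user name only, a local and a domain account with the same name are treated as the same user.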

With this, the ideal placement of the script is to make it a startup script for the user account, either by GPO for domain machines, or placing a shortcut to the script in the user's startup directory:
[For Windows 7/2008R2 - %appdata%\microsoft\windows\start menu\programs\startup]
[For Windows XP/2003 - %userprofile%\Start Menu\Programs\Startup]

By placing it in this location, we are exempting the local administrator account from being affected.  

In a domain situation, this script could also be placed by a Group Policy Object as a user level login script.  

Because this script is merely checking to see if a process is running, it can be adapted to any number of other scenarios where a user should be running a process and an action should be taken if they are not.
Author:Coralon

Author Comment

by:Coralon
It looks great.  Thank you..

Coralon
 
 

Administrative Comment

by:Eric AKA Netminder
Coralon,

Congratulations; your article has been published. As an occasional Citrix user and former admin, I really do appreciate the problem your article resolves.

Thanks!

ericpete
Page Editor