
Identifying Citrix / RDS User Sessions & Processes

  • by Helge Klein
  • January 30, 2017

Citrix XenApp and other multi-user systems based on Remote Desktop Services host dozens or even hundreds of user sessions concurrently. Being able to reliably identify individual sessions and the processes running in them is a necessity for a variety of security, monitoring and capacity planning use cases. That is, however, much more difficult than it sounds because the operating system’s session and process IDs are not suitable. uberAgent helps.

Why Session IDs are not Suitable for Monitoring

Each user session is assigned a 32-bit session identifier (RDS session ID). The first user session to launch typically gets the ID 1, the second session the ID 2 and so on. Session ID 0 is reserved for services and other system processes.

The reason why RDS session IDs are not very useful for monitoring and analytics is simple: they are reused. When user Peter logs on, his session might get the ID 1. When he logs off, ID 1 becomes available again. When user Mary logs on only seconds later, her session also gets the ID 1. If you used RDS session IDs to distinguish between individual sessions, Peter’s and Mary’s sessions would show up as one session, not two. So that does not work.

Session IDs are unique for concurrent sessions on a single machine, but not over time and not on more than one computer.

But what if you combined the session ID with the user name and tracked sessions that way? In the above example, we could clearly differentiate between sessions Peter-1 and Mary-1. That sounds good at first, but it does not work in practice, either. Consider the following example:

Paul logs on and the OS assigns the ID 1 to his session. When his work is done, he logs off. A little later, he logs on once again. This new, second session also gets the ID 1. In our monitoring system, both of Paul’s sessions would show up as Paul-1.

uberAgent’s Better Session IDs

uberAgent generates unique IDs per user session. These so-called SessionGUIDs are never reused and guaranteed to be unique even with very large numbers of computers.
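The reuse problem described above can be reproduced with a few events. The following is an added example, not uberAgent code: the host names, the user Anna, the timestamps and the use of `uuid4` as the never-reused identifier are assumptions made for illustration, and the article does not describe how uberAgent builds its SessionGUIDs.

```python
import uuid

# Constructed logon/logoff events: (time, host, user, rds_session_id, action).
EVENTS = [
    ("09:00:00", "XA01", "Peter", 1, "logon"),
    ("09:30:00", "XA01", "Peter", 1, "logoff"),
    ("09:30:05", "XA01", "Mary", 1, "logon"),   # ID 1 reused seconds later
    ("10:00:00", "XA01", "Mary", 1, "logoff"),
    ("10:05:00", "XA01", "Paul", 1, "logon"),
    ("10:45:00", "XA01", "Paul", 1, "logoff"),
    ("11:00:00", "XA01", "Paul", 1, "logon"),   # same user, same ID again
    ("11:20:00", "XA01", "Paul", 1, "logoff"),
    ("09:10:00", "XA02", "Anna", 1, "logon"),   # ID 1 on a second machine
    ("09:50:00", "XA02", "Anna", 1, "logoff"),
]

def count_sessions(events, key_fn):
    """Count distinct sessions when logon events are grouped by key_fn."""
    return len({key_fn(e) for e in events if e[4] == "logon"})

def track_with_guids(events):
    """Assign a fresh GUID at each logon and close it at the matching logoff.

    Returns {guid: (host, user, logon_time, logoff_time)}.
    """
    open_sessions = {}   # (host, rds_session_id) -> GUID of the live session
    sessions = {}
    for time, host, user, sid, action in sorted(events):
        slot = (host, sid)  # unique only among concurrent sessions on one host
        if action == "logon":
            guid = str(uuid.uuid4())  # assumption: any never-reused value works
            open_sessions[slot] = guid
            sessions[guid] = (host, user, time, None)
        elif slot in open_sessions:
            guid = open_sessions.pop(slot)
            h, u, start, _ = sessions[guid]
            sessions[guid] = (h, u, start, time)
    return sessions

if __name__ == "__main__":
    print("by session ID:       ", count_sessions(EVENTS, lambda e: e[3]))
    print("by user + session ID:", count_sessions(EVENTS, lambda e: (e[2], e[3])))
    print("by generated GUID:   ", len(track_with_guids(EVENTS)))
```

Five sessions took place, but keying on the session ID alone reports one and keying on user plus session ID reports four, because Paul's two logons collapse into Paul-1.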

uberAgent’s SessionGUIDs enable a plethora of powerful use cases like the following:

  • Counting the number of concurrent sessions
  • Determining session duration
  • Finding all processes running in a session
  • Monitoring session activity
  • Tracking session performance
  • Capacity planning based on session resource footprint

Why Process IDs are not Suitable for Monitoring

Windows process IDs are very similar to session IDs. They are reused, too, which makes them ill-suited for monitoring for the same reasons as session IDs.

uberAgent fixes this, too, by generating unique ProcGUIDs. With ProcGUIDs individual process instances can be uniquely identified even amongst hundreds of thousands of machines. ProcGUIDs are indispensable for monitoring process performance and tracking process lifetimes. uberAgent’s ProcGUIDs are also immensely helpful for visualizing parent-child relationships. Such process trees are perfect for root cause analysis and a broad range of security use cases.

About uberAgent

uberAgent is a Windows user experience analytics and application performance monitoring product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), network latency per target and process, process startup duration, application usage metering, browser performance per website and remoting protocol insights.

About vast limits

vast limits develop enterprise-grade tools for administrators. In addition to our flagship product uberAgent we offer a range of free tools such as Delprof2 (user profile deletion), SetACL and SetACL Studio (permissions management). Our tools have been downloaded close to a million times and are used by enterprises worldwide.

Our founder, Helge Klein, is an experienced consultant and developer. As a consultant he has worked in Windows and Citrix projects for large corporations. As a developer he architected the user profile management product whose successor is now available as Citrix Profile Management. In 2009 Helge received the Citrix Technology Professional (CTP) award, in 2011 he was nominated a Microsoft Most Valuable Professional (MVP), in 2014 he was a Splunk Revolution Award Winner, in 2015 he became a VMware vExpert. Helge frequently presents at conferences and user group events like Citrix Synergy, Splunk .conf, BriForum or E2EVC.

