Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at Citrix.com.

uberAgent

Identifying Citrix/RDS User Sessions & Processes

  • by Helge Klein
  • January 30, 2017

In this article

Citrix XenApp and other multi-user systems based on Remote Desktop Services host dozens or even hundreds of user sessions concurrently. Being able to reliably identify individual sessions and the processes running in them is a necessity for a variety of security, monitoring, and capacity planning use cases. That is, however, much more difficult than it sounds because the operating system’s session and process IDs are not suitable. uberAgent helps.

Why Session IDs are not Suitable for Monitoring

Each user session is assigned a 32-bit session identifier (RDS session ID). The first user session to launch typically gets the ID 1, the second session the ID 2, and so on. Session ID 0 is reserved for services and other system processes.

The reason why RDS session IDs are not very useful for monitoring and analytics is simple: they are reused. When user Peter logs on his session might get the ID 1. When he logs off, ID 1 becomes available again. When user Mary logs on only seconds later, her session also gets the ID 1. If you used RDS session IDs to distinguish between individual sessions Peter’s and Mary’s sessions would show up as one, not two sessions. So that does not work.

Session IDs are unique for concurrent sessions on a single machine, but not over time and not on more than one computer.

But what if you combined the session ID with the user name and tracked sessions that way? In above example we could clearly differentiate between sessions Peter-1 and Mary-1. That sounds good at first, but it does not work in practice, either. Consider the following example:

Paul logs on and the OS assigns the ID 1 to his session. When his work is done, he logs off. A little later, he logs on once again. This new, second session, also gets the ID 1. In our monitoring system, both Paul’s sessions would show up as Paul-1.

uberAgent’s Better Session IDs

uberAgent generates unique IDs per user session. These so-called SessionGUIDs are never reused and guaranteed to be unique even with very large numbers of computers.

uberAgent’s SessionGUIDs enable a plethora of powerful use cases like the following:

  • Counting the number of concurrent sessions
  • Determining session duration
  • Finding all processes running in a session
  • Monitoring session activity
  • Tracking session performance
  • Capacity planning based on session resource footprint

Why Process IDs are not Suitable for Monitoring

Windows process IDs are very similar to session IDs. They are reused, too, which makes them ill-suited for monitoring for the same reasons session IDs are unqualified.

uberAgent fixes this, too, by generating unique ProcGUIDs. With ProcGUIDs individual process instances can be uniquely identified even amongst hundreds of thousands of machines. ProcGUIDs are indispensable for monitoring process performance and tracking process lifetimes. uberAgent’s ProcGUIDs are also immensely helpful for visualizing parent-child relationships. Such process trees are perfect for root cause analysis and a broad range of security use cases.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Comments

Your email address will not be published. Required fields are marked *

Related Posts

December 18, 2023

We've released a web app that lets you see exactly which Sigma detection signatures are supported in uberAgent ESA's Threat Detection Engine.
December 7, 2023

Learn how uberAgent ESA’s Security Score enables help desk engineers to improve endpoint security by detecting insecure configurations and risky activity.
November 30, 2023

We're making exciting improvements to uberAgent ESA’s Threat Detection rules. These upcoming changes increase the rule engine’s performance, enhance the readability of rule queries, and simplify day-to-day operations.
All posts