Identifying Citrix/RDS User Sessions & Processes
Citrix XenApp and other multi-user systems based on Remote Desktop Services host dozens or even hundreds of user sessions concurrently. Being able to reliably identify individual sessions and the processes running in them is a necessity for a variety of security, monitoring, and capacity planning use cases. That is, however, much more difficult than it sounds because the operating system’s session and process IDs are not suitable. uberAgent helps.
Each user session is assigned a 32-bit session identifier (RDS session ID). The first user session to launch typically gets the ID 1, the second session the ID 2, and so on. Session ID 0 is reserved for services and other system processes.
The reason why RDS session IDs are not very useful for monitoring and analytics is simple: they are reused. When user Peter logs on his session might get the ID 1. When he logs off, ID 1 becomes available again. When user Mary logs on only seconds later, her session also gets the ID 1. If you used RDS session IDs to distinguish between individual sessions Peter’s and Mary’s sessions would show up as one, not two sessions. So that does not work.
Session IDs are unique for concurrent sessions on a single machine, but not over time and not on more than one computer.
But what if you combined the session ID with the user name and tracked sessions that way? In above example we could clearly differentiate between sessions Peter-1 and Mary-1. That sounds good at first, but it does not work in practice, either. Consider the following example:
Paul logs on and the OS assigns the ID 1 to his session. When his work is done, he logs off. A little later, he logs on once again. This new, second session, also gets the ID 1. In our monitoring system, both Paul’s sessions would show up as Paul-1.
uberAgent generates unique IDs per user session. These so-called SessionGUIDs are never reused and guaranteed to be unique even with very large numbers of computers.
uberAgent’s SessionGUIDs enable a plethora of powerful use cases like the following:
- Counting the number of concurrent sessions
- Determining session duration
- Finding all processes running in a session
- Monitoring session activity
- Tracking session performance
- Capacity planning based on session resource footprint
Windows process IDs are very similar to session IDs. They are reused, too, which makes them ill-suited for monitoring for the same reasons session IDs are unqualified.
uberAgent fixes this, too, by generating unique ProcGUIDs. With ProcGUIDs individual process instances can be uniquely identified even amongst hundreds of thousands of machines. ProcGUIDs are indispensable for monitoring process performance and tracking process lifetimes. uberAgent’s ProcGUIDs are also immensely helpful for visualizing parent-child relationships. Such process trees are perfect for root cause analysis and a broad range of security use cases.
uberAgent is an innovative Windows and macOS user experience monitoring (UXM) and endpoint security analytics (ESA) product. UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. ESA comes with a sophisticated activity monitoring engine, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative user experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.