Citrix states in their article: CTX891671

Document ID: CTX891671, Created on: Jun 19, 2000, Updated: May 2, 2006

Products: Citrix MetaFrame XP 1.0 for Microsoft NT 4.0 Server Terminal Server Edition, Citrix MetaFrame XP 1.0 for Microsoft Windows 2000, Citrix MetaFrame 1.8 for Microsoft NT 4.0 Server Terminal Server Edition, Citrix MetaFrame 1.8 for Microsoft Windows 2000, Citrix MetaFrame XP 1.0 for Microsoft Windows 2003, Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2000, Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2003, Citrix Presentation Server 4.0 for Microsoft Windows 2000, Citrix Presentation Server 4.0 for Microsoft Windows 2003

Symptoms

Graceful logoffs from a published application launched in a Seamless, fixed window, or as an RDP Initial Program, may result in the session not closing and the user being logged off. Sessions are able to be reset or exited correctly by manually resetting them, or by terminating remnant user processes in either Terminal Services Administration, the Management Console or Access Suite Console.

Cause

When publishing an application, only the main executable is specified, however, some applications may spawn additional processes that run in the background and are not closed by the corresponding main executable. Additional processes may also be created from scripts that are executed or from specific registry keys, such as the RunOnceKey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Some processes may create a visible window for added functionality, and others may not.

Because the Explorer.exe Desktop is not running when launching an application in one of these ways, there is no default mechanism in either Presentation Server or Windows to exit these background processes when a user has exited the main application.

Presentation Server has a hard coded list of what are considered ‘System’ type secondary processes that are checked for and exited once all user application processes have terminated, these include: csrss.exe, smss.exe, screg.exe, lsass.exe,

spoolss.exe, EventLog.exe, netdde.exe, clipsrv.exe, lmsvcs.exe, MsgSvc.exe, winlogon.exe, NETSTRS.EXE, nddeagnt.exe, os2srv.exe, proquota.exe, wfshell.exe,

win.com, conime.exe, imejpmgr.exe, imejp98m.exe, wpabaln.exe, ctfmon.exe, imepadsv.exe, jsvschvw.exe, ssonsvr.exe, nddeagent.exe, ddhelp.exe, ibdbsch.exe,

wuauclt.exe, atok1*.exe, iatokik*.exe, iatokqb*.exe, iatqb1*.exe

Note: To specify additional processes specific to your environment, see the Resolution section of this article for more information.

Examples of Secondary Processes

CTX106747 – Active Session Left After Logging Off the Session When Microsoft Office XP or Microsoft Office 2003 is Installed on Citrix Presentation Server

Cwbprovd.exe is a process initiated by IBM Client Access. If you have IBM Client Access on your system and observe the same behavior as stated above, follow these steps:

1.

Verify the sessionID that is having this issue.

2.

Before logoff, type the following at a command prompt to manually kill Cwbprovd.exe:

kill cwbprovd.exe session id

3.

Gracefully exit the published application.

4.

The Cwbprovd.exe process (among two other processes) is being launched at logon by IBM Client Access (even if you do not run it) through the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Contact IBM for a utility called CWBCFWTS to remove these processes from the registry.

Note: Servers running IBM’s Client Access Express ARE NOT known to exhibit this behavior.

Proquota.exe is a process initiated by having a Windows 2000 policy, Limit Profile Size, enabled. This may conflict with the Seamgr.exe process. Manually terminating either of these two processes temporarily fixes the problem and allows the session to reset. This issue is resolved by installing Service Pack 2 for MetaFrame 1.8 for Windows 2000.

Sxplog32.exe is a process initiated by the SoftWare Delivery Agent by Computer Associates and can be found in the userinit value of the winlogon registry key. Manually terminating the process temporarily fixes the problem and allows the session to reset.

Etlits.exe, Entell50.exe are processes initiated by Entrust 6.1 and can be found in the userinit value of the winlogon registry key. Manually terminating the process temporarily fixes the problem and allows the session to reset.

Wisptis.exe is a process that runs as a system service that provides pen-data collection for other components of the SDK. When a component needs to interact with the pen (for example, to collect ink or to detect gestures), this executable is spawned as a service to communicate directly with the input device. On a Tablet PC, Wisptis.exe interacts with the digitizer, whereas on a desktop it interacts with the mouse as well. The executable’s name is an acronym that references an outdated internal name for the team that developed it (Windows Ink Services Platform Tablet Input Subsystem). One cannot get rid of wisptis.exe by renaming or deleting it: Windows File Protection would reinstall the file the next time Adobe Acrobat 6.0 started. In general, the ways in which wisptis.exe can get installed on the system:

Installing Journal Viewer via Windows Update or installing Microsoft Office 2003.

Ssonsvr.exe

If a starting program was specified under the Environment tab in User Account Properties and if the ICA pass-through Client had pass through authentication enabled, Ssonsvr.exe was running in the user’s ICA session. When the user exited the application (specified under the Environment tab in User Account Properties), the ICA session could not be logged off; the administrator had to manually stop the Ssonsvr.exe process. The thread that caused the Ssonsvr.exe process to exit when the user logged off from the application was not being started.

Now the thread that causes the Ssonsvr.exe process to exit is started when the user logs off from the application.

From Hotfix XE103W2K030

Ssoshell.exe,Ssobho.exe,Ssomho.exe

CTX103640- Password Manager Agent remains active after a graceful logoff

CTX104115- Password Agent 2.0 on MetaFrame XP Server causes roaming user profiles to not unload.

Resolution

The following registry key is valid on Citrix Presentation Server 4.0, MetaFrame Presentation Server 3.0, MetaFrame XP Service Pack 2 or later, MetaFrame 1.8 Service Pack 3 for Windows 2000 or later, and MetaFrame 1.8 for Terminal Server 4.0 with hotfixes ME183W030 and ME183T032 or later.

It is best to first determine if the application in question and its associated processes correctly exit on a windows workstation outside of
a Terminal Services environment.

If they don’t, then it’s possible that this mechanism may not work, or it may be necessary to contact the application manufacturer.

Add the process file name to the following registry key:

Caution! This fix requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI

Value Name:LogoffCheckSysModules

Type:REG_SZ

String:MyAppName.exe

NOTE 1:

Do not place the executable name of the main published application in this key, as this may result in failure to properly launch the published application. If the main executable for the specified published application is not exiting correctly, then there is some other problem.

NOTE 2:

Do not place the executable name of a secondary process that has a visible window in this key. This mechanism is designed to exit secondary processes that do not have a visible window, as it is expected that if an application window is visible, then it is intended for the user to see it, and therefore close it themselves.

NOTE 3:

Enter the list of executable names with a comma and NO spaces between them, for example:

App1.exe,app2.exe,app3.exe