Citrix User Profile Manager (UPM) and the Broken Rootdrive

Terminal server application compatibility scripts have been around for a long time - so long in fact, that I considered them a legacy and stowed away any knowledge of them in a very remote area of my brain. When a Citrix customer brought up a problem with the mapping of ROOTDRIVE in the User Profile Manager forum, at first I had no clue what he was talking about. Luckily, the customer was able to pin the problem down to a specific command that failed when, and only when, User Profile Manager was processing the logon. This is the story of UsrLogon.cmd, ACRegL.exe and UPM.

Application Compatibility Scripts … WHAT?

Back in the old days, when you had to get a special edition of NT4 if you wanted to deploy terminal services, application compatibility issues were dealt with in a far more primitive manner than today: NT4 Terminal Server Edition (TSE) had a special terminal server-only logon script mechanism. At logon, every command in the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup registry value was executed. One of those commands was the execution of the batch file UsrLogon.cmd, the entry point of a set of pre-defined application compatibility scripts that could be customized by the administrator.

Among other things, these compatibility scripts tried to deal with the fact that old applications could not cope with paths in their stored configuration, they needed a single drive letter. The method of choice? “Subst” the real path to a user’s home directory with a drive letter. In essence, UsrLogon.cmd mapped a drive to a user’s home directory with the following command:

Subst %RootDrive% "%HomeDrive%%HomePath%"

The Problem

The paragraphs above are written in the past tense. But do not be fooled: the described functionality is still present in Windows Server 2003 and even 2008 terminal services, and it is still used as the case at hand demonstrates.

In his analysis of the problem the customer got to the point where UsrLogon.cmd calls SetPaths.cmd which in turn executes the following command:

"%systemroot%\Application Compatibility Scripts\ACRegL.exe" "%TEMP%\getpaths.cmd" COMMON_PATHS "HKLM\Software" "" GETPATHS

As the customer states in his forum post, ACRegL.exe fails whenever a logon is processed by Citrix User Profile Manager (logons on the same machine not processed by UPM are unaffected). This in turn causes %RootDrive% not to be mapped to %Homedrive%%HomePath% which ultimately makes a certain legacy application crash upon clicking on File > Save. Not so good.

Analysis

So what does ACRegL.exe even do? It reads some paths from the registry and writes the batch file GetPaths.cmd which then looks similar to the following:

SET COMMON_START_MENU=C:\Documents and Settings\All Users\Start Menu
SET COMMON_STARTUP=C:\Documents and Settings\All Users\Start Menu\Programs\Startup
SET COMMON_PROGRAMS=C:\Documents and Settings\All Users\Start Menu\Programs
SET USER_START_MENU=C:\Documents and Settings\username\Start Menu
SET USER_STARTUP=C:\Documents and Settings\username\Start Menu\Programs\Startup
SET USER_PROGRAMS=C:\Documents and Settings\username\Start Menu\Programs
SET MY_DOCUMENTS=My Documents
SET TEMPLATES=Templates
SET APP_DATA=Application Data

So where does it fail? As the faithful Process Monitor shows, the programmers of ACRegL.exe did a thorough job: they not only read some paths from the registry, but they verify if each path actually exists!

Solution

And with that we finally have solved the puzzle. In its default configuration, User Profile Manager excludes the start menu, i.e. it does not copy the start menu’s files and folders to the file server during logoff. During the next logon, assuming that the locally cached profile has been deleted, UPM copies everything back, except the start menu. When ACRegL.exe is called a little later by UsrLogon.cmd (still in the logon process), it does not find the start menu’s directories and fails.

In case you experience this problem, I recommend you do not exclude the start menu.

Proof

For the fun of it, here is a sequence of commands I used to verify my analysis. They were executed on a machine with UPM enabled for the current user, but without any exclusion lists.

H:\>"c:\WINDOWS\Application Compatibility Scripts\acregl.exe" "C:\DOCUME~1\test01\LOCALS~1\Temp\1\getpaths.cmd" COMMON_PATHS "HKLM\Software" "" GETPATHS

H:\>echo %errorlevel%
0

H:\>rd /s /q "c:\Documents and Settings\test01\Start Menu\Programs\Startup"

H:\>"c:\WINDOWS\Application Compatibility Scripts\acregl.exe" "C:\DOCUME~1\test01\LOCALS~1\Temp\1\getpaths.cmd" COMMON_PATHS "HKLM\Software" "" GETPATHS

H:\>echo %errorlevel%
1

As you can see, at first ACRegL.exe works correctly. Only when the Startup folder is deleted, does it fail.

ACRegL.exeApplication Compatibility ScriptsAppSetupCitrixGetPaths.cmdRootDriveSetPaths.cmdTerminal ServicesUser Profile ManagerUser ProfilesUsrLogon.cmd

Comments

Related Posts

Differences Between Citrix Profile Management and Immidio Flex Profiles

From time to time I get asked about the differences between Citrix’s and Immidio’s profile management products. Here are some common questions along with my answers. Can the product be used to provide a single profile on multiple platforms? Citrix Profile Management 3.x does not have cross-platform capabilities built in. That means you cannot use an XP profile on Windows 7, but you can use the same profile on 32 and 64 bit Windows, if you dare. Citrix has a beta version of PM with cross-platform support for MS Office and Internet Explorer. Flex Profiles does not have true cross-platform capabilities either, but it can be used to make settings available cross-platform that have the same format on all platforms. Example: HKCU\Software\Paint.NET is probably a no-brainer whereas copying HKCU\Software\Microsoft\Internet Explorer around is probably a bad idea. Can the product be used on SBC, VDI and fat clients? This is true for both Citrix PM and Flex Profiles (licensing restrictions may apply). Can the product be used to preconfigure a user’s environment? Both Citrix Profile Management and Immidio Flex Profiles are classic profile management products without the capability to set up a specific user environment or distribute updated settings to all users. That is typically referred to as “user environment management” and two free implementations are Microsoft’s Group Policy Preferences and Pierre Marmignon’s Virtual User Environment Manager. Of course there are many alternatives by companies like AppSense or RES. Can portions of the profile be saved during a session as well as at logoff and at disconnects? Citrix Profile Management loads (respectively streams) the profile at logon and writes changes back at logoff. It also has a feature called “active write back” which, if enabled, causes changed files to be written back to the user store immediately. This works for files only, not for registry keys. Flex Profiles typically is configured to import settings at logon and export again at logoff. Since Flex uses a simple tool for the imports/exports it is conceivable to call that tool during a session as well. There is, however, no built-in support for that. Neither is there for exporting settings at disconnects. Can it be configured what to save and what not? Both products are very flexible when it comes to which parts of the profile should be saved. Yet there is one major difference: by default, Profile Management saves everything whereas Flex Profiles saves nothing. As a consequence, PM just works out of the box whereas Flex needs to be configured for each application individually.
User Profiles

Latest Posts

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration
After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.
Website