Richard Parmiter

Virtualisation blog and Knowledge Base


IMA crash & CriticalSectionTimeout value

Posted on July 8th, 2009

I have been experiencing some strange crashes of the following services:

  • Citrix Independent Management Architecture (IMA) – ImaSrv.exe
  • Citrix Print Manager Service – CpSvc.exe

These were happening on a Windows 2003 x64 Standard Edition R2 server with Citrix XenApp 4.5 R04.

While investigating the problems I also noted the following error while trying to open Task Manager. Pressing CTRL-SHIFT-ESC, pressing CTRL-ALT-DEL and selecting it, or right-clicking the taskbar and selecting it all gave the same results. The Task Manager icon appeared in the systray but Task Manager never appeared. Every attempt to open Task Manager added another icon in the systray but never opened it.

After waiting anywhere from a few minutes to several hours, Task Manager eventually opened.

Associated problems appeared to be that WMI was breaking regularly. The MOF databases could be rebuilt to resolve this (as per this article RP492).

All of these problems appeared to be a result of the following registry setting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout

reg_dword: 120 (dec)

Changing this value back to its default of

reg_dword: 2592000 (dec)

resolved all the issues, and after a week none of them have re-occurred.

If I get any more info about why this is happening, I will add to this post.


File Name Warning: There is a file or folder on your computer called c:\program causing problems. Rename?

Posted on June 26th, 2009

Have seen the following error while logging onto a server:

File Name Warning

There is a file or folder on your computer called “c:\program” which could cause certain applications to not function correctly. Renaming it to “c:\program1” would solve this problem. Would you like to rename it now?

Rename | Ignore

This error occurred on a server that has previously been a Citrix License server and the tool lmdiag.exe had been run on the server creating the following file:

program

in the root of the c: drive.

Opening this file in notepad shows:

lmdiag – Copyright (c) 1989-2006 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved.
FLEXlm diagnostics on Thu 9/6/2009 09:46

To resolve the problem, simply remove or rename the file.

It seems that lmdiag has a bug or coding error which generated this rogue file.


Easy way to remove the Microsoft Office document image writer printer

Posted on June 17th, 2009

By default, when Office 2003 is installed, the Microsoft Office Document Image Writer appears in the Printers folder.

Here is a really easy way of removing the Microsoft Office Document Image Writer printer via a script.

  • cscript c:\windows\system32\prnmngr.vbs -d -p "Microsoft Office Document Image Writer"

This can be added to a build script if needed.


Debugging with Windbg

Posted on May 15th, 2009

If you have crash dump files, the only real way to debug them is by using windbg. This can be installed as part of the Windows debugging tools for 32 bit or 64 bit.

The symbol path needs to be set correctly so that the debugger can resolve module and function names in the dump. This can be done for Microsoft and Citrix, as their symbol servers are public. Other vendors, such as AppSense, do not publicly release their symbols, so you are unable to link to them. Set the symbol path in windbg to the following to use the MS and Citrix symbol servers:

SRV*c:\symbols*http://ctxsym.citrix.com/symbols;SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

To open a crash dump file, select File | Open Crash Dump.

Select the file in question.

After a few seconds the dump loads and the entry bar at the bottom of the window will become active. The following commands may be useful:

!analyze -v

This shows a verbose analysis of the dump file. The important information is at the end of the text that appears. The process that caused the fault will be listed along with the errors.

To get more information about a module, use the following command, replacing <module name> with the name of the module:

lmv m <module name>

It is also possible to use windbg to force a dump of a running / crashing process.

File | Attach to process & Select the process

Choose to save the workspace.

A white dialog box is then generated.

In the command window of the debugger, enter the following:

.dump /ma c:\mydump.dmp

If I find any more public symbol paths, I will update this entry.


Restricting some sites in Internet Explorer

Posted on April 14th, 2009

When it comes to providing Internet Explorer access from a Citrix Server, trying to lock it down can be tricky.

Sure, there are various Group Policy settings that can be applied to lock down the application, but the most common question is how to restrict where users are able to browse to. You may want to allow external Internet browsing, for example, but block some sites. The same may apply to internal Intranet sites, where you want to block some sites because they rely heavily on plug-ins or for whatever other reason is given.

In the past the only real way to provide this type of lockdown would be to have a dedicated proxy server or rule base that would provide a white and black list of sites. Depending on the availability of such a process, this may or may not be possible in the environment you are working in. You may also have a different white and black list for different Citrix application silos, so this would need a separate proxy or rule base for each environment.

Another way to lock down some access is to add sites to the Trusted Sites or the Restricted Sites list. This can be set up by Group Policy but is a hassle to maintain, because adding or removing sites from the list relies on other factors, such as editing the Group Policy from a machine that is already configured with the right settings, as it will try to suck in local machine settings as soon as you try to edit it. From experience, this is a real pain and can easily become misconfigured with the wrong settings if someone edits it from the wrong computer. This also doesn’t fully block the site; it only blocks the execution of scripts from the site in question. So, if the site runs a script on page launch, the script will be blocked from running and access to the site will be denied. This clearly doesn’t apply to all sites, so even adding a site to the Restricted Sites zone doesn’t guarantee it being blocked.

There is a third way

Internet Explorer can use an automatic configuration script, or .pac file, to provide it with configuration options. Typically this is used to supply IE with the proxy server address automatically. With a bit of additional programming this can be used to provide the exact result required.

The .pac file is just a text file with JavaScript functions and can be configured to provide this lockdown. The configuration can be set to return different proxy server addresses based on the URL being accessed. So, for example, if a site is ‘blocked’ the .pac file can be configured to return a non-existent proxy server address (or no proxy address at all) and then the site cannot be accessed.

The following expressions are useful.

Every .pac file must define this function, which the browser calls with the URL and host name of each request:

function FindProxyForURL(url, host)

The following matches the URL and returns a direct (no proxy) method of access. This would be the same as adding the site to the ‘do not use proxy server for addresses beginning with:’ option. In the case of external sites, returning a direct method of access is great because the browser will never find the site and will time out very quickly (this relies on the server having no route to the Internet other than the proxy).

if (shExpMatch(url, "*.facebook.com/*")) return "DIRECT";

In the case of a blocked internal site, returning a direct method of access is of no use, as all computers are on the same network and the browser will still find the site. Instead you will need to return a fake proxy server that does not exist on the network. The browser will time out while trying to find this proxy and IE will not find the site. The browser will not time out immediately, however; it will appear to take 30 seconds.

if (shExpMatch(url, "*://Intranet/*")) return "PROXY 10.10.10.10:1010";

The first wildcard locks down both http and https access. The second wildcard is deliberately placed after the "/", otherwise it can lock down too many sites. Placing the second wildcard here does, however, mean that you need to enter the URL twice: once as just the name and once for the FQDN.

These can all be combined to provide the lockdown required.

Here is a sample ie.pac file.

// Restricted sites list
// v1.0
// Richard Parmiter
function FindProxyForURL(url, host)
{
  // set the address of the proxy into a variable named proxy
  var proxy = "PROXY proxyserver.fqdn.local:80";

  // list of all restricted sites as shown
  // return "DIRECT" for external sites as it is quicker for the browser to time out
  if (shExpMatch(url, "*.facebook.com/*")) return "DIRECT";
  if (shExpMatch(url, "*.youtube.com/*")) return "DIRECT";

  // return "PROXY 10.10.10.10:1010" for internal sites
  if (shExpMatch(url, "*://internalsite1/*")) return "PROXY 10.10.10.10:1010";
  if (shExpMatch(url, "*://internalsite1.fqdn.local/*")) return "PROXY 10.10.10.10:1010";
  if (shExpMatch(url, "*://192.168.100.100/*")) return "PROXY 10.10.10.10:1010";
  if (shExpMatch(url, "*://192.168.100.101/path/url*")) return "PROXY 10.10.10.10:1010";

  // bypass proxy for local addresses
  if (isPlainHostName(host)) return "DIRECT";

  // catch-all: everything else goes through the real proxy
  return proxy;
}

This file sets a variable at the top to the correct proxy server address and has a catch-all statement at the end to return this variable if the URL doesn’t match any of the statements above it.

The isPlainHostName function returns true for any host name that does not include a "." in it. This is the same as ticking the option “Bypass proxy server for local addresses”.

This ie.pac file can be referenced in two ways. Either configure the relevant Group Policy entry to point to it, or poke in the relevant Registry setting at logon using logon scripts, as shown:

RegWrite Array("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","AutoConfigURL","http://Internalwebsite.fqdn.local/restrictedsites/ie.pac","REG_SZ")

In this case the ie.pac file is located on an internal web site, but it can also be referenced by a file share or local file (i.e. \\uncpath\ie.pac or c:\ie.pac).
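Before rolling out a rule set it is worth checking what it returns for real URLs. The following is an added example, not part of the original post: it runs the sample's URL patterns under Node.js next to a variant that tests the host argument, over constructed URLs. The stand-in shExpMatch/isPlainHostName helpers and the names urlRules, hostRules, evaluate and compare are assumptions made for this harness.

```javascript
// Added example (not the blog author's code): run PAC rules offline under Node.js.
// Browsers supply shExpMatch/isPlainHostName; minimal stand-ins are defined here.
function shExpMatch(str, shexp) {
  // Shell glob: '*' matches any run of characters, '?' exactly one.
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }

const PROXY = "PROXY proxyserver.fqdn.local:80"; // real proxy, as in the sample
const SINK = "PROXY 10.10.10.10:1010";           // non-existent proxy, as in the sample

// URL-pattern rules, in the same order as the sample ie.pac.
function urlRules(url, host) {
  if (shExpMatch(url, "*.facebook.com/*")) return "DIRECT";
  if (shExpMatch(url, "*://internalsite1/*")) return SINK;
  if (shExpMatch(url, "*://internalsite1.fqdn.local/*")) return SINK;
  if (isPlainHostName(host)) return "DIRECT";
  return PROXY;
}

// Variant that tests the host argument instead of the whole URL string.
function hostRules(url, host) {
  const h = host.toLowerCase();
  if (h === "facebook.com" || h.endsWith(".facebook.com")) return "DIRECT";
  if (h === "internalsite1" || h === "internalsite1.fqdn.local") return SINK;
  if (isPlainHostName(h)) return "DIRECT";
  return PROXY;
}

// Call a rule function the way a browser calls FindProxyForURL(url, host).
function evaluate(rules, url) {
  return rules(url, new URL(url).hostname);
}

// Constructed URLs: the common case plus edge cases for the patterns.
const samples = [
  "http://www.facebook.com/home",
  "http://facebook.com/",                              // no "." before the domain
  "http://intranet.fqdn.local/go?to=a.facebook.com/x", // pattern text in the query string
  "http://internalsite1:8080/app",                     // explicit port after the name
  "http://internalsite1.fqdn.local/app",
];
function compare() {
  return samples.map(u => ({ url: u, urlRules: evaluate(urlRules, u), hostRules: evaluate(hostRules, u) }));
}
console.table(compare());
```

Rows where the two columns differ are URLs that the URL-string patterns either miss or match unintentionally.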

Voila..  Happy URL restricting..
