Understanding the Citrix MetaFrame Logon and Logoff Process

The Windows logon and logoff process is a complex part of a Terminal Server environment, and these processes are complicated even more when Citrix MetaFrame Presentation Server is installed. However, knowing how these processes really work can cut down your troubleshooting time.

This article can’t cover all aspects and every detail of the logon and logoff processes. However, it will take a look at these processes from an administrator’s standpoint (as opposed to taking a developer’s perspective).

The first part of this article covers the session initialization. It covers the steps that take place from the time a client tries to connect until the application shows up on the user’s desktop. (Note that we’re only talking about the actual connection from the client to the server. We are not talking about application enumeration or load balancing since those activities take place before a client connects to a server.)

The second part of this article will cover the disconnection and logoff processes.

Session initialization

No matter how an ICA session is invoked (Program Neighborhood, Web Interface, double-clicking an ICA file, etc.), the ICA client engine (wfica32.exe for Win32 clients) fires up and loads the module.ini file from the root folder of the ICA Client. The module.ini file defines the specific capabilities that the ICA client should or can use. Therefore, when troubleshooting, it’s possible (and useful) to edit module.ini to change the capabilities of the ICA Client. For example, you might choose to disable specific client drives (DisableDrives=A,D,F) or to enable server drives in a pass-through session (NativeDriveMapping=TRUE).

The following screen shot highlights the module.ini section that specifies which virtual drivers the ICA client loads. For testing purposes you could choose to remove a specific virtual driver altogether. This prevents the client engine from loading that virtual driver, for example SmartCard, SpeechMike, ClientAudio etc.

Some virtual drivers (like clipboard functionality) are “built into” the client engine. Removing the word “Clipboard” from that VirtualDriver line will only disable the Clipboard on a client basis (as described in Citrix Knowledge Base article CTX102977.)
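To confirm exactly which capabilities a troubleshooting edit switched off, you can compare the edited module.ini against an untouched reference copy. The following is an added example, not code from the original article or from Citrix: the function names are hypothetical, both sample files are constructed, and the section names in them ([ICA 3.0], [ClientDrive]) are assumptions (the code looks the keys up in whatever section holds them).

```python
def parse_ini(text):
    """Minimal INI reader: {section: {key: value}} with lower-cased keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def find_key(sections, key):
    """Return the first value stored under `key` in any section, else ''."""
    for body in sections.values():
        if key in body:
            return body[key]
    return ""

def as_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def capability_diff(reference_text, working_text):
    """Report what the working module.ini turns off or on versus the reference."""
    ref, work = parse_ini(reference_text), parse_ini(working_text)
    kept = as_list(find_key(work, "virtualdriver"))
    return {
        # Drivers listed in the reference but no longer loaded by the client.
        "removed_drivers": [d for d in as_list(find_key(ref, "virtualdriver"))
                            if d not in kept],
        "disabled_drives": as_list(find_key(work, "disabledrives")),
        "native_drive_mapping":
            find_key(work, "nativedrivemapping").upper() == "TRUE",
    }

# Constructed samples; section names are assumptions, not taken from the article.
REFERENCE = """
[ICA 3.0]
VirtualDriver = Clipboard, ClientAudio, SmartCard, SpeechMike
"""
WORKING = """
; edited copy used while troubleshooting
[ICA 3.0]
VirtualDriver = ClientAudio, SpeechMike
[ClientDrive]
DisableDrives=A,D,F
NativeDriveMapping=TRUE
"""

if __name__ == "__main__":
    print(capability_diff(REFERENCE, WORKING))
```

A removed entry such as Clipboard still has to be read with the caveat above: for drivers built into the client engine, the change only applies to that one client.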

Once the ICA client works out which drivers it will use, it starts a connection with the server via port 1494 (even with session reliability enabled). The server responds with “7F7FICA” for an ICA handshake as shown in the next screen shot. During the handshake the client sends its list of capabilities (virtual channels supported by the client) to the server.

Next (still before anything shows up in any admin console or on the client desktop), the TSCAL license verification is made. If the license cannot be verified then the session just ends (see CTX543560). Even though this is by design, it’s still very confusing for most people.

If the client has or gets a valid TSCAL, the server’s WinLogon.exe process calls the GINA (and any linked GINAs, like ctxgina.dll when MetaFrame is installed) and the user is presented with the logon GUI.

Once the user credentials are validated via csrss.exe, WinLogon downloads the user profile. (Here is a nice article about profiles http://www.windowsitpro.com/Windows/Article/ArticleID/41654/41654.html)

The GINA then calls UserInit.exe which is responsible for setting up the user’s environment (restoring net uses, etc.). When Terminal Server is installed, UserInit queries the registry key AppSetup located in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and executes all the programs listed in that key. By default this is limited to UsrLogon.cmd, although MetaFrame XP adds cmstart.exe to the list and MetaFrame version 3 adds CtxHide UsrLogon.cmd, and CmStart.exe. (Those of you who’ve been using Terminal Server for a while will remember that UsrLogon.cmd is a hold-over from the early days when application compatibility scripts were used. See Microsoft article Q195950.)

The last thing UserInit does is launch the user’s shell as specified in the registry. By default this is explorer.exe, although you can change it to whatever you want and have some fun with your colleagues by changing theirs to progman.exe.

Once the shell is fired up the final steps take place, including items listed in the run registry keys and the programs from the Startup folder.

There’s a great utility from SysInternals called “AutoRuns” that you can run on a server to quickly and graphically show you all the things that run automatically when a session is started.

Everything on the server side that we’ve mentioned so far is Microsoft only. It applies whether you’re connecting via a standard Terminal Server / RDP session or via a MetaFrame ICA session. (For more detail on WinLogon, UserInit, Csrss, and other Windows processes, take a look at Microsoft Knowledge Base article Q263201.)

Now let’s take a look at what happens when Citrix is thrown into the picture. As we mentioned earlier, UserInit also executes the CmStart.exe process. CmStart.exe is the Citrix Client Manager Starting Utility and it’s responsible for two things:

  1. It starts the Citrix seamless windows engine shell called wfshell.exe.
  2. It launches the Citrix Client Manager (cltmgr.exe) that’s used to keep the ICA client up to date.

The following screenshot is of Sysinternals’ Process Explorer running during a MetaFrame session start.

Let’s take a closer look at these processes and what they each do.

Citrix Client Manager Starting Utility (CmStart.exe)

CmStart is responsible for launching the seamless engine, which means no seamless windows without CmStart.exe in the AppSetup key! A missing entry will not stop a desktop session from working, though.
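Because everything listed in AppSetup runs in every session, it is worth checking that value (and the Shell value) against what you expect on each server. The following is an added example, not code from the original article: it assumes you saved the text output of `reg query` for the Winlogon key, the function names are hypothetical, and the sample outputs (including the program name updater.exe) are constructed.

```python
import ntpath
import re

# Baseline from the article: UsrLogon.cmd by default, cmstart.exe added by
# MetaFrame XP, and CtxHide wrapping UsrLogon.cmd in MetaFrame version 3.
EXPECTED_APPSETUP = {"usrlogon.cmd", "cmstart.exe", "ctxhide.exe"}
DEFAULT_SHELL = "explorer.exe"
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Return {value_name_lower: data} from `reg query` text output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)  # the key-path line has no indent
        if match:
            values[match.group(1).lower()] = match.group(3).strip()
    return values

def programs(data):
    """Split a Winlogon value into lower-cased file names.

    Every whitespace-separated token is treated as a program, so
    arguments are reported too; for an audit that is the safe default.
    """
    names = []
    for entry in data.split(","):
        for token in entry.split():
            names.append(ntpath.basename(token.strip('"')).lower())
    return names

def audit_winlogon(text):
    """Return a list of findings; an empty list means baseline-clean."""
    values = parse_reg_query(text)
    findings = []
    appsetup = programs(values.get("appsetup", ""))
    if "cmstart.exe" not in appsetup:
        findings.append("AppSetup: cmstart.exe missing (no seamless windows)")
    for name in appsetup:
        if name not in EXPECTED_APPSETUP:
            findings.append("AppSetup: unexpected program " + name)
    shell = programs(values.get("shell", ""))
    if shell != [DEFAULT_SHELL]:
        findings.append("Shell: not the default, found "
                        + (" ".join(shell) or "(empty)"))
    return findings

# Constructed sample outputs (not captured from a real server).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_OK = KEY + """
    AppSetup    REG_SZ    ctxhide.exe usrlogon.cmd,cmstart.exe
    Shell    REG_SZ    Explorer.exe
"""
SAMPLE_BAD = KEY + """
    AppSetup    REG_SZ    usrlogon.cmd,updater.exe
    Shell    REG_SZ    progman.exe
"""

if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_BAD):
        print(finding)
```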

Citrix Seamless engine (wfshell.exe)

One of the things wfshell is responsible for is autocreating the client printers. If you are using third party printer drivers (HP, Canon, Lexmark etc.) instead of the original printer drivers that come on the Windows CD, then you might see some of the following issues:

  • Crashes of wfshell.exe (CTX102634)
  • High CPU spikes of wfshell.exe
  • Slow logons
  • Printers not being mapped

Advice: Don’t use third party printer drivers. Instead, use mappings from the printer matrix at http://www.printingsupport.com, and at least don’t use PCL6 drivers (advice from Stefan).

Citrix Client Manager (cltmgr.exe)

Cltmgr.exe is launched right after wfshell because it uses a virtual channel (VDCM.dll, ClientManagement) to get the client version from the version.dat file. Problems with retrieving the ICA client version and with the update might have the following effects:

  • Crashes of wfshell.exe
  • Slow logons (without updating the client)

Advice: If the Client Update feature is not used, you should disable the client update database on every Citrix server (Start | Run | cudutil.exe | Database | Properties | uncheck enable).

Session Termination

When closing a published application or logging off from a desktop session, the most important parts are terminating the user processes and unloading the user’s registry hive from the system registry.

In a desktop session the termination of the processes is done by csrss.exe. With published applications the seamless engine is responsible for closing the applications and sending the logoff message to csrss. Under certain circumstances this might not work, leaving the user’s session active on the Citrix Server, although we’ll discuss this more later.

In some cases the user’s registry cannot be unloaded during the logoff. This issue is well known in the community and the solution is to use Microsoft’s UPHClean service. (Be sure you’re using the most current version.) If the unload process doesn’t work as expected, then the profile gets stuck on the server (a bit different with Windows 2003). This then impacts the logon process, especially with anonymous users.


This article summarized the important steps and processes you see with Windows 2000/2003 and MetaFrame XP / 3.0. There are additional processes like Ctxhide.exe, but they are not big troublemakers.

Unfortunately MPS 4.0 is going to majorly change the Citrix portion of this process, but that’s a story for another day.

Join the conversation



How about the ancient tip to put cmstart.exe in usrlogon.cmd to speed up the login process? Is that still valid today?
It seems to me that FR-3 for MetaFrame XP took care of this.. What do others think?
It was a great idea by Brian to move the CmStart.exe to the UsrLogon.cmd
This way the logon moves on but the client printer autocreations are still done by wfshell.exe
Again, the troublemakers here are the 3rd party printer drivers that can slow down the logon process.

I was thinking of adding this to the article but you have to be careful how and where to add it to
the UsrLogon.cmd to make sure CmStart really starts.

Also, Citrix added to the CMC the option of starting published applications without waiting for printer
creation (SMB => ICA) but it is limited to network printers.

Personally I don't know whether this problem was fixed with FR3/MPS.
I didn't see anything relating to the PsSson and SSONSVR.exe.
As said, this article can’t cover all aspects and every detail of the logon and logoff processes.
Not everyone is using the Citrix single sign-on service (SSONSVR.exe) etc.
At least with MPS3.0 and MPS4.0 the option to start apps without waiting for client printers to be created works fine. Sometimes you have to disable this option, e.g. in case a published application does not autorefresh Windows printers and needs to see one at startup to run correctly.
From Client machine, I launch some application (say notepad), which is present in Citrix server. Notepad is running on server, but I can use it from client. I run Spy++ on client. From this Spy++, I try to get the information of a window in the notepad. I cannot get because Spy++ is running on client and notepad on server.

Is there any way to get the information of the window? Can I write some code (in any language) which executes on client, but can get information of a window belonging to an exe running on server?
To my knowledge, no this can't be done. Mercury Interactive cooperated with Citrix to produce an agent for Loadrunner that provides this information through the ICA Virtual Channel. If you want to do automation within Citrix you've got a few options:

1) Use Spy++ to gather your window handles, etc. within the Citrix session and run your automation scripts locally on Citrix. This has the unfortunate side effect of adding unnecessary load.

2) Automate the ICA session on the Citrix. Problem is you won't be able to get window handles, etc. so you'll need to rely on key stuffing, etc.

3) Use something like Loadrunner with the Loadrunner agent for Citrix to properly identify objects within the ICA session. Perhaps Brian can comment on how Scapa handles this as it might be a much lower cost solution.

brian really need your help here..we are presenting citrix in class on friday..Got the client to connect to the citrix server but its so slow...It takes like 5 mins for applications to appear on client..Almost like its connecting remotely..Not sure why it would do this.. We are students learning ..so any info would be helpful--thanks
You need to provide more information than that, like:

1) What are the specs of your server?

2) What are the specs of the clients?

3) What network connectivity is between the clients and the server?

4) What type of profiles are you using? If roaming, what size?

5) What type of logon script are you running?

6) Are there any event log entries on the server?

That would be a good start.

As long as the seamless article is not published, visit

Thank you Thomas! I must have typed this info like 3 or 4 times in the last week. UGH! Should have checked your site first...
very very good
Hi this is my first posting. I am relatively new to citrix and am faced with a problem with a client that is causing me great stress. I have a windows2000 Sp4 TS machine running Citrix XP fr3 users are experiencing problems logging off their sessions as the publish app continues to run and hog the processor thus slowing everyone down. I have added the reg key Logoffchecksysmodules=ssonsvr.exe but this hasn't worked. The client is reluctant to put rollup1 on unless I can prove this problem is fixed. I have read through and I can't find this problem specifically. Does anyone have any ideas what I can do?
It clears all my doubts about TSCAL aspects during login !!!
How would I run a logoff script? They don't seem to run when a user logs off Citrix.
If you have an AD, state a logoff script in the GPO which applies to TS users.

Otherwise by local policy: gpedit.msc
Hi - I wonder if anyone could tell what is happening on a few of my Citrix servers in my farm! The problem is this .. when connecting to particular servers using a published application to a desktop the Citrix dialogue box saying "Applying Registry Policy" hangs for several minutes and then continues to login ok. This only happens when connecting to certain servers in the farm, others fly right through this stage. All the servers are built exactly the same way (well as far as I can tell). If however, I have administrative rights then it all works ok - so is there some sort of permission thing going on here?
What exactly is happening during this "Applying Registry Policy" stage?
Rich - rtutton@leekes.co.uk
Hi Brian, I need your help. We are using Citrix PS4 Enterprise Edition installed on blade servers, and remote users connect through PN version 8.0. We are using a home-developed application, say "x", which uses the Windows taskbar and desktop. Shortcuts to applications like Word, Outlook and Excel are provided in application x; the user executes an application by clicking the icon, and that icon executes the exe file of the program, and the program runs over application X. So we only need to publish application X in Citrix, and all the required applications are given as shortcut icons. We are facing the problem of sessions freezing for some users; the application responds very slowly for some users and they can't even log off from the server. If we terminate Wfshell.exe for the affected user, the freezing problem resolves. Can someone help me out with why this is happening and what the resolution could be? Or explain to me why it is resolved by terminating wfshell.
I installed Citrix MetaFrame ver 4.0 on my Win2003 STD 2 months ago and it was working fine, but now it gives me this error when I try to log on from a remote machine: "The system has reached its license logon limit. Please try again later." I have tried to reinstall the licenses but it has changed nothing. What can I do?
Have you examined the License Management console to see if all of your licenses are exhausted?

Hello All,

Which program is used to display this information (see screenshot below)? I'm trying to diagnose a Citrix logon problem and finding out this information would be useful.
[Screenshot: https://www.brianmadden.com/content/images/logonlogoff2.jpg]

How is the login process different when you have a published application versus a published desktop?
Jeff D.
I have a server farm with 3 Citrix servers on Windows 2003 Server with 50 users. My problem is that the printers are not always created in applications like Outlook or Word. It is also random, so if the user restarts their Wyse terminal and logs back into the Citrix farm it works again. I don't have this problem if the users log into the 2 terminal servers. When the user tries to print, sometimes it shows that no printers are available, but if they open up local Internet Explorer on the Wyse terminal they can print just fine. We have Wyse terminals at most users and they all have the HP IP printers loaded locally. The driver that is at the client is the standard HP LaserJet III that comes in Windows 2003 Server. I did this to try and simplify the issue but it did not work. The printers are all HP 4050's with built-in print servers.
Is there any way to troubleshoot how this problem keeps happening? Do you have any ideas as to how to correct it?
Sorry, I posted this in the wrong forum. I will repost in the printers forum.
My user is unable to log in to the application due to a blue screen issue. Can you help with how to resolve the blue screen issue?
My desktop session locked up after completing diagnostics on a remote server. The last screen that was displayed by the diagnostic utility cannot be closed or minimized. How can I terminate the session and restore the desktop without rebooting my Metaframe server?
What you need to do is delete the module file on your PC from Program Files and empty your profile from the server where the profiles get created.
Hi Brian,

I have an ICA file setup for a Citrix application. It works great except the first time you try to launch it, it won't connect. What I have to do is launch another Citrix application and then it works fine after that. I never have to do this again after connecting. This is the case whether I connect with the program neighborhood or the ICA file. Any ideas? Thanks for your help!


Hi --- We have been having critical events showing up for some time without a permanent resolution; the only procedure that seems to remedy the problem is deleting the local user profile on the Citrix server and then recreating it... below are two pastes showing the two events from the apps log that have been ongoing now for well over a year... We have called Citrix on this issue and they tell us this is a Microsoft problem and to contact them.... Microsoft says it is a Citrix issue... Can someone shed some light on this problem...

thanks in advance...

Below are the two events that are always showing up together, one after the other.

1st event below:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1521
Date:  4/14/2008
Time:  2:50:47 AM
User:  EU\SBoer
Computer: SBTS4
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.  

 DETAIL - The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Second event below:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1511
Date:  4/14/2008
Time:  2:50:49 AM
User:  EU\SBoer
Computer: SBTS4
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This is your hardware problem, so please check your hardware.

Best bet is www.eventid.net (http://www.eventid.net/); it solves most issues like this. Cheers


When I connect to a published app, I get a system popup that wants to install Windows updates. But these updates are from the Citrix server that is running the published app. How can I prevent my local PC from getting these popups from the server?


For the roaming profile issue, please use UPHClean on all Citrix servers, and in the event of a profile issue first restart the UPHClean service.

Share your feedback if this holds good.

UPHClean clears the registry hive of the user profile when the user did not log off properly. This is known as a Memory Leak in Windows Server.