Citrix XenApp

Script to make your Citrix XenApp servers run better with SEP antivirus

on

If you use SEP (Symantec Endpoint Protection) on your Citrix servers, you will notice that performance on your server takes a huge hit if you leave Symantec as is. Specifically increased RAM and CPU usage caused by multiple instances of SmcGui.exe and ccApp.exe processes for all the connected sessions.

Symantec has a great KB article here that addresses this:

http://www.symantec.com/business/support/index?page=content&id=TECH105060

You can disable SmcGui to prevent multiple instances of it running by adding following DWORD registry value on your Citrix server:

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\LaunchSmcGui

and setting the value to 0. You can also disable ccAPP by deleting the ccApp entry at the following keys:

32 bit:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

64 bit:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

I didn’t want to go to each Citrix server and verify and/or make these changes manually so I created this little bat script I can execute remotely on each Server 2008 R2 box (you’ll want to modify for 32 bit boxes):

Now when building a new XenApp server (i.e. not from a template), I wanted to use this same script as a “post-install script” after installing XenApp but with a few other things included. One thing I wanted is to set the Terminal Server roaming profile path (assuming you are not doing it with GPO already). So I add this to the script:

I also want to install my EdgeSight agent at this time. I wrote a a few installs script for this already in my post here:

http://www.jasonsamuel.com/2011/09/13/how-to-deploy-edgesight-5-4-xenapp-agents-using-install-scripts-to-all-your-citrix-farms/

so I will call on these bat scripts from the script I am writing now. But I want it to pause and let me verify that the Symantec changes happened successfully. So I add this first:

then finally I call on the EdgeSight agent install script (which will reboot your system after installing automatically). I have it shared off my EdgeSight server under the “XENAPP_AGENT” share so my script looks like:

So my final script will look like this screenshot:

Hope this helps. Let me know if there is anything that any of you would like to see added.

About Jason Samuel

Jason Samuel lives in Houston, TX with a primary focus on strategic advisory and architecture of end-user computing, security, enterprise mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and networking over his 20+ year career in IT. He is an Author, Speaker, and Local User Group Community Leader. He is certified in several technologies and is 1 of 63 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 42 people in the world that has been awarded as a VMware EUC Champion and VMware vExpert. He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with. Disclaimer: The content and opinions expressed in articles and posts are his own and are by no means associated with his employer.

Recommended for you

6 Comments

  1. Eamonn

    May 10, 2012 at 9:29 AM

    The newer SEP 12.1.1 that came out in April 2012 version seems to prevent changes to this reg key.
    Endpoint “Protection SMC LaunchSmcGui” 0

  2. Tom

    February 25, 2013 at 3:20 PM

    Any remedies for the issue Eamonn points out??

    Thank you, Tom

  3. Jason Samuel

    February 25, 2013 at 3:32 PM

    Tom :

    Any remedies for the issue Eamonn points out??

    Thank you, Tom

    I’m afraid I can’t replicate the issue in a SEP 12.1.1 environment. Using The script continues to work fine for me. Are you running it as an administrator?

  4. Eamonn Deering

    February 25, 2013 at 3:43 PM

    @Jason Samuel

    I got it working. As far as I remember you have to disable Symantec Tamper protection if its on.
    You can enable it after the reg change.

  5. Jason Samuel

    February 25, 2013 at 3:56 PM

    Eamonn Deering :

    @Jason Samuel

    I got it working. As far as I remember you have to disable Symantec Tamper protection if its on.
    You can enable it after the reg change.

    Thanks for the update!

  6. John

    February 6, 2014 at 1:55 PM

    If we enable SEP, Windows Explorer that published on Citrix server will not run. you have to open any other applications on same server and then launch Windows Explorer icon.
    is there any way, we can resolve this issue?

Leave a Reply

Your email address will not be published.