Friday, December 18, 2015

Help! My Citrix application is running slow (Meditech, Citrix, Imprivata)

We have an application (Meditech) that users have reported as performing poorly in Citrix.  They were able to confirm the poor performance by comparing it to a desktop that had the same software installed.  I was brought on to try and understand these performance differences and why Citrix would be performing so much worse.  To measure the performance, the user took me to a screen where they held down a key on the keyboard to increment a counter in the software.  When holding the key down on the desktop the counter was quick and incremented at a steady pace, on Citrix it seemed OK at first but then slowed as time went on.   To illustrate these performance differences, I made a video:

So we definitely have a problem.  My first steps on troubleshooting this problem was to compare the differences between the desktop and the VM.  The VM had server processors but they were older, and at less GHz at 2.6GHz for the server.  The desktop had 3.4GHz processors with a newer generation.  If the processing is NOT latent sensitive then the faster processor's can make a difference, and the CPUMark had them at 1500 and 2100 (~40% difference).  At first glance, this seems like it could be the difference in our timings but it's still too drastic at ~5s vs ~20s, a 400% difference.  To try and narrow the difference I took the application to a completely bare server with no software on it what-so-ever and reran the test.  It completed in about ~5-6s.  The processor it ran on was comparable to the original server processor but ran at 2.7GHz instead.  The processor was not running at nearly enough speed to make up the difference, something else must be consuming those cycles.

At this point I procmon'ed the benchmark and came up with the following:

(PID 6660 is the process that the benchmark runs against)

Very obviously, the pattern of each key stroke on the Citrix server is present with the initial pattern highlighted:

About 400ms from each key stroke to when the next one is registered.  So what is delaying the 400ms?  From my experience, unexplained delays are CPU related.  I then looked at the process activity summary to see if I can find the bottleneck:

Again, very obviously we are seeing the CPU ramp up, and it can also explain the faster, initial iterations of the GUI as the CPU 'ramps' up and doesn't spike to the it's maximum.  None of the other graphs show any activity at the time of the benchmark so the suspect is highly on the CPU.  When hovering over the graph we see the CPU percentage.

This is a 4 core box, so ~25% equals one full core for a single threaded application.  Again, this points to the application being bottlenecked by the processor, but again, the difference is too large to consider just the CPU at this point.  We need to find what part of the process is consuming these resources.  Fortunately, ProcExp (process explorer) can help us determine what is going on within a process.

I started a new run and got properties of the process:

MGUI.DLL is consuming all of the CPU.  That is a DLL utilized by the application, clicking on 'Stack' gives us the hierarchy of commands being utilized by that thread.

From this, I can understand that ntoskrnl.exe, ntdll.dll are native Microsoft Windows functions, MGUI.DLL is utilized by Meditech, but what is ISXHook.dll?

Doing a search within the process shows that it's utilized by Imprivata, a single sign-on solution we utilize to try and increase user efficiency.  It works by 'screen scraping' to determine fields that it needs to populate with user credentials to try and speed up user logins.  Logically, this sounds like it could be causing the delay by screen scraping every time a key is stroked or a change is registered.  To confirm this, we need to remove Imprivata from the application.  Fortunately, it's hooked in by services that can easily be terminated.

I'm going to terminate everything that says 'Imprivata Inc.'

With the processes terminated I reran my test.  Using Process Explorer and getting properties on the process, immediately CPU usage went from 25% down to 15% at a peak:

And getting Stack information showed a much cleaner stack:

In conclusion, I may need to investigate into Imprivata to determine if I can reduce its polling rate or find some way of allowing it to 'stop' polling the CSMagic process *after* the accelerated login.  Its current settings (which I'm not familiar with, sadly) is not acceptable and causes a significant slow down.  Fortunately, the root cause has been determined and we can work towards a full resolution.

Friday, December 04, 2015

AppV5 - Sequencing an application that has Com+ Applications

AppV has a few weaknesses, one of them is Com+ Objects.  It doesn't like Com+ Objects and sequencing an application with them generally results in this error message:

The Resolution seem easy enough:
1) Try extracting and installing the COM+ component natively on both sequencing station and the client
2) Thoroughly test your virtual application package to verify functionality.

But how do you extract the COM+ components?

1) Open 'Component Services'

2) Expand until you find your Com+ Applications, right-click and select 'Export'

3) Click 'Next'

4) Enter a path to save your MSI then click 'Next'

5) Click 'Finish'

Since this application had two Com+ Applications I exported my second one as well:

To ensure they work, I took them to our XenApp Test server and installed them.

Both *appeared* to have installed correctly.  But this application requires the Com+ Application to run under a service account.  Checking the original install:

I can see under the 'Identity' tab that it is configured for 'This user:'.  I then checked the MSI install on the XenApp Test server and looked at the Identity tab:

It appears it defaults to 'System Account' even though I selected 'Export user identities with roles'.  To change the user account silently, I used this script supplied by the vendor (as a encrypted vbe):

This script changes the user account on the Com+ applications to use the proper account.  When browsing the properties of the components of the SFSQL object I saw it referenced the dll to it:

Fortunately, it seems these files are captured by the MSI export of the Com+ Application.

To test everything now, I must now create my AppV package.  Before doing the install I installed my prerequisites (the Com+ Applications) into the Sequencer so they are not captured by the package.

I ran this script to do my prereq install:

Now I startup the sequencer and do my sequencing first steps.

I selected a batch file I created for the install (per the vendor's initial instructions):

Once the install completed I saved my package and took it to my XenApp Test server and published the application and ran it.

No, this is not correct

For some reason my application was failing.  I double checked the COM+ Applications are installed and appear to be working, so I opened Procmon.exe to see if I can find where it's going wrong:

I've used procmon enough now to practically pull the old' Matrix, "blonde, brunette, red head".  Working from bottom to top, the message box is generated from the 'Text' (LanguagePack) back to the KernelBase.dll.  So we can exclude that has the cause, this is telling us *of* the issue.  So if we look at the lines preceding it, one of them must be causing our message.

Looking at the first keys, the OLE keys, I can compare them to my sequencer and they match exactly, so the likelihood of them causing our issues is none.

So we go back a little further to the AppID key and jumping to the *SUCCESS* location to look at it's value...

I am on a server called WSCTXAPP301T but the registry key for this value is pointing to the system I did my sequencing on.  I changed the value to the actual server name and did a registry search for "WSAPVSEQ07" to see if it appeared anywhere else.  It did in one other location so I modified the value there as well to point to the local server:

And tested my application again:

Success!  The login screen.  This is as far as I can take this app until I get credentials or a user to login and try testing for me.  So, for now, I can create a preflight-script to setup some prerequisites when the application is published.  I modified my preflight script to include the two registry values being updated:

Then I updated the Deployment_Config.xml file for this application:

Lastly, I logged onto a new, fresh, system and manually tested my XML file by publishing from the command line:

Using Procmon to monitor to ensure the prerequisites get installed:

"Exit Status: 0" --> Usually a good thing :)
Testing the application:
Looks good

Then testing removal and monitoring with Procmon:

Com+ Application are removed cleanly :)
So everything looks good and I can now add this application to our AppV Management Server and deploy it to the machines that need it.