Symptoms
- RDP/Citrix sessions appear "hung".
- Remote Desktop and/or Citrix session does not terminate services such as Notifier.exe and dsa-wrs-app.exe automatically when the remote user logs off (these are the only services running under the logged off username).
- High resource consumption due to multiple unterminated processes
- Update failures because services are not properly terminated
- Service termination requires manual intervention
Root Cause
As part of Windows Remote Desktop and Citrix session termination logic, if the specified startup program spawns new processes, those child processes are considered part of the original program. The session may not fully terminate until all spawned processes also terminate.
The following Trend Micro processes are known to spawn child processes under users when they log in to new remote sessions:
- Notifier.exe - Deep Security Agent notification service
- dsa-wrs-app.exe - Trend Micro Web Reputation App (formerly Deep Security Web Reputation App)
For RDP Sessions
Add the affected Trend Micro processes to the Windows Terminal Services system processes registry key:
- Open Registry Editor (regedit.exe) as Administrator.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Sysprocs.
- Create the following DWORD values:
- For Notifier.exe:
- Value name: Notifier.exe
- Data type: REG_DWORD
- Base: Hexadecimal
- Value data: 0
- For dsa-wrs-app.exe:
- Value name: dsa-wrs-app.exe
- Data type: REG_DWORD
- Base: Hexadecimal
- Value data: 0
- For Notifier.exe:
For Citrix Environments
Add the affected Trend Micro processes to the Citrix Terminal Window Interface (TWI) registry key:
- Open Registry Editor (regedit.exe) as Administrator
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
- Locate or create the following registry value:
Value Name: LogoffCheckSysModules Data Type: REG_SZ (String Value) Value Data: Notifier.exe,dsa-wrs-app.exe
For Mixed RDP and Citrix Environments
Apply both registry configurations above to ensure proper session termination across all remote access methods.
- Registry Configuration Requirements:
- Registry changes require administrative privileges
- Test in a non-production environment first
- For RDP: Restart the Terminal Services service or reboot the server for changes to take effect
- For Citrix: Restart the Citrix services or reboot the server for changes to take effect
- Monitor system behavior after implementation to ensure proper functionality
- Citrix-Specific Considerations:
- The LogoffCheckSysModules registry value tells Citrix to check if these system modules need to be terminated during logoff
- This configuration works in conjunction with Citrix's session management policies
- Verify compatibility with your specific Citrix Virtual Apps and Desktops version
In certain environments or organizations where registry modification is not allowed/preferred, the following can be performed:
- Manual Process Termination: Administrators can manually terminate these processes before ending remote sessions
- Startup Script Modification: Modify the remote session startup program to explicitly terminate Trend Micro processes before exiting
- Group Policy Configuration: Use Group Policy to manage Terminal Services and Citrix process handling
- Citrix Policies: Configure Citrix policies to handle process termination during session logoff
- Include both registry configurations in your standard remote access server deployment procedures when Trend Micro agents are installed
- Document these configurations as part of your Trend Micro agent deployment guide for Terminal Server and Citrix environments
- Consider creating a deployment script that applies both registry changes automatically