VMware Horizon Community
LukaszDziwisz
Hot Shot
Hot Shot

Unable to run VBS script on logon with appstacks

Hello Everyone,

We have an in-house software that should be looking at the ViewClient_Machine_Name Value in HKEY_CURRENT_USER\Volatile Environment or if we issue a set view command but unfortunately it is pretty much hit and miss. THe application needs to look a the client name that the user is connecting from as this is the only constant that doesn't change

in our Instant Clones deployment

The developer came up with another idea and is able to program the application to look at the System Variable with much more reliability. However, to achieve that they are  asking us to deploy a VBS script that should be deployed using Horizon View GPO/Agent Settings and be running at logon (CommandsToRunOnConnect) and reconnect to session (CommandsToRunon Reconnect) with the following command:  c:\windows\system32\cscript.exe \\domain.local\netlogon\viewlogin.vbs

Overall the script works when logged in to VM with writable only but as soon as I attach another appstack to it the script breaks and does not run. ALso if I'm fully logged in and go to my Netlogon share and run it then it doesn't work. No errors, nothing in logs, at least I cannot find anything.

Below is the script:

'************************************************************************************************************************

'The following will create applications and printers based on the following variables:

'vMachine = View Client Machine Name

'vIP = View Client IP Address

'vMAC = View Client MAC Address

'This section sets the variables mentioned above based on registry keys set by VMware View Agent

'***********************************************************************************************************************

On Error Resume Next

Const HKEY_CURRENT_USER = &H80000001

Set wmiLocator=CreateObject("WbemScripting.SWbemLocator")

Set wmiNameSpace = wmiLocator.ConnectServer(".", "root\default")

Set objRegistry = wmiNameSpace.Get("StdRegProv")

sPath = "Volatile Environment"

lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_Machine_Name", vMachine)

lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_IP_Address", vIP)

lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_MAC_Address", vMAC)

'msgbox "The Remote Device Name is " & vMachine & " @ " & vIP & " (" & vMAC & ") "

Dim WSHShell

Dim Shortcut, Desktop, DesktopPath

Set WSHShell = WScript.CreateObject("WScript.Shell")

DesktopPath = WSHShell.SpecialFolders("Desktop")

Set fso = CreateObject("Scripting.FileSystemObject")

'Sets ViewClient_Machine_Name as a system variable Dim SysVarReg, Value Set SysVarReg = WScript.CreateObject("WScript.Shell") value = SysVarReg.RegRead("HKCU\Volatile Environment\ViewClient_Machine_Name") SysVarReg.RegWrite "HKCU\Volatile Environment\1\CLIENTNAME", value WshShell.Environment.Item("ViewClient_Machine_Name") = vMachine

We did give Users Modify permissions to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

It seems to be very inconsistent too as it seems to work with some appstacks attached but not all which is majority but it always works fine on Vm with no appstacks and writable only.

I have also attempted to do the same with Powershell Script but that doesn't seem to work at all, not even on appstack free machines.

$userVariables= (Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Volatile Environment')

Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name ViewClient_Machine_Name -Value $userVariables.ViewClient_Machine_Name

Also tried UEM Logon task just to see if the PS script would work and even though in logs I see it processed it does not work. When logged in to the machine I can run it just fine. UEM was more for test as it wil lneed to work through Horizon GPO due to reconnect option.

Envronment: AppVoloumes 2.16, Horizon 7.8, vCenter 6.7 U3, Windows 1809 LTSC

Any advise would be very appreciated.

Reply
0 Kudos
11 Replies
sjesse
Leadership
Leadership

Have you tried wrapping the command in a cmd file?

Reply
0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

I didn't, just simply followed what vendor requested. Would you mind sharing how to accomplish this?

Reply
0 Kudos
sjesse
Leadership
Leadership

take

c:\windows\system32\cscript.exe \\domain.local\netlogon\viewlogin.vbs

and put it in viewlogin.bat, and save that in the appstack and use the gpos to call viewlogin.bat instead.

Reply
0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

Ok I'll try that. I'm not putting the script in the appstack. Instead is sits in my Netlogon share and I'm calling it from there as not every machine has the same appstack and some don't have any.

Reply
0 Kudos
sjesse
Leadership
Leadership

If these are all instant clones can you put it in the parent image? If not you may want to enable the always wait for network gpo setting to make sure its not being ran before the netlogon share is available.

Reply
0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

Yes I  do have wait for network gpo setting enabled. For now if it works I will leave it in Netlogon and once I go around with my image updates I'll include it there and point it to local drive of the Parent Image

Reply
0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

OK so I have done more testing and different scenarios. None of them seem satisfactory, here are the reuslts"

All scenarios have permissions for Users set to Modify on  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

1. Scenario 1 - as main post above

- ViewLogin.vbs located in \\domain\netlogon\viewlogin.vbs

- horizon agent configured through GPO to run c:\windows\system32\cscript.exe \\domain\netlogon\viewlogin.vbs

Results:

Works on VMs with writable only and some appstacks but with majority of them it does not work

If I'm logged in to the machine with appstack  and try to run it manually it also doesn't work

2. Scenario 2

- Placed ViewLogin.vbs in C:\Windows\Setup\Scripts on the master image

- horizon agent configured through GPO to run c:\windows\system32\cscript.exe C:\Windows\Setup\Scripts\viewlogin.vbs

Results:

The same as Scenario 1.

Works on VMs with writable only and some appstacks but with majority of them it does not work

If I'm logged in to the machine with appstack  and try to run it manually it also doesn't work

3. Scenario 3

As advised I have created a ViewLogin.bat and placed it into \\domain\netlogon\viewlogin.bat.

ViewLogin.bat contains the following:

c:\windows\system32\cscript.exe C:\Windows\Setup\Scripts\viewlogin.vbs

- Placed ViewLogin.vbs in C:\Windows\Setup\Scripts

- horizon agent configured through GPO to run \\domain\netlogon\viewlogin.bat

Results:

Doesn't work at the logon on Vm with no appstack. If I run it manually it adds the Environmental Variable just fine

If I attach and appstack, it doesn't work at the logon and it doesn't work when I manually launch it when logged in to machine with appstack

4. Scenario 4

Created a ViewLogin.bat and placed it into \C:\Windows\Setup\Scripts\viewlogin.bat on master image

ViewLogin.bat contains the following:

c:\windows\system32\cscript.exe C:\Windows\Setup\Scripts\viewlogin.vbs

- Placed ViewLogin.vbs in C:\Windows\Setup\Scripts

- horizon agent configured through GPO to run C:\Windows\Setup\Scripts\viewlogin.bat

Results:

The same as Scenario 3

Doesn't work at the logon on Vm with no appstack. If I run it manually it adds the Environmental Variable just fine

If I attach and appstack, it doesn't work at the logon and it doesn't work when I manually launch it when logged in to machine with appstack

Any idea what might be happening?

Reply
0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

So we have identified why it's not working with appstacks but don't really know how ti fix it.

Even though HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key has users permissions to modify the key on the master image, when I attach appstack the command is not running successfully and we are seeing access denied in logs. I have tried to manually run the command in logged in machine and it fails as well.

I have tried to create any key this registry key and it fails with access denied as well. I can successfully create one in HKCU but not in HKLM. Once I detach the appstack I can run it successfully.

SO for some reason having appstack attached is causing it to fail

Also, more for anyone trying to run commands on Connect and reconnect through Horizon Agent GPO I was missing -c  in front of the command that's why the bat file didn't work on logon with no appstack

To run scripts that require console access, prepend the -C or -c option followed by a space. For example:

-c C:\Scripts\Cli_clip.cmd

-C e:\procexp.exe

Supported file types include .CMD, .BAT, and .EXE. .VBS files will not run unless they are parsed with cscript.exe or wscript.exe. For example:

-C C:\WINDOWS\system32\wscript.exe C:\Scripts\checking.vbs

The total length of the string, including the -C or -c option, should not exceed 260 characters.

Reply
0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

UPDATE:

I had SR opened with VMware and we have discovered that if I create brand new appstack containg the same application ( not update existing one) it appears to be working and script successfully is running, so we decided to go that route. However, now we are finding that we still have 10 more appstacks that even after recreation they still prevent this script from running. We even tried to add registry exclusion for that key exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment    in snapvol.cfg of the appstack and still no luck

Reply
0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

Furthermore, I have been playing around a little more with affected appstacks and found that for some reason I can create new registry entry under Environment key using regedit UI and it sticks fine but if I try to run it using cmd I get access denied. If I run cmd with privileged account that has admin rights to the machine it works as well.

So somewhere along the lines of provisioning something is changing and prevents the script from creating the registry in it. I do have Environment key configured with modify permissions for users.

It alos seems like it is only with some applications in appstack that we are seeing it. Don't know what it is though. Examplease are Content Manager Desktop, SQL Management Studio, Quickbooks and couple of other ones specific to our organization.

Anyone seen anything like it?

Reply
0 Kudos
LukaszDziwisz
Hot Shot
Hot Shot

One more update:

The issue is fixed. It appears that the registry key Environment has some permission issues. If I'm in provisioning and want to change permissions on that key they don't stick. As the matter of the fact yo modify permission and immediately is wipes the change. So affected appstacks were somehow affecting that key because even after attaching the appstack to VM and was trying to manually add the Variable to the key  using CMD I would be getting access denied. I can do that using  UI  (regedit) but just not using cmd. I have checked exclusions on snapvol.cfg and that key is not excluded besides we pretty much stayed with default template.

Anyway long story short, I ended up changing the permissions on that key for users to be able to modify on packaging machine and did snapshot and provisioned the same application on that machine and now the script runs with no issues.

Thank you everyone for all the suggestions and help with it. Hopefully this will help anybody trying to do something similar.

Reply
0 Kudos