Session Recording 2112

Log events

Session Recording can log events and tag them in recordings for later search and playback. You can search for events of interest across a large number of recordings and locate the events during playback in the Session Recording Player.

System-defined events

Session Recording can log the following system-defined events that occur during recorded sessions:

  • Insertion of USB mass storage devices

  • Application starts and ends

  • App failures

  • App installs and uninstalls

  • File renaming, creation, deletion, and moving operations within sessions

  • File transfers between session hosts (VDAs) and client devices (including mapped client drives and generic redirected mass storage devices)

  • Web browsing activities

  • Topmost window events

  • Clipboard activities

  • Modifications in the Windows registry

  • User account modifications

  • RDP connections

Note:

Applications built by PowerBuilder might exit unexpectedly when there are active policies detecting web browsing activities and topmost window events. To avoid the issue, use PowerBuilder 2019 R3 to build your applications.

Insertion of USB mass storage devices

Session Recording can log the insertion of a Client Drive Mapping (CDM) mapped or generic redirected USB mass storage device in a client where Citrix Workspace app for Windows or for Mac is installed. Session Recording tags these events in the recording.

Note:

To use an inserted USB mass storage device and log the insertion events, set the Client USB device redirection policy to Allowed in Citrix Studio.

Currently, only the insertion of USB mass storage devices (USB Class 08) can be logged. For more information, see Event detection policies.

Application starts and ends

Session Recording supports logging of both application starts and ends. When you add a process to the App monitoring list, apps driven by the added process and its child processes are monitored. Child processes of a parent process that starts before Session Recording runs can also be captured.

Session Recording adds the process names cmd.exe, powershell.exe, and wsl.exe to the App monitoring list by default. If you select Log app start events and Log app end events for an event logging policy, the starts and ends of the Command Prompt, PowerShell, and Windows Subsystem for Linux (WSL) apps are logged whether or not you manually add their process names to the App monitoring list. The default process names aren’t visible on the App monitoring list.

In addition, Session Recording provides a full command line for each app start event logged.

App start and end events

Application failures

You can log unexpected app exits and unresponsive apps by selecting Log app failures when creating your event detection policy. The Log app failures rule applies to all apps.

App installs and uninstalls

The Log app installs and uninstalls rule applies to all apps.

User account modifications

You can log account creation, enablement, disablement, deletion, name changes, and password modification attempts.

RDP connections

You can log RDP connections initiated from the VDA hosting the recorded session.

File renaming, creation, deletion, and moving operations within sessions and file transfers between session hosts (VDAs) and client devices

Session Recording can log renaming, creation, deletion, and moving operations on target files and folders that you specify in the File monitoring list. Session Recording can also log file transfers between session hosts (VDAs) and client devices (including mapped client drives and generic redirected mass storage devices). Selecting the Log sensitive file events option triggers the logging of file transfers, whether or not you specify the File monitoring list. For more information, see Event detection policies.

Note:

To enable file drag and drop and capture the drag and drop events, set the Drag and Drop policy to Enabled in Citrix Studio.

Web browsing activities

You can log user activities on supported browsers and tag the events in the recording. The browser name, URL, and page title are logged. For an example, see the following screen capture.

Web browsing activity

When you move your cursor away from a webpage that has focus, your browsing of this webpage is tagged without showing the browser name. This feature can be used to estimate how long a user stays on a webpage. For an example, see the following screen capture.

Cursor away from a webpage that has focus

List of supported browsers:

Browser | Version
Chrome | 69 and later
Internet Explorer | 11
Firefox | 61 and later

Note:

This feature requires Session Recording Version 1906 or later. For more information, see Event detection policies.

Topmost window events

Session Recording can log the events when the window of an app is on top of all others. The process name, title, and process number are logged.

Topmost window events

Clipboard activities

Session Recording can log copy operations of text, images, and files using the clipboard. The process name and file path are logged for a file copy. The process name and title are logged for a text copy. The process name is logged for an image copy.

Note: Content of copied text is not logged by default. To log text content, go to the Session Recording Agent and set HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartAuditor\Agent\CaptureClipboardContent to 1 (the default value is 0).

Clipboard activity events

Modifications in the Windows registry

Starting with Version 2109, Session Recording can detect and log the following registry modifications while recording sessions:

Registry modification | Corresponding event
Adding a key | Registry Create
Adding a value | Registry Set Value
Renaming a key | Registry Rename
Renaming a value | Registry Delete Value and Registry Set Value
Changing an existing value | Registry Set Value
Deleting a key | Registry Delete
Deleting a value | Registry Delete Value

For example:

Registry modification events

To enable this registry monitoring functionality, select the Log registry modifications option for your event detection policy. For more information, see Create a custom event detection policy.

Custom events

The Session Recording Agent provides the IUserApi COM interface that third-party applications can use to add application-specific event data into recorded sessions. Based on the event customization, Session Recording can block sensitive information and log the session pause and session resume events accordingly.

Sensitive information blocking

Session Recording lets you skip certain periods when recording the screen and blocks sensitive information in these periods during session playback. This feature requires Session Recording 2012 or later.

Content blocked prompt

To use this feature, complete the following steps:

  1. In Session Recording Agent Properties, select the Allow third party applications to record custom data on this VDA machine check box and click Apply.

    Allowing event customization

  2. Grant users permission to invoke the Session Recording Event API (IUserApi COM interface).

    Session Recording added access control to the event API COM interface in version 7.15. Only authorized users are allowed to invoke the functionality to insert event metadata into a recording.

    Local administrators are granted this permission by default. To grant other users this permission, use the Windows DCOM configuration tool:

    1. Open the Windows DCOM configuration tool on the Session Recording Agent by running dcomcnfg.exe.

      Windows DCOM configuration tool

    2. Right-click Citrix Session Recording Agent and choose Properties.

      Selecting Session Recording Agent Properties

    3. Select the Security tab, and then click Edit to add users with Local Activation permission in the Launch and Activation Permissions section.

      Adding users with the Local Activation permission


    Note:

    DCOM configuration takes effect immediately. There is no need to restart any services or the machine.

  3. Start a Citrix virtual session.

  4. Start PowerShell, change the current location to the <Session Recording Agent installation path>\Bin folder, and import the SRUserEventHelperSnapin.dll module.

  5. Run the Session-Pause and Session-Resume cmdlets to set parameters for triggering sensitive information blocking.

    Parameter | Description | Required or Optional
    -APP | The app name that calls the cmdlet. | Required
    -Reason | The reason that content is blocked. If you leave this parameter unspecified, the default setting shows, stating Content Blocked and Sensitive information exists and is blocked. If you set this parameter, the reason you specify shows when you navigate to the blocked period during session playback. | Optional

    For example, you can run Session-Pause similar to the following:

    Running Session-Pause
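
Steps 4 and 5 combined into one script, as an added example that is not part of the Citrix documentation: it wraps a sensitive operation so that recording is paused before the operation starts and always resumed afterwards, even if the operation throws. The function name `Invoke-WithRecordingPaused`, the app name `PaymentForm`, and the reason text are hypothetical; it also assumes that Session-Resume accepts -APP in the same way as Session-Pause, because the page gives one parameter table for both cmdlets.

```powershell
# Added example. Assumptions: the installation path below is a placeholder
# to replace, and Session-Resume takes -APP like Session-Pause does.

function Invoke-WithRecordingPaused {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $App,          # value for -APP (required)
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,  # the sensitive operation
        [string] $Reason                                    # value for -Reason (optional)
    )

    # Treat any cmdlet error as terminating, so the sensitive operation
    # never runs on screen if the pause request itself failed.
    $ErrorActionPreference = 'Stop'

    $pauseArgs = @{ APP = $App }
    if ($Reason) { $pauseArgs.Reason = $Reason }

    Session-Pause @pauseArgs
    try {
        & $ScriptBlock
    }
    finally {
        # Runs on success and on failure: the recording is not left
        # paused for the rest of the session.
        Session-Resume -APP $App
    }
}

# Step 4: load the helper module from the Agent's Bin folder.
Set-Location -Path '<Session Recording Agent installation path>\Bin'
Import-Module .\SRUserEventHelperSnapin.dll -ErrorAction Stop

# Step 5: block the period in which a secret is typed.
Invoke-WithRecordingPaused -App 'PaymentForm' -Reason 'Card number entry' -ScriptBlock {
    Read-Host -Prompt 'Enter card number' -AsSecureString | Out-Null
}
```

The account that runs this script needs the Local Activation permission granted in step 2, and the check box from step 1 must be selected on the VDA.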

Search for and play back recordings with tagged events

Search for recordings with tagged events

The Session Recording Player allows you to perform advanced searches for recordings with tagged events.

  1. In the Session Recording Player, click Advanced Search on the tool bar or choose Tools > Advanced Search.
  2. Define your search criteria in the Advanced Search dialog box.

The Events tab allows you to search for tagged events in sessions by Event text, Event type, or both. You can use the Events, Common, Date/Time, and Other filters in combination to search for recordings that meet your criteria.

Advanced event search

Note:

  • The Event type list itemizes all event types. You can select an event type to search. Selecting Any Citrix-defined event searches for all recordings with any type of event logged by Citrix Session Recording.
  • The Event text filter supports partial match. Wildcards are not supported.
  • The Event text filter is case-insensitive when matching.
  • The event type words App Start, App End, Client drive mapping, and File Rename do not participate in matching when you search by Event text. Therefore, when you type App Start, App End, Client drive mapping, or File Rename in the Event text box, no result can be found.

Play back recordings with tagged events

When you play back a recording with tagged events, the events appear in the Events and Bookmarks panel and show as yellow dots in the lower part of the Session Recording Player:

Playing back recordings with tagged events

You can use events to navigate through a recorded session, or skip to the points where the events are tagged.
