Citrix PVS prep script for Sophos

Some of you will know that Sophos is my, ahem, favourite Sophosanti-virus product.  However it was the product of choice at the time (they are now moving to McAfee) for a large school district I deal with hence I had no choice but to remain acquainted with it irrespective of it’s poor performance (Sophos have advised to leave real-time scanning *off* for performance reasons?!?), it’s poor management console (customer had to write their own deployment scripts for reliable deployment) and poor customer service from Sophos.

I wrote a small script to prepare Sophos for PVS deployment on XenApp and XenDesktop machines, run this script just prior to shutting down your Private mode image and switching back to Standard.

@echo off
REM Script by Daniel Marsh
REM run at shutdown to prep Sophos on Citrix XenApp/VDI machines.
REM refer to

net stop "Sophos Agent"
net stop "Sophos Anti-Virus"
net stop "Sophos Anti-Virus status reporter"
net stop "Sophos AutoUpdate Service"
net stop "Sophos Message Router"
net stop "Sophos Web Control Service"
net stop "Sophos Web Intelligence Service"

del C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt

reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkp /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkc /f

When I have a spare few minutes I may even see if I can another feature – it could be run via GPO as a machine shutdown script that only executes if the image is in private mode, which would save you having to run it manually.  I haven’t figured out how to do this yet, if you do know please drop me a comment below.

Refer to for more detail on what each key/service etc does.

XenApp 6.5 HRP02 install hangs

Citrix recently released the eagerly anticipated HRP02 for XenApp 6.5, which contains around 87 hotfixes bundled into this one rollup.  You can download it here.

While installing this patch onto several servers in a farm, most of them worked fine however on one server the patch installation hung part way through (at around 90%) with no apparent errors or issues recorded in the event log.



Restarting the server and retrying the install with AV disabled, Citrix services stopped, third party services stopped had no effect.  Next step was to enable logging by installing the patch using the following command line:

C:\Temp> msiexec /p XA650W2K8R2X64R02.msp /L*V c:\temp\hrp02.log

Examining the resulting log file revealed the issue – this particular server had the XenApp install run from a UNC network share that no longer existed, and could not locate the original install media:

HRP02_logA quick registry search revealed this original UNC path of the install media was set in multiple places in the registry, for each of the individual components that make up a XenApp install (eg base XenApp install, Flash extensions, Delivery Services console etc all have individual installers).  After a bit of find and replace work, and a restart of the server, the patch install completed successfully!