The list of Citrix services
In kernel or complete memory dumps coming from Windows servers running Citrix Presentation Server 4.x you might see the following processes running in session 0, for example:
2: kd> !process 0 0
PROCESS 895c7380 SessionId: 0 Cid: 03f0 Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d220 ObjectTable: 895c7628 HandleCount: 684.
Image: CpSvc.exe
PROCESS 892e3320 SessionId: 0 Cid: 060c Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d440 ObjectTable: 892e76c8 HandleCount: 93.
Image: cdmsvc.exe
PROCESS 892ed4a0 SessionId: 0 Cid: 05f8 Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d420 ObjectTable: 892f1268 HandleCount: 107.
Image: CdfSvc.exe
PROCESS 89297020 SessionId: 0 Cid: 06ac Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d520 ObjectTable: 892991c8 HandleCount: 62.
Image: encsvc.exe
PROCESS 892a4020 SessionId: 0 Cid: 06d4 Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d540 ObjectTable: 892b9a48 HandleCount: 1088.
Image: ImaSrv.exe
PROCESS 892a5020 SessionId: 0 Cid: 070c Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d560 ObjectTable: 8927b568 HandleCount: 188.
Image: mfcom.exe
PROCESS 890e8620 SessionId: 0 Cid: 0cc4 Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d6e0 ObjectTable: 890e8948 HandleCount: 691.
Image: SmaService.exe
PROCESS 8901bd60 SessionId: 0 Cid: 0d80 Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d880 ObjectTable: 89021e88 HandleCount: 148.
Image: XTE.exe
PROCESS 88fce020 SessionId: 0 Cid: 1204 Peb: 7ffdf000 ParentCid: 01a8
DirBase: 0a43d900 ObjectTable: 88fcfac8 HandleCount: 186.
Image: ctxwmisvc.exe
These are Citrix services and the following Citrix article describes them:
Citrix Presentation Server Services Overview
- Dmitry Vostokov @ DumpAnalysis.org -