This is in continuation with Blog by Joe
Isolation of services
In this blog we will see some of the most frequently asked questions about isolation of services with answers.
1. How to find all the isolated services which are present in a profile?
One can see it in the profiler, Right click on Target->Properties->Services.
2. What all user accounts for services we support?
We isolate services installed with following user accounts.
- Local System
- Local Service
- Network Service
3. What if app installs a service with a user not present in the list above (2) Or How to change the user account of a service?
Most of the services are installed by one of the above user accounts, However if app installs a service with some other user account (custom) missing above, it can be mapped to an account having privileges at par with one of the accounts above, To change the user account of a service, in the profiler select the service in the service list and click modify, select the account from Log On As drop down.
4. How can I change the start type of the service?
Select the service in service list and click modify, select new start type in drop down.
5. Can I Isolate locally installed services?
Yes, from isolated command prompt or app, start the service, it will be isolated, provided service is not running already outside isolation.
6. Can (locally installed) services hosted by svchost.exe be run inside isolation?
Yes, provided service is locally installed and is not running already outside isolation.
7. I have an app, which starts a locally installed service, I do not want the app to isolate this particular service e.g. wsearch etc.
Yes, we can ignore selected services from being islated,there is a service ignore list here HKLM\Software\Citrix\Rade Key , Value is REG_MULTI_SZ ServiceIgnoreList.
Add the name of service to be ignored in the list above.
8. Can a rogue user inject a malicious dll into service executable, by copying a malicious dll to his user layer?
No, Service and app share only Install and physical layer, user layer for service and app sandbox is separate.
9. How do I flush the services of a profile?
Use normal RadeCahe /flush:”Guid” and it will flush all isolated services from same profile.
10. Can I create/delete a service from isolated app, on the client machine?
No, It has to be done in the profiler, User is not allowed to Create or delete the services, it has to be done centrally on the profiler.
11. What is AppHubWhiteList?
Profiles containing services need to come from a trusted app hub, for profiles not in AppHubWhiteList, services will not be started,for more details visit
12. How many instances of isolated service run per machine?
Only one, it is not per user but per machine.
13. Where is Isolated Services Database Located?
It is Here HKLM\Software\Citrix\ [AIE/RadeCahe]\GUID\REGISTRY\MACHINE\SYSTEM\IsolatedServices, However direct manipulation of Services database is not recommended.
Vikramjeet, Service Isolation Developer