Summary
This document explains Citrix API hooking as provided by mfaphook.dll and enumerates the functions supported by it.
Background
Certain Citrix Presentation Server features are implemented by loading a number of DLL modules into the address space of each application and hooking certain API calls. Once hooked, Citrix's implementation of a given function will replace the default implementation for the life of the process.
Implementation
When Microsoft's user32.dll is attached to a process the following registry key is queried for a list of DLLs which are to be loaded:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Citrix Presentation Server adds “mfaphook.dll” to this list which in turn enumerates and loads the DLLs specified by keys under the following registry key for 32-bit:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook
And 64-bit:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook
-And-
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook64
Provided certain conditions are met, each module will be loaded in turn and will persist for the life of the process.
Features
The following Citrix Presentation Server features are implemented using this API hooking functionality.
In MetaFrame XP and later:
• Per Session Time Zone
• Shadow Event Logging
• Smart Card support for applications
• SpeedScreen Latency Reduction
• SpeedScreen Browser Acceleration
In MetaFrame Presentation Server 3.0 and later:
• SpeedScreen Flash Acceleration
• WDM Audio
In Citrix Presentation Server 4.0 and later:
• Virtual IP
• ActiveSync
• Application Isolation Environment (There is also a device driver)
• Multiple monitor support
• CTX110301 – Applications Unexpectedly Exit from Multiple Monitor Workstations
• CTX112908 – LIMITED RELEASE - Hotfix PSE400R03W2K009 - For Citrix Presentation Server 4.0 for Windows 2000 Server
• Seamless Explorer
• TWAIN
• Unicode Injection IME
• UPD
More Information
Working with the AppInit_DLLs registry value
