Lakeside Systrack – excluding applications from being captured

Lakeside systrack gathers a lot of data around application metrics and a ton of other cool stuff. However on occasion you may find yourself wanting to exclude the systrack agent from collecting data. This might be for instance if you are having an issue with a application  and suspect this may be down to the Lakeside Systrack agent hooking into your applications executables.

Lakeside Systrack uses a couple of DLL’s for hooking into and collecting metrics for all applications by default. This DLL is LSIHok.32.dll and the 64bit DLL is Lsihok64.dll. You you use process explorer https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer and view the DLL’s associated with the processes you will see that the Lakeside DLL’s hook into pretty much everything.

lakeside Systrack LSIHok.dll application view.

Now there are a couple of things you can do here to try and test whether the Systrack hook may be causing your application woes. Unfortunately the first one does not quite provide the full test. There is a Systrack setting that you can configure to detail executables to exclude from systrack data gathering. While this does stop the data being gathered by the executable it does not remove to hook from the executable.

In order to specify the executables you wish to exclude from metrics, open up the Systrack Deploy tool then navigate to “Configuration\Alarms and configuration”. The select the  Configuration you wish to change and click Edit.

Now ensure you have click the Enable Advanced settings tick box at the bottom left hand of the screen and select the “Policies and Settings” node.

lakeside Systrack LSIHok.dll configuration

Now expand the “Application Management” and add your executable names (comma delimited) into the “Applications for which data is not recorded” setting. Now OK your way back to the deploy tool and you can either wait for the agents to pick up their new configuration or select all the relevant computers in the tool and select “Read configuration now”.

In a non persistent world though you may find this not to be enough as you’ll want this configuration generally to be available before the Systrack agent starts up and pulls its configuration from the master server. In these instances you can also append these settings into the master image via a registry key.  The registry key in question is located in:

HKLM\Software\Wow6432Node\lakeside Software\LSIAgent\HookThread

You can add the same executable list to the “FilteredApps” reg_sz key and then seal up your image.

Now as mentioned if this doesn’t help your cause and you still suspect systrack of causing issues with your application/executable there is one more thing you can try however it is generally probably a bad idea within a live production environment.  If you want to remove the LSIhok from the application then you can from the same “Alarms and Configuration\Policies and Settings\Application Management” section of the configuration set the “Enable Application Hook” to False. Similarly in a non-perisistent desktop you can also set the following registry key to disable that functionality.

HKLM\Software\Wow6432Node\LanesideSoftware\LsiAgent\HookThread and change the Red_dword value to 0 for the EnableHook key.

This unfortunately does come with some negative behaviour in that you will no longer get any data for application/service hangs logon process information and command like reporting, which for the visualisers and the resolve tool limit their functionality quite considerably. You’ll either want to do this on a small set of test machines or for a very short space of time for testing.

Author: Dale Scriven

Leave a Reply

Your email address will not be published. Required fields are marked *