UserLock Documentation
UserLock Documentation
You are here: Reference > Agents > Desktop agent > Desktop agent manual installation

Desktop agent manual installation

The UserLock 'Desktop' agent is designed to audit, control and protect workstations, servers and terminal servers. This agent audits all interactive sessions activity on these machines and protects them by applying a user access control policy defined through protected account rules.

This 'Desktop' agent has to be installed on the machines and communicates with UserLock servers to control all open requests for interactive sessions.

The UserLock 'Desktop' agent can be installed through the UserLock console. However you can also deploy it manually through the following procedure which depends on the target operating systems. In all cases, defining the communication settings through specific registry values is required.

Install the agent manually

From Windows Vista / Windows Server 2008, the 'Desktop' agent is a Windows service defined to run as 'Local system'.
For Windows XP, Server 2003 and 2003 R2, see this specific section below.

  1. Copy the 'UlAgentExe.exe' file from the UserLock installation folder of the Primary server (localized by default in 'C:\Program Files[ (x86)]\ISDecisions\UserLock') to the system folder of the target machine ("%windir%\SysWOW64\" for 64-bit OS, "%windir%\System32\" for 32-bit OS).
  2. Add the name of the UserLock server in the machine registry.

  3. Register the Windows service with the following command line (run as administrator):

    ULAgentExe.exe /SERVICE S

  4. Start the UserLock agent service using the 'Windows Services console' or the following command line (run as administrator):

    net start UlAgentService

No machine restart is required.

Update the machine registry

Additionally the UserLock 'Desktop' communication settings need to be configured on all machines, whatever operating systems or technologies are involved:

  1. Open the registry on the machine.
  2. Browse to the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
  3. Create the following values:
    • 'UserLockServer' (REG_SZ) containing the name of the UserLock Primary server.
    • 'UserLockServerBackup' (REG_SZ) containing the name of the UserLock Backup server.

    For offsite computers, you might want to configure the following registry values as well:
    • 'UserLockInternetUrl' (REG_SZ) If UserLock Anywhere is enabled, create this registry value and set in its content the URL of UserLock Anywhere (learn more about UserLock Anywhere).
    • 'SessionsWithoutNetworkLogoffAgentInternet' (REG_DWORD) If UserLock Anywhere is enabled, the number of minutes the Desktop agent will wait between each request for the list of sessions to interact with.
    • 'UserLockCfg' (REG_DWORD) See details in the Windows Installer package page.


    Exemple via PowerShell :
    $RegKeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $RegKeyPath -Name 'UserLockServer' -Value 'ULSRVPRI'
    Set-ItemProperty -Path $RegKeyPath -Name 'UserLockServerBackup' -Value 'ULSRVBAC'
    Set-ItemProperty -Path $RegKeyPath -Name 'UserLockInternetUrl' -Value 'https://VES1.VDE.INTRA/ulproxy'
    Set-ItemProperty -Path $RegKeyPath -Name 'UserLockCfg' -Value 768

Please note:

Without setting these registry values, agents can't use localized UserLock servers.

For Windows XP, Server 2003 and 2003 R2

The 'Desktop' agent is a GINA DLL (Graphical Identification and Authentication Dynamic-Link Library).

  1. Copy the file named 'UlAgent.dll' from the UserLock installation folder of the Primary server (localized by default in 'C:\Program Files[(x86)]\ISDecisions\UserLock') to the 'System32' directory of the target machines.
  2. Add the name of the UserLock server in the machine registry.
  3. Set the value 'GinaDLL' of the machine by entering the path of 'UlAgent.dll' (by default 'C:\Windows\System32\UlAgent.dll') for the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Administrative rights are required to set this value.
  4. Restart the machine to enable the 'Desktop' agent.

For Citrix terminal servers

Citrix metaframe uses its own GINA dll. On these servers you should specify the UserLock 'Desktop' agent name 'UlAgent.dll' in the registry value 'ctxGinaDll' (and not as previously in the value 'GinaDll'). This will allow the Citrix GINA to call the UserLock GINA and chains them correctly.

Then you must add the name of the UserLock server in the machine registry.

Once done, the machine needs to be restarted.

For machines with another GINA already installed

In this case the 'GinaDll' registry value already exists in the 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key.

  1. Rename the existing value 'GinaDll' to 'OldGinaDll'.

  2. Create a new value named 'GinaDll' and define it with the path of the 'UlAgent.dll'.

    With this configuration the UserLock GINA will be in charge to call the second GINA and normally the two GINAs will be chained correctly.

    If the other GINA needs to be loaded first, you should leave the previous 'GinaDll' value and read the documentation for the relevant product to establish how this GINA can be chained with the UserLock GINA. In most cases, you will need to specify 'UlAgent.dll' in another registry value (like the 'ctxGinaDll' value of Citrix terminal servers).

  3. Add the name of the UserLock server in the machine registry.
  4. Once done, the machine needs to be restarted.

Please note:

Since 5.51, the GINA chaining registry value 'OldGinaDll' has been renamed to 'UlOrigGinaDll' to avoid a conflict with 'Avatier Password Station' software which was using the same UserLock value name. Upgraded agents will still use the value 'OldGinalDll' for compatibility with old installations.

Uninstall the desktop agent

You can also uninstall the 'Desktop agent' manually.

To completely clean agent data (common to all Windows OS)

Run "RegEdit", browse the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" registry key, then delete:

  • All registry values beginning with "UserLock".
  • The "UserLock" sub key (ie the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserLock" registry key).

From Windows Vista / Windows Server 2008

Unregister the agent with the following command lines (run as administrator):

NET STOP UlAgentService
C:\Windows\SysWOW64\ULAgentExe.exe /SERVICE U
C:\Windows\SysWOW64\ULAgentExe.exe /UNREGISTER

On a 32-bit operating system, replace "SysWOW64" with "System32".

Once done, the agent will be completely uninstalled.

On Windows XP and Server 2003

Unregister the agent with the following command line (run as administrator):

regsvr32 /u C:\Windows\System32\ULAgent.dll

Once done the agent will be disabled but still loaded. To unload the agent, restart the computer.

You can download a reg file here to do it.