Fulcrum Blog

Article: A Deep Dive into Active Setup: Part 4 – The Finale

Apr 27, 2020 | blog |

by Jacob Kimbrough

Consulting Architect

Jacob Kimbrough is a Consulting Architect at Fulcrum Technology Solutions. Kimbrough joined the Infrastructure team in 2014.

In Part 1 of this series, we looked at what Active Setup is and some use cases that I solved using Active Setup. In Part 2, we looked at the technical side and inner workings of an Active Setup component along with some testing methods. Last time in Part 3, we took a look at some very important “gotchas” and ways to get around them. In the final part of this series, we look at a special case for implementing Active Setup in an RDS RemoteApp or Citrix published app environment, and present a few bonus items.

RemoteApp RDS Server Special Workaround
If you use Microsoft’s own Remote Desktop Services (RDS), and further make use of specialized RemoteApp facility, you run into a problem when you want to use Active Setup: explorer.exe is NOT the user’s shell when the user session logs on! Since explorer.exe is what runs Active Setup, that’s an issue. Microsoft has implemented a workaround that’s somewhat less functional than Active Setup, but accomplishes basically the same trick: RailRunonce.

Registry location:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RailRunonce

But note, there is no versioning here, so it might not be ideal for your environment. Instead, you could run the AlternateShellStartup item mentioned earlier as part of a logon script or your RailRunonce registry item.

How to use RailRunonce
Under the RailRunonce key, put a REG_SZ or REG_EXPAND_SZ entry with a Value containing the path that would be in your StubPath.

Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RailRunonce
Name MyScript
Value cmd.exe /c “START “My script” powershell.exe -WindowStyle Hidden -NonInteractive -File “C:\Program Files\Scripts\MyScript.ps1″”


Having Cake and Eating It, Too: Combine RailRunonce with Active Setup
You can use the kiosk “trick” to make RemoteApp’s shell execute Active Setup! To do this, create the following registry entry:

Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RailRunonce
Name RunActiveSetup
Value %systemroot%\system32\runonce.exe /AlternateShellStartup


Now, I can use my Active Setup components normally inside of a kiosk/RemoteApps session, where explorer.exe is NOT my user default shell! In this context, Active Setup behaves just as you expect – complete with version control, running once per user, etc.

Having said that, there is one caveat: your Active Setup components will run ASYNCHRONOUSLY to the user’s RemoteApp application. Allow me to present the execution flow in order to explain:

  1. User logs onto RemoteApp and initiates a logon session
  2. Windows logs in the user and executes exe as the default user shell
  3. exe looks in the RailRunonce registry key and executes these in order asynchronously
  4. Your exe call (%systemroot%\system\runonce.exe /AlternateShellStartup) is executed asynchronously
  5. User application is launched

Step 4 spawns off the Active Setup process, but everything else continues to execute.

If you need Active Setup to initialize some things for your user’s RemoteApp application, you may need to instruct users to run the app; sign off; and run the app again the first time. Otherwise, you’d have to employ some sort of launcher script with an arbitrary wait period or some sort of registry checking mechanism.

Bonus Points

What if you have multiple Active Setup components that you need to run in a certain order?
Active Setup keys are processed in alphanumeric order!  So you can pre-pend your components like this:

…\Active Setup\Installed Components\1_MyASComponent

…\Active Setup\Installed Components\2_MyASComponent

…\Active Setup\Installed Components\3_MyASComponent

EXTRA Bonus Points!  Active Setup will process “<” and “>” operators just like you think:

…\Active Setup\Installed Components\<MyASComponent (will run first, before MyASComponent)

…\Active Setup\Installed Components\MyASComponent (will run second)

…\Active Setup\Installed Components\>MyASComponent (will run last, after MyASComponent)

What if you want to use a script, a la my SCCM use case above, to create an Active Setup component on target PCs?
You can create a .reg file and import it. Or, you can use a script to generate the entries. Here’s a PowerShell snippet to do just that – quotes and all:

# Create-ActiveSetupEntry

# This function will create the registry entries necessary for an Active Setup item

# Parameters:

# -Name: String; name of the Active Setup item that will be displayed on screen

# -ExecutionPath: String; command to be executed. Must have full paths, quotes, parameters, etc specified.

# -VersionNumber: String; version number of this item. (Note that any dots “.” will be converted into commas “,” for compatibility)

# -ExemptCurrentUser: Switch; if specified, appropriate registry entries will be made to fool Active Setup into thinking

#                     that the process has already been executed for the current user. Useful if you want this item to execute for all

#                     logins, but will handle the currently logged-on user differently.

# Return: String “Complete.” if completes successfully.

Function Create-ActiveSetupEntry {


Param (

[Parameter(Mandatory=$true)][string] $Name,


[Parameter(Mandatory=$true)][string] $ExecutionPath,


[Parameter()][string] $VersionNumber



# Format constants

$RegPathTemplate = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{0}”

$ComponentName = $Name

$RegPath = ( $RegPathTemplate -f $ComponentName )

$VersionString = $VersionNumber -replace “\.”, “,”

# Test to see if the key already exists; create it if not

if ( Test-Path -Path $RegPath ) {

Write-Host “Registry path ‘$RegPath’ already exists”

} else {

Write-Host “Registry path ‘$RegPath’ does NOT already exist; creating it”

New-Item -Path $RegPath -Force


# Create properties

Write-Host “Creating Active Setup properties…”

New-ItemProperty -Force -Path $RegPath -Name “IsInstalled” -Value 1 -PropertyType DWORD

New-ItemProperty -Force -Path $RegPath -Name “Locale” -Value “*” -PropertyType STRING

New-ItemProperty -Force -Path $RegPath -Name “StubPath” -Value $ExecutionPath -PropertyType STRING

New-ItemProperty -Force -Path $RegPath -Name “Version” -Value $VersionString -PropertyType STRING

New-ItemProperty -Force -Path $RegPath -Name “(Default)” -Value $Name -PropertyType STRING

Write-Host “Complete.”

} #/Create-ActiveSetupEntry

# Example of using Active Setup to launch a batch file

$BatchFilename = “C:\ProgramData\TestBatch.cmd”

$ExecutionString = “$ENV:windir\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command `”& Start-Process -WindowStyle Hidden `’$BatchFilename`’`””

Create-ActiveSetupEntry `

-Name “Test Task” `

-ExecutionPath $ExecutionString `

-VersionNumber “1,0,0,0” `


I hope you’ve enjoyed this series on Active Setup. Active Setup solves a lot of interesting use cases and is pretty straight-forward to implement, but comes with several caveats and gotchas. Hopefully, you found something you didn’t already know and can avoid some intense days of R&D (or worse – resorting to a messier and error-prone alternative approach). Good luck!


[feather_share show=”facebook, twitter, linkedin,” hide=”reddit, tumblr, pinterest, google_plus, mail”]
[wpad-comment-form id=”311″]

The Fulcrum Difference

At Fulcrum Technology Solutions, we differentiate ourselves from other technology- and business-consulting firms with a unique guarantee: when you hire Fulcrum, we commit to finish the job. Whether working under a time-and-materials contract or a cost-plus arrangement, we will not leave until we’ve delivered exactly what we said we’d do. Our word defines us, and motivates us to give you the service that you deserve!

2603 Augusta Dr. Suite 1325, Houston, TX 77057

Phone: 832-954-2800 


Share This