Channel: Remote Desktop Services (Terminal Services) forum

User Profile Service writes wrong Hash in UserChoice

Hi,

We host multiple clients with highly standardized environments, but on the servers of a single customer I have the following behaviour:

  • a User logs on to the RDS Server
  • the User Profile Service (profsvc) writes the assigned FTAs (in this case protocols) into the user registry (observed in procmon)
  • the User gets prompted for which application to use for opening assigned type

The associations xml is right since it works with every other customer. The only FTAs (or protocols) included are http and https.

The values get written to the correct reg key: HKU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http(s)\UserChoice

There ProgID and Hash are also written but it seems like the Hash is wrong.

If I set the default Program in the dialog (OpenWith), another Hash is written and this Hash seems to be correct since opening Hyperlinks works then. But since UsrClass.dat doesn't roam after a logoff the settings are gone.

If I take a hash value that has been set through the OpenWith dialog that is working and replace it with the hash set from profsvc it also works.

I read that the generation of the hash also includes the timestamp of the reg key. If this is true, replacing the hash with an older version should not work, right?

Since this behaviour only occurs on one of our clients I do not rule out the possibility of customizations made by the customer, but I cannot find any further clues to pin down the culprit.

Said Server is a 2012 R2 with latest patches, Citrix VDA 7.6, Citrix UPM 5.5. The issue occurs on all tested clients (Win7, Win10, IGEL ThinClients).

What are other areas I could look at or tools I could use to do any further analysis? My traces so far involved monitoring the activity on said registry keys and the mentioned associations.xml in procmon. In both cases only svchost with UserProfileService on the Stack accessed said items.

Thanks in advance!

associations.xml:

<?xml version="1.0" encoding="UTF-8"?><DefaultAssociations><Association ApplicationName="Internet Explorer" ProgId="IE.HTTP" Identifier="http"/><Association ApplicationName="Internet Explorer" ProgId="IE.HTTPS" Identifier="https"/></DefaultAssociations>

Stack of the RegSetValue Operation on the hash on User login:

0 ntoskrnl.exe RtlEqualUnicodeString + 0x1f00 0xfffff8033d425d80 C:\WINDOWS\system32\ntoskrnl.exe
1 ntoskrnl.exe SeAssignSecurity + 0x2d77 0xfffff8033d45d5cf C:\WINDOWS\system32\ntoskrnl.exe
2 ntoskrnl.exe setjmpex + 0x6523 0xfffff8033d1d51a3 C:\WINDOWS\system32\ntoskrnl.exe
3 ntdll.dll NtSetValueKey + 0xa 0x7ffaead70d5a C:\WINDOWS\SYSTEM32\ntdll.dll
4 KERNELBASE.dll RegCreateKeyExW + 0x187 0x7ffae8161477 C:\WINDOWS\system32\KERNELBASE.dll
5 KERNELBASE.dll RegSetValueExW + 0x141 0x7ffae8161601 C:\WINDOWS\system32\KERNELBASE.dll
6 SHELL32.dll OpenRegStream + 0x2daf 0x7ffae97924df C:\WINDOWS\system32\SHELL32.dll
7 SHELL32.dll Ordinal714 + 0x32ad 0x7ffae9840f2d C:\WINDOWS\system32\SHELL32.dll
8 SHELL32.dll SHGetFolderPathAWorker + 0x74b 0x7ffae98568fb C:\WINDOWS\system32\SHELL32.dll
9 SHELL32.dll SHGetFolderPathAWorker + 0xa5c 0x7ffae9856c0c C:\WINDOWS\system32\SHELL32.dll
10 SHELL32.dll SHGetFolderPathAWorker + 0x904 0x7ffae9856ab4 C:\WINDOWS\system32\SHELL32.dll
11 SHELL32.dll SHGetFolderPathAWorker + 0x148a 0x7ffae985763a C:\WINDOWS\system32\SHELL32.dll
12 SHELL32.dll SHGetFolderPathAWorker + 0xdde 0x7ffae9856f8e C:\WINDOWS\system32\SHELL32.dll
13 SHELL32.dll Ordinal891 + 0x17a36 0x7ffae98c6ae6 C:\WINDOWS\system32\SHELL32.dll
14 profsvc.dll profsvc.dll + 0x4ad8 0x7ffae59b4ad8 c:\windows\system32\profsvc.dll
15 profsvc.dll profsvc.dll + 0x499b 0x7ffae59b499b c:\windows\system32\profsvc.dll
16 profsvc.dll UserProfileServiceMain + 0xe69 0x7ffae59c2079 c:\windows\system32\profsvc.dll
17 profsvc.dll UserProfileServiceMain + 0x16f1 0x7ffae59c2901 c:\windows\system32\profsvc.dll
18 profsvc.dll profsvc.dll + 0x7d3d 0x7ffae59b7d3d c:\windows\system32\profsvc.dll
19 profsvc.dll profsvc.dll + 0x68da 0x7ffae59b68da c:\windows\system32\profsvc.dll
20 ntdll.dll TpSimpleTryPost + 0x1be 0x7ffaeacf679e C:\WINDOWS\SYSTEM32\ntdll.dll
21 ntdll.dll RtlFreeUnicodeString + 0x17ed 0x7ffaead18e8d C:\WINDOWS\SYSTEM32\ntdll.dll
22 KERNEL32.DLL BaseThreadInitThunk + 0x22 0x7ffae8c213d2 C:\WINDOWS\system32\KERNEL32.DLL
23 ntdll.dll RtlUserThreadStart + 0x34 0x7ffaeacf54f4 C:\WINDOWS\SYSTEM32\ntdll.dll

