So, I understand how the sms_systemconsoleusage class is supposed to work:
https://msdn.microsoft.com/en-us/library/cc146052.aspx My question is; How do others deal with some machines reporting more minutes logged on than there are actual minutes in the event log? My theory is that because of this: If a matching logoff event cannot be found, the next shutdown event or logon event is used in place of a logoff event. If none of these can be found, the latest entry in the security log is used. The resulting information is aggregated by user and ordered by total console usage. it is possible there were multiple logon events found, but no subsequent matching logoff events, causing minutes to be double/triple/(whatever number of users were on the device) counted. Are other people seeing this? For example, I have machines that report to have one day's worth of security event log, with over 1440 minutes of usage. I log in to the machine, and in fact there is only one day worth of security event log but yet the wmi class on the device definitely claims over 1440 minutes worth of logon time within that one day. With only 1440 minutes being available in a day, we all know that can't be possible. This appears to only happen on machines with TotalConsoleUsers > 1, supporting my theory. So, how do others filter out the "junk" or is there some supported way to remedy this? SCCM 2012 R2 CU4, clients are Windows 7, 32 and 64. ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
