Not sure exactly what's going on, but maybe there is something to the fact that "Some security logs can roll over frequently, or they can extend for several years. The time polled for this class is limited to the last 90 days."
Could it be that the usage reported in the table comes from data gathered more than 90 days ago? Depending on your security event log settings, if it's maxing out on the size before it's allowed to roll, you could be missing information or it's rolling the data faster than the inventory cycle is gathering it? Is it filling and not writing the logoff/logon events properly?

From: [email protected] [mailto:[email protected]] On Behalf Of Kelley, Matthew
Sent: Monday, November 23, 2015 12:01 PM
To: [email protected]
Subject: [mssms] RE: system console usage question

My coworker found a machine that has only one reported logged on user, but excessive minutes! Any help is appreciated.

TotalConsoleTime : 220636
TotalConsoleUsers : 1
TotalSecurityLogTime : 99125

From: [email protected] [mailto:[email protected]] On Behalf Of Kelley, Matthew
Sent: Monday, November 23, 2015 11:28 AM
To: [email protected]
Subject: [mssms] system console usage question

So, I understand how the sms_systemconsoleusage class is supposed to work: https://msdn.microsoft.com/en-us/library/cc146052.aspx

My question is: how do others deal with some machines reporting more minutes logged on than there are actual minutes in the event log? My theory is that because of this:

If a matching logoff event cannot be found, the next shutdown event or logon event is used in place of a logoff event. If none of these can be found, the latest entry in the security log is used. The resulting information is aggregated by user and ordered by total console usage.

it is possible there were multiple logon events found, but no subsequent matching logoff events, causing minutes to be double/triple/(whatever number of users were on the device) counted. Are other people seeing this?

For example, I have machines that report to have one day's worth of security event log, with over 1440 minutes of usage. I log in to the machine, and in fact there is only one day's worth of security event log, but yet the WMI class on the device definitely claims over 1440 minutes' worth of logon time within that one day. With only 1440 minutes being available in a day, we all know that can't be possible. This appears to only happen on machines with TotalConsoleUsers > 1, supporting my theory.

So, how do others filter out the "junk" or is there some supported way to remedy this?

SCCM 2012 R2 CU4, clients are Windows 7, 32 and 64.

**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
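An added sketch, not part of the thread and not Microsoft's implementation: it applies the pairing rule quoted in the original question to constructed events and shows how per-user totals, summed over overlapping sessions, can exceed the span of the log. The event tuples, the user names, and the reading of "next shutdown event or logon event" as an event from any user are assumptions.

```python
from collections import defaultdict

# Constructed sample: (minute offset into the log, event kind, user).
EVENTS = [
    (0,    "logon",  "alice"),
    (60,   "logon",  "bob"),     # second session starts while alice is still logged on
    (1380, "logoff", "bob"),
    (1400, "logon",  "carol"),   # no logoff recorded for carol
    (1440, "logoff", "alice"),   # latest entry in the log
]

def session_end(events, i):
    """End minute for the logon at index i, following the quoted rule."""
    _, _, user = events[i]
    later = events[i + 1:]
    # 1. A matching logoff for the same user.
    for t, kind, u in later:
        if kind == "logoff" and u == user:
            return t
    # 2. Otherwise the next shutdown or logon event (assumed: from any user).
    for t, kind, _ in later:
        if kind in ("shutdown", "logon"):
            return t
    # 3. Otherwise the latest entry in the log.
    return events[-1][0]

def console_usage(events):
    """Aggregate session minutes per user and compare the sum to the log span."""
    events = sorted(events)
    per_user = defaultdict(int)
    for i, (t, kind, user) in enumerate(events):
        if kind == "logon":
            per_user[user] += session_end(events, i) - t
    span = events[-1][0] - events[0][0]
    total = sum(per_user.values())
    # Keys mirror the property names shown in the thread; values are model output.
    return {"per_user": dict(per_user), "TotalConsoleTime": total,
            "TotalConsoleUsers": len(per_user), "TotalSecurityLogTime": span,
            "exceeds_log_span": total > span}

if __name__ == "__main__":
    print(console_usage(EVENTS))
```

The `exceeds_log_span` flag is the same comparison the thread makes by hand: console minutes against the minutes the log actually covers.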
