It could be any of those things really. I am just thoroughly confused. Our logs are set to maximum of 1GB or 30 days, whichever is more (so if 30 days worth is over a gig, it will still keep 30 days worth, otherwise limited to 1GB. I think you may have actually put that in place when you were here due to other inventory issues. Can't remember exactly.) I am thinking it may have something to do with the logon/logoff events not being handled properly as you mentioned.
Some of these machines have multiple records in the database/WMI like below. This seems strange to me because there is only one instance of the root\cimv2\sms:sms_systemconsoleusage class on the machine. Normally items with multiple instances in current inventory would have multiple instances on the client WMI. Notice some of the instances show the totalconsole time less than totalsecuritylogtime (which I would expect - can't have more time logged in there there are minutes in the event log you are checking) but then some of the instances show more time logged in than is actually present in the security event log! This particular record goes from 1 user to 26 users but is a "kiosk" machine so that is not unusual. Thanks for the suggestions. I will keep digging and let you know if I find anything or can make sense of this mess! gwmi -Namespace root\sms\site_$((gwmi -Namespace root\sms -Class sms_providerlocation).sitecode) -Class sms_g_system_system_console_usage -Filter "resourceid=16777705" | select GroupID, RevisionID, Timestamp, totalconsoletime, totalconsoleusers, totalsecuritylogtime, resourceID, securitylogstartdate GroupID : 47 RevisionID : 1 Timestamp : 20150331013401.000000+*** totalconsoletime : 120454 totalconsoleusers : 1 totalsecuritylogtime : 140260 resourceID : 16777705 securitylogstartdate : 20141223145245.000000+*** GroupID : 68 RevisionID : 1 Timestamp : 20150406013540.000000+*** totalconsoletime : 119012 totalconsoleusers : 1 totalsecuritylogtime : 138505 resourceID : 16777705 securitylogstartdate : 20141230200800.000000+*** GroupID : 92 RevisionID : 1 Timestamp : 20150413013449.000000+*** totalconsoletime : 119011 totalconsoleusers : 1 totalsecuritylogtime : 138649 resourceID : 16777705 securitylogstartdate : 20150106174400.000000+*** GroupID : 422 RevisionID : 1 Timestamp : 20150717013346.000000+*** totalconsoletime : 179376 totalconsoleusers : 1 totalsecuritylogtime : 141476 resourceID : 16777705 securitylogstartdate : 20150409193653.000000+*** GroupID : 458 RevisionID : 1 Timestamp : 20150728013425.000000+*** totalconsoletime : 187542 totalconsoleusers : 1 totalsecuritylogtime : 139669 resourceID : 16777705 securitylogstartdate : 20150422014416.000000+*** GroupID : 535 RevisionID : 1 Timestamp : 20150819013451.000000+*** totalconsoletime : 287239 totalconsoleusers : 5 totalsecuritylogtime : 138242 resourceID : 16777705 securitylogstartdate : 20150515013132.000000+*** GroupID : 571 RevisionID : 1 Timestamp : 20150829013459.000000+*** totalconsoletime : 416486 totalconsoleusers : 14 totalsecuritylogtime : 135362 resourceID : 16777705 securitylogstartdate : 20150527013149.000000+*** GroupID : 578 RevisionID : 1 Timestamp : 20150831013444.000000+*** totalconsoletime : 412266 totalconsoleusers : 14 totalsecuritylogtime : 135360 resourceID : 16777705 securitylogstartdate : 20150529013257.000000+*** GroupID : 607 RevisionID : 1 Timestamp : 20150908013355.000000+*** totalconsoletime : 588721 totalconsoleusers : 18 totalsecuritylogtime : 133994 resourceID : 16777705 securitylogstartdate : 20150607001900.000000+*** GroupID : 632 RevisionID : 1 Timestamp : 20150915013422.000000+*** totalconsoletime : 688149 totalconsoleusers : 19 totalsecuritylogtime : 133945 resourceID : 16777705 securitylogstartdate : 20150614010736.000000+*** GroupID : 637 RevisionID : 1 Timestamp : 20150916013439.000000+*** totalconsoletime : 685272 totalconsoleusers : 19 totalsecuritylogtime : 133138 resourceID : 16777705 securitylogstartdate : 20150615143500.000000+*** GroupID : 655 RevisionID : 1 Timestamp : 20150921013429.000000+*** totalconsoletime : 716208 totalconsoleusers : 19 totalsecuritylogtime : 134693 resourceID : 16777705 securitylogstartdate : 20150619124011.000000+*** GroupID : 662 RevisionID : 1 Timestamp : 20150923013505.000000+*** totalconsoletime : 724756 totalconsoleusers : 19 totalsecuritylogtime : 133907 resourceID : 16777705 securitylogstartdate : 20150622014608.000000+*** GroupID : 704 RevisionID : 1 Timestamp : 20151005013416.000000+*** totalconsoletime : 914586 totalconsoleusers : 21 totalsecuritylogtime : 132513 resourceID : 16777705 securitylogstartdate : 20150705010000.000000+*** GroupID : 729 RevisionID : 1 Timestamp : 20151012013416.000000+*** totalconsoletime : 1100509 totalconsoleusers : 25 totalsecuritylogtime : 132893 resourceID : 16777705 securitylogstartdate : 20150711183937.000000+*** GroupID : 754 RevisionID : 1 Timestamp : 20151019013506.000000+*** totalconsoletime : 1333453 totalconsoleusers : 26 totalsecuritylogtime : 133918 resourceID : 16777705 securitylogstartdate : 20150718013515.000000+*** GroupID : 762 RevisionID : 1 Timestamp : 20151021013453.000000+*** totalconsoletime : 1325398 totalconsoleusers : 26 totalsecuritylogtime : 132800 resourceID : 16777705 securitylogstartdate : 20150720201317.000000+*** GroupID : 769 RevisionID : 1 Timestamp : 20151023013456.000000+*** totalconsoletime : 1360032 totalconsoleusers : 26 totalsecuritylogtime : 133176 resourceID : 16777705 securitylogstartdate : 20150722135721.000000+*** GroupID : 786 RevisionID : 1 Timestamp : 20151028013501.000000+*** totalconsoletime : 1400146 totalconsoleusers : 26 totalsecuritylogtime : 132481 resourceID : 16777705 securitylogstartdate : 20150728013234.000000+*** GroupID : 804 RevisionID : 1 Timestamp : 20151102013455.000000+*** totalconsoletime : 1448992 totalconsoleusers : 27 totalsecuritylogtime : 132643 resourceID : 16777705 securitylogstartdate : 20150801235030.000000+*** GroupID : 829 RevisionID : 1 Timestamp : 20151109013350.000000+*** totalconsoletime : 1517497 totalconsoleusers : 27 totalsecuritylogtime : 132801 resourceID : 16777705 securitylogstartdate : 20150808211120.000000+*** GroupID : 854 RevisionID : 1 Timestamp : 20151116013450.000000+*** totalconsoletime : 1551619 totalconsoleusers : 27 totalsecuritylogtime : 133982 resourceID : 16777705 securitylogstartdate : 20150815013104.000000+*** GroupID : 862 RevisionID : 1 Timestamp : 20151118013415.000000+*** totalconsoletime : 1530841 totalconsoleusers : 27 totalsecuritylogtime : 132541 resourceID : 16777705 securitylogstartdate : 20150818013220.000000+*** GroupID : 879 RevisionID : 1 Timestamp : 20151123013440.000000+*** totalconsoletime : 1572848 totalconsoleusers : 26 totalsecuritylogtime : 133456 resourceID : 16777705 securitylogstartdate : 20150822101736.000000+*** GroupID : 884 RevisionID : 1 Timestamp : 20151124020415.000000+*** totalconsoletime : 1572789 totalconsoleusers : 26 totalsecuritylogtime : 132571 resourceID : 16777705 securitylogstartdate : 20150824013157.000000+*** From: [email protected] [mailto:[email protected]] On Behalf Of Nick Sent: Tuesday, November 24, 2015 2:06 PM To: [email protected] Subject: RE: [mssms] RE: system console usage question Not sure exactly what's going on, but maybe there is something to the fact that "Some security logs can roll over frequently, or they can extend for several years. The time polled for this class is limited to the last 90 days." Could it be that the usage reported in the table comes from data gathered more than 90 days ago? Depending on your security event log settings, if it's maxing out on the size before it's allowed to roll, you could be missing information or it's rolling the data faster than the inventory cycle is gathering it? Is it filling and not writing the logoff/logon events properly? From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kelley, Matthew Sent: Monday, November 23, 2015 12:01 PM To: [email protected]<mailto:[email protected]> Subject: [mssms] RE: system console usage question My coworker found a machine that has only one reported logged on user, but excessive minutes! Any help is appreciated. TotalConsoleTime : 220636 TotalConsoleUsers : 1 TotalSecurityLogTime : 99125 From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kelley, Matthew Sent: Monday, November 23, 2015 11:28 AM To: [email protected]<mailto:[email protected]> Subject: [mssms] system console usage question So, I understand how the sms_systemconsoleusage class is supposed to work: https://msdn.microsoft.com/en-us/library/cc146052.aspx My question is; How do others deal with some machines reporting more minutes logged on than there are actual minutes in the event log? My theory is that because of this: If a matching logoff event cannot be found, the next shutdown event or logon event is used in place of a logoff event. If none of these can be found, the latest entry in the security log is used. The resulting information is aggregated by user and ordered by total console usage. it is possible there were multiple logon events found, but no subsequent matching logoff events, causing minutes to be double/triple/(whatever number of users were on the device) counted. Are other people seeing this? For example, I have machines that report to have one day's worth of security event log, with over 1440 minutes of usage. I log in to the machine, and in fact there is only one day worth of security event log but yet the wmi class on the device definitely claims over 1440 minutes worth of logon time within that one day. With only 1440 minutes being available in a day, we all know that can't be possible. This appears to only happen on machines with TotalConsoleUsers > 1, supporting my theory. So, how do others filter out the "junk" or is there some supported way to remedy this? SCCM 2012 R2 CU4, clients are Windows 7, 32 and 64. ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
