The top three users all have the same lastconsoleuse time. It does look like
the logon/logoff events are not matching up, so the minutes just go from first
logon event to end of event log as Nick mentioned and I suspected. In this
case, inventory was today around 2:37pm and the top 3 users have that as
essentially their "logoff time".
From MS webpage:
If a matching logoff event cannot be found, the next shutdown event or logon
event is used in place of a logoff event. If none of these can be found, the
latest entry in the security log is used. The resulting information is
aggregated by user and ordered by total console usage.
So, I guess this is just a feature of console use data that I need to be aware
of when writing reports and delivering data. At least I have a somewhat
reasonable explanation for the manager that was wondering how the numbers were
so far off. I could run a script to clean up the security logs but it isn't
that crucial I guess.
Thanks for the help, Nick. Have a great Thanksgiving!
gwmi -Namespace root\sms\site_$((gwmi -Namespace root\sms -Class
sms_providerlocation).sitecode) -Class sms_g_system_system_console_user -Filter
"resourceid=16777705" | select Lastconsoleuse, totaluserconsoleminutes
Lastconsoleuse             totaluserconsoleminutes
--------------             -----------------------
20151124143711.000000+***  254493
20151124143711.000000+***  245233
20151124143711.000000+***  368196
20151123014439.000000+***  47272
20151118092449.000000+***  53043
20151029183319.000000+***  2110
20150914004446.000000+***  30712
20151123091003.000000+***  126806
20151021004420.000000+***  8205
20151119134136.000000+***  109717
20150827101544.000000+***  2089
20151109014400.000000+***  49367
20151113165615.000000+***  144477
20151120130042.000000+***  30
20151117131748.000000+***  104758
20151118152157.000000+***  14
20151105153212.000000+***  40
20150923103453.000000+***  10
20151005004422.000000+***  9521
20151007091754.000000+***  154
20151009095542.000000+***  4
20151009124849.000000+***  36
20151009130752.000000+***  38
20151014093949.000000+***  68
20151029150140.000000+***  6
20151117085403.000000+***  8
From: [email protected] On Behalf Of Kelley, Matthew
Sent: Tuesday, November 24, 2015 2:37 PM
To: [email protected]
Subject: RE: [mssms] RE: system console usage question
It could be any of those things really. I am just thoroughly confused. Our logs
are set to maximum of 1GB or 30 days, whichever is more (so if 30 days worth is
over a gig, it will still keep 30 days worth, otherwise limited to 1GB. I think
you may have actually put that in place when you were here due to other
inventory issues. Can't remember exactly.) I am thinking it may have something
to do with the logon/logoff events not being handled properly as you mentioned.
Some of these machines have multiple records in the database/WMI like below.
This seems strange to me because there is only one instance of the
root\cimv2\sms:sms_systemconsoleusage class on the machine. Normally items with
multiple instances in current inventory would have multiple instances on the
client WMI. Notice some of the instances show the totalconsole time less than
totalsecuritylogtime (which I would expect - can't have more time logged in
than there are minutes in the event log you are checking) but then some of
the instances show more time logged in than is actually present in the security
event log! This particular record goes from 1 user to 26 users but is a "kiosk"
machine so that is not unusual.
Thanks for the suggestions. I will keep digging and let you know if I find
anything or can make sense of this mess!
gwmi -Namespace root\sms\site_$((gwmi -Namespace root\sms -Class
sms_providerlocation).sitecode) -Class sms_g_system_system_console_usage
-Filter "resourceid=16777705" | select GroupID, RevisionID, Timestamp,
totalconsoletime, totalconsoleusers, totalsecuritylogtime, resourceID,
securitylogstartdate
GroupID : 47
RevisionID : 1
Timestamp : 20150331013401.000000+***
totalconsoletime : 120454
totalconsoleusers : 1
totalsecuritylogtime : 140260
resourceID : 16777705
securitylogstartdate : 20141223145245.000000+***
GroupID : 68
RevisionID : 1
Timestamp : 20150406013540.000000+***
totalconsoletime : 119012
totalconsoleusers : 1
totalsecuritylogtime : 138505
resourceID : 16777705
securitylogstartdate : 20141230200800.000000+***
GroupID : 92
RevisionID : 1
Timestamp : 20150413013449.000000+***
totalconsoletime : 119011
totalconsoleusers : 1
totalsecuritylogtime : 138649
resourceID : 16777705
securitylogstartdate : 20150106174400.000000+***
GroupID : 422
RevisionID : 1
Timestamp : 20150717013346.000000+***
totalconsoletime : 179376
totalconsoleusers : 1
totalsecuritylogtime : 141476
resourceID : 16777705
securitylogstartdate : 20150409193653.000000+***
GroupID : 458
RevisionID : 1
Timestamp : 20150728013425.000000+***
totalconsoletime : 187542
totalconsoleusers : 1
totalsecuritylogtime : 139669
resourceID : 16777705
securitylogstartdate : 20150422014416.000000+***
GroupID : 535
RevisionID : 1
Timestamp : 20150819013451.000000+***
totalconsoletime : 287239
totalconsoleusers : 5
totalsecuritylogtime : 138242
resourceID : 16777705
securitylogstartdate : 20150515013132.000000+***
GroupID : 571
RevisionID : 1
Timestamp : 20150829013459.000000+***
totalconsoletime : 416486
totalconsoleusers : 14
totalsecuritylogtime : 135362
resourceID : 16777705
securitylogstartdate : 20150527013149.000000+***
GroupID : 578
RevisionID : 1
Timestamp : 20150831013444.000000+***
totalconsoletime : 412266
totalconsoleusers : 14
totalsecuritylogtime : 135360
resourceID : 16777705
securitylogstartdate : 20150529013257.000000+***
GroupID : 607
RevisionID : 1
Timestamp : 20150908013355.000000+***
totalconsoletime : 588721
totalconsoleusers : 18
totalsecuritylogtime : 133994
resourceID : 16777705
securitylogstartdate : 20150607001900.000000+***
GroupID : 632
RevisionID : 1
Timestamp : 20150915013422.000000+***
totalconsoletime : 688149
totalconsoleusers : 19
totalsecuritylogtime : 133945
resourceID : 16777705
securitylogstartdate : 20150614010736.000000+***
GroupID : 637
RevisionID : 1
Timestamp : 20150916013439.000000+***
totalconsoletime : 685272
totalconsoleusers : 19
totalsecuritylogtime : 133138
resourceID : 16777705
securitylogstartdate : 20150615143500.000000+***
GroupID : 655
RevisionID : 1
Timestamp : 20150921013429.000000+***
totalconsoletime : 716208
totalconsoleusers : 19
totalsecuritylogtime : 134693
resourceID : 16777705
securitylogstartdate : 20150619124011.000000+***
GroupID : 662
RevisionID : 1
Timestamp : 20150923013505.000000+***
totalconsoletime : 724756
totalconsoleusers : 19
totalsecuritylogtime : 133907
resourceID : 16777705
securitylogstartdate : 20150622014608.000000+***
GroupID : 704
RevisionID : 1
Timestamp : 20151005013416.000000+***
totalconsoletime : 914586
totalconsoleusers : 21
totalsecuritylogtime : 132513
resourceID : 16777705
securitylogstartdate : 20150705010000.000000+***
GroupID : 729
RevisionID : 1
Timestamp : 20151012013416.000000+***
totalconsoletime : 1100509
totalconsoleusers : 25
totalsecuritylogtime : 132893
resourceID : 16777705
securitylogstartdate : 20150711183937.000000+***
GroupID : 754
RevisionID : 1
Timestamp : 20151019013506.000000+***
totalconsoletime : 1333453
totalconsoleusers : 26
totalsecuritylogtime : 133918
resourceID : 16777705
securitylogstartdate : 20150718013515.000000+***
GroupID : 762
RevisionID : 1
Timestamp : 20151021013453.000000+***
totalconsoletime : 1325398
totalconsoleusers : 26
totalsecuritylogtime : 132800
resourceID : 16777705
securitylogstartdate : 20150720201317.000000+***
GroupID : 769
RevisionID : 1
Timestamp : 20151023013456.000000+***
totalconsoletime : 1360032
totalconsoleusers : 26
totalsecuritylogtime : 133176
resourceID : 16777705
securitylogstartdate : 20150722135721.000000+***
GroupID : 786
RevisionID : 1
Timestamp : 20151028013501.000000+***
totalconsoletime : 1400146
totalconsoleusers : 26
totalsecuritylogtime : 132481
resourceID : 16777705
securitylogstartdate : 20150728013234.000000+***
GroupID : 804
RevisionID : 1
Timestamp : 20151102013455.000000+***
totalconsoletime : 1448992
totalconsoleusers : 27
totalsecuritylogtime : 132643
resourceID : 16777705
securitylogstartdate : 20150801235030.000000+***
GroupID : 829
RevisionID : 1
Timestamp : 20151109013350.000000+***
totalconsoletime : 1517497
totalconsoleusers : 27
totalsecuritylogtime : 132801
resourceID : 16777705
securitylogstartdate : 20150808211120.000000+***
GroupID : 854
RevisionID : 1
Timestamp : 20151116013450.000000+***
totalconsoletime : 1551619
totalconsoleusers : 27
totalsecuritylogtime : 133982
resourceID : 16777705
securitylogstartdate : 20150815013104.000000+***
GroupID : 862
RevisionID : 1
Timestamp : 20151118013415.000000+***
totalconsoletime : 1530841
totalconsoleusers : 27
totalsecuritylogtime : 132541
resourceID : 16777705
securitylogstartdate : 20150818013220.000000+***
GroupID : 879
RevisionID : 1
Timestamp : 20151123013440.000000+***
totalconsoletime : 1572848
totalconsoleusers : 26
totalsecuritylogtime : 133456
resourceID : 16777705
securitylogstartdate : 20150822101736.000000+***
GroupID : 884
RevisionID : 1
Timestamp : 20151124020415.000000+***
totalconsoletime : 1572789
totalconsoleusers : 26
totalsecuritylogtime : 132571
resourceID : 16777705
securitylogstartdate : 20150824013157.000000+***
From: [email protected] On Behalf Of Nick
Sent: Tuesday, November 24, 2015 2:06 PM
To: [email protected]
Subject: RE: [mssms] RE: system console usage question
Not sure exactly what's going on, but maybe there is something to the fact that
"Some security logs can roll over frequently, or they can extend for several
years. The time polled for this class is limited to the last 90 days."
Could it be that the usage reported in the table comes from data gathered more
than 90 days ago? Depending on your security event log settings, if it's
maxing out on the size before it's allowed to roll, you could be missing
information or it's rolling the data faster than the inventory cycle is
gathering it? Is it filling and not writing the logoff/logon events properly?
From: [email protected] On Behalf Of Kelley, Matthew
Sent: Monday, November 23, 2015 12:01 PM
To: [email protected]
Subject: [mssms] RE: system console usage question
My coworker found a machine that has only one reported logged on user, but
excessive minutes! Any help is appreciated.
TotalConsoleTime : 220636
TotalConsoleUsers : 1
TotalSecurityLogTime : 99125
From: [email protected] On Behalf Of Kelley, Matthew
Sent: Monday, November 23, 2015 11:28 AM
To: [email protected]
Subject: [mssms] system console usage question
So, I understand how the sms_systemconsoleusage class is supposed to work:
https://msdn.microsoft.com/en-us/library/cc146052.aspx
My question is: how do others deal with some machines reporting more minutes
logged on than there are actual minutes in the event log?
My theory is that because of this:
If a matching logoff event cannot be found, the next shutdown event or logon
event is used in place of a logoff event. If none of these can be found, the
latest entry in the security log is used. The resulting information is
aggregated by user and ordered by total console usage.
it is possible there were multiple logon events found, but no subsequent
matching logoff events, causing minutes to be double/triple/(whatever number of
users were on the device) counted. Are other people seeing this? For example, I
have machines that report to have one day's worth of security event log, with
over 1440 minutes of usage. I log in to the machine, and in fact there is only
one day worth of security event log but yet the wmi class on the device
definitely claims over 1440 minutes worth of logon time within that one day.
With only 1440 minutes being available in a day, we all know that can't be
possible. This appears to only happen on machines with TotalConsoleUsers > 1,
supporting my theory. So, how do others filter out the "junk" or is there some
supported way to remedy this? SCCM 2012 R2 CU4, clients are Windows 7, 32 and
64.
**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be
used for urgent or sensitive issues
**********************************************************
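
The following is an added example, not part of the original thread and not Microsoft's implementation: a small PowerShell model of the fallback rule quoted above, run over constructed events, showing how logons without a matching logoff are all stretched to the latest log entry so that summed console minutes exceed the span of the log. The function name, the event types and the reading of "next logon event" as the same user's next logon are assumptions.

```powershell
# Constructed sample events (not real log data). Types are abstract labels, not event IDs.
$sampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2015-11-23 08:00'; Type = 'Logon';  User = 'alice' }
    [pscustomobject]@{ Time = [datetime]'2015-11-23 09:00'; Type = 'Logon';  User = 'bob'   }
    [pscustomobject]@{ Time = [datetime]'2015-11-23 10:00'; Type = 'Logoff'; User = 'bob'   }
    [pscustomobject]@{ Time = [datetime]'2015-11-23 12:00'; Type = 'Logon';  User = 'carol' }
    [pscustomobject]@{ Time = [datetime]'2015-11-24 08:00'; Type = 'Other';  User = $null   }
)

# Hypothetical helper: applies the quoted pairing rule and aggregates minutes per user.
function Get-ConsoleUsageModel {
    param([object[]]$LogEvents)
    $sorted = @($LogEvents | Sort-Object Time)
    $logEnd = $sorted[-1].Time          # "latest entry in the security log"
    $totals = @{}
    foreach ($e in $sorted) {
        if ($e.Type -ne 'Logon') { continue }
        # Close the session at the first later logoff or logon for the same user
        # (assumption), or at the next shutdown, whichever comes first.
        $close = $sorted | Where-Object {
            $_.Time -gt $e.Time -and (
                $_.Type -eq 'Shutdown' -or
                ($_.User -eq $e.User -and ('Logoff', 'Logon' -contains $_.Type)))
        } | Select-Object -First 1
        # Nothing found: fall back to the latest entry in the log.
        $end = if ($close) { $close.Time } else { $logEnd }
        if (-not $totals.ContainsKey($e.User)) {
            $totals[$e.User] = [pscustomobject]@{
                User = $e.User; Minutes = 0; LastConsoleUse = $e.Time
            }
        }
        $t = $totals[$e.User]
        $t.Minutes += [int](($end - $e.Time).TotalMinutes)
        if ($end -gt $t.LastConsoleUse) { $t.LastConsoleUse = $end }
    }
    $totals.Values | Sort-Object Minutes -Descending
}

$usage   = @(Get-ConsoleUsageModel -LogEvents $sampleEvents)
$ordered = @($sampleEvents | Sort-Object Time)
$logSpan = [int](($ordered[-1].Time - $ordered[0].Time).TotalMinutes)
$total   = ($usage | Measure-Object -Property Minutes -Sum).Sum

$usage | Format-Table User, Minutes, LastConsoleUse -AutoSize
"Log span: $logSpan min; summed console minutes: $total"
if ($total -gt $logSpan) { 'Summed minutes exceed the log span: unmatched logons overlap.' }
```

In this model the users whose logons never get a matching logoff share the same LastConsoleUse value, the timestamp of the last log entry, which is the pattern reported for the top three users in the latest reply.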