Software Usage Metering

Pro Tips with Esben #46

One thing Jacob, our new Cost and efficiency Evangelist, brought to my attention is that there are quite a number of people who would like to see Lansweeper do scanning software usage or software metering. Lansweeper doesn't offer this functionality, but this month, we'll explore what you can do to see if specific software is being used.

Lansweeper has multiple tools that can be used to discover information about software. Obviously, it scans all of the software installed on your devices, which is the basis of this whole endeavor. Additionally, there are more advanced scanning options like registry scanning and file property scanning, and even event log scanning.

Prerequisites and Best Practices

After quite some brainstorming with Jacob, we went over a number of options ranging from using file property scanning to custom PowerShell scripts. Eventually, we discovered that there is no perfect solution as some options we explored either flat out didn't work, and others were never 100% accurate. Eventually, we settled on using the event log. It seems to be the best method of capturing software usage accurately, at the potential cost of being less optimal for very large environments. Using the event 4688(S) we can see exactly when a process is created. This information in the event log gives us a lot of possibilities for reporting later on.

Scan Success Audit Events

However, this does introduce some prerequisites and best practices. First, you'll need to enable "success audit events" scanning in the server options.

Event Log Scanning Best Practises

Scanning event log data, especially with thousands of machines can be very data-intensive and resource-intensive. You're pulling in a lot of data. To help you manage this, here are a couple of tips.

Scanned Item Interval

The scanned item interval lets you configure how frequently items get rescanned by scanning targets. The number represents how many days Lansweeper will wait before rescanning that data. A 0 means the data is refreshed during every scan. I would highly recommend changing the interval to something higher unless you have a specific reason why you need eventlog data rescanned all the time. Doing this will significantly improve scanning performance.

History Cleanup Options

In the server options, you'll be able to find History Cleanup Options. By default, eventlog data is only deleted after 60 days. I would recommend lowering this as much as you can depending on your usage. It will significantly reduce your Lansweeper database usage and could also improve the performance of Lansweeper in general.

Logging Software Usage

After quite some brainstorming, using the event log seems to be the best method of capturing software usage. Using the event 4688(S) we can see exactly when a process is created. This information in the event log gives us a lot of possibilities for reporting later on.

But first, let's quickly run through how to enable the logging, as the event will not log all process creations by default. Obviously, if you want to enable this for many devices, a GPO is the easiest method.

  1. Open the Local Security Policy Editor:
    • Press Windows + R to open the Run dialog.
    • Type secpol.msc and press Enter.
  2. Navigate to Advanced Audit Policies:
    • In the left pane of the Local Security Policy window, expand "Advanced Audit Policy Configuration."
    • Click on "Detailed Tracking" to select it.
  3. Enable Audit Process Creation:
    • In the right pane, you'll see various audit policies. Locate and double-click on "Audit Process Creation."
  4. Configure the Audit Policy:
    • In the "Audit Process Creation Properties" window, select the "Define these policy settings" checkbox.
    • Choose "Success" to log successful process creations.

Reporting Software Usage

Once you have the data, it's time to do some reporting. While the reports below can be used as they are, you can also use them as a template to do whatever you want with the data.

Process Creation

This first report is simply a list of all of the audit process creation events for the software "zoom.exe"

Software Usage Chart

This report gives you a chart of all the zoom.exe process creation events per day, in the last 14 days.

Software Usage

This report is a slight adaptation of the chart report to also show the date of when the instances took place. This lets you see for each device how many times and on which days the zoom.exe process was created.

Esben from Lansweeper

About Esben

Technical Product Evangelist at Lansweeper

Maximizing IT Asset Management proficiency by empowering end-users to take full advantage of their toolset.

You may also like...

Try Lansweeper for Free

Learn why Lansweeper is used by thousands of enterprises worldwide.‚Äč