Pro Tips with Esben #46
One thing Jacob, our new Cost and efficiency Evangelist, brought to my attention is that there are quite a number of people who would like to see Lansweeper do scanning software usage or software metering. Lansweeper doesn't offer this functionality, but this month, we'll explore what you can do to see if specific software is being used.
Lansweeper has multiple tools that can be used to discover information about software. Obviously, it scans all of the software installed on your devices, which is the basis of this whole endeavor. Additionally, there are more advanced scanning options like registry scanning and file property scanning, and even event log scanning.
Prerequisites and Best Practices
After quite some brainstorming with Jacob, we went over a number of options ranging from using file property scanning to custom PowerShell scripts. Eventually, we discovered that there is no perfect solution as some options we explored either flat out didn't work, and others were never 100% accurate. Eventually, we settled on using the event log. It seems to be the best method of capturing software usage accurately, at the potential cost of being less optimal for very large environments. Using the event 4688(S) we can see exactly when a process is created. This information in the event log gives us a lot of possibilities for reporting later on.
Scan Success Audit Events
However, this does introduce some prerequisites and best practices. First, you'll need to enable "success audit events" scanning in the server options.
Event Log Scanning Best Practises
Scanning event log data, especially with thousands of machines can be very data-intensive and resource-intensive. You're pulling in a lot of data. To help you manage this, here are a couple of tips.
Scanned Item Interval
The scanned item interval lets you configure how frequently items get rescanned by scanning targets. The number represents how many days Lansweeper will wait before rescanning that data. A 0 means the data is refreshed during every scan. I would highly recommend changing the interval to something higher unless you have a specific reason why you need eventlog data rescanned all the time. Doing this will significantly improve scanning performance.
History Cleanup Options
In the server options, you'll be able to find History Cleanup Options. By default, eventlog data is only deleted after 60 days. I would recommend lowering this as much as you can depending on your usage. It will significantly reduce your Lansweeper database usage and could also improve the performance of Lansweeper in general.
Logging Software Usage
After quite some brainstorming, using the event log seems to be the best method of capturing software usage. Using the event 4688(S) we can see exactly when a process is created. This information in the event log gives us a lot of possibilities for reporting later on.
But first, let's quickly run through how to enable the logging, as the event will not log all process creations by default. Obviously, if you want to enable this for many devices, a GPO is the easiest method.
- Open the Local Security Policy Editor:
Windows + Rto open the Run dialog.
secpol.mscand press Enter.
- Navigate to Advanced Audit Policies:
- In the left pane of the Local Security Policy window, expand "Advanced Audit Policy Configuration."
- Click on "Detailed Tracking" to select it.
- Enable Audit Process Creation:
- In the right pane, you'll see various audit policies. Locate and double-click on "Audit Process Creation."
- Configure the Audit Policy:
- In the "Audit Process Creation Properties" window, select the "Define these policy settings" checkbox.
- Choose "Success" to log successful process creations.
Reporting Software Usage
Once you have the data, it's time to do some reporting. While the reports below can be used as they are, you can also use them as a template to do whatever you want with the data.
This first report is simply a list of all of the audit process creation events for the software "zoom.exe"
Software Usage Chart
This report gives you a chart of all the zoom.exe process creation events per day, in the last 14 days.
This report is a slight adaptation of the chart report to also show the date of when the instances took place. This lets you see for each device how many times and on which days the zoom.exe process was created.
Technical Product Evangelist at Lansweeper Maximizing IT Asset Management proficiency by empowering end-users to take full advantage of their toolset.