Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-20-2020 02:15 PM
I use file scanning to see when a program was last accessed, for example
%programfiles(x86)%\Microsoft Office\Office16\winword.exe
Even though i use the software every day, the result of "lastaccess" is in the past: 05/02/2020
The Clients are scanned every day, i tried also single asset rescans.
I also receive wrong data when querying other program files
Any Idea?
%programfiles(x86)%\Microsoft Office\Office16\winword.exe
Even though i use the software every day, the result of "lastaccess" is in the past: 05/02/2020
The Clients are scanned every day, i tried also single asset rescans.
I also receive wrong data when querying other program files
Any Idea?
Labels:
- Labels:
-
General Discussion
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-21-2020 02:22 PM
I think technically you may be correct, but without testing it I can't say for certain. Assuming you are correct, in reality that is still the last accessed date. You can't tell it that you want to know the last access date, but only when it is by a user and not the system. Without tools that would cost additional money, the only way I can think to do something like this is to enable security auditing for process start/stop and then deal with the log entries that are created as it should associate users to it. That is at least something you can tell Lansweeper to pull in. It may be overwhelming, but it is something you can filter against.
EventID is 4688 and it shows up in the security log.
secpol.msc
Local Policies\Audit Policy\Audit Process tracking
EventID is 4688 and it shows up in the security log.
secpol.msc
Local Policies\Audit Policy\Audit Process tracking
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-21-2020 08:49 AM
Thank you very much for your comments.
The background of my question is that I would like to find out which users do not use assigned Adobe licenses.
The query of the last accessed date does not bring the desired result.
I also think that for example an access of a backup or a virus protection would also change the date.
The entry in the registry of windows 10 is called
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
The value is 80000003 (hexadecimal)
The background of my question is that I would like to find out which users do not use assigned Adobe licenses.
The query of the last accessed date does not bring the desired result.
I also think that for example an access of a backup or a virus protection would also change the date.
The entry in the registry of windows 10 is called
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
The value is 80000003 (hexadecimal)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-20-2020 06:40 PM
The last accessed date within Lansweeper is based solely off of the last accessed date within the properties of the file. By default the updating of file access time is disabled within Windows as a performance tweak as it causes an increased amount of drive writes. This is especially worth pointing out because SSDs can only perform so many writes before they start to degrade. In other words, enable at your own risk.
To turn it on modify the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
NtfsDisableLastAccessDate
Set it to 0.
To turn it on modify the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
NtfsDisableLastAccessDate
Set it to 0.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-20-2020 07:28 PM
RKCar wrote:
The last accessed date within Lansweeper is based solely off of the last accessed date within the properties of the file. By default the updating of file access time is disabled within Windows as a performance tweak as it causes an increased amount of drive writes. This is especially worth pointing out because SSDs can only perform so many writes before they start to degrade. In other words, enable at your own risk.
To turn it on modify the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
NtfsDisableLastAccessDate
Set it to 0.
Thanks...that's very helpful
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-20-2020 06:21 PM
Interesting...I just set up a similar report and see the same thing. What it appears to me at first glance is that the "last accessed" date matches my boot date/time. I wonder if there's something to that...I'll have to reboot and see if I can figure this out. It would certainly be a useful way to audit software usage, if it works properly.
