3

How do I determine how long it's been since a user with files opened on my server has been actively using their workstation in a Windows Active Directory environment (XP, 7, 8 clients and Server 2008, 2012)?

Before rebooting the file server I check to see if anyone has open files on the server, so I check the Open Files pane of the Shared Folders MMC:

enter image description here

Because Redirected Folders are in use, a logged in user will have open files, even if it's been a while since they've been at their computer. I notice an Idle Time column on the Sessions pane of the MMC:

enter image description here

As I understand it, this is the idle time for the SMB session between the workstation and the server. Is this able to indicate how long it's been since the user was active? Or could a logged in workstation without user activity reset this counter to 0:00?

I've also explored the output of QWINSTA run via PSEXEC against the user's workstation. This tells me the session's state is Active, but I don't know if that's the same as "logged on" or "active in the past X minutes."

So, is there a way to determine how long it's been since a workstation has had an active user? Perhaps by a method other than these two I've tried?

I say Reinstate Monica
  • 3,100
  • 7
  • 23
  • 51

1 Answers1

4

The idle time shown in your screenshots can indicate user inactivity. If the user were to leave a program that periodically accesses the file server this number wouldn't indicate time where a user is not present providing input to the computer.

One quick-and-dirty idea comes to mind: Use the creation time of a screensaver process

Assuming the user is running a screensaver (or that you're forcing it with Group Policy), remotely scanning the process list for an .SCR and looking at the difference between the current wallclock time and the process creation time would give you an idea of the length of time the PC hasn't received mouse or keyboard input.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • I like the screensaver approach, but I manage many different environments and was hoping for something I could expect to work in all cases. That said, if there is no such thing, your idea would cover the majority of cases. I'll start here. Thanks! – I say Reinstate Monica Oct 18 '14 at 23:44
  • I'm not sure there's "no such thing", but this seems like low hanging fruit. I was recently writing some code that needed to detect user inactivity and I decided that the screensaver was probably a great way. If the user was playing a video full screen, for example, there are already APIs to disable the screensaver. By using the presence of the screensaver as an indication of "idleness" my code gets the benefits of those APIs automatically. – Evan Anderson Oct 18 '14 at 23:47
  • You might want to also check for the presence of LogonUI.exe, which is probably a more common "screen saver" in office environments than actual screen savers are these days. I know this seems like it should be trivial, but I think Evan's answer is probably the best there is. The waters are very murky because you have console sessions, RDP sessions, fast user-switching, etc. You could `CreateProcessAsUser` all users and then check `GetLastInputInfo` or you could register `WTSSessionNotification`, but I'm betting those are both more effort than it's worth to you. – Ryan Ries Oct 19 '14 at 00:38