Boot and logon duration

Overview

The startup time of a device has a direct impact on the productivity and the experience of end-users. Since the first activities that a user performs on a device are to power it on and to log on, users typically have a very negative perception of devices that take too long to start. Indeed, a long boot or logon process is often a symptom of other underlying problems in a device, such as disk failures, network issues, low memory, or general obsolescence. Nexthink provides the following measurements of the boot and logon duration of a device:

Boot duration
After powering on the device, the boot duration is the time between the start of the OS kernel and the launch of the logon screen.
Logon duration
The time between user authentication and the desktop being shown.
Extended logon duration
The time between user authentication and the device being ready.

Because of the techniques employed in the measurement of boot and logon duration, these values apply to Windows devices only.

Applies to platforms: Windows

Measurement of the boot duration

The measurement of the boot duration begins when the kernel of the operating system loads the Collector driver during its initialization. Once up and running, the Collector notifies the Engine of the boot of the device and then continuously reports to the Engine the time elapsed since the kernel started (the system boot, as recorded by the operating system). Any steps in the boot sequence that precede the start of the kernel, such as the BIOS hardware checks and the loading of the kernel itself, are therefore not included in the boot duration. The Engine establishes the absolute boot time of the device according to this information.

In addition to the boot time, the Engine needs to know when the operating system launches the logon screen to compute the boot duration. The launch of the logon screen corresponds to the execution of the system process logonUI.exe. Since the Collector successively informs the Engine of the processes being executed in the device, the Engine just needs to wait for the Collector to detect the launch of logonUI.exe. The Engine records the interval between the boot time and the start of logonUI.exe as the boot duration.

Note that Nexthink records boot events only for full boot sequences. Waking up the device after being in a standby (sleep) or a hibernation state is not considered a device boot. Moreover, the boot technique known as Fast Startup in Windows 8 (and higher) is not a full boot sequence either; therefore, it is not recorded as such.

Figure: Boot duration, which starts at the system boot (as recorded by the OS) and stops at the start of the logon screen (launch of logonUI.exe).

Inspecting boot duration through Finder and NXQL

System boot is the activity that holds boot duration information in Nexthink. Look for system boots in the Finder by creating a new investigation:

  1. At the bottom of the Start page, click New Investigation.
  2. Under the Activities tab, select system boots.
  3. Fill in the conditions and time frame as desired.
  4. Ensure that the Columns in the DISPLAY section include the Duration of the system boot.
  5. Click Run.

In NXQL, system boots are a type of the more general device_activity events. For instance, to get a list of all boot events, open the NXQL editor and type in:

(select * (from device_activity (where device_activity (eq type (enum boot)))))


To get boot duration information for a particular device in the Finder, create an investigation on devices and look for the following columns to display:

  • Last system boot duration:
    The duration of the last boot measured on the device.
  • System boot duration baseline:
    The exponentially weighted moving average of the duration of all system boots of the device stored in the Engine database. For a measured boot duration B(n) on the nth boot, the weighted average S(n) is recursively computed with the following formula:
    • S(n) = B(1), for n = 1
    • S(n) = α ⋅ B(n) + (1 - α) ⋅ S(n - 1), for n > 1
    Where coefficient α = 0.1 and the contribution to the duration of old boot events is removed as soon as they are dropped from the history of the database.
    Note that this field is precomputed from all boot events available in the database, so its value does not depend on the time frame of the investigation.

In NXQL, the equivalents of Last system boot duration and System boot duration baseline are called last_boot_duration and average_boot_duration, respectively. For instance, to get the last and the baseline boot duration for every device, type in the query:

(select (last_boot_duration average_boot_duration) (from device))


We have seen that the System boot duration baseline is precomputed for a device and does not depend on the time frame. To actually compute the average boot duration of a device over a time frame, add the Average system boot duration aggregate to your displayed columns. The average is calculated as the sum of the duration of the boot events divided by the number of boot events within the time frame.

In NXQL, the equivalent of the Average system boot duration is the average_boot_duration aggregate. Note that it has the same name as the boot duration baseline, but it must be placed inside a compute clause in the NXQL query, so there is no confusion possible. For example, to query for both the boot duration baseline and the average (for the last day) in an NXQL query, type in:

(select average_boot_duration (from device (with device_activity (compute average_boot_duration) (between now-1d now))))


Measurement of the logon and extended logon durations

The moment when the user finishes authenticating, either by typing in their credentials or by any other identification means, marks the start of the logon process. The Collector has two ways to detect the start of the logon process:

  • Look in the Security log for an audit logon event.
  • Wait for a session creation event.

The preferred method for the Collector to detect a user logon is to look for audit logon events in the Security log of Windows. For the Security log to include logon information, the system administrator must activate the corresponding audit policy option. In this case, the logon time detected by the Collector matches the time recorded by Windows.

Nevertheless, if the audit policy on the device does not include the audit of logon events, the Collector defaults to detecting user logons by listening to session creation events. Capturing the moment of creation of a session is usually a precise method to determine the time of a user logon. However, in setups with roaming user profiles, using this method could yield logon durations that are much shorter than the actual logon duration experienced by users. To avoid sending inaccurate information, if the audit of logon events is not enabled, the Collector does not report the logon duration of users with roaming profiles. For more information on roaming user profiles, see the next section.

Both the logon and the extended logon durations take the start of the logon process as the beginning of their measurement, but they differ from each other in their ending point:

  • The appearance of the desktop marks the end of the logon duration.
  • After the desktop is shown, the readiness of the device to be used marks the end of the extended logon duration. The device is considered ready to use when the operating system frees enough resources for the device to become responsive again to the commands of the user. Depending on the type of device, the resource consumption for considering the device to be ready is as follows:
    • Desktops and laptops: the CPU usage drops below 15% and the disk usage below 80%.
    • Servers: the CPU usage of all the processes that belong to the logged on user drops below 15%.

If the consumption of resources in the device is still higher than required 25 minutes after user authentication, the Collector stops waiting and reports the logon duration as 25 minutes.
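The readiness rule and the 25-minute cap described above, worked through on constructed resource samples. This is an added example, not Nexthink or Collector code; the `Sample` structure, the function names and the choice to treat the first sample that meets the thresholds as "ready" are assumptions.

```python
from dataclasses import dataclass

MAX_WAIT_S = 25 * 60      # page: the Collector stops waiting 25 minutes after authentication
CPU_READY_PCT = 15.0      # page: CPU usage must drop below 15%
DISK_READY_PCT = 80.0     # page: disk usage must drop below 80% (desktops and laptops)

@dataclass
class Sample:             # hypothetical structure for one resource reading
    t: float              # seconds since user authentication
    cpu: float            # desktop/laptop: device CPU %; server: CPU % of the user's processes
    disk: float           # disk usage %, not considered for servers

def is_ready(sample, device_type):
    if device_type == "server":
        return sample.cpu < CPU_READY_PCT
    return sample.cpu < CPU_READY_PCT and sample.disk < DISK_READY_PCT

def logon_durations(desktop_shown_t, samples, device_type="desktop"):
    """Return (logon_duration, extended_logon_duration) in seconds."""
    for s in sorted(samples, key=lambda s: s.t):
        if s.t > MAX_WAIT_S:
            break
        # Readiness only counts once the desktop has been shown.
        if s.t >= desktop_shown_t and is_ready(s, device_type):
            return desktop_shown_t, s.t
    # Timeout: the 25-minute value is applied here to the extended duration,
    # since that is the measurement waiting on resources (assumption).
    return desktop_shown_t, float(MAX_WAIT_S)

# Constructed samples, not real Collector data.
LAPTOP = [Sample(10, 5, 10), Sample(40, 90, 95), Sample(70, 40, 85),
          Sample(100, 12, 85), Sample(130, 9, 60)]
BUSY = [Sample(t, 55, 90) for t in range(30, 1800, 30)]

if __name__ == "__main__":
    print(logon_durations(35, LAPTOP))            # disk still busy at t=100
    print(logon_durations(35, LAPTOP, "server"))  # servers look at CPU only
    print(logon_durations(35, BUSY))              # never settles: capped
```

A device that regularly reports the capped value is one whose resources never settled within 25 minutes, not one with a measured readiness time.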

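Figure: Logon duration, which starts at user authentication and stops when the desktop is shown. Extended logon duration, which starts at user authentication, continues after the desktop is shown, and stops when the device is ready to use.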

Logon duration in devices with roaming user profiles

A roaming user profile is a concept in Windows that allows users to have a consistent desktop experience across different computers within the same network. Independently of the computer that they choose to work with, the users have access to their personal documents, the applications remember their preferences and the desktop appearance remains the same. In this section, learn how roaming user profiles may impact the measurement of the logon duration.

When roaming users log on to a device, the loading of their profile can take a substantial part of the logon time. However, the new session starts only after the profile is completely loaded. If the Collector just waited for the session creation event to compute the logon duration, it would ignore the time spent loading the user profile as part of the logon duration. Because of this omission, the Collector would report much smaller logon durations than the actual values for the logon duration of roaming users. Therefore, the Collector never uses this method for computing the logon duration of roaming users.

The alternative is to get logon information from the Security log of Windows. Logon events in the Security log always report the correct logon time. For this reason, auditing logon events is the preferred method for the Collector to compute the logon duration of all kinds of users and it is mandatory for roaming users. For devices with roaming user profiles, remember to always activate the audit of logon events. Failing to do so results in the Collector not reporting the logon duration of users with roaming profiles.
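One way to verify that logon auditing is active on a device, as an added example that is not part of the original page or of Nexthink's tooling. It assumes that the "audit of logon events" above corresponds to success auditing of the Windows Logon audit subcategory, that `auditpol` produces English-language CSV output, and that the helper names and sample reports are constructed for illustration.

```python
import csv
import subprocess

# GUID of the "Logon" audit subcategory (Logon/Logoff category); locale-independent.
LOGON_SUBCATEGORY_GUID = "{0CCE9215-69AE-11D9-BED3-505054503030}"

def logon_success_audited(report_csv):
    """True if an `auditpol ... /r` CSV report shows success auditing for Logon."""
    lines = [line for line in report_csv.splitlines() if line.strip()]
    for row in csv.DictReader(lines):
        if row.get("Subcategory GUID", "").upper() == LOGON_SUBCATEGORY_GUID:
            # English values: "No Auditing", "Success", "Failure", "Success and Failure"
            return "success" in row.get("Inclusion Setting", "").lower()
    return False  # subcategory absent from the report: treat as not audited

def read_local_policy():
    """Query the local audit policy; run on the Windows device from an elevated prompt."""
    cmd = ["auditpol", "/get", f"/subcategory:{LOGON_SUBCATEGORY_GUID}", "/r"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed reports in the auditpol /r layout (not captured from a real device).
HEADER = ("Machine Name,Policy Target,Subcategory,Subcategory GUID,"
          "Inclusion Setting,Exclusion Setting\n")
ENABLED = HEADER + f"PC-EXAMPLE,System,Logon,{LOGON_SUBCATEGORY_GUID},Success and Failure,\n"
DISABLED = HEADER + f"PC-EXAMPLE,System,Logon,{LOGON_SUBCATEGORY_GUID},No Auditing,\n"
FAILURE_ONLY = HEADER + f"PC-EXAMPLE,System,Logon,{LOGON_SUBCATEGORY_GUID},Failure,\n"

if __name__ == "__main__":
    for name, report in (("enabled", ENABLED), ("disabled", DISABLED),
                         ("failure only", FAILURE_ONLY)):
        print(name, logon_success_audited(report))
```

On a device with roaming profiles, a `False` result means the Collector will not report logon durations for those users.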

Inspecting logon duration through Finder and NXQL

User logon is the activity that holds logon duration information in Nexthink. Look for user logons in the Finder by creating a new investigation:

  1. At the bottom of the Start page, click New Investigation.
  2. Under the Activities tab, select user logons.
  3. Fill in the conditions and time frame as desired.
  4. Ensure that the Columns in the DISPLAY section include the Duration and the Extended duration of the user logon.
  5. Click Run.

In NXQL, user logons are a type of the more general user_activity events. For instance, to get a list of all logon events, open the NXQL editor and type in:

(select * (from user_activity (where user_activity (eq type (enum logon)))))

Note that the extended logon duration is called real_duration in NXQL.

To get logon duration information for a particular device in the Finder, create an investigation on devices and look for the following columns to display (note that there is a normal and an extended duration version of each field):

  • Last [extended] logon duration:
    The (extended) duration of the last user logon measured on the device.
  • [Extended] Logon duration baseline:
    The exponentially weighted moving average of the (extended) duration of all user logons of the device stored in the Engine database. For a measured logon duration L(n) on the nth logon, the weighted average S(n) is recursively computed with the following formula:
    • S(n) = L(1), for n = 1
    • S(n) = α ⋅ L(n) + (1 - α) ⋅ S(n - 1), for n > 1
    Where coefficient α = 0.1 and the contribution to the duration of old user logons is removed as soon as they are dropped from the history of the database.
    Note that this field is precomputed from all user logons available in the database, so its value does not depend on the time frame of the investigation.

In NXQL, the equivalent fields are called as follows:

Finder                             NXQL
Last logon duration                last_logon_duration
Logon duration baseline            average_logon_duration
Last extended logon duration       last_extended_logon_duration
Extended logon duration baseline   extended_logon_duration_baseline

For instance, to get all types of logon duration for every device, type in the query:

(select (last_logon_duration average_logon_duration last_extended_logon_duration extended_logon_duration_baseline) (from device))


We have seen that the logon duration baselines (normal and extended) are precomputed for a device and do not depend on the time frame. To actually compute the average logon duration of a user on a device over a time frame, add the Average [extended] logon duration aggregate to your displayed columns. The average is calculated as the sum of the duration of the logon events divided by the number of logon events within the time frame.
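The difference between the precomputed baseline (for both boots and logons) and the time-frame average, on one constructed series of durations. This is an added example, not Nexthink code; the function names and the way dropped history is modelled (restarting the recursion from the oldest event still stored) are assumptions.

```python
ALPHA = 0.1  # coefficient given on the page

def baseline(durations, alpha=ALPHA):
    """S(1) = D(1); S(n) = alpha * D(n) + (1 - alpha) * S(n - 1). None if no events."""
    s = None
    for d in durations:
        s = d if s is None else alpha * d + (1 - alpha) * s
    return s

def baseline_with_history(events, oldest_kept, alpha=ALPHA):
    """Baseline over the events still in history; events are (timestamp, duration)."""
    kept = [d for t, d in sorted(events) if t >= oldest_kept]
    return baseline(kept, alpha)

def timeframe_average(events, start, end):
    """Plain mean of the durations whose timestamp falls inside [start, end]."""
    in_frame = [d for t, d in events if start <= t <= end]
    return sum(in_frame) / len(in_frame) if in_frame else None

# Constructed history: nine 40-second events on days 1-9, one 400-second event on day 10.
EVENTS = [(day, 40.0) for day in range(1, 10)] + [(10, 400.0)]

if __name__ == "__main__":
    print(baseline([d for _, d in EVENTS]))          # one slow event moves the baseline by 10%
    print(timeframe_average(EVENTS, 10, 10))         # last day only
    print(timeframe_average(EVENTS, 9, 10))          # last two days
    print(baseline_with_history(EVENTS, oldest_kept=10))  # only day 10 left in history
```

The baseline absorbs a single slow event slowly, while a short time frame reports it at full weight, so the two columns answer different questions.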

In NXQL, the equivalent for the Average logon duration is the average_logon_duration aggregate. Note that it has the same name as the normal logon duration baseline, but it must be placed inside a compute clause in the NXQL query, so there is no confusion possible.

Finder                            NXQL
Average logon duration            average_logon_duration
Average extended logon duration   average_extended_logon_duration

For example, to query for both the normal and the extended logon duration baselines and averages (for the last day) in an NXQL query, type in:

(select (average_logon_duration extended_logon_duration_baseline) (from device (with user_activity (compute average_logon_duration average_extended_logon_duration) (between now-1d now))))

