Boot and logon duration

Overview

The startup time of a device has a direct impact on the productivity and the experience of end-users. Since the first activities that a user performs on a device are to power it on and to log on, users typically have a very negative perception of devices that take too long to start. Indeed, a long boot or logon process are often a symptom of other underlying problems in a device, such as disk failures, network issues, low memory, or general obsolescence. Nexthink provides the following measurements of the boot and logon duration of a device:

Boot duration

The time between powering on a device and the display of the sign-in screen.

Logon duration

The time between user authentication and the desktop being shown.

Extended logon duration

The time between user authentication and the device being ready.

Because of the techniques employed in the measurement of boot and logon duration, these values apply to Windows devices only.

Measurement of the boot duration

The boot duration measures the elapsed time between a user presses the power button of a device and the moment in which the device shows the sign-in screen.

Nexthink records boot events for devices that either perform a full boot sequence or a fast startup (a boot technique introduced in Windows 8 that reduces the boot time by keeping kernel state on disk). Waking up the device after being in a standby (sleep) or a hibernation state is not considered a device boot.

Inspecting boot duration through Finder and NXQL

System boot is the activity that holds boot duration information in Nexthink. Look for system boots in the Finder by creating a new investigation:

1. At the bottom of the Start page, click New Investigation.

2. Under the Activities tab, select system boots.

3. Fill the conditions and time frame as desired.

4. Ensure that the Columns in the DISPLAY section include the Duration of the system boot.

5. Optional: include the column Boot type to know whether the system boot was either:

   • full boot, a complete boot sequence.

   • fast startup, a reduced boot sequence (available in Windows 8 and later).

6. Click Run

In NXQL, system boots are a type of the more general device_activity events. For instance, to get a list of all boot events, open the NXQL editor and type in:

(select * (from device_activity (where device_activity (eq type (enum boot)))))

To get boot duration information for a particular device in the Finder, create an investigation on devices and look for the following columns to display:

• Last boot duration:

The duration of the last boot measured on the device.

• Full boot duration baseline:

The exponentially weighted moving average of the duration of all full boots of the device stored in the Engine database. For a measured boot duration B(n) on the nth logon, the weighted average S(n) is recursively computed with the following formula:

• S(n) = B(1), for n = 1

  • S(n) = α ⋅ B(n) + (1 - α) ⋅ S(n - 1), for n > 1

• Where coefficient α = 0.1 and the contribution to the duration of old boot events is removed as soon as they are dropped from the history of the database.

  Note that this field is precomputed from all boot events available in the database, so its value does not depend on the time frame of the investigation.

• Fast startup duration baseline:

The exponentially weighted moving average of the duration of all fast startups of the device stored in the Engine database. It is computed similarly to the Full boot duration baseline, but counting the duration of boot events of the fast startup type only.

Note that this field is precomputed from all fast startup events available in the database, so its value does not depend on the time frame of the investigation.

In NXQL, the equivalent fields for Last boot duration, Full boot duration baseline, and Fast startup duration baseline are called, respectively, last_boot_duration, average_boot_duration, and average_fast_startup_duration. For instance, to get the last boot, full boot baseline and the fast startup durations for every device, type in the query:

(select (last_boot_duration
         average_boot_duration
         average_fast_startup_duration)
  (from device))

We have seen that the Full boot duration baseline and the Fast startup duration baseline are precomputed for a device and do not depend on the time frame. To actually compute the average boot duration of a device over a time frame, add the Average boot duration aggregate to your displayed columns. The average is calculated as the sum of the duration of all boot events (full boots and fast startups) divided by the number of boot events within the time frame.

In NXQL, the equivalent for the Average boot duration is the average_boot_duration aggregate. Note that it has the same name as the full boot duration baseline, but the aggregate also includes the fast startups (you can filter full boots or fast startups through conditions, when necessary). Moreover, as all aggregates, it must be placed inside a compute clause in the NXQL query, so there is no confusion possible. For example, to query both for the full boot duration baseline and average (for the last day) in a single NXQL query, type in:

(select average_boot_duration
  (from device
     (with device_activity (compute average_boot_duration)
     (between now-1d now))))

Measurement of the logon and extended logon durations

The moment when the user finishes authenticating, either by typing in their credentials or by any other identification means, marks the start of the logon process. The Collector has two ways to detect the start of the logon process:

• Look in the Security log for an audit logon event.

• Wait for a session creation event.

Nevertheless, if the audit policy on the device does not include the audit of logon events, the Collector defaults to detecting user logons by listening to session creation events. Capturing the moment of creation of a session is usually a precise method to determine the time of a user logon. However, in setups with roaming user profiles, using this method could yield logon durations that are much shorter than the actual logon duration experienced by users. To avoid sending inaccurate information, if the audit of logon events is not enabled, the Collector does not report the logon duration of users with roaming profiles. For more information on roaming user profiles, see the next section.

Both the logon and the extended logon durations take the start of the logon process as the beginning of their measurement, but they differ from each other in their ending point:

• The appearance of the desktop marks the end of the logon duration.

• After the desktop is shown, the readiness of the device to being used marks the end of the extended logon duration. The device is considered to be ready to use when the operating system frees enough resources so that the device becomes responsive again to the commands of the user. Depending on the type of device, the resource consumption for considering the device to be ready is as follows:

  • Desktops and laptops: the CPU usage drops below 15% and the disk usage below 80%.

  • Servers: the CPU usage of all the processes that belong to the logged on user drops below 15%.

If the consumption of resources in the device is still higher than required 25 minutes after user authentication, the Collector stops waiting and reports the logon duration as 25 minutes.

Logon duration in devices with roaming user profiles

A roaming user profile is a concept in Windows that allows users to have a consistent desktop experience across different computers within the same network. Independently of the computer that they choose to work with, the users have access to their personal documents, the applications remember their preferences and the desktop appearance remains the same. In this section, learn how roaming user profiles may impact the measurement of the logon duration.

When roaming users log on a device, the loading of their profile can take a substantial part of the logon time. However, the new session starts only after the profile is completely loaded. If the Collector just waited for the session creation event to compute the logon duration, it would ignore the time spent to load the user profile as part of the logon duration. Because of this omission, the Collector would report much smaller logon durations than the actual values for the logon duration of roaming users. Therefore, the Collector never uses this method for computing the logon duration of roaming users.

Inspecting logon duration through Finder and NXQL

User logon is the activity that holds logon duration information in Nexthink. Look for user logons in the Finder by creating a new investigation:

1. In the bottom of the Start page, click New Investigation.

2. Under the Activities tab, select user logons.

3. Fill the conditions and time frame as desired.

4. Ensure that the Columns in the DISPLAY section include the Duration and the Extended duration of the user logon.

5. Click Run

In NXQL, user logons are a type of the more general user_activity events. For instance, to get a list of all logon events, open the NXQL editor and type in:

(select * (from user_activity
  (where user_activity (eq type (enum logon)))))

Note that the extended logon duration is called real_duration in NXQL.

To get logon duration information for a particular device in the Finder, create an investigation on devices and look for the following columns to display (note that there is a normal and an extended duration version of each field):

• Last [extended] logon duration:The (extended) duration of the last user logon measured on the device.

• [Extended] Logon duration baseline:The exponentially weighted moving average of the (extended) duration of all user logons of the device stored in the Engine database. For a measured logon duration L(n) on the nth logon, the weighted average S(n) is recursively computed with the following formula:

  • S(n) = L(1), for n = 1

  • S(n) = α ⋅ L(n) + (1 - α) ⋅ S(n - 1), for n > 1

  Where coefficient α = 0.1 and the contribution to the duration of old user logons is removed as soon as they are dropped from the history of the database.

  Note that this field is precomputed from all user logons available in the database, so its value does not depend on the time frame of the investigation.

In NXQL, the equivalent fields are called as follows:

For instance, to get all types of logon duration for every device, type in the query:

(select (last_logon_duration average_logon_duration
  last_extended_logon_duration extended_logon_duration_baseline)
  (from device))

We have seen that the logon duration baselines (normal and extended) are precomputed for a device and do not depend on the time frame. To actually compute the average logon duration of a user on a device over a time frame, add the Average [extended] logon duration aggregate to your displayed columns. The average is calculated as the sum of the duration of the logon events divided by the number of logon events within the time frame.

In NXQL, the equivalent for the Average logon duration is the average_logon_duration aggregate. Note that it has the same name as the normal logon duration baseline, but it must be placed inside a compute clause in the NXQL query, so there is no confusion possible.

For example, to query both for both the normal and the extended logon duration baselines and averages (for the last day) in an NXQL query, type in:

(select (average_logon_duration extended_logon_duration_baseline)
  (from device (with user_activity
     (compute average_logon_duration average_extended_logon_duration)
  (between now-1d now))))

RELATED TASK