Boot and logon duration (classic)

The startup time of a device has a direct impact on the productivity and the experience of employees. Since the first activities that a user performs on a device are to power it on and to log on, users typically have a very negative perception of devices that take too long to start. Indeed, a long boot or logon process is often a symptom of other underlying problems in a device, such as disk failures, network issues, low memory or general obsolescence. Nexthink provides the following measurements of the boot and logon duration of a device:

Boot duration The time between powering on a device and the display of the sign-in screen.

Logon duration The time between user authentication and the desktop being shown.

Extended logon duration The time between user authentication and the device being ready.

Because of the techniques employed in the measurement of boot and logon duration, these values apply to Windows devices only.

Applies to platform | Windows |

Measurement of the boot duration

The boot duration measures the elapsed time between a user pressing the power button of a device and the moment in which the device shows the sign-in screen.

Nexthink records boot events for devices that either perform a full boot sequence or a fast startup. A fast startup is a boot technique introduced in Windows 8 that reduces the boot time by keeping the kernel state on disk. Nexthink does not consider waking up the device after being in a standby (sleep) or hibernation state a device boot.

Boot duration
Boot duration

Start

Stop

Device is powered on

Sign-in screen appears

Inspecting boot duration through Finder (classic) and NXQL

System boot is the activity that contains boot duration information in Nexthink. Look for system boots in Finder by creating a new investigation:

  1. At the bottom of the Start page, click New Investigation.

  2. Under the Activities tab, select system boots.

  3. Fill in the conditions and time frame as desired.

  4. Ensure that the Columns in the DISPLAY section include the Duration of the system boot.

  5. (Optional) include the column Boot type to know whether the system boot was either:

    • full boot, a complete boot sequence.

    • fast startup, a reduced boot sequence (available in Windows 8 and later).

  6. Click Run.

In NXQL, system boots are a type of the more general device_activity event. For instance, to get a list of all boot events, open the NXQL editor and type in:

(select * (from device_activity (where device_activity (eq type (enum boot)))))

To get boot duration information for a particular device in Finder, create an investigation on devices and look for the following columns to display.

Last boot duration The duration of the last boot measured on the device.

Full boot duration baseline This is the exponentially weighted moving average of the duration of all full boots of the device stored in the Engine database. For a measured boot duration B(n) on the nth logon, the weighted average S(n) is recursively computed with the following formula:

S(n) = B(1), for n = 1

S(n) = α ⋅ B(n) + (1 - α) ⋅ S(n - 1), for n > 1

Where coefficient α = 0.1 and where the system removes the contribution to the duration of old boot events as soon as they are dropped from the history of the database.

Note that this field is precomputed from all boot events available in the database, so its value does not depend on the time frame of the investigation.

Fast startup duration baseline: This is the exponentially weighted moving average of the duration of all fast startups of the device stored in the Engine database. It is computed similarly to the Full boot duration baseline, but counts the duration of boot events for the fast startup type only.

Note that this field is precomputed from all fast startup events available in the database, so its value does not depend on the time frame of the investigation.

In NXQL, the equivalent fields for Last boot duration, Full boot duration baseline and Fast startup duration baseline are called, respectively, last_boot_duration, average_boot_duration and average_fast_startup_duration. For instance, to get the last boot, full boot baseline and the fast startup durations for every device, type in the query:

(select (last_boot_duration
         average_boot_duration
         average_fast_startup_duration)
  (from device))

We have seen that the system precomputes the Full boot duration baseline and the Fast startup duration baseline for a device and does not depend on the time frame. To actually compute the average boot duration of a device over a time frame, add the Average boot duration aggregate to your displayed columns. The system calculates the average as the sum of the duration of all boot events (full boots and fast startups) divided by the number of boot events within the time frame.

In NXQL, the equivalent for the Average boot duration is the average_boot_duration aggregate. Note that it has the same name as the full boot duration baseline, but the aggregate also includes the fast startups. Filter full boots or fast startups through conditions when necessary. Place it inside a compute clause in the NXQL query, as you would with any aggregate, so there is no confusion. For example, to query for both the full boot duration baseline and average (for the last day) in a single NXQL query, type in:

(select average_boot_duration
  (from device
     (with device_activity (compute average_boot_duration)
     (between now-1d now))))

Measurement of the logon and extended logon durations

The moment the user finishes authenticating, either by typing in their credentials or by any other identification means, marks the start of the logon process. Collector has two ways of detecting the start of the logon process by either:

  • Looking in the Security log for an audit logon event.

  • Waiting for a session creation event.

The preferred method for Collector to detect a user logon is to look for audit logon events in the Security log of Windows. For the Security log to include logon information, the system administrator must activate the corresponding audit policy option. The logon time detected by Collector will then match the time recorded by Windows.

Nevertheless, if the audit policy on the device does not include the audit of logon events, Collector defaults to detecting user logons by listening to session creation events. Capturing the moment of creation of a session is usually a precise method to determine the time of a user logon. However, in setups with roaming user profiles, using this method could yield logon durations that are much shorter than the actual logon duration experienced by users. To avoid sending inaccurate information, if the audit of logon events is not enabled, Collector does not report the logon duration of users with roaming profiles. For more information on roaming user profiles, see the next section.

Both the logon and the extended logon durations take the start of the logon process as the beginning of their measurement, but they differ from each other in their ending point:

  • The appearance of the desktop marks the end of the logon duration.

  • After the desktop appears, the device being ready for use marks the end of the extended logon duration. The system considers the device to be ready to use when the operating system frees enough resources so that the device becomes responsive again to the commands of the user. Depending on the type of device, the resource consumption the system requires to consider the device to be ready is as follows:

    • Desktops and laptops: the CPU usage drops below 15% and the disk usage below 80%.

    • Servers: the CPU usage of all the processes that belong to the logged-on user drops below 15%.

If the consumption of resources in the device is still higher than the required 25 minutes after user authentication, Collector stops waiting and reports the logon duration as 25 minutes.

Logon duration
Logon duration

Start

Stop

  • User authentication

  • Desktop appears

  • Device is ready to use

Start

Continue

Stop

Extended logon duration

Logon duration in devices with roaming user profiles

A roaming user profile is a concept in Windows that allows users to have a consistent desktop experience across different computers within the same network. Independently of the computer that they choose to work with, the users have access to their personal documents, the applications remember their preferences and the desktop appearance remains the same. In this section, learn how roaming user profiles may impact the measurement of the logon duration.

When roaming users log on to a device, the loading of their profile can take a substantial part of the logon time. However, the new session starts only after the system loads the profile completely. If Collector only waited for the session creation event to compute the logon duration, it would ignore the time spent loading the user profile as part of the logon duration. Because of this omission, Collector would report much smaller logon durations than the actual values for the logon duration of roaming users. Therefore, Collector never uses this method to compute the logon duration of roaming users.

The alternative is to get logon information from the Security log of Windows. Logon events in the Security log always report the correct logon time. For this reason, auditing logon events is the preferred method for Collector to compute the logon duration of all kinds of users and it is mandatory for roaming users. For devices with roaming user profiles, remember to always activate the audit of logon events. Failing to do so results in Collector not reporting the logon duration of users with roaming profiles.

Inspecting logon duration through Finder (classic) and NXQL

User logon is the activity that contains logon duration information in Nexthink. Look for user logons in Finder by creating a new investigation:

  1. At the bottom of the Start page, click New Investigation.

  2. Under the Activities tab, select user logons.

  3. Fill in the conditions and time frame as desired.

  4. Ensure that the Columns in the DISPLAY section include the Duration and the Extended duration of the user logon.

  5. Click Run.

In NXQL, user logons are a type of the more general user_activity event. For instance, to get a list of all logon events, open the NXQL editor and type in:

(select * (from user_activity
  (where user_activity (eq type (enum logon)))))

Note that the extended logon duration is called real_duration in NXQL.

To get logon duration information for a particular device in Finder, create an investigation on devices and look for the following columns to display. Note that there is a normal and an extended duration version of each field:

  • Last [extended] logon duration: The (extended) duration of the last user logon measured on the device.

  • [Extended] Logon duration baseline: The exponentially weighted moving average of the (extended) duration of all user logons of the device stored in the Engine database. For a measured logon duration L(n) on the nth logon, the weighted average S(n) is recursively computed with the following formula:

    • S(n) = L(1), for n = 1

    • S(n) = α ⋅ L(n) + (1 - α) ⋅ S(n - 1), for n > 1

    Where coefficient α = 0.1 and where the system removes the contribution to the duration of old boot events as soon as they are dropped from the history of the database.

Note that the system precomputes this field from all user logons available in the database, so its value does not depend on the time frame of the investigation.

In NXQL, the equivalent fields are:

Finder
NXQL

Last logon duration

last_logon_duration

Logon duration baseline

average_logon_duration

Last extended logon duration

last_extended_logon_duration

Extended logon duration baseline

extended_logon_duration_baseline

To get all types of logon duration for every device, type in the query:

(select (last_logon_duration average_logon_duration
  last_extended_logon_duration extended_logon_duration_baseline)
  (from device))

We have seen that the system precomputes the logon duration baselines (normal and extended) for a device and do not depend on the time frame. To actually compute the average logon duration of a user on a device over a time frame, add the Average [extended] logon duration aggregate to your displayed columns. The system calculates the average as the sum of the duration of the logon events divided by the number of logon events within the time frame.

In NXQL, the equivalent for the Average logon duration is the average_logon_duration aggregate. Note that it has the same name as the normal logon duration baseline, but you must place it inside a compute clause in the NXQL query, so there is no confusion possible.

Finder
NXQL

Average logon duration

average_logon_duration

Average extended logon duration

average_extended_logon_duration

For example, to query both for the normal and the extended logon duration baselines and averages (for the last day) in an NXQL query, type in:

(select (average_logon_duration extended_logon_duration_baseline)
  (from device (with user_activity
     (compute average_logon_duration average_extended_logon_duration)
  (between now-1d now))))

Last updated

#451: 2024.8-Overview of integration DOC

Change request updated