LANDesk SoftMon Monitoring Information

LANDesk Softmon.exe monitors application execution and logs usage information in the registry. The following information is logged to the registry: Current Duration, Current User, First Started, Last Duration, Last Started, Total Duration, and Total Runs. This information is useful to determine application usage and location of said applications.

The monitor information can be found in the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\]

Each log entry receives a new key; an example would be C:/Program Files/Microsoft Office/OFFICE11/EXCEL.EXE.

Under this application name key you may see the following registry values (not all values are always available):
Current Duration
Current User
First Started
Last Duration
Last Started
Total Duration
Total Runs

Unfortunately, if an application is no longer available the usage information still lives on in the registry. This may give you inaccurate usage information if you solely rely on this data. I would recommend checking to see if the application still exists in the path specified by the key to determine if the application is still available on the PC.

How do you determine Last Duration?
1) Extract the Last Duration REG_BINARY value in Hex.
Example: 20 F2 96 1E A6 00 00 00
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the Hex from right to left into the calculator:
00 00 00 A6 1E 96 F2 20
4) Click the Dec radio button to switch to decimal.
5) Divide the decimal number by 10,000,000
You will now have the Last Duration in seconds. In this example the result will be 71347.778 seconds.

How do you determine Total Duration?
1) Extract the Total Duration REG_BINARY value in Hex.
Example: 10 B1 AD D9 CB 09 00 00
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the Hex from right to left into the calculator:
00 00 09 CB D9 AD B1 10
4) Click the Dec radio button to switch to decimal.
5) Divide the decimal number by 10,000,000
You will now have the Total Duration in seconds. In this example the result will be 1077113.505 seconds.

How do you determine Current Duration?
1) Extract the Current Duration REG_BINARY value in Hex.
Example: 80 97 6A 76 2F 00 00 00
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the Hex from right to left into the calculator:
00 00 00 2F 76 6A 97 80
4) Click the Dec radio button to switch to decimal.
5) Divide the decimal number by 10,000,000
You will now have the Current Duration in seconds. In this example the result will be 20385.016 seconds.

How do you determine Last Started?
1) Extract the Last Started REG_BINARY value in Hex.
Example: 40 4D C8 A0 55 45 CC 01
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the Hex from right to left into the calculator:
01 CC 45 55 A0 C8 4D 40
4) Click the Dec radio button to switch to decimal.
5) Use this decimal number in a Filetime converter utility to get the date and time.
I found a useful converter at: http://www.silisoftware.com/tools/date.php
The input format is filetime and key the decimal into the date field.
6) Click convert and you have the Last Started date.

How do you determine First Started?
1) Extract the First Started REG_BINARY value in Hex.
Example: 50 0D CE 02 00 09 CC 01
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the Hex from right to left into the calculator:
01 CC 09 00 02 CE 0D 50
4) Click the Dec radio button to switch to decimal.
5) Use this decimal number in a Filetime converter utility to get the date and time.
I found a useful converter at: http://www.silisoftware.com/tools/date.php
The input format is filetime and key the decimal into the date field.
6) Click convert and you have the First Started date.

How do you determine the Current User?
1) Read the Current User REG_SZ value as a string.

How do you determine Total Runs?
1) Read the Total Runs REG_DWORD value as a decimal number to get the total number of executions.
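
The five REG_BINARY conversions above can be done in one pass. The following is an added example, not part of the original post. It assumes the values have been copied out as hex text; the function and variable names are illustrative, and the timestamps are treated as standard Windows FILETIME values in UTC, which the post does not state.

```python
import struct
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000  # values are 100 ns ticks (the "divide by 10,000,000" step)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DURATIONS = {"Current Duration", "Last Duration", "Total Duration"}
TIMESTAMPS = {"First Started", "Last Started"}

# Constructed sample: the example bytes from this post gathered into one entry.
SAMPLE = {
    "Last Duration": "20 F2 96 1E A6 00 00 00",
    "Total Duration": "10 B1 AD D9 CB 09 00 00",
    "Current Duration": "80 97 6A 76 2F 00 00 00",
    "Last Started": "40 4D C8 A0 55 45 CC 01",
    "First Started": "50 0D CE 02 00 09 CC 01",
}


def to_ticks(hex_text):
    """Parse 'aa bb ...' (or the comma form used in .reg exports) as a 64-bit value."""
    raw = bytes.fromhex(hex_text.replace(",", " "))
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return struct.unpack("<Q", raw)[0]  # little-endian: the "right to left" step


def duration_seconds(hex_text):
    return to_ticks(hex_text) / TICKS_PER_SECOND


def filetime_to_utc(hex_text):
    # Integer microseconds avoid float rounding on large tick counts.
    # Assumption: the agent writes UTC, as a standard FILETIME does.
    return FILETIME_EPOCH + timedelta(microseconds=to_ticks(hex_text) // 10)


def decode_entry(values):
    """Decode the REG_BINARY values of one MonitorLog application key."""
    out = {}
    for name, hex_text in values.items():
        if name in DURATIONS:
            out[name] = duration_seconds(hex_text)
        elif name in TIMESTAMPS:
            out[name] = filetime_to_utc(hex_text)
    return out


if __name__ == "__main__":
    for name, value in decode_entry(SAMPLE).items():
        print(f"{name}: {value}")
```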

You may be asking why I would go through so much trouble to determine the usage of an application on a computer. Well, I come from the background that if you can keep a computer clean, it will perform the best. By using this information, I can determine if the application needs to be reinstalled on a replacement PC or if it needs to be uninstalled on a current PC. By using this information you may find how and when a user uses an application.

** Note: this information is provided for educational purposes only. **
