Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


Monitoring User Session Activity With uberAgent

  • by Dominik Britz
  • April 11, 2019

The other day I got a question from a customer if it is possible to monitor session activity with uberAgent. Of course, I thought! One has to just look at the session connection state, which can be active, disconnected, etc. That is monitored by uberAgent very well. But when I thought about it further, I noticed that the situation is not so trivial. Read below how I solved it with a custom search.

Customer’s Requirements

Our customer is a service provider and wants to know if users are actively working in their sessions and to what percentage. “Actively working” means users are logged in and are doing something in the session. Non-active time means the users are logged in but not working. The latter is the case when:

  1. the session is disconnected
  2. the session is locked
  3. the screensaver is active

How to Solve That With uberAgent

Disconnected and Idle Sessions

The first point was easy to solve; you just have to search for sessions that are in the state active so all others are ignored.

| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
   latest(SessionUserLower) as User
   filter host in (*)
   filter SessionConnectionState is "active"

Locked Sessions

Points two and three took me a while to figure out. uberAgent’s capability to collect the foreground application brought me to my goal. Let us start with locked sessions.

Want to know more about uberAgent’s capability to collect the foreground application? Read more here.

If the desktop is locked, the foreground process is LockApp.exe. The lock screen appears before you have to enter your credentials. Mine looks like this:

uberAgent’s application identification groups LockApp.exe into the application Microsoft Windows OS. To identify the process uniquely, I have overwritten the identification in uberAgent’s configuration file:

# Lock App
^C:\\Windows\\SystemApps\\Microsoft.LockApp_cw5n1h2txyewy\\LockApp\.exe$ = Lock App

While this upstream lock screen looks nice on physical PCs, it makes no sense in virtual environments and is typically disabled. In virtual environments, users are taken directly to the “real” login screen, where they have to put in their credentials. That is a secure shell and cannot be accessed by uberAgent. Hence the foreground application field is empty – which is good for us as it is empty only in this case!

By the way, if a user is just looking at the desktop with all applications closed, the foreground application identified by uberAgent is Microsoft Windows OS (foreground process is explorer.exe).

To conclude, uberAgent is able to identify if a desktop is locked either with Microsoft’s Lock App or without.

Active Screensaver

After I found out how to recognize the lock screen with uberAgent, the screensaver was a breeze. The foreground application is empty when the screensaver is active, too.

The Final Search

So the logic to see if a session is not active is as follows. One statement has to be true.

  • the session connection state is not active
  • the session is active and the foreground app is Lock App
  • the session is active, and there is no foreground app

That translates into this easy-peasy Splunk eval command: | eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)

Here is the final search I ended up with:

| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
   count(Session_SessionDetail_Users) as EventCount
   latest(SessionConnectionState) as SessionConnectionState
   latest(SessionFgAppName) as SessionFgAppName
   latest(SessionUserLower) as User
      period second
   filter host in (*)
| eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
| stats
   sum(Active) as Active
   sum(EventCount) as EventCount
   latest(User) as User
| eval "Active time (%)" = round(Active / EventCount * 100,1)
| eval sortfield='Active time (%)'
| sort limit=0 -sortfield 'Active time (%)'
| table
   "Active time (%)"

And the result:

Alternative Method

While the above works per session, uberAgent also collects idleness in percent per machine. 100% means the system is completely idle. This metric is used by Windows to determine whether to start the screen saver or turn off the display. Details are available in our documentation.

Test Setup

  • Microsoft Windows 10 Enterprise 1809 x64
  • uberAgent 5.2
  • Splunk 7.2.5

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *