I saw an interesting question the other day. A sysadmin had a department asking for more computers, and he suspected the department wasn’t using the machines it already had. His IT department didn’t want to go to the trouble and expense of providing more computers to a department that didn’t need them. So here’s how to check computer usage.
Here’s one easy way to check computer usage: Load Performance Monitor. Then right-click on Performance and select Connect to another computer. Type the remote computer’s name or click Browse and pick it from the list, then click OK. Then click on Performance Monitor on the left-hand side. This lets you monitor the computer’s CPU usage. You can even right-click on the chart and select Save Data As to save the data for review later.
If the CPU usage is extremely low, that’s a good indicator nobody is using it. There will be times during the day when the CPU will jump no matter what, such as when the antivirus runs a scan. But if you see hours on end where the CPU utilization is essentially flat, that’s a pretty good indication that nobody is using it.
Check the event logs
Windows computers write to their event logs almost all the time, without needing much reason to do so. But there are a handful of events that indicate human activity. Load Event Viewer, then connect to the remote computer the same way you did in the step before. The events your security team is interested in are the same ones that prove whether someone is actually using the computer. Look for events in the 4600 range in the security event log, especially 4624 and 4625, which show someone trying to log on, successfully or unsuccessfully. You’re going to see unsuccessful logons due to people forgetting passwords.
Also look for event 4647 to make sure your users are logging off, and not sharing a single account. You’ll have to find out what’s normal in your company, whether people log on for a couple of hours and then log off for someone else to use it, or whether logging in at the start of a shift and staying logged in for 8 hours straight is normal.
If you’re not seeing logon/logoff events for long periods of time, that’s a good indication no one is using the computer. Also look for events 4800 and 4801. If hours go by between locking and unlocking the computer, no one is using it during that time.
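Reading those four event IDs by eye gets tedious over a couple of weeks of logs. The PowerShell below is an added example, not part of the original article: it pairs each logon or unlock with the next logoff or lock and reports how long the machine was actually in use. The function names, the sample events, the computer name PC-042 and the choice of logon types are assumptions made for the illustration.

```powershell
# Event IDs named in the article: 4624 logon, 4647 logoff, 4800 lock, 4801 unlock.
$StartIds = 4624, 4801
$StopIds  = 4647, 4800
# Assumption: only logon types 2 (console), 10 (RDP) and 11 (cached credentials)
# count as a person; 4624 is also written for services and network connections.
$HumanLogonTypes = 2, 10, 11

function ConvertTo-UsageEvent {
    # Flattens a Get-WinEvent record to the three fields the pairing logic needs.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = ([xml]$Record.ToXml()).Event.EventData.Data
        $type = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        [pscustomobject]@{ Time = $Record.TimeCreated; Id = $Record.Id; LogonType = $type }
    }
}

function Get-ActiveInterval {
    # Pairs each logon/unlock with the next logoff/lock and emits the span between them.
    param([object[]] $UsageEvent)
    $start = $null
    foreach ($e in ($UsageEvent | Sort-Object Time)) {
        if ($e.Id -eq 4624 -and [int]$e.LogonType -notin $HumanLogonTypes) { continue }
        if ($e.Id -in $StartIds -and -not $start) { $start = $e.Time }
        elseif ($e.Id -in $StopIds -and $start) {
            [pscustomobject]@{
                Start = $start; End = $e.Time
                Hours = [math]::Round(($e.Time - $start).TotalHours, 2)
            }
            $start = $null
        }
    }
}

# Constructed sample: a network logon at 03:00 (ignored), then a day with a lunch lock.
$d = [datetime]'2024-03-04'
$sample = @(
    [pscustomobject]@{ Time = $d.AddHours(3);   Id = 4624; LogonType = 3 }
    [pscustomobject]@{ Time = $d.AddHours(8.5); Id = 4624; LogonType = 2 }
    [pscustomobject]@{ Time = $d.AddHours(12);  Id = 4800; LogonType = $null }
    [pscustomobject]@{ Time = $d.AddHours(13);  Id = 4801; LogonType = $null }
    [pscustomobject]@{ Time = $d.AddHours(17);  Id = 4647; LogonType = $null }
)
Get-ActiveInterval $sample | Format-Table

# Live use; 'PC-042' is a placeholder computer name:
# Get-ActiveInterval (Get-WinEvent -ComputerName 'PC-042' -FilterHashtable @{
#     LogName = 'Security'; Id = 4624, 4647, 4800, 4801
#     StartTime = (Get-Date).AddDays(-14) } | ConvertTo-UsageEvent)
```

Events 4800 and 4801 are only written when the "Audit Other Logon/Logoff Events" audit subcategory is enabled, so a log with no lock or unlock events may just mean that auditing is off.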
While you’re at it, look at the Application log. During the time someone is logged in, you should see tons of events in the application log. Windows and Windows applications log a lot. If the application log is pretty quiet during the times it seems someone is logged in, and you see low CPU usage, that’s a good indication they aren’t really using the computer.
And that’s how to check computer usage. It’s not that hard once you know where to look.