AnsweredAssumed Answered

Scans causing lastUseTime on Windows user profiles to change?

Question asked by putter101 on Jul 17, 2019
Latest reply on Jul 18, 2019 by Dwayne Fleming

Hello,

 

We noticed on our Windows 2012 and Windows 2016 server that the "lastUseTime" on user profiles are changing in batches that coincide with Qualys scan times and Qualys activity in event viewer. I'm not sure if it is the vulnerability or policy compliance scan causing it yet. We can see the lastUseTime info with this powershell command:

 

Get-ciminstance -ClassName Win32_UserProfile | Sort-Object LastUseTime | Select LocalPath,LastUseTime

 

This prevents a job that automatically cleans up old stagnant user profiles from being able to purge unused user profiles. Each entry in the below table is a different user that had their lastUseTime changed during the last scan.

 

Is there anything that can be done to prevent this besides excluding the culprit QID(s) (which I haven't narrowed down yet) from the scans.

 

LocalPath LastUseTime
--------- -----------
C:\Users\xxxxxx 07/15/2019 12:07:15 AM
C:\Users\xxxxxx 07/15/2019 12:07:15 AM
C:\Users\xxxxxx 07/15/2019 12:07:15 AM
C:\Users\xxxxxx 07/15/2019 12:07:15 AM
C:\Users\xxxxxx 07/15/2019 12:07:16 AM
C:\Users\xxxxxx 07/15/2019 12:07:16 AM
C:\Users\xxxxxx 07/15/2019 12:07:17 AM
C:\Users\xxxxxx 07/15/2019 12:07:18 AM
C:\Users\xxxxxx 07/15/2019 12:07:19 AM
C:\Users\xxxxxx 07/15/2019 12:07:19 AM
C:\Users\xxxxxx 07/15/2019 12:07:20 AM
C:\Users\xxxxxx 07/15/2019 12:07:20 AM
C:\Users\xxxxxx 07/15/2019 12:07:20 AM
C:\Users\xxxxxx 07/15/2019 12:07:20 AM
C:\Users\xxxxxx 07/15/2019 12:07:21 AM
C:\Users\xxxxxx 07/15/2019 12:07:21 AM
C:\Users\xxxxxx 07/15/2019 12:07:21 AM
C:\Users\xxxxxx 07/15/2019 12:07:22 AM
C:\Users\xxxxxx 07/15/2019 12:07:22 AM
C:\Users\xxxxxx 07/15/2019 12:07:22 AM
C:\Users\xxxxxx 07/15/2019 12:07:22 AM
C:\Users\xxxxxx 07/15/2019 12:07:23 AM
C:\Users\xxxxxx 07/15/2019 12:07:23 AM
C:\Users\xxxxxx 07/15/2019 12:07:23 AM
C:\Users\xxxxxx 07/15/2019 12:07:24 AM
C:\Users\xxxxxx 07/15/2019 12:07:24 AM
C:\Users\xxxxxx 07/15/2019 12:07:24 AM
C:\Users\xxxxxx 07/15/2019 12:07:24 AM
C:\Users\xxxxxx 07/15/2019 12:07:25 AM
C:\Users\xxxxxx 07/15/2019 12:07:25 AM
C:\Users\xxxxxx 07/15/2019 12:07:25 AM
C:\Users\xxxxxx 07/15/2019 12:07:26 AM
C:\Users\xxxxxx 07/15/2019 12:07:26 AM
C:\Users\xxxxxx 07/15/2019 12:07:26 AM
C:\Users\xxxxxx 07/15/2019 12:07:27 AM
C:\Users\xxxxxx 07/15/2019 12:07:27 AM
C:\Users\xxxxxx 07/15/2019 12:07:28 AM
C:\Users\xxxxxx 07/15/2019 12:07:29 AM
C:\Users\xxxxxx 07/15/2019 12:07:29 AM
C:\Users\xxxxxx 07/15/2019 12:07:29 AM
C:\Users\xxxxxx 07/15/2019 12:07:29 AM
C:\Users\xxxxxx 07/15/2019 12:07:30 AM
C:\Users\xxxxxx 07/15/2019 12:07:30 AM
C:\Users\xxxxxx 07/15/2019 5:40:41 PM
C:\Users\xxxxxx 07/16/2019 9:31:12 PM
C:\Users\xxxxxx 07/17/2019 12:04:07 AM
C:\Users\xxxxxx 07/17/2019 5:01:24 AM
C:\Users\xxxxxx 07/17/2019 6:04:07 AM
C:\Users\xxxxxx 07/17/2019 7:14:52 AM
C:\Users\xxxxxx 07/17/2019 8:16:58 AM

Outcomes