0

Detecting application launches - issue with MS Visio and Project 2019

This question is in relation to the following blog posting:  
https://uberagent.com/blog/listing-users-launching-applications-often/

In following the guidance of the article, we have been using the following search to identify the number of times that end-users are launching certain applications on their laptop: 

index=kpmg_uberagent_euc AppName="name_of_app" sourcetype="uberAgent:Process:ProcessStartup" ProcUser!=sys ProcUser!=lvc ProcUser!=nvc | stats count by user

We've noticed that certain Microsoft apps do not get returned by this approach.  In particular, the apps are:

  • Microsoft Visio Standard 2019
  • Microsoft Visio Professional 2019
  • Microsoft Project Standard 2019
  • Microsoft Project Professional 2019

For example, the following search result is successful in that it returns an accurate list of users who have been launching Microsoft Visio Standard 2013:

index=kpmg_uberagent_euc AppName="Microsoft Visio Standard 2013*" sourcetype="uberAgent:Process:ProcessStartup" ProcUser!=sys ProcUser!=lvc ProcUser!=nvc | stats count by user

Yet the following search for Microsoft Visio Standard 2019 returns no results:

index=kpmg_uberagent_euc AppName="Microsoft Visio Standard 2019*" sourcetype="uberAgent:Process:ProcessStartup" ProcUser!=sys ProcUser!=lvc ProcUser!=nvc | stats count by user

Note: the full name of the Visio Standard 2019 application is:  "Microsoft Visio Standard 2019 - en-us"

3 comments

  • Avatar
    Dominik Britz Official comment

    uberAgent determines the application names for all executables from properties of the MSI package the executable was installed from. Where that is not possible, uberAgent uses the information embedded in the executable.

    See: https://uberagent.com/docs/uberagent/latest/features-configuration/automatic-application-identification/

    I just checked that on my machine. Apparently uberAgent can't get the details from the MSI. Maybe because of the click-to-run Office installer method. It then falls back to the process details. On my machine, it then uses "Microsoft Office" as the application name. I'm afraid that I can't help you in the short-term. For the long-term, I added an entry to our backlog to enhance the application name identification algorithm as I assume more customers are interested in identifying Office versions.

  • 0
    Avatar
    Dominik Britz

    Hi Wayne,

    You can check what uberAgent detects for Visio and Project with the following search:

    | pivot `uA_DM_Process_ProcessStartup` Process_ProcessStartup
    values(AppName) as "App name(s)"
    splitrow
    ProcName
    filter host in (*)
    filter ProcName in ("VISIO.EXE","WINPROJ.EXE")
  • 0
    Avatar
    Wayne Deguara

    Thanks Dominik,   but unfortunately that does not allow you to identify whether it is the  Standard or Professional version of Visio/Project as both versions have the same executable name.  

Please sign in to leave a comment.