How is the Primary User information captured?
The process for determining the Primary User is multi-tiered. The most basic method uses the AeXUserMonitorLog.xml file, which is stored in the install directory of the Altiris Agent. For the information in AeXUserMonitorLog.xml to be sent via a Basic Inventory, the <BasicInvLog..../> line must be read. To find this line in the AeXUserMonitorLog file, look for:
<BasicInvLog userID="domain\User" duration="10000" utc_lastCalculated="2007-7-28 04:00:00"/>
There should be a BasicInvLog entry for each user that logs onto the machine.
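The following Python example is added here and is not part of the Altiris Agent or its tooling. It reads BasicInvLog entries in the format shown above and lists any expected user that has no usable entry. The root element name, the second and third sample entries, and the list of expected users are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample. Only the first BasicInvLog line comes from the article;
# the root element name and the other two entries are assumptions.
SAMPLE_LOG = r'''<UserMonitorLog>
  <BasicInvLog userID="domain\User" duration="10000" utc_lastCalculated="2007-7-28 04:00:00"/>
  <BasicInvLog userID="domain\Admin" duration="250" utc_lastCalculated="2007-7-28 04:00:00"/>
  <BasicInvLog userID="domain\Broken" duration="n/a" utc_lastCalculated="2007-7-28 04:00:00"/>
</UserMonitorLog>'''


def parse_basic_inv_log(xml_text):
    """Return (entries, problems) for every <BasicInvLog .../> element found."""
    root = ET.fromstring(xml_text)
    entries, problems = [], []
    # iter() searches the whole tree, so the real nesting depth does not matter.
    for elem in root.iter("BasicInvLog"):
        user = elem.get("userID")
        try:
            if not user:
                raise ValueError("missing userID")
            entries.append({
                "user": user,
                "duration": int(elem.get("duration", "")),
                # strptime accepts the non-zero-padded month seen in the log.
                "last_calculated": datetime.strptime(
                    elem.get("utc_lastCalculated", ""), "%Y-%m-%d %H:%M:%S"),
            })
        except ValueError as exc:
            problems.append((user, str(exc)))
    return entries, problems


def users_without_entry(entries, expected_users):
    """Expected users with no usable entry (Windows account names ignore case)."""
    seen = {e["user"].lower() for e in entries}
    return [u for u in expected_users if u.lower() not in seen]


if __name__ == "__main__":
    entries, problems = parse_basic_inv_log(SAMPLE_LOG)
    for e in entries:
        print(e["user"], e["duration"], e["last_calculated"].isoformat())
    for user, why in problems:
        print("unusable entry:", user, why)
    print("no entry for:", users_without_entry(entries, [r"DOMAIN\user", r"domain\Guest"]))
```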
Behind the scenes we also subscribe to authentication events using Windows APIs. For example, when the interactive user is logged out, Windows will send a WM_ENDSESSION event to the Altiris Agent, meaning that the current user is about to be logged off. We also determine the logged-on user via the Win32 API advApi32Dll.LookupAccountName. The Agent then fires its own internal event to handle this by updating the primary user, sending logoff events, etc. We also register for logon events so that Windows should notify the Agent when a logon happens. (Note: The process is slightly different for TS logins in XP / Windows 2K3.)
Finally, if the Windows API calls fail, we look in the registry. We try to extract the user information from the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Please review the following KB Articles to help understand the Primary User:
HOWTO7796 – “Understanding the Primary User in Notification Server 6.0 sp2 and sp3”
HOWTO1603 – Primary User Process Flow diagram
These articles are worth noting as well:
TECH23879 – “KNOWN ISSUE: An abnormal computer shutdown does not clear the AeXUserMonitorLog.xml”
TECH18706 - "Primary user data for machines with over a years worth of data shows incorrectly"