Windows System Time Change

Date: 2018/08/12

I wanted to know how I can recognize whether the system time was changed on a Windows system, or even just whether it is correct.

For this I looked into two things. I've done this on Windows 10 1803; it should be correct from Windows 7 to the most current Windows 10 version.

1. Is the Windows Time service active? Can I recognize this?

2. Was the system time changed at any time?


The Windows Time Service

One can check whether the Windows Time service was enabled on a system and which time source was used. For this, one just needs to take a look into the registry.

The key is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

You can find the settings for the service here.

Under Parameters you can find the NTP server used and the Type. I never saw another value than NTP for Type. I will look into the possible values another time.

Directly under W32Time the start type (value "Start") is stored. On my PC it is 0x03. This means the service is NOT started automatically. But I know that my PC is time synced.

A short search gave me the answer: on private computers that are not part of an Active Directory, the service is not started automatically. But there is a scheduled task that starts the service to synchronize the system clock. It is named SynchronizeTime. (Source: https://support.microsoft.com/en-us/help/2385818/windows-time-service-doesn-t-start-automatically-on-a-workgroup-comput)

You can find the task in the registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks. You need to search for the task name to find the corresponding task there, because the tasks are stored by ID (e.g. {0BCF67FD-8BF9-4B8F-8E26-96E31D366980}).


Okay, so one can find out whether the service is generally running or not. Now the next step: was the time changed or not?


Recognize time change

Windows logs changes of the system time in the event logs. For a time change, event ID 4616 is used.

You should find such events on the system, because the Windows Time service is also logged when it changes the time.

As you can see in the picture, the previous time and the new time are logged, as well as the account used. In the picture the Time Synchronization Service has changed the time. From the information above I know that the service uses NTP, so the time should be correct with respect to real-world time.

But if you find something like in the next picture, you know that the time was changed by the user.
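To tie both checks together, here is a small PowerShell script I added for this post (not from the original write-up or from Microsoft). It reads the W32Time settings described above and lists the 4616 events from the Security log, marking changes that were not made by the time service. It assumes the field order of the 4616 event's EventData (subject SID, name, domain, logon ID, previous time, new time, process ID, process name) and that the time service shows up as the account LOCAL SERVICE; the 60-second threshold is my own heuristic.

```powershell
# Added example (not part of the original post). Run in an elevated
# PowerShell: reading the Security log requires administrator rights.

$svc    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params = Get-ItemProperty -Path "$svc\Parameters"
$start  = (Get-ItemProperty -Path $svc).Start

# Start: 2 = Automatic, 3 = Manual (workgroup default, the SynchronizeTime
# task starts the service on demand), 4 = Disabled.
$startText = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }[[int]$start]
"W32Time Start=$start ($startText)  Type=$($params.Type)  NtpServer=$($params.NtpServer)"

# Event 4616 EventData order (assumed): SubjectUserSid, SubjectUserName,
# SubjectDomainName, SubjectLogonId, PreviousTime, NewTime, ProcessId, ProcessName.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616 } -ErrorAction Stop

$changes = foreach ($e in $events) {
    $p    = $e.Properties
    $prev = [datetime]$p[4].Value
    $new  = [datetime]$p[5].Value
    $shift = ($new - $prev).TotalSeconds

    [pscustomobject]@{
        Logged     = $e.TimeCreated
        Account    = "$($p[2].Value)\$($p[1].Value)"
        Process    = $p[7].Value
        ShiftSec   = [math]::Round($shift, 1)
        # Heuristic: the time service (LOCAL SERVICE) usually corrects the clock
        # by seconds; a larger shift by any other account deserves a closer look.
        Suspicious = ($p[1].Value -ne 'LOCAL SERVICE') -and ([math]::Abs($shift) -gt 60)
    }
}

$changes | Sort-Object Logged | Format-Table -AutoSize
```

If the Security log holds no 4616 events at all, the clock was either never adjusted within the retained log window or the log has been cleared, which is itself worth noting in an investigation.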


Conclusion

It is possible to find out whether the system time was changed if the person did not delete all traces of it in the event logs. So IMHO it is worth a try to look into the event logs for event 4616 to see whether the system time was correct and synchronized with the world clock, or whether the system was never synchronized, in which case it is more difficult to know what the real time was. It is also possible to see whether the user changed the time.

BUT: The event logs are only stored for three months on the Windows system by default (at least on my system). So one cannot look too far into the past.
