ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer showing system time change events on a monitoring dashboard
Event ID 11708InformationMicrosoft-Windows-Kernel-GeneralWindows

Windows Event ID 11708 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11708 indicates the system time was changed, either manually by a user or automatically by time synchronization services. Critical for security auditing and troubleshooting time-related issues.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 3
Event ID 11708Microsoft-Windows-Kernel-General 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 11708 serves as a comprehensive audit trail for system time modifications across Windows environments. The kernel-level event captures precise timestamps and process information whenever the system clock is adjusted, making it essential for maintaining temporal integrity in enterprise networks.

The event structure includes several key data points: the previous system time, the new system time, the process ID responsible for the change, and the user context under which the modification occurred. This granular information enables administrators to distinguish between legitimate automatic synchronization events and potentially malicious manual time changes.

In Active Directory environments, this event becomes particularly significant as time synchronization is fundamental to Kerberos authentication protocols. Domain controllers typically maintain authoritative time sources, and member servers synchronize their clocks accordingly. Event 11708 helps validate this synchronization process and identify systems experiencing time drift beyond acceptable thresholds.

Security teams leverage this event for forensic analysis and compliance reporting, as unauthorized time changes can indicate attempts to manipulate audit logs or evade time-based security controls. The event's detailed logging capabilities support comprehensive timeline reconstruction during incident response activities.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual time adjustment through Windows Date & Time settings
  • Automatic synchronization by Windows Time service (W32Time)
  • Time zone changes or daylight saving time transitions
  • Hardware clock drift correction by the operating system
  • Third-party time synchronization software modifications
  • System recovery operations restoring previous time settings
  • Virtual machine time synchronization with hypervisor host
  • Network Time Protocol (NTP) client synchronization events
  • Group Policy-enforced time configuration changes
  • PowerShell or command-line time modification commands
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 11708 to understand the nature of the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSystem
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 11708 in the Event IDs field and click OK
  5. Double-click on recent Event ID 11708 entries to view detailed information
  6. Examine the General tab for old time, new time, and process information
  7. Check the Details tab for additional XML data including user SID and process details

Use PowerShell for more efficient filtering:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=11708} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
02

Analyze Time Synchronization Configuration

Verify the Windows Time service configuration to determine if time changes are expected synchronization events.

  1. Open an elevated Command Prompt or PowerShell session
  2. Check the current time service configuration:
w32tm /query /configuration
  1. Verify the time source and synchronization status:
w32tm /query /source
w32tm /query /status
  1. Review time service event logs for additional context:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'} -MaxEvents 10
  1. For domain-joined computers, verify domain controller time synchronization:
w32tm /monitor /domain
Pro tip: Compare Event 11708 timestamps with Time-Service events to correlate automatic synchronization activities.
03

Investigate Process and User Context

Determine which process and user account initiated the time change to identify potential security concerns.

  1. Extract detailed event information using PowerShell:
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=11708} -MaxEvents 5
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $EventData = $XML.Event.EventData.Data
    Write-Host "Time: $($Event.TimeCreated)"
    Write-Host "Process ID: $($EventData | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text')"
    Write-Host "User SID: $($EventData | Where-Object {$_.Name -eq 'UserSid'} | Select-Object -ExpandProperty '#text')"
    Write-Host "Old Time: $($EventData | Where-Object {$_.Name -eq 'OldTime'} | Select-Object -ExpandProperty '#text')"
    Write-Host "New Time: $($EventData | Where-Object {$_.Name -eq 'NewTime'} | Select-Object -ExpandProperty '#text')"
    Write-Host "---"
}
  1. Cross-reference the Process ID with running processes at the time:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -like "*ProcessId*"} | Select-Object TimeCreated, Message
  1. Resolve the User SID to identify the account:
$SID = "S-1-5-21-..." # Replace with actual SID from event
(New-Object System.Security.Principal.SecurityIdentifier($SID)).Translate([System.Security.Principal.NTAccount])
04

Configure Time Change Auditing and Monitoring

Implement comprehensive monitoring to track future time changes and establish baseline behavior.

  1. Enable advanced audit policies for time changes:
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
  1. Create a scheduled task to monitor Event ID 11708:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command Get-WinEvent -FilterHashtable @{LogName='System'; Id=11708} -MaxEvents 1 | Out-File C:\Logs\TimeChanges.log -Append"
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "MonitorTimeChanges" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  1. Set up Event Viewer custom views for time-related events:
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(EventID=11708 or EventID=1074 or EventID=6005 or EventID=6006)]]</Select>
  </Query>
</QueryList>
  1. Configure Group Policy to restrict time change permissions if needed:

Navigate to Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentChange the system time

Warning: Restricting time change permissions can interfere with automatic synchronization services.
05

Advanced Forensic Analysis and Correlation

Perform comprehensive analysis to correlate time changes with other system events for security investigations.

  1. Create a PowerShell script for comprehensive time change analysis:
$StartTime = (Get-Date).AddDays(-7)
$TimeChangeEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=11708; StartTime=$StartTime}
$SecurityEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4624,4625,4648,4672); StartTime=$StartTime}

foreach ($TimeEvent in $TimeChangeEvents) {
    $TimeWindow = $TimeEvent.TimeCreated
    $CorrelatedEvents = $SecurityEvents | Where-Object {
        $_.TimeCreated -ge $TimeWindow.AddMinutes(-5) -and 
        $_.TimeCreated -le $TimeWindow.AddMinutes(5)
    }
    
    Write-Host "Time Change Event: $($TimeEvent.TimeCreated)"
    Write-Host "Correlated Security Events:"
    $CorrelatedEvents | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
    Write-Host "---"
}
  1. Export comprehensive event data for external analysis:
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=11708; StartTime=(Get-Date).AddDays(-30)}
$Events | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='ProcessId';Expression={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text'}}, @{Name='UserSid';Expression={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'UserSid'} | Select-Object -ExpandProperty '#text'}} | Export-Csv -Path "C:\Temp\TimeChangeAnalysis.csv" -NoTypeInformation
  1. Check for registry modifications related to time settings:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} | Where-Object {$_.Message -like "*CurrentControlSet\Control\TimeZoneInformation*" -or $_.Message -like "*W32Time*"}
  1. Analyze system performance counters for time-related metrics:
Get-Counter "\System\System Up Time" -MaxSamples 1
Get-Counter "\W32Time Service\Clock Frequency Adjustment (ppb)" -MaxSamples 5 -SampleInterval 2

Overview

Event ID 11708 from the Microsoft-Windows-Kernel-General source fires whenever the system time is modified on a Windows machine. This event captures both manual time changes performed by users through the Date & Time settings and automatic adjustments made by the Windows Time service (W32Time) during synchronization with domain controllers or external time servers.

The event appears in the System log and provides detailed information about the time change, including the old time value, new time value, and the process responsible for the modification. This makes it invaluable for security auditing, compliance monitoring, and troubleshooting time synchronization issues in enterprise environments.

System administrators frequently encounter this event in domain environments where time synchronization is critical for Kerberos authentication, certificate validation, and distributed application functionality. The event helps track unauthorized time modifications and diagnose time drift problems that can cause authentication failures and application errors.

Frequently Asked Questions

What does Windows Event ID 11708 indicate and why is it important?+
Event ID 11708 indicates that the system time was changed on a Windows machine. It's generated by the Microsoft-Windows-Kernel-General source whenever the system clock is modified, either manually by users or automatically by time synchronization services. This event is crucial for security auditing because unauthorized time changes can indicate malicious activity, attempts to manipulate audit logs, or efforts to bypass time-based security controls. In enterprise environments, it helps administrators track time synchronization issues that can cause Kerberos authentication failures and application problems.
How can I distinguish between legitimate automatic time synchronization and manual time changes in Event ID 11708?+
You can distinguish between automatic and manual time changes by examining the process information and user context within the event details. Automatic synchronization typically shows the Windows Time service (w32tm.exe) or System process as the initiator, with the SYSTEM account context. Manual changes usually display explorer.exe, timedate.cpl, or PowerShell processes with a specific user account. Additionally, automatic changes often occur at regular intervals and correlate with Time-Service provider events in the System log, while manual changes appear as isolated incidents with larger time adjustments.
Can Event ID 11708 help identify security threats or unauthorized access?+
Yes, Event ID 11708 can be a valuable indicator of security threats. Attackers sometimes modify system time to evade time-based security controls, manipulate audit log timestamps, or interfere with certificate validation. Suspicious patterns include: time changes during off-hours, modifications by non-administrative accounts, frequent manual adjustments, or time changes that coincide with other suspicious activities. Security teams should correlate Event 11708 with authentication events (4624, 4625), privilege escalation events (4672), and process creation events (4688) to identify potential security incidents.
What should I do if I see frequent Event ID 11708 entries in my environment?+
Frequent Event ID 11708 entries usually indicate time synchronization problems that need investigation. First, verify your Windows Time service configuration using 'w32tm /query /status' and check if your time sources are accessible. For domain environments, ensure domain controllers are properly synchronized and member servers can reach them. Review network connectivity to NTP servers and check for firewall restrictions on UDP port 123. If the frequency is excessive, consider adjusting the time synchronization polling intervals or investigating hardware clock drift issues. Document the baseline frequency to distinguish normal operations from anomalous behavior.
How do I configure monitoring and alerting for Event ID 11708 in my environment?+
Configure monitoring for Event ID 11708 by creating custom Event Viewer filters, PowerShell scheduled tasks, or integrating with SIEM solutions. Use Windows Task Scheduler to create tasks triggered by Event 11708 that execute notification scripts. For enterprise environments, configure Windows Event Forwarding (WEF) to centralize these events on collector servers. Set up alerts for unusual patterns like multiple time changes within short periods, changes outside business hours, or modifications by non-service accounts. Consider using tools like System Center Operations Manager (SCOM) or third-party solutions for advanced correlation and automated response capabilities.
Documentation

References (2)

1
Microsoft Learn - Windows Time Service Technical ReferenceComprehensive documentation on Windows Time service configuration, troubleshooting, and best practices for enterprise environments.https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tech-ref
2
Microsoft Docs - Event Logging in WindowsTechnical reference for Windows event logging architecture, including kernel-level events and system event sources.https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-11708#windows-events#time-synchronization

Related Windows Events

Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 5889
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 5889 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5889 indicates the system time was changed, either manually by a user or automatically by time synchronization services. This event helps track time modifications for security and audit purposes.

March 1812 min
Windows Event Viewer showing system time change events on a monitoring dashboard
Event 5121
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 5121 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5121 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

March 1812 min
System administrator analyzing Windows kernel errors and event logs on multiple monitoring displays
Event 5058
Microsoft-Windows-Kernel-General
Windows EventError

Windows Event ID 5058 – Microsoft-Windows-Kernel-General: Key File Operation Failure

Event ID 5058 indicates a critical kernel-level file operation failure, typically involving system files, registry hives, or security databases that Windows cannot access or modify properly.

March 1812 min
Windows Event Viewer displaying system time synchronization events on a server monitoring dashboard
Event 5056
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 5056 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5056 fires when Windows detects a system time change, typically during boot or when time synchronization occurs. Critical for audit trails and troubleshooting time-related issues.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...