Event ID 4616 | Level: Information | Source: Microsoft-Windows-Security-Auditing | Platform: Windows

Windows Event ID 4616 – Security: System Time Changed

Event ID 4616 logs when the system time is changed on a Windows machine. This security audit event tracks time modifications for compliance and forensic purposes.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read

What This Event Means

Event ID 4616 is a security audit event that provides comprehensive logging of system time modifications. When generated, it records the exact timestamp of when the change occurred, the previous system time, the new system time, and identifies both the process and user account responsible for the modification.

The event structure includes several key fields: the Security ID of the user who made the change, the logon ID associated with the session, the process ID and name of the application that requested the time change, and the precise before-and-after timestamps. This granular detail makes it invaluable for security investigations and compliance reporting.

In enterprise environments, this event helps administrators track unauthorized time changes that could indicate compromise attempts. Attackers sometimes modify system time to evade log correlation, bypass time-based security controls, or interfere with certificate validation. The event also captures legitimate changes from NTP synchronization, manual adjustments, and timezone modifications.

The frequency of this event varies significantly based on system configuration. Servers with strict time synchronization may generate multiple entries daily, while isolated workstations might only log occasional manual adjustments. Understanding normal patterns for your environment is crucial for effective monitoring.

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Manual time change through Date and Time settings in Control Panel or Settings app
  • Windows Time Service (W32Time) synchronizing with NTP servers
  • Applications using SetSystemTime() API to modify system clock
  • Timezone changes or daylight saving time transitions
  • Group Policy enforced time synchronization
  • Malware attempting to manipulate system time for evasion
  • Virtual machine time synchronization with hypervisor
  • Hardware clock drift correction by the operating system
  • PowerShell Set-Date cmdlet execution
  • Third-party time synchronization software
Resolution Methods

Method 1: Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4616 entry to understand what triggered the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4616 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4616 in the Event IDs field and click OK
  5. Double-click on a 4616 event to view detailed information
  6. Review the General tab for timestamp and basic details
  7. Check the Details tab for structured data including:
    • SubjectUserSid: Security identifier of the user who changed time
    • SubjectUserName: Username of the account
    • ProcessName: Application that made the change
    • PreviousTime: System time before the change
    • NewTime: System time after the change
Pro tip: Look for patterns in the ProcessName field. Legitimate changes often show explorer.exe, w32time.exe, or specific administrative tools.
Method 2: Query Events with PowerShell

Use PowerShell to efficiently query and analyze Event ID 4616 entries across multiple systems or time ranges.

  1. Open PowerShell as Administrator
  2. Query recent time change events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Extract detailed information from specific events:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616} -MaxEvents 10
    foreach ($Event in $Events) {
        $XML = [xml]$Event.ToXml()
        $EventData = $XML.Event.EventData.Data
        Write-Host "Time: $($Event.TimeCreated)"
        Write-Host "User: $($EventData | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text')"
        Write-Host "Process: $($EventData | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text')"
        Write-Host "Previous Time: $($EventData | Where-Object {$_.Name -eq 'PreviousTime'} | Select-Object -ExpandProperty '#text')"
        Write-Host "New Time: $($EventData | Where-Object {$_.Name -eq 'NewTime'} | Select-Object -ExpandProperty '#text')"
        Write-Host "---"
    }
  4. Search for suspicious time changes (first pass: entries not attributed to w32time; compare PreviousTime and NewTime in each result to spot large jumps):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616; StartTime=(Get-Date).AddDays(-7)} | Where-Object {$_.Message -notmatch 'w32time'}
Warning: Large result sets can impact system performance. Use -MaxEvents parameter to limit output.
Method 3: Analyze Windows Time Service Configuration

Investigate the Windows Time Service configuration to determine if time changes are legitimate synchronization events.

  1. Check current time service status:
    w32tm /query /status
  2. Review time service configuration:
    w32tm /query /configuration
  3. Examine time synchronization sources:
    w32tm /query /peers
  4. Check registry settings for time service:
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
  5. Review Group Policy settings affecting time synchronization:
    • Navigate to HKLM\SOFTWARE\Policies\Microsoft\W32Time
    • Check for configured NTP servers and synchronization intervals
  6. Verify domain time synchronization (for domain-joined machines):
    w32tm /monitor /domain
  7. Test manual time synchronization:
    w32tm /resync /force
Pro tip: In domain environments, time changes made by w32time.exe under the SYSTEM account are typically legitimate NTP synchronization.
Method 4: Implement Advanced Monitoring and Alerting

Set up comprehensive monitoring to detect unauthorized time changes and establish baseline behavior patterns.

  1. Create a custom Event Viewer view for time change monitoring:
    • In Event Viewer, right-click Custom Views and select Create Custom View
    • Set Event Level to Information
    • Enter Event ID 4616
    • Name the view "System Time Changes"
  2. Configure Windows Event Forwarding for centralized logging:
    # On collector server
    wecutil qc
    wecutil cs subscription.xml
  3. Create a PowerShell monitoring script:
    # TimeChangeMonitor.ps1
    $LastCheck = (Get-Date).AddHours(-1)
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no events match, which is the normal case most hours
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616; StartTime=$LastCheck} -ErrorAction SilentlyContinue
    
    foreach ($Event in $Events) {
        $XML = [xml]$Event.ToXml()
        $EventData = $XML.Event.EventData.Data
        $User = $EventData | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        $Process = $EventData | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
        
        # Alert on non-system time changes
        if ($User -ne "SYSTEM" -and $Process -notmatch "w32time") {
            Write-Warning "Suspicious time change detected by user: $User via process: $Process"
            # Add alerting logic here (email, SIEM, etc.)
        }
    }
  4. Schedule the monitoring script:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\TimeChangeMonitor.ps1"
    $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
    Register-ScheduledTask -TaskName "TimeChangeMonitor" -Action $Action -Trigger $Trigger
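The same triage the TimeChangeMonitor.ps1 script performs, plus the "large jumps" check that the PowerShell method only describes, written here as an added Python example (not the page's or the author's code) over 4616 records in the XML shape $Event.ToXml() returns. The thresholds, the svchost.exe allowlist entry and the two sample records are assumptions to be baselined against your own environment.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows Event XML namespace
# Assumed starting thresholds, to be baselined per environment. The process pattern extends the
# page's "w32time" check with svchost.exe, the host process of the W32Time service.
MAX_LEGIT_JUMP = timedelta(minutes=5)
TRUSTED_PROCESS = re.compile(r"w32time|svchost\.exe$", re.IGNORECASE)
SERVICE_ACCOUNTS = {"SYSTEM"}

def parse_win_time(value: str) -> datetime:
    """Parse the UTC '2026-03-18T09:00:02.4210000Z' form of PreviousTime/NewTime (7-digit fraction)."""
    main, _, frac = value.rstrip("Z").partition(".")
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(microsecond=int(frac[:6].ljust(6, "0")))

def event_data(xml_text: str) -> dict:
    """Flatten <EventData><Data Name=...> into a dict (what the page's Where-Object lines do)."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}

def triage_4616(xml_text: str) -> dict:
    """Classify one 4616 record as 'expected' or 'review' and list the reasons that fired."""
    d = event_data(xml_text)
    delta = parse_win_time(d["NewTime"]) - parse_win_time(d["PreviousTime"])
    reasons = []
    if d["SubjectUserName"].upper() not in SERVICE_ACCOUNTS:
        reasons.append("non-service account")
    if not TRUSTED_PROCESS.search(d["ProcessName"]):
        reasons.append("untrusted process")
    if abs(delta) > MAX_LEGIT_JUMP:  # abs() also catches backward jumps, the classic evasion sign
        reasons.append(f"jump of {delta.total_seconds():+.1f}s")
    return {"user": d["SubjectUserName"], "process": d["ProcessName"], "reasons": reasons,
            "delta_seconds": delta.total_seconds(), "verdict": "review" if reasons else "expected"}

def make_event(user: str, process: str, previous: str, new: str) -> str:
    """Build a constructed 4616 record in the shape $Event.ToXml() returns (sample, not a real log)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4616</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data><Data Name="PreviousTime">{previous}</Data>'
            f'<Data Name="NewTime">{new}</Data><Data Name="ProcessName">{process}</Data>'
            '</EventData></Event>')

SAMPLES = [  # constructed: a routine sub-second NTP correction, then a two-day rollback via Set-Date
    make_event("SYSTEM", r"C:\Windows\System32\svchost.exe",
               "2026-03-18T09:00:02.4210000Z", "2026-03-18T09:00:03.0000000Z"),
    make_event("jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "2026-03-18T09:14:00.0000000Z", "2026-03-16T09:14:00.0000000Z"),
]
```

Feed it the XML produced by `$Event.ToXml()` (or an evtx export) and route any record with verdict "review" to your alerting channel; the reasons list tells the analyst which rule fired.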
Method 5: Forensic Analysis and Correlation

Perform detailed forensic analysis to correlate time changes with other system events and identify potential security incidents.

  1. Export Event ID 4616 logs for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616; StartTime=(Get-Date).AddDays(-30)} | Export-Csv -Path "C:\Temp\TimeChanges.csv" -NoTypeInformation
  2. Correlate with other security events around the same timeframe:
    # Look for logon events near time changes
    $TimeChanges = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616} -MaxEvents 10
    foreach ($Change in $TimeChanges) {
        $TimeWindow = $Change.TimeCreated
        $StartTime = $TimeWindow.AddMinutes(-5)
        $EndTime = $TimeWindow.AddMinutes(5)
        
        Write-Host "Analyzing events around: $TimeWindow"
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$StartTime; EndTime=$EndTime} | Format-Table TimeCreated, Id, Message
    }
  3. Check for process creation events:
    # Correlate with process creation (Event ID 4688)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-2)} | Where-Object {$_.Message -match "timedate.cpl|w32tm.exe|powershell"}
  4. Analyze registry modifications related to time settings:
    # Check for registry changes to time-related keys
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} | Where-Object {$_.Message -match "W32Time|TimeZone"}
  5. Generate a comprehensive timeline report:
    # Create timeline of all relevant events
    $AllEvents = @()
    $AllEvents += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616; StartTime=(Get-Date).AddDays(-1)}
    $AllEvents += Get-WinEvent -FilterHashtable @{LogName='System'; Id=1,12,13; StartTime=(Get-Date).AddDays(-1)}
    $AllEvents | Sort-Object TimeCreated | Export-Csv -Path "C:\Temp\TimelineAnalysis.csv"
Warning: Time changes can affect log correlation. Always consider the impact on timestamp accuracy when analyzing events before and after time modifications.

Overview

Event ID 4616 fires whenever the system time is modified on a Windows machine. This security audit event is generated by the Windows Security subsystem and appears in the Security event log. The event captures critical details including the previous time, new time, process responsible for the change, and the user account that initiated the modification.

This event is particularly valuable for security monitoring, compliance auditing, and forensic investigations. Time changes can indicate legitimate administrative actions, malware attempting to evade detection, or unauthorized system modifications. In domain environments, unexpected time changes can disrupt Kerberos authentication and cause service failures.

The event fires for both manual time changes through the Date and Time control panel and programmatic changes via APIs like SetSystemTime(). It also triggers when Windows Time Service (W32Time) synchronizes with external time sources, though these entries typically show the system account as the initiator.

Frequently Asked Questions

What does Event ID 4616 mean and when should I be concerned?
Event ID 4616 indicates that the system time was changed on your Windows machine. You should be concerned when the changes are made by non-administrative users, occur frequently without explanation, or happen outside of normal maintenance windows. Legitimate causes include NTP synchronization (showing w32time.exe as the process) or scheduled administrative tasks. Suspicious indicators include changes made by regular user accounts, modifications that create large time jumps, or changes that coincide with other security events like failed logons or malware detection.
How can I distinguish between legitimate and malicious time changes in Event ID 4616?
Legitimate time changes typically show specific patterns: the process name is usually w32time.exe, explorer.exe, or timedate.cpl; the user account is often SYSTEM or a known administrator; and the time adjustments are small (seconds or minutes for NTP sync). Malicious changes often involve regular user accounts making large time jumps, unknown processes modifying time, or changes that occur alongside other suspicious activities. Check the ProcessName and SubjectUserName fields in the event details, and correlate with your organization's maintenance schedules and NTP configuration.
Why do I see multiple Event ID 4616 entries from w32time.exe daily?
Multiple daily Event ID 4616 entries from w32time.exe are normal and indicate that Windows Time Service is functioning correctly. The frequency depends on your time synchronization configuration - domain-joined machines typically sync every 8 hours by default, while standalone machines may sync less frequently. These entries show the SYSTEM account as the user and w32time.exe as the process. The time adjustments are usually small (milliseconds to seconds) as the service maintains accurate time. You can verify this is normal behavior by checking your time service configuration with 'w32tm /query /configuration' and reviewing your Group Policy settings.
Can Event ID 4616 help me detect malware that manipulates system time?
Yes, Event ID 4616 is valuable for detecting malware that manipulates system time for evasion purposes. Malware might change system time to bypass time-based security controls, interfere with certificate validation, or disrupt log correlation. Look for suspicious patterns such as: large backward time jumps, changes made by unexpected processes or user accounts, time modifications that coincide with malware alerts or network anomalies, and frequent time changes outside normal synchronization patterns. Implement monitoring scripts to alert on non-system time changes and correlate these events with other security logs for comprehensive threat detection.
How do I configure proper auditing for Event ID 4616 in my environment?
To configure proper auditing for Event ID 4616, ensure that 'Audit System Events' is enabled in your audit policy. Use Group Policy to configure this: navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies → System, and enable 'Audit Security System Extension' for both Success and Failure. For centralized monitoring, implement Windows Event Forwarding to collect these events from multiple systems. Consider setting up custom Event Viewer views and PowerShell monitoring scripts to automatically detect suspicious time changes. In high-security environments, forward these events to your SIEM solution for correlation with other security indicators.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
