
Windows Event ID 4892 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 4892 fires when Windows detects a system time change, typically during time synchronization, manual adjustments, or hardware clock drift corrections.

Emanuel DE ALMEIDA
18 March 2026 · 12 min read

What This Event Means

Event ID 4892 represents Windows' internal mechanism for logging system time modifications at the kernel level. When the system time changes by more than a minimal threshold, the kernel generates this event to maintain an audit trail of temporal modifications. The event includes precise timestamps showing both the previous and new time values, along with the process or service responsible for the change.

The Microsoft-Windows-Kernel-General provider handles low-level system events related to kernel operations, making this event particularly reliable for forensic analysis. Unlike user-mode time change notifications, this kernel-level event cannot be easily suppressed or manipulated by standard applications, providing a trustworthy record of time modifications.

In enterprise environments, this event becomes crucial for compliance auditing, especially in industries requiring precise time tracking for financial transactions, medical records, or legal documentation. Security teams monitor these events to detect potential timestamp manipulation attempts, while system administrators use them to troubleshoot time synchronization issues that could impact Active Directory authentication, distributed applications, and log correlation across multiple systems.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025


Possible Causes

  • Windows Time Service (W32Time) synchronizing with domain controllers or external NTP servers
  • Manual time adjustment through Windows Settings, Control Panel, or command-line tools
  • Hardware clock drift correction during system startup or resume from sleep/hibernation
  • Third-party time synchronization software making system time adjustments
  • Virtualization platform time synchronization between host and guest systems
  • CMOS battery failure causing significant time drift requiring correction
  • Network time protocol (NTP) client receiving time updates from configured servers
  • System recovery operations restoring time from backup or checkpoint data

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4892 to understand the time change context.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. Filter for Event ID 4892 by right-clicking the System log and selecting Filter Current Log
  4. Enter 4892 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4892 entries to view detailed information
  6. Note the Old Time and New Time values in the event description
  7. Check the Process ID and Thread ID to identify the source of the time change

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=4892} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

02. Analyze Windows Time Service Configuration

Investigate the Windows Time Service settings to determine if time synchronization is properly configured.

  1. Open Command Prompt as Administrator
  2. Check current time service status:
w32tm /query /status
  3. Review time source configuration:
w32tm /query /source
  4. Display detailed time service configuration:
w32tm /query /configuration
  5. Check for recent time synchronization events (PowerShell):
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'} -MaxEvents 10
  6. Verify NTP server connectivity if external synchronization is configured:
w32tm /stripchart /computer:time.windows.com /samples:5

Pro tip: Use w32tm /resync /force to manually trigger time synchronization and observe whether Event ID 4892 appears immediately afterward.

03. Monitor Process-Level Time Change Activity

Identify which processes or services are initiating time changes by correlating Event ID 4892 with process activity.

  1. Enable process tracking in Local Security Policy:
     • Open Local Security Policy (secpol.msc)
     • Navigate to Advanced Audit Policy Configuration > Object Access
     • Enable Audit Process Creation for Success events
  2. Use PowerShell to correlate time change events with process creation:
# Get recent time change events with process details
$TimeChangeEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=4892} -MaxEvents 5

foreach ($Event in $TimeChangeEvents) {
    $EventTime = $Event.TimeCreated
    Write-Host "Time Change Event: $EventTime" -ForegroundColor Yellow
    
    # Look for process events around the same time (±2 minutes)
    $StartTime = $EventTime.AddMinutes(-2)
    $EndTime = $EventTime.AddMinutes(2)
    
    $ProcessEvents = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4688
        StartTime=$StartTime
        EndTime=$EndTime
    } -ErrorAction SilentlyContinue
    
    $ProcessEvents | Select-Object TimeCreated, @{Name='ProcessName';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*New Process Name:*'}) -replace '.*New Process Name:\s*',''}}
}
  3. Check for scheduled tasks that might be changing system time:
Get-ScheduledTask | Where-Object {$_.Actions.Execute -like '*time*' -or $_.Actions.Arguments -like '*time*'} | Select-Object TaskName, State, Actions

04. Investigate Hardware and Virtualization Time Issues

Examine hardware-related time synchronization issues, particularly in virtualized environments.

  1. Check CMOS battery status and hardware clock accuracy:
# Show the current system time next to the BIOS release date reported by firmware.
# Win32_BIOS.ReleaseDate is the firmware build date, not a live reading of the RTC.
$Bios = Get-CimInstance -ClassName Win32_BIOS
$SystemTime = Get-Date
Write-Host "System Time: $SystemTime"
Write-Host "BIOS Release Date: $($Bios.ReleaseDate)"
  2. For virtual machines, check time synchronization settings:
# Detect whether this is a VM and list the guest time-sync services.
# Hyper-V guests report Manufacturer "Microsoft Corporation" and Model "Virtual Machine".
$VM = Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Manufacturer, Model
if ($VM.Manufacturer -like '*VMware*' -or $VM.Model -like '*Virtual*') {
    Write-Host "Virtual Machine Detected: $($VM.Manufacturer) $($VM.Model)" -ForegroundColor Green
    # VMware Tools (VMTools) or the Hyper-V Time Synchronization service (vmictimesync)
    Get-Service | Where-Object {$_.Name -like '*vmtools*' -or $_.Name -like '*vmictime*'}
}
  3. Review system event logs for hardware-related time issues:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-Power'} -MaxEvents 10 | Where-Object {$_.Message -like '*time*'}
  4. Check registry settings for time synchronization behavior:
# Review time service registry settings
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" | Select-Object Type, NtpServer
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config" | Select-Object MaxPosPhaseCorrection, MaxNegPhaseCorrection

Warning: In virtualized environments, disable host time synchronization if you use domain-based time synchronization, to prevent conflicts between two time sources.

05. Implement Advanced Time Change Monitoring and Alerting

Set up comprehensive monitoring for time changes to detect patterns and potential security issues.

  1. Create a PowerShell script for continuous time change monitoring:
# TimeChangeMonitor.ps1
param(
    [int]$MonitorDurationMinutes = 60,
    [string]$LogPath = "C:\Logs\TimeChangeMonitor.log"
)

# Make sure the log directory exists before the first Add-Content
$LogDir = Split-Path -Parent $LogPath
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir -Force | Out-Null }

$StartTime = Get-Date
$EndTime = $StartTime.AddMinutes($MonitorDurationMinutes)

# Remember which event records were already reported: the one-minute query
# window overlaps between polls, so the same event would otherwise be logged repeatedly
$Seen = [System.Collections.Generic.HashSet[long]]::new()

Write-Host "Monitoring time changes until $EndTime" -ForegroundColor Green

while ((Get-Date) -lt $EndTime) {
    $Events = Get-WinEvent -FilterHashtable @{
        LogName='System'
        Id=4892
        StartTime=(Get-Date).AddMinutes(-1)
    } -ErrorAction SilentlyContinue

    foreach ($Event in $Events) {
        if (-not $Seen.Add($Event.RecordId)) { continue }

        $LogEntry = "$(Get-Date): Time change detected - $($Event.Message)"
        Write-Host $LogEntry -ForegroundColor Yellow
        Add-Content -Path $LogPath -Value $LogEntry

        # Send alert if time change is significant (>30 seconds).
        # (?s) lets the match span line breaks, since Old Time and New Time
        # are usually on separate lines of the event message.
        if ($Event.Message -match '(?s)Old Time:\s*(.+?)\s*New Time:\s*([^\r\n]+)') {
            $OldTime = [DateTime]::MinValue
            $NewTime = [DateTime]::MinValue
            if ([DateTime]::TryParse($Matches[1], [ref]$OldTime) -and
                [DateTime]::TryParse($Matches[2], [ref]$NewTime)) {
                $TimeDiff = [Math]::Abs(($NewTime - $OldTime).TotalSeconds)

                if ($TimeDiff -gt 30) {
                    Write-Host "ALERT: Significant time change detected ($TimeDiff seconds)" -ForegroundColor Red
                    # Add your alerting mechanism here (email, SIEM, etc.)
                }
            }
        }
    }

    Start-Sleep -Seconds 10
}
  2. Configure Windows Event Forwarding for centralized monitoring:
wecutil qc
wecutil cs TimeChangeSubscription.xml
  3. Create a scheduled task to run the monitoring script:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\TimeChangeMonitor.ps1"
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "TimeChangeMonitor" -Action $Action -Trigger $Trigger -Settings $Settings -RunLevel Highest
  4. Set up Windows Performance Toolkit (WPT) tracing for detailed analysis:
wpr -start GeneralProfile -filemode
# Reproduce the time change issue
wpr -stop TimeChangeTrace.etl

Overview

Event ID 4892 from Microsoft-Windows-Kernel-General appears in the System log whenever Windows detects a change in system time. This event fires during normal time synchronization operations, manual time adjustments through Control Panel or Settings, or when the system corrects for hardware clock drift. The event captures both the old and new time values, making it valuable for audit trails and troubleshooting time-related issues.

This event is particularly important in domain environments where Kerberos authentication relies on synchronized time across systems. Time discrepancies exceeding five minutes can cause authentication failures and service disruptions. The event also helps administrators track unauthorized time changes that could affect log correlation, scheduled tasks, and certificate validity periods.

While typically informational, frequent occurrences may indicate hardware issues with the CMOS battery, network time protocol (NTP) configuration problems, or malicious attempts to manipulate system timestamps for forensic evasion.

Frequently Asked Questions

What does Event ID 4892 mean and when should I be concerned?
Event ID 4892 indicates that Windows detected a system time change at the kernel level. This is typically normal behavior during time synchronization, but you should investigate if you see frequent occurrences (more than several times per hour), large time jumps (more than a few minutes), or time changes during periods when no synchronization should occur. In security contexts, unexpected time changes could indicate tampering attempts to manipulate log timestamps or evade time-based security controls.

How can I distinguish between legitimate and suspicious time changes in Event ID 4892?
Legitimate time changes usually occur during system startup, scheduled synchronization windows, or after network connectivity restoration. They typically involve small adjustments (seconds to minutes) and correlate with Windows Time Service activity. Suspicious changes include large time jumps during normal operation, frequent oscillations between different times, changes occurring outside maintenance windows, or time modifications that coincide with other security events. Always correlate Event ID 4892 with process creation events (Event ID 4688) to identify the source.
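The following PowerShell is an added example, not part of the original article, that turns the patterns from the two answers above (bursts per hour, large jumps, oscillation) into a retrospective triage of the System log. The thresholds in the param block are illustrative values chosen for this example, and the Old Time / New Time message layout is the one the article describes.

```powershell
# Added example: triage Event ID 4892 history for bursts, large jumps and oscillation.
param(
    [int]$Days = 7,
    [int]$MaxPerHour = 5,        # constructed threshold: "more than several times per hour"
    [int]$MaxJumpMinutes = 5     # constructed threshold: "more than a few minutes"
)

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 4892
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# Parse each message into old/new time and the signed correction in seconds
$Changes = foreach ($e in $Events) {
    if ($e.Message -match '(?s)Old Time:\s*(.+?)\s*New Time:\s*([^\r\n]+)') {
        $old = [DateTime]::MinValue; $new = [DateTime]::MinValue
        if ([DateTime]::TryParse($Matches[1], [ref]$old) -and
            [DateTime]::TryParse($Matches[2], [ref]$new)) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DeltaSec    = [Math]::Round(($new - $old).TotalSeconds, 1)
            }
        }
    }
}

# 1) Bursts: hours in which the event fired more often than the threshold
$Changes | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Where-Object Count -gt $MaxPerHour |
    ForEach-Object { Write-Warning "Burst: $($_.Count) time changes in hour $($_.Name)" }

# 2) Large jumps: corrections bigger than a few minutes in either direction
$Changes | Where-Object { [Math]::Abs($_.DeltaSec) -gt ($MaxJumpMinutes * 60) } |
    ForEach-Object { Write-Warning "Large jump of $($_.DeltaSec)s at $($_.TimeCreated)" }

# 3) Oscillation: consecutive corrections that alternate sign (forward, then back)
$Ordered = @($Changes | Sort-Object TimeCreated)
for ($i = 1; $i -lt $Ordered.Count; $i++) {
    if (($Ordered[$i-1].DeltaSec * $Ordered[$i].DeltaSec) -lt 0 -and
        [Math]::Abs($Ordered[$i].DeltaSec) -gt 30) {
        Write-Warning "Oscillation: $($Ordered[$i-1].DeltaSec)s then $($Ordered[$i].DeltaSec)s at $($Ordered[$i].TimeCreated)"
    }
}
```

Anything flagged here is a starting point for the 4688 correlation described in the answer above, not a verdict on its own.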

Why do I see Event ID 4892 frequently in my virtual machine environment?
Virtual machines commonly generate Event ID 4892 due to time synchronization between the host and guest systems. Hypervisors like VMware vSphere, Hyper-V, and VirtualBox automatically sync VM time with the host, especially after VM migration, snapshot restoration, or host time changes. This is normal behavior, but you can reduce frequency by properly configuring time synchronization settings. Disable host time sync if your VMs use domain-based NTP synchronization to prevent conflicts between multiple time sources.

Can Event ID 4892 help me troubleshoot Kerberos authentication failures?
Yes, Event ID 4892 is crucial for diagnosing Kerberos authentication issues caused by time skew. Kerberos requires client and server clocks to be within 5 minutes (default) of each other. If you see authentication failures (Event IDs 4625, 4771, 4768) accompanied by frequent Event ID 4892 entries showing large time corrections, this indicates time synchronization problems. Check that all domain members are synchronizing with domain controllers, and domain controllers are using reliable external time sources. Use 'w32tm /monitor' to verify time accuracy across domain systems.

How do I prevent unauthorized time changes that generate Event ID 4892?
Implement several security measures: First, restrict the 'Change the system time' user right (SeSystemtimePrivilege) to only necessary accounts through Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Second, monitor Event ID 4892 in conjunction with logon events to detect unauthorized access. Third, configure audit policies to track privilege use (Event ID 4673). Finally, in high-security environments, consider using hardware security modules (HSMs) or trusted time sources, and implement network segmentation to protect time synchronization traffic from manipulation.
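As an added example (not from the original article), this PowerShell checks the first and third measures above on a single host: it lists which accounts currently hold SeSystemtimePrivilege by exporting the effective local policy with the built-in secedit tool, then looks for Security 4673 entries naming that privilege in the two minutes before each recent 4892 event. It assumes an elevated session and that the Privilege Use audit subcategory covering this right is enabled, otherwise no 4673 events exist to correlate.

```powershell
# Added example: who holds "Change the system time", and was it used before a 4892?
# secedit exports the effective local policy as an INF; the relevant line reads
# "SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544" (SIDs prefixed with *).
$Cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $Cfg | Out-Null
$Line = Get-Content $Cfg | Where-Object { $_ -match '^SeSystemtimePrivilege\s*=' } | Select-Object -First 1
Remove-Item $Cfg -ErrorAction SilentlyContinue

$Holders = if ($Line) {
    ($Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Resolve *SID to DOMAIN\Name; fall back to the raw SID if it cannot be translated
            try { ([System.Security.Principal.SecurityIdentifier]$entry.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry.Substring(1) }
        } else { $entry }
    }
}
Write-Host "Accounts holding 'Change the system time' (SeSystemtimePrivilege):"
$Holders | ForEach-Object { Write-Host "  $_" }

# 4673 is only written when the Privilege Use audit subcategory covering this
# right is enabled. Look for 4673 entries naming SeSystemtimePrivilege in the
# two minutes leading up to each recent 4892 time-change event.
$TimeChanges = Get-WinEvent -FilterHashtable @{ LogName='System'; Id=4892 } -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($tc in $TimeChanges) {
    $PrivUse = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4673
        StartTime = $tc.TimeCreated.AddMinutes(-2)
        EndTime   = $tc.TimeCreated.AddSeconds(5)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'SeSystemtimePrivilege' }

    foreach ($p in $PrivUse) {
        # Subject account and calling process are lines of the 4673 message body
        $acct = if ($p.Message -match 'Account Name:\s*(\S+)') { $Matches[1] } else { '?' }
        $proc = if ($p.Message -match 'Process Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        Write-Host ("4892 at {0}: SeSystemtimePrivilege used at {1} by {2} via {3}" -f $tc.TimeCreated, $p.TimeCreated, $acct, $proc)
    }
}
```

A 4892 event with no matching 4673 from an expected account (such as the Windows Time service) is the case worth a closer look; an unexpected account or process in the output points at where the time change came from.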

Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
