ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer showing system event logs on a monitoring dashboard
Event ID 4950InformationMicrosoft-Windows-Kernel-GeneralWindows

Windows Event ID 4950 – Microsoft-Windows-Kernel-General: System Time Changed

Event ID 4950 fires when the system time is changed on a Windows machine, either manually by a user or automatically by time synchronization services.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4950Microsoft-Windows-Kernel-General 5 methods 12 min
Event Reference

What This Event Means

Event ID 4950 represents a fundamental system audit event that tracks modifications to the system clock. When Windows detects a time change, the kernel generates this event to maintain an audit trail of temporal modifications. The event captures the exact timestamp of when the change occurred, the previous system time, the new system time, and identifies the process or service that initiated the modification.

The event structure includes several key data fields: the old system time in UTC format, the new system time in UTC format, the process ID of the component that made the change, and in newer Windows versions, a reason code indicating whether the change was manual, automatic via NTP synchronization, or triggered by domain time sync. This granular information proves invaluable for forensic analysis and compliance auditing.

From a security perspective, Event ID 4950 serves as a critical detection point for potential system manipulation. Attackers sometimes modify system time to evade time-based security controls, interfere with certificate validation, or create gaps in audit logs. Security Information and Event Management (SIEM) systems commonly monitor this event to identify suspicious time modifications that deviate from expected synchronization patterns.

The event also plays a crucial role in troubleshooting time-related issues in enterprise environments. When applications fail due to time skew, authentication problems arise from Kerberos ticket timing, or scheduled tasks execute incorrectly, Event ID 4950 provides the forensic trail needed to identify when and why time changes occurred. System administrators use this event data to correlate time modifications with system problems and validate that time synchronization services are functioning correctly.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual time change through Windows Date and Time settings
  • Automatic time synchronization via Windows Time service (W32Time)
  • Domain controller time synchronization in Active Directory environments
  • NTP client synchronization with external time servers
  • Time zone changes that affect the system clock
  • Daylight saving time automatic adjustments
  • Third-party time synchronization software modifications
  • System resume from hibernation or sleep with significant time drift
  • Virtual machine time synchronization with hypervisor host
  • Hardware clock battery failure causing time reset on boot
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4950 to understand the nature of the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSystem
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4950 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4950 entries to view detailed information
  6. Examine the General tab for old time, new time, and time difference
  7. Check the Details tab for process ID and additional context

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=4950} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Pro tip: Look for patterns in time changes - regular intervals suggest automatic synchronization, while irregular changes may indicate manual modifications or system issues.
02

Analyze Time Synchronization Configuration

Investigate the Windows Time service configuration to determine if time changes are expected behavior.

  1. Open an elevated Command Prompt or PowerShell
  2. Check the current time service configuration:
w32tm /query /configuration
  1. Verify the time source being used:
w32tm /query /source
  1. Check the time service status:
w32tm /query /status
  1. Review time synchronization peers:
w32tm /query /peers
  1. For domain-joined computers, verify domain hierarchy:
w32tm /query /configuration | Select-String -Pattern 'Type|NtpServer'
  1. Check the Windows Time service event log:
Get-WinEvent -LogName 'Microsoft-Windows-Time-Service/Operational' -MaxEvents 50
Warning: Disabling time synchronization can cause authentication failures in domain environments and certificate validation issues.
03

Correlate with Security and Application Events

Cross-reference Event ID 4950 with other system events to identify the root cause and impact of time changes.

  1. Check for related security events around the same timeframe:
$timeChange = Get-WinEvent -FilterHashtable @{LogName='System'; Id=4950} -MaxEvents 1
$startTime = $timeChange.TimeCreated.AddMinutes(-10)
$endTime = $timeChange.TimeCreated.AddMinutes(10)
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$startTime; EndTime=$endTime} | Where-Object {$_.Id -in @(4624,4625,4648,4672)}
  1. Look for application errors that might be related to time changes:
Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$startTime; EndTime=$endTime; Level=2}
  1. Check for Kerberos authentication issues:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=@(13,40)} -MaxEvents 20
  1. Review Task Scheduler events for missed or failed tasks:
Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' -MaxEvents 50 | Where-Object {$_.TimeCreated -gt $startTime -and $_.TimeCreated -lt $endTime}
  1. Create a comprehensive timeline report:
$events = @()
$events += Get-WinEvent -FilterHashtable @{LogName='System'; Id=4950; StartTime=(Get-Date).AddDays(-1)}
$events += Get-WinEvent -FilterHashtable @{LogName='System'; Id=@(13,40); StartTime=(Get-Date).AddDays(-1)}
$events | Sort-Object TimeCreated | Format-Table TimeCreated, LogName, Id, LevelDisplayName, Message -Wrap
04

Monitor and Set Up Alerting for Time Changes

Implement monitoring solutions to track and alert on unexpected time changes for security and compliance purposes.

  1. Create a custom Event Viewer view for time change monitoring:
  2. In Event Viewer, right-click Custom Views and select Create Custom View
  3. Set Event level to Information, Event logs to System, and Event IDs to 4950
  4. Save the view as "Time Changes Monitor"
  5. Set up a scheduled task to alert on time changes:
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-Command "Get-WinEvent -FilterHashtable @{LogName=\"System\"; Id=4950; StartTime=(Get-Date).AddMinutes(-5)} | ForEach-Object {Send-MailMessage -To admin@company.com -From timechange@company.com -Subject \"Time Change Detected\" -Body $_.Message -SmtpServer mail.company.com}"'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
Register-ScheduledTask -TaskName "TimeChangeAlert" -Action $action -Trigger $trigger -Description "Alert on system time changes"
  1. Configure Windows Event Forwarding for centralized monitoring:
# On the collector server
wecutil qc
# Create subscription for Event ID 4950
wecutil cs TimeChangeSubscription.xml
  1. Use PowerShell to create a real-time monitor:
Register-WmiEvent -Query "SELECT * FROM Win32_VolumeChangeEvent" -Action {
    $event = Get-WinEvent -FilterHashtable @{LogName='System'; Id=4950} -MaxEvents 1
    Write-Host "Time change detected at $($event.TimeCreated): $($event.Message)"
}
Pro tip: In enterprise environments, consider using SIEM solutions like Microsoft Sentinel or Splunk to correlate Event ID 4950 with other security events for comprehensive monitoring.
05

Advanced Forensic Analysis and Registry Investigation

Perform deep forensic analysis to understand the source and impact of time changes, especially in security incident investigations.

  1. Export Event ID 4950 events for detailed analysis:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=4950; StartTime=(Get-Date).AddDays(-30)} | Export-Csv -Path "C:\Temp\TimeChanges.csv" -NoTypeInformation
  1. Examine registry keys related to time synchronization:
# Check time service configuration
Get-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
# Review time providers
Get-ChildItem -Path "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders" -Recurse
  1. Analyze process information from event details:
$events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=4950} -MaxEvents 10
foreach ($event in $events) {
    $xml = [xml]$event.ToXml()
    $processId = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text'
    if ($processId) {
        Write-Host "Time change by Process ID: $processId at $($event.TimeCreated)"
    }
}
  1. Check for suspicious time patterns using statistical analysis:
$timeChanges = Get-WinEvent -FilterHashtable @{LogName='System'; Id=4950; StartTime=(Get-Date).AddDays(-7)}
$intervals = @()
for ($i = 1; $i -lt $timeChanges.Count; $i++) {
    $interval = ($timeChanges[$i-1].TimeCreated - $timeChanges[$i].TimeCreated).TotalMinutes
    $intervals += $interval
}
$avgInterval = ($intervals | Measure-Object -Average).Average
Write-Host "Average time between changes: $avgInterval minutes"
$intervals | Group-Object | Sort-Object Count -Descending
  1. Generate a comprehensive forensic report:
$report = @"
Time Change Forensic Report - Generated: $(Get-Date)
=================================================

Recent Time Changes:
"@
$events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=4950} -MaxEvents 20
foreach ($event in $events) {
    $report += "`n$($event.TimeCreated): $($event.Message)"
}
$report += "`n`nTime Service Status:`n"
$report += w32tm /query /status
$report | Out-File -FilePath "C:\Temp\TimeChangeReport.txt"
Warning: When investigating security incidents, preserve original event logs before analysis and maintain proper chain of custody for forensic evidence.

Overview

Event ID 4950 from Microsoft-Windows-Kernel-General logs whenever the system time is modified on a Windows machine. This event captures both manual time changes performed by users through the Date and Time settings and automatic adjustments made by the Windows Time service (W32Time). The event appears in the System log and provides valuable audit information about when and how system time modifications occur.

This event becomes particularly important in enterprise environments where time synchronization is critical for domain authentication, certificate validation, and log correlation across multiple systems. Security teams often monitor this event to detect unauthorized time changes that could be used to evade security controls or manipulate audit trails. The event includes details about the previous time, new time, and the process responsible for the change.

In Windows Server 2025 and Windows 11 24H2, Microsoft enhanced the event logging to include additional context about the time change source, making it easier to distinguish between legitimate automatic synchronization and manual modifications. The event fires immediately when the time change occurs, before other system components are notified of the modification.

Frequently Asked Questions

What does Event ID 4950 mean and when should I be concerned?+
Event ID 4950 indicates that the system time was changed on your Windows machine. You should be concerned if these events occur frequently outside of expected time synchronization windows, happen at unusual times, or correlate with security incidents. Normal automatic synchronization typically occurs every few hours, while manual changes or frequent adjustments may indicate system issues or potential security concerns. Monitor the frequency and timing patterns to distinguish between legitimate and suspicious activity.
How can I tell if a time change was manual or automatic?+
In newer Windows versions (Windows 11 22H2 and later, Windows Server 2022), Event ID 4950 includes additional context in the event details that can help identify the source. Automatic changes typically show the Windows Time service (W32Time) as the source, while manual changes show user processes. You can also correlate with Event ID 4616 (system time changed) in the Security log, which provides more detailed information about the user or process that initiated the change. Check the process ID in the event details and cross-reference with running processes at that time.
Why am I seeing multiple Event ID 4950 entries in a short time period?+
Multiple Event ID 4950 entries in quick succession usually indicate time synchronization issues or system instability. Common causes include: network connectivity problems preventing proper NTP synchronization, conflicting time sources in a domain environment, virtual machine time drift correction, hardware clock issues, or third-party time synchronization software conflicts. Check your time service configuration with 'w32tm /query /status' and review network connectivity to your time sources. In virtualized environments, verify that VM time synchronization is properly configured.
Can Event ID 4950 be used to detect security attacks?+
Yes, Event ID 4950 is valuable for security monitoring. Attackers sometimes manipulate system time to evade time-based security controls, interfere with certificate validation, create audit log gaps, or bypass time-sensitive authentication mechanisms like Kerberos tickets. Unusual patterns such as time being set backwards, frequent manual changes, or time modifications correlating with other suspicious activities warrant investigation. Security teams should monitor for time changes outside maintenance windows, especially those that create significant time skew or occur during off-hours.
How do I prevent unauthorized time changes on my Windows systems?+
To prevent unauthorized time changes, implement several security measures: Remove the 'Change the system time' user right from non-administrative users through Group Policy (Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment). Configure proper time synchronization through Group Policy to prevent manual changes. Enable audit policies to log time change attempts in the Security log. Use AppLocker or Software Restriction Policies to prevent unauthorized time synchronization tools. In enterprise environments, centrally manage time synchronization through domain controllers and monitor Event ID 4950 for anomalies.
Documentation

References (2)

1
Microsoft Learn - Windows Time ServiceComprehensive documentation about Windows Time service configuration, troubleshooting, and best practices for time synchronization in Windows environments.https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-top
2
Microsoft Docs - Event Logging ReferenceTechnical reference for Windows event logging system, including event structure, sources, and programmatic access methods for system events.https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-reference
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4950#windows-events#time-synchronization

Related Windows Events

Windows Event Viewer showing system time change events on a monitoring dashboard
Event 11708
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 11708 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11708 indicates the system time was changed, either manually by a user or automatically by time synchronization services. Critical for security auditing and troubleshooting time-related issues.

March 189 min
Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 5889
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 5889 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5889 indicates the system time was changed, either manually by a user or automatically by time synchronization services. This event helps track time modifications for security and audit purposes.

March 1812 min
Windows Event Viewer showing system time change events on a monitoring dashboard
Event 5121
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 5121 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5121 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

March 1812 min
System administrator analyzing Windows kernel errors and event logs on multiple monitoring displays
Event 5058
Microsoft-Windows-Kernel-General
Windows EventError

Windows Event ID 5058 – Microsoft-Windows-Kernel-General: Key File Operation Failure

Event ID 5058 indicates a critical kernel-level file operation failure, typically involving system files, registry hives, or security databases that Windows cannot access or modify properly.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...