ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer showing system time change events on a monitoring dashboard
Event ID 5121InformationMicrosoft-Windows-Kernel-GeneralWindows

Windows Event ID 5121 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5121 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 5121Microsoft-Windows-Kernel-General 5 methods 12 min
Event Reference

What This Event Means

Event ID 5121 represents Windows' built-in mechanism for tracking system time modifications across all supported Windows versions. When the system clock changes by any amount, the kernel generates this event to maintain an audit trail of temporal modifications. The event includes comprehensive details about the time change, including the previous time, new time, process ID responsible for the change, and the reason code indicating whether the change was manual, automatic, or programmatic.

The event structure contains several key fields that help administrators understand the context of the time change. The OldTime and NewTime fields show the exact timestamps before and after the modification, while the Reason field indicates the source of the change. Common reason codes include user-initiated changes through the Date and Time control panel, automatic synchronization via Windows Time Service (W32Time), or programmatic changes made by applications using SetSystemTime API calls.

In domain environments, Event ID 5121 becomes crucial for maintaining security posture. Kerberos authentication relies on synchronized time between clients and domain controllers, with a default tolerance of 5 minutes. When systems experience significant time drift or unauthorized time changes, authentication failures cascade throughout the environment. This event helps administrators quickly identify and remediate time-related issues before they impact business operations.

The event also plays a vital role in forensic investigations and compliance auditing. Security teams use Event ID 5121 to detect potential tampering with system clocks, which could be used to obscure malicious activity or manipulate log timestamps. Financial institutions and regulated industries particularly value this event for maintaining accurate audit trails and demonstrating compliance with temporal integrity requirements.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual time adjustment through Windows Date and Time settings
  • Automatic time synchronization with domain controllers via W32Time service
  • NTP client synchronization with external time servers
  • Application-initiated time changes using SetSystemTime API
  • Hardware clock drift correction during system startup
  • Time zone changes or daylight saving time transitions
  • Virtual machine time synchronization with hypervisor host
  • Group Policy-enforced time synchronization settings
  • Third-party time synchronization software modifications
  • System recovery operations that restore previous time settings
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 5121 to understand what triggered the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSystem
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 5121 in the Event IDs field and click OK
  5. Double-click on recent Event ID 5121 entries to view detailed information
  6. Review the General tab for OldTime, NewTime, and Reason fields
  7. Check the Details tab for additional context including Process ID

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=5121} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Pro tip: The Reason field value helps identify whether the change was user-initiated (1), automatic synchronization (2), or programmatic (3).
02

Analyze Time Synchronization Status

Investigate the Windows Time Service configuration and synchronization status to identify potential issues.

  1. Open an elevated Command Prompt or PowerShell session
  2. Check current time synchronization status:
w32tm /query /status
  1. Review time source configuration:
w32tm /query /source
  1. Examine detailed time service configuration:
w32tm /query /configuration
  1. Check for recent time synchronization events:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'} -MaxEvents 10
  1. Verify NTP server connectivity if using external time sources:
w32tm /stripchart /computer:pool.ntp.org /samples:5
Warning: Frequent time changes may indicate hardware clock issues or network connectivity problems affecting time synchronization.
03

Investigate Process-Initiated Time Changes

Identify which processes are modifying system time and determine if the changes are authorized.

  1. Use PowerShell to extract detailed event information including process details:
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=5121} -MaxEvents 50
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $ProcessId = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text'
    $OldTime = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'OldTime'} | Select-Object -ExpandProperty '#text'
    $NewTime = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'NewTime'} | Select-Object -ExpandProperty '#text'
    Write-Output "Time: $($Event.TimeCreated) | Process ID: $ProcessId | Old: $OldTime | New: $NewTime"
}
  1. Cross-reference process IDs with running processes at the time of the event
  2. Check for suspicious applications that might be manipulating system time:
Get-Process | Where-Object {$_.ProcessName -match 'time|clock|sync'} | Select-Object ProcessName, Id, StartTime, Path
  1. Review installed software for time-related utilities:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match 'time|clock|sync'} | Select-Object Name, Version, InstallDate
  1. Examine scheduled tasks that might modify system time:
Get-ScheduledTask | Where-Object {$_.Actions.Execute -match 'w32tm|time|clock'} | Select-Object TaskName, State, Actions
04

Configure Time Change Auditing and Monitoring

Implement comprehensive monitoring to track and alert on unauthorized time changes.

  1. Enable advanced audit policy for time changes using Group Policy or local security policy:
  2. Open Local Security Policy (secpol.msc) or Group Policy Management
  3. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  4. Expand System Audit PoliciesSystem
  5. Configure Audit Security System Extension to Success and Failure
  6. Set up PowerShell monitoring script for real-time alerts:
# Create monitoring script
$Action = {
    $Event = $Event.SourceEventArgs.NewEvent
    $XML = [xml]$Event.ToXml()
    $NewTime = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'NewTime'} | Select-Object -ExpandProperty '#text'
    $OldTime = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'OldTime'} | Select-Object -ExpandProperty '#text'
    Write-Host "ALERT: System time changed from $OldTime to $NewTime" -ForegroundColor Red
    # Add email notification or logging here
}

Register-WmiEvent -Query "SELECT * FROM Win32_VolumeChangeEvent" -Action $Action
  1. Configure Windows Event Forwarding to centralize time change events:
wecutil qc /q
winrm quickconfig
  1. Create custom event log views for time-related events in Event Viewer
Pro tip: Consider implementing SIEM integration to correlate time changes with other security events for comprehensive monitoring.
05

Remediate Time Synchronization Issues

Resolve underlying time synchronization problems that may be causing frequent Event ID 5121 occurrences.

  1. Reset Windows Time Service configuration to defaults:
Stop-Service w32time
w32tm /unregister
w32tm /register
Start-Service w32time
  1. Configure reliable time sources for domain and workgroup environments:
# For domain controllers
w32tm /config /manualpeerlist:"pool.ntp.org,0x8 time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update

# For domain members
w32tm /config /syncfromflags:domhier /update
  1. Adjust time synchronization intervals to reduce frequent changes:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config" /v MaxPosPhaseCorrection /t REG_DWORD /d 3600 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config" /v MaxNegPhaseCorrection /t REG_DWORD /d 3600 /f
  1. Configure time synchronization policies via Group Policy:
  2. Open Group Policy Management and edit the appropriate GPO
  3. Navigate to Computer ConfigurationAdministrative TemplatesSystemWindows Time Service
  4. Configure time providers and synchronization settings
  5. Force immediate time synchronization and verify results:
w32tm /resync /force
w32tm /query /status
  1. Monitor hardware clock drift on physical systems:
w32tm /monitor /computers:localhost
Warning: Significant time changes can disrupt Kerberos authentication and certificate validation. Plan time corrections during maintenance windows when possible.

Overview

Event ID 5121 from Microsoft-Windows-Kernel-General logs whenever Windows detects a system time change. This event fires during manual time adjustments, automatic time synchronization with domain controllers or NTP servers, and when applications programmatically modify system time. The event captures both the old and new time values, making it essential for security auditing and compliance tracking.

This event appears in the System log and provides detailed information about what triggered the time change, including the process responsible and the exact time delta. Windows generates this event regardless of whether the change was initiated by a user, service, or external time source. The event becomes particularly important in enterprise environments where accurate timekeeping is critical for Kerberos authentication, certificate validation, and audit trail integrity.

System administrators rely on Event ID 5121 to track unauthorized time changes, investigate authentication failures related to time skew, and monitor the health of time synchronization services. The event also helps identify systems that may have drifted from the correct time due to hardware clock issues or network connectivity problems.

Frequently Asked Questions

What does Event ID 5121 mean and when should I be concerned?+
Event ID 5121 indicates that Windows detected a system time change. This is normal for automatic time synchronization, but frequent occurrences or large time jumps may indicate hardware clock issues, network problems affecting time sync, or unauthorized manual changes. Be concerned if you see multiple events per day, changes exceeding several minutes, or events occurring outside of scheduled synchronization windows.
How can I determine what caused a specific Event ID 5121 occurrence?+
Examine the event details in Event Viewer or use PowerShell to extract the Reason field and Process ID. Reason code 1 indicates manual user changes, code 2 shows automatic synchronization, and code 3 represents programmatic changes. Cross-reference the Process ID with running applications to identify the specific program that initiated the time change. Check the OldTime and NewTime fields to understand the magnitude of the change.
Can Event ID 5121 events impact system security or authentication?+
Yes, time changes can significantly impact security. Kerberos authentication requires time synchronization within 5 minutes between clients and domain controllers. Large time changes can cause authentication failures, certificate validation errors, and audit log inconsistencies. Unauthorized time changes might also be used by attackers to manipulate log timestamps or evade time-based security controls. Monitor these events closely in security-sensitive environments.
How do I prevent unauthorized time changes while maintaining proper synchronization?+
Configure Group Policy to restrict time change privileges to administrators only by modifying the 'Change the system time' user right in Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment. Ensure Windows Time Service is properly configured with reliable time sources. Implement monitoring alerts for Event ID 5121 to detect unauthorized changes. Consider using hardware security modules or trusted time sources in high-security environments.
Why am I seeing frequent Event ID 5121 events on virtual machines?+
Virtual machines commonly generate frequent Event ID 5121 events due to time synchronization between the VM and hypervisor host. VMware Tools, Hyper-V Integration Services, and other virtualization platforms regularly adjust VM time to match the host. This is normal behavior, but you can reduce frequency by adjusting time synchronization intervals in the virtualization platform settings or disabling VM time sync if using domain-based time synchronization instead.
Documentation

References (2)

1
Microsoft Learn - Windows Time Service Technical ReferenceComprehensive documentation on Windows Time Service configuration, troubleshooting, and best practices for enterprise environments.https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/
2
Microsoft Docs - Event Logging in WindowsTechnical reference for Windows event logging system, including event structure and programmatic access methods.https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5121#windows-events#time-synchronization

Related Windows Events

Windows Event Viewer showing system time change events on a monitoring dashboard
Event 11708
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 11708 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11708 indicates the system time was changed, either manually by a user or automatically by time synchronization services. Critical for security auditing and troubleshooting time-related issues.

March 189 min
Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 5889
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 5889 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5889 indicates the system time was changed, either manually by a user or automatically by time synchronization services. This event helps track time modifications for security and audit purposes.

March 1812 min
System administrator analyzing Windows kernel errors and event logs on multiple monitoring displays
Event 5058
Microsoft-Windows-Kernel-General
Windows EventError

Windows Event ID 5058 – Microsoft-Windows-Kernel-General: Key File Operation Failure

Event ID 5058 indicates a critical kernel-level file operation failure, typically involving system files, registry hives, or security databases that Windows cannot access or modify properly.

March 1812 min
Windows Event Viewer displaying system time synchronization events on a server monitoring dashboard
Event 5056
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 5056 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5056 fires when Windows detects a system time change, typically during boot or when time synchronization occurs. Critical for audit trails and troubleshooting time-related issues.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...