Windows Event ID 5889 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 5889 indicates the system time was changed, either manually by a user or automatically by time synchronization services. This event helps track time modifications for security and audit purposes.

Emanuel DE ALMEIDA
18 March 2026
Event Reference

What This Event Means

Windows Event ID 5889 records a modification of the system clock. When the kernel accepts a new system time, the Microsoft-Windows-Kernel-General provider writes this event to the System log with the previous time, the new time, and the process that requested the change. It is an Information-level event: its presence is normal, and what matters is who made the change, by how much, and in which direction.

This event plays a critical role in maintaining system integrity and security posture. Time synchronization is essential for proper domain authentication, certificate validation, and distributed system coordination. Unauthorized or unexpected time changes can disrupt these services and potentially mask malicious activities by altering log timestamps.

The event typically occurs during normal operations when Windows Time Service synchronizes with domain controllers or external time sources. However, it also fires when users manually adjust the system clock through the Date and Time control panel, command-line tools like w32tm, or PowerShell cmdlets. Security teams monitor this event to detect potential tampering attempts, while system administrators use it to troubleshoot time synchronization problems across their infrastructure.

In Windows Server environments, this event is particularly important on domain controllers, which must keep accurate time for Kerberos ticket validation. Kerberos rejects tickets whose timestamps differ from the KDC's clock by more than the domain's maximum tolerance (five minutes by default), so skew beyond that threshold causes authentication failures and service disruptions across the entire domain.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Windows Time Service (W32Time) synchronizing with domain controllers or external NTP servers
  • Manual time adjustment through Date and Time control panel by users with administrative privileges
  • Command-line time changes using w32tm /resync, net time, or PowerShell Set-Date cmdlets
  • Group Policy enforced time synchronization policies taking effect
  • System recovery from hibernation or sleep mode with significant time drift
  • Hardware clock (CMOS) battery failure causing time reset during boot
  • Virtual machine time synchronization with hypervisor host
  • Third-party time synchronization software making automatic adjustments
  • Daylight saving time transitions: Windows keeps system time in UTC, so a DST rollover by itself normally does not step the clock or log this event; 5889 entries clustered around a DST change usually come from users manually correcting a clock they believe is wrong
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 5889 to understand what triggered the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 5889 in the Event IDs field and click OK
  5. Double-click on recent Event ID 5889 entries to view detailed information
  6. Check the General tab for old time, new time, and process information
  7. Note the time difference and whether changes appear to be automatic or manual

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=5889} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Pro tip: Look for patterns in timing - regular intervals suggest automatic synchronization, while irregular times may indicate manual changes.
02

Check Windows Time Service Configuration

Verify the Windows Time Service configuration to determine if time changes are expected automatic synchronizations.

  1. Open an elevated Command Prompt or PowerShell session
  2. Check the current time service configuration:
w32tm /query /configuration
  3. Review the NTP server sources and synchronization settings:
w32tm /query /source
w32tm /query /status
  4. Check time synchronization logs for additional context:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'} -MaxEvents 10
  5. Verify domain time synchronization hierarchy if domain-joined:
w32tm /query /peers
  6. Test manual synchronization to see if it triggers Event ID 5889 (the event appears only when the service steps the clock; small offsets are slewed without one):
w32tm /resync /nowait
Warning: Manual time synchronization may temporarily disrupt services that depend on consistent timestamps.
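The steps above are easier to repeat across a fleet as one check. The function below is an added example, not code from the original article: it reads the W32Time settings that decide whether clock steps are expected and how large a step the service will accept, then samples the offset against the active source. The registry paths and w32tm switches are standard; the function name and the 300-second threshold (the Kerberos default clock-skew tolerance) are this example's choices. Run it from an elevated session on a host that can reach its time source.

```powershell
# Added example (not from the article): audit W32Time configuration and current offset.
function Test-W32TimeConfiguration {
    param([int]$MaxOffsetSeconds = 300)   # Kerberos default clock-skew tolerance

    $Params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $Config = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $Findings = New-Object System.Collections.Generic.List[string]

    # Type: NT5DS = domain hierarchy, NTP = manual peer list in NtpServer, NoSync = never corrects
    switch ($Params.Type) {
        'NoSync' { $Findings.Add('Type=NoSync: the service never corrects the clock, so every 5889 event is a manual or third-party change') }
        'NTP'    { if (-not $Params.NtpServer) { $Findings.Add('Type=NTP but NtpServer is empty') } }
    }

    # REG_DWORD 0xFFFFFFFF is read back as -1 (Int32); it means "accept a step of any size"
    # from the source, which lets a spoofed or compromised source move the clock arbitrarily.
    foreach ($Name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $Value = $Config.$Name
        if ($Value -eq -1 -or $Value -eq 4294967295) {
            $Findings.Add("$Name is unbounded (0xFFFFFFFF)")
        }
    }

    # /query /source prints a peer name, or a pseudo-source such as "Local CMOS Clock"
    $Source = (w32tm /query /source | Select-Object -First 1).Trim()
    $Offset = $null
    if ($Source -match '^[\w.\-]+$') {
        # /stripchart /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample
        $Samples = @(w32tm /stripchart /computer:$Source /samples:3 /dataonly 2>&1 |
            ForEach-Object { if ("$_" -match '^\d{2}:\d{2}:\d{2}, ([+-]\d+\.\d+)s') { [double]$Matches[1] } })
        if ($Samples.Count -gt 0) {
            $Offset = ($Samples | Measure-Object -Average).Average
            if ([Math]::Abs($Offset) -gt $MaxOffsetSeconds) {
                $Findings.Add("offset ${Offset}s from $Source exceeds the ${MaxOffsetSeconds}s Kerberos tolerance")
            }
        } else {
            $Findings.Add("could not sample $Source (unreachable or NTP blocked)")
        }
    } else {
        $Findings.Add("source is '$Source': not synchronized to a network time source")
    }

    [PSCustomObject]@{
        Type                  = $Params.Type
        NtpServer             = $Params.NtpServer
        Source                = $Source
        OffsetSeconds         = $Offset
        MaxPosPhaseCorrection = $Config.MaxPosPhaseCorrection
        MaxNegPhaseCorrection = $Config.MaxNegPhaseCorrection
        Findings              = $Findings -join '; '
    }
}

Test-W32TimeConfiguration | Format-List
```

An empty Findings field means the host has a network source, a bounded correction window and an offset inside the Kerberos tolerance, so any 5889 event it logs is worth a closer look at the process rather than at the time service.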
03

Analyze Process and User Context

Investigate which process or user account initiated the time change to determine if it was authorized.

  1. Use PowerShell to extract detailed event information including process details:
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=5889} -MaxEvents 10
foreach ($Event in $Events) {
    $EventXML = [xml]$Event.ToXml()
    # ProcessName is a device path such as \Device\HarddiskVolume3\Windows\System32\svchost.exe
    $Process = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
    Write-Host "Time: $($Event.TimeCreated)"
    Write-Host "Process: $Process"
    # UserId is usually empty for kernel-logged events; the account has to come from the Security log
    Write-Host "User: $($Event.UserId)"
    Write-Host "---"
}
  2. Cross-reference with Security log for logon events around the same time:
$TimeChangeEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=5889} -MaxEvents 5
foreach ($Event in $TimeChangeEvents) {
    $StartTime = $Event.TimeCreated.AddMinutes(-5)
    $EndTime = $Event.TimeCreated.AddMinutes(5)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}
  3. Check for scheduled tasks that might modify system time:
Get-ScheduledTask | Where-Object {$_.Actions.Execute -like '*time*' -or $_.Actions.Arguments -like '*time*'}
  4. Review Group Policy settings that might affect time synchronization:
gpresult /h GPReport.html
# Review the generated HTML report for time-related policies
04

Monitor and Set Time Change Alerts

Implement monitoring to track future time changes and set up alerts for unauthorized modifications.

  1. Create a PowerShell script to monitor Event ID 5889 in real-time:
# Save as Monitor-TimeChanges.ps1 and run from an elevated session.
# Subscribe to new System-log records with Event ID 5889 through WMI.
# (Win32_VolumeChangeEvent, used in an earlier version of this script, reports
# drive insertions and has nothing to do with time changes.)
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = 'System' " +
         "AND TargetInstance.EventCode = 5889"

Register-WmiEvent -Query $Query -SourceIdentifier 'TimeChange5889' -Action {
    # $Event is the automatic variable carrying the WMI event; do not shadow it
    $Record = $Event.SourceEventArgs.NewEvent.TargetInstance
    $When   = [Management.ManagementDateTimeConverter]::ToDateTime($Record.TimeGenerated)
    Write-Host "Time change detected at: $When" -ForegroundColor Yellow
    Write-Host $Record.Message
    # Add email notification or logging here
}

Write-Host "Monitoring for time changes. Press Ctrl+C to stop."
try { while ($true) { Start-Sleep 1 } }
finally { Unregister-Event -SourceIdentifier 'TimeChange5889' }
  2. Set up Windows Event Forwarding to centralize time change monitoring:
# On collector server
wecutil qc
# Then create a subscription whose query selects Event ID 5889 from the System log
# of the source computers (wecutil cs <subscription.xml>)
  3. Enable the Security-log audit of time changes, which adds the account that made the change:
# "Security State Change" (not "System Integrity") is the subcategory that records
# time changes; it produces Security Event ID 4616 with the subject account and process
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
  4. Create a custom Windows Event Log view for time changes. Save the XML as TimeChangeView.xml and import it via Event Viewer > Action > Import Custom View; the QueryNode element is required for the import to succeed:
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <Simple>
        <Channel>System</Channel>
        <EventId>5889</EventId>
        <RelativeTimeInfo>0</RelativeTimeInfo>
        <BySource>False</BySource>
      </Simple>
    </QueryParams>
    <QueryNode>
      <Name>System Time Changes (5889)</Name>
      <QueryList>
        <Query Id="0" Path="System">
          <Select Path="System">*[System[(EventID=5889)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
Pro tip: Set up email alerts using Task Scheduler to trigger on Event ID 5889 for immediate notification of time changes.
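The event-triggered task from the tip above, written out as an added example (not code from the original article). New-ScheduledTaskTrigger has no event trigger, so the MSFT_TaskEventTrigger CIM class is instantiated directly; the XPath is the same one an Event Viewer custom view for this event uses. The task name, running as SYSTEM and the log file under %ProgramData% are assumptions; swap the handler command for your mail or SIEM hook. Run it from an elevated session.

```powershell
# Added example (not from the article): alert on Event ID 5889 via a Task Scheduler event trigger.
$TaskName = 'Alert-SystemTimeChange'                          # assumed task name
$LogFile  = Join-Path $env:ProgramData 'TimeChanges.log'      # assumed output location

# Event query the task subscribes to: Kernel-General 5889 in the System log
$Subscription = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=5889)]]</Select>
  </Query>
</QueryList>
"@

# Event triggers are only reachable through the CIM class, not New-ScheduledTaskTrigger
$TriggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName 'MSFT_TaskEventTrigger'
$Trigger = New-CimInstance -CimClass $TriggerClass -ClientOnly
$Trigger.Subscription = $Subscription
$Trigger.Enabled = $true

# Handler: append the newest 5889 record to the log file; replace with Send-MailMessage or a webhook
$Handler = "Get-WinEvent -FilterHashtable @{LogName='System'; Id=5889} -MaxEvents 1 | " +
           "Format-List TimeCreated, Message | Out-File -Append -FilePath '$LogFile'"
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"$Handler`""

# SYSTEM can read the System log and write under ProgramData without a stored password
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Trigger $Trigger -Action $Action `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Confirm the event trigger was stored
(Get-ScheduledTask -TaskName $TaskName).Triggers | Select-Object Enabled, Subscription
```

Because the trigger is the event itself, the alert path does not depend on the system clock that was just changed; a polling schedule would be skipped or doubled when the clock jumps.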
05

Advanced Forensic Analysis and Registry Investigation

Perform deep analysis of time change events for security investigations or compliance requirements.

  1. Export Event ID 5889 events for detailed analysis:
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=5889} -MaxEvents 100
$Events | Export-Csv -Path "C:\Temp\TimeChangeEvents.csv" -NoTypeInformation

# Create detailed report with time differences (negative = clock moved backward)
$Report = foreach ($Event in $Events) {
    $EventXML = [xml]$Event.ToXml()
    $OldTime = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'OldTime'} | Select-Object -ExpandProperty '#text'
    $NewTime = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'NewTime'} | Select-Object -ExpandProperty '#text'
    # Keep at most seven fractional-second digits: some builds log more than .NET Framework will parse
    $Old = [DateTime]($OldTime -replace '(\.\d{1,7})\d*(?=Z$)', '$1')
    $New = [DateTime]($NewTime -replace '(\.\d{1,7})\d*(?=Z$)', '$1')
    [PSCustomObject]@{
        EventTime = $Event.TimeCreated
        OldSystemTime = $OldTime
        NewSystemTime = $NewTime
        TimeDifference = ($New - $Old).TotalSeconds
        ProcessId = $Event.ProcessId
        UserId = $Event.UserId
    }
}
$Report | Export-Csv -Path "C:\Temp\TimeChangeAnalysis.csv" -NoTypeInformation
  2. Check registry entries related to time service configuration:
# Windows Time Service registry settings
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"

# Time zone information
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
  3. Correlate with other security events for comprehensive timeline:
# Get related events around time changes
$TimeChanges = Get-WinEvent -FilterHashtable @{LogName='System'; Id=5889} -MaxEvents 10
foreach ($Change in $TimeChanges) {
    $StartTime = $Change.TimeCreated.AddMinutes(-10)
    $EndTime = $Change.TimeCreated.AddMinutes(10)
    
    Write-Host "=== Time Change at $($Change.TimeCreated) ===" -ForegroundColor Cyan
    
    # Check for logon events
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue | 
        Select-Object TimeCreated, Id, @{Name='Event';Expression={if($_.Id -eq 4624){'Logon Success'}else{'Logon Failure'}}}
    
    # Check for privilege use
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue | 
        Select-Object TimeCreated, Id, @{Name='Event';Expression={'Special Privileges Assigned'}}
}
  4. Generate forensic timeline for incident response:
# Create comprehensive timeline
$Timeline = @()
$Timeline += Get-WinEvent -FilterHashtable @{LogName='System'; Id=5889} -MaxEvents 50 | 
    Select-Object TimeCreated, @{Name='EventType';Expression={'Time Change'}}, @{Name='Source';Expression={'System'}}, Message
$Timeline += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4672} -MaxEvents 100 | 
    Select-Object TimeCreated, @{Name='EventType';Expression={'Security'}}, @{Name='Source';Expression={'Security'}}, Message

$Timeline | Sort-Object TimeCreated -Descending | Export-Csv -Path "C:\Temp\SecurityTimeline.csv" -NoTypeInformation
Warning: Extensive event log queries can impact system performance. Run during maintenance windows when possible.

Overview

Event ID 5889 fires whenever the system time is modified on a Windows machine. The Microsoft-Windows-Kernel-General provider logs this event to track both manual time changes and automatic adjustments made by Windows Time Service (W32Time). This event appears in the System log and provides crucial audit information about when and how system time was altered.

The event captures the old time value, new time value, and the process responsible for the change. System administrators rely on this event to monitor unauthorized time modifications, troubleshoot time synchronization issues, and maintain compliance with audit requirements. Time changes can affect log correlation, certificate validation, Kerberos authentication, and scheduled tasks.

In enterprise environments, unexpected time changes often indicate configuration problems with domain time synchronization, manual interventions by users with administrative privileges, or potential security incidents. The event helps distinguish between legitimate automatic time corrections and suspicious manual modifications that could be used to obscure malicious activity timestamps.

Frequently Asked Questions

What does Event ID 5889 mean and when should I be concerned?
Event ID 5889 indicates that the system time was changed on your Windows machine. This is normal when Windows Time Service synchronizes with domain controllers or NTP servers. You should be concerned if you see frequent manual time changes outside of normal synchronization patterns, changes made by unauthorized users, or time modifications that coincide with suspicious activities. Regular automatic synchronization typically shows small time adjustments (seconds or minutes), while manual changes often involve larger time shifts.
How can I tell if Event ID 5889 was caused by automatic synchronization or manual intervention?
Check the event details for the process name and for the size and direction of the step. Automatic synchronization is performed by the Windows Time service inside svchost.exe (w32tm.exe only asks the service to resync). W32Time slews small offsets by adjusting the clock rate and steps the clock directly only when the offset exceeds MaxAllowedPhaseOffset, so its events usually show a single correction of seconds to a few minutes at regular polling intervals. Manual changes typically show larger or backward steps initiated by a desktop process such as SystemSettings.exe (Settings app) or the rundll32.exe host of timedate.cpl, or by cmd.exe/powershell.exe for command-line changes. Also correlate with Microsoft-Windows-Time-Service events in the System log, which record what the service itself intended to do.
Can Event ID 5889 indicate a security breach or malicious activity?
While Event ID 5889 itself is informational, unexpected time changes can be part of malicious activity. Attackers might modify system time to alter log timestamps, evade time-based security controls, or disrupt authentication mechanisms. Investigate if time changes occur outside normal business hours, are made by unauthorized accounts, coincide with other suspicious events, or involve significant time shifts backward (which could hide malicious activity). Always correlate time change events with security logs, user activity, and system changes to determine if investigation is warranted.
Why do I see multiple Event ID 5889 entries in a short time period?
Multiple Event ID 5889 entries in quick succession can occur during initial time synchronization after system startup, when correcting significant time drift, or when time sync policies are applied. Virtual machines often generate multiple events during host synchronization. If you see excessive events (more than 10 per hour), check your time service configuration, verify NTP server accessibility, and ensure time sync intervals are properly configured. Frequent time changes can indicate hardware clock issues or misconfigured time services.
How do I prevent unauthorized time changes while maintaining proper synchronization?
Implement Group Policy to restrict the 'Change the system time' user right (SeSystemtimePrivilege) to specific administrative accounts and the service accounts that need it. Configure Windows Time Service through Group Policy to ensure consistent synchronization across your domain. Enable the Security State Change audit subcategory so the Security log records the account behind each change, and set up monitoring alerts for Event ID 5889 to detect unusual patterns. For critical systems, use dedicated, authenticated time sources: domain members already receive authenticated time from the domain hierarchy, and the forest root PDC should point at a trusted external or GPS-disciplined source rather than an arbitrary public server. Regular monitoring of time change events combined with proper access controls provides the best balance between security and functionality.
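The heuristics in the answers above (which process stepped the clock, how far and in which direction, at what hour) can be applied mechanically to every record. The script below is an added example, not code from the original article: field names OldTime, NewTime and ProcessName follow the article's earlier scripts, while the two XML records, the allowed-process list and the business-hours window are constructed assumptions so that it runs without any real events.

```powershell
# Added example (not from the article): triage Event ID 5889 records.
# Two constructed records: a routine 7-second step by svchost.exe, and a 3-day
# backward step by powershell.exe in the middle of the night.
$RoutineRecord = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5889</EventID><TimeCreated SystemTime="2026-03-16T09:00:05.0000000Z"/></System>
  <EventData>
    <Data Name="NewTime">2026-03-16T09:00:05.0000000Z</Data>
    <Data Name="OldTime">2026-03-16T08:59:58.0000000Z</Data>
    <Data Name="ProcessName">\Device\HarddiskVolume3\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
'@
$SuspiciousRecord = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5889</EventID><TimeCreated SystemTime="2026-03-13T02:13:40.0000000Z"/></System>
  <EventData>
    <Data Name="NewTime">2026-03-13T02:13:40.0000000Z</Data>
    <Data Name="OldTime">2026-03-16T02:13:40.0000000Z</Data>
    <Data Name="ProcessName">\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  </EventData>
</Event>
'@
$SampleRecords = @($RoutineRecord, $SuspiciousRecord)

function Get-EventDataField {
    param([xml]$Record, [string]$Name)
    $Record.Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

function ConvertFrom-EventTimestamp {
    param([string]$Value)
    # Some builds emit more fractional-second digits than .NET Framework will parse,
    # so keep at most seven; the trailing Z marks UTC.
    $Trimmed = $Value -replace '(\.\d{1,7})\d*(?=Z$)', '$1'
    [DateTime]::Parse($Trimmed, [Globalization.CultureInfo]::InvariantCulture,
                      [Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Get-TimeChangeVerdict {
    param(
        [xml]$Record,
        [string[]]$AllowedProcesses = @('svchost.exe'),  # svchost.exe hosts W32Time; extend per environment
        [int]$MaxRoutineStepSeconds = 300,               # Kerberos default skew tolerance
        [int]$BusinessStartHourUtc = 7,                  # assumed working window, in UTC
        [int]$BusinessEndHourUtc = 19
    )
    $OldTime = ConvertFrom-EventTimestamp (Get-EventDataField $Record 'OldTime')
    $NewTime = ConvertFrom-EventTimestamp (Get-EventDataField $Record 'NewTime')
    $Process = [IO.Path]::GetFileName((Get-EventDataField $Record 'ProcessName'))
    $Step    = [int]($NewTime - $OldTime).TotalSeconds

    $Flags = New-Object System.Collections.Generic.List[string]
    if ($AllowedProcesses -notcontains $Process) { $Flags.Add("unexpected process $Process") }
    if ([Math]::Abs($Step) -gt $MaxRoutineStepSeconds) { $Flags.Add("step of ${Step}s exceeds ${MaxRoutineStepSeconds}s") }
    if ($Step -lt -$MaxRoutineStepSeconds) { $Flags.Add('clock moved backward: later records may predate earlier activity') }
    if ($NewTime.Hour -lt $BusinessStartHourUtc -or $NewTime.Hour -ge $BusinessEndHourUtc) {
        $Flags.Add("outside business hours (UTC hour $($NewTime.Hour))")
    }

    $Verdict = if ($Flags.Count -eq 0) { 'Routine' } elseif ($Flags.Count -eq 1) { 'Review' } else { 'Suspicious' }
    [PSCustomObject]@{
        NewTimeUtc  = $NewTime
        StepSeconds = $Step
        Process     = $Process
        Verdict     = $Verdict
        Flags       = $Flags -join '; '
    }
}

# Triage the constructed samples; for live data feed real records instead:
#   Get-WinEvent -FilterHashtable @{LogName='System'; Id=5889} | ForEach-Object { Get-TimeChangeVerdict ([xml]$_.ToXml()) }
$SampleRecords | ForEach-Object { Get-TimeChangeVerdict ([xml]$_) } | Format-Table -AutoSize
```

The first sample comes out Routine; the second is Suspicious on all four counts (foreign process, a 259200-second step, backward direction, 02:13 UTC). Tune the allowed-process list to what legitimately steps the clock in your environment (for example the hypervisor integration service on virtual machines) so that routine records stay quiet.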
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
