4616 The system time was changed
Written when the system time is changed. Most occurrences are normal corrections by the time synchronization service, but a time change can also be a means for an attacker to skew evidence or disrupt authentication.
Overview
The subcategory is Audit Security State Change, but this event is logged regardless of that subcategory's setting. In a healthy environment most entries are legitimate corrections by the Windows Time service (W32Time, which runs inside an svchost.exe host process), where Subject\Security ID is LOCAL SERVICE. The event records the old and new times together with the process and account that made the change, so a reviewer can separate routine synchronization from a manual or scripted change.
How it is triggered
- Routine time sync by the Windows Time service (W32Time; `w32tm` is its command-line tool). This is the normal case.
- A manual time change by an administrator, for example through the Date and Time control panel or PowerShell's `Set-Date`.
- Execution of an application or script that changes the time. Any subject holding `SeSystemTimePrivilege` (the "Change the system time" right, granted by default to Administrators and LOCAL SERVICE) can do this, so the event is the audit trail for that privilege being exercised.
Security review points
- If `Subject\Security ID` is not LOCAL SERVICE, or `Process Name` is not svchost.exe (the host process that runs the time service), the change was not made by the normal time sync, so investigate who made it and why.
- Shifting the time by more than five minutes breaks Kerberos authentication, whose default maximum clock skew is five minutes. Changes on a domain controller (the server that governs network authentication and acts as the domain's time source) ripple across the whole domain, so monitor domain controllers first.
- Setting the clock back can be an evidence-manipulation (anti-forensics) move: entries written after the change carry earlier timestamps, which breaks timeline reconstruction. Also check whether `Process Name` points to a suspicious binary, such as mimikatz, or to a script interpreter run by an account that has no business changing the clock.
Notes for log review
- Small corrections by LOCAL SERVICE + svchost.exe are high-volume normal noise. Excluding them and keeping only changes by other subjects or processes improves precision. Some environments have additional legitimate sources, such as virtualization guest tools that keep the guest clock aligned with the host (vmtoolsd.exe for VMware Tools, for instance); baseline those per environment rather than exempting every unfamiliar process.
- Prioritize large differences between `PreviousTime` and `NewTime`, backward changes, and changes outside business hours. Both timestamps are recorded in UTC, so convert to local time before judging what counts as "outside business hours".
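The review points and the noise-reduction notes above amount to a single triage rule set. The following Python is an added example, not code from the original page: it parses 4616 events in the EventData XML shape Windows writes, suppresses the LOCAL SERVICE + svchost.exe corrections, and flags non-service changes, skew beyond the five-minute Kerberos tolerance, backward jumps and off-hours changes. The three events are constructed samples; the 08:00 to 17:59 UTC business-hours window and the helper names (`parse_4616`, `triage`, `_sample`) are assumptions made for the example.

```python
"""Triage Windows Security event 4616 (system time changed) records.

Added example, not from the original page. Input is the EventData XML that
Windows writes for 4616; the sample events below are constructed, not real logs.
"""
import os
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LOCAL_SERVICE_SID = "S-1-5-19"            # Subject SID of a normal W32Time correction
KERBEROS_MAX_SKEW = timedelta(minutes=5)  # default Kerberos clock-skew tolerance
BUSINESS_HOURS_UTC = range(8, 18)         # assumption: 08:00-17:59 UTC is "business hours"


def parse_win_time(s: str) -> datetime:
    """Parse the 100-ns precision UTC timestamp used in PreviousTime/NewTime."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", s)
    if not m:
        raise ValueError(f"unexpected timestamp: {s}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # keep microsecond precision
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_4616(xml_text: str) -> dict:
    """Return the EventData fields of a 4616 event as a dict keyed by Data Name."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}


def is_routine_sync(ev: dict) -> bool:
    """LOCAL SERVICE + svchost.exe is the Windows Time service doing its job."""
    proc = os.path.basename(ev["ProcessName"].replace("\\", "/")).lower()
    return ev["SubjectUserSid"] == LOCAL_SERVICE_SID and proc == "svchost.exe"


def triage(ev: dict) -> list[str]:
    """Apply the review points; an empty list means 'routine correction, suppress'."""
    prev, new = parse_win_time(ev["PreviousTime"]), parse_win_time(ev["NewTime"])
    delta = new - prev
    findings = []
    if not is_routine_sync(ev):
        findings.append(f"non-service change by {ev['SubjectUserName']} via {ev['ProcessName']}")
    if abs(delta) > KERBEROS_MAX_SKEW:
        findings.append(f"skew {delta} exceeds Kerberos tolerance")
    if delta < timedelta(0):
        findings.append("clock moved backwards (possible anti-forensics)")
    if findings and prev.hour not in BUSINESS_HOURS_UTC:  # only escalate non-routine changes
        findings.append("outside business hours")
    return findings


def _sample(sid, name, domain, logon, prev, new, proc):
    """Constructed 4616 event in the XML shape Windows writes (hypothetical data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4616</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">{sid}</Data>
    <Data Name="SubjectUserName">{name}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="SubjectLogonId">{logon}</Data>
    <Data Name="PreviousTime">{prev}</Data>
    <Data Name="NewTime">{new}</Data>
    <Data Name="ProcessId">0x1074</Data>
    <Data Name="ProcessName">{proc}</Data>
  </EventData>
</Event>"""


SAMPLES = {
    # routine W32Time correction of a few hundred microseconds
    "w32time": _sample("S-1-5-19", "LOCAL SERVICE", "NT AUTHORITY", "0x3e5",
                       "2024-03-04T10:08:01.326716900Z", "2024-03-04T10:08:01.327053800Z",
                       r"C:\Windows\System32\svchost.exe"),
    # administrator rolls the clock back three days at 02:15 UTC from PowerShell
    "admin_rollback": _sample("S-1-5-21-1111-2222-3333-500", "Administrator", "CORP", "0x5a3c1",
                              "2024-03-04T02:15:40.000000000Z", "2024-03-01T02:15:40.000000000Z",
                              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # user moves the clock forward ten minutes during business hours
    "admin_forward": _sample("S-1-5-21-1111-2222-3333-1105", "jsmith", "CORP", "0x7b210",
                             "2024-03-04T13:00:00.000000000Z", "2024-03-04T13:10:00.000000000Z",
                             r"C:\Windows\System32\rundll32.exe"),
}


def triage_all(samples: dict) -> dict:
    """Triage every sample; keys with an empty list are the suppressible noise."""
    return {k: triage(parse_4616(x)) for k, x in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or ["routine W32Time correction, suppressed"])
```

On a live host the same functions can be fed real records: `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616}` returns objects whose `ToXml()` method yields exactly this XML shape. The business-hours rule is only applied to changes that already failed another check, so routine overnight corrections stay quiet.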
Key fields
| Field | Meaning |
|---|---|
| Subject\Security ID | The account that requested the time change; LOCAL SERVICE (S-1-5-19) when normal |
| Process Name | The process that made the change; svchost.exe when normal |
| Previous Time / New Time | The time before and after the change, in UTC (the XML field names are PreviousTime and NewTime) |
Glossary
- Anti-forensics — techniques that erase or alter evidence to hinder investigation and analysis.