Windows Security Log Event ID 4616

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	System • Security State Change
Type	Success
Corresponding events in Windows 2003 and before	520

4616: The system time was changed.

On this page

Description of this event
Field level details
Examples
Mini-seminars on this event

This event indicates the old and new system time as well as who did it as specified in the Subject: section. Process information shows the program that was used to change the time. Changing the time manually from the taskbar uses rundll.exe as shown in the example.

It is routine to see this event where subject is "LOCAL SERVICE", process name is "svchost.exe" and can be ignored. You will see this event logged twice in a row for whatever reason.

Events showing a change by an actual user and a process like rundll.exe indicate a time change outside the normal Windows Time Service.

The format of date/time changes from Win2008 and Win2012 as shown in the examples.

Free Security Log Resources by Randy

Description Fields in 4616

Subject:

Security ID: The SID of the account that changed the time
Account Name: The logon name of the account that changed the time
Account Domain: The domain where that account resides
Logon ID: See 4624

Process Information:

Process ID: See 4688
Name: full path name of the program executing the change

Other information:

Previous Time: One or two fields depending on version of Windows. (See examples below.)
New Time: One or two fields depending on version of Windows. (See examples below.)

Setup PowerShell Audit Log Forwarding in 4 Minutes

Examples of 4616

Windows 2008

The system time was changed.

Subject:
   Security ID: ACME\administrator
   Account Name: administrator
   Account Domain: ACME
   Logon ID: 0x2f6de

Process Information:
   Process ID: 0xf28
   Name: C:\Windows\System32\rundll32.exe

Other Information:
   Previous Time: 8:23:53 AM 12/24/2007
   New Time: 8:24:49 AM 12/24/2007

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

Windows 2012

The system time was changed.

Subject:
Security ID: LB\administrator
Account Name: administrator
Account Domain: LB
Logon ID: 0x3DE02

Process Information:
Process ID: 0x1034
Name: C:\Windows\System32\rundll32.exe

Previous Time: ‎2013‎-‎10‎-‎14T14:14:35.026274800Z
New Time: ‎2013‎-‎10‎-‎14T14:14:35.000000000Z

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 4616

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.