Windows Security Log Event ID 4616
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | System • Security State Change |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
520
|
4616: The system time was changed.
On this page
This event indicates the old and new system time as well as who did it as specified in the Subject: section. Process information shows the program that was used to change the time. Changing the time manually from the taskbar uses rundll.exe as shown in the example.
It is routine to see this event where subject is "LOCAL SERVICE", process name is "svchost.exe" and can be ignored. You will see this event logged twice in a row for whatever reason.
Events showing a change by an actual user and a process like rundll.exe indicate a time change outside the normal Windows Time Service.
The format of date/time changes from Win2008 and Win2012 as shown in the examples.
Free Security Log Resources by Randy
Subject:
- Security ID: The SID of the account that changed the time
- Account Name: The logon name of the account that changed the time
- Account Domain: The domain where that account resides
- Logon ID: See 4624
Process Information:
- Process ID: See 4688
- Name: full path name of the program executing the change
Other information:
- Previous Time: One or two fields depending on version of Windows. (See examples below.)
- New Time: One or two fields depending on version of Windows. (See examples below.)
Supercharger Free Edition
Supercharger's built-in Xpath filters leave the noise behind.
Free.
Windows 2008
The system time was changed.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x2f6de
Process Information:
Process ID: 0xf28
Name: C:\Windows\System32\rundll32.exe
Other Information:
Previous Time: 8:23:53 AM 12/24/2007
New Time: 8:24:49 AM 12/24/2007
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Windows 2012
The system time was changed.
Subject:
Security ID: LB\administrator
Account Name: administrator
Account Domain: LB
Logon ID: 0x3DE02
Process Information:
Process ID: 0x1034
Name: C:\Windows\System32\rundll32.exe
Previous Time: 2013-10-14T14:14:35.026274800Z
New Time: 2013-10-14T14:14:35.000000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection