Windows Security Log Event ID 4616

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
System
 • Security State Change
Type Success
Corresponding events
in Windows 2003
and before
520  

4616: The system time was changed.

On this page

This event indicates the old and new system time as well as who did it as specified in the Subject: section.  Process information shows the program that was used to change the time.  Changing the time manually from the taskbar uses rundll.exe as shown in the example.

It is routine to see this event where subject is "LOCAL SERVICE", process name is "svchost.exe"  and can be ignored. You will see this event logged twice in a row for whatever reason.

Events showing a change by an actual user and a process like rundll.exe indicate a time change outside the normal Windows Time Service.

The format of date/time changes from Win2008 and Win2012 as shown in the examples.

Free Security Log Resources by Randy

Description Fields in 4616

Subject:

  •  Security ID:  The SID of the account that changed the time 
  •  Account Name:  The logon name of the account that changed the time
  •  Account Domain:  The domain where that account resides
  •  Logon ID:  See 4624

Process Information:

  •  Process ID: See 4688
  •  Name:  full path name of the program executing the change

 Other information:

  • Previous Time: One or two fields depending on version of Windows.  (See examples below.)
  • New Time: One or two fields depending on version of Windows.  (See examples below.)

Supercharger Free Edition


Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Examples of 4616

Windows 2008

The system time was changed.

Subject:
  
Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x2f6de

Process Information:
  
Process ID: 0xf28
   Name:  C:\Windows\System32\rundll32.exe

Other Information:
   P
revious Time:  8:23:53 AM 12/24/2007
   New Time:  8:24:49 AM 12/24/2007

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

Windows 2012

The system time was changed.

Subject:
  Security ID: LB\administrator
  Account Name: administrator
  Account Domain: LB
  Logon ID: 0x3DE02

Process Information:
  Process ID: 0x1034
  Name: C:\Windows\System32\rundll32.exe

Previous Time: ‎2013‎-‎10‎-‎14T14:14:35.026274800Z
New Time: ‎2013‎-‎10‎-‎14T14:14:35.000000000Z

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!