Windows Security Log Event ID 4616
Operating Systems Windows Vista
Windows Server 2008
Category
 • Subcategory
System
 • Security State Change
Type Success
Corresponding events
in Windows 2003
and before
520  
Discussions on Event ID 4616
Ask a question about this event

4616: The system time was changed.

On this page

This event indicates the old and new system time as well as who did it as specified in the Subject: section.  Process information shows the program that was used to change the time.  Changing the time manually from the taskbar uses rundll.exe as shown in the example.

It is routine to see this event where subject is "LOCAL SERVICE", process name is "svchost.exe"  and can be ignored. You will see this event logged twice in a row for whatever reason.

Events showing a change by an actual user and a process like rundll.exe indicate a time change outside the normal Windows Time Service.

The format of date/time changes from Win2008 and Win2012 as shown in the examples.

Subject:

  •  Security ID:  The SID of the account that changed the time 
  •  Account Name:  The logon name of the account that changed the time
  •  Account Domain:  The domain where that account resides
  •  Logon ID:  See 4624

Process Information:

  •  Process ID: See 4688
  •  Name:  full path name of the program executing the change

 Other information:

  • Previous Time: One or two fields depending on version of Windows.  (See examples below.)
  • New Time: One or two fields depending on version of Windows.  (See examples below.)

Top 10 Windows Security Events to Monitor

Windows 2008

The system time was changed.

Subject:
  
Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x2f6de

Process Information:
  
Process ID: 0xf28
   Name:  C:\Windows\System32\rundll32.exe

Other Information:
   P
revious Time:  8:23:53 AM 12/24/2007
   New Time:  8:24:49 AM 12/24/2007

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

Windows 2012

The system time was changed.

Subject:
  Security ID: LB\administrator
  Account Name: administrator
  Account Domain: LB
  Logon ID: 0x3DE02

Process Information:
  Process ID: 0x1034
  Name: C:\Windows\System32\rundll32.exe

Previous Time: ‎2013‎-‎10‎-‎14T14:14:35.026274800Z
New Time: ‎2013‎-‎10‎-‎14T14:14:35.000000000Z

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this



Training for the Windows Security Log