ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event ID 11724InformationMicrosoft-Windows-Kernel-GeneralWindows

Windows Event ID 11724 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11724 indicates the Windows kernel detected a system time change, typically triggered by time synchronization services, manual adjustments, or hardware clock drift corrections.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 11724Microsoft-Windows-Kernel-General 5 methods 9 min
Event Reference

What This Event Means

The Microsoft-Windows-Kernel-General provider generates Event ID 11724 whenever the system time undergoes modification beyond normal tick adjustments. This kernel-level event captures comprehensive details about time changes, including the previous time value, new time value, and the process identifier responsible for initiating the change.

Windows maintains system time through multiple mechanisms: the hardware real-time clock (RTC), software timekeeping routines, and network time synchronization. When any component adjusts the system clock significantly, the kernel logs this event to maintain an audit trail. The event distinguishes between different types of time changes, such as gradual adjustments from NTP synchronization versus abrupt changes from manual modifications.

In enterprise environments, this event becomes particularly important for security monitoring and compliance auditing. Time manipulation can be used to circumvent security controls, alter log timestamps, or disrupt time-sensitive authentication mechanisms like Kerberos tickets. The event data includes the adjustment magnitude, allowing administrators to differentiate between normal synchronization activities and potentially suspicious large time jumps.

The event also plays a crucial role in troubleshooting time-related application issues. Applications relying on precise timing, such as financial trading systems, manufacturing control software, or database replication, may experience problems when system time changes unexpectedly. By monitoring Event ID 11724, administrators can correlate application failures with time adjustment events and implement appropriate remediation strategies.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Windows Time Service (W32Time) synchronizing with domain controllers or external NTP servers
  • Manual time adjustment through Control Panel, Settings app, or command-line tools
  • Hardware real-time clock (RTC) drift correction during system startup or resume from sleep
  • Third-party time synchronization software making system clock adjustments
  • Virtual machine time synchronization with hypervisor host systems
  • Daylight saving time transitions handled by Windows time zone services
  • System recovery operations restoring time from backup or checkpoint data
  • Network time protocol (NTP) corrections due to network latency changes
  • BIOS/UEFI firmware updating system time during boot process
  • PowerShell or command-line utilities executing time modification commands
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 11724 to understand the time change context and magnitude.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSystem
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 11724 in the Event IDs field and click OK
  5. Double-click on recent Event ID 11724 entries to view detailed information
  6. Examine the event data for old time value, new time value, and process ID
  7. Note the time difference magnitude and frequency of occurrences

Use PowerShell for automated analysis:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=11724} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
Pro tip: Large time adjustments (>1 minute) may indicate hardware clock issues or manual tampering, while small adjustments typically represent normal NTP synchronization.
02

Analyze Windows Time Service Configuration

Investigate the Windows Time Service settings to determine if time synchronization is causing frequent adjustments.

  1. Open Command Prompt as Administrator
  2. Check current time service configuration:
w32tm /query /configuration
  1. Review time source and synchronization settings:
w32tm /query /source
w32tm /query /status
  1. Examine time service event logs:
Get-WinEvent -LogName 'System' -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Time-Service']]]" -MaxEvents 20
  1. Check registry settings for time service configuration:
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' | Format-List
  1. If using domain time synchronization, verify domain controller connectivity and time accuracy
Warning: Modifying time service settings incorrectly can cause authentication failures in domain environments. Always test changes in a non-production environment first.
03

Correlate with Process Activity and Security Events

Identify which processes are initiating time changes and correlate with security events for comprehensive analysis.

  1. Extract process information from Event ID 11724 entries:
$events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=11724} -MaxEvents 100
$events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        ProcessId = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text'
        OldTime = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'OldTime'} | Select-Object -ExpandProperty '#text'
        NewTime = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'NewTime'} | Select-Object -ExpandProperty '#text'
    }
} | Format-Table -AutoSize
  1. Cross-reference process IDs with running processes and services:
Get-Process | Where-Object {$_.Id -in @(1234, 5678)} | Select-Object Id, ProcessName, Path, StartTime
  1. Check for related security events indicating manual time changes:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616} -MaxEvents 20 | Select-Object TimeCreated, Id, Message
  1. Review application and service logs for time-related errors:
Get-WinEvent -FilterHashtable @{LogName='Application'; Level=2,3; StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Message -match 'time|clock|sync'} | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message
Pro tip: Process ID 0 typically indicates kernel-level time adjustments, while specific process IDs point to applications or services making time changes.
04

Monitor Hardware Clock and System Performance

Investigate potential hardware issues causing excessive time drift and system performance impacts.

  1. Check system hardware clock accuracy against reliable time sources:
w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly
  1. Monitor system performance counters related to time keeping:
Get-Counter -Counter '\System\System Up Time', '\Processor(_Total)\% Processor Time', '\Memory\Available MBytes' -SampleInterval 5 -MaxSamples 12
  1. Examine system event logs for hardware-related issues:
Get-WinEvent -FilterHashtable @{LogName='System'; Level=2,3; StartTime=(Get-Date).AddDays(-7)} | Where-Object {$_.Message -match 'hardware|clock|RTC|CMOS'} | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message
  1. Check virtual machine integration services if running on a hypervisor:
Get-Service -Name 'vmictimesync*' | Select-Object Name, Status, StartType
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters' -ErrorAction SilentlyContinue
  1. Review BIOS/UEFI settings for time and date configuration, especially on physical systems experiencing frequent time drift
Warning: Frequent large time adjustments may indicate failing CMOS battery or motherboard issues requiring hardware replacement.
05

Implement Advanced Time Monitoring and Alerting

Set up comprehensive monitoring and automated responses for time change events in enterprise environments.

  1. Create a PowerShell script for continuous time change monitoring:
# TimeChangeMonitor.ps1
$logName = 'System'
$eventId = 11724
$threshold = 60 # seconds

Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='$logName' AND EventCode=$eventId" -Action {
    $event = $Event.SourceEventArgs.NewEvent
    $timeDiff = [Math]::Abs(([DateTime]$event.NewTime - [DateTime]$event.OldTime).TotalSeconds)
    
    if ($timeDiff -gt $threshold) {
        Write-EventLog -LogName 'Application' -Source 'TimeMonitor' -EventId 1001 -EntryType Warning -Message "Large time change detected: $timeDiff seconds"
        # Add email notification or SIEM integration here
    }
}
  1. Configure Windows Event Forwarding for centralized time event collection:
wecutil cs TimeChangeSubscription.xml
  1. Set up scheduled task to analyze time change patterns:
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\AnalyzeTimeChanges.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At '06:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount
Register-ScheduledTask -TaskName 'TimeChangeAnalysis' -Action $action -Trigger $trigger -Principal $principal
  1. Implement Group Policy settings to restrict manual time changes:
# Check current time change privileges
secedit /export /cfg C:\temp\current_policy.inf
Select-String -Path C:\temp\current_policy.inf -Pattern 'SeSystemtimePrivilege'
  1. Create custom performance counters and alerts in monitoring systems like SCOM or third-party solutions
Pro tip: Integrate time change monitoring with your SIEM solution to correlate with security events and detect potential time-based attacks or system manipulation.

Overview

Event ID 11724 from the Microsoft-Windows-Kernel-General source fires when the Windows kernel detects a system time change. This informational event tracks modifications to the system clock, whether initiated by Windows Time Service (W32Time), manual user adjustments, or automatic corrections from network time protocols. The event captures both forward and backward time adjustments, recording the old and new time values along with the process responsible for the change.

This event serves as an audit trail for time modifications, which is crucial for forensic analysis, compliance requirements, and troubleshooting time-sensitive applications. In domain environments, frequent occurrences may indicate NTP synchronization issues or hardware clock problems. The event appears in the System log and includes detailed information about the time change magnitude and the initiating process.

While generally benign, unexpected time changes can impact scheduled tasks, certificate validation, Kerberos authentication, and database transactions. System administrators monitor this event to ensure time synchronization operates correctly and to detect unauthorized manual time adjustments that could affect system security or application behavior.

Frequently Asked Questions

What does Windows Event ID 11724 mean and when should I be concerned?+
Event ID 11724 indicates that Windows detected a system time change. This is typically normal when caused by Windows Time Service synchronization, but you should investigate if you see frequent large time adjustments (>1 minute), time changes during off-hours without scheduled maintenance, or if the changes correlate with application failures or security events. Small, regular adjustments are usually just normal NTP synchronization keeping your system clock accurate.
How can I determine what process or service is changing the system time?+
The Event ID 11724 entry contains process information in its event data. Use PowerShell to extract this: Get-WinEvent -FilterHashtable @{LogName='System'; Id=11724} and examine the XML data for ProcessId values. Process ID 0 indicates kernel-level changes, while specific PIDs can be cross-referenced with running processes. Common legitimate sources include W32Time service, VMware Tools, or manual changes through timedate.cpl.
Why am I seeing Event ID 11724 frequently on my virtual machines?+
Virtual machines commonly generate this event due to time synchronization with the hypervisor host. VMware, Hyper-V, and other virtualization platforms regularly adjust guest system time to match the host. This is normal behavior, but if adjustments are very frequent or large, check your VM integration services, disable conflicting time sync methods (choose either hypervisor sync OR Windows Time Service, not both), and ensure the hypervisor host has accurate time.
Can Event ID 11724 indicate a security issue or malicious activity?+
While Event ID 11724 is usually benign, it can indicate security concerns in certain contexts. Large backward time adjustments might be attempts to circumvent time-based security controls, alter audit log timestamps, or disrupt Kerberos authentication. Monitor for time changes during suspicious periods, correlate with Security Event ID 4616 (system time changed), and investigate any manual time changes made by non-administrative users or during unauthorized hours.
How do I stop getting Event ID 11724 if it's filling up my event logs?+
Don't simply suppress this event as it provides valuable audit information. Instead, address the root cause: configure proper NTP synchronization to reduce large adjustments, fix hardware clock drift issues, ensure only one time sync method is active in VMs, and set appropriate time sync intervals. If you must filter it for log management, use Event Viewer custom views or log forwarding rules to exclude small time adjustments while preserving large ones that might indicate problems.
Documentation

References (2)

1
Microsoft Learn - Windows Time Service Technical ReferenceComprehensive documentation on Windows Time Service configuration, troubleshooting, and best practices for enterprise environments.https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tech-ref
2
Microsoft Docs - Event Logging and MonitoringTechnical reference for Windows event logging architecture and event analysis techniques for system administrators.https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-11724#windows-events#time-synchronization

Related Windows Events

Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 16388
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 16388 – Microsoft-Windows-Kernel-General: System Time Change Notification

Event ID 16388 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

March 189 min
Windows Event Viewer showing system event logs on a monitoring dashboard
Event 16384
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 16384 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 16384 fires when Windows detects a system time change, either manual or automatic. Critical for security auditing and troubleshooting time synchronization issues in domain environments.

March 189 min
Windows Event Viewer displaying system time change events on a monitoring dashboard
Event 11728
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 11728 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11728 fires when Windows detects a system time change, typically from time synchronization services, manual adjustments, or hardware clock drift corrections.

March 1812 min
Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 8301
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 8301 – Microsoft-Windows-Kernel-General: System Time Change Notification

Event ID 8301 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...