Event ID 15 | Information | Kernel-General | Windows

Windows Event ID 15 – Kernel-General: System Time Changed

Event ID 15 from Kernel-General is logged when the system time is changed, whether manually by users, automatically by time synchronization services, or through hardware clock adjustments.

Emanuel DE ALMEIDA
18 March 2026 | 12 min read
Event Reference

What This Event Means

Windows Event ID 15 is generated by the Kernel-General provider whenever the system clock undergoes a time change. This includes changes made through the Date and Time control panel, Group Policy time synchronization, NTP client updates, or manual adjustments via command-line tools like w32tm or date.

The event contains detailed information including the previous system time, the new system time, and the process or service responsible for the change. This granular logging helps administrators distinguish between legitimate automatic synchronization and potentially suspicious manual modifications.

In Windows Server environments, Event ID 15 frequently appears during normal operations as domain controllers and member servers synchronize their clocks with authoritative time sources. However, unexpected time changes outside of scheduled synchronization windows may indicate configuration issues, hardware problems, or security incidents.

The event plays a critical role in forensic investigations, as attackers sometimes modify system time to alter log timestamps or bypass time-based security controls. Security teams rely on Event ID 15 to detect such tampering attempts and maintain the integrity of their audit trails.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual time adjustment through Date and Time settings in Control Panel
  • Automatic time synchronization via Windows Time service (W32Time)
  • NTP client synchronization with external time servers
  • Group Policy-enforced time synchronization in domain environments
  • Command-line time changes using tools like w32tm, date, or time
  • Hardware clock drift correction during system startup
  • Time zone changes that affect the displayed local time
  • Daylight saving time transitions (spring forward/fall back)
  • Virtual machine time synchronization with hypervisor host
  • Third-party time synchronization software making system adjustments
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 15 to understand what triggered the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 15 in the Event IDs field and click OK
  5. Double-click on recent Event ID 15 entries to view detailed information
  6. Examine the General tab for old time, new time, and the process responsible
  7. Check the Details tab for additional XML data including the exact time difference

Look for patterns in timing and frequency. Legitimate W32Time synchronization typically occurs at regular intervals, while manual changes appear as isolated events.

02

Query Time Change Events with PowerShell

Use PowerShell to efficiently query and analyze time change events across multiple systems.

  1. Open PowerShell as Administrator
  2. Query recent time change events:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=15} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize
  3. For detailed analysis of time changes in the last 24 hours:
    $StartTime = (Get-Date).AddDays(-1)
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=15; StartTime=$StartTime} | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            OldTime = $xml.Event.EventData.Data[0].'#text'
            NewTime = $xml.Event.EventData.Data[1].'#text'
            Reason = $xml.Event.EventData.Data[2].'#text'
        }
    }
  4. To check time synchronization status:
    w32tm /query /status
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=15} -MaxEvents 100 | Export-Csv -Path "C:\temp\TimeChangeEvents.csv" -NoTypeInformation
03

Investigate Windows Time Service Configuration

Examine the Windows Time service configuration to understand automatic time synchronization behavior.

  1. Check current time service configuration:
    w32tm /query /configuration
  2. Verify time synchronization sources:
    w32tm /query /source
  3. Review time service registry settings:
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
  4. Check time synchronization intervals in the registry:
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"
  5. For domain-joined computers, verify Group Policy time settings:
    gpresult /h C:\temp\gpresult.html
  6. Test manual time synchronization:
    w32tm /resync /force
  7. Monitor the System log immediately after the resync to see if Event ID 15 appears
Pro tip: In domain environments, only the PDC Emulator should sync with external time sources. Member servers and workstations should sync with domain controllers.
04

Analyze Security Implications and Audit Trail

Investigate potential security concerns related to unauthorized time changes and maintain proper audit trails.

  1. Check Security log for related logon events around time changes:
    $TimeChangeEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=15} -MaxEvents 10
    foreach ($Event in $TimeChangeEvents) {
        $StartTime = $Event.TimeCreated.AddMinutes(-5)
        $EndTime = $Event.TimeCreated.AddMinutes(5)
        Write-Host "Time change at: $($Event.TimeCreated)"
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$StartTime; EndTime=$EndTime} | Select-Object TimeCreated, Id, Message
    }
  2. Review Process Creation events (Event ID 4688) for time-related commands:
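    # Command lines appear in 4688 only when command-line process auditing is enabled.
    # Word boundaries keep "date"/"time" from matching names such as "update" or "RuntimeBroker".
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -match '\b(w32tm|date|time)\b'} | Select-Object TimeCreated, Message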
  3. Check for privilege escalation events before time changes:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} | Select-Object TimeCreated, Message | Format-Table -AutoSize
  4. Examine Group Policy changes that might affect time synchronization:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502,1503} | Select-Object TimeCreated, Message
  5. Create a monitoring script for suspicious time changes:
    # Save as Monitor-TimeChanges.ps1
    $LastCheck = (Get-Date).AddHours(-1)
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=15; StartTime=$LastCheck} | ForEach-Object {
        if ($_.Message -notmatch "W32Time") {
            Write-Warning "Suspicious time change detected at $($_.TimeCreated)"
            $_.Message
        }
    }
Warning: Frequent manual time changes or large time adjustments may indicate malicious activity or system compromise. Always correlate with security logs and user activity.
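
The triage rule this article describes (small, W32Time-attributed adjustments are routine; large changes or changes not attributed to W32Time deserve a look) can be applied to the records produced by the Method 2 pipeline. This is an added example, not the article's own code; the function name, the 300-second threshold and the sample records are assumptions, and the Reason text is assumed to name the responsible service or process as the article describes.

```powershell
# Added example: classify time-change records by origin and by how far the clock moved.
# Input objects carry the properties built in Method 2 (TimeCreated, OldTime, NewTime, Reason).
function Get-TimeChangeVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Record,
        [int] $MaxRoutineSeconds = 300   # assumed site policy, tune to your sync accuracy
    )
    process {
        # Event timestamps can carry 9 fractional digits; trim to 7 before parsing.
        $old, $new = $Record.OldTime, $Record.NewTime | ForEach-Object {
            $trimmed = $_ -replace '(\.\d{7})\d+', '$1'
            [datetimeoffset]::Parse($trimmed, [cultureinfo]::InvariantCulture)
        }
        $delta       = ($new - $old).TotalSeconds
        $large       = [math]::Abs($delta) -gt $MaxRoutineSeconds
        $fromW32Time = $Record.Reason -match 'W32Time'

        $verdict = if ($fromW32Time -and -not $large) {
            'Routine sync'
        } elseif ($fromW32Time) {
            'Review: large correction by W32Time'
        } elseif ($large) {
            'Investigate: large change not made by W32Time'
        } else {
            'Review: small change not made by W32Time'
        }

        [pscustomobject]@{
            TimeCreated  = $Record.TimeCreated
            DeltaSeconds = [math]::Round($delta, 3)
            Direction    = if ($delta -lt 0) { 'Backward' } else { 'Forward' }
            Reason       = $Record.Reason
            Verdict      = $verdict
        }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = '2026-03-10 08:00:01'; OldTime = '2026-03-10T08:00:00.100000000Z'; NewTime = '2026-03-10T08:00:01.250000000Z'; Reason = 'W32Time' }
    [pscustomobject]@{ TimeCreated = '2026-03-10 09:30:00'; OldTime = '2026-03-10T11:42:17.000000000Z'; NewTime = '2026-03-10T09:30:00.000000000Z'; Reason = 'Manual change (constructed)' }
    [pscustomobject]@{ TimeCreated = '2026-03-11 06:20:00'; OldTime = '2026-03-11T06:00:00.000000000Z'; NewTime = '2026-03-11T06:20:00.000000000Z'; Reason = 'W32Time' }
)
$sample | Get-TimeChangeVerdict | Format-Table -AutoSize
```

To run it against live data, pipe the objects from the Method 2 query into `Get-TimeChangeVerdict` instead of `$sample`.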
05

Configure Advanced Time Monitoring and Alerting

Implement comprehensive monitoring for time changes to detect anomalies and maintain security compliance.

  1. Create a scheduled task to monitor time changes:
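    # Create XML for scheduled task (when pasting, the closing '@ must start at column 1)
    $TaskXML = @'
    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <Triggers>
        <EventTrigger>
          <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
        </EventTrigger>
      </Triggers>
      <Actions>
        <Exec>
          <Command>powershell.exe</Command>
          <Arguments>-File "C:\Scripts\TimeChangeAlert.ps1"</Arguments>
        </Exec>
      </Actions>
    </Task>
    '@
    $TaskXML | Out-File -FilePath "C:\temp\TimeChangeMonitor.xml" -Encoding Unicode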
  2. Register the scheduled task:
    Register-ScheduledTask -TaskName "TimeChangeMonitor" -Xml (Get-Content "C:\temp\TimeChangeMonitor.xml" | Out-String)
  3. Create the alert script (C:\Scripts\TimeChangeAlert.ps1):
    # TimeChangeAlert.ps1
    $Event = Get-WinEvent -FilterHashtable @{LogName='System'; Id=15} -MaxEvents 1
    $xml = [xml]$Event.ToXml()
    $OldTime = $xml.Event.EventData.Data[0].'#text'
    $NewTime = $xml.Event.EventData.Data[1].'#text'
    $Reason = $xml.Event.EventData.Data[2].'#text'
    
    # Write-EventLog fails for an unregistered source, so register it once (requires elevation)
    if (-not [System.Diagnostics.EventLog]::SourceExists("TimeMonitor")) {
        New-EventLog -LogName "Application" -Source "TimeMonitor"
    }
    
    # Send email alert or write to custom log
    Write-EventLog -LogName "Application" -Source "TimeMonitor" -EventId 1001 -EntryType Warning -Message "Time changed from $OldTime to $NewTime. Reason: $Reason"
  4. Configure Windows Event Forwarding for centralized monitoring:
    # On collector server
    wecutil qc /q
    # Create subscription for Event ID 15
    wecutil cs C:\temp\TimeChangeSubscription.xml
  5. Set up registry monitoring for time service changes:
    $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time"
    $Action = {
        Write-EventLog -LogName "Application" -Source "TimeMonitor" -EventId 1002 -EntryType Information -Message "Time service registry modified"
    }
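    # RegistryTreeChangeEvent lives in root\default, not the default root\cimv2 namespace
    Register-WmiEvent -Namespace "root\default" -Query "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='SYSTEM\\CurrentControlSet\\Services\\W32Time'" -Action $Action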
Pro tip: In high-security environments, consider implementing tamper-evident logging by forwarding Event ID 15 to a secure, centralized SIEM system immediately upon occurrence.
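
Step 4 passes C:\temp\TimeChangeSubscription.xml to wecutil without showing the file. The following is an added example of a source-initiated subscription that could fill that role, not a file from the original article; the SubscriptionId, Description and the allowed-source SDDL (Domain Computers and Network Service) are assumptions to adapt, and the query is the one used in the scheduled task above.

```powershell
# Added example: write the subscription file that "wecutil cs" in step 4 expects.
# MinLatency matches the goal of forwarding the event as soon as it occurs.
$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>TimeChangeEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward Event ID 15 (system time changed) from the System log</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="System"><Select Path="System">*[System[EventID=15]]</Select></Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@

# Fail early on malformed XML before handing the file to wecutil.
$null = [xml]$SubscriptionXml
Set-Content -Path 'C:\temp\TimeChangeSubscription.xml' -Value $SubscriptionXml -Encoding UTF8
```

Source computers still need a subscription manager address configured (typically through Group Policy) before they deliver events to the collector.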

Overview

Event ID 15 from the Kernel-General source fires whenever Windows detects a system time change. This event captures both manual time adjustments and automatic synchronization activities performed by the Windows Time service (W32Time). The event records the old time, new time, and the reason for the change, making it essential for security auditing and troubleshooting time-related issues.

This event appears in the System log and provides crucial forensic information for investigating unauthorized time changes, which can be used to circumvent security policies or hide malicious activity. In domain environments, frequent Event ID 15 entries may indicate time synchronization problems between domain controllers and client machines.

The event becomes particularly important in environments where accurate timekeeping is critical, such as financial systems, logging infrastructure, or compliance-regulated networks. Understanding when and why system time changes occur helps administrators maintain proper audit trails and identify potential security concerns.

Frequently Asked Questions

What does Windows Event ID 15 mean and when should I be concerned?
Event ID 15 indicates that the system time has been changed. You should be concerned when these events occur frequently outside of normal synchronization schedules, show large time adjustments, or appear alongside suspicious security events. Normal W32Time synchronization typically causes small, regular adjustments, while manual changes or large corrections may indicate configuration issues or potential security incidents.
How can I distinguish between legitimate time synchronization and suspicious manual time changes?
Legitimate time synchronization events typically show small time adjustments (usually seconds or minutes), occur at regular intervals, and reference the W32Time service in the event details. Suspicious changes often involve large time adjustments, occur at irregular intervals, reference user processes rather than system services, or correlate with unusual user logon activity. Check the event's XML data for the process responsible and the magnitude of the time change.
Why am I seeing multiple Event ID 15 entries in my domain environment?
In Active Directory domains, multiple Event ID 15 entries are normal as domain controllers and member computers synchronize their clocks. The PDC Emulator synchronizes with external time sources, other domain controllers sync with the PDC, and member computers sync with domain controllers. However, if you see excessive events or large time corrections, check your time hierarchy configuration and network connectivity between domain controllers.
Can Event ID 15 help me detect security breaches or malicious activity?
Yes, Event ID 15 is valuable for security monitoring. Attackers sometimes modify system time to alter log timestamps, bypass time-based security controls, or hide their activities. Correlate Event ID 15 with security events like privilege escalation (Event ID 4672), process creation (Event ID 4688), and logon events (Event ID 4624/4625). Sudden large time changes or manual adjustments during off-hours should trigger security investigations.
How do I configure proper time synchronization to minimize unnecessary Event ID 15 entries?
Configure your time hierarchy properly: set the PDC Emulator to sync with reliable external NTP sources using 'w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual'. Ensure other domain controllers sync with the PDC, and member computers sync with domain controllers through Group Policy. Adjust synchronization intervals in the registry at HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config to reduce frequency if needed, but maintain accuracy requirements for your environment.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
