Event ID 1511 | Information | Kernel-General | Windows

Windows Event ID 1511 – Kernel-General: System Time Change Detected

Event ID 1511 fires when Windows detects a significant system time change, either from manual adjustment, NTP synchronization, or hardware clock drift. Critical for security auditing and troubleshooting time-sensitive applications.

Emanuel DE ALMEIDA
18 March 2026, 12 min read
Event Reference

What This Event Means

Event ID 1511 serves as Windows' primary mechanism for tracking system time modifications, providing administrators with visibility into when and why the system clock changes. The event contains crucial metadata including the previous time value, new time value, and the process or service that initiated the change.

This event is generated by the Windows kernel's time management component whenever it detects a time adjustment that exceeds the normal clock drift threshold. Common triggers include manual time changes through the Date and Time control panel, automatic synchronization with domain controllers or NTP servers, and corrections applied by the Windows Time service (W32Time).

The event data includes the old system time, new system time, and often identifies the responsible process. For domain-joined machines, this frequently shows w32tm.exe or the Windows Time service making adjustments to maintain synchronization with the domain hierarchy. On standalone systems, users manually adjusting the clock or third-party time synchronization software may trigger this event.

From a security perspective, Event ID 1511 is valuable for detecting potential tampering with system time, which could be used to circumvent time-based security controls or obscure audit trails. Compliance frameworks often require monitoring of time changes to ensure log integrity and accurate event correlation across systems.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual time adjustment through Windows Date and Time settings
  • Automatic time synchronization via Windows Time service (W32Time)
  • NTP client synchronization with external time servers
  • Domain controller time synchronization in Active Directory environments
  • Hardware clock drift correction during system startup
  • Third-party time synchronization software making adjustments
  • Virtual machine time synchronization with hypervisor host
  • System recovery from hibernation or sleep with significant time drift
  • BIOS/UEFI firmware time updates
  • Malicious software attempting to manipulate system time
Resolution Methods

Troubleshooting Steps

01

Check Event Details in Event Viewer

Start by examining the specific details of the Event ID 1511 occurrence to understand what triggered the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → System
  3. Filter for Event ID 1511 by right-clicking the System log and selecting Filter Current Log
  4. Enter 1511 in the Event IDs field and click OK
  5. Double-click on recent Event ID 1511 entries to view details
  6. Examine the General tab for old time, new time, and time difference
  7. Check the Details tab for additional information about the process that initiated the change

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=1511} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Pro tip: Look for patterns in the time changes - regular intervals might indicate scheduled synchronization, while random changes could suggest manual intervention or issues.
02

Analyze Windows Time Service Configuration

Investigate the Windows Time service configuration to determine if automatic time synchronization is causing the events.

  1. Open Command Prompt as Administrator
  2. Check current time service status:
w32tm /query /status
  3. Review time service configuration:
w32tm /query /configuration
  4. Check time source and synchronization peers:
w32tm /query /peers
  5. Examine time service registry settings (run in PowerShell; the registry provider path needs the HKLM: drive):
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
  6. For domain-joined machines, verify domain hierarchy:
w32tm /query /source
Warning: Modifying time service settings on domain controllers can affect the entire domain's time synchronization hierarchy.
03

Monitor Time Synchronization Events with PowerShell

Create a comprehensive monitoring solution to track time changes and identify patterns or anomalies.

  1. Create a PowerShell script to monitor time change events:
# Monitor Event ID 1511 for time changes
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1511; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue

# $Event is a PowerShell automatic variable, so use a different loop variable
foreach ($Evt in $Events) {
    $EventXML = [xml]$Evt.ToXml()
    $OldTime = $EventXML.Event.EventData.Data[0].'#text'
    $NewTime = $EventXML.Event.EventData.Data[1].'#text'

    Write-Host "Time Change Detected:"
    Write-Host "  Date: $($Evt.TimeCreated)"
    Write-Host "  Old Time: $OldTime"
    Write-Host "  New Time: $NewTime"
    # ProcessId is the ID of the process that wrote the event record
    Write-Host "  Process: $($Evt.ProcessId)"
    Write-Host "---"
}
  2. Check for related time service events:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'} -MaxEvents 50
  3. Monitor for large time adjustments that might indicate issues:
# Alert on time changes greater than 1 minute
$LargeTimeChanges = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1511; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | Where-Object {
    $EventXML = [xml]$_.ToXml()
    # Subtract the timestamps first, then take the absolute value of TotalSeconds
    # ([Math]::Abs has no overload for a TimeSpan)
    $TimeDiff = [Math]::Abs((([DateTime]$EventXML.Event.EventData.Data[1].'#text') - ([DateTime]$EventXML.Event.EventData.Data[0].'#text')).TotalSeconds)
    $TimeDiff -gt 60
}

if ($LargeTimeChanges) {
    Write-Warning "Large time changes detected in the last 24 hours"
    $LargeTimeChanges | Format-Table TimeCreated, Id, Message
}
04

Investigate Hardware and Virtual Environment Issues

Examine hardware clock stability and virtual machine time synchronization settings that might cause frequent time adjustments.

  1. Check system hardware clock accuracy:
w32tm /stripchart /computer:time.windows.com /samples:5
  2. For virtual machines, check hypervisor time synchronization settings:
# Check if running in VM (Get-CimInstance replaces the deprecated Get-WmiObject)
$ComputerSystem = Get-CimInstance -ClassName Win32_ComputerSystem
if ($ComputerSystem.Model -match "Virtual|VMware|Hyper-V|VirtualBox") {
    Write-Host "Virtual machine detected: $($ComputerSystem.Model)"

    # Check VM integration services (vmictimesync is the Hyper-V Time Synchronization Service)
    Get-Service | Where-Object {$_.Name -match "vmtools|vmictimesync|vboxservice"}
}
  3. Examine system event logs for hardware-related time issues:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'} -MaxEvents 100 | Where-Object {$_.Message -match "time|clock"}
  4. Check BIOS/UEFI time settings and battery status:
# Firmware release date from Win32_BIOS (this is not the hardware clock value)
$BiosTime = Get-CimInstance -ClassName Win32_BIOS | Select-Object ReleaseDate
$SystemTime = Get-Date
Write-Host "Current System Time: $SystemTime"
Write-Host "BIOS Release Date: $($BiosTime.ReleaseDate)"

# Check for CMOS battery issues in System log
Get-WinEvent -FilterHashtable @{LogName='System'} -MaxEvents 1000 | Where-Object {$_.Message -match "CMOS|battery|clock"}
  5. For Hyper-V guests, disable time synchronization if causing issues:
# Disable Hyper-V time synchronization (run in VM; note the HKLM: drive prefix)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider" -Name "Enabled" -Value 0
Pro tip: In virtualized environments, coordinate time synchronization between the hypervisor and guest OS to prevent conflicts.
05

Implement Security Monitoring and Compliance Tracking

Set up comprehensive monitoring for time changes to meet security and compliance requirements.

  1. Create a scheduled task to log time changes to a separate file:
# Create monitoring script
$ScriptContent = @'
$Events = Get-WinEvent -FilterHashtable @{LogName="System"; Id=1511; StartTime=(Get-Date).AddMinutes(-5)} -ErrorAction SilentlyContinue
foreach ($Evt in $Events) {
    $EventXML = [xml]$Evt.ToXml()
    $LogEntry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Time Change: Old=$($EventXML.Event.EventData.Data[0].'#text') New=$($EventXML.Event.EventData.Data[1].'#text') Process=$($Evt.ProcessId)"
    Add-Content -Path "C:\Logs\TimeChanges.log" -Value $LogEntry
}
'@

# Create the script and log directories, then save the script
New-Item -Path "C:\Scripts", "C:\Logs" -ItemType Directory -Force | Out-Null
$ScriptContent | Out-File -FilePath "C:\Scripts\MonitorTimeChanges.ps1" -Encoding UTF8
  2. Create scheduled task to run the monitoring script:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\MonitorTimeChanges.ps1"
# -Once selects the trigger parameter set that accepts the repetition options
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName "MonitorTimeChanges" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  3. Set up Windows Event Forwarding for centralized monitoring:
wecutil qc /q
winrm quickconfig
  4. Configure audit policy for time changes (system time changes are audited under the Security State Change subcategory):
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
  5. Create PowerShell function for compliance reporting:
function Get-TimeChangeReport {
    param(
        [DateTime]$StartDate = (Get-Date).AddDays(-30),
        [DateTime]$EndDate = (Get-Date)
    )

    # -ErrorAction SilentlyContinue: an empty result is not an error for a report
    $Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1511; StartTime=$StartDate; EndTime=$EndDate} -ErrorAction SilentlyContinue

    $Report = $Events | ForEach-Object {
        $EventXML = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            OldTime = $EventXML.Event.EventData.Data[0].'#text'
            NewTime = $EventXML.Event.EventData.Data[1].'#text'
            ProcessId = $_.ProcessId
            MachineName = $_.MachineName
        }
    }

    return $Report | Sort-Object TimeCreated
}

# Generate report (create the output directory first)
New-Item -Path "C:\Reports" -ItemType Directory -Force | Out-Null
Get-TimeChangeReport | Export-Csv -Path "C:\Reports\TimeChangeReport.csv" -NoTypeInformation
Warning: Ensure log files are protected and regularly rotated to prevent disk space issues and maintain audit trail integrity.

Overview

Event ID 1511 from the Kernel-General source indicates that Windows has detected a system time change. This event fires whenever the system clock is adjusted by more than a few seconds, whether through manual intervention, automatic time synchronization via NTP, or hardware clock drift correction. The event captures both the old and new time values, making it essential for security auditing and compliance tracking.

This event appears in the System log and provides detailed information about what triggered the time change, including the process responsible and the magnitude of the adjustment. In enterprise environments, unexpected time changes can indicate security issues, hardware problems, or misconfigured time services. The event is particularly important for domain controllers, where accurate time synchronization is critical for Kerberos authentication.

Windows generates this event through the kernel's time management subsystem, which continuously monitors the system clock for significant changes. The threshold for triggering this event is typically around 3-5 seconds, though this can vary based on system configuration and the source of the time change.

Frequently Asked Questions

What does Event ID 1511 mean and when should I be concerned?
Event ID 1511 indicates that Windows detected a system time change. This is normal for automatic time synchronization but concerning if it happens frequently without explanation. Be alert if you see large time jumps (more than a few minutes), time changes outside of scheduled synchronization windows, or changes that coincide with security events. In enterprise environments, unexpected time changes can indicate hardware issues, malicious activity, or misconfigured time services that could affect Kerberos authentication and audit log integrity.
How can I distinguish between legitimate and suspicious time changes in Event ID 1511?
Legitimate time changes typically show small adjustments (seconds to minutes) from w32tm.exe or the Windows Time service, occur at regular intervals, and align with your configured synchronization schedule. Suspicious changes include large time jumps (hours or days), changes initiated by unexpected processes, frequent adjustments outside normal sync windows, or changes that correlate with other security events. Check the event details for the process ID and compare against known time synchronization services. Manual changes through the Date/Time control panel will show different process information than automatic synchronization.
Why does Event ID 1511 appear frequently on my virtual machines?
Virtual machines often experience frequent time changes due to conflicts between hypervisor time synchronization and guest OS time services. When VMs are paused, migrated, or experience host clock drift, significant time adjustments may be needed upon resumption. Hyper-V Integration Services, VMware Tools, and VirtualBox Guest Additions all provide time synchronization that can trigger Event ID 1511. To reduce frequency, configure either the hypervisor or guest OS to handle time synchronization exclusively, not both. For domain-joined VMs, typically disable hypervisor time sync and rely on Windows Time service for domain synchronization.
Can Event ID 1511 affect Active Directory authentication and how do I prevent issues?
Yes, significant time changes can severely impact Active Directory authentication because Kerberos requires time synchronization within 5 minutes (default) between clients and domain controllers. Event ID 1511 showing large time adjustments can indicate synchronization problems that may cause authentication failures. Prevent issues by ensuring proper time hierarchy configuration with PDC Emulator as the authoritative time source, configuring reliable external NTP sources for the PDC, monitoring time drift across domain controllers, and setting appropriate MaxPosPhaseCorrection and MaxNegPhaseCorrection values in W32Time registry settings to control automatic adjustment limits.
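
An added example (not from the original article) that compares measured clock offset with the 5-minute Kerberos tolerance described above. It parses text in the shape produced by the stripchart command from method 04 when run with /dataonly; Measure-ClockOffset is a hypothetical helper name, and the captured lines, server address and 20% warning fraction are constructed assumptions.

```powershell
# Added example. Measure-ClockOffset is a hypothetical helper, not a built-in cmdlet.
function Measure-ClockOffset {
    param(
        [Parameter(Mandatory)] [string[]]$StripchartLine,
        [double]$KerberosToleranceSeconds = 300,  # the 5-minute default named above
        [double]$WarnFraction = 0.2               # assumption: warn at 20% of the tolerance
    )
    $offsets = @()
    $errors = 0
    foreach ($line in $StripchartLine) {
        # Sample lines look like "10:00:00, +72.4180012s"; failed samples carry "error:"
        if ($line -match '^\d{2}:\d{2}:\d{2}, (?<off>[+-]\d+\.\d+)s\s*$') {
            $offsets += [double]::Parse($Matches['off'], [cultureinfo]::InvariantCulture)
        } elseif ($line -match '^\d{2}:\d{2}:\d{2}, error') {
            $errors++
        }
    }
    $worst = 0.0
    foreach ($o in $offsets) { $worst = [math]::Max($worst, [math]::Abs($o)) }

    $status = 'ok'
    if ($offsets.Count -eq 0)                                       { $status = 'no-data' }
    elseif ($worst -ge $KerberosToleranceSeconds)                   { $status = 'exceeds-tolerance' }
    elseif ($worst -ge $KerberosToleranceSeconds * $WarnFraction)   { $status = 'drifting' }

    [pscustomobject]@{
        Samples            = $offsets.Count
        FailedSamples      = $errors
        WorstOffsetSeconds = [math]::Round($worst, 3)
        Status             = $status
    }
}

# Constructed capture (192.0.2.10 is a documentation address), not real output from any host
$captured = @'
Tracking time.windows.com [192.0.2.10:123].
Collecting 4 samples.
The current time is 3/18/2026 10:00:00 AM.
10:00:00, +72.4180012s
10:00:02, +72.4176350s
10:00:04, error: 0x800705B4
10:00:06, +72.4181127s
'@ -split '\r?\n'

Measure-ClockOffset -StripchartLine $captured
```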
How do I set up monitoring and alerting for abnormal time changes in Event ID 1511?
Implement monitoring by creating PowerShell scripts that query Event ID 1511 and filter for abnormal patterns like time changes exceeding specific thresholds, multiple changes within short periods, or changes from unexpected processes. Use Windows Event Forwarding to centralize time change events from multiple systems, configure SIEM tools to correlate time changes with other security events, and set up scheduled tasks or monitoring agents to alert on suspicious patterns. Consider implementing custom event log subscriptions that trigger immediate notifications for time changes exceeding your defined acceptable limits, typically 1-5 minutes depending on your environment's requirements.
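
An added example, not part of the original article, that applies the criteria from the two answers on suspicious changes and on alerting (jump size, unexpected process, several changes in a short period) to records that have already been parsed. The function name Get-TimeChangeFinding, the ProcessName field, the expected-process baseline and every record below are constructed assumptions.

```powershell
# Added example. Field names and all sample records are constructed for illustration.
function Get-TimeChangeFinding {
    param(
        [Parameter(Mandatory)] [object[]]$Record,
        [string[]]$ExpectedProcess = @('svchost.exe', 'w32tm.exe'),  # assumption: local sync baseline
        [int]$MaxDeltaSeconds = 60,     # the 1-minute alert threshold used in method 03
        [int]$BurstCount = 3,           # this many changes inside the window counts as a burst
        [int]$BurstWindowMinutes = 10
    )
    $sorted = @($Record | Sort-Object TimeCreated)
    foreach ($r in $sorted) {
        $delta = (([datetime]$r.NewTime) - ([datetime]$r.OldTime)).TotalSeconds
        $windowStart = $r.TimeCreated.AddMinutes(-$BurstWindowMinutes)
        $inWindow = @($sorted | Where-Object {
            $_.TimeCreated -gt $windowStart -and $_.TimeCreated -le $r.TimeCreated })

        $reasons = @()
        if ([math]::Abs($delta) -gt $MaxDeltaSeconds) {
            $reasons += $(if ($delta -lt 0) { 'LargeBackwardJump' } else { 'LargeForwardJump' })
        }
        if ($r.ProcessName -notin $ExpectedProcess) { $reasons += 'UnexpectedProcess' }
        if ($inWindow.Count -ge $BurstCount)        { $reasons += 'Burst' }

        [pscustomobject]@{
            TimeCreated  = $r.TimeCreated
            DeltaSeconds = [math]::Round($delta, 1)
            ProcessName  = $r.ProcessName
            Reasons      = $reasons -join ','
            Verdict      = $(if ($reasons.Count) { 'review' } else { 'expected' })
        }
    }
}

# Constructed records: one routine sync, one large backward step, three changes in six minutes
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-18 02:00:05'; OldTime = '2026-03-18 02:00:03'; NewTime = '2026-03-18 02:00:05'; ProcessName = 'svchost.exe' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-17 09:00:00'; OldTime = '2026-03-18 14:30:00'; NewTime = '2026-03-17 09:00:00'; ProcessName = 'unknown-tool.exe' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-18 16:00:00'; OldTime = '2026-03-18 15:59:59'; NewTime = '2026-03-18 16:00:00'; ProcessName = 'svchost.exe' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-18 16:03:00'; OldTime = '2026-03-18 16:02:59'; NewTime = '2026-03-18 16:03:00'; ProcessName = 'svchost.exe' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-18 16:06:00'; OldTime = '2026-03-18 16:05:59'; NewTime = '2026-03-18 16:06:00'; ProcessName = 'svchost.exe' }
)

Get-TimeChangeFinding -Record $sample | Format-Table -AutoSize
```

To feed it live data, map the output of a report function such as Get-TimeChangeReport onto the same property names and tune the thresholds to your own synchronization schedule.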
Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
