Windows Event ID 1796 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 1796 fires when Windows detects a system time change, whether a manual adjustment or an automatic synchronization. It is critical for security auditing and for troubleshooting time-sensitive applications.

Emanuel DE ALMEIDA
17 March 2026, 9 min read

What This Event Means

Windows Event ID 1796 represents a fundamental system monitoring capability that tracks all modifications to the system clock. The Microsoft-Windows-Kernel-General provider generates this event at the kernel level, ensuring comprehensive coverage of time changes regardless of the modification method.

The event structure contains several critical data points: the previous system time, the new system time, the adjustment amount in 100-nanosecond units, and contextual information about what triggered the change. This granular detail enables administrators to distinguish between legitimate automatic synchronizations and potentially malicious manual adjustments.

In enterprise environments, Event ID 1796 serves multiple purposes. Security teams monitor these events to detect potential tampering with system clocks, which could indicate attempts to evade log correlation or hide malicious activity. IT operations teams use the events to verify proper NTP synchronization and diagnose time-related application issues.

The event becomes particularly valuable in forensic investigations where timeline accuracy is paramount. By correlating Event ID 1796 occurrences with other system events, investigators can reconstruct accurate sequences of activities and identify any attempts to manipulate timestamps.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Automatic NTP time synchronization with domain controllers or external time servers
  • Manual time adjustment through Windows Time and Date settings
  • PowerShell or command-line time modification using Set-Date or w32tm commands
  • Daylight saving time automatic transitions
  • System recovery operations restoring previous time settings
  • Hardware clock drift correction during system startup
  • Time zone changes triggering clock adjustments
  • Virtual machine time synchronization with hypervisor host
  • Third-party time synchronization software making adjustments
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific Event ID 1796 entries to understand the time change patterns and sources.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. In the Actions pane, click Filter Current Log
  4. Enter 1796 in the Event IDs field and click OK
  5. Double-click each Event ID 1796 entry to examine the details
  6. Note the Old Time and New Time values in the event data
  7. Check the Reason field to identify what triggered the time change
  8. Look for patterns in timing and frequency of these events

Pay special attention to large time adjustments or frequent changes that might indicate synchronization problems or unauthorized modifications.

02

Query Events with PowerShell for Analysis

Use PowerShell to extract and analyze Event ID 1796 data for comprehensive time change tracking.

  1. Open PowerShell as Administrator
  2. Run this command to retrieve recent time change events:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1796} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
  3. For detailed analysis of time adjustments, use:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1796} | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        OldTime = $xml.Event.EventData.Data[0].'#text'
        NewTime = $xml.Event.EventData.Data[1].'#text'
        Reason = $xml.Event.EventData.Data[2].'#text'
    }
} | Format-Table -AutoSize
  4. To export results for further analysis:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1796} | Export-Csv -Path "C:\Temp\TimeChangeEvents.csv" -NoTypeInformation
03

Verify Windows Time Service Configuration

Check the Windows Time service settings to ensure proper NTP synchronization and identify potential configuration issues.

  1. Open Command Prompt as Administrator
  2. Check current time service status:
w32tm /query /status
  3. Review time source configuration:
w32tm /query /configuration
  4. Check time synchronization peers:
w32tm /query /peers
  5. In PowerShell, examine the Windows Time service registry settings:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" | Select-Object NtpServer, Type
  6. Verify that the time service is running:
Get-Service W32Time | Select-Object Name, Status, StartType
  7. If issues are found, restart the time service (from the Command Prompt):
net stop w32time && net start w32time
Pro tip: Use w32tm /resync to force immediate synchronization with configured time sources.
04

Configure Time Change Auditing and Monitoring

Implement comprehensive monitoring to track and alert on suspicious time changes for security purposes.

  1. Enable the advanced audit policy that records time changes in the Security log. The relevant subcategory is "Security State Change", which produces Security Event 4616 ("The system time was changed"):
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
  2. Create a PowerShell monitoring script for real-time alerts:
# Save as TimeChangeMonitor.ps1
# XML filter for Event ID 1796 from the Kernel-General provider (used for on-demand checks with Get-WinEvent)
$Query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and EventID=1796]]</Select>
  </Query>
</QueryList>
"@

# Subscribe to new System-log records with EventCode 1796; WMI polls for new instances every 5 seconds
$WqlQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'System' AND TargetInstance.EventCode = 1796"

Register-WmiEvent -Query $WqlQuery -SourceIdentifier TimeChange1796 -Action {
    # $Event is the automatic variable for the fired WMI event; TargetInstance is the new log record
    $Record = $Event.SourceEventArgs.NewEvent.TargetInstance
    $When = [Management.ManagementDateTimeConverter]::ToDateTime($Record.TimeGenerated)
    Write-Host "Time change detected at $When" -ForegroundColor Yellow
    # Add email notification or logging here
}

# Optional one-off check of the most recent matching record
Get-WinEvent -FilterXml $Query -MaxEvents 1
  3. Set up an Event Viewer custom view for time changes:
     a. In Event Viewer, right-click Custom Views > Create Custom View
     b. Select By log > System
     c. Enter Event ID 1796 and save the view as "Time Changes"
  4. Configure Group Policy to centralize time change logging (the policy sets this registry value, here 20 MB):
HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\MaxSize = 20971520
Warning: Frequent time changes may indicate hardware issues, malware, or configuration problems requiring immediate investigation.
05

Advanced Forensic Analysis and Correlation

Perform deep analysis of time change events for security investigations and compliance reporting.

  1. Create a comprehensive PowerShell analysis script:
# TimeChangeForensics.ps1
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1796} -MaxEvents 1000
$Analysis = @()

foreach ($Event in $Events) {
    $xml = [xml]$Event.ToXml()
    $OldTime = [DateTime]$xml.Event.EventData.Data[0].'#text'
    $NewTime = [DateTime]$xml.Event.EventData.Data[1].'#text'
    $TimeDiff = ($NewTime - $OldTime).TotalSeconds
    
    $Analysis += [PSCustomObject]@{
        EventTime = $Event.TimeCreated
        OldTime = $OldTime
        NewTime = $NewTime
        AdjustmentSeconds = $TimeDiff
        AdjustmentType = if ([Math]::Abs($TimeDiff) -gt 300) { "Major" } else { "Minor" }
        UserSID = $Event.UserId
    }
}

$Analysis | Export-Csv -Path "C:\Forensics\TimeChangeAnalysis.csv" -NoTypeInformation
$Analysis | Where-Object AdjustmentType -eq "Major" | Format-Table
  2. Correlate with security events for comprehensive analysis:
$TimeChanges = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1796} -MaxEvents 50
$SecurityEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} -MaxEvents 100

# Cross-reference time changes with logon events in a +/- 5 minute window
# (the .. range operator does not work on DateTime values, so the bounds are computed explicitly)
foreach ($TimeChange in $TimeChanges) {
    $WindowStart = $TimeChange.TimeCreated.AddMinutes(-5)
    $WindowEnd   = $TimeChange.TimeCreated.AddMinutes(5)
    $RelatedEvents = @($SecurityEvents | Where-Object { $_.TimeCreated -ge $WindowStart -and $_.TimeCreated -le $WindowEnd })
    if ($RelatedEvents.Count -gt 0) {
        Write-Host "Time change at $($TimeChange.TimeCreated) correlates with $($RelatedEvents.Count) security events"
    }
}
  3. Generate compliance report:
$Report = $Analysis | Group-Object { $_.EventTime.Date } | ForEach-Object {
    [PSCustomObject]@{
        Date = $_.Name
        TotalChanges = $_.Count
        MajorAdjustments = ($_.Group | Where-Object AdjustmentType -eq "Major").Count
        MaxAdjustment = ($_.Group | Measure-Object AdjustmentSeconds -Maximum).Maximum
    }
}

$Report | Export-Csv -Path "C:\Reports\DailyTimeChangeReport.csv" -NoTypeInformation
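As an added example (not from the original article), the following function combines the parsing from the forensic script above with the heuristics the FAQ gives for telling legitimate from suspicious changes, and attributes each change to an account and process via Security Event 4616 ("The system time was changed"), which the Security State Change audit subcategory produces. The OldTime/NewTime field order follows the article; the function name, the 300-second "major" threshold, the 07:00-19:00 business window and the 10-second window for matching 4616 records are assumptions.

```powershell
# Added example, not from the original article; see the lead-in for assumptions.
function Get-SuspiciousTimeChange {
    param(
        [int]$MaxEvents = 500,
        [double]$MajorThresholdSeconds = 300,  # assumption: jumps above 5 min are "major"
        [int]$BusinessStartHour = 7,           # assumption: 07:00-19:00 local business window
        [int]$BusinessEndHour = 19
    )
    # Needs an elevated session: the Security log is not readable otherwise
    $Kernel = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1796} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $Audit  = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($E in $Kernel) {
        # Field order (OldTime, NewTime) as described in the article
        $xml   = [xml]$E.ToXml()
        $Old   = [DateTime]$xml.Event.EventData.Data[0].'#text'
        $New   = [DateTime]$xml.Event.EventData.Data[1].'#text'
        $Delta = ($New - $Old).TotalSeconds

        # Attribution: Security 4616 names the account and process that set the clock;
        # take the 4616 record written closest to this 1796 record (within 10 s, an assumption)
        $Match = $Audit |
            Where-Object { [Math]::Abs(($_.TimeCreated - $E.TimeCreated).TotalSeconds) -le 10 } |
            Sort-Object { [Math]::Abs(($_.TimeCreated - $E.TimeCreated).TotalSeconds) } |
            Select-Object -First 1
        $Account = $null; $Process = $null
        if ($Match) {
            $Fields = @{}
            foreach ($d in ([xml]$Match.ToXml()).Event.EventData.Data) { $Fields[$d.Name] = $d.'#text' }
            $Account = "$($Fields['SubjectDomainName'])\$($Fields['SubjectUserName'])"
            $Process = $Fields['ProcessName']
        }

        # FAQ heuristics: large jumps, off-hours changes, and changes not made by the
        # Windows Time service (W32Time runs inside svchost.exe)
        $Reasons = @()
        if ([Math]::Abs($Delta) -gt $MajorThresholdSeconds) { $Reasons += "major jump ($([Math]::Round($Delta)) s)" }
        $Hour = $E.TimeCreated.Hour
        if ($Hour -lt $BusinessStartHour -or $Hour -ge $BusinessEndHour) { $Reasons += 'outside business hours' }
        if ($Process -and $Process -notmatch '\\svchost\.exe$') { $Reasons += "set by $Process" }

        [PSCustomObject]@{
            EventTime = $E.TimeCreated; OldTime = $Old; NewTime = $New
            AdjustmentSeconds = [Math]::Round($Delta, 3)
            Account = $Account; Process = $Process
            Suspicious = ($Reasons.Count -gt 0); Reasons = ($Reasons -join '; ')
        }
    }
}
```

Run it from an elevated PowerShell session; `Get-SuspiciousTimeChange | Where-Object Suspicious | Format-Table -AutoSize` lists only the flagged changes with their reasons.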

Overview

Event ID 1796 from Microsoft-Windows-Kernel-General logs whenever the Windows system clock undergoes a time change. This event captures both manual time adjustments and automatic synchronizations with time servers. The event records the old time value, new time value, and the reason for the change.

This event appears in the System log and provides crucial audit information for environments where time accuracy is critical. Domain controllers, financial systems, and security-sensitive applications rely on accurate timestamps, making this event essential for compliance and troubleshooting.

The event fires during various scenarios including NTP synchronization, manual time changes through Control Panel or PowerShell, daylight saving time transitions, and system recovery operations. Each occurrence includes detailed information about the time adjustment magnitude and source.

System administrators use this event to track unauthorized time changes, diagnose time synchronization issues, and maintain audit trails for regulatory compliance. The event data includes precise timestamps and adjustment values measured in 100-nanosecond intervals.

Frequently Asked Questions

What does Event ID 1796 mean and why is it important?
Event ID 1796 indicates that Windows has detected a system time change. This event is crucial for security auditing, compliance monitoring, and troubleshooting time-sensitive applications. It records the old time, new time, and reason for the change, providing a complete audit trail of all system clock modifications. In enterprise environments, this event helps detect unauthorized time tampering and verify proper NTP synchronization.
How can I distinguish between legitimate and suspicious time changes in Event ID 1796?
Legitimate time changes typically show small adjustments (seconds or minutes) from NTP synchronization, occur at regular intervals, and happen during normal business hours. Suspicious changes include large time adjustments (hours or days), manual changes outside maintenance windows, frequent adjustments indicating sync problems, or changes correlating with security events. Use PowerShell analysis to calculate adjustment magnitudes and identify patterns that deviate from normal synchronization behavior.
Can Event ID 1796 help with forensic investigations?
Yes, Event ID 1796 is invaluable for forensic analysis. It provides precise timestamps for when system time was modified, which is critical for establishing accurate timelines in investigations. Attackers sometimes manipulate system clocks to evade detection or alter log timestamps. By analyzing these events alongside other system and security logs, investigators can identify attempts to manipulate evidence and reconstruct the true sequence of events during security incidents.
What should I do if I see frequent Event ID 1796 occurrences?
Frequent Event ID 1796 events may indicate NTP synchronization problems, hardware clock drift, or configuration issues. First, check the Windows Time service status and configuration using w32tm commands. Verify that NTP servers are reachable and responding correctly. Examine the time adjustment magnitudes: small, regular adjustments are normal, but large or erratic changes suggest problems. Consider hardware issues if the system clock consistently drifts, and review any third-party time synchronization software that might conflict with the Windows Time service.
How do I set up monitoring and alerting for Event ID 1796?
Set up Event ID 1796 monitoring using PowerShell scripts with Register-WmiEvent or scheduled tasks that query the System log. Create custom Event Viewer views filtered for Event ID 1796 to easily review time changes. For enterprise environments, configure SIEM systems to collect and analyze these events, setting alerts for large time adjustments or unusual patterns. Use Group Policy to ensure consistent logging across all systems, and consider implementing automated reports that summarize time change activity for compliance and security review.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
