ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event ID 2101InformationMicrosoft-Windows-Kernel-GeneralWindows

Windows Event ID 2101 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 2101 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 2101Microsoft-Windows-Kernel-General 5 methods 12 min
Event Reference

What This Event Means

Windows Event ID 2101 represents a fundamental system monitoring capability that tracks all system time modifications. When the Windows kernel detects any change to the system clock, it generates this event with comprehensive details about the modification. The event includes the previous time, new time, the process that initiated the change, and the reason for the adjustment.

This event serves multiple critical functions in enterprise environments. From a security perspective, it provides an audit trail for time changes that could indicate tampering or unauthorized access. Time synchronization is crucial for Kerberos authentication, certificate validation, and log correlation across distributed systems. Any unexpected time changes can break these dependencies and create security vulnerabilities.

The event also helps troubleshoot time-related application issues. Many enterprise applications rely on accurate timestamps for transaction processing, database replication, and scheduled tasks. When applications report time-related errors, Event ID 2101 provides the historical context needed to identify when and why time changes occurred.

In Windows Server 2025 and Windows 11 24H2, Microsoft enhanced the event to include additional context about automatic time synchronization sources and improved accuracy for sub-second time adjustments. The event now better distinguishes between legitimate administrative changes and potential security incidents.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual time adjustment through Date and Time settings or date command
  • Automatic time synchronization with domain controllers via Windows Time service
  • NTP client synchronization with external time servers
  • Daylight saving time transitions (spring forward/fall back)
  • System resume from hibernation or sleep with significant time drift
  • Virtual machine time synchronization with hypervisor host
  • Third-party time synchronization software making system adjustments
  • Hardware clock drift correction by Windows Time service
  • Group Policy enforced time synchronization settings
  • PowerShell or command-line time modification scripts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 2101 to understand what triggered the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSystem
  3. Filter for Event ID 2101 by right-clicking SystemFilter Current Log → enter 2101 in Event IDs field
  4. Double-click the most recent Event ID 2101 to view details
  5. Review the General tab for old time, new time, and time differential
  6. Check the Details tab for the process name that initiated the change
  7. Note the Source field to identify if the change was user-initiated or system-initiated

Use PowerShell for bulk analysis:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=2101} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Pro tip: Look for patterns in time changes. Frequent small adjustments indicate normal NTP synchronization, while large jumps may suggest manual intervention or system issues.
02

Analyze Windows Time Service Configuration

Investigate the Windows Time service configuration to determine if automatic synchronization is causing the time changes.

  1. Check Windows Time service status:
Get-Service W32Time | Format-List *
w32tm /query /status
  1. Review time synchronization configuration:
w32tm /query /configuration
w32tm /query /peers
  1. Check time synchronization sources in registry:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" | Select-Object NtpServer, Type
  1. For domain-joined computers, verify domain controller time sync:
w32tm /monitor /domain
w32tm /query /source
  1. Test manual synchronization to identify issues:
w32tm /resync /force
Warning: Forcing time synchronization can cause temporary authentication issues in domain environments. Perform during maintenance windows when possible.
03

Correlate with Security and Application Logs

Cross-reference Event ID 2101 with other system events to identify the root cause and assess security implications.

  1. Check for related security events around the same timeframe:
$TimeChange = Get-WinEvent -FilterHashtable @{LogName='System'; Id=2101} -MaxEvents 1
$StartTime = $TimeChange.TimeCreated.AddMinutes(-10)
$EndTime = $TimeChange.TimeCreated.AddMinutes(10)
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$StartTime; EndTime=$EndTime; Id=4624,4625,4648} | Format-Table TimeCreated, Id, Message
  1. Look for application errors related to time synchronization:
Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$StartTime; EndTime=$EndTime; Level=2,3} | Where-Object {$_.Message -like "*time*" -or $_.Message -like "*clock*"}
  1. Check for Group Policy events that might enforce time settings:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502,1503} -MaxEvents 20
  1. Review Task Scheduler logs for automated time-related tasks:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TaskScheduler/Operational'; StartTime=$StartTime; EndTime=$EndTime}
  1. Export comprehensive time change analysis:
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=2101} -MaxEvents 100
$Events | Export-Csv -Path "C:\Temp\TimeChangeAnalysis.csv" -NoTypeInformation
04

Configure Advanced Time Monitoring and Alerting

Implement proactive monitoring to detect and alert on unexpected time changes for security and compliance purposes.

  1. Create a custom Event Viewer view for time monitoring:

In Event ViewerCustom ViewsCreate Custom View:

  • Event level: Information, Warning, Error
  • Event logs: System, Security
  • Event IDs: 2101, 4616, 1
  • Save as "Time Change Monitoring"
  1. Set up PowerShell-based monitoring script:
# Save as TimeChangeMonitor.ps1
$LastCheck = (Get-Date).AddHours(-1)
$TimeChanges = Get-WinEvent -FilterHashtable @{LogName='System'; Id=2101; StartTime=$LastCheck}
if ($TimeChanges) {
    foreach ($Event in $TimeChanges) {
        $Message = "Time change detected at $($Event.TimeCreated): $($Event.Message)"
        Write-EventLog -LogName Application -Source "TimeMonitor" -EventId 9001 -EntryType Warning -Message $Message
        # Add email notification or SIEM integration here
    }
}
  1. Configure Windows Task Scheduler to run monitoring script:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\TimeChangeMonitor.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "TimeChangeMonitor" -Action $Action -Trigger $Trigger -Settings $Settings -RunLevel Highest
  1. Create registry monitoring for time service changes:
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
$Baseline = Get-ItemProperty -Path $RegPath | ConvertTo-Json
$Baseline | Out-File -FilePath "C:\Temp\W32TimeBaseline.json"
Pro tip: Integrate time change monitoring with your SIEM solution by forwarding custom events or using Windows Event Forwarding to centralize time change detection across your environment.
05

Implement Time Security Hardening and Compliance

Configure advanced time security measures to prevent unauthorized time changes and ensure compliance with security frameworks.

  1. Restrict time change permissions using Group Policy:

Navigate to Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment:

  • Modify "Change the system time" policy
  • Remove "Users" group, keep only "Administrators" and "LOCAL SERVICE"
  1. Configure secure time source hierarchy via Group Policy:

In Computer ConfigurationAdministrative TemplatesSystemWindows Time Service:

  • Enable "Configure Windows NTP Client"
  • Set NtpServer to trusted sources: time.nist.gov,0x1 pool.ntp.org,0x1
  • Enable "Enable Windows NTP Server" on domain controllers only
  1. Implement time tampering detection registry settings:
# Enable detailed time service logging
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config" -Name "EventLogFlags" -Value 3
# Configure maximum allowed time adjustment
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config" -Name "MaxAllowedPhaseOffset" -Value 300
  1. Set up automated compliance reporting:
# Create compliance report for time changes
$Report = @()
$TimeEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=2101} -MaxEvents 100
foreach ($Event in $TimeEvents) {
    $Report += [PSCustomObject]@{
        Timestamp = $Event.TimeCreated
        EventID = $Event.Id
        Source = $Event.ProviderName
        Message = $Event.Message
        UserSID = $Event.UserId
    }
}
$Report | Export-Csv -Path "C:\Compliance\TimeChangeReport_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  1. Configure Windows Event Forwarding for centralized monitoring:
# On collector server
wecutil qc /q
# Create subscription for time events
$SubscriptionXML = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>TimeChangeCollection</SubscriptionId>
    <Query><![CDATA[<QueryList><Query Id="0"><Select Path="System">*[System[EventID=2101]]</Select></Query></QueryList>]]></Query>
</Subscription>
"@
$SubscriptionXML | Out-File -FilePath "C:\Temp\TimeSubscription.xml"
wecutil cs "C:\Temp\TimeSubscription.xml"
Warning: Time security hardening can impact legitimate system operations. Test thoroughly in non-production environments and ensure proper documentation of approved time sources and procedures.

Overview

Event ID 2101 from Microsoft-Windows-Kernel-General logs whenever Windows detects a system time change. This event fires during manual time adjustments, automatic time synchronization with domain controllers or NTP servers, and daylight saving time transitions. The event captures both the old and new time values, making it essential for security auditing and compliance tracking.

This event appears in the System log and provides detailed information about what triggered the time change, whether it was user-initiated, system-initiated, or caused by external synchronization. In domain environments, frequent 2101 events often indicate NTP configuration issues or network connectivity problems affecting time synchronization.

Security teams monitor this event closely because unauthorized time changes can mask malicious activity or disrupt log correlation across systems. The event includes the process responsible for the change and the exact time differential, enabling administrators to track legitimate versus suspicious time modifications.

Frequently Asked Questions

What does Event ID 2101 mean and why is it important for security?+
Event ID 2101 indicates that Windows detected a system time change, logging both the old and new time values along with the process that initiated the change. This event is crucial for security because unauthorized time modifications can mask malicious activity, disrupt log correlation, and break time-dependent authentication mechanisms like Kerberos. Security teams use this event to maintain audit trails and detect potential tampering with system clocks.
How can I distinguish between legitimate and suspicious time changes in Event ID 2101?+
Legitimate time changes typically show small adjustments (seconds to minutes) from the Windows Time service (w32time.exe) or scheduled synchronization. Suspicious changes include large time jumps (hours or days), changes initiated by unexpected processes, or modifications outside of maintenance windows. Look for correlation with security events like unusual logons (Event ID 4624) or privilege escalation attempts around the same timeframe.
Why do I see frequent Event ID 2101 entries on my domain-joined computers?+
Frequent Event ID 2101 entries on domain computers usually indicate normal NTP synchronization behavior, especially if the time adjustments are small (under 30 seconds). However, excessive frequency might suggest network connectivity issues with domain controllers, misconfigured time sources, or hardware clock drift. Check the Windows Time service configuration with 'w32tm /query /status' and verify connectivity to your domain controllers.
Can Event ID 2101 help troubleshoot Kerberos authentication failures?+
Yes, Event ID 2101 is essential for troubleshooting Kerberos issues because Kerberos requires time synchronization within 5 minutes (default) between client and server. If you see Kerberos authentication failures (Event ID 4625 with failure reason 0x18), check for recent Event ID 2101 entries that might indicate time drift. Large time adjustments can invalidate existing Kerberos tickets and require users to re-authenticate.
How should I configure monitoring and alerting for Event ID 2101 in enterprise environments?+
Configure Event ID 2101 monitoring by setting up custom Event Viewer filters, PowerShell monitoring scripts, and SIEM integration. Alert on time changes exceeding normal thresholds (typically more than 1 minute), changes outside maintenance windows, or modifications by unexpected processes. Use Windows Event Forwarding to centralize time change events from all systems, and establish baseline patterns to identify anomalies. Consider implementing automated compliance reporting for audit purposes.
Documentation

References (2)

1
Microsoft Learn - Windows Time ServiceComprehensive documentation on Windows Time service configuration, troubleshooting, and best practices for enterprise environments.https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-top
2
Microsoft Security Compliance ToolkitSecurity baselines and compliance guidance including time synchronization security recommendations.https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-2101#time-synchronization#security-auditing

Related Windows Events

Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 16388
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 16388 – Microsoft-Windows-Kernel-General: System Time Change Notification

Event ID 16388 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

March 189 min
Windows Event Viewer showing system event logs on a monitoring dashboard
Event 16384
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 16384 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 16384 fires when Windows detects a system time change, either manual or automatic. Critical for security auditing and troubleshooting time synchronization issues in domain environments.

March 189 min
Windows Event Viewer displaying system time change events on a monitoring dashboard
Event 11728
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 11728 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11728 fires when Windows detects a system time change, typically from time synchronization services, manual adjustments, or hardware clock drift corrections.

March 1812 min
Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 11724
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 11724 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11724 indicates the Windows kernel detected a system time change, typically triggered by time synchronization services, manual adjustments, or hardware clock drift corrections.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...