Windows Event ID 4113 – Microsoft-Windows-Kernel-General: System Time Changed

Start by examining the specific details of Event ID 4113 to understand what triggered the time change.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → System
3. Filter the log by clicking Filter Current Log in the Actions pane
4. Enter 4113 in the Event IDs field and click OK
5. Double-click on recent Event ID 4113 entries to view detailed information
6. Note the Old Time and New Time values in the event description
7. Check the Process ID to identify which process initiated the change

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=4113} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Determine which process or service initiated the time change to understand if it was legitimate or potentially malicious.

1. From the Event ID 4113 details, note the Process ID (PID) mentioned in the event
2. Cross-reference this with other system events around the same time
3. Use PowerShell to correlate the process information:

# Get recent time change events with process details
Get-WinEvent -FilterHashtable @{LogName='System'; Id=4113} -MaxEvents 10 | ForEach-Object {
    $timeChanged = $_.TimeCreated
    $message = $_.Message
    Write-Output "Time: $timeChanged"
    Write-Output "Details: $message"
    Write-Output "---"
}

4. Check if the change was made by svchost.exe (Windows Time service) or explorer.exe (user action)
5. Review Security log for Event ID 4616 (System time was changed) for additional context
6. Verify the user account associated with manual time changes

Examine the Windows Time service configuration to ensure proper time synchronization and identify potential issues.

1. Check the current time service configuration:

# Display current W32Time configuration
w32tm /query /configuration

# Show time service status
w32tm /query /status

# Display configured time sources
w32tm /query /peers

2. Review time service registry settings at HKLM\SYSTEM\CurrentControlSet\Services\W32Time
3. Check the Event Viewer for W32Time service events:

# Query W32Time service events
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'} -MaxEvents 50

4. Verify NTP server connectivity and response times:

# Test time server connectivity
w32tm /stripchart /computer:time.windows.com /samples:5

# Force immediate time synchronization
w32tm /resync /force

5. For domain-joined computers, ensure proper time hierarchy with domain controllers

Set up automated monitoring to track and alert on unexpected time changes for security and compliance purposes.

1. Create a PowerShell script to monitor Event ID 4113 in real-time:

# Monitor time change events
$action = {
    $event = $Event.SourceEventArgs.NewEvent
    $timeChanged = $event.TimeCreated
    $message = $event.Message
    
    # Log to custom file
    "$timeChanged - Time Change Detected: $message" | Out-File -Append C:\Logs\TimeChanges.log
    
    # Send alert if change is significant (more than 1 minute)
    if ($message -match "Old Time: (.+?) New Time: (.+?)") {
        $oldTime = [DateTime]::Parse($matches[1])
        $newTime = [DateTime]::Parse($matches[2])
        $diff = [Math]::Abs(($newTime - $oldTime).TotalMinutes)
        
        if ($diff -gt 1) {
            Write-EventLog -LogName Application -Source "TimeMonitor" -EventId 1001 -Message "Significant time change detected: $diff minutes"
        }
    }
}

# Register event watcher
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='System' AND EventCode=4113" -Action $action

2. Create a scheduled task to run the monitoring script at startup
3. Set up Windows Event Forwarding to centralize time change events from multiple systems
4. Configure SIEM integration to correlate time changes with other security events

Use Group Policy to enforce time synchronization policies and restrict unauthorized time changes in enterprise environments.

1. Open Group Policy Management Console and edit the appropriate GPO
2. Navigate to Computer Configuration → Administrative Templates → System → Windows Time Service
3. Configure the following policies:
• Global Configuration Settings - Set authoritative time sources
• Time Providers - Configure NTP client settings
• Configure Windows NTP Client - Specify time servers and update intervals
4. Restrict user ability to change system time:

# Check current time change privileges
secedit /export /cfg C:\temp\security.inf
Select-String "SeSystemtimePrivilege" C:\temp\security.inf

5. Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
6. Modify Change the system time policy to restrict access to authorized accounts only
7. Enable audit policy for time changes:

# Enable time change auditing via command line
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

8. Deploy the GPO and verify settings with gpresult /r on target systems