
Windows Event ID 8197 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 8197 fires when Windows detects a significant system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

Emanuel DE ALMEIDA
18 March 2026, 9 min read
Event Reference

What This Event Means

Event ID 8197 represents Windows kernel-level detection of system time modifications that exceed predefined thresholds. The Windows kernel continuously monitors system time consistency and generates this event when it detects significant time jumps, whether forward or backward.

The event captures comprehensive details including the exact timestamps of the old and new system times, the process identifier responsible for the change, and additional context about the time adjustment. This information proves invaluable for security auditing, as unauthorized time changes can indicate malicious activity or system compromise attempts.

In enterprise environments, this event helps administrators track compliance with time synchronization policies and identify systems experiencing time drift issues. The event also assists in troubleshooting Kerberos authentication failures, which are highly sensitive to time skew between domain controllers and client systems.

Modern Windows systems in 2026 have enhanced time change detection capabilities, providing more granular information about the source and nature of time modifications. This includes better integration with Windows Defender ATP and improved correlation with other security events for comprehensive threat detection.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual system time adjustment through Date and Time settings or command line tools
  • Automatic time synchronization via Windows Time Service (W32Time) with NTP servers
  • Domain controller time synchronization in Active Directory environments
  • Hardware clock adjustments during system boot or resume from hibernation
  • Third-party time synchronization software making system time changes
  • Malware attempting to manipulate system time for evasion purposes
  • Virtual machine time synchronization with hypervisor host systems
  • System recovery operations restoring previous time settings
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 8197 to understand the nature of the time change:

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. Filter for Event ID 8197 by right-clicking the System log and selecting Filter Current Log
  4. Enter 8197 in the Event IDs field and click OK
  5. Double-click on recent Event ID 8197 entries to view detailed information
  6. Note the Old Time, New Time, and Process ID values in the event description
  7. Check the General tab for timestamp information and the Details tab for XML data

Use PowerShell for more detailed analysis:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=8197} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
02

Analyze Time Change Patterns with PowerShell

Use PowerShell to identify patterns in time changes and correlate with other system events:

  1. Extract detailed time change information:
$TimeChangeEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=8197} -MaxEvents 50
$TimeChangeEvents | ForEach-Object {
    # Parse the event XML; the EventData fields are read by position
    # (Old Time, New Time, Process ID), so confirm that order in the Details tab
    $EventXML = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        OldTime = $EventXML.Event.EventData.Data[0].'#text'
        NewTime = $EventXML.Event.EventData.Data[1].'#text'
        ProcessId = $EventXML.Event.EventData.Data[2].'#text'
    }
} | Format-Table -AutoSize
  2. Check for correlation with Windows Time Service events:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'} -MaxEvents 10
  3. Identify the process responsible for time changes (this only works while that process is still running):
$ProcessId = 1234  # Replace with the actual Process ID from the event
Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
03

Investigate Windows Time Service Configuration

Examine Windows Time Service settings to understand automatic time synchronization behavior:

  1. Check current time service configuration:
w32tm /query /configuration
w32tm /query /status
  2. Review time service registry settings:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
  3. Check NTP server configuration:
w32tm /query /peers
w32tm /query /source
  4. Examine time service event logs:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'} | Select-Object TimeCreated, Id, LevelDisplayName, Message
  5. Test time synchronization manually:
w32tm /resync /rediscover
Pro tip: Use w32tm /stripchart /computer:time.windows.com to monitor time accuracy against a reference server.
04

Configure Time Change Auditing and Monitoring

Implement comprehensive monitoring for time changes to enhance security auditing:

  1. Enable advanced audit policies for time changes:
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
  2. Create a custom Event Viewer view for time-related events:

In Event Viewer, right-click Custom Views > Create Custom View:

  • Set Event level to Information, Warning, Error
  • Set Event IDs to: 8197, 1, 35, 37, 129, 131
  • Set Event sources to: Microsoft-Windows-Kernel-General, Microsoft-Windows-Time-Service
  3. Set up a PowerShell monitoring script. The WMI subscription below fires when a new System log record with Event ID 8197 is written (polled every 5 seconds):
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile='System' AND TargetInstance.EventCode=8197" -SourceIdentifier 'TimeChange8197' -Action {
    # Fetch the most recent 8197 record to get its full details
    $Event8197 = Get-WinEvent -FilterHashtable @{LogName='System'; Id=8197} -MaxEvents 1
    if ($Event8197) {
        Write-Host "Time change detected at $($Event8197.TimeCreated)"
        # Add notification logic here
    }
}
  4. Configure Group Policy for time synchronization (domain environments):

Navigate to Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and configure:

  • Configure Windows NTP Client: Enabled
  • Enable Windows NTP Client: Enabled
  • Enable Windows NTP Server: As needed
05

Advanced Security Analysis and Threat Detection

Perform comprehensive security analysis to identify potential malicious time manipulation:

  1. Correlate time changes with security events:
$StartTime = (Get-Date).AddHours(-24)
$SecurityEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    StartTime=$StartTime
    Id=4624,4625,4648,4672
}
$TimeEvents = Get-WinEvent -FilterHashtable @{
    LogName='System'
    StartTime=$StartTime
    Id=8197
}

# Flag security events that occurred within 5 minutes of a time change
$TimeEvents | ForEach-Object {
    $TimeChange = $_.TimeCreated
    $NearbySecEvents = $SecurityEvents | Where-Object {
        [Math]::Abs(($_.TimeCreated - $TimeChange).TotalMinutes) -lt 5
    }
    if ($NearbySecEvents) {
        Write-Host "Potential correlation found at $TimeChange"
        $NearbySecEvents | Format-Table TimeCreated, Id, Message
    }
}
  2. Check for unauthorized time manipulation tools:
Get-Process | Where-Object {$_.ProcessName -match "time|clock|sync"} | Select-Object Name, Id, StartTime, Path
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} | Where-Object {$_.Message -match "time|clock"}
  3. Analyze process execution around time changes (requires process creation auditing, Security Event ID 4688, to be enabled):
$TimeChangeEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=8197} -MaxEvents 10
foreach ($Event in $TimeChangeEvents) {
    $EventTime = $Event.TimeCreated
    $ProcessEvents = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4688
        StartTime=$EventTime.AddMinutes(-2)
        EndTime=$EventTime.AddMinutes(2)
    } -ErrorAction SilentlyContinue

    if ($ProcessEvents) {
        # ${EventTime} is braced so the trailing colon is not parsed as part of the variable name
        Write-Host "Process activity around time change at ${EventTime}:"
        # Extract the full path after "New Process Name:" (a plain split on ':' would truncate "C:\...")
        $ProcessEvents | Select-Object TimeCreated, @{n='ProcessName';e={[regex]::Match($_.Message, 'New Process Name:\s*(.+)').Groups[1].Value.Trim()}}
    }
}
Warning: Frequent unexpected time changes may indicate system compromise or hardware issues requiring immediate investigation.
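As an added example (not code from the original article), the function below combines the parsing from step 02 with the process attribution from step 05: it computes the size of each time jump and reports whether the change came from the Windows Time Service. It assumes the EventData fields are ordered Old Time, New Time, Process ID as described above, and that W32Time runs inside a svchost.exe whose PID can be matched against Win32_Service while the process is still alive.

```powershell
# Added example: summarise Event ID 8197 entries, compute the size of each time
# jump and attribute it to a Windows service. Assumes EventData order
# Old Time, New Time, Process ID (check the Details tab on your system).
function Get-TimeChangeReport {
    param(
        [int]$MaxEvents = 50,
        [double]$ThresholdSeconds = 300   # matches the default Kerberos clock skew tolerance
    )
    $events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=8197} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data    = ([xml]$e.ToXml()).Event.EventData.Data
        $oldText = $data[0].'#text'
        $newText = $data[1].'#text'
        $procId  = $data[2].'#text'

        # The time strings may be locale-formatted; DeltaSeconds is left empty when they do not parse
        $old = [datetime]::MinValue; $new = [datetime]::MinValue
        $parsed = [datetime]::TryParse($oldText, [ref]$old) -and [datetime]::TryParse($newText, [ref]$new)
        $deltaSeconds = if ($parsed) { [math]::Round(($new - $old).TotalSeconds, 1) } else { $null }

        # Which service owns the PID? Only answerable while that process is still running.
        $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue).Name
        $verdict = if ($services -contains 'w32time') { 'W32Time synchronization' }
                   elseif ($null -ne $deltaSeconds -and [math]::Abs($deltaSeconds) -gt $ThresholdSeconds) { 'Large jump from non-W32Time process: investigate' }
                   elseif (-not $services) { 'Source process no longer running: check Security 4688 around this time' }
                   else { "Adjustment by service(s): $($services -join ',')" }

        [PSCustomObject]@{
            TimeCreated  = $e.TimeCreated
            OldTime      = $oldText
            NewTime      = $newText
            DeltaSeconds = $deltaSeconds
            ProcessId    = $procId
            Verdict      = $verdict
        }
    }
}

# Show only the entries that were not routine W32Time adjustments
Get-TimeChangeReport | Where-Object { $_.Verdict -ne 'W32Time synchronization' } | Format-Table -AutoSize
```

Raising ThresholdSeconds on hosts with known-noisy clocks (for example virtual machines that resync from the hypervisor) keeps the report focused on jumps large enough to break Kerberos.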

Overview

Event ID 8197 from Microsoft-Windows-Kernel-General is logged whenever Windows detects a system time change that exceeds the configured threshold. This event captures both manual time adjustments and automatic time synchronization by the Windows Time Service (W32Time). The event records the old time, the new time, and the process responsible for the change.

This event serves as a critical audit trail for security compliance, particularly in environments where accurate timekeeping is essential for log correlation, Kerberos authentication, and regulatory requirements. The event fires regardless of whether the time change was initiated by an administrator, automatic NTP synchronization, or system processes.

You'll find this event in the System log under Event Viewer > Windows Logs > System. The event provides detailed information including the previous system time, new system time, and the process ID that initiated the change. Understanding this event is crucial for maintaining system security and troubleshooting time-related authentication issues.

Frequently Asked Questions

What does Event ID 8197 mean and why is it important?
Event ID 8197 indicates that Windows detected a system time change exceeding configured thresholds. This event is crucial for security auditing because unauthorized time changes can indicate malicious activity, system compromise, or attempts to evade security controls. It also helps troubleshoot time synchronization issues that can affect Kerberos authentication, log correlation, and compliance requirements. The event provides detailed information about the old time, new time, and the process responsible for the change.
How can I distinguish between legitimate and suspicious time changes in Event ID 8197?
Legitimate time changes typically originate from Windows Time Service (w32tm.exe), system processes during boot/resume, or scheduled NTP synchronization. Suspicious changes may come from unexpected processes, occur at unusual times, involve large time jumps, or correlate with other security events like failed logins or privilege escalation attempts. Check the Process ID in the event details and correlate with process execution logs (Security Event ID 4688) to identify the source. Regular small adjustments are normal, while sudden large changes warrant investigation.
Can Event ID 8197 help troubleshoot Kerberos authentication issues?
Yes, Event ID 8197 is valuable for diagnosing Kerberos problems because Kerberos is extremely sensitive to time skew. If clients and domain controllers have time differences exceeding 5 minutes (default), authentication fails. By reviewing Event ID 8197 alongside Kerberos error events (like Event ID 4), you can identify when time synchronization issues occurred and correlate them with authentication failures. This helps determine if time drift is causing intermittent login problems or service account authentication issues.
How do I configure Windows to reduce unnecessary Event ID 8197 entries?
You can adjust time synchronization settings to minimize frequent small adjustments that generate Event ID 8197. Configure W32Time service with appropriate polling intervals using 'w32tm /config /manualpeerlist:"server1,server2" /syncfromflags:manual /reliable:yes /update'. Set reasonable time correction thresholds in the registry at HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config. For virtual machines, ensure proper time synchronization with the hypervisor. However, don't disable time change logging entirely as it's important for security auditing.
What should I do if I see frequent Event ID 8197 entries on my system?
Frequent Event ID 8197 entries may indicate hardware clock drift, network connectivity issues with NTP servers, or system problems. First, check if your system's hardware clock is functioning properly using 'w32tm /query /status' and 'w32tm /stripchart /computer:time.windows.com'. Verify NTP server connectivity and response times. For domain-joined computers, ensure proper time hierarchy with domain controllers. Consider checking for hardware issues like failing CMOS battery, overheating, or power supply problems. If the system is virtualized, review time synchronization settings between guest and host.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
