
Windows Event ID 8231 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 8231 fires when Windows detects a system time change, typically during time synchronization, manual adjustments, or hardware clock drift corrections.

Emanuel DE ALMEIDA
18 March 2026, 9 min read

What This Event Means

Event ID 8231 is generated by the Windows kernel whenever the system time undergoes a change that exceeds the kernel's threshold for normal clock drift. The event contains crucial metadata including the previous time, new time, and the process or service responsible for the change. This makes it an essential audit event for environments requiring strict time accuracy.

The event typically appears during several scenarios: Windows Time service synchronization with NTP servers, manual time changes through the Date & Time settings, time zone adjustments, or corrections applied after system hibernation or sleep. In virtualized environments, this event frequently occurs when VM time synchronization corrects drift between the guest and host systems.

From a security perspective, Event ID 8231 serves as an important indicator of potential tampering attempts. Malicious actors sometimes modify system time to evade log correlation or bypass time-based security controls. Security teams monitor these events to detect unauthorized time changes that could indicate compromise or insider threats.

The event's timing and frequency patterns also help diagnose underlying hardware issues. Excessive time change events may indicate failing CMOS batteries, faulty real-time clocks, or virtualization platform problems affecting time synchronization accuracy.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Windows Time service (W32Time) synchronizing with NTP servers or domain controllers
  • Manual time adjustments through Windows Settings or Control Panel
  • Time zone changes or daylight saving time transitions
  • System recovery from hibernation or sleep mode with significant time drift
  • Virtual machine time synchronization corrections
  • Hardware clock drift exceeding acceptable thresholds
  • Third-party time synchronization software making adjustments
  • BIOS/UEFI firmware updating system time during boot
  • Network time protocol client corrections after connectivity restoration
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 8231 to understand what triggered the time change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → System
  3. Filter for Event ID 8231 by right-clicking System → Filter Current Log, then entering 8231 in the Event IDs field
  4. Double-click on recent Event ID 8231 entries to view details
  5. Check the General tab for time change information and the process responsible
  6. Note the Old Time and New Time values in the event description
  7. Review the Details tab for additional XML data including the initiating process

Use PowerShell for bulk analysis:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=8231} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
02

Check Windows Time Service Configuration

Verify Windows Time service settings to ensure proper time synchronization behavior.

  1. Open Command Prompt as Administrator
  2. Check current time service status:
w32tm /query /status
  3. Review time source configuration:
w32tm /query /source
  4. Examine detailed time service configuration:
w32tm /query /configuration
  5. For domain-joined systems, verify domain hierarchy:
w32tm /query /peers
  6. Check time synchronization logs (run this one in PowerShell):
Get-WinEvent -LogName 'Microsoft-Windows-Time-Service/Operational' -MaxEvents 20
Pro tip: Use w32tm /resync /rediscover to force immediate time synchronization and generate Event ID 8231 for testing.
03

Analyze Time Change Patterns and Frequency

Investigate patterns in time change events to identify underlying issues or security concerns.

  1. Generate a comprehensive report of time change events:
# Collect the last 30 days of Event ID 8231 and flatten each record into one CSV row.
# C:\Temp must already exist.
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=8231; StartTime=(Get-Date).AddDays(-30)}
$Events | ForEach-Object {
    $XML = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        OldTime = $XML.Event.EventData.Data[0].'#text'
        NewTime = $XML.Event.EventData.Data[1].'#text'
        # System/Execution identifies the process and thread that logged the event
        ProcessId = $XML.Event.System.Execution.ProcessID
        ThreadId = $XML.Event.System.Execution.ThreadID
    }
} | Export-Csv -Path "C:\Temp\TimeChanges.csv" -NoTypeInformation
  2. Check for excessive frequency indicating hardware issues:
# Count events per calendar day over the last week and list days with more than 10
$DailyCount = Get-WinEvent -FilterHashtable @{LogName='System'; Id=8231; StartTime=(Get-Date).AddDays(-7)} | Group-Object {$_.TimeCreated.Date} | Select-Object Name, Count
$DailyCount | Where-Object {$_.Count -gt 10}
  3. Identify unusual time changes outside business hours:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=8231; StartTime=(Get-Date).AddDays(-7)} | Where-Object {$_.TimeCreated.Hour -lt 6 -or $_.TimeCreated.Hour -gt 22}
  4. Cross-reference with security logs for potential correlation:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddHours(-1)} | Select-Object TimeCreated, Id, Message
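
The OldTime/NewTime report from step 1 can also be scored for the conditions this page treats as suspicious: large adjustments and off-hours changes, extended here to backward jumps. This is an added example, not part of the original article; the function name Get-TimeChangeFinding, the 300-second threshold and the sample records are assumptions constructed for illustration.

```powershell
# Added example: score time-change records by size, direction and time of day.
# Expects the TimeCreated/OldTime/NewTime columns produced by the report in step 1.
function Get-TimeChangeFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,
        # Assumption: 300 s matches the default Kerberos clock-skew tolerance (5 minutes).
        [double]$LargeJumpSeconds = 300
    )
    begin {
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
        $style   = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    }
    process {
        # Both values are normalised to UTC before subtracting.
        $old   = [datetime]::Parse($Record.OldTime, $culture, $style)
        $new   = [datetime]::Parse($Record.NewTime, $culture, $style)
        $delta = ($new - $old).TotalSeconds
        $seen  = [datetime]$Record.TimeCreated   # local time the event was logged

        $flags = @()
        if ($delta -lt 0)                              { $flags += 'Backward' }
        if ([math]::Abs($delta) -ge $LargeJumpSeconds) { $flags += 'LargeJump' }
        if ($seen.Hour -lt 6 -or $seen.Hour -gt 22)    { $flags += 'OffHours' }

        [pscustomobject]@{
            TimeCreated  = $seen
            DeltaSeconds = [math]::Round($delta, 3)
            Flags        = $flags -join ','
        }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = '2026-03-10 09:15:02'; OldTime = '2026-03-10T08:15:01.812Z'; NewTime = '2026-03-10T08:15:02.004Z' }
    [pscustomobject]@{ TimeCreated = '2026-03-11 02:40:13'; OldTime = '2026-03-11T01:40:13.000Z'; NewTime = '2026-03-10T23:40:13.000Z' }
    [pscustomobject]@{ TimeCreated = '2026-03-11 14:00:00'; OldTime = '2026-03-11T13:00:00.000Z'; NewTime = '2026-03-11T14:00:00.000Z' }
    [pscustomobject]@{ TimeCreated = '2026-03-12 23:30:45'; OldTime = '2026-03-12T22:30:45.500Z'; NewTime = '2026-03-12T22:30:45.000Z' }
)

# Show only flagged records, largest adjustment first.
$sample | Get-TimeChangeFinding | Where-Object Flags |
    Sort-Object { [math]::Abs($_.DeltaSeconds) } -Descending |
    Format-Table -AutoSize
```

To run it against real data, pipe `Import-Csv C:\Temp\TimeChanges.csv` into the function instead of `$sample`.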
04

Configure Time Change Auditing and Monitoring

Implement comprehensive monitoring for time change events to enhance security and troubleshooting capabilities.

  1. Enable detailed time service logging:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config" /v EventLogFlags /t REG_DWORD /d 3 /f
  2. Configure Group Policy for time change auditing (on domain controllers):
     • Open Group Policy Management → Edit Default Domain Policy
     • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
     • Enable Audit System Time Change under System Audit Policies
  3. Create a scheduled task to monitor excessive time changes:
# `$_ is escaped so it is evaluated by the scheduled PowerShell process, not expanded when the task is defined
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command Get-WinEvent -FilterHashtable @{LogName='System'; Id=8231; StartTime=(Get-Date).AddHours(-1)} | Measure-Object | Where-Object {`$_.Count -gt 5} | ForEach-Object {Send-MailMessage -To 'admin@company.com' -From 'monitoring@company.com' -Subject 'Excessive Time Changes Detected' -Body 'Multiple time change events detected in the last hour' -SmtpServer 'mail.company.com'}"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName "TimeChangeMonitor" -Action $Action -Trigger $Trigger -RunLevel Highest
  4. Set up Windows Event Forwarding for centralized monitoring:
wecutil cs subscription.xml
Warning: Excessive time service logging can generate significant log volume. Monitor disk space usage after enabling detailed logging.
05

Troubleshoot Hardware and Virtualization Time Issues

Address underlying hardware or virtualization problems causing frequent time changes.

  1. Check CMOS battery status and hardware clock accuracy:
w32tm /stripchart /computer:pool.ntp.org /samples:5 /dataonly
  2. For virtual machines, verify time synchronization settings:
     • VMware: Check VMware Tools time synchronization in VM settings
     • Hyper-V: Verify Integration Services time synchronization component
     • VirtualBox: Configure time synchronization in Guest Additions
  3. Disable VM time synchronization if using NTP:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider" /v Enabled /t REG_DWORD /d 0 /f
  4. Configure high-precision time for critical systems (RealTimeIsUniversal makes Windows treat the hardware clock as UTC):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v RealTimeIsUniversal /t REG_DWORD /d 1 /f
  5. Test hardware clock stability:
$StartTime = Get-Date
Start-Sleep -Seconds 3600  # Wait 1 hour
$EndTime = Get-Date
$Drift = ($EndTime - $StartTime).TotalSeconds - 3600
Write-Host "Clock drift: $Drift seconds per hour"
  6. For persistent issues, consider external NTP appliances or GPS time sources for critical infrastructure
Pro tip: In virtualized environments, configure the host system as the authoritative time source and disable guest time synchronization to prevent conflicts.

Overview

Event ID 8231 from Microsoft-Windows-Kernel-General appears in the System log whenever Windows detects a change in system time. This event fires during normal time synchronization operations, manual time adjustments through Control Panel or Settings, or when the system corrects for hardware clock drift. The event captures both the old and new time values, making it valuable for audit trails and troubleshooting time-related issues.

This event is particularly important in enterprise environments where accurate timekeeping is critical for Kerberos authentication, file timestamps, and compliance requirements. Domain-joined systems typically generate this event during regular NTP synchronization with domain controllers, while standalone systems may trigger it during internet time server updates or manual adjustments.

The event provides detailed information about what initiated the time change, whether it was a service, user action, or system process. Understanding when and why these events occur helps administrators maintain proper time synchronization across their infrastructure and identify potential security concerns related to unauthorized time modifications.

Frequently Asked Questions

What does Event ID 8231 mean and should I be concerned?
Event ID 8231 indicates that Windows detected a system time change. This is typically normal behavior during time synchronization with NTP servers, manual time adjustments, or time zone changes. You should only be concerned if these events occur frequently without explanation, happen outside normal business hours, or coincide with other suspicious activities. Regular time synchronization events are expected and necessary for proper system operation.
How can I determine what caused a specific Event ID 8231?
Check the event details in Event Viewer to see the process ID and thread ID responsible for the time change. Cross-reference this with the Windows Time service logs and Task Manager or Process Monitor to identify the specific service or application. Common causes include w32time.exe for NTP synchronization, explorer.exe for manual changes through Settings, or vmtoolsd.exe for VM time synchronization. The event description also shows the old and new time values to help determine the magnitude of the change.
Why am I seeing multiple Event ID 8231 entries every day?
Multiple daily occurrences usually indicate normal time synchronization behavior, especially in domain environments where systems sync with domain controllers regularly. However, excessive events (more than 10-15 per day) may suggest hardware clock drift, virtualization time sync conflicts, or failing CMOS batteries. Check your Windows Time service configuration with 'w32tm /query /status' and verify that time sources are accessible and responding properly.
Can Event ID 8231 indicate a security issue?
Yes, Event ID 8231 can indicate security concerns if time changes occur unexpectedly or outside normal patterns. Attackers sometimes modify system time to evade log correlation, bypass time-based security controls, or interfere with Kerberos authentication. Monitor for time changes during off-hours, large time adjustments, or changes that coincide with other suspicious activities. Implement time change auditing and correlate these events with security logs to detect potential threats.
How do I prevent unnecessary Event ID 8231 entries in virtualized environments?
In virtual environments, disable guest time synchronization if you're using NTP for time management. For VMware, uncheck time synchronization in VM settings and VMware Tools. For Hyper-V, disable the time synchronization integration service. Configure the host system as an authoritative time source and ensure all VMs sync with reliable NTP servers instead of relying on hypervisor time sync. This prevents conflicts between VM time sync and NTP, reducing unnecessary time change events.
Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
