Windows Event ID 903 – Microsoft-Windows-Kernel-General: System Time Changed

Start by examining the specific details of Event ID 903 to understand what triggered the time change.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → System
3. Filter for Event ID 903 by right-clicking the System log and selecting Filter Current Log
4. Enter 903 in the Event IDs field and click OK
5. Double-click on recent Event ID 903 entries to view detailed information
6. Note the Old Time and New Time values in the event data
7. Check the Process ID and Process Name to identify what caused the change

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=903} -MaxEvents 20 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

Investigate the Windows Time service configuration to determine if automatic synchronization is causing frequent time changes.

1. Open an elevated Command Prompt or PowerShell session
2. Check the current time service configuration:

w32tm /query /configuration

3. Review the time synchronization status:

w32tm /query /status

4. Check time synchronization peers:

w32tm /query /peers

5. For domain-joined computers, verify domain hierarchy synchronization:

w32tm /query /source

6. Review Group Policy settings affecting time synchronization in Computer Configuration\Administrative Templates\System\Windows Time Service
7. Check the registry for time service configuration at HKLM\SYSTEM\CurrentControlSet\Services\W32Time

Create a comprehensive analysis of time change patterns to identify trends and potential issues.

1. Use PowerShell to extract detailed time change information:

# Get Event ID 903 entries from the last 30 days
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=903; StartTime=(Get-Date).AddDays(-30)}

# Parse event data for analysis
$TimeChanges = foreach ($Event in $Events) {
    $EventXML = [xml]$Event.ToXml()
    $OldTime = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'OldTime'} | Select-Object -ExpandProperty '#text'
    $NewTime = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'NewTime'} | Select-Object -ExpandProperty '#text'
    
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        OldTime = [DateTime]::FromFileTime($OldTime)
        NewTime = [DateTime]::FromFileTime($NewTime)
        TimeDifference = ([DateTime]::FromFileTime($NewTime) - [DateTime]::FromFileTime($OldTime)).TotalSeconds
    }
}

# Display results
$TimeChanges | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

2. Analyze the frequency and magnitude of time changes:

# Group by day to identify patterns
$TimeChanges | Group-Object {$_.TimeCreated.Date} | Select-Object Name, Count | Sort-Object Name -Descending

3. Export results for further analysis:

$TimeChanges | Export-Csv -Path "C:\Temp\TimeChanges.csv" -NoTypeInformation

Set up comprehensive monitoring to track and alert on suspicious time changes for security purposes.

1. Enable advanced audit policy for time changes using Group Policy or local security policy:
2. Open Local Security Policy (secpol.msc) or Group Policy Management
3. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
4. Enable Audit System Integrity under System category
5. Create a PowerShell script for real-time monitoring:

# Real-time Event ID 903 monitor
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='System' AND EventCode=903" -Action {
    $Event = $Event.SourceEventArgs.NewEvent
    $Message = "Time change detected at {0}: {1}" -f $Event.TimeGenerated, $Event.Message
    Write-Host $Message -ForegroundColor Yellow
    
    # Optional: Send email alert or log to custom location
    Add-Content -Path "C:\Logs\TimeChangeAlerts.log" -Value "$(Get-Date): $Message"
}

6. Configure Windows Event Forwarding (WEF) to centralize time change events:

# Configure event forwarding subscription
wecutil cs TimeChangeSubscription.xml

7. Set up Task Scheduler to trigger actions on Event ID 903:
8. Open Task Scheduler and create a new task
9. Set trigger to On an event with Log: System, Source: Microsoft-Windows-Kernel-General, Event ID: 903
10. Configure appropriate actions such as running scripts or sending notifications

Perform advanced analysis to determine if time changes represent security threats or compliance violations.

1. Correlate Event ID 903 with security events using PowerShell:

# Correlate time changes with logon events
$TimeChanges = Get-WinEvent -FilterHashtable @{LogName='System'; Id=903; StartTime=(Get-Date).AddDays(-7)}
$LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-7)}

# Find logon events within 5 minutes of time changes
foreach ($TimeChange in $TimeChanges) {
    $StartWindow = $TimeChange.TimeCreated.AddMinutes(-5)
    $EndWindow = $TimeChange.TimeCreated.AddMinutes(5)
    
    $RelatedLogons = $LogonEvents | Where-Object {
        $_.TimeCreated -ge $StartWindow -and $_.TimeCreated -le $EndWindow
    }
    
    if ($RelatedLogons) {
        Write-Host "Time change at $($TimeChange.TimeCreated) correlates with $($RelatedLogons.Count) logon events" -ForegroundColor Red
    }
}

2. Check for privilege escalation attempts around time changes:

# Look for privilege use events (4672, 4673, 4674)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673,4674; StartTime=(Get-Date).AddDays(-7)} | Where-Object {
    $TimeChange = $TimeChanges | Where-Object {[Math]::Abs(($_.TimeCreated - $Event.TimeCreated).TotalMinutes) -lt 10}
    return $TimeChange -ne $null
}

3. Analyze process execution context for time changes:

# Extract process information from Event ID 903
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=903} -MaxEvents 50
foreach ($Event in $Events) {
    $EventXML = [xml]$Event.ToXml()
    $ProcessId = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text'
    $ProcessName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
    
    Write-Host "Time changed by Process: $ProcessName (PID: $ProcessId) at $($Event.TimeCreated)"
}

4. Review registry modifications related to time settings:
5. Check HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation for unauthorized changes
6. Monitor HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters for configuration tampering
7. Use Process Monitor (ProcMon) to track real-time registry access to time-related keys