Event ID 1 — The system time has changed to NewTime from OldTime.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: Informational
Collection Priority: Recommended (NSA)
Task: SystemTimeChange

Description

The system time has changed to NewTime from OldTime.

Message #

The system time has changed to %1 from %2.

Fields #

Name	Description
`NewTime` FILETIME	—
`OldTime` FILETIME	—
`TimeDeltaInMs` Int64	Time Delta.
`Reason` UInt32	Change Reason.
`ProcessName` UnicodeString	—
`ProcessID` UInt32	—
`CmosTime` FILETIME	RTC time.
`TimeZoneBias` Int32	Current time zone bias.
`RealTimeIsUniversal` Boolean	RTC time is in UTC.
`SystemInCmosMode` Boolean	System time was based on RTC time.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 1,
    "version": 4,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 9223372036854775824,
    "time_created": "2023-11-05T22:32:22.236350+00:00",
    "event_record_id": 1943,
    "correlation": {},
    "execution": {
      "process_id": 3308,
      "thread_id": 3676
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewTime": "2023-11-05T22:32:22.232000Z",
    "OldTime": "2023-11-05T22:32:20.942615Z",
    "TimeDeltaInMs": 1289,
    "Reason": 1,
    "ProcessName": "\\Device\\HarddiskVolume4\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
    "ProcessID": 3308,
    "CmosTime": "2023-11-05T14:32:22.232000Z",
    "TimeZoneBias": 480,
    "RealTimeIsUniversal": false,
    "SystemInCmosMode": false
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline