Description

The time provider 'TimeProvider' logged the following error: ErrorMessage.

Message #

The time provider '%1' logged the following error: %2

Fields #

Description

The time provider 'TimeProvider' logged the following warning: ErrorMessage.

Message #

The time provider '%1' logged the following warning: %2

Fields #

Description

The time provider 'TimeProvider' logged the following message: ErrorMessage.

Message #

The time provider '%1' logged the following message: %2

Fields #

Description

The time provider 'TimeProvider' failed to start due to the following error: ErrorMessage.

Message #

The time provider '%1' failed to start due to the following error: %2

Fields #

Description

The time provider 'TimeProvider' returned the following error during shutdown: ErrorMessage.

Message #

The time provider '%1' returned the following error during shutdown: %2

Fields #

Description

The time service encountered an error while reading its configuration from the registry, and will continue running with its previous configuration. The error was: ErrorMessage.

Message #

The time service encountered an error while reading its configuration from the registry, and will continue running with its previous configuration. The error was: %1

Fields #

Description

The time provider 'TimeProvider' returned an error while updating its configuration. The error will be ignored. The error was: ErrorMessage.

Message #

The time provider '%1' returned an error while updating its configuration. The error will be ignored. The error was: %2

Fields #

Description

The time provider 'TimeProvider' returned an error when notified of a polling interval change. The error will be ignored. The error was: ErrorMessage.

Message #

The time provider '%1' returned an error when notified of a polling interval change. The error will be ignored. The error was: %2

Fields #

Description

The time provider 'TimeProvider' returned an error when notified of a time jump. The error will be ignored. The error was: ErrorMessage.

Message #

The time provider '%1' returned an error when notified of a time jump. The error will be ignored. The error was: %2

Fields #

Description

The time provider 'TimeProvider' returned an error when asked for time samples. The error will be ignored. The error was: ErrorMessage.

Message #

The time provider '%1' returned an error when asked for time samples. The error will be ignored. The error was: %2

Fields #

Message #

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is not a member of a domain. NtpClient will attempt to use an alternate configured external time source if available. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Message #

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:00:42.976192+00:00",
    "event_record_id": 1289,
    "correlation": {},
    "execution": {
      "process_id": 384,
      "thread_id": 516
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_DOMAIN_HIERARCHY_ROOT"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message #

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but the computer is joined to a Windows NT 4.0 domain. Windows NT 4.0 domain controllers do not have a time service and do not support domain hierarchy as a time source. NtpClient will attempt to use an alternate configured external time source if available. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Description

The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in RetryMinutes minutes.

Message #

The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in %1 minutes.

Fields #

Description

The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will fall back to the remaining configured time sources, if any are available. The error was: ErrorMessage.

Message #

The time provider NtpClient was unable to find a domain controller to use as a time source.  NtpClient will fall back to the remaining configured time sources, if any are available. The error was: %1

Fields #

Description

Time Provider NtpClient: An unexpected error occurred during DNS lookup of the manually configured peer 'ManualPeer'. This peer will not be used as a time source. The error was: ErrorMessage.

Message #

Time Provider NtpClient: An unexpected error occurred during DNS lookup of the manually configured peer '%1'. This peer will not be used as a time source. The error was: %2

Fields #

Description

Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'ManualPeer'. NtpClient will try the DNS lookup again in RetryMinutes minutes. The error was: ErrorMessage.

Message #

Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer '%1'. NtpClient will try the DNS lookup again in %3 minutes. The error was: %2

Fields #

Description

The time provider NtpClient failed to establish a trust relationship between this computer and the domain in order to securely synchronize time. NtpClient will try again in minutes. The error was.

Message #

The time provider NtpClient failed to establish a trust relationship between this computer and the %1 domain in order to securely synchronize time. NtpClient will try again in %3 minutes. The error was: %2

Fields #

Message #

Logging was requested, but the time service encountered an error while trying to set up the log file: %1. The error was: %2. Please make sure that 'Local Service' has permission to write to the file or directory.

Fields #

Description

Logging was requested, but the time service encountered an error while trying to write to the log file: LogFile. The error was: ErrorMessage.

Message #

Logging was requested, but the time service encountered an error while trying to write to the log file: %1. The error was: %2

Fields #

Description

The time service is configured to use one or more input providers, however, none of the input providers are available. The time service has no source of accurate time.

Message #

The time service is configured to use one or more input providers, however, none of the input providers are available. The time service has no source of accurate time.

Message #

The time provider NtpServer encountered an error while digitally signing the NTP response for peer %1. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: %2

Fields #

Message #

The time provider NtpServer encountered an error while digitally signing the NTP response for symmetric peer %1. NtpServer cannot provide secure (signed) time to the peer and will not send a packet. The error was: %2

Fields #

Message #

Time Provider NtpClient: No valid response has been received from domain controller %1 after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: %2

Fields #

Description

The time provider NtpClient cannot determine whether the response received from DomainPeer has a valid signature. The response will be ignored. The error was: ErrorMessage.

Message #

The time provider NtpClient cannot determine whether the response received from %1 has  a valid signature. The response will be ignored. The error was: %2

Fields #

Description

Time Provider NtpClient: The response received from domain controller DomainPeer has a bad signature. The response may have been tampered with and will be ignored.

Message #

Time Provider NtpClient: The response received from domain controller %1 has a bad signature. The response may have been tampered with and will be ignored.

Fields #

Description

Time Provider NtpClient: The response received from domain controller DomainPeer is missing the signature. The response may have been tampered with and will be ignored.

Message #

Time Provider NtpClient: The response received from domain controller %1 is missing the signature. The response may have been tampered with and will be ignored.

Fields #

Description

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are accessible. NtpClient has no source of accurate time.

Message #

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are accessible. NtpClient has no source of accurate time.

Message #

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for %1 minutes. NtpClient has no source of accurate time.

Fields #

Description

The time service encountered an error while reading its configuration from the registry and cannot start. The error was: ErrorMessage.

Message #

The time service encountered an error while reading its configuration from the registry and cannot start. The error was: %1

Fields #

Message #

The time service discovered that the system time zone information was corrupted. Because many system components require valid time zone information, the time service has reset the system time zone to GMT. Use the Date/Time control panel to set the correct time zone.

Description

The time service discovered that the system time zone information was corrupted. The time service tried to reset the system time zone to GMT, but failed. The time service cannot start. The error was.

Message #

The time service discovered that the system time zone information was corrupted. The time service tried to reset the system time zone to GMT, but failed. The time service cannot start. The error was: %1

Fields #

Message #

The time service has jumped the local system clock by %1 seconds. This occurs when the time source and local system time are far enough apart that clock rate adjustments cannot be made to reach the time specified by the time source.

Fields #

Message #

The time service has detected that the system time needs to be  changed by %1 seconds. The time service will not change the system time by more than %2 seconds. Verify that your time and time zone are correct, and that the time source %3 is working properly.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 34,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-04T07:40:21.081156+00:00",
    "event_record_id": 729,
    "correlation": {},
    "execution": {
      "process_id": 1832,
      "thread_id": 600
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_TIME_CHANGE_TOO_BIG",
    "SystemTimeChangeSeconds": 2660727,
    "MaxSystemTimeChangeSeconds": 54000,
    "TimeSource": "time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->40.119.148.38:123)"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The time service is now synchronizing the system time with the time source Name with reference id TimeSource. Current local stratum number is TimeSourceRefId.

Message #

The time service is now synchronizing the system time with the time source %1 with reference id %2. Current local stratum number is %3.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 35,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T22:26:18.430557+00:00",
    "event_record_id": 1711,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1720
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_TIME_SOURCE_CHOSEN",
    "TimeSource": "time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->40.119.148.38:123)",
    "TimeSourceRefId": 647264040,
    "CurrentStratumNumber": 4
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message #

The time service has not synchronized the system time for the last %1 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients after %2 seconds. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization. You can control the frequency of the time source rediscovery using ClockHoldoverPeriod W32time config setting. Modify the EventLogFlags W32time config setting if you wish to disable this message.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 36,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2016-09-17T22:53:43.100250Z",
    "event_record_id": 7768,
    "correlation": {},
    "execution": {
      "process_id": 860,
      "thread_id": 3624
    },
    "channel": "System",
    "computer": "IE10Win7",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "UnsynchronizedTimeSeconds": 86400
  }
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The time provider NtpClient is currently receiving valid time data from Name.

Message #

The time provider NtpClient is currently receiving valid time data from %1.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 37,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:53.238092+00:00",
    "event_record_id": 1708,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1744
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_TIME_SOURCE_REACHABLE",
    "TimeSource": "time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->40.119.148.38:123)"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The time provider NtpClient has not received response from server TimeSource.

Message #

The time provider NtpClient has not received response from server %1.

Fields #

Message #

The time service is unable to register for network configuration change events. This may occur when TCP/IP is not correctly configured. The time service will be unable to sync time from network providers, but will still use locally installed hardware provdiers, if any are available.

Description

The time provider 'TimeProvider' was stopped with error ErrorMessage.

Message #

The time provider '%1' was stopped with error %2.

Fields #

Description

The time service has been configured to use one or more input providers, however, none of the input providers are still running. The time service has no source of accurate time.

Message #

The time service has been configured to use one or more input providers, however, none of the input providers are still running. The time service has no source of accurate time.

Description

The time service attempted to create a named event which was already opened. This could be the result of an attempt to compromise your system's security.

Message #

The time service attempted to create a named event which was already opened. This could be the result of an attempt to compromise your system's security.

Description

The time provider 'TimeProvider' returned an error when notified of a network configuration change. The error will be ignored. The error was: ErrorMessage.

Message #

The time provider '%1' returned an error when notified of a network configuration change. The error will be ignored. The error was: %2

Fields #

Description

The time provider NtpClient encountered an error and was forced to shut down. The error was: ErrorMessage.

Message #

The time provider NtpClient encountered an error and was forced to shut down. The error was: %1

Fields #

Description

The time provider NtpServer encountered an error and was forced to shut down. The error was: ErrorMessage.

Message #

The time provider NtpServer encountered an error and was forced to shut down. The error was: %1

Fields #

Description

The time service encountered an error and was forced to shut down. The error was: ErrorMessage.

Message #

The time service encountered an error and was forced to shut down. The error was: %1

Fields #

Message #

Time Provider NtpClient: No valid response has been received from manually configured peer %1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: %2

Fields #

Message #

Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer '%1'. NtpClient will continue to try the DNS lookup every %3 minutes. This message will not be logged again until a successful lookup of this manually configured peer occurs. The error was: %2

Fields #

Message #

The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will continue trying to locate an AD DC every %1 minutes. This message will not be logged again until after a domain controller is found.

Fields #

Message #

The time service detected a time difference of greater than %1 milliseconds for %2 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 50,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-04T11:05:00.453780+00:00",
    "event_record_id": 1054,
    "correlation": {},
    "execution": {
      "process_id": 1832,
      "thread_id": 600
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_LOCALCLOCK_UNSET",
    "TimeDifferenceMilliseconds": 5000,
    "TimeSampleSeconds": 900
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Time Provider NtpClient: The time sample received from peer Peer differs from the local time by TimeDifferenceSeconds seconds. The observed transmission delay from the server was TransmissionDelayMilliseconds milliseconds.

Message #

Time Provider NtpClient: The time sample received from peer %1 differs from the local time by %2 seconds. The observed transmission delay from the server was %3 milliseconds.

Fields #

Description

The time service has set the time with offset Name seconds.

Message #

The time service has set the time with offset %1 seconds.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 52,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:10:56.758456+00:00",
    "event_record_id": 484,
    "correlation": {},
    "execution": {
      "process_id": 1192,
      "thread_id": 1252
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_TIME_JUMP_AUDIT",
    "TimeOffsetSeconds": 32399
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The time provider NtpClient fails sending request to server Peer.

Message #

The time provider NtpClient fails sending request to server %1.

Fields #

Description

The time service encountered an error while refreshing its configuration in the registry and cannot start. The error was: ErrorMessage.

Message #

The time service encountered an error while refreshing its configuration in the registry and cannot start. The error was: %1

Fields #

Description

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in RetryMinutes minutes and double the reattempt interval thereafter. The error was: ErrorMessage.

Message #

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in %2 minutes and double the reattempt interval thereafter. The error was: %1

Fields #

Message #

NtpClient was unable to set a domain peer to use as a time source because of failure in establishing  a trust relationship between this computer and the '%3' domain in order to securely synchronize time. NtpClient will try again in %2 minutes and double the reattempt interval thereafter. The error was: %1

Fields #

Message #

NtpClient was unable to set a domain peer to use as a time source because of DNS resolution error on '%3'. NtpClient will try again in %2 minutes and double the reattempt interval thereafter. The error was: %1.

Fields #

Message #

NtpClient was unable to set a domain peer to use as a time source because of duplicate error on '%3'.  The same time source '%4' has been specified as manual peer in NtpServer. NtpClient will try again in %2 minutes and double the reattempt interval thereafter. The error was: %1

Fields #

Description

NtpClient was unable to set a domain peer to use a time source because of an unexpected error. NtpClient will try again in RetryMinutes minutes and double the reattempt interval thereafter. The error was: ErrorMessage.

Message #

NtpClient was unable to set a domain peer to use a time source because of an unexpected error.  NtpClient will try again in %2 minutes and double the reattempt interval thereafter. The error was: %1

Fields #

Message #

NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on '%3'. NtpClient will try again in %2 minutes and double the reattempt interval thereafter. The error was: %1

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 134,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:41.154964+00:00",
    "event_record_id": 1685,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1720
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_MANUAL_PEER_DNS_ERROR",
    "ErrorMessage": "No such host is known. (0x80072AF9)",
    "RetryMinutes": 15,
    "DomainPeer": "time.windows.com,0x9"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message #

NtpClient was unable to set a manual peer to use as a time source because of duplicate error on '%3'. The same time source '%4' has been either specified as manual peer in NtpServer or selected as domain peer.  NtpClient will try again in %2 minutes and double the reattempt interval thereafter. The error was: %1

Fields #

Description

NtpClient was unable to set a manual peer to use as a time source because of an unexpected error. NtpClient will try again in minutes and double the reattempt interval thereafter. The error was.

Message #

NtpClient was unable to set a manual peer to use as a time source because of an unexpected error. NtpClient will try again in %2 minutes and double the reattempt interval thereafter. The error was: %1

Fields #

Description

NtpClient succeeds in resolving manual peer Name after a previous failure.

Message #

NtpClient succeeds in resolving manual peer %1 after a previous failure.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 137,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:53.213446+00:00",
    "event_record_id": 1707,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1744
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_MANUAL_PEER_SUCCESS_ERROR",
    "ManualPeer": "time.windows.com,0x9"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

NtpClient succeeds in resolving domain peer DomainPeer after a previous failure.

Message #

NtpClient succeeds in resolving domain peer %1 after a previous failure.

Fields #

Description

The time service has started advertising as a time source.

Message #

The time service has started advertising as a time source.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 139,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:53:20.719081+00:00",
    "event_record_id": 1210,
    "correlation": {},
    "execution": {
      "process_id": 384,
      "thread_id": 2288
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_START_ADVERTISING"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The time service has stopped advertising as a time source because the local machine is not an Active Directory Domain Controller.

Message #

The time service has stopped advertising as a time source because the local machine is not an Active Directory Domain Controller.

Description

The time service has stopped advertising as a time source because there are no providers running.

Message #

The time service has stopped advertising as a time source because there are no providers running.

Description

The time service has stopped advertising as a time source because the local clock is not synchronized.

Message #

The time service has stopped advertising as a time source because the local clock is not synchronized.

Description

The time service has started advertising as a good time source.

Message #

The time service has started advertising as a good time source.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 143,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:53:20.719083+00:00",
    "event_record_id": 1211,
    "correlation": {},
    "execution": {
      "process_id": 384,
      "thread_id": 2288
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_EVENT_START_ADVERTISING_GT"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The time service has stopped advertising as a good time source.

Message #

The time service has stopped advertising as a good time source.

Description

The time service has stopped advertising as a time source.

Message #

The time service has stopped advertising as a time source.

Description

The RODC has received ChainingCountRequests requests in the previous ChainLoggingRate minutes. ChainingCountSuccess have resulted in success, and ChainingCountFailure have resulted in failure.

Message #

The RODC has received %1 requests in the previous %2 minutes. %3 have resulted in success, and %4 have resulted in failure.

Fields #

Description

The time sample was rejected because: Duplicate timestamps were received from this peer.

Message #

The time sample was rejected because: Duplicate timestamps were received from this peer.

Description

The time sample was rejected because: Message was received out-of-order.

Message #

The time sample was rejected because: Message was received out-of-order.

Message #

The time sample was rejected because: The peer is not synchronized, or reachability has been lost in one, or both, directions. This may also indicate that the peer has incorrectly sent an NTP request instead of an NTP response.

Description

The time sample was rejected because: Round-trip delay too large.

Message #

The time sample was rejected because: Round-trip delay too large.

Description

The time sample was rejected because: Packet not authenticated.

Message #

The time sample was rejected because: Packet not authenticated.

Description

The time sample was rejected because: The peer is not synchronized, or it has been too long since the peer's last synchronization.

Message #

The time sample was rejected because: The peer is not synchronized, or it has been too long since the peer's last synchronization.

Description

The time sample was rejected because: The peer's stratum is less than the host's stratum.

Message #

The time sample was rejected because: The peer's stratum is less than the host's stratum.

Description

The time sample was rejected because: Packet contains unreasonable root delay or root dispersion values. This may be caused by poor network conditions.

Message #

The time sample was rejected because: Packet contains unreasonable root delay or root dispersion values. This may be caused by poor network conditions.

Description

The RODC was unable to forward a time sync request from client RID ClientRID because the client's RID value is too large and the domain peer (DomainPeer) does not support the uplevel timesync authentication format.

Message #

The RODC was unable to forward a time sync request from client RID %1 because the client's RID value is too large and the domain peer (%2) does not support the uplevel timesync authentication format.

Fields #

Message #

The time provider NtpServer received a request from a client (%1) using a legacy protocol format. The request has been ignored per the RequireSecureTimeSyncRequests policy setting. By default, this message will be logged only once per day per unique client address.

Fields #

Message #

The time provider '%1' has indicated that the current hardware and operating environment is not supported and has stopped. This behavior is expected for VMICTimeProvider on non-HyperV-guest environments. This may be the expected behavior for the current provider in the current operating environment as well.

Fields #

Message #

W32time is unable to communicate with Netlogon Service. This failure prevents NTPClient from discovering and using domain peers, besides causing problems with correct W32time service state being advertised by Netlogon. This could be a temporary condition that resolves itself shortly. If this warning repeats over a considerable period of time, ensure the Netlogon service is running and is responsive and restart W32time service to reintiaize the overall state. The error was %1

Fields #

Description

W32time service has started at Name (UTC), System Tick Count CurrentTime(UTC).

Message #

W32time service has started at %1 (UTC), System Tick Count %2.
Configuration:
%3
Time Providers:
%4Clock Rate:%5
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 257,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:25:38.783993+00:00",
    "event_record_id": 13,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1684
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_STARTUP",
    "CurrentTime(UTC)": "2023-11-06T06:25:38.783Z",
    "TickCount": 63156,
    "Configuration": "EventLogFlags: 2 (Local)\nAnnounceFlags: 10 (Local)\nTimeJumpAuditOffset: 28800 (Local)\nMinPollInterval: 10 (Local)\nMaxPollInterval: 15 (Local)\nMaxNegPhaseCorrection: 54000 (Local)\nMaxPosPhaseCorrection: 54000 (Local)\nMaxAllowedPhaseOffset: 1 (Local)\n\nFrequencyCorrectRate: 4 (Local)\nPollAdjustFactor: 5 (Local)\nLargePhaseOffset: 50000000 (Local)\nSpikeWatchPeriod: 900 (Local)\nLocalClockDispersion: 10 (Local)\nHoldPeriod: 5 (Local)\nPhaseCorrectRate: 1 (Local)\nUpdateInterval: 360000 (Local)\n\nFileLogName:  (Undefined or not used)\nFileLogEntries:  (Undefined or not used)\nFileLogSize: 0 (Undefined or not used)\nFileLogFlags: 0 (Undefined or not used)\n\nUtilizeSslTimeData: 1 (Local)\n\n[Leap Seconds]\nEnabled: 1 (Local)\nTotal Leap Seconds (after June 2018): 0 (Local)\nCurrent UTC offset: 0 (Local)\n",
    "TimeProviders": "NtpClient (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\nCrossSiteSyncFlags: 0 (Undefined or not used)\nAllowNonstandardModeCombinations: 1 (Local)\nResolvePeerBackoffMinutes: 15 (Local)\nResolvePeerBackoffMaxTimes: 7 (Local)\nCompatibilityFlags: 2147483648 (Local)\nEventLogFlags: 1 (Local)\nLargeSampleSkew: 3 (Local)\nSpecialPollInterval: 32768 (Local)\nType: NTP (Local)\nNtpServer: time.windows.com,0x9 (Local)\n\nVMICTimeProvider (Local)\nDllName: C:\\Windows\\System32\\vmictimeprovider.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\n\nNtpServer (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 0 (Local)\nInputProvider: 0 (Local)\n\n\n",
    "ClockRate": 156250
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

W32time service is stopping at Name (UTC), System Tick Count CurrentTime(UTC) with return code: TickCount.

Message #

W32time service is stopping at %1 (UTC), System Tick Count %2 with return code: %3
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 258,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-05T22:26:57.771292+00:00",
    "event_record_id": 23,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1716
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_SHUTDOWN",
    "CurrentTime(UTC)": "2023-11-05T22:26:57.771Z",
    "TickCount": 117000,
    "ErrorMessage": "0x00000000: Success."
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

NTP Client provider periodic status.

Message #

NTP Client provider periodic status:
Ntp Client is receiving time data from the following NTP Servers: %1  and the chosen reference time server is %2. System Tick Count %3. IFTSTMP:%4.
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 259,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T17:04:16.813693+00:00",
    "event_record_id": 57,
    "correlation": {},
    "execution": {
      "process_id": 384,
      "thread_id": 4252
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_NTP_CLIENT_TIME_SOURCES",
    "AllNtpServers": ";",
    "ChosenReferenceNtpServer": "",
    "TickCount": 703843,
    "IFTSTMP": 1
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

W32time Service periodic configuration and status message.

Message #

W32time Service periodic configuration and status message
Configuration:
%1
Time Providers:
%2
Current Status:
Leap Indicator: %3
Stratum: %4
Precision: %5
RootDelay: %6
RootDispersion: %7
ReferenceId: %8
Last Successful Sync Time: %9 (UTC)
Source: %10
Poll Interval: %11
Phase Offset: %12
Clock Rate: %13
State Machine: %14
Time Source Flags: %15
Server Role: %16
Last Sync Error: %17
Time Since Last Good Sync: %18
System Tick Count: %19
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 260,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T17:03:12.815732+00:00",
    "event_record_id": 56,
    "correlation": {},
    "execution": {
      "process_id": 384,
      "thread_id": 4252
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_PERIODIC_CONFIG_STATUS",
    "Configuration": "EventLogFlags: 2 (Local)\nAnnounceFlags: 10 (Local)\nTimeJumpAuditOffset: 28800 (Local)\nMinPollInterval: 6 (Local)\nMaxPollInterval: 10 (Local)\nMaxNegPhaseCorrection: 172800 (Local)\nMaxPosPhaseCorrection: 172800 (Local)\nMaxAllowedPhaseOffset: 300 (Local)\n\nFrequencyCorrectRate: 4 (Local)\nPollAdjustFactor: 5 (Local)\nLargePhaseOffset: 50000000 (Local)\nSpikeWatchPeriod: 900 (Local)\nLocalClockDispersion: 10 (Local)\nHoldPeriod: 5 (Local)\nPhaseCorrectRate: 7 (Local)\nUpdateInterval: 100 (Local)\n\nFileLogName:  (Undefined or not used)\nFileLogEntries:  (Undefined or not used)\nFileLogSize: 0 (Undefined or not used)\nFileLogFlags: 0 (Undefined or not used)\n\nUtilizeSslTimeData: 1 (Local)\n\n[Leap Seconds]\nEnabled: 1 (Local)\nTotal Leap Seconds (after June 2018): 0 (Local)\nCurrent UTC offset: 0 (Local)\n",
    "TimeProviders": "NtpClient (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\nCrossSiteSyncFlags: 2 (Local)\nAllowNonstandardModeCombinations: 1 (Local)\nResolvePeerBackoffMinutes: 15 (Local)\nResolvePeerBackoffMaxTimes: 7 (Local)\nCompatibilityFlags: 2147483648 (Local)\nEventLogFlags: 1 (Local)\nLargeSampleSkew: 3 (Local)\nSpecialPollInterval: 1024 (Local)\nType: NT5DS (Local)\nNtpServer:  (Undefined or not used)\n\nNtpServer (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 0 (Local)\nAllowNonstandardModeCombinations: 1 (Local)\nEventLogFlags: 0 (Undefined or not used)\n\nVMICTimeProvider (Local)\nDllName: C:\\Windows\\System32\\vmictimeprovider.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\n\n\n",
    "LeapIndicator": 0,
    "Stratum": 1,
    "Precision": "-23",
    "RootDelay": "0.0000000s",
    "RootDispersion": "10.0000000s",
    "ReferenceId": "0x4C4F434C",
    "LastSuccessfulSyncTime": "2022-04-07T16:53:20.718Z",
    "Source": "Local CMOS Clock",
    "PollInterval": 6,
    "PhaseOffset": "0.0000000s",
    "ClockRate": 156250,
    "StateMachine": 0,
    "TimeSourceFlags": 0,
    "ServerRole": 576,
    "LastSyncError": 1,
    "TimeSinceLastGoodSync": "592.0843097s",
    "TickCount": 639843
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

W32time service has set the system time to Name(UTC). Previous system time was NewTime(UTC). System Tick Count: OldTime.

Message #

W32time service has set the system time to %1(UTC). Previous system time was %2(UTC). System Tick Count: %3
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 261,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-05T22:26:57.710703+00:00",
    "event_record_id": 22,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1728
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_SET_TIME",
    "NewTime": "2023-11-05T22:26:57.709Z",
    "OldTime": "2023-11-05T22:26:57.701Z",
    "TickCount": 116937
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

W32time service has adjusted the system clock rate by Name PPM and the new nominal clock rate is AdjustmentPPM. Previous nominal clock rate was NewClockRate. System Tick Count: OldClockRate.

Message #

W32time service has adjusted the system clock rate by %1 PPM and the new nominal clock rate is %2. Previous nominal clock rate was %3. System Tick Count: %4.
Clock adjustments below %5 PPM are not logged. Performance counters are recommended to efficiently track small adjustment values.
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 262,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-04T14:09:39.947633+00:00",
    "event_record_id": 3168,
    "correlation": {},
    "execution": {
      "process_id": 1776,
      "thread_id": 1188
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_SET_TIME_ADJUSTMENT",
    "AdjustmentPPM": "-832.90002",
    "NewClockRate": 156380,
    "OldClockRate": 156388,
    "TickCount": 3494593,
    "MinReportedAdjustmentPPM": "800.00000"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

W32time Service configuration parameters have been updated. This may impact the fine-grained time synchronization accuracy.

Message #

W32time Service configuration parameters have been updated. This may impact the fine-grained time synchronization accuracy.
Updated Configuration:
%1
Updated Time Providers:
%2System Tick Count: %3
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 263,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T17:34:38.180039+00:00",
    "event_record_id": 65,
    "correlation": {},
    "execution": {
      "process_id": 384,
      "thread_id": 1120
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_SERVICE_PARAM_CHANGE",
    "Configuration": "EventLogFlags: 2 (Local)\nAnnounceFlags: 10 (Local)\nTimeJumpAuditOffset: 28800 (Local)\nMinPollInterval: 6 (Local)\nMaxPollInterval: 10 (Local)\nMaxNegPhaseCorrection: 172800 (Local)\nMaxPosPhaseCorrection: 172800 (Local)\nMaxAllowedPhaseOffset: 300 (Local)\n\nFrequencyCorrectRate: 4 (Local)\nPollAdjustFactor: 5 (Local)\nLargePhaseOffset: 50000000 (Local)\nSpikeWatchPeriod: 900 (Local)\nLocalClockDispersion: 10 (Local)\nHoldPeriod: 5 (Local)\nPhaseCorrectRate: 7 (Local)\nUpdateInterval: 100 (Local)\n\nFileLogName:  (Undefined or not used)\nFileLogEntries:  (Undefined or not used)\nFileLogSize: 0 (Undefined or not used)\nFileLogFlags: 0 (Undefined or not used)\n\nUtilizeSslTimeData: 1 (Local)\n\n[Leap Seconds]\nEnabled: 1 (Local)\nTotal Leap Seconds (after June 2018): 0 (Local)\nCurrent UTC offset: 0 (Local)\n",
    "TimeProviders": "NtpClient (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\nCrossSiteSyncFlags: 2 (Local)\nAllowNonstandardModeCombinations: 1 (Local)\nResolvePeerBackoffMinutes: 15 (Local)\nResolvePeerBackoffMaxTimes: 7 (Local)\nCompatibilityFlags: 2147483648 (Local)\nEventLogFlags: 1 (Local)\nLargeSampleSkew: 3 (Local)\nSpecialPollInterval: 1024 (Local)\nType: NT5DS (Local)\nNtpServer:  (Undefined or not used)\n\nNtpServer (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 0 (Local)\nAllowNonstandardModeCombinations: 1 (Local)\nEventLogFlags: 0 (Undefined or not used)\n\nVMICTimeProvider (Local)\nDllName: C:\\Windows\\System32\\vmictimeprovider.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\n\n\n",
    "TickCount": 2525203
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

NTP Client observed a change peer reachability. Ntp Client is now receiving time data from the following NTP Servers: Name. System Tick Count: AllNtpServers.

Message #

NTP Client observed a change peer reachability. Ntp Client is now receiving time data from the following NTP Servers: %1. System Tick Count: %2.
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 264,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:25:53.238115+00:00",
    "event_record_id": 16,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1744
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_NTP_CLIENT_TIME_SOURCES_CHANGE",
    "AllNtpServers": "time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->40.119.148.38:123);",
    "TickCount": 77640
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The time service is now synchronizing the system time with the reference time source Name with reference id TimeSource. Current local stratum number is TimeSourceRefId, System Tick Count: LocalStratumNumber.

Message #

The time service is now synchronizing the system time with the reference time source %1 with reference id %2. Current local stratum number is %3, System Tick Count: %4.
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 265,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-05T22:26:18.430549+00:00",
    "event_record_id": 19,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1720
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_TIME_SOURCE_REFERENCE",
    "TimeSource": "time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->40.119.148.38:123)",
    "TimeSourceRefId": "0x28779426",
    "LocalStratumNumber": 4,
    "TickCount": 77656
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

W32time Service received notification to rediscover its time sources and/or resynchronize time. Reason Code:Name System Tick Count: ReasonCode.

Message #

W32time Service received notification to rediscover its time sources and/or resynchronize time. Reason Code:%1 System Tick Count: %2
Reason code description:
0 : An explicit time resynchronization request from an administrator
1 : Power state changes on this machine
2 : Changes to the network interface or to the network topology
3 : State changes within W32time that require time synchronization
The actions that follow this notifcation may impact fine-grained time synchronization accuracy.For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 266,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:25:53.076531+00:00",
    "event_record_id": 15,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1716
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_TIME_RESYNC_EVENT",
    "ReasonCode": 0,
    "TickCount": 77484
  },
  "message": ""
}