Event ID 257 — W32time service has started at Name (UTC), System Tick Count CurrentTime(UTC).

Provider: Microsoft-Windows-Time-Service
Channel: Operational
Level: Informational

Description

W32time service has started at Name (UTC), System Tick Count CurrentTime(UTC).

Message #

W32time service has started at %1 (UTC), System Tick Count %2.
Configuration:
%3
Time Providers:
%4Clock Rate:%5
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Name	Description
`Name`	—
`CurrentTime(UTC)` UnicodeString	—
`TickCount` UInt64	—
`Configuration` UnicodeString	—
`TimeProviders` UnicodeString	—
`ClockRate` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 257,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:25:38.783993+00:00",
    "event_record_id": 13,
    "correlation": {},
    "execution": {
      "process_id": 1644,
      "thread_id": 1684
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_STARTUP",
    "CurrentTime(UTC)": "2023-11-06T06:25:38.783Z",
    "TickCount": 63156,
    "Configuration": "EventLogFlags: 2 (Local)\nAnnounceFlags: 10 (Local)\nTimeJumpAuditOffset: 28800 (Local)\nMinPollInterval: 10 (Local)\nMaxPollInterval: 15 (Local)\nMaxNegPhaseCorrection: 54000 (Local)\nMaxPosPhaseCorrection: 54000 (Local)\nMaxAllowedPhaseOffset: 1 (Local)\n\nFrequencyCorrectRate: 4 (Local)\nPollAdjustFactor: 5 (Local)\nLargePhaseOffset: 50000000 (Local)\nSpikeWatchPeriod: 900 (Local)\nLocalClockDispersion: 10 (Local)\nHoldPeriod: 5 (Local)\nPhaseCorrectRate: 1 (Local)\nUpdateInterval: 360000 (Local)\n\nFileLogName:  (Undefined or not used)\nFileLogEntries:  (Undefined or not used)\nFileLogSize: 0 (Undefined or not used)\nFileLogFlags: 0 (Undefined or not used)\n\nUtilizeSslTimeData: 1 (Local)\n\n[Leap Seconds]\nEnabled: 1 (Local)\nTotal Leap Seconds (after June 2018): 0 (Local)\nCurrent UTC offset: 0 (Local)\n",
    "TimeProviders": "NtpClient (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\nCrossSiteSyncFlags: 0 (Undefined or not used)\nAllowNonstandardModeCombinations: 1 (Local)\nResolvePeerBackoffMinutes: 15 (Local)\nResolvePeerBackoffMaxTimes: 7 (Local)\nCompatibilityFlags: 2147483648 (Local)\nEventLogFlags: 1 (Local)\nLargeSampleSkew: 3 (Local)\nSpecialPollInterval: 32768 (Local)\nType: NTP (Local)\nNtpServer: time.windows.com,0x9 (Local)\n\nVMICTimeProvider (Local)\nDllName: C:\\Windows\\System32\\vmictimeprovider.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\n\nNtpServer (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 0 (Local)\nInputProvider: 0 (Local)\n\n\n",
    "ClockRate": 156250
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline