Event ID 263 — W32time Service configuration parameters have been updated.

Provider: Microsoft-Windows-Time-Service
Channel: Operational
Level: Informational

Description

W32time Service configuration parameters have been updated. This may impact the fine-grained time synchronization accuracy.

Message #

W32time Service configuration parameters have been updated. This may impact the fine-grained time synchronization accuracy.
Updated Configuration:
%1
Updated Time Providers:
%2System Tick Count: %3
For more information, see https://go.microsoft.com/fwlink/?linkid=845961.

Fields #

Name	Description
`Name`	—
`Configuration` UnicodeString	—
`TimeProviders` UnicodeString	—
`TickCount` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Time-Service",
    "guid": "06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB",
    "event_source_name": "",
    "event_id": 263,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T17:34:38.180039+00:00",
    "event_record_id": 65,
    "correlation": {},
    "execution": {
      "process_id": 384,
      "thread_id": 1120
    },
    "channel": "Microsoft-Windows-Time-Service/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "TMP_OPS_SERVICE_PARAM_CHANGE",
    "Configuration": "EventLogFlags: 2 (Local)\nAnnounceFlags: 10 (Local)\nTimeJumpAuditOffset: 28800 (Local)\nMinPollInterval: 6 (Local)\nMaxPollInterval: 10 (Local)\nMaxNegPhaseCorrection: 172800 (Local)\nMaxPosPhaseCorrection: 172800 (Local)\nMaxAllowedPhaseOffset: 300 (Local)\n\nFrequencyCorrectRate: 4 (Local)\nPollAdjustFactor: 5 (Local)\nLargePhaseOffset: 50000000 (Local)\nSpikeWatchPeriod: 900 (Local)\nLocalClockDispersion: 10 (Local)\nHoldPeriod: 5 (Local)\nPhaseCorrectRate: 7 (Local)\nUpdateInterval: 100 (Local)\n\nFileLogName:  (Undefined or not used)\nFileLogEntries:  (Undefined or not used)\nFileLogSize: 0 (Undefined or not used)\nFileLogFlags: 0 (Undefined or not used)\n\nUtilizeSslTimeData: 1 (Local)\n\n[Leap Seconds]\nEnabled: 1 (Local)\nTotal Leap Seconds (after June 2018): 0 (Local)\nCurrent UTC offset: 0 (Local)\n",
    "TimeProviders": "NtpClient (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\nCrossSiteSyncFlags: 2 (Local)\nAllowNonstandardModeCombinations: 1 (Local)\nResolvePeerBackoffMinutes: 15 (Local)\nResolvePeerBackoffMaxTimes: 7 (Local)\nCompatibilityFlags: 2147483648 (Local)\nEventLogFlags: 1 (Local)\nLargeSampleSkew: 3 (Local)\nSpecialPollInterval: 1024 (Local)\nType: NT5DS (Local)\nNtpServer:  (Undefined or not used)\n\nNtpServer (Local)\nDllName: C:\\Windows\\system32\\w32time.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 0 (Local)\nAllowNonstandardModeCombinations: 1 (Local)\nEventLogFlags: 0 (Undefined or not used)\n\nVMICTimeProvider (Local)\nDllName: C:\\Windows\\System32\\vmictimeprovider.dll (Local)\nEnabled: 1 (Local)\nInputProvider: 1 (Local)\n\n\n",
    "TickCount": 2525203
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline