System date change tracking in windows xp
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
I wanted to track when system time was changed in a PC.By looking at event viewer for event id 520 i will get it. But when i changed date manually in windows and look at event viewer i found 4 entries for a single date change.
Now In that 4 entries last one has below description
The system time was changed.
Process ID: 1932
Process Name: C:WINDOWSsystem32rundll32.exe
Primary User Name: nav
Primary Domain: PC132
Primary Logon ID: (0x0,0x115A0)
Client User Name: nav
Client Domain: PC132
Client Logon ID: (0x0,0x115A0)
Previous Time: 10:18:32 AM 8/23/2013
New Time: 10:18:32 AM 8/24/2013
All other three entries shows
The system time was changed.
Process ID: 1932
Process Name: C:WINDOWSsystem32rundll32.exe
Primary User Name: navaneeth a
Primary Domain: PC132
Primary Logon ID: (0x0,0x115A0)
Client User Name: navaneeth a
Client Domain: PC132
Client Logon ID: (0x0,0x115A0)
Previous Time: 10:18:32 AM 8/24/2013
New Time: 10:18:32 AM 8/24/2013
What is the meaning of these 4 entries for a date change?
Also is there any method to get system date changed history or log?
windows windows-xp date event-viewer
asked Aug 23 '13 at 5:08
IT researcherIT researcher
43882342
add a comment |
I wanted to track when system time was changed in a PC.By looking at event viewer for event id 520 i will get it. But when i changed date manually in windows and look at event viewer i found 4 entries for a single date change.
Now In that 4 entries last one has below description
The system time was changed.
Process ID: 1932
Process Name: C:WINDOWSsystem32rundll32.exe
Primary User Name: nav
Primary Domain: PC132
Primary Logon ID: (0x0,0x115A0)
Client User Name: nav
Client Domain: PC132
Client Logon ID: (0x0,0x115A0)
Previous Time: 10:18:32 AM 8/23/2013
New Time: 10:18:32 AM 8/24/2013
All other three entries shows
The system time was changed.
Process ID: 1932
Process Name: C:WINDOWSsystem32rundll32.exe
Primary User Name: navaneeth a
Primary Domain: PC132
Primary Logon ID: (0x0,0x115A0)
Client User Name: navaneeth a
Client Domain: PC132
Client Logon ID: (0x0,0x115A0)
Previous Time: 10:18:32 AM 8/24/2013
New Time: 10:18:32 AM 8/24/2013
What is the meaning of these 4 entries for a date change?
Also is there any method to get system date changed history or log?
windows windows-xp date event-viewer
asked Aug 23 '13 at 5:08
IT researcherIT researcher
43882342
add a comment |
I wanted to track when system time was changed in a PC.By looking at event viewer for event id 520 i will get it. But when i changed date manually in windows and look at event viewer i found 4 entries for a single date change.
Now In that 4 entries last one has below description
The system time was changed.
Process ID: 1932
Process Name: C:WINDOWSsystem32rundll32.exe
Primary User Name: nav
Primary Domain: PC132
Primary Logon ID: (0x0,0x115A0)
Client User Name: nav
Client Domain: PC132
Client Logon ID: (0x0,0x115A0)
Previous Time: 10:18:32 AM 8/23/2013
New Time: 10:18:32 AM 8/24/2013
All other three entries shows
The system time was changed.
Process ID: 1932
Process Name: C:WINDOWSsystem32rundll32.exe
Primary User Name: navaneeth a
Primary Domain: PC132
Primary Logon ID: (0x0,0x115A0)
Client User Name: navaneeth a
Client Domain: PC132
Client Logon ID: (0x0,0x115A0)
Previous Time: 10:18:32 AM 8/24/2013
New Time: 10:18:32 AM 8/24/2013
What is the meaning of these 4 entries for a date change?
Also is there any method to get system date changed history or log?
windows windows-xp date event-viewer
asked Aug 23 '13 at 5:08
IT researcherIT researcher
43882342
I wanted to track when system time was changed in a PC.By looking at event viewer for event id 520 i will get it. But when i changed date manually in windows and look at event viewer i found 4 entries for a single date change.
Now In that 4 entries last one has below description
The system time was changed.
Process ID: 1932
Process Name: C:WINDOWSsystem32rundll32.exe
Primary User Name: nav
Primary Domain: PC132
Primary Logon ID: (0x0,0x115A0)
Client User Name: nav
Client Domain: PC132
Client Logon ID: (0x0,0x115A0)
Previous Time: 10:18:32 AM 8/23/2013
New Time: 10:18:32 AM 8/24/2013
All other three entries shows
The system time was changed.
Process ID: 1932
Process Name: C:WINDOWSsystem32rundll32.exe
Primary User Name: navaneeth a
Primary Domain: PC132
Primary Logon ID: (0x0,0x115A0)
Client User Name: navaneeth a
Client Domain: PC132
Client Logon ID: (0x0,0x115A0)
Previous Time: 10:18:32 AM 8/24/2013
New Time: 10:18:32 AM 8/24/2013
What is the meaning of these 4 entries for a date change?
Also is there any method to get system date changed history or log?
windows windows-xp date event-viewer
windows windows-xp date event-viewer
asked Aug 23 '13 at 5:08
IT researcherIT researcher
43882342
asked Aug 23 '13 at 5:08
IT researcherIT researcher
43882342
asked Aug 23 '13 at 5:08
IT researcherIT researcher
43882342
asked Aug 23 '13 at 5:08
IT researcherIT researcher
43882342
asked Aug 23 '13 at 5:08
IT researcherIT researcher
43882342
43882342
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
To explain Event ID -520 :
Process Name : Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP)
Primary User Name: Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through control panel or the time command.
Primary Domain : domain of the user
Primary Logon ID: correlates to the logon ID in the user's logon session event ID 528 or 540
Client User Name :your log in name
Client Domain : your internal domain
Client Logon ID :logon id
Previous Time: Previous system time
New Time : Current changed time
In addition to it the fourth entry has event id : 515
From technet :
This event record indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source.Logon processes are trusted components responsible for collecting identification and authentication information from external devices, such as terminals and networks. They use Local Security Authority services to log these users on. A single system can simultaneously support multiple logon processes.
Your system date
Alternatively you can try myeventviewer for keep tracking the changes.
i guess overwrite is disabled at event-viewer properties,so the logs might get logged multiple times
answered Aug 23 '13 at 6:05
BlueBerry - Vignesh4303BlueBerry - Vignesh4303
5,518205079
1
These are just explanation about what each details refer to. But i want to know why 4 events are written in event viewer if i change date only once?
– IT researcher
Aug 23 '13 at 6:09
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f635600%2fsystem-date-change-tracking-in-windows-xp%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
To explain Event ID -520 :
Process Name : Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP)
Primary User Name: Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through control panel or the time command.
Primary Domain : domain of the user
Primary Logon ID: correlates to the logon ID in the user's logon session event ID 528 or 540
Client User Name :your log in name
Client Domain : your internal domain
Client Logon ID :logon id
Previous Time: Previous system time
New Time : Current changed time
In addition to it the fourth entry has event id : 515
From technet :
This event record indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source.Logon processes are trusted components responsible for collecting identification and authentication information from external devices, such as terminals and networks. They use Local Security Authority services to log these users on. A single system can simultaneously support multiple logon processes.
Your system date
Alternatively you can try myeventviewer for keep tracking the changes.
i guess overwrite is disabled at event-viewer properties,so the logs might get logged multiple times
answered Aug 23 '13 at 6:05
BlueBerry - Vignesh4303BlueBerry - Vignesh4303
5,518205079
1
These are just explanation about what each details refer to. But i want to know why 4 events are written in event viewer if i change date only once?
– IT researcher
Aug 23 '13 at 6:09
add a comment |
To explain Event ID -520 :
Process Name : Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP)
Primary User Name: Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through control panel or the time command.
Primary Domain : domain of the user
Primary Logon ID: correlates to the logon ID in the user's logon session event ID 528 or 540
Client User Name :your log in name
Client Domain : your internal domain
Client Logon ID :logon id
Previous Time: Previous system time
New Time : Current changed time
In addition to it the fourth entry has event id : 515
From technet :
This event record indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source.Logon processes are trusted components responsible for collecting identification and authentication information from external devices, such as terminals and networks. They use Local Security Authority services to log these users on. A single system can simultaneously support multiple logon processes.
Your system date
Alternatively you can try myeventviewer for keep tracking the changes.
i guess overwrite is disabled at event-viewer properties,so the logs might get logged multiple times
answered Aug 23 '13 at 6:05
BlueBerry - Vignesh4303BlueBerry - Vignesh4303
5,518205079
1
These are just explanation about what each details refer to. But i want to know why 4 events are written in event viewer if i change date only once?
– IT researcher
Aug 23 '13 at 6:09
add a comment |
To explain Event ID -520 :
Process Name : Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP)
Primary User Name: Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through control panel or the time command.
Primary Domain : domain of the user
Primary Logon ID: correlates to the logon ID in the user's logon session event ID 528 or 540
Client User Name :your log in name
Client Domain : your internal domain
Client Logon ID :logon id
Previous Time: Previous system time
New Time : Current changed time
In addition to it the fourth entry has event id : 515
From technet :
This event record indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source.Logon processes are trusted components responsible for collecting identification and authentication information from external devices, such as terminals and networks. They use Local Security Authority services to log these users on. A single system can simultaneously support multiple logon processes.
Your system date
Alternatively you can try myeventviewer for keep tracking the changes.
i guess overwrite is disabled at event-viewer properties,so the logs might get logged multiple times
answered Aug 23 '13 at 6:05
BlueBerry - Vignesh4303BlueBerry - Vignesh4303
5,518205079
To explain Event ID -520 :
Process Name : Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP)
Primary User Name: Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through control panel or the time command.
Primary Domain : domain of the user
Primary Logon ID: correlates to the logon ID in the user's logon session event ID 528 or 540
Client User Name :your log in name
Client Domain : your internal domain
Client Logon ID :logon id
Previous Time: Previous system time
New Time : Current changed time
In addition to it the fourth entry has event id : 515
From technet :
This event record indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source.Logon processes are trusted components responsible for collecting identification and authentication information from external devices, such as terminals and networks. They use Local Security Authority services to log these users on. A single system can simultaneously support multiple logon processes.
Your system date
Alternatively you can try myeventviewer for keep tracking the changes.
i guess overwrite is disabled at event-viewer properties,so the logs might get logged multiple times
answered Aug 23 '13 at 6:05
BlueBerry - Vignesh4303BlueBerry - Vignesh4303
5,518205079
edited Aug 23 '13 at 6:41
answered Aug 23 '13 at 6:05
BlueBerry - Vignesh4303BlueBerry - Vignesh4303
5,518205079
answered Aug 23 '13 at 6:05
BlueBerry - Vignesh4303BlueBerry - Vignesh4303
5,518205079
answered Aug 23 '13 at 6:05
BlueBerry - Vignesh4303BlueBerry - Vignesh4303
5,518205079
5,518205079
1
These are just explanation about what each details refer to. But i want to know why 4 events are written in event viewer if i change date only once?
– IT researcher
Aug 23 '13 at 6:09
add a comment |
1
These are just explanation about what each details refer to. But i want to know why 4 events are written in event viewer if i change date only once?
– IT researcher
Aug 23 '13 at 6:09
1
1
These are just explanation about what each details refer to. But i want to know why 4 events are written in event viewer if i change date only once?
– IT researcher
Aug 23 '13 at 6:09
These are just explanation about what each details refer to. But i want to know why 4 events are written in event viewer if i change date only once?
– IT researcher
Aug 23 '13 at 6:09
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f635600%2fsystem-date-change-tracking-in-windows-xp%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
