Windows Time for Traceability
Applies to: Windows Server 2016 version 1709 or later, and Windows 10 version 1703 or later
Regulations in many sectors require systems to be traceable to UTC, meaning that a system's offset with respect to UTC can be attested. To enable regulatory compliance scenarios, Windows 10 (version 1703 or higher) and Windows Server 2016 (version 1709 or higher) provide new event logs that show, from the perspective of the operating system, the actions taken on the system clock. These event logs are generated continuously for the Windows Time service and can be examined or archived for later analysis.
These new events enable the following questions to be answered:
- Was the system clock altered?
- Was the clock frequency modified?
- Was the Windows Time service configuration modified?
These improvements are included in Windows 10 version 1703 or higher, and Windows Server 2016 version 1709 or higher.
No configuration is required to use this feature. These event logs are enabled by default and can be found in Event Viewer under the Applications and Services Log\Microsoft\Windows\Time-Service\Operational channel.
List of Event Logs
The following section outlines the events logged for use in traceability scenarios.
This event is logged when the Windows Time Service (W32Time) is started and logs information about the current time, current tick count, runtime configuration, time providers, and current clock rate.
| Event description | Service Start |
|---|---|
| Details | Occurs at W32time Startup |
| Throttling mechanism | None. This event fires every time the service starts. |
W32time service has started at 2018-02-27T04:25:17.156Z (UTC), System Tick Count 3132937.
This information can also be queried using the following commands:
W32Time and Time Provider configuration
w32tm.exe /query /configuration
w32tm.exe /query /status /verbose
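For archiving, the Service Start events can be read back from the Operational channel and reduced to structured records. The following is an added example, not code from the original page or from Microsoft; the function names and the CSV path are hypothetical, and the message pattern is taken from the sample event text shown above.

```powershell
# Added example. Function names are hypothetical, not part of Windows or w32tm.
# Event Viewer path "Microsoft\Windows\Time-Service\Operational" as a log name:
$LogName = 'Microsoft-Windows-Time-Service/Operational'

function ConvertFrom-W32TimeStartMessage {
    # Parses the Service Start message text; returns $null for any other message.
    param([string]$Message)
    $pattern = 'W32time service has started at (?<utc>\S+) \(UTC\), ' +
               'System Tick Count (?<ticks>\d+)'
    if ($Message -notmatch $pattern) { return $null }
    $start = [datetimeoffset]::Parse($Matches['utc'],
                 [cultureinfo]::InvariantCulture)
    [pscustomobject]@{
        StartUtc  = $start.UtcDateTime
        TickCount = [uint64]$Matches['ticks']
    }
}

function Get-W32TimeStartRecord {
    # Reads the channel and keeps only events whose message is a Service Start.
    param([int]$MaxEvents = 1000)
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $parsed = ConvertFrom-W32TimeStartMessage -Message $_.Message
            if ($parsed) {
                [pscustomobject]@{
                    RecordId  = $_.RecordId
                    Computer  = $_.MachineName
                    LoggedUtc = $_.TimeCreated.ToUniversalTime()
                    StartUtc  = $parsed.StartUtc
                    TickCount = $parsed.TickCount
                }
            }
        }
}

# The sample message from this page, parsed offline:
$sample = 'W32time service has started at 2018-02-27T04:25:17.156Z (UTC), ' +
          'System Tick Count 3132937.'
ConvertFrom-W32TimeStartMessage -Message $sample

# On a live system, archive the parsed records for later analysis
# (hypothetical output path):
# Get-W32TimeStartRecord | Export-Csv -Path .\w32time-start.csv -NoTypeInformation
```

Keeping `RecordId` and `LoggedUtc` next to the time stated inside the message lets an archived record be matched back to the original event.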