4616(S): The system time was changed.

Applies to

  • Windows 10
  • Windows Server 2016
Event 4616 illustration

Subcategory: Audit Security State Change

Event Description:

This event generates every time the system time is changed.

This event is always logged regardless of the "Audit Security State Change" subcategory setting.

You will typically see these events with "Subject\Security ID" = "LOCAL SERVICE"; these are normal time correction actions made by the Windows Time service.

Note

For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4616</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12288</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-09T05:04:29.995794600Z" />
    <EventRecordID>1101699</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="148" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x48f29</Data>
    <Data Name="PreviousTime">2015-10-09T05:04:30.000941900Z</Data>
    <Data Name="NewTime">2015-10-09T05:04:30.000000000Z</Data>
    <Data Name="ProcessId">0x1074</Data>
    <Data Name="ProcessName">C:\Windows\WinSxS\amd64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_6.3.9600.16384_none_25a8f00faa8f185c\dllhost.exe</Data>
  </EventData>
</Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions:

  • 0 - Windows Server 2008, Windows Vista.

  • 1 - Windows Server 2008 R2, Windows 7.

    • Added "Process Information" section.

Field Descriptions:

Subject:

  • Security ID [Type = SID]: SID of the account that requested the "change system time" operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

    Note

    A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that requested the "change system time" operation.

  • Account Domain [Type = UnicodeString]: subject's domain or computer name. Formats vary, and include the following:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".

  • Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

Process Information [Version 1]:

  • Process ID [Type = Pointer] [Version 1]: hexadecimal Process ID of the process that changed the system time. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

    Task manager illustration

    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

    You can also correlate this process ID with a process ID in other events, for example, "4688: A new process has been created" Process Information\New Process ID.

  • Name [Type = UnicodeString] [Version 1]: full path and the name of the executable for the process.

Previous Time [Type = FILETIME]: previous time, in the UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ:

  • Y - years

  • M - months

  • D - days

  • T - the beginning of the time element, as specified in ISO 8601.

  • h - hours

  • m - minutes

  • s - seconds

  • n - fractional seconds

  • Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".

New Time [Type = FILETIME]: new time that was set, in the UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ:

  • Y - years

  • M - months

  • D - days

  • T - the beginning of the time element, as specified in ISO 8601.

  • h - hours

  • m - minutes

  • s - seconds

  • n - fractional seconds

  • Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
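The following Python script is an added example, not part of the Microsoft documentation, that parses the Event XML shown above into the fields described in this section: it converts the hexadecimal Process ID and Logon ID to decimal so they can be compared with Task Manager and with events 4688 and 4624, parses the PreviousTime and NewTime values (the sample event carries nine fractional digits, two more than the seven the format string shows, so the parser accepts one to nine), computes how far the clock was moved, and tolerates Version 0 events that carry no Process Information section. The embedded sample is this page's own event (System section trimmed) with the escaped path restored; function and dictionary key names are the example's own.

```python
"""Parse a Windows Security event 4616 (system time changed) from its Event XML.

Added example; not part of the Microsoft documentation. Function and key names
are this example's own.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# YYYY-MM-DDThh:mm:ss[.n...]Z; the page's sample carries nine fractional digits,
# so allow one to nine rather than exactly the seven the format string shows.
_EVENT_TIME_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?Z$"
)

# Constructed sample: the Event XML from this page (System section trimmed), with
# the backslashes in ProcessName restored to plain path separators.
SAMPLE_4616 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4616</EventID>
    <Version>1</Version>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x48f29</Data>
    <Data Name="PreviousTime">2015-10-09T05:04:30.000941900Z</Data>
    <Data Name="NewTime">2015-10-09T05:04:30.000000000Z</Data>
    <Data Name="ProcessId">0x1074</Data>
    <Data Name="ProcessName">C:\\Windows\\WinSxS\\amd64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_6.3.9600.16384_none_25a8f00faa8f185c\\dllhost.exe</Data>
  </EventData>
</Event>
"""


def parse_event_time(value: str) -> Tuple[datetime, int]:
    """Parse a PreviousTime/NewTime value.

    Returns a tz-aware UTC datetime (truncated to microseconds, the most datetime
    can hold) and the exact instant as 100-nanosecond ticks since the Unix epoch,
    so two values can be subtracted without losing the sub-microsecond digits.
    """
    m = _EVENT_TIME_RE.match(value)
    if not m:
        raise ValueError(f"not an event timestamp: {value!r}")
    year, month, day, hh, mm, ss = (int(g) for g in m.groups()[:6])
    nanos = int((m.group(7) or "").ljust(9, "0"))  # right-pad to nanoseconds
    base = datetime(year, month, day, hh, mm, ss, tzinfo=timezone.utc)
    seconds = (base - _EPOCH) // timedelta(seconds=1)
    return base.replace(microsecond=nanos // 1000), seconds * 10_000_000 + nanos // 100


def parse_4616(xml_text: str) -> dict:
    """Return the fields of one 4616 event, with hex values converted to int."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=EVENT_NS))
    if event_id != 4616:
        raise ValueError(f"expected EventID 4616, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    prev_dt, prev_ticks = parse_event_time(data["PreviousTime"])
    new_dt, new_ticks = parse_event_time(data["NewTime"])
    pid_hex: Optional[str] = data.get("ProcessId")  # absent from Version 0 events
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=EVENT_NS),
        "version": int(root.findtext("e:System/e:Version", default="0", namespaces=EVENT_NS)),
        "subject_sid": data["SubjectUserSid"],
        "subject": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
        "logon_id": int(data["SubjectLogonId"], 16),          # correlate with 4624
        "previous_time": prev_dt,
        "new_time": new_dt,
        "delta_100ns": new_ticks - prev_ticks,                # negative: clock moved backwards
        "process_id": int(pid_hex, 16) if pid_hex else None,  # decimal, as Task Manager shows it
        "process_name": data.get("ProcessName"),
    }


if __name__ == "__main__":
    ev = parse_4616(SAMPLE_4616)
    print(f"{ev['computer']}: {ev['subject']} ({ev['subject_sid']}) moved the clock by "
          f"{ev['delta_100ns'] / 10_000:+.4f} ms via PID {ev['process_id']} {ev['process_name']}")
```

For the page's sample the delta is -9419 ticks, i.e. the clock was stepped back by 0.9419 ms, and the decimal PID 4212 is the value to look for in Task Manager or in the New Process ID field of the matching 4688 event.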

Security Monitoring Recommendations

For 4616(S): The system time was changed.

Important

For this event, also see Appendix A: Security monitoring recommendations for many audit events.

  • Report all events where "Subject\Security ID" is not "LOCAL SERVICE"; this means the time change was not made by the Windows Time service.

  • Report all events where "Process Information\Name" is not "C:\Windows\System32\svchost.exe" (the path to svchost.exe can differ, so you can search for the "svchost.exe" substring); this means the time change was not made by the Windows Time service.

  • If you have a pre-defined "Process Name" for the process reported in this event, monitor all events with "Process Name" not equal to your defined value.

  • You can monitor to see if "Process Name" is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).

  • If you have a pre-defined list of restricted substrings or words in process names (for example, "mimikatz" or "cain.exe"), check for these substrings in "Process Name".
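The recommendations above implemented in Python, as an added example that is not Microsoft's code: triage_4616() takes the event fields as a dictionary (in the shape a parser of the Event XML would produce) and returns one finding per rule that fires. The LOCAL SERVICE check compares the well-known SID S-1-5-19 rather than the display name, and the svchost.exe check looks at the file name and the folder separately. The standard and restricted folder lists and the "mimikatz"/"cain.exe" substrings are this example's assumptions taken from the bullets above; adjust them to your environment. The sample events are constructed for the example; the second reuses the subject and process from this page's Event XML.

```python
"""Triage rules for event 4616, from the Security Monitoring Recommendations above.

Added example; not Microsoft's code. Folder lists and substrings are assumptions.
"""
from __future__ import annotations

from pathlib import PureWindowsPath
from typing import List, Optional

LOCAL_SERVICE_SID = "S-1-5-19"  # well-known SID of NT AUTHORITY\LOCAL SERVICE, which runs the Windows Time service
# Assumptions for this example; extend per environment.
STANDARD_DIRS = (r"C:\Windows\System32", r"C:\Program Files", r"C:\Program Files (x86)")
RESTRICTED_DIR_FRAGMENTS = ("\\temporary internet files\\", "\\temp\\")
SUSPICIOUS_SUBSTRINGS = ("mimikatz", "cain.exe")


def triage_4616(event: dict, expected_process: Optional[str] = None) -> List[str]:
    """Return one finding per recommendation that fires; an empty list means benign."""
    findings: List[str] = []
    # Rule 1: compare the SID, not the resolved name, so display-name lookalikes do not pass.
    if event["subject_sid"] != LOCAL_SERVICE_SID:
        findings.append(f"subject {event['subject']} ({event['subject_sid']}) is not LOCAL SERVICE")
    name = event.get("process_name")
    if not name:
        # Version 0 events (Server 2008 / Vista) carry no Process Information section.
        findings.append("no Process Information in event; process cannot be attributed")
        return findings
    path = PureWindowsPath(name)
    lowered = name.lower()
    # Rule 2: file name must be svchost.exe (the path can legitimately differ).
    if path.name.lower() != "svchost.exe":
        findings.append(f"process {path.name} is not svchost.exe")
    # Rule 3: optional pre-defined full path for the expected process.
    if expected_process and lowered != expected_process.lower():
        findings.append(f"process path differs from expected {expected_process}")
    # Rule 4: process must live in a standard folder ...
    if not any(lowered.startswith(d.lower() + "\\") for d in STANDARD_DIRS):
        findings.append(f"process outside standard folders: {path.parent}")
    # ... and must not live in a restricted one.
    for frag in RESTRICTED_DIR_FRAGMENTS:
        if frag in lowered:
            findings.append(f"process in restricted folder (matched {frag})")
    # Rule 5: restricted substrings in the process name.
    for word in SUSPICIOUS_SUBSTRINGS:
        if word in lowered:
            findings.append(f"process name contains {word!r}")
    return findings


# Constructed sample events, in the field layout a parser of the Event XML would produce.
BENIGN_W32TIME = {
    "subject_sid": LOCAL_SERVICE_SID,
    "subject": r"NT AUTHORITY\LOCAL SERVICE",
    "process_name": r"C:\Windows\System32\svchost.exe",
}
PAGE_EXAMPLE = {  # subject and process taken from this page's Event XML
    "subject_sid": "S-1-5-21-3457937927-2839227994-823803824-1104",
    "subject": r"CONTOSO\dadmin",
    "process_name": r"C:\Windows\WinSxS\amd64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_6.3.9600.16384_none_25a8f00faa8f185c\dllhost.exe",
}
USER_TEMP_TOOL = {  # constructed: a user-launched tool running from a temp folder
    "subject_sid": "S-1-5-21-3457937927-2839227994-823803824-1001",
    "subject": r"CONTOSO\bob",
    "process_name": r"C:\Users\bob\AppData\Local\Temp\cain.exe",
}
V0_EVENT = {  # constructed Version 0 event: no Process Information section
    "subject_sid": LOCAL_SERVICE_SID,
    "subject": r"NT AUTHORITY\LOCAL SERVICE",
    "process_name": None,
}

if __name__ == "__main__":
    for label, ev in [("w32time", BENIGN_W32TIME), ("page example", PAGE_EXAMPLE),
                      ("temp tool", USER_TEMP_TOOL), ("version 0", V0_EVENT)]:
        print(label, triage_4616(ev) or ["ok"])
```

The file-name rule on its own proves little, since any binary can be named svchost.exe, which is why the folder rules run alongside it; and for Version 0 events only the subject can be judged, so a non-LOCAL SERVICE subject on such a host deserves the same report as on newer systems.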