Windows System Event: 4616

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

System Event » Windows System Event: 4616

Event ID 4616: The system time was changed.

Description The system time has been changed. The event describes the old and new time.
Category System

The event logs the following information:

Process ID Unique identifier of the process.
Process name Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP)
Primary user name Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through control panel or the time command.
Primary domain Domain of the user.
Primary logon ID Logon ID of the user that correlates to the logon ID in the user's logon session (event ID 528 or 540)
Client user name The user name of the user who changed the time
Client domain The domain to which the client user belongs to.
Client logon ID Logon ID of the user that changed the time.
Previous time Time before the event occurred.
New time Time after the event occurred.

Pro tips:

  • ADAudit Plus can collect these logs in real time and thus lets you know whenever any change in system time occurs.
  • ADAudit plus also has features that can alert you via E-mail or SMS when system time has been changed.
  • The intuitive reports generated by ADAudit Plus let you know who changed the system time, when it was changed and on which machine it was changed.

Event 4616 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Corresponding event in Windows Server 2003 and earlier versions - Event 520

Explore Active Directory auditing and reporting with ADAudit Plus.

  •  
  •  
  •  
  • By clicking 'Schedule a personalized demo' you agree to processing of personal data according to the Privacy Policy.
Account Management Auditing
Active Directory Auditing
Windows Server Auditing