NXLog Legacy Documentation

Windows Time service

The Windows Time service (W32Time) synchronizes the date and time on a machine with a time server. Date and time accuracy is important for most services and applications to operate correctly, and it ensures that an accurate timestamp is assigned to operations such as resource access requests and network communication. This guide contains information on how to procure Windows Time service logs, which can provide visibility on issues or potential tampering with the time on the monitored system.

Windows Time service logs are accessible in two ways depending on the version of your operating system:

  • Via Event Tracing for Windows (ETW), for Windows 10 version 1073, Windows Server 2016 version 1709, and newer versions of Windows.

  • Via the file system for all versions of Windows.

Collecting logs from ETW

This method is recommended for newer operating systems since it takes advantage of the ETW channel and the standardization of logs, which includes an event ID that can be used for correlation. To ensure that the channel is producing logs:

  1. Open Event Viewer (eventvwr.msc).

  2. Expand Application and Services Logs > Microsoft > Windows > Windows-Time.

  3. Right click on the Operational channel and make sure that Enable Log is selected.

  4. If disk space is a concern, make sure that Overwrite events as needed is selected in the channel properties.

Although the Windows Time ETW channel is available on Windows 2012 R2, it isn’t supported and doesn’t produce any logs.
Example 1. Windows Time service log collection via ETW

This configuration uses the im_etw module to collect logs from the Microsoft-Windows-Time-Service channel.

nxlog.conf
<Input win_time>
    Module	     im_etw
    Provider	   Microsoft-Windows-Time-Service
</Input>
Output sample
2021-08-06 14:26:07 SERVER-1 INFO SourceName="Microsoft-Windows-Time-Service" ProviderGuid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" EventID="260" Version="0" ChannelID="16" OpcodeValue="0" TaskValue="0" Keywords="4611686018427387904" ExecutionProcessID="636" ExecutionThreadID="2768" EventType="INFO" SeverityValue="2" Domain="NT AUTHORITY" AccountName="LOCAL SERVICE" UserID="S-1-5-19" AccountType="Well Known Group" Flags="EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)" Configuration="EventLogFlags: 2 (Local)_AnnounceFlags: 10 (Local)_TimeJumpAuditOffset: 28800 (Local)_MinPollInterval: 6 (Local)_MaxPollInterval: 10 (Local)_MaxNegPhaseCorrection: 4294967295 (Local)_MaxPosPhaseCorrection: 4294967295 (Local)_MaxAllowedPhaseOffset: 300 (Local)__FrequencyCorrectRate: 4 (Local)_PollAdjustFactor: 5 (Local)_LargePhaseOffset: 50000000 (Local)_SpikeWatchPeriod: 900 (Local)_LocalClockDispersion: 10 (Local)_HoldPeriod: 5 (Local)_PhaseCorrectRate: 1 (Local)_UpdateInterval: 100 (Local)__FileLogName:  (Undefined or not used)_FileLogEntries:  (Undefined or not used)_FileLogSize: 0 (Undefined or not used)_FileLogFlags: 0 (Undefined or not used)__UtilizeSslTimeData: 1 (Local)__[Leap Seconds]_Enabled: 1 (Local)_Total Leap Seconds (after June 2018): 0 (Local)_Current UTC offset: 0 (Local)_" TimeProviders="NtpClient (Local)_DllName: C:\\Windows\\system32\\w32time.dll (Local)_Enabled: 1 (Local)_InputProvider: 1 (Local)_CrossSiteSyncFlags: 2 (Local)_AllowNonstandardModeCombinations: 1 (Local)_ResolvePeerBackoffMinutes: 15 (Local)_ResolvePeerBackoffMaxTimes: 7 (Local)_CompatibilityFlags: 2147483648 (Local)_EventLogFlags: 1 (Local)_LargeSampleSkew: 3 (Local)_SpecialPollInterval: 1024 (Local)_Type: NT5DS (Local)_NtpServer:  (Undefined or not used)__VMICTimeProvider (Local)_DllName: C:\\Windows\\System32\\vmictimeprovider.dll (Local)_Enabled: 1 (Local)_InputProvider: 1 (Local)__NtpServer (Local)_DllName: C:\\Windows\\system32\\w32time.dll (Local)_Enabled: 0 (Local)_InputProvider: 0 (Local)___" LeapIndicator="0" Stratum="2" Precision="-23" RootDelay="0.0008262s" RootDispersion="10.2637940s" ReferenceId="0xC0A858DC" LastSuccessfulSyncTime="2021-08-06T21:26:07.180Z" Source="VC-SERV1.VCTEST.com " PollInterval="7" PhaseOffset="0.0107040s" ClockRate="156250" StateMachine="2" TimeSourceFlags="8" ServerRole="0" LastSyncError="0" TimeSinceLastGoodSync="0.0000091s" TickCount="657828"

Collecting logs from file

The Windows Time service can be configured to run in debug mode and output logs to file. This method can be used on older operating systems that do not support collection via ETW. Several options are available to enable debug mode.

Enable debug using the W32tm tool

W32tm is a tool available in Windows for configuring the Windows Time service. Execute the following command to enable debug logging:

> w32tm /debug /enable /file:C:\windows\temp\w32time.log /size:10000000 /entries:0-116

Where:

  • /file specifies the absolute path of the log file

  • /size specifies the maximum size of the log file in bytes for circular logging

  • /entries specifies the debugging level up to a maximum of 0-300

Specifying a higher debugging level adds considerable verbosity to the log file, which is only recommended for debugging, not for actively logging to a SIEM.

Enable debug in the registry

To turn on debug logging from Registry Editor, follow the instructions on how to Turn on debug logging for Windows Time Service in the Microsoft documentation.

To add the necessary registry key and values from Command Prompt:

  1. Create a file with the following content, modifying the values as appropriate:

    w32time-config.reg
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
    "FileLogName"="C:\\windows\\temp\\w32time.log"
    "FileLogEntries"="0-116"
    "FileLogSize"=dword:00989680
  2. Execute the following command to add the contents of the file to the registry:

    > regedit.exe w32time-config.reg
  3. You may need to restart the Windows Time service for the changes to take effect. You can restart it from the Services (services.msc) console or by executing the following command:

    > net stop w32time && net start w32time

Alternatively, if PowerShell is available on the system, the following set of commands can be executed.

w32time-config.reg
# Add w32time registry entries

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name  'FileLogSize' -Value '10000000' -PropertyType 'DWORD' –Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name  'FileLogName' -Value 'C:\Windows\Temp\w32time.log' -PropertyType 'String' –Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name  'FileLogEntries' -Value '0-116' -PropertyType 'String' –Force

Restart-Service -Name W32Time
These steps require altering the Windows Registry and should be executed with care. Incorrect modifications could potentially render the system unusable.
Example 2. Windows Time service file-based log collection

This configuration captures log data from a Windows Time service debug log file. Since the log file generated by the debug method has UTF-16 LE encoding, the xm_charconv extension module is needed for reading the file. The LineReader directive in the converter instance determines the encoding to be used.

The win_time instance of the im_file module uses the InputType directive for referencing the xm_charconv instance name, converter, that defines the character encoding type to use when reading this log file. Without this, UTF-8 encoding will be assumed and no data will be returned.

The Exec block of the win_time instance contains a conditional block for adding a new field, $nttetimestamp, which will be assigned the value matched by the first capture group of the regular expression. This is contingent on the second capture group being matched as well, which will assign its value to another new field, $message. In case one (or both) of these two capture groups is not matched, the remaining else conditional block is used, which assigns $raw_event, the entire line of log data read, to a new field called $message.

The Exec block concludes by converting each record to JSON using the to_json() procedure of the xm_json module, which also enriches the event log with the NXLog core fields.

nxlog.conf
<Extension json>
    Module        xm_json
</Extension>

<Extension converter>
    # One way to figure out the codec type is to open the log
    # file in Notepad, save the file with Save As, and under
    # the Encoding portion at the bottom, the encoding that
    # is chosen by default is what the file is currently
    # encoded as.

    Module        xm_charconv
    LineReader    UTF-16LE
</Extension>

<Input win_time>
    Module        im_file
    File          'C:\Windows\Temp\w32time.log'
    InputType     converter
    <Exec>
       if $raw_event =~ /([1-9]{1,6} [0-9]{2}:[0-9]{2}:[0-9]{2}.*s) - (.*)/
       {
           $nttetimestamp = $1;
           $message = $2;
       }
       else
       {
           $message = $raw_event;
       }
       to_json();
    </Exec>
</Input>
Output sample
{
  "EventReceivedTime": "2021-08-14T20:35:32.644755-07:00",
  "SourceModuleName": "win_time",
  "SourceModuleType": "im_file",
  "nttetimestamp": "153628 03:35:32.0392286s",
  "message": "ClockDispln Discipline: *SKEW*TIME* - PhCRR:-10 CRD:-14 PhCRR_:-22 CRD_:-31 CR:14318180  (PhCRRL:-10 CRL:156250 phcTL:131072) UI:360000 KPhO:-37280"
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

Windows Server 2012
Windows 10 Home
Windows XP SP3
NXLog EE 5.3.6985

Last revision: 6 August 2021