Windows Time service
The Windows Time service (W32Time) synchronizes the date and time on a machine with a time server. Date and time accuracy is important for most services and applications to operate correctly, and it ensures that an accurate timestamp is assigned to operations such as resource access requests and network communication. This guide describes how to collect Windows Time service logs, which provide visibility into synchronization issues or potential tampering with the time on the monitored system.
Windows Time service logs are accessible in two ways depending on the version of your operating system:
- Via Event Tracing for Windows (ETW), for Windows 10 version 1073, Windows Server 2016 version 1709, and newer versions of Windows.
- Via the file system for all versions of Windows.
Collecting logs from ETW
This method is recommended for newer operating systems since it takes advantage of the ETW channel and the standardization of logs, which includes an event ID that can be used for correlation. To ensure that the channel is producing logs:
- Open Event Viewer (eventvwr.msc).
- Expand Application and Services Logs > Microsoft > Windows > Windows-Time.
- Right click on the Operational channel and make sure that Enable Log is selected.
- If disk space is a concern, make sure that Overwrite events as needed is selected in the channel properties.
Although the Windows Time ETW channel is available on Windows 2012 R2, it isn't supported and doesn't produce any logs.
This configuration uses the im_etw module to collect logs from the Microsoft-Windows-Time-Service channel.
<Input win_time>
Module im_etw
Provider Microsoft-Windows-Time-Service
</Input>
2021-08-06 14:26:07 SERVER-1 INFO SourceName="Microsoft-Windows-Time-Service" ProviderGuid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" EventID="260" Version="0" ChannelID="16" OpcodeValue="0" TaskValue="0" Keywords="4611686018427387904" ExecutionProcessID="636" ExecutionThreadID="2768" EventType="INFO" SeverityValue="2" Domain="NT AUTHORITY" AccountName="LOCAL SERVICE" UserID="S-1-5-19" AccountType="Well Known Group" Flags="EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)" Configuration="EventLogFlags: 2 (Local)_AnnounceFlags: 10 (Local)_TimeJumpAuditOffset: 28800 (Local)_MinPollInterval: 6 (Local)_MaxPollInterval: 10 (Local)_MaxNegPhaseCorrection: 4294967295 (Local)_MaxPosPhaseCorrection: 4294967295 (Local)_MaxAllowedPhaseOffset: 300 (Local)__FrequencyCorrectRate: 4 (Local)_PollAdjustFactor: 5 (Local)_LargePhaseOffset: 50000000 (Local)_SpikeWatchPeriod: 900 (Local)_LocalClockDispersion: 10 (Local)_HoldPeriod: 5 (Local)_PhaseCorrectRate: 1 (Local)_UpdateInterval: 100 (Local)__FileLogName: (Undefined or not used)_FileLogEntries: (Undefined or not used)_FileLogSize: 0 (Undefined or not used)_FileLogFlags: 0 (Undefined or not used)__UtilizeSslTimeData: 1 (Local)__[Leap Seconds]_Enabled: 1 (Local)_Total Leap Seconds (after June 2018): 0 (Local)_Current UTC offset: 0 (Local)_" TimeProviders="NtpClient (Local)_DllName: C:\\Windows\\system32\\w32time.dll (Local)_Enabled: 1 (Local)_InputProvider: 1 (Local)_CrossSiteSyncFlags: 2 (Local)_AllowNonstandardModeCombinations: 1 (Local)_ResolvePeerBackoffMinutes: 15 (Local)_ResolvePeerBackoffMaxTimes: 7 (Local)_CompatibilityFlags: 2147483648 (Local)_EventLogFlags: 1 (Local)_LargeSampleSkew: 3 (Local)_SpecialPollInterval: 1024 (Local)_Type: NT5DS (Local)_NtpServer: (Undefined or not used)__VMICTimeProvider (Local)_DllName: C:\\Windows\\System32\\vmictimeprovider.dll (Local)_Enabled: 1 (Local)_InputProvider: 1 (Local)__NtpServer (Local)_DllName: C:\\Windows\\system32\\w32time.dll (Local)_Enabled: 0 (Local)_InputProvider: 0 (Local)___" LeapIndicator="0" Stratum="2" Precision="-23" RootDelay="0.0008262s" RootDispersion="10.2637940s" ReferenceId="0xC0A858DC" LastSuccessfulSyncTime="2021-08-06T21:26:07.180Z" Source="VC-SERV1.VCTEST.com " PollInterval="7" PhaseOffset="0.0107040s" ClockRate="156250" StateMachine="2" TimeSourceFlags="8" ServerRole="0" LastSyncError="0" TimeSinceLastGoodSync="0.0000091s" TickCount="657828"
Collecting logs from file
The Windows Time service can be configured to run in debug mode and output logs to file. This method can be used on older operating systems that do not support collection via ETW. Several options are available to enable debug mode.
Enable debug using the W32tm tool
W32tm is a tool available in Windows for configuring the Windows Time service. Execute the following command to enable debug logging:
> w32tm /debug /enable /file:C:\windows\temp\w32time.log /size:10000000 /entries:0-116
Where:
- /file specifies the absolute path of the log file
- /size specifies the maximum size of the log file in bytes for circular logging
- /entries specifies the debugging level, up to a maximum of 0-300
Specifying a higher debugging level adds considerable verbosity to the log file, which is only recommended for debugging, not for actively logging to a SIEM.
Enable debug in the registry
To turn on debug logging from Registry Editor, follow the instructions on how to Turn on debug logging for Windows Time Service in the Microsoft documentation.
To add the necessary registry key and values from Command Prompt:
- Create a file named w32time-config.reg with the following content, modifying the values as appropriate:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"FileLogName"="C:\\windows\\temp\\w32time.log"
"FileLogEntries"="0-116"
"FileLogSize"=dword:00989680
- Execute the following command to add the contents of the file to the registry:
> regedit.exe w32time-config.reg
- You may need to restart the Windows Time service for the changes to take effect. You can restart it from the Services (services.msc) console or by executing the following command:
> net stop w32time && net start w32time
Alternatively, if PowerShell is available on the system, the following set of commands can be executed. Note that -Force must be a plain ASCII hyphen; a typographic dash pasted from a document is not recognized as a parameter.
# Add w32time registry entries
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name 'FileLogSize' -Value '10000000' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name 'FileLogName' -Value 'C:\Windows\Temp\w32time.log' -PropertyType 'String' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name 'FileLogEntries' -Value '0-116' -PropertyType 'String' -Force
Restart-Service -Name W32Time
These steps require altering the Windows Registry and should be executed with care. Incorrect modifications could potentially render the system unusable.
This configuration captures log data from a Windows Time service debug log file. Since the log file generated by the debug method has UTF-16 LE encoding, the xm_charconv extension module is needed for reading the file. The LineReader directive in the converter instance determines the encoding to be used.

The win_time instance of the im_file module uses the InputType directive for referencing the xm_charconv instance name, converter, that defines the character encoding type to use when reading this log file. Without this, UTF-8 encoding will be assumed and no data will be returned.

The Exec block of the win_time instance contains a conditional block for adding a new field, $nttetimestamp, which will be assigned the value matched by the first capture group of the regular expression. This is contingent on the second capture group being matched as well, which will assign its value to another new field, $message. In case one (or both) of these two capture groups is not matched, the remaining else conditional block is used, which assigns $raw_event, the entire line of log data read, to a new field called $message.

The Exec block concludes by converting each record to JSON using the to_json() procedure of the xm_json module, which also enriches the event log with the NXLog core fields.
<Extension json>
Module xm_json
</Extension>
<Extension converter>
# One way to figure out the codec type is to open the log
# file in Notepad, save the file with Save As, and under
# the Encoding portion at the bottom, the encoding that
# is chosen by default is what the file is currently
# encoded as.
Module xm_charconv
LineReader UTF-16LE
</Extension>
<Input win_time>
Module im_file
File 'C:\Windows\Temp\w32time.log'
InputType converter
<Exec>
# The leading counter may contain zeros, so match [0-9] rather than [1-9]
if $raw_event =~ /([0-9]{1,6} [0-9]{2}:[0-9]{2}:[0-9]{2}.*s) - (.*)/
{
$nttetimestamp = $1;
$message = $2;
}
else
{
$message = $raw_event;
}
to_json();
</Exec>
</Input>
{
"EventReceivedTime": "2021-08-14T20:35:32.644755-07:00",
"SourceModuleName": "win_time",
"SourceModuleType": "im_file",
"nttetimestamp": "153628 03:35:32.0392286s",
"message": "ClockDispln Discipline: *SKEW*TIME* - PhCRR:-10 CRD:-14 PhCRR_:-22 CRD_:-31 CR:14318180 (PhCRRL:-10 CRL:156250 phcTL:131072) UI:360000 KPhO:-37280"
}
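The following is an added example (not part of this NXLog guide) that reproduces the Exec block's logic in Python so the two failure modes discussed above can be checked offline: a debug log written in UTF-16 LE parses into timestamp and message records, while the same bytes read as UTF-8 yield no usable records. The sample log bytes are constructed for this example, and the regular expression is a tightened version of the one in the configuration.

```python
import json
import re

# Same split as the Exec block above: a leading counter, a time-of-day ending in "s",
# then " - " and the message. The fractional seconds are required explicitly here,
# and [0-9] (not [1-9]) lets counters containing a zero match.
LINE_RE = re.compile(r"([0-9]{1,6} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+s) - (.*)")

# Constructed sample of a W32Time debug log, encoded as UTF-16 LE like the real file.
# The first line is modelled on the page's sample record; the rest are made up.
SAMPLE_LOG = (
    "153628 03:35:32.0392286s - ClockDispln Discipline: *SKEW*TIME* - PhCRR:-10 CRD:-14\r\n"
    "150410 03:35:40.1234567s - NtpClient: constructed example line with a zero in the counter\r\n"
    "constructed continuation line with no timestamp prefix\r\n"
).encode("utf-16-le")


def parse_line(raw_event: str) -> dict:
    """Mirror the if/else in the Exec block: timestamp + message, else the raw line."""
    m = LINE_RE.match(raw_event)
    if m:
        return {"nttetimestamp": m.group(1), "message": m.group(2)}
    return {"message": raw_event}


def parse_log(data: bytes, encoding: str = "utf-16-le") -> list:
    """Decode the file with the given codec and parse every non-empty line.

    Decoding UTF-16 bytes as UTF-8 (what im_file assumes without xm_charconv) leaves a
    NUL after every character, so the regex never matches and only raw, unusable
    messages come back. Undecodable bytes are replaced so that outcome is visible.
    """
    text = data.decode(encoding, errors="replace")
    return [parse_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for record in parse_log(SAMPLE_LOG):
        print(json.dumps(record))
    wrong = parse_log(SAMPLE_LOG, "utf-8")
    print("records with a timestamp when read as UTF-8:",
          sum("nttetimestamp" in r for r in wrong))
```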