System date change tracking in Windows XP

0

I wanted to track when the system time was changed on a PC. By looking in Event Viewer for event ID 520 I will get it. But when I changed the date manually in Windows and looked at Event Viewer, I found 4 entries for a single date change.

Now, of those 4 entries, the last one has the description below:

The system time was changed.
 Process ID:    1932
 Process Name:  C:\WINDOWS\system32\rundll32.exe
 Primary User Name: nav
 Primary Domain:    PC132
 Primary Logon ID:  (0x0,0x115A0)
 Client User Name:  nav
 Client Domain: PC132
 Client Logon ID:   (0x0,0x115A0)
 Previous Time: 10:18:32 AM 8/23/2013
 New Time:  10:18:32 AM 8/24/2013

All other three entries show:

The system time was changed.
 Process ID:    1932
 Process Name:  C:\WINDOWS\system32\rundll32.exe
 Primary User Name: navaneeth a
 Primary Domain:    PC132
 Primary Logon ID:  (0x0,0x115A0)
 Client User Name:  navaneeth a
 Client Domain: PC132
 Client Logon ID:   (0x0,0x115A0)
 Previous Time: 10:18:32 AM 8/24/2013
 New Time:  10:18:32 AM 8/24/2013

What is the meaning of these 4 entries for a date change?

Also, is there any method to get a history or log of system date changes?

IT researcher

Posted 2013-08-23T05:08:19.040

Reputation: 783

Answers

0

To explain Event ID 520:

Process Name: Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP).

Primary User Name: Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through Control Panel or the time command.

Primary Domain: domain of the user

Primary Logon ID: correlates to the logon ID in the user's logon session event ID 528 or 540

Client User Name: your login name

Client Domain: your internal domain

Client Logon ID: logon ID

Previous Time: Previous system time

New Time: Current changed time

In addition to it, the fourth entry has event ID 515.

From TechNet:

This event record indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source. Logon processes are trusted components responsible for collecting identification and authentication information from external devices, such as terminals and networks. They use Local Security Authority services to log these users on. A single system can simultaneously support multiple logon processes.

Your system date

Alternatively, you can try MyEventViewer to keep track of the changes.

I guess overwrite is disabled in the Event Viewer properties, so the logs might get logged multiple times.

BlueBerry - Vignesh4303

Posted 2013-08-23T05:08:19.040

Reputation: 7 221

1 These are just explanations of what each detail refers to. But I want to know why 4 events are written in Event Viewer if I change the date only once? – IT researcher – 2013-08-23T06:09:20.227
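One way to build the date-change history the question asks for, as an added example that is not part of the original thread: parse exported event 520 descriptions and keep only the records where Previous Time differs from New Time. It assumes the log was saved as text in the layout quoted in the question; the function names and the sample (shortened from the question's two descriptions) are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: three no-op records followed by the real change,
# mirroring the four entries in the question (fields shortened).
REAL = r"""The system time was changed.
 Process ID:    1932
 Process Name:  C:\WINDOWS\system32\rundll32.exe
 Primary User Name: nav
 Previous Time: 10:18:32 AM 8/23/2013
 New Time:  10:18:32 AM 8/24/2013
"""
NOOP = REAL.replace("8/23/2013", "8/24/2013")  # Previous Time == New Time
SAMPLE = NOOP * 3 + REAL

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")
TIME_FMT = "%I:%M:%S %p %m/%d/%Y"  # e.g. 10:18:32 AM 8/23/2013

def parse_events(text):
    """Split exported text into one dict of fields per event 520 record."""
    events = []
    for line in text.splitlines():
        if line.startswith("The system time was changed"):
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1)] = m.group(2)
    return events

def time_changes(text):
    """Return only the records whose clock actually moved, with the delta."""
    changes = []
    for ev in parse_events(text):
        old = datetime.strptime(ev["Previous Time"], TIME_FMT)
        new = datetime.strptime(ev["New Time"], TIME_FMT)
        if new != old:  # drop entries that record no change
            changes.append({"user": ev.get("Primary User Name"),
                            "process": ev.get("Process Name"),
                            "old": old, "new": new, "delta": new - old})
    return changes

if __name__ == "__main__":
    for c in time_changes(SAMPLE):
        print(f'{c["old"]} -> {c["new"]} ({c["delta"]}) '
              f'by {c["user"]} via {c["process"]}')
```

The Process Name and Primary User Name kept on each record let a reviewer separate manual changes (rundll32.exe, cmd.exe) from service-driven synchronization (svchost), as described in the answer.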