Enable Windows Time Service Auditing


Accurate date and time in a domain environment is essential for authentication between clients and servers to work correctly. The Kerberos v5 protocol tolerates a clock difference of at most 5 minutes by default; any larger skew and you will get authentication errors.

We have recently been investigating a server whose time leaped 28 days into the future! So we wanted to start auditing the Windows Time service to see what made the change.

Here are the two event log messages which, along with the fact that no one could log in, prompted the investigation.

[Screenshots: the two Windows Time service event log messages]

To enable Time Service auditing

Open an elevated command prompt and type:

w32tm /debug /enable /file:c:\W32Time\w32time.log /size:10000000 /entries:0-300

The command uses the following options:

  • /debug - Tells w32tm that you will be changing the debug log settings.
  • /enable - Turns the debug log on (as opposed to /disable, which turns it off).
  • /file - Specifies the full path of the log file that will be created; in this case: "c:\W32Time\w32time.log". The directory must exist and be writable by the service.
  • /size - The maximum size of the log file, in bytes; in this case 10,000,000 bytes (10 MB). When the log is full, the w32time service wraps around to the top of the log file.
  • /entries - A mask selecting which types of entries are logged. More about this later.

To disable Time Service auditing

Type: w32tm /debug /disable

Using the registry

In essence, the w32tm.exe command shown above does exactly what we are about to do here. The only real difference is that when you use w32tm, it handles the reloading of the config, which will actually apply the values found in the registry. Since we will now be making the changes ourselves, we will need to reload the config ourselves.

Note: If you just want a quick .reg file that you can modify and merge, skip to the bottom of this post.

To get started, fire up the Windows Registry Editor:

Start -> Run -> Regedit.exe

Next, browse to the w32time config key, where we keep all of the w32time configuration:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Here, you will be creating the following three values (if they do not already exist):

  • FileLogName (REG_SZ)
  • FileLogSize (REG_DWORD)
  • FileLogEntries (REG_SZ)

Once they are created, go ahead and add the values that you want:

  • FileLogName should point to the full path where you want to store the log file. C:\windows\temp is the preferred location. Just ensure that a service running as LocalSystem has write access to the directory.
  • FileLogSize should be the maximum size of the log file, in bytes. Remember to convert to hex if needed: 10 MB (10,000,000 bytes) in hex is 0x989680.
  • FileLogEntries is a numerical mask of the entries that you want logged to the file. Each number in the range 1 - 300 represents a particular logging entry, such as polling intervals, packets received, etc. For the sake of simplicity, you should enable all logging; narrowing the mask is really only useful if you need to track a particular entry over a long period of time and don't want all of the other logging to clobber your file. Using 0-300 guarantees that everything possible is logged.

Once you apply the changes to the registry, you need to tell the w32time service that it needs to re-read the configuration information. To do this, you can use the following command:

w32tm /config /update
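The registry steps above, carried out from PowerShell so they can be scripted and verified. This is an added example, not code from the original post; it writes the same three values with the same types the post lists (the C:\Windows\Temp path and the 10,000,000-byte size are the post's values), reloads the configuration with w32tm /config /update, and then reads the values back and checks that the log file has actually appeared. The function and variable names are my own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$logPath   = 'C:\Windows\Temp\w32time.log'   # directory must be writable by LocalSystem
$logBytes  = 10000000                        # 10 MB in decimal = 0x989680 in hex

function Enable-W32TimeDebugLog {
    param(
        [string]$Path      = $logPath,
        [int]   $SizeBytes = $logBytes,
        [string]$Entries   = '0-300'         # log everything, as the post recommends
    )
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    # Same value names and types as the post: REG_SZ, REG_DWORD, REG_SZ.
    # Set-ItemProperty creates the value when it does not exist yet.
    Set-ItemProperty -Path $configKey -Name FileLogName    -Value $Path      -Type String
    Set-ItemProperty -Path $configKey -Name FileLogSize    -Value $SizeBytes -Type DWord
    Set-ItemProperty -Path $configKey -Name FileLogEntries -Value $Entries   -Type String

    # Tell the service to re-read its configuration (the post's final step)
    & w32tm.exe /config /update | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "w32tm /config /update failed with exit code $LASTEXITCODE"
    }
}

function Get-W32TimeDebugLogSetting {
    # Read the values back from the registry so the result can be checked
    $p = Get-ItemProperty -Path $configKey
    [pscustomobject]@{
        FileLogName      = $p.FileLogName
        FileLogSizeBytes = $p.FileLogSize
        FileLogEntries   = $p.FileLogEntries
    }
}

Enable-W32TimeDebugLog
Get-W32TimeDebugLogSetting | Format-List

# Give the service a few seconds, then confirm it is really writing the file
Start-Sleep -Seconds 5
if (Test-Path -LiteralPath $logPath) {
    Get-Item -LiteralPath $logPath | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Warning "No log file at $logPath yet. Check that LocalSystem can write to $(Split-Path -Parent $logPath)."
}
```

The final check matters because a wrong path or a directory the service cannot write to fails silently: the registry values look correct but no log is ever produced. The Config key values can also be cross-checked with w32tm /query /configuration.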

Example .reg file

Here is an example .reg file content you can modify to simplify the process:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"FileLogName"="C:\\windows\\temp\\w32time.log"
"FileLogEntries"="0-300"
"FileLogSize"=dword:00989680

Disabling w32time logging

Of course, once the issue is solved you can stop the logging. This can be done as follows:

Create a reg file (w32Time_Log_Remove.reg for example) with the following content:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Config]
"FileLogSize"=-
"FileLogName"=-
"FileLogEntries"=-

Import the file with the following command:

regedit /s w32Time_Log_Remove.reg

Restart the Windows Time service:

net stop w32time
net start w32time
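The same clean-up as the .reg file above, done from PowerShell so the log from the investigation is preserved before logging is switched off. This is an added example and not code from the original post: it removes the three values the post names, reloads the configuration, restarts the service so the log file handle is released, and then verifies that no value is left behind. The function name and the archive folder are my own choices.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$valueNames = 'FileLogName', 'FileLogSize', 'FileLogEntries'

function Disable-W32TimeDebugLog {
    param(
        # Optional folder to keep a timestamped copy of the log for the investigation
        [string]$ArchiveTo = 'C:\W32Time\archive'
    )
    $before  = Get-ItemProperty -Path $configKey
    $logPath = $before.FileLogName

    foreach ($name in $valueNames) {
        if ($null -ne $before.$name) {
            # Equivalent of "Name"=- in the .reg file: delete the value
            Remove-ItemProperty -Path $configKey -Name $name
        }
    }

    # Reload the config, then restart the service so it closes the log file
    & w32tm.exe /config /update | Out-Null
    Restart-Service -Name w32time

    # Keep the evidence: move the log out of the way with a timestamp in its name
    if ($logPath -and (Test-Path -LiteralPath $logPath)) {
        if (-not (Test-Path -LiteralPath $ArchiveTo)) {
            New-Item -ItemType Directory -Path $ArchiveTo | Out-Null
        }
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $dest  = Join-Path $ArchiveTo "w32time-$stamp.log"
        Move-Item -LiteralPath $logPath -Destination $dest
    }

    # Verify nothing is still pointing at a log file
    $after = Get-ItemProperty -Path $configKey
    $left  = $valueNames | Where-Object { $null -ne $after.$_ }
    if ($left) {
        throw "Values still present under $configKey : $($left -join ', ')"
    }
    [pscustomobject]@{
        ServiceStatus = (Get-Service -Name w32time).Status
        ArchivedLog   = if ($dest) { $dest } else { $null }
    }
}

Disable-W32TimeDebugLog
```

Restarting the service, as the post does, is what actually releases the log file; without it the old file stays open even though the registry values are gone.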