This query will list all users who initiated a time change. System accounts change time automatically, as such I’ve ignored system accounts from the query output. Windows 2008 and newer: sourcetype=WinEventLog:Security EventCode=4616 Account_Name!=”*$” Account_Name!=”LOCAL SERVICE”| stats count by Account_Name Windows 2003 and before: sourcetype=WinEventLog:Security user!=”*$” user!=”LOCAL SERVICE” EventCode=520 | stats count by user
