Windows Time Change

This query lists every user who initiated a time change. System accounts change the time automatically, so I've excluded them from the query output.

Windows 2008 and newer:
sourcetype=WinEventLog:Security EventCode=4616 Account_Name!="*$" Account_Name!="LOCAL SERVICE" | stats count by Account_Name

Windows 2003 and before:
sourcetype=WinEventLog:Security user!="*$" user!="LOCAL SERVICE" EventCode=520 | stats count by user
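
To show which accounts the two exclusions drop and what the per-user count looks like, here is an added example (not part of the original page) that replays the same filter logic in Python over constructed events. The trimmed event layout, the account names and the helper names are assumptions made for illustration.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Same exclusions as the searches: machine accounts (*$) and LOCAL SERVICE.
EXCLUDED = ("*$", "LOCAL SERVICE")

def make_event(code, account):
    # Constructed event text, trimmed to the fields the searches use.
    return f"EventCode={code}\nSubject:\n\tAccount Name:\t\t{account}\n"

SAMPLE_EVENTS = [
    make_event(4616, "jsmith"),
    make_event(4616, "WS01$"),          # machine account, excluded
    make_event(4616, "LOCAL SERVICE"),  # service account, excluded
    make_event(4616, "jsmith"),
    make_event(4616, "admin.lee"),
    make_event(4624, "jsmith"),         # logon event, not a time change
]

def field(event, pattern):
    m = re.search(pattern, event, re.MULTILINE)
    return m.group(1) if m else None

def time_changes_by_user(events, code="4616"):
    counts = Counter()
    for ev in events:
        if field(ev, r"^EventCode=(\d+)\s*$") != code:
            continue
        name = field(ev, r"^\s*Account Name:\s*(.+?)\s*$")
        # Like != in SPL, an event with no account field is dropped too.
        if name is None:
            continue
        # Splunk compares field values case-insensitively.
        if any(fnmatchcase(name.upper(), p) for p in EXCLUDED):
            continue
        counts[name] += 1
    return dict(counts)

if __name__ == "__main__":
    for user, n in sorted(time_changes_by_user(SAMPLE_EVENTS).items()):
        print(f"{user}\t{n}")
```

Passing code="520" applies the same filter to events from Windows 2003 and before.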
