Hi again,
I look at Event ID 4616 in security.evtx and see some system time changing logs.
But later, I look system.evtx ( Event ID 1) and I perceive some system time changing logs are (in system.evtx) not have in security.evtx.
Which one is trusts ? I wait your valuable opinions.
Event ID 4616 in security.evtx is true one, cause other one is show normally system time changing ( power on-off, sleep etc.)
Thanks.
One way to check if the time has been altered on the computer if it has been put backwards is to check the events in order of their EventRecordID and see if the dates and times are in the correct order.
This used to be easy with evt logs but I think it may require something like Log Parser with evtx to pull out this field.
H
Yes - annoyingly, Event Record ID seems to be the only field you cannot "sort by" in the new Event Viewer.
However, if it is of any help, then when you first load an evtx file, it is by default ordered by Event Record ID.
Yes - annoyingly, Event Record ID seems to be the only field you cannot "sort by" in the new Event Viewer.
Would something like this help?
http//
jaclaz
Nice one yes it does display the EventrecordID for evtx.
H
in a security.evtx log
system time change(4616)
old time 01.07.2010 071709
new time 28.06.2010 071146 and this info's time is 28.06.2010 101146 (3 hours later than new time)
old time 28.06.2010 072520
new time 28.06.2010 031156 and this info's time is 28.06.2010 061156 (3 hours later than new time too)
If a file is creating on 28.06.2010 101756 is it normally? And info's times are normally ( 3 hours later than new time status)
That is interesting, I think the best way to find out the answer for sure is to test it yourself on your own system and see what happens.
H