{ "id": "43bb1623-db96-4887-a17a-0fd8d2746499", "created_at": "2026-04-06T00:21:24.463082Z", "updated_at": "2026-04-10T03:36:13.70442Z", "deleted_at": null, "sha1_hash": "7fa62a01c51e4432aa859798b263f553750dbac0", "title": "Windows Time Service Tools and Settings", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 155430, "plain_text": "Windows Time Service Tools and Settings\r\nBy robinharwood\r\nArchived: 2026-04-05 21:49:40 UTC\r\nThe Windows Time service (W32Time) synchronizes the date and time for all computers managed by Active\r\nDirectory Domain Services (AD DS). This article covers the various tools and settings used to manage W32Time.\r\nBy default, a computer that's joined to a domain synchronizes time through a domain hierarchy of time sources.\r\nHowever, sometimes a computer is manually configured to synchronize from a specific time source, perhaps\r\nbecause it was formerly not joined to a domain. In this case, you can reconfigure the computer to begin\r\nautomatically sourcing its time from the domain hierarchy.\r\nMost domain-joined computers have a time client type of Net Time 5 Directory Service (NT5DS), which means\r\nthat they synchronize time from the domain hierarchy. An exception is the domain controller, which functions as\r\nthe primary domain controller (PDC) emulator operations master for the root forest domain. The PDC emulator\r\noperations master in turn is configured to synchronize time with an external time source.\r\nYou can achieve down to one-millisecond time accuracy in your domain. For more information, see Support\r\nboundary for high-accuracy time and Accurate Time for Windows Server 2016.\r\nW32Time follows the Network Time Protocol (NTP) specification, which requires the use of User Datagram\r\nProtocol (UDP) port 123 for all time synchronization. Whenever the computer synchronizes its clock or provides\r\ntime to another computer, it happens over UDP port 123. W32Time reserves this port as the destination port.\r\nNote\r\nNTP servers typically listen on UDP port 123 for requests and respond from the same port, which is also\r\ntrue for the built-in W32Time NTP server.\r\nYou can enable or disable the built-in W32Time NTP client and NTP server independently. Both share\r\nUDP port 123 for their functions.\r\nThe built-in W32Time NTP client can only use UDP 123 as the source port.\r\nIf your computer has multiple network adapters (it's multi-homed), you can't enable W32Time based on a\r\nnetwork adapter.\r\nYou can use the w32tm command to configure W32Time settings and diagnose computer time problems. The\r\nw32tm command is the preferred command-line tool for configuring, monitoring, and troubleshooting W32Time.\r\nMembership in the local Administrators group is required to run this tool locally, and membership in the Domain\r\nAdmins group is required to run this tool remotely.\r\nTo use w32tm , take the following steps:\r\n1. Select Start, and then enter cmd. Right-click Command Prompt, and then select Run as administrator.\r\n2. At the command prompt, enter w32tm followed by the applicable parameters.\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 1 of 17\n\nParameter Description\r\n/? Displays the w32tm command-line help.\r\n/config [/computer:\u003ctarget\u003e]\r\n[/update] [/manualpeerlist:\r\n\u003cpeers\u003e] [/syncfromflags:\r\n\u003csource\u003e]\r\n[/LocalClockDispersion:\r\n\u003cseconds\u003e] [/reliable:(YES|NO)]\r\n[/largephaseoffset:\r\n\u003cmilliseconds\u003e]\r\n/computer:\u003ctarget\u003e: Adjusts the configuration of \u003ctarget\u003e. If not\r\nspecified, the default target is the local computer.\r\n/update: Notifies W32Time that the configuration is changing, causing\r\nthe changes to take effect.\r\n/manualpeerlist:\u003cpeers\u003e: Sets the manual peer list to \u003cpeers\u003e, which is\r\na space-delimited list of Domain Name System (DNS) or IP addresses.\r\nWhen you specify multiple peers, this option must be enclosed in\r\nquotation marks.\r\n/syncfromflags:\u003csource\u003e: Sets the sources that the NTP client should\r\nsynchronize from. The \u003csource\u003e value should be a comma-separated list\r\nof the following keywords (not case sensitive):\r\nMANUAL: Include peers from the manual peer list.\r\nDOMHIER: Synchronize from a domain controller (DC) in the\r\ndomain hierarchy.\r\n/LocalClockDispersion:\u003cseconds\u003e: Configures the accuracy of the\r\ninternal clock that W32Time uses when it can't acquire time from its\r\nconfigured sources.\r\n/reliable:(YES|NO): Sets whether this computer is a reliable time\r\nsource. This setting is only meaningful on domain controllers.\r\nYES: This computer is a reliable time service.\r\nNO: This computer isn't a reliable time service.\r\n/largephaseoffset:\u003cmilliseconds\u003e: Sets the time difference between\r\nlocal and network time that W32Time considers a spike.\r\n/debug {/disable | {/enable /file:\r\n\u003cname\u003e /size:/\u003cbytes\u003e /entries:\r\n\u003cvalue\u003e [/truncate]}}\r\nEnables or disables the local computer W32Time private log.\r\n/disable: Disables the private log.\r\n/enable: Enables the private log.\r\nfile:\u003cname\u003e: Specifies the absolute file name.\r\nsize:\u003cbytes\u003e: Specifies the maximum size for circular logging.\r\nentries:\u003cvalue\u003e: Contains a list of flags, specified by number\r\nand separated by commas, that specifies the types of information\r\nthat should be logged. Valid values are 0 to 300. A range of\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 2 of 17\n\nParameter Description\r\nnumbers is valid, as are single numbers, such as 0-100,103,106.\r\nA value of 0-300 is for logging all information.\r\n/truncate: Truncates the file if it exists.\r\n/dumpreg [/subkey:\u003ckey\u003e]\r\n[/computer:\u003ctarget\u003e]\r\nDisplays the values associated with a given registry key.\r\nThe default key is\r\nHKLM\\System\\CurrentControlSet\\Services\\W32Time (the root key\r\nfor W32Time).\r\n/subkey:\u003ckey\u003e: Displays the values associated with subkey \u003ckey\u003e of\r\nthe default key.\r\n/computer:\u003ctarget\u003e: Queries registry settings for computer \u003ctarget\u003e.\r\n/monitor [/domain:\u003cdomain\r\nname\u003e] [/computers:\u003cname\u003e[,\r\n\u003cname\u003e[,\u003cname\u003e...]]] [/threads:\r\n\u003cnum\u003e]\r\nMonitors W32Time.\r\n/domain: Specifies which domain to monitor. If no domain name is\r\ngiven, and the /domain and /computers options aren't specified, the\r\ndefault domain is used. This option can be used more than once.\r\n/computers: Monitors the given list of computers. Computer names are\r\nseparated by commas, with no spaces. If a name is prefixed with an\r\nasterisk (*), the computer is treated as a PDC. This option can be used\r\nmore than once.\r\n/threads: Specifies the number of computers to analyze simultaneously.\r\nThe default value is 3. The allowed range is 1-50.\r\n/ntpte \u003cNTP time epoch\u003e\r\nConverts an NTP time (measured in 2-32-second intervals starting from\r\n0h 1-Jan 1900) into a readable format.\r\n/ntte \u003cNT time epoch\u003e\r\nConverts a Windows NT system time (measured in 10-7-second\r\nintervals starting from 0h 1-Jan 1601) into a readable format.\r\n/query [/computer:\u003ctarget\u003e]\r\n{/source | /configuration | /peers |\r\n/status} [/verbose]\r\nDisplays the computer's W32Time information.\r\n/computer:\u003ctarget\u003e: Queries the information of \u003ctarget\u003e. If not\r\nspecified, the default value is the local computer.\r\n/source: Displays the time source.\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 3 of 17\n\nParameter Description\r\n/configuration: Displays the runtime configuration and the source of\r\nthe settings. In verbose mode, this parameter also displays the undefined\r\nor unused settings.\r\n/peers: Displays a list of peers and their status.\r\n/status: Displays the W32Time status.\r\n/verbose: Turns on verbose mode to display more information.\r\n/register\r\nRegisters W32Time to run as a service and adds its default configuration\r\ninformation to the registry.\r\n/resync [/computer:\u003ccomputer\u003e]\r\n[/nowait] [/rediscover] [/soft]\r\nTells a computer that it should resynchronize its clock as soon as\r\npossible, throwing out all accumulated error statistics. The NTP client\r\nrequires UDP 123 as the source port.\r\n/computer:\u003ccomputer\u003e: Specifies the computer that should\r\nresynchronize. If no computer is specified, the local computer\r\nresynchronizes.\r\n/nowait: Doesn't wait for resynchronization to occur. Instead, it returns\r\nimmediately. If this option isn't present, the command waits for\r\nresynchronization to finish before returning.\r\n/rediscover: Redetects the network configuration, rediscovers network\r\nsources, and then resynchronizes.\r\n/soft: Resynchronizes by using existing error statistics. This option is\r\nused for compatibility purposes.\r\n/stripchart /computer:\u003ctarget\u003e\r\n[/period:\u003crefresh\u003e] [/dataonly]\r\n[/samples:\u003ccount\u003e] [/rdtsc]\r\nDisplays a strip chart of the offset between this computer and another\r\ncomputer. The NTP client uses an ephemeral UDP source port to\r\ncommunicate to the server to prevent conflicts with the built-in NTP\r\nclient.\r\n/computer:\u003ctarget\u003e: Specifies the computer to measure the offset\r\nagainst.\r\n/period:\u003crefresh\u003e: Specifies the time between samples, in seconds. The\r\ndefault value is 2.\r\n/dataonly: Displays the data only, without graphics.\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 4 of 17\n\nParameter Description\r\n/samples:\u003ccount\u003e: Collects \u003ccount\u003e samples, and then stops. If not\r\nspecified, samples are collected until Ctrl+C is selected.\r\n/rdtsc: For each sample, prints comma-separated values along with the\r\nheaders RdtscStart, RdtscEnd, FileTime, RoundtripDelay, and\r\nNtpOffset instead of the text graphic.\r\nRdtscStart: The Read Time Stamp Counter (RDTSC) value\r\ncollected just before the NTP request is generated.\r\nRdtscEnd: The RDTSC value collected just after the NTP\r\nresponse is received and processed.\r\nFileTime: The local FILETIME value used in the NTP request.\r\nRoundtripDelay: The time elapsed in seconds between\r\ngenerating the NTP request and processing the received NTP\r\nresponse, computed as per NTP roundtrip computations.\r\nNTPOffset: The time offset in seconds between the local\r\ncomputer and the NTP server, computed as per NTP offset\r\ncomputations.\r\n/tz Displays the current time zone settings.\r\n/unregister\r\nUnregisters W32Time and removes all its configuration information\r\nfrom the registry.\r\nTo set a client computer to point to two different time servers, one named ntpserver.contoso.com and another\r\nnamed clock.adatum.com , run the following command:\r\nw32tm /config /manualpeerlist:\"ntpserver.contoso.com clock.adatum.com\" /syncfromflags:manual /update\r\nSuppose you have a client computer that currently synchronizes time by using a manually specified computer. To\r\nconfigure the client computer to synchronize time automatically from the Active Directory domain hierarchy, run\r\nthe following command:\r\nw32tm /config /syncfromflags:domhier /update\r\nnet stop w32time\r\nnet start w32time\r\nTo check a client configuration from a Windows-based client computer that has a host name of contosoW1 , run\r\nthe following command:\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 5 of 17\n\nw32tm /query /computer:contosoW1 /configuration\r\nThe output of this command lists W32Time configuration parameters that are set for the client.\r\nSince Windows Server 2016, improvements to the time synchronization algorithms support alignment with\r\nRequest for Comments (RFC) specifications. Therefore, if you want to set the local time client to point to multiple\r\npeers, we recommend that you prepare three or more time servers.\r\nIf you have only two time servers, you should specify the NtpServer UseAsFallbackOnly flag (0x2) to\r\ndeprioritize one of them. For example, if you want to prioritize ntpserver.contoso.com over\r\nclock.adatum.com , run the following command:\r\nw32tm /config /manualpeerlist:\"ntpserver.contoso.com,0x8 clock.adatum.com,0x2\" /syncfromflags:manual /update\r\nAlso, you can run the following command and read the value of NtpServer in the output:\r\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\r\nIn order for w32tm to reset a computer clock, it first checks the offset CurrentTimeOffset , also known as\r\nPhase Offset , between the current time and the computer clock time to determine whether the offset is less than\r\nthe MaxAllowedPhaseOffset value.\r\nCurrentTimeOffset ≤ MaxAllowedPhaseOffset : Adjust the computer clock gradually by using the clock\r\nrate.\r\nCurrentTimeOffset \u003e MaxAllowedPhaseOffset : Set the computer clock immediately.\r\nTo adjust the computer clock by using the clock rate, w32tm then calculates a PhaseCorrection value. This\r\nalgorithm varies depending on the version of Windows:\r\nWindows Server 2016 and later versions:\r\nPhaseCorrection_raw = ( CurrentTimeOffset ) ÷ (16 × PhaseCorrectRate × pollIntervalInSeconds )\r\nMaximumCorrection = ( CurrentTimeOffset ) ÷ ( UpdateInterval ÷ 100)\r\nPhaseCorrection = min( PhaseCorrection_raw , MaximumCorrection )\r\nWindows Server 2012 R2 and earlier versions:\r\nPhaseCorrection = ( CurrentTimeOffset ) ÷ ( PhaseCorrectRate × UpdateInterval )\r\nAll versions of Windows use the same final equation to check PhaseCorrection :\r\nPhaseCorrection ≤ SystemClockRate ÷ 2\r\nNote\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 6 of 17\n\nThe following operating systems apply cumulative updates from KB5006744 onward, so they use the formula for\r\nWindows Server 2016 and later versions:\r\nWindows Server 2025\r\nWindows Server 2022\r\nWindows Server 2019 version 1809\r\nWindows 11\r\nWindows 10 version 1809\r\nIn these equations, PhaseCorrectRate , UpdateInterval , MaxAllowedPhaseOffset , and SystemClockRate are\r\nmeasured in units of clock ticks. On Windows systems, one millisecond equals 10,000 clock ticks.\r\nYou can configure the MaxAllowedPhaseOffset value in the registry. However, the registry parameter is measured\r\nin seconds instead of clock ticks.\r\nTo see the SystemClockRate and pollIntervalInSeconds values (measured in seconds), open a Command\r\nPrompt window and then run the following command: w32tm /query /status /verbose . This command\r\nproduces output that resembles the following lines:\r\nLeap Indicator: 0(no warning)\r\nStratum: 1 (primary reference - syncd by radio clock)\r\nPrecision: -23 (119.209ns per tick)\r\nRoot Delay: 0.0003538s\r\nRoot Dispersion: 0.0100002s\r\nReferenceId: 0x00000000 (unspecified)\r\nLast Successful Sync Time: 5/23/2023 7:51:39 PM\r\nSource: VM IC Time Synchronization Provider\r\nPoll Interval: 6 (64s)\r\n \r\nPhase Offset: -0.0000013s\r\nClockRate: 0.0156250s\r\nState Machine: 2 (Sync)\r\nTime Source Flags: 3 (Authenticated Hardware )\r\nServer Role: 0 (None)\r\nLast Sync Error: 0 (The command completed successfully.)\r\nTime since Last Good Sync Time: 15.7344985s\r\nIn the output, the poll interval is listed in clock ticks and in seconds. The equations use the value measured in\r\nseconds (the value in parentheses).\r\nThe output lists the clock rate in seconds. To calculate the SystemClockRate value in clock ticks, use the\r\nfollowing formula:\r\n( value in clock ticks ) = ( value in seconds ) × 1,000 × 10,000\r\nThis formula uses the following conversion factors:\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 7 of 17\n\nOne second equals 1,000 milliseconds.\r\nOne millisecond equals 10,000 clock ticks on a Windows system, as described in DateTime.Ticks Property.\r\nFor example:\r\nIf SystemClockRate is 0.0156250 seconds, the value that the equation produces is 156,250 clock ticks.\r\nBy extension, five minutes becomes 5 × 60 × 1000 × 10000 = 3,000,000,000 clock ticks.\r\nThe following examples show how to apply the phase correction calculations for Windows Server 2012 R2 and\r\nearlier versions.\r\nIf your computer clock time is 11:05 and the actual current time is 11:09, w32tm uses the following values:\r\nPhaseCorrectRate = 1\r\nUpdateInterval = 30,000 clock ticks\r\nSystemClockRate = 156,000 clock ticks\r\nMaxAllowedPhaseOffset = 10 min = 600 seconds = 600 × 1,000 × 10,000 = 6,000,000,000 clock ticks\r\nCurrentTimeOffset = 4 min = 4 × 60 × 1,000 × 10,000 = 2,400,000,000 clock ticks\r\nTo reset the clock, w32tm checks the following condition:\r\nIs CurrentTimeOffset ≤ MaxAllowedPhaseOffset ?\r\nIn this case, the condition has the following values, so it evaluates to true:\r\n2,400,000,000 ≤ 6,000,000,000\r\nNext, w32tm checks the following condition:\r\nIs (CurrentTimeOffset) ÷ (PhaseCorrectRate × UpdateInterval) ≤ SystemClockRate ÷ 2?\r\nIn this case, the condition has the following values:\r\n2,400,000,000 ÷ (30,000 × 1) ≤ 156,000 ÷ 2, or 80,000 ≤ 78,000\r\nThis condition is false. Therefore, w32tm sets the clock back immediately.\r\nNote\r\nIn this example, if you want to set the clock back slowly, you also have to adjust the values of PhaseCorrectRate\r\nor UpdateInterval in the registry to make sure that the equation result is true.\r\nIf your computer clock time is 11:05 and the actual current time is 11:08, w32tm uses the following values:\r\nPhaseCorrectRate = 1\r\nUpdateInterval = 30,000 clock ticks\r\nSystemClockRate = 156,000 clock ticks\r\nMaxAllowedPhaseOffset = 10 min = 600 seconds = 600 × 1,000 × 10,000 = 6,000,000,000 clock ticks\r\nCurrentTimeOffset = 3 mins = 3 × 60 × 1,000 × 10,000 = 1,800,000,000 clock ticks\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 8 of 17\n\nTo reset the clock, w32tm checks the following condition:\r\nIs CurrentTimeOffset ≤ MaxAllowedPhaseOffset ?\r\nIn this case, the condition has the following values, so it evaluates to true:\r\n1,800,000,000 ≤ 6,000,000,000\r\nNext, w32tm checks the following condition:\r\nIs (CurrentTimeOffset) ÷ (PhaseCorrectRate × UpdateInterval) ≤ SystemClockRate ÷ 2?\r\nIn this case, the condition has the following values:\r\n(1,800,000,000) ÷ (1 × 30,000) ≤ 156,000 ÷ 2, or 60,000 ≤ 78,000\r\nThis condition is true. The clock is set back slowly.\r\nW32Time stores several configuration properties as registry entries. You can use Group Policy Objects (GPOs) in\r\nLocal Group Policy Editor to configure most of this information. For example, you can use GPOs to configure a\r\ncomputer to be an NTP server or NTP client, configure the time synchronization mechanism, or configure a\r\ncomputer to be a reliable time source. You can also apply Group Policy settings for W32Time to domain\r\ncontrollers.\r\nWindows stores W32Time policy information in the Local Group Policy Editor under Computer\r\nConfiguration\\Administrative Templates\\System\\Windows Time Service. It stores configuration information\r\nthat the policies define in the Windows registry, and then uses those registry entries to configure the registry\r\nentries specific to W32Time. As a result, the values defined by Group Policy overwrite any preexisting values in\r\nthe W32Time section of the registry. Some of the preset GPO settings differ from the corresponding default\r\nW32Time registry entries.\r\nThe following table lists the policies that you can configure for W32Time and registry subkey equivalents that\r\nthose policies affect.\r\nGroup Policy Registry locations1,\r\n \r\n2\r\nGlobal Configuration Settings\r\nW32Time\r\nW32Time\\Config\r\nW32Time\\Parameters\r\nTime Providers\\Configure Windows NTP Client W32Time\\TimeProviders\\NtpClient\r\nTime Providers\\Enable Windows NTP Client W32Time\\TimeProviders\\NtpClient\r\nTime Providers\\Enable Windows NTP Server W32Time\\TimeProviders\\NtpServer\r\n1\r\n Subkey: HKLM\\SOFTWARE\\Policies\\Microsoft\r\n2\r\n Subkey: HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 9 of 17\n\nNote\r\nWhen you remove a Group Policy setting, Windows removes the corresponding entry from the policy area of the\r\nregistry.\r\nThe following table lists default values for the Global Configuration Settings when they're enabled:\r\nGroup Policy setting Default value\r\nAnnounceFlags 10\r\nChainDisable 0\r\nChainEntryTimeout 16\r\nChainLoggingRate 30\r\nChainMaxEntries 128\r\nChainMaxHostEntries 4\r\nClockAdjustmentAuditLimit 800\r\nClockHoldoverPeriod 7,800\r\nEventLogFlags 2\r\nFrequencyCorrectRate 4\r\nHoldPeriod 5\r\nLargePhaseOffset 50,000,000\r\nLocalClockDispersion 10\r\nMaxAllowedPhaseOffset 300\r\nMaxNegPhaseCorrection 172,800 (48 hours)\r\nMaxPollInterval 10\r\nMaxPosPhaseCorrection 172,800 (48 hours)\r\nMinPollInterval 6\r\nPhaseCorrectRate 1\r\nPollAdjustFactor 5\r\nRequireSecureTimeSyncRequests 0\r\nSpikeWatchPeriod 900\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 10 of 17\n\nGroup Policy setting Default value\r\nUpdateInterval 100 (1 second)\r\nUtilizeSslTimeData 1\r\nThe following table lists the default Windows NTP client settings that are contained in Computer\r\nConfiguration\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Configure\r\nWindows NTP Client.\r\nGroup Policy setting Default value\r\nNtpServer time.windows.com , 0x9\r\nType\r\nNT5DS: Used for domain-joined computers\r\nNTP: Used for non-domain-joined computers\r\nCrossSiteSyncFlags 2\r\nResolvePeerBackoffMinutes 15\r\nResolvePeerBackoffMaxTimes 7\r\nSpecialPollInterval 1024\r\nEventLogFlags 0\r\nNote\r\nIf you use Group Policy to set the NtpServer value as part of the Configure Windows NTP Client policy and\r\napply it to a domain member, W32Time doesn't use the NtpServer registry value. To view your NTP\r\nconfiguration, open Command Prompt and run the following command: w32tm /query /configuration .\r\nW32Time stores information under the following registry paths:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Config\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpClient\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\r\nWarning\r\nThis information is provided as a reference for use in troubleshooting and validation. Windows registry keys are\r\nused by W32Time to store critical information. Don't change these values. Modifications to the registry aren't\r\nvalidated by the registry editor or by Windows before they're applied. If the registry contains invalid values,\r\nWindows might experience unrecoverable errors.\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 11 of 17\n\nSome of the parameters in the registry are measured in clock ticks and some are measured in seconds. To convert\r\nbetween the two units, see the explanation earlier in Configure a computer clock reset.\r\nIn the following table, All versions refers to all supported versions of Windows and Windows Server.\r\nConfig\r\nParameters\r\nNtpClient\r\nNtpServer\r\nRegistry entry Versions Description\r\nAnnounceFlags All versions\r\nControls whether this computer is marked as a reliable\r\ntime server. A computer isn't marked as reliable unless\r\nit's also marked as a time server.\r\n0x00: Not time server\r\n0x01: Always time server\r\n0x02: Automatic time server\r\n0x04: Always-reliable time server\r\n0x08: Automatic reliable time server\r\nThe default value for domain members is 10. The\r\ndefault value for stand-alone clients and servers is 10.\r\nClockAdjustmentAuditLimit\r\nWindows Server\r\n2016 version\r\n1709 and later\r\nversions;\r\nWindows 10\r\nversion 1709\r\nand later\r\nversions\r\nSpecifies the smallest local clock adjustments that can\r\nbe logged to the W32Time event log on the target\r\ncomputer. The default value is 800 parts per million\r\n(ppm).\r\nClockHoldoverPeriod\r\nWindows Server\r\n2016 version\r\n1709 and later\r\nversions;\r\nWindows 10\r\nversion 1709\r\nand later\r\nversions\r\nIndicates the maximum number of seconds a system\r\nclock can nominally hold its accuracy without\r\nsynchronizing with a time source. If this period of time\r\npasses without W32Time obtaining new samples from\r\nany of its input providers, W32Time initiates a\r\nrediscovery of time sources. The default value is 7,800\r\nseconds.\r\nEventLogFlags All versions Controls which events the time service logs.\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 12 of 17\n\nRegistry entry Versions Description\r\n0x1: Time jump\r\n0x2: Source change\r\nThe default value on domain members is 2. The\r\ndefault value on stand-alone clients and servers is 2.\r\nFrequencyCorrectRate All versions\r\nControls the rate at which the clock is corrected. If this\r\nvalue is too small, the clock is unstable and\r\novercorrects. If the value is too large, the clock takes a\r\nlong time to synchronize. The default value on domain\r\nmembers is 4. The default value on stand-alone clients\r\nand servers is 4.\r\nZero isn't a valid value for the\r\nFrequencyCorrectRate registry entry.\r\nHoldPeriod All versions\r\nControls the period of time for which spike detection\r\nis disabled in order to bring the local clock into\r\nsynchronization quickly. A spike is a time sample\r\nindicating that time is off several seconds, and is\r\nreceived after good time samples return consistently.\r\nThe default value on domain members is 5. The\r\ndefault value on stand-alone clients and servers is 5.\r\nLargePhaseOffset All versions\r\nSpecifies that a time offset greater than or equal to this\r\nvalue in 10-7 seconds is considered a spike. A network\r\ndisruption such as a large amount of traffic might\r\ncause a spike. A spike is ignored unless it persists for a\r\nlong period of time. The default value on domain\r\nmembers is 50,000,000. The default value on stand-alone clients and servers is 50,000,000.\r\nLocalClockDispersion All versions\r\nControls the dispersion (in seconds) that you must\r\nassume when the only time source is the built-in\r\nCMOS clock. The default value on domain members is\r\n10. The default value on stand-alone clients and\r\nservers is 10.\r\nMaxAllowedPhaseOffset All versions Specifies the maximum offset (in seconds) for which\r\nW32Time attempts to adjust the computer clock by\r\nusing the clock rate. When the offset exceeds this rate,\r\nW32Time sets the computer clock directly. The default\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 13 of 17\n\nRegistry entry Versions Description\r\nvalue for domain members is 300. The default value\r\nfor stand-alone clients and servers is 1.\r\nMaxClockRate All versions\r\nMaintained by W32Time. It contains reserved data\r\nthat's used by the Windows operating system, and any\r\nchanges to this setting can cause unpredictable results.\r\nThe default value for domain members is 155,860. The\r\ndefault value for stand-alone clients and servers is\r\n155,860.\r\nMaxNegPhaseCorrection All versions\r\nSpecifies the largest negative time correction, in\r\nseconds, that the service makes. If the service\r\ndetermines that a change larger than this value is\r\nrequired, it logs an event instead.\r\nThe value 0xFFFFFFFF is a special case. This value\r\nmeans that the service always corrects the time.\r\nThe default value for domain members is\r\n0xFFFFFFFF (hexadecimal). The default value for\r\ndomain controllers is 172,800 (48 hrs). The default\r\nvalue for stand-alone clients and servers is 54,000 (15\r\nhrs).\r\nMaxPollInterval All versions\r\nSpecifies the largest interval, in log base 2 seconds,\r\nallowed for the system polling interval. A system must\r\npoll according to the scheduled interval. A provider\r\ncan refuse to produce samples when requested to do\r\nso. The default value for domain controllers is 10. The\r\ndefault value for domain members is 15. The default\r\nvalue for stand-alone clients and servers is 15.\r\nMaxPosPhaseCorrection All versions Specifies the largest positive time correction in\r\nseconds that the service makes. If the service\r\ndetermines that a change larger than this value is\r\nrequired, it logs an event instead.\r\nThe value 0xFFFFFFFF is a special case. This value\r\nmeans that the service always corrects the time.\r\nThe default value for domain members is\r\n0xFFFFFFFF (hexadecimal). The default value for\r\ndomain controllers is 172,800 (48 hrs). The default\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 14 of 17\n\nRegistry entry Versions Description\r\nvalue for stand-alone clients and servers is 54,000 (15\r\nhrs).\r\nMinClockRate All versions\r\nMaintained by W32Time. It contains reserved data\r\nthat's used by the Windows operating system, and any\r\nchanges to this setting can cause unpredictable results.\r\nThe default value for domain members is 155,860. The\r\ndefault value for stand-alone clients and servers is\r\n155,860.\r\nMinPollInterval All versions\r\nSpecifies the smallest interval, in log base 2 seconds,\r\nallowed for the system polling interval. A system\r\ndoesn't request samples more frequently than this\r\nvalue. A provider can produce samples at times other\r\nthan the scheduled interval. The default value for\r\ndomain controllers is 6. The default value for domain\r\nmembers is 10. The default value for stand-alone\r\nclients and servers is 10.\r\nPhaseCorrectRate All versions\r\nControls the rate at which the phase error is corrected.\r\nSpecifying a small value corrects the phase error\r\nquickly but might cause the clock to become unstable.\r\nIf the value is too large, it takes a longer time to\r\ncorrect the phase error.\r\nThe default value on domain members is 1. The\r\ndefault value on stand-alone clients and servers is 7.\r\nZero isn't a valid value for the PhaseCorrectRate\r\nregistry entry.\r\nPollAdjustFactor All versions\r\nControls the decision to increase or decrease the poll\r\ninterval for the system. The larger the value, the\r\nsmaller the amount of error that causes the poll\r\ninterval to be decreased. The default value on domain\r\nmembers is 5. The default value on stand-alone clients\r\nand servers is 5.\r\nSpikeWatchPeriod All versions Specifies the amount of time that a suspicious offset\r\nmust persist before it's accepted as correct (in\r\nseconds). The default value on domain members is\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 15 of 17\n\nRegistry entry Versions Description\r\n900. The default value on stand-alone clients and\r\nworkstations is 900.\r\nTimeJumpAuditOffset All versions\r\nIndicates the time jump audit threshold, in seconds.\r\nThe offset is stored as an unsigned integer. If the time\r\nservice adjusts the local clock by setting the clock\r\ndirectly, and the time correction is more than this\r\nvalue, the time service logs an audit event.\r\nUpdateInterval All versions\r\nSpecifies the interval (in 10ms unit) between phase\r\ncorrection adjustments. A value of 0 has the same\r\neffect as 1. The default values are:\r\nDomain controllers: 100\r\nDomain members: 30,000\r\nStand-alone clients and servers: 360,000\r\nUtilizeSslTimeData\r\nWindows\r\nversions later\r\nthan Windows\r\n10 build 1511\r\nIndicates whether W32Time uses multiple SSL\r\ntimestamps to seed a clock that's grossly inaccurate. A\r\nvalue of 1 indicates multiple SSL timestamps are used.\r\nThe UtilizeSslTimeData registry value refers to the\r\nsecure time seeding feature. For more information, see\r\nSecure Time Seeding – improving time keeping in\r\nWindows.\r\nThe default out-of-box value for all Windows versions\r\nwith this feature is 1 except for Windows Server 2025,\r\nwhere the default value is 0. Domain membership\r\ndoesn't affect this setting.\r\nThe following registry entries aren't part of the W32Time default configuration, but you can add them to the\r\nregistry to obtain enhanced logging capabilities. You can modify the information that's logged to the system event\r\nlog by adjusting the EventLogFlags settings in the Group Policy Object Editor. By default, W32Time logs an\r\nevent every time that it switches to a new time source.\r\nTo enable enhanced W32Time logging, add the following registry entries into the\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Config path.\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 16 of 17\n\nEntry Versions Description\r\nFileLogEntries\r\nAll\r\nversions\r\nControls the number of entries created in the W32Time log file. The default\r\nvalue is none, which results in no logs of W32Time activity. Valid values are\r\n0 to 300. This value doesn't affect the event log entries that W32Time\r\nnormally creates.\r\nFileLogName\r\nAll\r\nversions\r\nControls the location and file name of the W32Time log. The default value is\r\nblank. It shouldn't be changed unless FileLogEntries is changed. A valid\r\nvalue is a full path and file name that W32Time uses to create the log file.\r\nThis value doesn't affect the event log entries that W32Time normally\r\ncreates.\r\nFileLogSize\r\nAll\r\nversions\r\nControls the circular logging behavior of W32Time log files. When\r\nFileLogEntries and FileLogName are defined, this value is also defined. It\r\ncontains the size in bytes that the log file can reach before it overwrites the\r\noldest log entries with new entries. Use 1,000,000 or a larger value for this\r\nsetting. This value doesn't affect the event log entries that W32Time normally\r\ncreates.\r\nRFC 1305 - Network Time Protocol, Version 3\r\nRFC 5905 - Network Time Protocol, Version 4\r\nSource: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nhttps://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings\r\nPage 17 of 17", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings" ], "report_names": [ "windows-time-service-tools-and-settings" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434884, "ts_updated_at": 1775792173, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7fa62a01c51e4432aa859798b263f553750dbac0.pdf", "text": "https://archive.orkl.eu/7fa62a01c51e4432aa859798b263f553750dbac0.txt", "img": "https://archive.orkl.eu/7fa62a01c51e4432aa859798b263f553750dbac0.jpg" } }