Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 520 - The system time was changed [Win 2003 / XP]
EventID 520 - The system time was changed [Win 2003 / XP]

Indicates that the computer's clock was successfuly changed.

It might have been synchronized with a time server on the Internet or an intranet, or a user might have manually set the system time. This message is logged for informational purposes only.
This event is not logged on Windows 2000.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2008
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: System Event
        Event ID:       520
        Date:           10/26/2009
        Time:           07:41:24
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        The system time was changed.
        Process ID:		3720
        Process Name:		C:\WINDOWS\system32\cmd.exe
        Primary User Name:	Alebovsky
        Primary Domain:		RESEARCH
        Primary Logon ID:		(0x0,0x59DF36)
        Client User Name:		Alebovsky
        Client Domain:		RESEARCH
        Client Logon ID:		(0x0,0x59DF36)
        Previous Time:		7:41:25 AM 10/26/2009
        New Time:		7:41:24 AM 10/26/2009
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Windows XP
Category System
Source Security
EventId 520
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Process ID ID of the process that changed the time InsertionString1 3720
Process Name Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP) InsertionString2 C:\WINDOWS\system32\cmd.exe
Primary User Name Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through control panel or the time command. InsertionString3 Alebovsky
Primary Domain Domain of the Primary User InsertionString4 RESEARCH
Primary Logon ID ID of the logon session of the user that changed the time. Useful for tracking other user activity during the same logon session. InsertionString5 (0x0,0x59DF36)
Client User Name Same as Primary User Name InsertionString6 Alebovsky
Client Domain Same as Primary Domain InsertionString7 RESEARCH
Client Logon ID Same as Primary Logon ID InsertionString8 (0x0,0x59DF36)
Previous Time The old time value just before it was changed "%10 %9" %10 %9
New Time The new time value right after it was changed "%12 %11" %12 %11
You must be logged in to comment