Event-o-Pedia EventID 520 - The system time was changed [Win 2003 / XP]

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 520 - The system time was changed [Win 2003 / XP]

EventID 520 - The system time was changed [Win 2003 / XP]

Indicates that the computer's clock was successfuly changed.

Note:
It might have been synchronized with a time server on the Internet or an intranet, or a user might have manually set the system time. This message is logged for informational purposes only.
This event is not logged on Windows 2000.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2008

EventID 4616 - The system time was changed

Sample:

        Event Type:     Success Audit
        Event Source:   Security
        Event Category: System Event
        Event ID:       520
        Date:           10/26/2009
        Time:           07:41:24
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        The system time was changed.
        Process ID:		3720
        Process Name:		C:\WINDOWS\system32\cmd.exe
        Primary User Name:	Alebovsky
        Primary Domain:		RESEARCH
        Primary Logon ID:		(0x0,0x59DF36)
        Client User Name:		Alebovsky
        Client Domain:		RESEARCH
        Client Logon ID:		(0x0,0x59DF36)
        Previous Time:		7:41:25 AM 10/26/2009
        New Time:		7:41:24 AM 10/26/2009

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows 2003 Windows XP
Category	System
Source	Security
EventId	520

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Category	A name for a subclass of events within the same Event Source.	Category	Logon/Logoff
Process ID	ID of the process that changed the time	InsertionString1	3720
Process Name	Path and name of the process that changed the time. Will usually be rundll32.exe (Control Panel), cmd.exe (Time command) or svchost (if the time was changed by the system in connection with the Windows time synchronization service or NTP)	InsertionString2	C:\WINDOWS\system32\cmd.exe
Primary User Name	Will correspond to local system if changed automatically; otherwise will identify the actual user if changed through control panel or the time command.	InsertionString3	Alebovsky
Primary Domain	Domain of the Primary User	InsertionString4	RESEARCH
Primary Logon ID	ID of the logon session of the user that changed the time. Useful for tracking other user activity during the same logon session.	InsertionString5	(0x0,0x59DF36)
Client User Name	Same as Primary User Name	InsertionString6	Alebovsky
Client Domain	Same as Primary Domain	InsertionString7	RESEARCH
Client Logon ID	Same as Primary Logon ID	InsertionString8	(0x0,0x59DF36)
Previous Time	The old time value just before it was changed	"%10 %9"	%10 %9
New Time	The new time value right after it was changed	"%12 %11"	%12 %11