System Time registry key


Gus Teng

If I want to know if the system time has been changed, when it has been
changed and how many times it has been changed, etc., where can I find the
registry that holds all this information? Thanks.
 
Not stored in the registry. Or anywhere else AFAIK.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| if I want to know if the system time has been changed, when it has been
| changed and how many time it has been changed, etc, where I can find the
| registry that hold all these informations? Thanks.
|
|
 
Hi Dave,
thanks. I saw in a TV reconstruction of a murder investigation in NZ where
the husband tampered with the system time to show that the computer was used
during the murder to confuse the investigator. The computer forensic
examiner was able to show that the system time was changed and reset to the
correct time later (but never said how, as this is their trade secret).
Something was mentioned about the system time changes being saved/logged
somewhere. Is it possible that a system time change is logged by the system?
Gus
 
| Hi Dave,
| thanks. I saw in a TV reconstruction of a murder investigation
| in NZ where the husband tampered with the system time to show
| that the computer was used during the murder to confuse the
| investigator. The computer forensic examiner was able to show
| that the system time was changed and reset to the correct time
| later (but never said how, as this is their trade secret).
| Something was mentioned about the system time changes being
| saved/logged somewhere. Is it possible that a system time change
| is logged by the system? Gus

That may be logged with aggressive auditing enabled perhaps. Not
certain. Suggest you look at auditing Privilege Use and System
Events as a start. And assuming NT5.x

But in theoretical terms, any account with authority to change the
system time might also be able to clear the audit logs... YMMV.
Since it appears the "husband" had full local access nearly
anything is possible...including forgetting to clear audited
events. <G>
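
An added example, not part of the thread: one way to check the Security log for the two things the last reply raises, a recorded system time change and a cleared audit log. It assumes a later Windows release than the NT5.x discussed above (Windows 7 / Server 2008 R2 or newer, where these are events 4616 and 1102), PowerShell 3.0 or later, an elevated prompt, and that auditing of Security State Change was enabled before the change happened. `$MinDeltaSeconds`, `ConvertTo-UtcTime` and the report column names are choices made for this example.

```powershell
# Added example, not from the thread. Assumes Windows 7 / Server 2008 R2 or later,
# an elevated prompt, and that "Audit Security State Change" was enabled beforehand.
param([int]$MinDeltaSeconds = 60)   # assumed threshold to hide routine clock-sync nudges

function ConvertTo-UtcTime([string]$Text) {
    # Event timestamps can carry 9 fractional digits; trim to the 7 that .NET stores.
    $trimmed = $Text -replace '(\.\d{7})\d+', '$1'
    [DateTimeOffset]::Parse($trimmed, [cultureinfo]::InvariantCulture).UtcDateTime
}

$records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616, 1102 } `
                        -ErrorAction SilentlyContinue

$report = foreach ($rec in $records) {
    if ($rec.Id -eq 1102) {
        # 1102 = "The audit log was cleared": time changes before this point are gone.
        [pscustomobject]@{ Logged = $rec.TimeCreated; Event = 'AuditLogCleared'
                           Account = $null; Process = $null
                           PreviousUtc = $null; NewUtc = $null; DeltaSeconds = $null }
        continue
    }
    # 4616 = "The system time was changed": read the named EventData fields.
    $data = @{}
    foreach ($d in ([xml]$rec.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    try {
        $prev = ConvertTo-UtcTime $data['PreviousTime']
        $new  = ConvertTo-UtcTime $data['NewTime']
    } catch { continue }   # skip records whose field layout differs (e.g. Vista)
    $delta = [math]::Round(($new - $prev).TotalSeconds, 1)
    if ([math]::Abs($delta) -lt $MinDeltaSeconds) { continue }
    [pscustomobject]@{ Logged = $rec.TimeCreated; Event = 'TimeChanged'
                       Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                       Process = $data['ProcessName']
                       PreviousUtc = $prev; NewUtc = $new; DeltaSeconds = $delta }
}

$report | Sort-Object Logged | Format-Table -AutoSize
```

A large negative `DeltaSeconds` followed later by a matching positive one is the set-back-then-restore pattern Gus describes; an `AuditLogCleared` row means earlier time changes can no longer be confirmed from this log.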
 