Results 1 to 5 of 5

Thread: What is messing with my time sync settings?

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Posts
    2

    What is messing with my time sync settings?

    (No idea if people here will answer this type of question, but I'm really worried about this and hoping someone can help.)

    I noticed that my computer's time was 10 min slow, tried to sync it, sync didn't work, tried to start Windows Time Service but couldn't, so I went investigating W32Time. I got it to work by changing it from peer mode to client mode, re-registering it and restarting it but then noticed that many registry values for W32Time did not match the published defaults. Any ideas why they wouldn't? Is this dangerous?

    My machine is running the latest updated version of XP.

    Here's my reference for defaults:

    http://technet.microsoft.com/en-us/l...mes_tools_uhlp

    -------------------
    Here's what I found, keys that don't match published defaults:

    SpikeWatchPeriod
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    The default value on domain members is 900. The default value on stand-alone clients and workstations is 900. (Mine is 90)

    EventLogFlags
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
    Default is 0x1 reachability changes (Mine is 0)

    InputProvider
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    Default it Yes 1 (Mine is 0)

    LargePhaseOffset
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    The default value on domain members is 50000000. The default value on stand-alone clients and servers is 50000000. (Mine is 1280000)

    LargeSampleSkew
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
    The default value on domain members is 3. (I don't have any value.)

    MaxClockRate
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    The default value for stand-alone clients and servers is 155860. (Mine is 156640.)

    NtpServer
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    Default is time.windows.com,0x1. I added an entry for time.nist.gov,0x8 that appears to be working. I'd like to remove the time.windows.com,0x1 entry.
    ----

    Also, there is no domain controller, and no group policy, but there are a bunch of additional registry flags that look like I there is, like:

    CrossSiteSyncFlags
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

    and a few others.

    Is this a security hole? Should I change these keys back to the defaults? Should I replace win32time.dll with a factory version? Most importantly, who or what is messing with my time services?

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi, and welcome to AO,

    If you are running XP it won't be a new machine, so my first solution would be to replace the CR2032 3v lithium button cell on your motherboard.

    Otherwise, I would point out that CMOS doesn't have a "real" clock..........it is a "click counter" and is nothing like as accurate as your quartz wristwatch. Given this, they do tend to get out of synch with real time.

    I wouldn't worry unless you see other problems. Just run chkdsk to check your files (don't bother with the surface scan unless you really want to)

    You might get EUSING's Registry Cleaner and run that (click the skip button on the popup and select the check for errors on the top left) let it fix what it finds as it automatically creates a Registry backup.......it is free for private use.

    http://www.eusing.com/

    There is other free software on the site

    Otherwise, if it ain't broke: don't fix it.

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Posts
    2

    why did time sync stop by itself?

    Hey, nihil, thanks for a quick and friendly response.

    I'm not so worried about the time being wrong--it was more that the time sync service couldn't be started, and I couldn't even run W32Time.exe. These seem like crucial services that shouldn't be stopping and starting themselves whenever, or outside of my control. That's what has me worried!

    Also, I do see other problems--every now and then, the screen flashes randomly (looks like an old school screen grab) and I get booted off of my chat server.
    Last edited by lindbergh; March 10th, 2011 at 04:28 PM. Reason: Adding more info

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi lindbergh,

    Some pretty strange things can happen if your CMOS battery runs down, so I think that it is best to eliminate that first.

    Then validate/repair your Windows file system using chkdsk.

    Then use a Registry repair/cleaning utility, that way you know that you should have a level playing field.

    Then you can look to see if you have any other problems.

    I'm not so worried about the time being wrong--it was more that the time sync service couldn't be started, and I couldn't even run W32Time.exe. These seem like crucial services that shouldn't be stopping and starting themselves whenever, or outside of my control. That's what has me worried!
    I can' say I am familiar with the inner workings of those services, but they may not work properly or at all if they find what they think is a defective CMOS RTC.

    I remember some of the software that was around to test Y2K compatibility. It would report a machine as non-compliant, when all it needed was a new battery! I "scored" several old machines as a result most surprising being an HP Vectra x286................that actually had a 4 digit date clock in it...........and a totally flat battery............I still have it and it still works for playing old DOS games.

    I suggest that we eliminate the obvious and progress from there?


  5. #5
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660
    you can also type into the command prompt:

    sfc /scannow

    This scans windows system files and replaces those which are not original/MS Signed. Run you standard set of malware/virus tools (trend housecall, spybot, malwarebytes etc) and if it comes up clean I wouldn't worry.

    You could also try to install the latest Daylight Savings patch which will have an impact on system files and registry keys. I also found this with a quick google search:

    Fix Time Sync (Clock Drifting) Reference

    Type into command prompt;

    net stop w32time
    w32tm /unregister [ignore error message]
    w32tm /unregister [enter a second time]
    w32tm /register
    reg add hklm\system\currentcontrolset\services\w32time\parameters\ /v
    NtpServer /t reg_sz /d time.nist.gov /f
    net start w32time
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

Similar Threads

  1. Spy Sweeper- OpenSite spyware???
    By al1aprize in forum Spyware / Adware
    Replies: 23
    Last Post: March 15th, 2004, 01:24 AM
  2. One Time Passwords Tutorial for SuSE Linux.
    By instronics in forum The Security Tutorials Forum
    Replies: 3
    Last Post: February 17th, 2003, 11:45 AM
  3. Security Policy
    By instronics in forum The Security Tutorials Forum
    Replies: 7
    Last Post: February 5th, 2003, 10:04 AM
  4. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 09:38 AM
  5. Batch File Tut
    By Badassatchu in forum Non-Security Archives
    Replies: 1
    Last Post: November 23rd, 2001, 11:13 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •