-
March 10th, 2011, 03:08 PM
#1
Junior Member
What is messing with my time sync settings?
(No idea if people here will answer this type of question, but I'm really worried about this and hoping someone can help.)
I noticed that my computer's time was 10 min slow, tried to sync it, sync didn't work, tried to start Windows Time Service but couldn't, so I went investigating W32Time. I got it to work by changing it from peer mode to client mode, re-registering it and restarting it but then noticed that many registry values for W32Time did not match the published defaults. Any ideas why they wouldn't? Is this dangerous?
My machine is running the latest updated version of XP.
Here's my reference for defaults:
http://technet.microsoft.com/en-us/l...mes_tools_uhlp
-------------------
Here's what I found, keys that don't match published defaults:
SpikeWatchPeriod
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
The default value on domain members is 900. The default value on stand-alone clients and workstations is 900. (Mine is 90)
EventLogFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Default is 0x1 reachability changes (Mine is 0)
InputProvider
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Default it Yes 1 (Mine is 0)
LargePhaseOffset
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
The default value on domain members is 50000000. The default value on stand-alone clients and servers is 50000000. (Mine is 1280000)
LargeSampleSkew
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
The default value on domain members is 3. (I don't have any value.)
MaxClockRate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
The default value for stand-alone clients and servers is 155860. (Mine is 156640.)
NtpServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Default is time.windows.com,0x1. I added an entry for time.nist.gov,0x8 that appears to be working. I'd like to remove the time.windows.com,0x1 entry.
----
Also, there is no domain controller, and no group policy, but there are a bunch of additional registry flags that look like I there is, like:
CrossSiteSyncFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
and a few others.
Is this a security hole? Should I change these keys back to the defaults? Should I replace win32time.dll with a factory version? Most importantly, who or what is messing with my time services?
-
March 10th, 2011, 03:30 PM
#2
Hi, and welcome to AO,
If you are running XP it won't be a new machine, so my first solution would be to replace the CR2032 3v lithium button cell on your motherboard.
Otherwise, I would point out that CMOS doesn't have a "real" clock..........it is a "click counter" and is nothing like as accurate as your quartz wristwatch. Given this, they do tend to get out of synch with real time.
I wouldn't worry unless you see other problems. Just run chkdsk to check your files (don't bother with the surface scan unless you really want to)
You might get EUSING's Registry Cleaner and run that (click the skip button on the popup and select the check for errors on the top left) let it fix what it finds as it automatically creates a Registry backup.......it is free for private use.
http://www.eusing.com/
There is other free software on the site
Otherwise, if it ain't broke: don't fix it.
-
March 10th, 2011, 04:25 PM
#3
Junior Member
why did time sync stop by itself?
Hey, nihil, thanks for a quick and friendly response.
I'm not so worried about the time being wrong--it was more that the time sync service couldn't be started, and I couldn't even run W32Time.exe. These seem like crucial services that shouldn't be stopping and starting themselves whenever, or outside of my control. That's what has me worried!
Also, I do see other problems--every now and then, the screen flashes randomly (looks like an old school screen grab) and I get booted off of my chat server.
Last edited by lindbergh; March 10th, 2011 at 04:28 PM.
Reason: Adding more info
-
March 10th, 2011, 04:53 PM
#4
Hi lindbergh,
Some pretty strange things can happen if your CMOS battery runs down, so I think that it is best to eliminate that first.
Then validate/repair your Windows file system using chkdsk.
Then use a Registry repair/cleaning utility, that way you know that you should have a level playing field.
Then you can look to see if you have any other problems.
I'm not so worried about the time being wrong--it was more that the time sync service couldn't be started, and I couldn't even run W32Time.exe. These seem like crucial services that shouldn't be stopping and starting themselves whenever, or outside of my control. That's what has me worried!
I can' say I am familiar with the inner workings of those services, but they may not work properly or at all if they find what they think is a defective CMOS RTC.
I remember some of the software that was around to test Y2K compatibility. It would report a machine as non-compliant, when all it needed was a new battery! I "scored" several old machines as a result most surprising being an HP Vectra x286................that actually had a 4 digit date clock in it...........and a totally flat battery............I still have it and it still works for playing old DOS games.
I suggest that we eliminate the obvious and progress from there?
-
March 12th, 2011, 07:25 PM
#5
you can also type into the command prompt:
sfc /scannow
This scans windows system files and replaces those which are not original/MS Signed. Run you standard set of malware/virus tools (trend housecall, spybot, malwarebytes etc) and if it comes up clean I wouldn't worry.
You could also try to install the latest Daylight Savings patch which will have an impact on system files and registry keys. I also found this with a quick google search:
Fix Time Sync (Clock Drifting) Reference
Type into command prompt;
net stop w32time
w32tm /unregister [ignore error message]
w32tm /unregister [enter a second time]
w32tm /register
reg add hklm\system\currentcontrolset\services\w32time\parameters\ /v
NtpServer /t reg_sz /d time.nist.gov /f
net start w32time
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
Similar Threads
-
By al1aprize in forum Spyware / Adware
Replies: 23
Last Post: March 15th, 2004, 01:24 AM
-
By instronics in forum The Security Tutorials Forum
Replies: 3
Last Post: February 17th, 2003, 11:45 AM
-
By instronics in forum The Security Tutorials Forum
Replies: 7
Last Post: February 5th, 2003, 10:04 AM
-
By Noble Hamlet in forum AntiOnline's General Chit Chat
Replies: 1100
Last Post: March 17th, 2002, 09:38 AM
-
By Badassatchu in forum Non-Security Archives
Replies: 1
Last Post: November 23rd, 2001, 11:13 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|