Windows XP system event log not updating
This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations.
This field is rapidly evolving and changing as technology marches forward.
On NT-family systems, which keep event logs, there are a couple of indicators of a system time change.
If Privilege Use auditing is enabled (and that is a big if, since it is rarely turned on), a Security log event 577 (Privileged Service Called) showing use of SeSystemtimePrivilege indicates a system time change.
Locate the approximate date and time of interest in any of your logs while the records are still in their native record-number order. The moment you sort by date or time, you lose that sequential capture, and with it the ability to see the clock jump.
If you see it on a live box, take a screenshot of it.
The problem with this article is that it talks about disk mirroring. Please note that Windows Server 2008 is mentioned specifically, which has a common code-base with Windows 7.
Therefore, the driver identifies the mirrored volume as an unsupported volume. However, this hotfix is intended to correct only the problem that is described in this article.
Double-clicking that entry shows its properties.
The detailed description is longer than fits in one screenshot, so I copied the contents into a Notepad window placed immediately to the left of the Event Properties window.
You can clearly see the description stating that "The system time was changed", and further down it lists the "Previous Time" and the "New Time".
Another indicator of a time change is the order of the records themselves. Event log records are written sequentially, so when a record's timestamp is earlier than the record written before it (the time suddenly drops back an hour, say), the clock was changed between the two writes. Rule out a daylight-saving transition before calling it tampering.
Event 6013 (source EventLog) is written once a day in the System log and reports how long the system has been up, in seconds. Subtracting that uptime from the record's own timestamp gives the boot time the clock implied at that moment; successive 6013 records from the same boot should agree, and if they do not, the clock was adjusted between them.
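Both checks above, the backwards timestamp between consecutively written records and the uptime cross-check on 6013 records, can be run over an exported log offline. The following is an added example, not code from the original page; it assumes the log has already been exported to a flat list of records (record number, time written, event ID, description), and the six sample records it runs on are constructed, not taken from a real machine.

```python
"""Detect a changed system clock from the records of a Windows event log.

Added example, not the page's own code.  Assumes the log has been exported to
Record objects; the SAMPLE list is constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Record:
    record_number: int   # sequential number assigned by the Event Log service
    written: datetime    # TimeWritten: the clock value when the record was stored
    event_id: int
    message: str


# Constructed sample records, listed in the order the log stores them.  Record
# 1005 carries a timestamp earlier than record 1004: the clock went back an hour.
SAMPLE = [
    Record(1001, datetime(2009, 3, 2, 8, 0, 0), 6005, "The Event log service was started."),
    Record(1002, datetime(2009, 3, 2, 8, 0, 5), 6009, "Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3."),
    Record(1003, datetime(2009, 3, 3, 8, 0, 0), 6013, "The system uptime is 86400 seconds."),
    Record(1004, datetime(2009, 3, 3, 9, 30, 0), 7036, "The Task Scheduler service entered the running state."),
    Record(1005, datetime(2009, 3, 3, 8, 31, 0), 7036, "The Print Spooler service entered the running state."),
    Record(1006, datetime(2009, 3, 4, 7, 0, 0), 6013, "The system uptime is 172800 seconds."),
]

UPTIME_RE = re.compile(r"uptime is (\d+) seconds")


def backward_jumps(records, tolerance=timedelta(seconds=5)):
    """Return (earlier_record, later_record, delta) wherever the clock went
    backwards between two consecutively written records.  Records are put in
    record-number order first, never timestamp order: sorting by time is
    exactly what hides the jump."""
    ordered = sorted(records, key=lambda r: r.record_number)
    jumps = []
    for prev, cur in zip(ordered, ordered[1:]):
        delta = cur.written - prev.written
        if delta < -tolerance:
            jumps.append((prev, cur, delta))
    return jumps


def implied_boot_times(records):
    """For each 6013 record return (boot_generation, record_number, boot_time),
    where boot_time = timestamp - reported uptime.  A 6005 (Event log service
    started) record marks a new boot, so 6013 records are only compared within
    the same generation."""
    result = []
    boot = 0
    for r in sorted(records, key=lambda r: r.record_number):
        if r.event_id == 6005:
            boot += 1
            continue
        if r.event_id != 6013:
            continue
        m = UPTIME_RE.search(r.message)
        if m:
            result.append((boot, r.record_number, r.written - timedelta(seconds=int(m.group(1)))))
    return result


def boot_time_discrepancies(records, tolerance=timedelta(minutes=1)):
    """Pairs of consecutive 6013 records from the same boot whose implied boot
    times disagree by more than tolerance, i.e. the clock was adjusted between
    them."""
    boots = implied_boot_times(records)
    return [(a, b) for a, b in zip(boots, boots[1:])
            if a[0] == b[0] and abs(b[2] - a[2]) > tolerance]


if __name__ == "__main__":
    for prev, cur, delta in backward_jumps(SAMPLE):
        print(f"record {cur.record_number} ({cur.written}) is {-delta} earlier than "
              f"record {prev.record_number} ({prev.written})")
    for (_, n1, t1), (_, n2, t2) in boot_time_discrepancies(SAMPLE):
        print(f"6013 record {n1} implies boot at {t1}; record {n2} implies {t2}")
```

On the sample, the first check flags records 1004 and 1005 (59 minutes backwards) and the second flags the two 6013 records, which imply boot times an hour apart even though no reboot occurred between them. A daylight-saving transition produces the same one-hour pattern, so confirm the time zone and DST rules of the machine before reporting either finding as a deliberate clock change.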