Get Windows From Registry

Another common Windows registry operation is the enumeration of the values under a given registry key. Windows provides the RegEnumValue API (bit.ly/2jB4kaV) for this purpose. Here, I’ll show how to use this API to get a list of the names and types of the values located under a given registry key, wrapping the enumeration process in a.

-->
  • Back up the Registry. To do so: Open the Registry Editor by typing regedit into Start and then clicking regedit. Click File in the top-left corner. In the drop-down menu. Enter a name for your Registry backup. Check the 'All' box on the left side of the window.
  • To Find Windows Version Number in Registry Editor 1 Press the Win + R keys to open Run, type regedit into Run, and click/tap on OK to open Registry Editor. 2 If prompted by UAC, click/tap on Yes. 3 In the left pane of Registry Editor, browse to the key below. (see screenshot below).

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10

The Windows Time service (W32Time) synchronizes the date and time for all computers managed by Active Directory Domain Services (AD DS). This article covers the different tools and settings used to manage the Windows Time service.

By default, a computer that is joined to a domain synchronizes time through a domain hierarchy of time sources. However, if a computer has been manually configured to synchronize from a specific time source, perhaps because it was formerly not joined to a domain, you can reconfigure the computer to begin automatically sourcing its time from the domain hierarchy.

Most domain-joined computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. An exception to this is the domain controller, which functions as the primary domain controller (PDC) emulator operations master for the root forest domain. The PDC emulator operations master in turn is usually configured to synchronize time with an external time source.

You can achieve down to one-millisecond time accuracy in your domain. For more information, see Support boundary for high-accuracy time and see Accurate Time for Windows Server 2016.

Caution

Don't use the Net time command to configure or set a computer's clock time when the Windows Time service is running.

Also, on older computers that run Windows XP or earlier, the Net time /querysntp command displays the name of a Network Time Protocol (NTP) server with which a computer is configured to synchronize, but that NTP server is used only when the computer's time client is configured as NTP or AllSync. This command has since been deprecated.

Network port

The Windows Time service follows the Network Time Protocol (NTP) specification, which requires the use of UDP port 123 for all time synchronization. Whenever the computer synchronizes its clock or provides time to another computer, it happens over UDP port 123. This port is exclusively reserved by the Windows Time service.

Note

If you have a computer with multiple network adapters (is multi-homed), you cannot enable the Windows Time service based on a network adapter.

Using W32tm.exe

You can use the command-line tool W32tm.exe to configure Windows Time service settings and to diagnose computer time problems. W32tm.exe is the preferred command-line tool for configuring, monitoring, and troubleshooting the Windows Time service. W32tm.exe is included with Windows XP and later and Windows Server 2003 and later.

Membership in the local Administrators group is required to run W32tm.exe locally, while membership in the Domain Admins group is required to run W32tm.exe remotely.

Run W32tm.exe

  1. In the Windows search bar, enter cmd.
  2. Right-click Command Prompt, then select Run as administrator.
  3. At the command prompt, enter w32tm followed by the applicable parameter, as described below:
ParameterDescription
/?Displays the W32tm command-line help
/registerRegisters the Windows Time service to run as a service and adds its default configuration information to the registry.
/unregisterUnregisters the Windows Time service and removes all of its configuration information from the registry.
/monitor [/domain:<domain name>] [/computers:<name>[,<name>[,<name>..]]] [/threads:<num>]Monitors the Windows Time service.

/domain: Specifies which domain to monitor. If no domain name is given, or neither the /domain nor /computers option is specified, the default domain is used. This option might be used more than once.

/computers: Monitors the given list of computers. Computer names are separated by commas, with no spaces. If a name is prefixed with a *, it is treated as a PDC. This option might be used more than once.

/threads: Specifies the number of computers to analyze simultaneously. The default value is 3. The allowed range is 1-50.

/ntte <NT time epoch>Converts a Windows NT system time (measured in 10-7-second intervals starting from 0h 1-Jan 1601) into a readable format.
/ntpte <NTP time epoch>Converts an NTP time (measured in 2-32-second intervals starting from 0h 1-Jan 1900) into a readable format.
/resync [/computer:<computer>] [/nowait] [/rediscover] [/soft]Tells a computer that it should resynchronize its clock as soon as possible, throwing out all accumulated error statistics.

/computer:<computer>: Specifies the computer that should resynchronize. If not specified, the local computer will resynchronize.

/nowait: do not wait for resynchronization to occur; return immediately. Otherwise, wait for resynchronization to complete before returning.

/rediscover: Redetects the network configuration and rediscovers network sources, then resynchronizes.

/soft: Resynchronizes by using existing error statistics. This is used for compatibility purposes.

/stripchart /computer:<target> [/period:<refresh>] [/dataonly] [/samples:<count>] [/rdtsc]Displays a strip chart of the offset between this computer and another computer.

/computer:<target>: The computer to measure the offset against.

/period:<refresh>: The time between samples, in seconds. The default is 2 seconds.

/dataonly: Displays the data only, without graphics.

/samples:<count>: Collects <count> samples, then stops. If not specified, samples will be collected until Ctrl+C is pressed.
/rdtsc: For each sample, this option prints comma-separated values along with the headers RdtscStart, RdtscEnd, FileTime, RoundtripDelay, and NtpOffset instead of the text graphic.

  • RdtscStart: RDTSC (Read Time Stamp Counter) value collected just before the NTP request was generated.
  • RdtscEnd: RDTSC value collected just after the NTP response was received and processed.
  • FileTime: Local FILETIME value used in the NTP request.
  • RoundtripDelay: Time elapsed in seconds between generating the NTP request and processing the received NTP response, computed as per NTP roundtrip computations.
  • NTPOffset: Time offset in seconds between the local computer and the NTP server, computed as per NTP offset computations.
/config [/computer:<target>] [/update] [/manualpeerlist:<peers>] [/syncfromflags:<source>] [/LocalClockDispersion:<seconds>] [/reliable:(YES|NO)] [/largephaseoffset:<milliseconds>]**/computer:<target>: Adjusts the configuration of <target>. If not specified, the default is the local computer.

/update: Notifies the Windows Time service that the configuration has changed, causing the changes to take effect.

/manualpeerlist:<peers>: Sets the manual peer list to <peers>, which is a space-delimited list of DNS or IP addresses. When specifying multiple peers, this option must be enclosed in quotes.

/syncfromflags:<source>: Sets what sources the NTP client should synchronize from. <source> should be a comma-separated list of these keywords (not case sensitive):

  • MANUAL: Include peers from the manual peer list.
  • DOMHIER: Synchronize from a domain controller (DC) in the domain hierarchy.
/LocalClockDispersion:<seconds>: Configures the accuracy of the internal clock that W32Time will assume when it can't acquire time from its configured sources.

/reliable:(YES|NO): Set whether this computer is a reliable time source. This setting is only meaningful on domain controllers.

  • YES: This computer is a reliable time service.
  • NO: This computer is not a reliable time service.
/largephaseoffset:<milliseconds>: sets the time difference between local and network time that W32Time will consider a spike.
/tzDisplays the current time zone settings.
/dumpreg [/subkey:<key>] [/computer:<target>]Displays the values associated with a given registry key.

The default key is HKLMSystemCurrentControlSetServicesW32Time (the root key for the Windows Time service).

/subkey:<key>: Displays the values associated with subkey of the default key.

/computer:<target>: Queries registry settings for computer <target>

/query [/computer:<target>] {/source | /configuration | /peers | /status} [/verbose]Displays the computer's Windows Time service information. This parameter was first made available for the Windows Time client in Windows Vista and Windows Server 2008.

/computer:<target>: Queries the information of <target>. If not specified, the default value is the local computer.

/source: Displays the time source.

/configuration: Displays the configuration of run time and where the setting comes from. In verbose mode, display the undefined or unused setting too.

/peers: Displays a list of peers and their status.

/status: Displays Windows Time service status.

/verbose: Sets the verbose mode to display more information.

/debug {/disable | {/enable /file:<name> /size:/<bytes> /entries:<value> [/truncate]}}Enables or disables the local computer Windows Time service private log. This parameter was first made available for the Windows Time client in Windows Vista and Windows Server 2008.

/disable: Disables the private log.

/enable: Enables the private log.

  • file:<name>: Specifies the absolute file name.
  • size:<bytes>: Specifies the maximum size for circular logging.
  • entries:<value>: Contains a list of flags, specified by number and separated by commas, that specify the types of information that should be logged. Valid values are 0 to 300. A range of numbers is valid, in addition to single numbers, such as 0-100,103,106. Value 0-300 is for logging all information.
/truncate: Truncate the file if it exists.

Set client to use two time servers

To set a client computer to point to two different time servers, one named ntpserver.contoso.com and another named clock.adatum.com, type the following command at the command prompt, and then press ENTER:

Set client to sync time automatically from a domain source

To configure a client computer that is currently synchronizing time using a manually-specified computer to synchronize time automatically from the AD domain hierarchy, run the following following:

Check client time configuration

To check a client configuration from a Windows-based client computer that has a host name of contosoW1, run the following command:

The output of this command displays a list of W32time configuration parameters that are set for the client.

Important

Windows Server 2016 has improved the time synchronization algorithms to align with RFC specifications. Therefore, if you want to set the local time client to point to multiple peers, we recommended that you prepare three or more different time servers.

If you have only two time servers, you should specify the NtpserverUseAsFallbackOnly flag (0x2)to de-prioritize one of them. For example, if you want to prioritize ntpserver.contoso.com over clock.adatum.com, run the following command.

Additionally, you can run the following command and read the value of NtpServer in the output:

Configure computer clock reset

In order for W32tm.exe to reset a computer clock, it first checks the offset (CurrentTimeOffset, also known as Phase Offset) between the current time and the computer clock time to determine whether the offset is less than the MaxAllowedPhaseOffset value.

  • CurrentTimeOffset < MaxAllowedPhaseOffset: Adjust the computer clock gradually by using the clock rate.
  • CurrentTimeOffsetMaxAllowedPhaseOffset: Set the computer clock immediately.

Then, to adjust the computer clock by using the clock rate, W32tm.exe calculates a PhaseCorrection value. This algorithm varies depending on the version of Windows:

  • Windows Server 2016 and later versions:

    PhaseCorrection_raw = |CurrentTimeOffset| ÷ (16 × PhaseCorrectRate × pollIntervalInSeconds)
    MaximumCorrection = |CurrentTimeOffset| ÷ (UpdateInterval × 1,000 × 10,000)
    PhaseCorrection = min(PhaseCorrection_raw, MaximumCorrection)

  • Windows Server 2012 R2 and earlier versions:

    PhaseCorrection = |CurrentTimeOffset| ÷ (PhaseCorrectRate × UpdateInterval)

All versions of Windows use the same final equation to check PhaseCorrection:

PhaseCorrectionSystemClockRate ÷ 2

Note

  • These equations use PhaseCorrectRate, UpdateInterval, MaxAllowedPhaseOffset, and SystemClockRate measured in units of clock ticks. On Windows systems, 1 ms = 10,000 clock ticks.

  • MaxAllowedPhaseOffset is configurable in the registry. However, the registry parameter is measured in seconds instead of clock ticks.

  • To see the SystemClockRate and pollIntervalInSeconds values (measured in seconds), open a Command Prompt window and then run W32tm /query /status /verbose. This command produces output that resembles the following.
    The output presents the poll interval in both clock ticks and in seconds. The equations use the value measured in seconds (the value in parentheses).
    The output presents the clock rate in seconds. To see the SystemClockRate value in clock ticks, use the following formula:

    (value in seconds) × 1,000 × 10,000

    For example, if SystemClockRate is 0.0156250 seconds, the value that the equation uses is 156,250 clock ticks.For full descriptions of the configurable parameters and their default values, see Config entries later in this article.

The following examples show how to apply these calculations for Windows Server 2012 R2 and earlier versions.

Example: System clock rate off by four minutes

Your computer clock time is 11:05 and the actual current time is 11:09:

PhaseCorrectRate = 1

UpdateInterval = 30,000 clock ticks

SystemClockRate = 156,000 clock ticks

MaxAllowedPhaseOffset = 10 min = 600 seconds = 600 × 1,000 × 10,000 = 6,000,000,000 clock ticks

|CurrentTimeOffset| = 4 min = 4 × 60 × 1,000 × 10,000 = 2,400,000,000 clock ticks

Is CurrentTimeOffsetMaxAllowedPhaseOffset?

2,400,000,000 ≤ 6,000,000,000: TRUE

AND does it satisfy the following equation?

(|CurrentTimeOffset| ÷ (PhaseCorrectRate × UpdateInterval) ≤ SystemClockRate ÷ 2)

Is 2,400,000,000 / (30,000 × 1) ≤ 156,000 ÷ 2

80,000 ≤ 78,000: FALSE

Therefore, W32tm.exe would set the clock back immediately.

Note

In this case, if you want to set the clock back slowly, you would also have to adjust the values of PhaseCorrectRate or UpdateInterval in the registry to make sure that the equation result is TRUE.

Example: System clock rate off by three minutes

Your computer clock time is 11:05 and the actual current time is 11:08:

PhaseCorrectRate = 1

UpdateInterval = 30,000 clock ticks

SystemClockRate = 156,000 clock ticks

MaxAllowedPhaseOffset = 10 min = 600 seconds = 600 × 1,000 × 10,000 = 6,000,000,000 clock ticks

|CurrentTimeOffset| = 3 mins = 3 × 60 × 1,000 × 10,000 = 1,800,000,000 clock ticks

Is CurrentTimeOffsetMaxAllowedPhaseOffset?

1,800,000,000 ≤ 6,000,000,000: TRUE

AND does it satisfy the following equation?

(|CurrentTimeOffset| ÷ (PhaseCorrectRate × UpdateInterval) ≤ SystemClockRate ÷ 2)

Is 3 mins × (1,800,000,000) ÷ (30,000 × 1) ≤ 156,000 ÷ 2

Is 60,000 ≤ 78,000: TRUE

In this case, the clock will be set back slowly.

Using Local Group Policy Editor

The Windows Time service stores a number of configuration properties as registry entries. You can use Group Policy Objects (GPOs) in Local Group Policy Editor to configure most of this information. For example, you can use GPOs to configure a computer to be an NTPServer or NTPClient, configure the time synchronization mechanism, or configure a computer to be a reliable time source.

Note

Group Policy settings for the Windows Time service can be applied on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 domain controllers and can be applied to computers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.

Windows stores the Windows Time service policy information in the Local Group Policy Editor under Computer ConfigurationAdministrative TemplatesSystemWindows Time Service. It stores configuration information that the policies define in the Windows registry, and then uses those registry entries to configure the registry entries specific to the Windows Time service. As a result, the values defined by Group Policy overwrite any pre-existing values in the Windows Time service section of the registry. Some of the preset GPO settings differ from the corresponding default Windows Time service registry entries.

For example, suppose you edit policy settings in the Time ProvidersConfigure Windows NTP Client policy. Windows loads these settings into the policy area of the registry under the following subkey:

Get Windows Version From Registry

HKLMSoftwarePoliciesMicrosoftW32timeTimeProvidersNtpClient

Then Windows uses the policy settings to configure the related Windows Time service registry entries under the following subkey: Bluestacks 1 yukle.

HKLMSYSTEMCurrentControlSetServicesW32TimeTime ProvidersNTPClient

The following table lists the policies that you can configure for the Windows Time service, and the registry subkeys that those policies affect.

Note

When you remove a Group Policy setting, Windows removes the corresponding entry from the policy area of the registry.

Group Policy1Registry locations2,3
Global Configuration SettingsW32Time
W32TimeConfig
W32TimeParameters
Time ProvidersConfigure Windows NTP ClientW32TimeTimeProvidersNtpClient
Time ProvidersEnable Windows NTP ClientW32TimeTimeProvidersNtpClient
Time ProvidersEnable Windows NTP ServerW32TimeTimeProvidersNtpServer

1Category path: Computer ConfigurationAdministrative TemplatesSystemWindows Time Service
2 Subkey: HKLMSOFTWAREPoliciesMicrosoft
3 Subkey: HKLMSYSTEMCurrentControlSetServices

Windows registry reference

Warning

This information is provided as a reference for use in troubleshooting and validation. Windows registry keys are used by W32Time to store critical information. Don't change these values. Modifications to the registry are not validated by the registry editor or by Windows before they are applied. If the registry contains invalid values, Windows may experience unrecoverable errors.

The Windows Time service stores information in the registry at the HKLMSYSTEMCurrentControlSetServicesW32Time path under the following subkeys:

In the following tables, 'All versions' refers to Windows 7, Windows 8, Windows 10, Windows Server 2008 and Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.

Note

Some of the parameters in the registry are measured in clock ticks and some are measured in seconds. To convert the time from clock ticks to seconds, use these conversion factors:

  • 1 minute = 60 sec
  • 1 sec = 1000 ms
  • 1 ms = 10,000 clock ticks on a Windows system, as described at DateTime.Ticks Property.

For example, 5 minutes becomes 5 × 60 × 1000 × 10000 = 3,000,000,000 clock ticks.

Config entries

The Config subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeConfig.

Registry entryVersionsDescription
AnnounceFlagsAll versionsControls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server.
  • 0x00. Not a time server
  • 0x01. Always time server
  • 0x02. Automatic time server
  • 0x04. Always-reliable time server
  • 0x08. Automatic reliable time server

The default value for domain members is 10. The default value for stand-alone clients and servers is 10.
ChainDisableControls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), a read-only domain controller (RODC) can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. This is a boolean setting, and the default value is 0.
ChainEntryTimeoutSpecifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. The default value is 16 (seconds).
ChainLoggingRateControls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. The default is 30 (minutes).
ChainMaxEntriesControls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. The default value is 128 (entries).
ChainMaxHostEntriesControls the maximum number of entries that are allowed in the chaining table for a particular host. The default value is 4 (entries).
ClockAdjustmentAuditLimitWindows Server 2016 Version 1709 and later versions; Windows 10 Version 1709 and later versionsSpecifies the smallest local clock adjustments that may be logged to the W32time service event log on the target computer. The default value is 800 (parts per million - PPM).
ClockHoldoverPeriodWindows Server 2016 Version 1709 and later versions; Windows 10 Version 1709 and later versionsIndicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7,800 seconds.
EventLogFlagsAll versionsControls which events that the time service logs.
  • 0x1. Time jump
  • 0x2. Source change
The default value on domain members is 2. The default value on stand-alone clients and servers is 2.
FrequencyCorrectRateAll versionsControls the rate at which the clock is corrected. If this value is too small, the clock is unstable and overcorrects. If the value is too large, the clock takes a long time to synchronize. The default value on domain members is 4. The default value on stand-alone clients and servers is 4.

Note
Zero is not a valid value for the FrequencyCorrectRate registry entry. On Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 , and Windows Server 2008 R2 computers, if the value is set to 0, the Windows Time service automatically changes it to 1.

HoldPeriodAll versionsControls the period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly. A spike is a time sample indicating that time is off a number of seconds, and is usually received after good time samples have been returned consistently. The default value on domain members is 5. The default value on stand-alone clients and servers is 5.
LargePhaseOffsetAll versionsSpecifies that a time offset greater than or equal to this value in 10-7 seconds is considered a spike. A network disruption such as a large amount of traffic might cause a spike. A spike will be ignored unless it persists for a long period of time. The default value on domain members is 50000000. The default value on stand-alone clients and servers is 50000000.
LastClockRateAll versionsMaintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is 156250. The default value on stand-alone clients and servers is 156250.
LocalClockDispersionAll versionsControls the dispersion (in seconds) that you must assume when the only time source is the built-in CMOS clock. The default value on domain members is 10. The default value on stand-alone clients and servers is 10.
MaxAllowedPhaseOffsetAll versionsSpecifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.
MaxClockRateAll versionsMaintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860.
MaxNegPhaseCorrectionAll versionsSpecifies the largest negative time correction, in seconds, that the service makes. If the service determines that a change larger than this is required, it logs an event instead.

Note
The value 0xFFFFFFFF is a special case. This value means that the service always corrects the time.

The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs).

MaxPollIntervalAll versionsSpecifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15.
MaxPosPhaseCorrectionAll versionsSpecifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead.

Note
The value 0xFFFFFFFF is a special case. This value means that the service always corrects the time.

The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs).

MinClockRateAll versionsMaintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860.
MinPollIntervalAll versionsSpecifies the smallest interval, in log base 2 seconds, allowed for the system polling interval. Note that while a system does not request samples more frequently than this, a provider can produce samples at times other than the scheduled interval. The default value for domain controllers is 6. The default value for domain members is 10. The default value for stand-alone clients and servers is 10.
PhaseCorrectRateAll versionsControls the rate at which the phase error is corrected. Specifying a small value corrects the phase error quickly, but might cause the clock to become unstable. If the value is too large, it takes a longer time to correct the phase error.

The default value on domain members is 1. The default value on stand-alone clients and servers is 7.

Note
Zero is not a valid value for the PhaseCorrectRate registry entry. On Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 computers, if the value is set to 0, the Windows Time service automatically changes it to 1.

PollAdjustFactorAll versionsControls the decision to increase or decrease the poll interval for the system. The larger the value, the smaller the amount of error that causes the poll interval to be decreased. The default value on domain members is 5. The default value on stand-alone clients and servers is 5.
RequireSecureTimeSyncRequestsWindows 8 and later versionsControls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. This is a boolean setting, and the default value is 0.
SpikeWatchPeriodAll versionsSpecifies the amount of time that a suspicious offset must persist before it is accepted as correct (in seconds). The default value on domain members is 900. The default value on stand-alone clients and workstations is 900.
TimeJumpAuditOffsetAll versionsAn unsigned integer that indicates the time jump audit threshold, in seconds. If the time service adjusts the local clock by setting the clock directly, and the time correction is more than this value, then the time service logs an audit event.
UpdateIntervalAll versionsSpecifies the number of clock ticks between phase correction adjustments. The default value for domain controllers is 100. The default value for domain members is 30,000. The default value for stand-alone clients and servers is 360,000.

Note
Zero is not a valid value for the UpdateInterval registry entry. On computers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2, if the value is set to 0, the Windows Time service automatically changes it to 1.

UtilizeSslTimeDataWindows versions later than Windows 10 build 1511Value of 1 indicates that W32Time uses multiple SSL timestamps to seed a clock that is grossly inaccurate.

Parameters entries

The Parameters subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeParameters.

Registry entryVersionsDescription
AllowNonstandardModeCombinationsAll versionsIndicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1.
NtpServerAll versionsSpecifies a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Each DNS name or IP address listed must be unique. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock.
  • 0x01 SpecialInterval
  • 0x02 UseAsFallbackOnly
  • 0x04 SymmetricActive: For more information about this mode, see Windows Time Server.
  • 0x08 Client

There is no default value for this registry entry on domain members. The default value on stand-alone clients and servers is time.windows.com,0x1.
ServiceDllAll versionsMaintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll.
ServiceMainAll versionsMaintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is SvchostEntry_W32Time. The default value on stand-alone clients and servers is SvchostEntry_W32Time.
TypeAll versionsIndicates which peers to accept synchronization from:
  • NoSync. The time service does not synchronize with other sources.
  • NTP. The time service synchronizes from the servers specified in the NtpServer. registry entry.
  • NT5DS. The time service synchronizes from the domain hierarchy.
  • AllSync. The time service uses all the available synchronization mechanisms.
The default value on domain members is NT5DS. The default value on stand-alone clients and servers is NTP.

NtpClient entries

The NtpClient subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpClient

Registry entryVersionDescription
AllowNonstandardModeCombinationsAll versionsIndicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1.
CompatibilityFlagsAll versionsSpecifies the following compatibility flags and values:
  • 0x00000001 - DispersionInvalid
  • 0x00000002 - IgnoreFutureRefTimeStamp
  • 0x80000000 - AutodetectWin2K
  • 0x40000000 - AutodetectWin2KStage2
The default value for domain members is 0x80000000. The default value for stand-alone clients and servers is 0x80000000.
CrossSiteSyncFlagsAll versionsDetermines whether the service chooses synchronization partners outside the domain of the computer. The options and values are:
  • 0 - None
  • 1 - PdcOnly
  • 2 - All
This value is ignored if the NT5DS value is not set. The default value for domain members is 2. The default value for stand-alone clients and servers is 2.
DllNameAll versionsSpecifies the location of the DLL for the time provider.

The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll.

EnabledAll versionsIndicates if the NtpClient provider is enabled in the current Time Service.
  • 1 - Yes
  • 0 - No
The default value on domain members is 1. The default value on stand-alone clients and servers is 1.
EventLogFlagsAll versionsSpecifies the events logged by the Windows Time service.
  • 0x1 - Reachability changes
  • 0x2 - Large sample skew (This is applicable to Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 only)
The default value on domain members is 0x1. The default value on stand-alone clients and servers is 0x1.
InputProviderAll versionsIndicates whether to enable the NtpClient as an InputProvider, which obtains time information from the NtpServer. The NtpServer is a time server that responds to client time requests on the network by returning time samples that are useful for synchronizing the local clock.
  • 1 - Yes
  • 0 - No
Default value for both domain members and stand-alone clients is 1.
LargeSampleSkewAll versionsSpecifies the large sample skew for logging, in seconds. To comply with Security and Exchange Commission (SEC) specifications, this should be set to three seconds. Events will be logged for this setting only when EventLogFlags is explicitly configured for 0x2 large sample skew. The default value on domain members is 3. The default value on stand-alone clients and servers is 3.
ResolvePeerBackOffMaxTimesAll versionsSpecifies the maximum number of times to double the wait interval when repeated attempts to locate a peer to synchronize with fail. A value of zero means that the wait interval is always the minimum. The default value on domain members is 7. The default value on stand-alone clients and servers is 7.
ResolvePeerBackoffMinutesAll versionsSpecifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. The default value on domain members is 15. The default value on stand-alone clients and servers is 15.
SpecialPollIntervalAll versionsSpecifies the special poll interval, in seconds, for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.
New for build 1703, SpecialPollInterval is contained by the MinPollInterval and MaxPollInterval Config registry values.
SpecialPollTimeRemainingAll versionsMaintained by W32Time. It contains reserved data that is used by the Windows operating system. It specifies the time, in seconds, before W32Time will resynchronize after the computer has restarted. Any changes to this setting can cause unpredictable results. The default value on both domain members and on stand-alone clients and servers is left blank.

NtpServer entries

The NtpClient subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpServer.

Registry EntryVersionsDescription
AllowNonstandardModeCombinationsAll versionsIndicates that non-standard mode combinations are allowed in synchronization between clients and servers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1.
DllNameAll versionsSpecifies the location of the DLL for the time provider. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll.
EnabledAll versionsIndicates if the NtpServer provider is enabled in the current Time Service.
  • 1 - Yes
  • 0 - No
The default value on domain members is 1. The default value on stand-alone clients and servers is 1.
InputProviderAll versionsIndicates whether to enable the NtpClient as an InputProvider, which obtains time information from the NtpServer. The NtpServer is a time server that responds to client time requests on the network by returning time samples that are useful for synchronizing the local clock.
  • 1 - Yes
  • 0 - No = 0
Default value for both domain members and stand-alone clients: 1

Enhanced logging

The following registry entries are not a part of the W32Time default configuration but can be added to the registry to obtain enhanced logging capabilities. The information logged to the System Event log can be modified by changing values for the EventLogFlags setting in the Group Policy Object Editor. By default, the Windows Time service logs an event every time that it switches to a new time source.

In order to enable W32Time logging, add the following registry entries:

Get the windows key from registry
EntryVersionsDescription
FileLogEntriesAll versionsControls the number of entries created in the Windows Time log file. The default value is none, which does not log any Windows Time activity. Valid values are 0 to 300. This value does not affect the event log entries normally created by Windows Time
FileLogNameAll versionsControls the location and file name of the Windows Time log. The default value is blank, and should not be changed unless FileLogEntries is changed. A valid value is a full path and file name that Windows Time will use to create the log file. This value does not affect the event log entries normally created by Windows Time.
FileLogSizeAll versionsControls the circular logging behavior of Windows Time log files. When FileLogEntries and FileLogName are defined, defines the size, in bytes, to allow the log file to reach before overwriting the oldest log entries with new entries. Please use 1000000 or larger value for this setting. This value does not affect the event log entries normally created by Windows Time.

Group Policy Object settings

Group Policy settings are contained in the Global Configuration Settings and the Windows NTP Client Settings GPOs.

Global Configuration Settings

These are the global Group Policy settings and default values for the Windows Time service. These settings are contained in the Global Configuration Settings GPO in Local Policy Editor.

Group Policy settingDefault value
AnnounceFlags10
EventLogFlags2
FrequencyCorrectRate4
HoldPeriod5
LargePhaseOffset1,280,000
LocalClockDispersion10
MaxAllowedPhaseOffset300
MaxNegPhaseCorrection54,000 (15 hours)
MaxPollInterval15
MaxPosPhaseCorrection54,000 (15 hours)
MinPollInterval10
PhaseCorrectRate7
PollAdjustFactor5
SpikeWatchPeriod90
UpdateInterval100

Windows NTP Client settings

These are the Windows NTP client settings and default values for the Windows Time service. These settings are contained in the Configure Windows NTP Client GPO in Local Group Policy Editor.

Group Policy settingDefault value
NtpServertime.windows.com, 0x1
TypeNTP - Use for non-domain-joined computers
NT5DS - Use for domain-joined computers
CrossSiteSyncFlags2
ResolvePeerBackoffMinutes15
ResolvePeerBackoffMaxTimes7
SpecialPollInterval3,600
EventLogFlags0

Related information

See RFC 1305 - Network Time Protocol of the Internet Engineering Task Force (IETF).

Starting from its first version, PowerShell offers an administrator an extensive set of tools to interact with Windows system registry. If necessary, all typical operations with the registry can be performed not in the good old Regedit interface, or reg.exe, but in PowerShell command prompt. In different scripts and scenarios it is indispensable. In this article, we’ll consider how to create, edit or delete keys and parameters of Windows registry, search something or connect to the registry on a remote computer using PowerShell.

Registry Navigation Using PowerShell

Working with the registry in PowerShell is similar to working with common files on a local disk.

Display the list of available drives:

get-psdrive

As you can see, the built-in provider allows to get access to the contents of two branches of the registry: HKEY_CURRENT_USER (HKCU) and HKEY_LOCAL_MACHINE (HKLM). The branches of the registry are addressed like drives (HKLM: and HKCU:). For example, to go to the root of HKLM, run this command:

cd HKLM:

You can go to the specific branch of the registry (for example, to the one responsible for the settings of automatic driver updates) using Set-Location command (alias — sl)

Set-Location -Path HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDriverSearching

Display the contents of the key:

dir

Or

Get-ChildItem

Get Windows Product Key From Registry

Open the same branch in the Registry Editor. As you can see, the command has displayed only the information about the subkeys, not the parameters of the current branch.

The matter is that, from PowerShell point of view, a registry branch (a key) is a file analog, and the parameters stored in this registry key are the properties of this file.

So, to get the parameters of this branch, use Get-Item cmdlet:

Get-Item .
Or
Get-Item -Path HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDriverSearching

As you can see, DriverSearching key has only one parameter – SearchOrderConfig with its value equal to 0.

To address the specific key parameter, Get-ItemProperty cmdlet is used. For example, assign the contents of the branch to variable and get the value of the parameter:

$DriverUpdate = Get-ItemProperty –Path ‘HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDriverSearching’
$DriverUpdate.SearchOrderConfig

We have got that the value of SearchOrderConfig parameter is equal to 1.

How to Change the Registry Value

To change the value of SearchOrderConfig parameter, use Set-ItemProperty cmdlet:

Set-ItemProperty -Path 'HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDriverSearching' -Name SearchOrderConfig -Value 0

How to Create a New Register Key or Parameter

To add a new registry key, use New-Item command. Create a new key with the name NewKey:

$HKCU_Desktop= 'HKCU:Control PanelDesktop'
New-Item –Path $HKCU_Desktop –Name NewKey

Add a new string parameter with the name SuperParamString and the value file_name.txt for the created key:

New-ItemProperty -Path $HKCU_DesktopNewKey -Name 'SuperParamString' -Value ”file_name.txt” -PropertyType 'String'

Make sure that the new key and parameter have appeared in the registry.

Deleting a Registry Key or Parameter

Remove the parameter SuperParamString created earlier:

$HKCU_Desktop= 'HKCU:Control PanelDesktop'
Remove-ItemProperty –Path $HKCU_DesktopNewKey –Name 'SuperParamString'

Then delete the entire branch:

Remove-Item –Path $HKCU_DesktopNewKey –Recurse

Note. –Recurse key shows that all subkeys have to be removed recursively without confirmation.

To remove all items in the branch, but not the branch itself, the command looks like this:

Remove-Item –Path $HKCU_DesktopNewKey* –Recurse

How to Rename a Key or a Parameter

To rename the parameter use this command:

Rename-ItemProperty –path ‘HKCU:Control PanelDesktopNewKey’ –name 'SuperParamString' –newname “OldParamString”

In the same way, you can rename the registry key:

Rename-Item -path 'HKCU:Control PanelDesktopNewKey' OldKey

Search the Registry Using PowerShell

PowerShell allows you to search registry. The next script searches the HKCU:Control PanelDesktop the parameters, whose names contain the *dpi* key.

$Path = (Get-ItemProperty ‘HKCU:Control PanelDesktop’)
$Path.PSObject.Properties | ForEach-Object {
If($_.Name -like '*dpi*'){
Write-Host $_.Name ' = ' $_.Value
}
}

Remote Access to the Registry Using PowerShell

PowerShell allows you to access the registry from of a remote computer. You can connect to a remote computer either using WinRM (Invoke-Command or Enter-PSSession):

Invoke-Command –ComputerName srv-fs1 –ScriptBlock { Get-ItemProperty -Path 'HKLM:SystemSetup' -Name WorkingDirectory}

Or using remote registry connection (RemoteRegistry must be enabled)

$Server = 'lon-fs1'
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
$RegKey= $Reg.OpenSubKey('SystemSetup')
$RegValue = $RegKey.GetValue('WorkingDirectory')

Tip. If you have to create/modify a certain registry parameter on a number of domain computers, it easier to use GPO features.

So, we looked at typical examples of using PowerShell to interract with the Windows registry.

Managing Saved Passwords Using Windows Credential Manager

August 9, 2021

Get Windows 7 Key From Registry

Kill a Windows Service That Stucks on Stopping..

August 5, 2021

How to Repair and Reinstall Microsoft Store on..

August 4, 2021

Changing Time Zone Settings in Windows via CMD,..

August 4, 2021

Get Windows Password From Registry

Hyper-V: Enabling Routing Between Internal Networks (Subnets)

August 2, 2021