Another common Windows registry operation is the enumeration of the values under a given registry key. Windows provides the RegEnumValue API (bit.ly/2jB4kaV) for this purpose. Here, I’ll show how to use this API to get a list of the names and types of the values located under a given registry key, wrapping the enumeration process in a.
-->- Back up the Registry. To do so: Open the Registry Editor by typing regedit into Start and then clicking regedit. Click File in the top-left corner. In the drop-down menu. Enter a name for your Registry backup. Check the 'All' box on the left side of the window.
- To Find Windows Version Number in Registry Editor 1 Press the Win + R keys to open Run, type regedit into Run, and click/tap on OK to open Registry Editor. 2 If prompted by UAC, click/tap on Yes. 3 In the left pane of Registry Editor, browse to the key below. (see screenshot below).
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10
The Windows Time service (W32Time) synchronizes the date and time for all computers managed by Active Directory Domain Services (AD DS). This article covers the different tools and settings used to manage the Windows Time service.
By default, a computer that is joined to a domain synchronizes time through a domain hierarchy of time sources. However, if a computer has been manually configured to synchronize from a specific time source, perhaps because it was formerly not joined to a domain, you can reconfigure the computer to begin automatically sourcing its time from the domain hierarchy.
Most domain-joined computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. An exception to this is the domain controller, which functions as the primary domain controller (PDC) emulator operations master for the root forest domain. The PDC emulator operations master in turn is usually configured to synchronize time with an external time source.
You can achieve down to one-millisecond time accuracy in your domain. For more information, see Support boundary for high-accuracy time and see Accurate Time for Windows Server 2016.
Caution
Don't use the Net time command to configure or set a computer's clock time when the Windows Time service is running.
Also, on older computers that run Windows XP or earlier, the Net time /querysntp command displays the name of a Network Time Protocol (NTP) server with which a computer is configured to synchronize, but that NTP server is used only when the computer's time client is configured as NTP or AllSync. This command has since been deprecated.
Network port
The Windows Time service follows the Network Time Protocol (NTP) specification, which requires the use of UDP port 123 for all time synchronization. Whenever the computer synchronizes its clock or provides time to another computer, it happens over UDP port 123. This port is exclusively reserved by the Windows Time service.
Note
If you have a computer with multiple network adapters (is multi-homed), you cannot enable the Windows Time service based on a network adapter.
Using W32tm.exe
You can use the command-line tool W32tm.exe to configure Windows Time service settings and to diagnose computer time problems. W32tm.exe is the preferred command-line tool for configuring, monitoring, and troubleshooting the Windows Time service. W32tm.exe is included with Windows XP and later and Windows Server 2003 and later.
Membership in the local Administrators group is required to run W32tm.exe locally, while membership in the Domain Admins group is required to run W32tm.exe remotely.
Run W32tm.exe
- In the Windows search bar, enter cmd.
- Right-click Command Prompt, then select Run as administrator.
- At the command prompt, enter w32tm followed by the applicable parameter, as described below:
Parameter | Description |
---|---|
/? | Displays the W32tm command-line help |
/register | Registers the Windows Time service to run as a service and adds its default configuration information to the registry. |
/unregister | Unregisters the Windows Time service and removes all of its configuration information from the registry. |
/monitor [/domain:<domain name>] [/computers:<name>[,<name>[,<name>..]]] [/threads:<num>] | Monitors the Windows Time service. /domain: Specifies which domain to monitor. If no domain name is given, or neither the /domain nor /computers option is specified, the default domain is used. This option might be used more than once. /computers: Monitors the given list of computers. Computer names are separated by commas, with no spaces. If a name is prefixed with a *, it is treated as a PDC. This option might be used more than once. /threads: Specifies the number of computers to analyze simultaneously. The default value is 3. The allowed range is 1-50. |
/ntte <NT time epoch> | Converts a Windows NT system time (measured in 10-7-second intervals starting from 0h 1-Jan 1601) into a readable format. |
/ntpte <NTP time epoch> | Converts an NTP time (measured in 2-32-second intervals starting from 0h 1-Jan 1900) into a readable format. |
/resync [/computer:<computer>] [/nowait] [/rediscover] [/soft] | Tells a computer that it should resynchronize its clock as soon as possible, throwing out all accumulated error statistics. /computer:<computer>: Specifies the computer that should resynchronize. If not specified, the local computer will resynchronize. /nowait: do not wait for resynchronization to occur; return immediately. Otherwise, wait for resynchronization to complete before returning. /rediscover: Redetects the network configuration and rediscovers network sources, then resynchronizes. /soft: Resynchronizes by using existing error statistics. This is used for compatibility purposes. |
/stripchart /computer:<target> [/period:<refresh>] [/dataonly] [/samples:<count>] [/rdtsc] | Displays a strip chart of the offset between this computer and another computer. /computer:<target>: The computer to measure the offset against. /period:<refresh>: The time between samples, in seconds. The default is 2 seconds. /dataonly: Displays the data only, without graphics. /samples:<count>: Collects <count> samples, then stops. If not specified, samples will be collected until Ctrl+C is pressed.
|
/config [/computer:<target>] [/update] [/manualpeerlist:<peers>] [/syncfromflags:<source>] [/LocalClockDispersion:<seconds>] [/reliable:(YES|NO)] [/largephaseoffset:<milliseconds>]** | /computer:<target>: Adjusts the configuration of <target>. If not specified, the default is the local computer. /update: Notifies the Windows Time service that the configuration has changed, causing the changes to take effect. /manualpeerlist:<peers>: Sets the manual peer list to <peers>, which is a space-delimited list of DNS or IP addresses. When specifying multiple peers, this option must be enclosed in quotes. /syncfromflags:<source>: Sets what sources the NTP client should synchronize from. <source> should be a comma-separated list of these keywords (not case sensitive):
/reliable:(YES|NO): Set whether this computer is a reliable time source. This setting is only meaningful on domain controllers.
|
/tz | Displays the current time zone settings. |
/dumpreg [/subkey:<key>] [/computer:<target>] | Displays the values associated with a given registry key. The default key is HKLMSystemCurrentControlSetServicesW32Time (the root key for the Windows Time service). /subkey:<key>: Displays the values associated with subkey of the default key. /computer:<target>: Queries registry settings for computer <target> |
/query [/computer:<target>] {/source | /configuration | /peers | /status} [/verbose] | Displays the computer's Windows Time service information. This parameter was first made available for the Windows Time client in Windows Vista and Windows Server 2008. /computer:<target>: Queries the information of <target>. If not specified, the default value is the local computer. /source: Displays the time source. /configuration: Displays the configuration of run time and where the setting comes from. In verbose mode, display the undefined or unused setting too. /peers: Displays a list of peers and their status. /status: Displays Windows Time service status. /verbose: Sets the verbose mode to display more information. |
/debug {/disable | {/enable /file:<name> /size:/<bytes> /entries:<value> [/truncate]}} | Enables or disables the local computer Windows Time service private log. This parameter was first made available for the Windows Time client in Windows Vista and Windows Server 2008. /disable: Disables the private log. /enable: Enables the private log.
|
Set client to use two time servers
To set a client computer to point to two different time servers, one named ntpserver.contoso.com
and another named clock.adatum.com
, type the following command at the command prompt, and then press ENTER:
Set client to sync time automatically from a domain source
To configure a client computer that is currently synchronizing time using a manually-specified computer to synchronize time automatically from the AD domain hierarchy, run the following following:
Check client time configuration
To check a client configuration from a Windows-based client computer that has a host name of contosoW1
, run the following command:
The output of this command displays a list of W32time configuration parameters that are set for the client.
Important
Windows Server 2016 has improved the time synchronization algorithms to align with RFC specifications. Therefore, if you want to set the local time client to point to multiple peers, we recommended that you prepare three or more different time servers.
If you have only two time servers, you should specify the NtpserverUseAsFallbackOnly
flag (0x2)to de-prioritize one of them. For example, if you want to prioritize ntpserver.contoso.com
over clock.adatum.com
, run the following command.
Additionally, you can run the following command and read the value of NtpServer
in the output:
Configure computer clock reset
In order for W32tm.exe to reset a computer clock, it first checks the offset (CurrentTimeOffset
, also known as Phase Offset
) between the current time and the computer clock time to determine whether the offset is less than the MaxAllowedPhaseOffset
value.
CurrentTimeOffset
<MaxAllowedPhaseOffset
: Adjust the computer clock gradually by using the clock rate.CurrentTimeOffset
≥MaxAllowedPhaseOffset
: Set the computer clock immediately.
Then, to adjust the computer clock by using the clock rate, W32tm.exe calculates a PhaseCorrection
value. This algorithm varies depending on the version of Windows:
Windows Server 2016 and later versions:
PhaseCorrection_raw
= |CurrentTimeOffset
| ÷ (16 ×PhaseCorrectRate
×pollIntervalInSeconds
)MaximumCorrection
= |CurrentTimeOffset
| ÷ (UpdateInterval
× 1,000 × 10,000)PhaseCorrection
= min(PhaseCorrection_raw
,MaximumCorrection
)Windows Server 2012 R2 and earlier versions:
PhaseCorrection
= |CurrentTimeOffset
| ÷ (PhaseCorrectRate
×UpdateInterval
)
All versions of Windows use the same final equation to check PhaseCorrection
:
PhaseCorrection
≤ SystemClockRate
÷ 2
Note
These equations use
PhaseCorrectRate
,UpdateInterval
,MaxAllowedPhaseOffset
, andSystemClockRate
measured in units of clock ticks. On Windows systems, 1 ms = 10,000 clock ticks.MaxAllowedPhaseOffset
is configurable in the registry. However, the registry parameter is measured in seconds instead of clock ticks.To see the
SystemClockRate
andpollIntervalInSeconds
values (measured in seconds), open a Command Prompt window and then runW32tm /query /status /verbose
. This command produces output that resembles the following.
The output presents the poll interval in both clock ticks and in seconds. The equations use the value measured in seconds (the value in parentheses).
The output presents the clock rate in seconds. To see theSystemClockRate
value in clock ticks, use the following formula:(
value in seconds
) × 1,000 × 10,000For example, if
SystemClockRate
is 0.0156250 seconds, the value that the equation uses is 156,250 clock ticks.For full descriptions of the configurable parameters and their default values, see Config entries later in this article.
The following examples show how to apply these calculations for Windows Server 2012 R2 and earlier versions.
Example: System clock rate off by four minutes
Your computer clock time is 11:05 and the actual current time is 11:09:
PhaseCorrectRate
= 1
UpdateInterval
= 30,000 clock ticks
SystemClockRate
= 156,000 clock ticks
MaxAllowedPhaseOffset
= 10 min = 600 seconds = 600 × 1,000 × 10,000 = 6,000,000,000 clock ticks
|CurrentTimeOffset
| = 4 min = 4 × 60 × 1,000 × 10,000 = 2,400,000,000 clock ticks
Is CurrentTimeOffset
≤ MaxAllowedPhaseOffset
?
2,400,000,000 ≤ 6,000,000,000: TRUE
AND does it satisfy the following equation?
(|CurrentTimeOffset
| ÷ (PhaseCorrectRate
× UpdateInterval
) ≤ SystemClockRate
÷ 2)
Is 2,400,000,000 / (30,000 × 1) ≤ 156,000 ÷ 2
80,000 ≤ 78,000: FALSE
Therefore, W32tm.exe would set the clock back immediately.
Note
In this case, if you want to set the clock back slowly, you would also have to adjust the values of PhaseCorrectRate
or UpdateInterval
in the registry to make sure that the equation result is TRUE.
Example: System clock rate off by three minutes
Your computer clock time is 11:05 and the actual current time is 11:08:
PhaseCorrectRate
= 1
UpdateInterval
= 30,000 clock ticks
SystemClockRate
= 156,000 clock ticks
MaxAllowedPhaseOffset
= 10 min = 600 seconds = 600 × 1,000 × 10,000 = 6,000,000,000 clock ticks
|CurrentTimeOffset
| = 3 mins = 3 × 60 × 1,000 × 10,000 = 1,800,000,000 clock ticks
Is CurrentTimeOffset
≤ MaxAllowedPhaseOffset
?
1,800,000,000 ≤ 6,000,000,000: TRUE
AND does it satisfy the following equation?
(|CurrentTimeOffset
| ÷ (PhaseCorrectRate
× UpdateInterval
) ≤ SystemClockRate
÷ 2)
Is 3 mins × (1,800,000,000) ÷ (30,000 × 1) ≤ 156,000 ÷ 2
Is 60,000 ≤ 78,000: TRUE
In this case, the clock will be set back slowly.
Using Local Group Policy Editor
The Windows Time service stores a number of configuration properties as registry entries. You can use Group Policy Objects (GPOs) in Local Group Policy Editor to configure most of this information. For example, you can use GPOs to configure a computer to be an NTPServer or NTPClient, configure the time synchronization mechanism, or configure a computer to be a reliable time source.
Note
Group Policy settings for the Windows Time service can be applied on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 domain controllers and can be applied to computers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.
Windows stores the Windows Time service policy information in the Local Group Policy Editor under Computer ConfigurationAdministrative TemplatesSystemWindows Time Service
. It stores configuration information that the policies define in the Windows registry, and then uses those registry entries to configure the registry entries specific to the Windows Time service. As a result, the values defined by Group Policy overwrite any pre-existing values in the Windows Time service section of the registry. Some of the preset GPO settings differ from the corresponding default Windows Time service registry entries.
For example, suppose you edit policy settings in the Time ProvidersConfigure Windows NTP Client policy. Windows loads these settings into the policy area of the registry under the following subkey:
Get Windows Version From Registry
HKLMSoftwarePoliciesMicrosoftW32timeTimeProvidersNtpClient
Then Windows uses the policy settings to configure the related Windows Time service registry entries under the following subkey: Bluestacks 1 yukle.
HKLMSYSTEMCurrentControlSetServicesW32TimeTime ProvidersNTPClient
The following table lists the policies that you can configure for the Windows Time service, and the registry subkeys that those policies affect.
Note
When you remove a Group Policy setting, Windows removes the corresponding entry from the policy area of the registry.
Group Policy1 | Registry locations2,3 |
---|---|
Global Configuration Settings | W32Time W32TimeConfig W32TimeParameters |
Time ProvidersConfigure Windows NTP Client | W32TimeTimeProvidersNtpClient |
Time ProvidersEnable Windows NTP Client | W32TimeTimeProvidersNtpClient |
Time ProvidersEnable Windows NTP Server | W32TimeTimeProvidersNtpServer |
1Category path: Computer ConfigurationAdministrative TemplatesSystemWindows Time Service
2 Subkey: HKLMSOFTWAREPoliciesMicrosoft
3 Subkey: HKLMSYSTEMCurrentControlSetServices
Windows registry reference
Warning
This information is provided as a reference for use in troubleshooting and validation. Windows registry keys are used by W32Time to store critical information. Don't change these values. Modifications to the registry are not validated by the registry editor or by Windows before they are applied. If the registry contains invalid values, Windows may experience unrecoverable errors.
The Windows Time service stores information in the registry at the HKLMSYSTEMCurrentControlSetServicesW32Time path under the following subkeys:
In the following tables, 'All versions' refers to Windows 7, Windows 8, Windows 10, Windows Server 2008 and Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
Note
Some of the parameters in the registry are measured in clock ticks and some are measured in seconds. To convert the time from clock ticks to seconds, use these conversion factors:
- 1 minute = 60 sec
- 1 sec = 1000 ms
- 1 ms = 10,000 clock ticks on a Windows system, as described at DateTime.Ticks Property.
For example, 5 minutes becomes 5 × 60 × 1000 × 10000 = 3,000,000,000 clock ticks.
Config entries
The Config
subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeConfig
.
Registry entry | Versions | Description |
---|---|---|
AnnounceFlags | All versions | Controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server.
The default value for domain members is 10. The default value for stand-alone clients and servers is 10. |
ChainDisable | Controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), a read-only domain controller (RODC) can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. This is a boolean setting, and the default value is 0. | |
ChainEntryTimeout | Specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. The default value is 16 (seconds). | |
ChainLoggingRate | Controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. The default is 30 (minutes). | |
ChainMaxEntries | Controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. The default value is 128 (entries). | |
ChainMaxHostEntries | Controls the maximum number of entries that are allowed in the chaining table for a particular host. The default value is 4 (entries). | |
ClockAdjustmentAuditLimit | Windows Server 2016 Version 1709 and later versions; Windows 10 Version 1709 and later versions | Specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target computer. The default value is 800 (parts per million - PPM). |
ClockHoldoverPeriod | Windows Server 2016 Version 1709 and later versions; Windows 10 Version 1709 and later versions | Indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7,800 seconds. |
EventLogFlags | All versions | Controls which events that the time service logs.
|
FrequencyCorrectRate | All versions | Controls the rate at which the clock is corrected. If this value is too small, the clock is unstable and overcorrects. If the value is too large, the clock takes a long time to synchronize. The default value on domain members is 4. The default value on stand-alone clients and servers is 4. Note |
HoldPeriod | All versions | Controls the period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly. A spike is a time sample indicating that time is off a number of seconds, and is usually received after good time samples have been returned consistently. The default value on domain members is 5. The default value on stand-alone clients and servers is 5. |
LargePhaseOffset | All versions | Specifies that a time offset greater than or equal to this value in 10-7 seconds is considered a spike. A network disruption such as a large amount of traffic might cause a spike. A spike will be ignored unless it persists for a long period of time. The default value on domain members is 50000000. The default value on stand-alone clients and servers is 50000000. |
LastClockRate | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is 156250. The default value on stand-alone clients and servers is 156250. |
LocalClockDispersion | All versions | Controls the dispersion (in seconds) that you must assume when the only time source is the built-in CMOS clock. The default value on domain members is 10. The default value on stand-alone clients and servers is 10. |
MaxAllowedPhaseOffset | All versions | Specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1. |
MaxClockRate | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860. |
MaxNegPhaseCorrection | All versions | Specifies the largest negative time correction, in seconds, that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Note The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs). |
MaxPollInterval | All versions | Specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15. |
MaxPosPhaseCorrection | All versions | Specifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Note The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs). |
MinClockRate | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860. |
MinPollInterval | All versions | Specifies the smallest interval, in log base 2 seconds, allowed for the system polling interval. Note that while a system does not request samples more frequently than this, a provider can produce samples at times other than the scheduled interval. The default value for domain controllers is 6. The default value for domain members is 10. The default value for stand-alone clients and servers is 10. |
PhaseCorrectRate | All versions | Controls the rate at which the phase error is corrected. Specifying a small value corrects the phase error quickly, but might cause the clock to become unstable. If the value is too large, it takes a longer time to correct the phase error. The default value on domain members is 1. The default value on stand-alone clients and servers is 7. Note |
PollAdjustFactor | All versions | Controls the decision to increase or decrease the poll interval for the system. The larger the value, the smaller the amount of error that causes the poll interval to be decreased. The default value on domain members is 5. The default value on stand-alone clients and servers is 5. |
RequireSecureTimeSyncRequests | Windows 8 and later versions | Controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. This is a boolean setting, and the default value is 0. |
SpikeWatchPeriod | All versions | Specifies the amount of time that a suspicious offset must persist before it is accepted as correct (in seconds). The default value on domain members is 900. The default value on stand-alone clients and workstations is 900. |
TimeJumpAuditOffset | All versions | An unsigned integer that indicates the time jump audit threshold, in seconds. If the time service adjusts the local clock by setting the clock directly, and the time correction is more than this value, then the time service logs an audit event. |
UpdateInterval | All versions | Specifies the number of clock ticks between phase correction adjustments. The default value for domain controllers is 100. The default value for domain members is 30,000. The default value for stand-alone clients and servers is 360,000. Note |
UtilizeSslTimeData | Windows versions later than Windows 10 build 1511 | Value of 1 indicates that W32Time uses multiple SSL timestamps to seed a clock that is grossly inaccurate. |
Parameters entries
The Parameters
subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeParameters
.
Registry entry | Versions | Description |
---|---|---|
AllowNonstandardModeCombinations | All versions | Indicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1. |
NtpServer | All versions | Specifies a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Each DNS name or IP address listed must be unique. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock.
There is no default value for this registry entry on domain members. The default value on stand-alone clients and servers is time.windows.com,0x1 . |
ServiceDll | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll. |
ServiceMain | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is SvchostEntry_W32Time. The default value on stand-alone clients and servers is SvchostEntry_W32Time. |
Type | All versions | Indicates which peers to accept synchronization from:
|
NtpClient entries
The NtpClient
subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpClient
Registry entry | Version | Description |
---|---|---|
AllowNonstandardModeCombinations | All versions | Indicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1. |
CompatibilityFlags | All versions | Specifies the following compatibility flags and values:
|
CrossSiteSyncFlags | All versions | Determines whether the service chooses synchronization partners outside the domain of the computer. The options and values are:
|
DllName | All versions | Specifies the location of the DLL for the time provider. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll. |
Enabled | All versions | Indicates if the NtpClient provider is enabled in the current Time Service.
|
EventLogFlags | All versions | Specifies the events logged by the Windows Time service.
|
InputProvider | All versions | Indicates whether to enable the NtpClient as an InputProvider, which obtains time information from the NtpServer. The NtpServer is a time server that responds to client time requests on the network by returning time samples that are useful for synchronizing the local clock.
|
LargeSampleSkew | All versions | Specifies the large sample skew for logging, in seconds. To comply with Security and Exchange Commission (SEC) specifications, this should be set to three seconds. Events will be logged for this setting only when EventLogFlags is explicitly configured for 0x2 large sample skew. The default value on domain members is 3. The default value on stand-alone clients and servers is 3. |
ResolvePeerBackOffMaxTimes | All versions | Specifies the maximum number of times to double the wait interval when repeated attempts to locate a peer to synchronize with fail. A value of zero means that the wait interval is always the minimum. The default value on domain members is 7. The default value on stand-alone clients and servers is 7. |
ResolvePeerBackoffMinutes | All versions | Specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. The default value on domain members is 15. The default value on stand-alone clients and servers is 15. |
SpecialPollInterval | All versions | Specifies the special poll interval, in seconds, for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800. New for build 1703, SpecialPollInterval is contained by the MinPollInterval and MaxPollInterval Config registry values. |
SpecialPollTimeRemaining | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system. It specifies the time, in seconds, before W32Time will resynchronize after the computer has restarted. Any changes to this setting can cause unpredictable results. The default value on both domain members and on stand-alone clients and servers is left blank. |
NtpServer entries
The NtpClient
subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpServer
.
Registry Entry | Versions | Description |
---|---|---|
AllowNonstandardModeCombinations | All versions | Indicates that non-standard mode combinations are allowed in synchronization between clients and servers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1. |
DllName | All versions | Specifies the location of the DLL for the time provider. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll . |
Enabled | All versions | Indicates if the NtpServer provider is enabled in the current Time Service.
|
InputProvider | All versions | Indicates whether to enable the NtpClient as an InputProvider, which obtains time information from the NtpServer. The NtpServer is a time server that responds to client time requests on the network by returning time samples that are useful for synchronizing the local clock.
|
Enhanced logging
The following registry entries are not a part of the W32Time default configuration but can be added to the registry to obtain enhanced logging capabilities. The information logged to the System Event log can be modified by changing values for the EventLogFlags setting in the Group Policy Object Editor. By default, the Windows Time service logs an event every time that it switches to a new time source.
In order to enable W32Time logging, add the following registry entries:
Entry | Versions | Description |
---|---|---|
FileLogEntries | All versions | Controls the number of entries created in the Windows Time log file. The default value is none, which does not log any Windows Time activity. Valid values are 0 to 300. This value does not affect the event log entries normally created by Windows Time |
FileLogName | All versions | Controls the location and file name of the Windows Time log. The default value is blank, and should not be changed unless FileLogEntries is changed. A valid value is a full path and file name that Windows Time will use to create the log file. This value does not affect the event log entries normally created by Windows Time. |
FileLogSize | All versions | Controls the circular logging behavior of Windows Time log files. When FileLogEntries and FileLogName are defined, defines the size, in bytes, to allow the log file to reach before overwriting the oldest log entries with new entries. Please use 1000000 or larger value for this setting. This value does not affect the event log entries normally created by Windows Time. |
Group Policy Object settings
Group Policy settings are contained in the Global Configuration Settings and the Windows NTP Client Settings GPOs.
Global Configuration Settings
These are the global Group Policy settings and default values for the Windows Time service. These settings are contained in the Global Configuration Settings GPO in Local Policy Editor.
Group Policy setting | Default value |
---|---|
AnnounceFlags | 10 |
EventLogFlags | 2 |
FrequencyCorrectRate | 4 |
HoldPeriod | 5 |
LargePhaseOffset | 1,280,000 |
LocalClockDispersion | 10 |
MaxAllowedPhaseOffset | 300 |
MaxNegPhaseCorrection | 54,000 (15 hours) |
MaxPollInterval | 15 |
MaxPosPhaseCorrection | 54,000 (15 hours) |
MinPollInterval | 10 |
PhaseCorrectRate | 7 |
PollAdjustFactor | 5 |
SpikeWatchPeriod | 90 |
UpdateInterval | 100 |
Windows NTP Client settings
These are the Windows NTP client settings and default values for the Windows Time service. These settings are contained in the Configure Windows NTP Client GPO in Local Group Policy Editor.
Group Policy setting | Default value |
---|---|
NtpServer | time.windows.com , 0x1 |
Type | NTP - Use for non-domain-joined computers NT5DS - Use for domain-joined computers |
CrossSiteSyncFlags | 2 |
ResolvePeerBackoffMinutes | 15 |
ResolvePeerBackoffMaxTimes | 7 |
SpecialPollInterval | 3,600 |
EventLogFlags | 0 |
Related information
See RFC 1305 - Network Time Protocol of the Internet Engineering Task Force (IETF).
Starting from its first version, PowerShell offers an administrator an extensive set of tools to interact with Windows system registry. If necessary, all typical operations with the registry can be performed not in the good old Regedit interface, or reg.exe, but in PowerShell command prompt. In different scripts and scenarios it is indispensable. In this article, we’ll consider how to create, edit or delete keys and parameters of Windows registry, search something or connect to the registry on a remote computer using PowerShell.
Registry Navigation Using PowerShell
Working with the registry in PowerShell is similar to working with common files on a local disk.
Display the list of available drives:
get-psdrive
As you can see, the built-in provider allows to get access to the contents of two branches of the registry: HKEY_CURRENT_USER (HKCU) and HKEY_LOCAL_MACHINE (HKLM). The branches of the registry are addressed like drives (HKLM: and HKCU:). For example, to go to the root of HKLM, run this command:
cd HKLM:
You can go to the specific branch of the registry (for example, to the one responsible for the settings of automatic driver updates) using Set-Location command (alias — sl)
Set-Location -Path HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDriverSearching
Display the contents of the key:
dir
Or
Get-ChildItem
Get Windows Product Key From Registry
Open the same branch in the Registry Editor. As you can see, the command has displayed only the information about the subkeys, not the parameters of the current branch.
The matter is that, from PowerShell point of view, a registry branch (a key) is a file analog, and the parameters stored in this registry key are the properties of this file.
So, to get the parameters of this branch, use Get-Item cmdlet:
Get-Item .
OrGet-Item -Path HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDriverSearching
As you can see, DriverSearching key has only one parameter – SearchOrderConfig with its value equal to 0.
To address the specific key parameter, Get-ItemProperty cmdlet is used. For example, assign the contents of the branch to variable and get the value of the parameter:
$DriverUpdate = Get-ItemProperty –Path ‘HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDriverSearching’
$DriverUpdate.SearchOrderConfig
We have got that the value of SearchOrderConfig parameter is equal to 1.
How to Change the Registry Value
To change the value of SearchOrderConfig parameter, use Set-ItemProperty cmdlet:
Set-ItemProperty -Path 'HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDriverSearching' -Name SearchOrderConfig -Value 0
How to Create a New Register Key or Parameter
To add a new registry key, use New-Item command. Create a new key with the name NewKey:
$HKCU_Desktop= 'HKCU:Control PanelDesktop'
New-Item –Path $HKCU_Desktop –Name NewKey
Add a new string parameter with the name SuperParamString and the value file_name.txt for the created key:
New-ItemProperty -Path $HKCU_DesktopNewKey -Name 'SuperParamString' -Value ”file_name.txt” -PropertyType 'String'
Make sure that the new key and parameter have appeared in the registry.
Deleting a Registry Key or Parameter
Remove the parameter SuperParamString created earlier:
$HKCU_Desktop= 'HKCU:Control PanelDesktop'
Remove-ItemProperty –Path $HKCU_DesktopNewKey –Name 'SuperParamString'
Then delete the entire branch:
Remove-Item –Path $HKCU_DesktopNewKey –Recurse
To remove all items in the branch, but not the branch itself, the command looks like this:
Remove-Item –Path $HKCU_DesktopNewKey* –Recurse
How to Rename a Key or a Parameter
To rename the parameter use this command:
Rename-ItemProperty –path ‘HKCU:Control PanelDesktopNewKey’ –name 'SuperParamString' –newname “OldParamString”
In the same way, you can rename the registry key:
Rename-Item -path 'HKCU:Control PanelDesktopNewKey' OldKey
Search the Registry Using PowerShell
PowerShell allows you to search registry. The next script searches the HKCU:Control PanelDesktop the parameters, whose names contain the *dpi* key.
$Path = (Get-ItemProperty ‘HKCU:Control PanelDesktop’)
$Path.PSObject.Properties | ForEach-Object {
If($_.Name -like '*dpi*'){
Write-Host $_.Name ' = ' $_.Value
}
}
Remote Access to the Registry Using PowerShell
PowerShell allows you to access the registry from of a remote computer. You can connect to a remote computer either using WinRM (Invoke-Command or Enter-PSSession):
Invoke-Command –ComputerName srv-fs1 –ScriptBlock { Get-ItemProperty -Path 'HKLM:SystemSetup' -Name WorkingDirectory}
Or using remote registry connection (RemoteRegistry must be enabled)
$Server = 'lon-fs1'
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
$RegKey= $Reg.OpenSubKey('SystemSetup')
$RegValue = $RegKey.GetValue('WorkingDirectory')
So, we looked at typical examples of using PowerShell to interract with the Windows registry.