Get Windows From Registry
-->
- Open Settings by pressing Win + I on the keyboard. Go to Upgrade & recovery Windows Insider Program. Join the program, if you are not already in, and select the Release Preview channel which will be the only available channel for you. Now, press Win + R and type regedit, and hit the Enter key.
- For a 32-bit application on a 64-bit operating system, you need to get the content of the registry key HKEYLOCALMACHINE SOFTWARE Wow6432Node Microsoft Windows CurrentVersion Uninstall. If an application was installed for the current user, then you can locate it using the following registry key HKCU Software Microsoft Windows CurrentVersion.
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10
The Windows Time service (W32Time) synchronizes the date and time for all computers managed by Active Directory Domain Services (AD DS). This article covers the different tools and settings used to manage the Windows Time service.
By default, a computer that is joined to a domain synchronizes time through a domain hierarchy of time sources. However, if a computer has been manually configured to synchronize from a specific time source, perhaps because it was formerly not joined to a domain, you can reconfigure the computer to begin automatically sourcing its time from the domain hierarchy.
Most domain-joined computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. An exception to this is the domain controller, which functions as the primary domain controller (PDC) emulator operations master for the root forest domain. The PDC emulator operations master in turn is usually configured to synchronize time with an external time source.
Wmic csproduct get UUID. That UUID is the best way to ID a machine, it exists in Windows, Mac and many other platforms. It is 32 characters in length, a universally unique identifier. You can run the above wmic command to get it. But wait, that’s not always the case.
You can achieve down to one-millisecond time accuracy in your domain. For more information, see Support boundary for high-accuracy time and see Accurate Time for Windows Server 2016.
Caution
Don't use the Net time command to configure or set a computer's clock time when the Windows Time service is running.
Also, on older computers that run Windows XP or earlier, the Net time /querysntp command displays the name of a Network Time Protocol (NTP) server with which a computer is configured to synchronize, but that NTP server is used only when the computer's time client is configured as NTP or AllSync. This command has since been deprecated.
Network port
The Windows Time service follows the Network Time Protocol (NTP) specification, which requires the use of UDP port 123 for all time synchronization. Whenever the computer synchronizes its clock or provides time to another computer, it happens over UDP port 123. This port is exclusively reserved by the Windows Time service.
Note
If you have a computer with multiple network adapters (is multi-homed), you cannot enable the Windows Time service based on a network adapter.
Using W32tm.exe
You can use the command-line tool W32tm.exe to configure Windows Time service settings and to diagnose computer time problems. W32tm.exe is the preferred command-line tool for configuring, monitoring, and troubleshooting the Windows Time service. W32tm.exe is included with Windows XP and later and Windows Server 2003 and later.
Membership in the local Administrators group is required to run W32tm.exe locally, while membership in the Domain Admins group is required to run W32tm.exe remotely.
Run W32tm.exe
- In the Windows search bar, enter cmd.
- Right-click Command Prompt, then select Run as administrator.
- At the command prompt, enter w32tm followed by the applicable parameter, as described below:
Parameter | Description |
---|---|
/? | Displays the W32tm command-line help |
/register | Registers the Windows Time service to run as a service and adds its default configuration information to the registry. |
/unregister | Unregisters the Windows Time service and removes all of its configuration information from the registry. |
/monitor [/domain:<domain name>] [/computers:<name>[,<name>[,<name>...]]] [/threads:<num>] | Monitors the Windows Time service. /domain: Specifies which domain to monitor. If no domain name is given, or neither the /domain nor /computers option is specified, the default domain is used. This option might be used more than once. /computers: Monitors the given list of computers. Computer names are separated by commas, with no spaces. If a name is prefixed with a *, it is treated as a PDC. This option might be used more than once. /threads: Specifies the number of computers to analyze simultaneously. The default value is 3. The allowed range is 1-50. |
/ntte <NT time epoch> | Converts a Windows NT system time (measured in 10-7-second intervals starting from 0h 1-Jan 1601) into a readable format. |
/ntpte <NTP time epoch> | Converts an NTP time (measured in 2-32-second intervals starting from 0h 1-Jan 1900) into a readable format. |
/resync [/computer:<computer>] [/nowait] [/rediscover] [/soft] | Tells a computer that it should resynchronize its clock as soon as possible, throwing out all accumulated error statistics. /computer:<computer>: Specifies the computer that should resynchronize. If not specified, the local computer will resynchronize. /nowait: do not wait for resynchronization to occur; return immediately. Otherwise, wait for resynchronization to complete before returning. /rediscover: Redetects the network configuration and rediscovers network sources, then resynchronizes. /soft: Resynchronizes by using existing error statistics. This is used for compatibility purposes. |
/stripchart /computer:<target> [/period:<refresh>] [/dataonly] [/samples:<count>] [/rdtsc] | Displays a strip chart of the offset between this computer and another computer. /computer:<target>: The computer to measure the offset against. /period:<refresh>: The time between samples, in seconds. The default is 2 seconds. /dataonly: Displays the data only, without graphics. /samples:<count>: Collects <count> samples, then stops. If not specified, samples will be collected until Ctrl+C is pressed.
|
/config [/computer:<target>] [/update] [/manualpeerlist:<peers>] [/syncfromflags:<source>] [/LocalClockDispersion:<seconds>] [/reliable:(YES|NO)] [/largephaseoffset:<milliseconds>]** | /computer:<target>: Adjusts the configuration of <target>. If not specified, the default is the local computer. /update: Notifies the Windows Time service that the configuration has changed, causing the changes to take effect. /manualpeerlist:<peers>: Sets the manual peer list to <peers>, which is a space-delimited list of DNS or IP addresses. When specifying multiple peers, this option must be enclosed in quotes. /syncfromflags:<source>: Sets what sources the NTP client should synchronize from. <source> should be a comma-separated list of these keywords (not case sensitive):
/reliable:(YES|NO): Set whether this computer is a reliable time source. This setting is only meaningful on domain controllers.
|
/tz | Displays the current time zone settings. |
/dumpreg [/subkey:<key>] [/computer:<target>] | Displays the values associated with a given registry key. The default key is HKLMSystemCurrentControlSetServicesW32Time (the root key for the Windows Time service). /subkey:<key>: Displays the values associated with subkey of the default key. /computer:<target>: Queries registry settings for computer <target> |
/query [/computer:<target>] {/source | /configuration | /peers | /status} [/verbose] | Displays the computer's Windows Time service information. This parameter was first made available for the Windows Time client in Windows Vista and Windows Server 2008. /computer:<target>: Queries the information of <target>. If not specified, the default value is the local computer. /source: Displays the time source. /configuration: Displays the configuration of run time and where the setting comes from. In verbose mode, display the undefined or unused setting too. /peers: Displays a list of peers and their status. /status: Displays Windows Time service status. /verbose: Sets the verbose mode to display more information. |
/debug {/disable | {/enable /file:<name> /size:/<bytes> /entries:<value> [/truncate]}} | Enables or disables the local computer Windows Time service private log. This parameter was first made available for the Windows Time client in Windows Vista and Windows Server 2008. /disable: Disables the private log. /enable: Enables the private log.
|
Set client to use two time servers
To set a client computer to point to two different time servers, one named ntpserver.contoso.com
and another named clock.adatum.com
, type the following command at the command prompt, and then press ENTER:
Set client to sync time automatically from a domain source
To configure a client computer that is currently synchronizing time using a manually-specified computer to synchronize time automatically from the AD domain hierarchy, run the following following:
Check client time configuration
To check a client configuration from a Windows-based client computer that has a host name of contosoW1
, run the following command:
The output of this command displays a list of W32time configuration parameters that are set for the client.
Important
Windows Server 2016 has improved the time synchronization algorithms to align with RFC specifications. Therefore, if you want to set the local time client to point to multiple peers, we recommended that you prepare three or more different time servers.
If you have only two time servers, you should specify the NtpserverUseAsFallbackOnly
flag (0x2)to de-prioritize one of them. For example, if you want to prioritize ntpserver.contoso.com
over clock.adatum.com
, run the following command.
Additionally, you can run the following command and read the value of NtpServer
in the output:
Configure computer clock reset
In order for W32tm.exe to reset a computer clock, it first checks the offset (CurrentTimeOffset
, also known as Phase Offset
) between the current time and the computer clock time to determine whether the offset is less than the MaxAllowedPhaseOffset
value.
CurrentTimeOffset
<MaxAllowedPhaseOffset
: Adjust the computer clock gradually by using the clock rate.CurrentTimeOffset
≥MaxAllowedPhaseOffset
: Set the computer clock immediately.
Then, to adjust the computer clock by using the clock rate, W32tm.exe calculates a PhaseCorrection
value. This algorithm varies depending on the version of Windows:
Windows Server 2016 and later versions:
PhaseCorrection_raw
= |CurrentTimeOffset
| ÷ (16 ×PhaseCorrectRate
×pollIntervalInSeconds
)MaximumCorrection
= |CurrentTimeOffset
| ÷ (UpdateInterval
× 1,000 × 10,000)PhaseCorrection
= min(PhaseCorrection_raw
,MaximumCorrection
)Windows Server 2012 R2 and earlier versions:
PhaseCorrection
= |CurrentTimeOffset
| ÷ (PhaseCorrectRate
×UpdateInterval
)
All versions of Windows use the same final equation to check PhaseCorrection
:
PhaseCorrection
≤ SystemClockRate
÷ 2
Note
These equations use
PhaseCorrectRate
,UpdateInterval
,MaxAllowedPhaseOffset
, andSystemClockRate
measured in units of clock ticks. On Windows systems, 1 ms = 10,000 clock ticks.MaxAllowedPhaseOffset
is configurable in the registry. However, the registry parameter is measured in seconds instead of clock ticks.To see the
SystemClockRate
andpollIntervalInSeconds
values (measured in seconds), open a Command Prompt window and then runW32tm /query /status /verbose
. This command produces output that resembles the following.
The output presents the poll interval in both clock ticks and in seconds. The equations use the value measured in seconds (the value in parentheses).
The output presents the clock rate in seconds. To see theSystemClockRate
value in clock ticks, use the following formula:(
value in seconds
) × 1,000 × 10,000For example, if
SystemClockRate
is 0.0156250 seconds, the value that the equation uses is 156,250 clock ticks.For full descriptions of the configurable parameters and their default values, see Config entries later in this article.
The following examples show how to apply these calculations for Windows Server 2012 R2 and earlier versions.
Example: System clock rate off by four minutes
Your computer clock time is 11:05 and the actual current time is 11:09:
PhaseCorrectRate
= 1
UpdateInterval
= 30,000 clock ticks
SystemClockRate
= 156,000 clock ticks
MaxAllowedPhaseOffset
= 10 min = 600 seconds = 600 × 1,000 × 10,000 = 6,000,000,000 clock ticks
|CurrentTimeOffset
| = 4 min = 4 × 60 × 1,000 × 10,000 = 2,400,000,000 clock ticks
Is CurrentTimeOffset
≤ MaxAllowedPhaseOffset
?
2,400,000,000 ≤ 6,000,000,000: TRUE
AND does it satisfy the following equation?
(|CurrentTimeOffset
| ÷ (PhaseCorrectRate
× UpdateInterval
) ≤ SystemClockRate
÷ 2)
Is 2,400,000,000 / (30,000 × 1) ≤ 156,000 ÷ 2
80,000 ≤ 78,000: FALSE
Therefore, W32tm.exe would set the clock back immediately.
Note
In this case, if you want to set the clock back slowly, you would also have to adjust the values of PhaseCorrectRate
or UpdateInterval
in the registry to make sure that the equation result is TRUE.
Example: System clock rate off by three minutes
Your computer clock time is 11:05 and the actual current time is 11:08:
PhaseCorrectRate
= 1
UpdateInterval
= 30,000 clock ticks
SystemClockRate
= 156,000 clock ticks
MaxAllowedPhaseOffset
= 10 min = 600 seconds = 600 × 1,000 × 10,000 = 6,000,000,000 clock ticks
|CurrentTimeOffset
| = 3 mins = 3 × 60 × 1,000 × 10,000 = 1,800,000,000 clock ticks
Is CurrentTimeOffset
≤ MaxAllowedPhaseOffset
?
1,800,000,000 ≤ 6,000,000,000: TRUE
AND does it satisfy the following equation?
(|CurrentTimeOffset
| ÷ (PhaseCorrectRate
× UpdateInterval
) ≤ SystemClockRate
÷ 2)
Is 3 mins × (1,800,000,000) ÷ (30,000 × 1) ≤ 156,000 ÷ 2
Is 60,000 ≤ 78,000: TRUE
In this case, the clock will be set back slowly.
Using Local Group Policy Editor
The Windows Time service stores a number of configuration properties as registry entries. You can use Group Policy Objects (GPOs) in Local Group Policy Editor to configure most of this information. For example, you can use GPOs to configure a computer to be an NTPServer or NTPClient, configure the time synchronization mechanism, or configure a computer to be a reliable time source.
Note
Group Policy settings for the Windows Time service can be applied on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 domain controllers and can be applied to computers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.
Windows stores the Windows Time service policy information in the Local Group Policy Editor under Computer ConfigurationAdministrative TemplatesSystemWindows Time Service
. It stores configuration information that the policies define in the Windows registry, and then uses those registry entries to configure the registry entries specific to the Windows Time service. As a result, the values defined by Group Policy overwrite any pre-existing values in the Windows Time service section of the registry. Some of the preset GPO settings differ from the corresponding default Windows Time service registry entries.
For example, suppose you edit policy settings in the Time ProvidersConfigure Windows NTP Client policy. Windows loads these settings into the policy area of the registry under the following subkey:
HKLMSoftwarePoliciesMicrosoftW32timeTimeProvidersNtpClient
Then Windows uses the policy settings to configure the related Windows Time service registry entries under the following subkey:
HKLMSYSTEMCurrentControlSetServicesW32TimeTime ProvidersNTPClient
The following table lists the policies that you can configure for the Windows Time service, and the registry subkeys that those policies affect.
Note
When you remove a Group Policy setting, Windows removes the corresponding entry from the policy area of the registry.
Group Policy1 | Registry locations2,3 |
---|---|
Global Configuration Settings | W32Time W32TimeConfig W32TimeParameters |
Time ProvidersConfigure Windows NTP Client | W32TimeTimeProvidersNtpClient |
Time ProvidersEnable Windows NTP Client | W32TimeTimeProvidersNtpClient |
Time ProvidersEnable Windows NTP Server | W32TimeTimeProvidersNtpServer |
1Category path: Computer ConfigurationAdministrative TemplatesSystemWindows Time Service
2 Subkey: HKLMSOFTWAREPoliciesMicrosoft
3 Subkey: HKLMSYSTEMCurrentControlSetServices
Windows registry reference
Warning
This information is provided as a reference for use in troubleshooting and validation. Windows registry keys are used by W32Time to store critical information. Don't change these values. Modifications to the registry are not validated by the registry editor or by Windows before they are applied. If the registry contains invalid values, Windows may experience unrecoverable errors.
The Windows Time service stores information in the registry at the HKLMSYSTEMCurrentControlSetServicesW32Time path under the following subkeys:
In the following tables, 'All versions' refers to Windows 7, Windows 8, Windows 10, Windows Server 2008 and Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
Note
Some of the parameters in the registry are measured in clock ticks and some are measured in seconds. To convert the time from clock ticks to seconds, use these conversion factors:
- 1 minute = 60 sec
- 1 sec = 1000 ms
- 1 ms = 10,000 clock ticks on a Windows system, as described at DateTime.Ticks Property.
For example, 5 minutes becomes 5 × 60 × 1000 × 10000 = 3,000,000,000 clock ticks.
Config entries
The Config
subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeConfig
.
Registry entry | Versions | Description |
---|---|---|
AnnounceFlags | All versions | Controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server.
The default value for domain members is 10. The default value for stand-alone clients and servers is 10. |
ChainDisable | Controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), a read-only domain controller (RODC) can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. This is a boolean setting, and the default value is 0. | |
ChainEntryTimeout | Specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. The default value is 16 (seconds). | |
ChainLoggingRate | Controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. The default is 30 (minutes). | |
ChainMaxEntries | Controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. The default value is 128 (entries). | |
ChainMaxHostEntries | Controls the maximum number of entries that are allowed in the chaining table for a particular host. The default value is 4 (entries). | |
ClockAdjustmentAuditLimit | Windows Server 2016 Version 1709 and later versions; Windows 10 Version 1709 and later versions | Specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target computer. The default value is 800 (parts per million - PPM). |
ClockHoldoverPeriod | Windows Server 2016 Version 1709 and later versions; Windows 10 Version 1709 and later versions | Indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7,800 seconds. |
EventLogFlags | All versions | Controls which events that the time service logs.
|
FrequencyCorrectRate | All versions | Controls the rate at which the clock is corrected. If this value is too small, the clock is unstable and overcorrects. If the value is too large, the clock takes a long time to synchronize. The default value on domain members is 4. The default value on stand-alone clients and servers is 4. Note |
HoldPeriod | All versions | Controls the period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly. A spike is a time sample indicating that time is off a number of seconds, and is usually received after good time samples have been returned consistently. The default value on domain members is 5. The default value on stand-alone clients and servers is 5. |
LargePhaseOffset | All versions | Specifies that a time offset greater than or equal to this value in 10-7 seconds is considered a spike. A network disruption such as a large amount of traffic might cause a spike. A spike will be ignored unless it persists for a long period of time. The default value on domain members is 50000000. The default value on stand-alone clients and servers is 50000000. |
LastClockRate | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is 156250. The default value on stand-alone clients and servers is 156250. |
LocalClockDispersion | All versions | Controls the dispersion (in seconds) that you must assume when the only time source is the built-in CMOS clock. The default value on domain members is 10. The default value on stand-alone clients and servers is 10. |
MaxAllowedPhaseOffset | All versions | Specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1. |
MaxClockRate | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860. |
MaxNegPhaseCorrection | All versions | Specifies the largest negative time correction, in seconds, that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Note The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs). |
MaxPollInterval | All versions | Specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15. |
MaxPosPhaseCorrection | All versions | Specifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Note The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs). |
MinClockRate | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860. |
MinPollInterval | All versions | Specifies the smallest interval, in log base 2 seconds, allowed for the system polling interval. Note that while a system does not request samples more frequently than this, a provider can produce samples at times other than the scheduled interval. The default value for domain controllers is 6. The default value for domain members is 10. The default value for stand-alone clients and servers is 10. |
PhaseCorrectRate | All versions | Controls the rate at which the phase error is corrected. Specifying a small value corrects the phase error quickly, but might cause the clock to become unstable. If the value is too large, it takes a longer time to correct the phase error. The default value on domain members is 1. The default value on stand-alone clients and servers is 7. Note |
PollAdjustFactor | All versions | Controls the decision to increase or decrease the poll interval for the system. The larger the value, the smaller the amount of error that causes the poll interval to be decreased. The default value on domain members is 5. The default value on stand-alone clients and servers is 5. |
RequireSecureTimeSyncRequests | Windows 8 and later versions | Controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. This is a boolean setting, and the default value is 0. |
SpikeWatchPeriod | All versions | Specifies the amount of time that a suspicious offset must persist before it is accepted as correct (in seconds). The default value on domain members is 900. The default value on stand-alone clients and workstations is 900. |
TimeJumpAuditOffset | All versions | An unsigned integer that indicates the time jump audit threshold, in seconds. If the time service adjusts the local clock by setting the clock directly, and the time correction is more than this value, then the time service logs an audit event. |
UpdateInterval | All versions | Specifies the number of clock ticks between phase correction adjustments. The default value for domain controllers is 100. The default value for domain members is 30,000. The default value for stand-alone clients and servers is 360,000. Note |
UtilizeSslTimeData | Windows versions later than Windows 10 build 1511 | Value of 1 indicates that W32Time uses multiple SSL timestamps to seed a clock that is grossly inaccurate. |
Parameters entries
The Parameters
subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeParameters
.
Registry entry | Versions | Description |
---|---|---|
AllowNonstandardModeCombinations | All versions | Indicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1. |
NtpServer | All versions | Specifies a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Each DNS name or IP address listed must be unique. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock.
There is no default value for this registry entry on domain members. The default value on stand-alone clients and servers is time.windows.com,0x1 . |
ServiceDll | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll. |
ServiceMain | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is SvchostEntry_W32Time. The default value on stand-alone clients and servers is SvchostEntry_W32Time. |
Type | All versions | Indicates which peers to accept synchronization from:
|
NtpClient entries
The NtpClient
subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpClient
Registry entry | Version | Description |
---|---|---|
AllowNonstandardModeCombinations | All versions | Indicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1. |
CompatibilityFlags | All versions | Specifies the following compatibility flags and values:
|
CrossSiteSyncFlags | All versions | Determines whether the service chooses synchronization partners outside the domain of the computer. The options and values are:
|
DllName | All versions | Specifies the location of the DLL for the time provider. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll. |
Enabled | All versions | Indicates if the NtpClient provider is enabled in the current Time Service.
|
EventLogFlags | All versions | Specifies the events logged by the Windows Time service.
|
InputProvider | All versions | Indicates whether to enable the NtpClient as an InputProvider, which obtains time information from the NtpServer. The NtpServer is a time server that responds to client time requests on the network by returning time samples that are useful for synchronizing the local clock.
|
LargeSampleSkew | All versions | Specifies the large sample skew for logging, in seconds. To comply with Security and Exchange Commission (SEC) specifications, this should be set to three seconds. Events will be logged for this setting only when EventLogFlags is explicitly configured for 0x2 large sample skew. The default value on domain members is 3. The default value on stand-alone clients and servers is 3. |
ResolvePeerBackOffMaxTimes | All versions | Specifies the maximum number of times to double the wait interval when repeated attempts to locate a peer to synchronize with fail. A value of zero means that the wait interval is always the minimum. The default value on domain members is 7. The default value on stand-alone clients and servers is 7. |
ResolvePeerBackoffMinutes | All versions | Specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. The default value on domain members is 15. The default value on stand-alone clients and servers is 15. |
SpecialPollInterval | All versions | Specifies the special poll interval, in seconds, for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800. New for build 1703, SpecialPollInterval is contained by the MinPollInterval and MaxPollInterval Config registry values. |
SpecialPollTimeRemaining | All versions | Maintained by W32Time. It contains reserved data that is used by the Windows operating system. It specifies the time, in seconds, before W32Time will resynchronize after the computer has restarted. Any changes to this setting can cause unpredictable results. The default value on both domain members and on stand-alone clients and servers is left blank. |
NtpServer entries
The NtpClient
subkey entries are located at HKLMSYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpServer
.
Registry Entry | Versions | Description |
---|---|---|
AllowNonstandardModeCombinations | All versions | Indicates that non-standard mode combinations are allowed in synchronization between clients and servers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1. |
DllName | All versions | Specifies the location of the DLL for the time provider. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%System32W32Time.dll . |
Enabled | All versions | Indicates if the NtpServer provider is enabled in the current Time Service.
|
InputProvider | All versions | Indicates whether to enable the NtpClient as an InputProvider, which obtains time information from the NtpServer. The NtpServer is a time server that responds to client time requests on the network by returning time samples that are useful for synchronizing the local clock.
|
Enhanced logging
The following registry entries are not a part of the W32Time default configuration but can be added to the registry to obtain enhanced logging capabilities. The information logged to the System Event log can be modified by changing values for the EventLogFlags setting in the Group Policy Object Editor. By default, the Windows Time service logs an event every time that it switches to a new time source.
In order to enable W32Time logging, add the following registry entries:
Entry | Versions | Description |
---|---|---|
FileLogEntries | All versions | Controls the number of entries created in the Windows Time log file. The default value is none, which does not log any Windows Time activity. Valid values are 0 to 300. This value does not affect the event log entries normally created by Windows Time |
FileLogName | All versions | Controls the location and file name of the Windows Time log. The default value is blank, and should not be changed unless FileLogEntries is changed. A valid value is a full path and file name that Windows Time will use to create the log file. This value does not affect the event log entries normally created by Windows Time. |
FileLogSize | All versions | Controls the circular logging behavior of Windows Time log files. When FileLogEntries and FileLogName are defined, defines the size, in bytes, to allow the log file to reach before overwriting the oldest log entries with new entries. Please use 1000000 or larger value for this setting. This value does not affect the event log entries normally created by Windows Time. |
Group Policy Object settings
Group Policy settings are contained in the Global Configuration Settings and the Windows NTP Client Settings GPOs.
Global Configuration Settings
These are the global Group Policy settings and default values for the Windows Time service. These settings are contained in the Global Configuration Settings GPO in Local Policy Editor.
Group Policy setting | Default value |
---|---|
AnnounceFlags | 10 |
EventLogFlags | 2 |
FrequencyCorrectRate | 4 |
HoldPeriod | 5 |
LargePhaseOffset | 1,280,000 |
LocalClockDispersion | 10 |
MaxAllowedPhaseOffset | 300 |
MaxNegPhaseCorrection | 54,000 (15 hours) |
MaxPollInterval | 15 |
MaxPosPhaseCorrection | 54,000 (15 hours) |
MinPollInterval | 10 |
PhaseCorrectRate | 7 |
PollAdjustFactor | 5 |
SpikeWatchPeriod | 90 |
UpdateInterval | 100 |
Windows NTP Client settings
These are the Windows NTP client settings and default values for the Windows Time service. These settings are contained in the Configure Windows NTP Client GPO in Local Group Policy Editor.
Get Windows Registry Value Powershell
Group Policy setting | Default value |
---|---|
NtpServer | time.windows.com , 0x1 |
Type | NTP - Use for non-domain-joined computers NT5DS - Use for domain-joined computers |
CrossSiteSyncFlags | 2 |
ResolvePeerBackoffMinutes | 15 |
ResolvePeerBackoffMaxTimes | 7 |
SpecialPollInterval | 3,600 |
EventLogFlags | 0 |
Related information
See RFC 1305 - Network Time Protocol of the Internet Engineering Task Force (IETF).
Whenever you install software, updates or make configuration changes, it’s common for Windows to need a reboot. Many OS tasks sometimes force Windows to require a reboot. When a reboot is pending, Windows add some registry values to show that. In this blog post, you’re going to learn how to check for a pending reboot and how to build a PowerShell script to automate the task.
Windows Needs Rebooted
When you’re in on the console, you can notice a reboot is pending by some popup box or notification as shown below.
From that notification, you can restart Windows and be done with it. But, what if you can’t immediately reboot a machine when it needs to? What if you’ve just installed updates on a production server and that server can’t be rebooted right now?
The reboot must wait.
Time goes by and by then the reboot may be forgotten about altogether! By the time you realize, many servers or workstations need to be rebooted but which ones?
Pending Reboot Flags are in the Registry
A pending reboot is defined in many places. Scroll right to see the values and conditions. A Windows computer is pending a reboot if any of the conditions in this table are true.
If you have the Microsoft System Center Configuration Manager (SCCM) client installed, you may also see these methods in WMI.
Once you know each method to check for a pending reboot, there are many different ways to check registry values. You could open up regedit.exe and manually mouse through each registry key.
Manually checking via the registry works but we’re human. What if you forget to check one registry path or just forget which ones to check? There’s a much better way to do this. You can create a script or function to do this for you. In my case, I prefer PowerShell so that’s what I’ll use.
By using a PowerShell script, you can query one or all computers in our domain or manually provide the server names to see if they are pending a reboot. You can then make a decision to whether to reboot them then or make a list to reboot later. The choice is yours.
To use my PowerShell method, you’ll need to ensure PowerShell Remoting is set up and available on your servers.
Testing for a a Pending Reboot (The Easy Way)
If you don’t want to learn how to check these registry keys and build a tool like this in PowerShell, I’ve made it easy for you. Simply open up your PowerShell console and type Install-Script Test-PendingReboot
. Install-Script
will download my PowerShell script from the PowerShell Gallery to C:Program FilesWindowsPowerShellScripts. Then run the script as shown below.
You can provide as many servers as you want via the ComputerName
parameter. The script will return True or False along with the server name.
This tool checks all of the registry keys in the above table for you.
If you’d like to add conditions I’ve missed or correct any mistakes I’ve made, feel free to issue a pull request on GitHub to fix it.
If you want to learn how to build a tool like this, read on!
Building a Pending Reboot PowerShell Tool
First, you’ll need to define all of the computers you’d like to test a reboot on. There are many different ways to do this but for this demonstration, I’ll define them manually via an array.
Now create a foreach loop to iterate over each of them.
Next, I recommend using PowerShell Remoting and checking each registry key and value condition inside of a single PSSession. Create a PSSession for every server.
Once you have a PSSession created, you’ll then need to run the checks.
Get Windows Registry Key C#
Since you’ll be running many different checks using the same code such as:
- Testing if a registry key exists
- Testing if a registry value exists
- Testing if a registry value is not null
I recommend creating simple functions for each of these checks. This allows you to call a function instead of duplicating code. The Test-PendingReboot
script builds all of these helper functions into a single scriptblock as shown below.
Inside of that same scriptblock, define each condition referencing the helper functions you just created.
You can now create a foreach loop inside of your $servers
foreach loop that reads each test executes each test.
When you run the code, the script returns an output like this:
You can create this output by ensuring the foreach loop returns a single object per server. You should know that if any of the registry values exist, then the server is pending a reboot. Knowing this, you then need to return True if any of the values exist and False if none of them exist.
Wrap all of this up into a script and it should look like this (with some minor additions like Credential
).
You can now execute it like this:
Summary
Get My Windows Product Key From Registry
You should now have a quick way to test pending reboot across Windows servers. You can see that by using PowerShell, you can consolidate down many tedious steps into one script. This script allows you to quickly test for a pending reboot across many servers at once.
If you know of any other indications to check for a pending reboot, please let me know.
More from Adam The Automator & Friends