PC under 2019 domain controller change the time by svchost.

Ramy 0 Reputation points
2023-07-19T07:52:56.0066667+00:00

hello

I have a domain controller Windows 2019.

This domain is in Egypt, and as you know, the daylight feature has been activated this year.

I updated the domain so that the time zone can be changed without changing the region to Riyadh or Kuwait

There are several Windows 10 devices under this domain, but without the update that is responsible for updating Time Zone because those PC is old.

This update depends on other updates that will make the pcs too slow, so we create a policy group was created to clone the registry files that are responsible for updating Egypt Time Zone and Dynamic DST from the domain to Clint PCs for a week till all PCs are updated by GP, It is confirmed that the recording files in the domain related to Time Zone Egypt and Dynamic DST have been copied and updated on the devices within that domain

but occasionally some PCs return to their old status and cancel the daylight option and switch it to OFF !!

After returning to Regedit and following the paths of the change, I found that a change had been made in:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Egypt Standard Time\Dynamic DST\2023 with different value from domain

the value of 2023 must be : (check the first image to see the different )

"2023"=hex:88,ff,ff,ff,00,00,00,00,c4,ff,ff,ff,00,00,0a,00,04,00,05,00,17,00,\
  3b,00,3b,00,e7,03,00,00,04,00,04,00,05,00,17,00,3b,00,3b,00,e7,03

also, check the event viewer and we found this msg: The system time has changed to ‎2023‎-‎07‎-‎18T11:35:49.353327200Z from ‎2023‎-‎07‎-‎18T11:35:49.352900300Z.

Change Reason: An application or system component changed the time.

Process: '\Device\HarddiskVolume4\Windows\System32\svchost.exe' (PID 1684).

I want to know what makes the PCs change and turned the daylight off.

Thank You

9d7574c1-34de-47d7-a6f6-8fca1c885028

000000000000000000000

Windows for business | Windows Server | User experience | Other
Windows for business | Windows Client for IT Pros | User experience | Other
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Anonymous
    2023-12-29T07:13:51.28+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Generally speaking, this event log indicates that the system time change was launched by the svchost.exe process.

    The Service Host (svchost.exe) is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance doesn't affect other instances.

    I believe you has noticed that the PID mentioned is 1684.

    To further identify the process, please open PowerShell and run

    Get-Process -Id 1684 | Select-Object -Property Name, Path

    This will provide information about the svchost.exe process with the PID 1684, including the path to the executable.

    If next time another PID is logged, please switch 1684 to the actual PID.

    To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.