Untitled

a guest
Mar 27th, 2017
## This is a quick and dirty script I wrote to report on the time difference between a PC and the Domain Controller.
## It will look for events in the event log which recorded the machine changing the time by a significant amount (more than 5 minutes).
## The logic is designed to ignore timejump events which occurred close to the machine waking up or powering on.
## The script also reports on the difference between the current system time and the current time on the DC.
## All this info is haphazardly organized and put into a .txt file which is then placed on an accessible share.
## Feel free to do what you want with it.

$colLogs = @()
$logPath = '\\server\path' ## Set a path to a share that's openly accessible by whatever account will be running this script.

## Create a hash of log properties to search for
$hashprops = @{
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    StartTime    = (Get-Date).AddDays(-4)
    ID           = 4616
}

## Get-WinEvent raises an error when nothing matches, so suppress it and let the loop below run zero times.
$logs = Get-WinEvent -FilterHashtable $hashprops -ErrorAction SilentlyContinue

foreach($log in $logs) {

    ## When grabbing time strings from event logs, you need to be careful because they often contain invisible Unicode characters.
    ## If a string has invisible Unicode characters, you won't be able to properly cast it to a [datetime] object.
    ## The reason for the .Replace(...) at the end of this string manipulation is that we're actually replacing
    ## Unicode character [U+200E], also known as "Left-To-Right Mark," with nothing. The character is written here as
    ## [char]0x200E so that it stays visible in the source; typed literally between quotes it looks like an empty string,
    ## except that it takes 3 taps to move the cursor across those characters instead of 2.

    [datetime]$prevTime = ($log.Message[($log.Message.IndexOf('Previous'))..($log.Message.IndexOf('New') - 1)] -join '').Split('')[3].Replace([string][char]0x200E,'')
    [datetime]$newTime = ($log.Message[($log.Message.IndexOf('New'))..($log.Message.IndexOf('New') + ($log.Message[$log.Message.IndexOf('New')..($log.Message.Length)] -join '').indexof('Z'))] -join '').Split('')[3].Replace([string][char]0x200E,'')

    ## We want to make sure that the time jump event that we found isn't being caused by the PC waking up from sleep or powering on.
    ## We create a hash of properties to search for a Wake Up event that's within 5 minutes of the timejump event.
    $wakeupHashProp = @{
        ProviderName = 'Microsoft-Windows-Kernel-Power'
        StartTime    = $prevTime.AddMinutes(-5)
        EndTime      = $prevTime.AddMinutes(5)
        ID           = 107
    }

    Write-Output "Looking for Wake Up Event around $($wakeupHashProp.StartTime)"
    $wakeupLog = Get-WinEvent -FilterHashtable $wakeupHashProp -ErrorAction SilentlyContinue | Select-Object -First 1

    ## Only build the timespan when a Wake Up event was actually found.
    $wakeupTimeSpan = $null
    if($wakeupLog) {
        $wakeupTimeSpan = New-TimeSpan -Start $wakeupLog.TimeCreated -End $prevTime
    }

    ## The Wake Up event must fall inside the window on both sides, so the two bounds are combined with -and.
    if(($wakeupTimeSpan -ne $null) -and (($wakeupTimeSpan.TotalMinutes -lt 5) -and ($wakeupTimeSpan.TotalMinutes -gt -5))) {
        Write-Output "Current timejump event is within 5 minutes of a Wake From Sleep event. Ignoring"

    } else {
        $timespan = New-TimeSpan -Start $prevTime -End $newTime

        if(($timespan.TotalMinutes -gt 5) -or ($timespan.TotalMinutes -lt -5)) {
            $oLogs = New-Object -TypeName psobject -Property @{
                TimeCreated  = $log.TimeCreated
                TotalMinutes = $timespan.TotalMinutes
            }

            $colLogs += $oLogs
        }
    }
}

$count = $colLogs.Count

## Query the DC for the time
$nettime = net time
[datetime]$serverdatetime = $nettime[0].Replace('Current time at ','').Replace(' is ','|').Split('|')[1] ## Parse the returned string and cast it to a [datetime] object

## Query the system for what time it thinks is correct
$localdatetime = Get-Date

$currenttimespan = New-TimeSpan -Start $localdatetime -End $serverdatetime

## Here we're creating 3 different log files depending on how the time is behaving.
if(($currenttimespan.TotalMinutes -gt 5) -or ($currenttimespan.TotalMinutes -lt -5)) {
    $logfile = New-Item -Path "$logPath" -Name "!!!$($env:COMPUTERNAME)_$count.txt" -ItemType File -Force
    Write-Output "Time is currently off by more than 5 minutes" | Out-File $logfile -Append

} elseif ($count -gt 0) {
    $logfile = New-Item -Path "$logPath" -Name "!$($env:COMPUTERNAME)_$count.txt" -ItemType File -Force
    Write-Output "Time is currently correct, but it has flipped out in the past" | Out-File $logfile -Append

} else {
    $logfile = New-Item -Path "$logPath" -Name "$($env:COMPUTERNAME)_$count.txt" -ItemType File -Force
    Write-Output "No errors with time" | Out-File $logfile -Append

}

$compInfo = Get-ComputerInfo

Write-Output $compInfo.WindowsProductName | Out-File $logfile -Append
Write-Output 'OS Version: ' $compInfo.OsVersion | Out-File $logfile -Append
Write-Output 'LogonServer: ' $compInfo.LogonServer | Out-File $logfile -Append
Write-Output "$($nettime[0])" | Out-File $logfile -Append
Write-Output "Local machine time is $($localdatetime.ToLongDateString()) $($localdatetime.ToLongTimeString())" | Out-File $logfile -Append
Write-Output 'Information about the difference between the current system time and the time on the DC:' | Out-File $logfile -Append
Write-Output $currenttimespan | Out-File $logfile -Append
Write-Output "The time has flipped out $count times. Here are those events (if any):" | Out-File $logfile -Append
Write-Output $colLogs | Out-File $logfile -Append


## Uncomment this section if you want the script to temporarily resync the system time with the DC

<#
Stop-Service -Name 'w32time' -Force
& 'w32tm' '/unregister'
& 'w32tm' '/register'
Start-Service -Name 'w32time'
#>
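
An added example, not part of the original paste: event 4616 also carries PreviousTime and NewTime as named fields in its XML, together with the account and process that changed the clock, so they can be read without slicing the rendered message text. The XML below is a constructed sample, and the function name ConvertFrom-TimeChangeXml is hypothetical; on a live machine the string would come from the event's ToXml() method.

```powershell
# Constructed sample shaped like a Security 4616 event (not taken from a real log).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4616</EventID>
    <TimeCreated SystemTime="2017-03-27T14:02:11.123456700Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserName">LOCAL SERVICE</Data>
    <Data Name="PreviousTime">2017-03-27T13:50:00.000000000Z</Data>
    <Data Name="NewTime">2017-03-27T14:02:11.000000000Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
'@

function ConvertFrom-TimeChangeXml {
    param([Parameter(Mandatory)][string]$EventXml)

    # Index every <Data Name="..."> element by its Name attribute.
    $fields = @{}
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }

    # The fields hold 9 fractional digits; trim to the 7 that [datetime] stores,
    # then parse culture-independently and keep the value in UTC.
    $toUtc = {
        param($s)
        $s = $s -replace '(\.\d{1,7})\d*Z$', '${1}Z'
        [datetime]::Parse($s, [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::RoundtripKind)
    }

    $prev = & $toUtc $fields['PreviousTime']
    $new  = & $toUtc $fields['NewTime']
    [pscustomobject]@{
        PreviousUtc = $prev
        NewUtc      = $new
        JumpMinutes = [math]::Round(($new - $prev).TotalMinutes, 2)
        ChangedBy   = $fields['SubjectUserName']
        ProcessName = $fields['ProcessName']
    }
}

# Same 5-minute threshold as the script above, applied in either direction.
$jump = ConvertFrom-TimeChangeXml -EventXml $sampleXml
if ([math]::Abs($jump.JumpMinutes) -gt 5) { $jump }
```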