How and when to set Windows logging to UTC time

The concept of time zones is a relatively one. In England, to organize trains and schedules, the concept of railway time was introduced to overcome the confusion caused by having non-uniform local times in each town and station stop. It was also used to reduce accidents and issues in scheduling trains entering and leaving stations. As travel increased in scope and type, the need for standardization demanded that we had time zones. As we added technology, we just built on the concept of the need for local time.

Once upon a time we set the logging for servers in the local time of wherever they were located. This made correlation of events, especially to local computers, consistent and relatively easy. Then the internet was born, and we moved our servers to the cloud and data centers. Suddenly, setting logging to local time made no sense at all. Add to that having help desks and distributed organizations and making the correlation across organizations means that moving logging to Coordinated Universal Time (UTC) may be wise.

What is UTC and why is it important to security?

UTC is a 24-hour time standard that helps the world’s timing centers keep their time scales synchronized. It is based on Universal Time (UT1), which uses the speed of the Earth’s rotation to measure time.

As I explained earlier, if you cannot properly sync time across your network, it can have negative effect on security updates, authentication and forensics investigations. Moving logging to UTC helps keep your entire network in sync.

As with any decision, you need to evaluate what makes sense for your organization. If you are a small firm and all your administrators and users are in one time zone, logging into that time zone might be more appropriate. If all of the logs are pulled into a central location from various time zones for analysis, you might choose UTC to do a cross analysis. You should also check with your logging and firewall vendors to see what they recommend for selection of time.

Often applications choose a time zone for you. Thus, it’s wise to investigate ahead of time what time zone is chosen. For example, for many years Microsoft’s web server, Internet Information Services (IIS) would by default choose UTC time based on a specification.  As noted in KB271196, the extended log file format used by IIS was defined in the W3C Working Draft WD- logfile-960323 specification by Phillip M. Hallam-Baker and Brian Behlendorf. This document defined the date and time files to always be in Greenwich Mean Time (GMT), which shares the same current time as UTC. You had to make an adjustment if you wanted a local time zone.

Microsoft’s cloud platform Azure bases its system on UTC now, but that wasn’t always the case. In 2009, the decision was made to move Azure off of Pacific time zone logging time and onto UTC. Azure and the Windows Defender Advanced Threat Protection (ATP) portal uses UTC for their logging and tracking information. While the local computer is in its local time zone, the logging in the ATP portal is always UTC. However, it’s easy to click on the global icon on the menu to flip between the local time zone of the computer and UTC.

Susan Bradley

Often in forensics, you use the registry to determine what time zone a computer is located in. As noted, you can look at HKEY_LOCAL_MACHINEControlSet001ControlTimeZoneInformation (in a mounted image) or on a live computer look at HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTimeZoneInformation to determine what time zone a computer is set for.

Susan Bradley

As you can see, the registry key identifies what time zone the computer is in.

As noted in a recent article, when dealing with time and Azure and especially SQL, consider GETUTCDATE and SYSUTCDATETIME instead of using functions like GETDATE and SYSDATETIME. Older SQL applications often were written without cloud platforms in mind and using local time. Before migrating applications to the cloud, evaluate if they can handle a transition to UTC time.

Finally, you can use PowerShell to determine the exact time zone of the computer and use it to determine the time zone from a series of remote computers. The command Get-TimeZone will respond with the time zone of the computer. It can be combined with a list of servers to determine the time zone of numerous systems.

Susan Bradley

Bottom line: Evaluate applications, logging and anything else that might be time sensitive and determine if they can be moved to UTC time or have an easy conversion from the local time to UTC time.  Determine what makes sense for you and what provides you with the best information. You might find as you add more cloud services that moving logging across your network to UTC makes the most sense to allow you to best correlate events.