Windows Time Problem

Hi there! Sorry for all my typos and style; I’m trying to write briefly and do not check anything since I do not have time for that. But technically it is all written correctly, and it is all real-life experience where I spent many hours fixing the problem. And I give it to you for free 🙂

Recently I got a server where it was not possible to start the Windows Time service. The error message was:

The Windows Time service terminated with the following error:

The system cannot find the file specified.

The Windows Time service depends on three files located in C:\Windows\System32:

W32time.dll

W32tm.exe

W32topl.dll

When I checked them on the server, all of them were in place and they were original.

So I decided to re-register the Windows Time service.

From an elevated command prompt:

W32tm /unregister

W32tm /unregister

W32tm /register

I know that I mentioned /unregister twice; that is because sometimes it cannot unregister the first time.

But when I tried to register, I got exactly the same error:

The following error occurred: The system cannot find the path specified. (0x80070003)

Later on, I tried to check which files it was trying to find with procmon, filtering by the w32tm.exe process name. I got no information from there.


So I decided to copy the whole registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\, including subkeys, from another working machine. In general, it is exactly the same on any Windows version.

Now I started to get an error message:

The time service encountered an error and was forced to shut down. The error was: 0x80070005: Access is denied.

Then I configured logging for the Windows Time service, since it was not clear to me where it came from.

Since the Windows Time service executable is “C:\Windows\system32\svchost.exe -k LocalService”, it was not possible to check its activity in procmon.

From an elevated command prompt, run:

w32tm /debug /enable /file:c:\windows\temp\w32time.log /size:10000000 /entries:0-116

The error message from the log file was:

151991 12:30:27.1064599s - ---------- Log File Opened -----------------
151991 12:30:27.1064599s - CurSpc:15625100ns  BaseSpc:15625000ns  SyncToCmos:No
151991 12:30:27.1064599s - PerfFreq:3579545c/s
151991 12:30:27.1064599s - Logging error: The time service encountered an error while refreshing its configuration in the registry and cannot start. The error was: Access is denied. (0x80070005)
151991 12:30:27.1064599s - Failed in initialization, w/o restart service
151991 12:30:27.1064599s - Service shutdown initiated with exit code: -2147024891.
151991 12:30:27.1064599s - Exiting ServiceShutdown
151991 12:30:27.1064599s - ---------- Log File Closed -----------------

Based on this error description, I found the article from MS.

In general, it is about giving permissions for the account NT Service\W32Time to different subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\

I never could have imagined that such an account exists!

But when I granted permissions for NT Service\W32Time to the whole key and its subkeys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\

I was able to start the service successfully.
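To see what the service account can actually reach before and after such a change, the following added PowerShell example (not from the original post) lists the rights NT SERVICE\W32Time holds on the W32Time key and each of its subkeys. The function name and the -GrantRights parameter are this example's own; the post does not say which rights it granted, so none are defaulted.

```powershell
# Added example: audit the ACLs under the W32Time service key (elevated prompt).
param(
    # Optional: rights to grant on the root key, inherited by its subkeys.
    # Assumption: the operator chooses the value; the post does not state one.
    [System.Security.AccessControl.RegistryRights]$GrantRights
)

$root     = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$identity = 'NT SERVICE\W32Time'   # per-service account named in the post

function Get-W32TimeKeyAccess {
    # One row per key: the Allow rights $identity holds there, or '<none>'.
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl  = Get-Acl -LiteralPath $key.PSPath
        $aces = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -ieq $identity -and
            $_.AccessControlType -eq 'Allow'
        })
        [pscustomobject]@{
            Key       = $key.Name
            Rights    = if ($aces) { ($aces.RegistryRights | Sort-Object -Unique) -join ', ' }
                        else { '<none>' }
            # True only when every matching ACE comes from a parent key.
            Inherited = if ($aces) { -not ($aces.IsInherited -contains $false) } else { $null }
        }
    }
}

Get-W32TimeKeyAccess | Format-Table -AutoSize

if ($PSBoundParameters.ContainsKey('GrantRights')) {
    # Add one inheritable Allow ACE on the root key, then show the result.
    $acl  = Get-Acl -LiteralPath $root
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $identity, $GrantRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $root -AclObject $acl
    Get-W32TimeKeyAccess | Format-Table -AutoSize
}
```

Rows showing '<none>' are the keys where the service account has no Allow entry, which is the condition behind the 0x80070005 error in the log above.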

During the investigation I also disabled this key, dunno if this is important or not:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider]
"Enabled"=dword:00000001

For those of you who do not have a clean Windows machine to copy the registry settings from, I publish them here:



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Config]
"FrequencyCorrectRate"=dword:00000004
"PollAdjustFactor"=dword:00000005
"LargePhaseOffset"=dword:02faf080
"SpikeWatchPeriod"=dword:00000384
"LocalClockDispersion"=dword:0000000a
"HoldPeriod"=dword:00000005
"PhaseCorrectRate"=dword:00000001
"UpdateInterval"=dword:00057e40
"EventLogFlags"=dword:00000002
"AnnounceFlags"=dword:0000000a
"TimeJumpAuditOffset"=dword:00007080
"MinPollInterval"=dword:0000000a
"MaxPollInterval"=dword:0000000f
"MaxNegPhaseCorrection"=dword:0000d2f0
"MaxPosPhaseCorrection"=dword:0000d2f0
"MaxAllowedPhaseOffset"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,33,00,32,00,74,00,69,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceMain"="SvchostEntry_W32Time"
"ServiceDllUnloadOnStop"=dword:00000001
"Type"="NTP"
"NtpServer"="time.windows.com,0x9"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Security]
"Security"=hex:01,00,04,80,84,00,00,00,90,00,00,00,00,00,00,00,14,00,00,00,02,\
  00,70,00,05,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,\
  00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
  00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,14,00,\
  8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,9d,01,02,00,01,\
  01,00,00,00,00,00,05,13,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient]
"DllName"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,\
  00,33,00,32,00,74,00,69,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"Enabled"=dword:00000001
"InputProvider"=dword:00000001
"AllowNonstandardModeCombinations"=dword:00000001
"CrossSiteSyncFlags"=dword:00000002
"ResolvePeerBackoffMinutes"=dword:0000000f
"ResolvePeerBackoffMaxTimes"=dword:00000007
"CompatibilityFlags"=dword:80000000
"EventLogFlags"=dword:00000001
"LargeSampleSkew"=dword:00000003
"SpecialPollInterval"=dword:00093a80
"SpecialPollTimeRemaining"=hex(7):74,00,69,00,6d,00,65,00,2e,00,77,00,69,00,6e,\
  00,64,00,6f,00,77,00,73,00,2e,00,63,00,6f,00,6d,00,2c,00,30,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer]
"DllName"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,\
  00,33,00,32,00,74,00,69,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"Enabled"=dword:00000000
"InputProvider"=dword:00000000
"AllowNonstandardModeCombinations"=dword:00000001
"EventLogFlags"=dword:00000000
"ChainEntryTimeout"=dword:00000010
"ChainMaxEntries"=dword:00000080
"ChainMaxHostEntries"=dword:00000004
"ChainDisable"=dword:00000000
"ChainLoggingRate"=dword:0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider]
"Enabled"=dword:00000001
"InputProvider"=dword:00000001
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,76,\
  00,6d,00,69,00,63,00,74,00,69,00,6d,00,65,00,70,00,72,00,6f,00,76,00,69,00,\
  64,00,65,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider\Parameters\IPC]
"UniqueId"="f3932585-19e8-40cc-922f-673073cbc0d7"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TriggerInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TriggerInfo\0]
"Type"=dword:00000003
"Action"=dword:00000001
"GUID"=hex:ba,0a,e2,1c,51,98,21,44,94,30,1d,de,b7,66,e8,09

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TriggerInfo\1]
"Type"=dword:00000003
"Action"=dword:00000002
"GUID"=hex:6e,51,af,dd,c2,58,66,48,95,74,c3,b6,15,d4,2e,a1