Friday, June 3, 2016

Windows 10 TH2 - date and time are frozen (continuously revert to some date in the past)

I've noticed something strange with my Windows 10 TH2 labs running as guests on a Hyper-V host (Windows Server 2016 TP5). After running for some time, the labs enter a bad state:
  • The date and time are frozen at some point in the past.
  • The Win10 VM utilizes 100% of one CPU core (by svchost.exe).
  • The VM stops responding after operating in this state for some time.
I've also noticed that the bug appears only when there is no Internet connection (a LAN without routes to the Internet and without a proxy).

How to fix that issue

Start a command prompt as an administrator and run:
reg.exe add "HKLM\System\CurrentControlSet\Services\W32Time\Config" /v "UtilizeSslTimeData" /t REG_DWORD /d 0 /f
net stop w32time
net start w32time
Or you can apply the Group Policy setting:
\Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Global Configuration Settings     UtilizeSslTimeData=0
\Administrative Templates\System\Windows Time Service\Global Configuration\Settings\UtilizeSslTimeData=0
* If you do not have the "UtilizeSslTimeData" setting in your Group Policy Editor, you can use the custom ADMX file W32Time_custom.admx to make it available (copy the ADMX and ADML files to the C:\Windows\PolicyDefinitions\ folder and "UtilizeSslTimeData" will be accessible under \Computer Configuration\Policies\Administrative Templates\System\Windows Time Service (Custom)\Global Configuration Settings).

What causes that issue

As I realised reading this article, there is a new feature in the time synchronization service: 'Secure Time'. When an Internet connection is available, a Windows 10 host automatically synchronizes time with an SSL server (which server? I have no idea. It could be a Windows telemetry server, a Windows Update server, or maybe any HTTPS server?). And there is a bug in this logic: when the computer has no Internet access for some time, this logic is activated and reverts the time again and again to the past, to the moment when the Internet connection was last available.

How I investigated this issue

WinDbg helped me to find out who freezes the time and date

I attached WinDbg to the Windows 10 x86 VM as a kernel debugger (KDnet & Hyper-V are really useful for kernel mode debugging and are my friends!).

Then I set a breakpoint on the KeSetSystemTime function:
bp nt!KeSetSystemTime
This breakpoint triggers every few milliseconds and the call stack is always the same:
Now we know that the bug is in the w32time service in the svchost.exe process. I stopped the 'w32time' service to check my guess. Everything is correct - the time is not frozen now. But when I started the w32time service again, the issue came back. What now? I need a working time synchronization service. So I continued the investigation.

W32time service logs

I tried to disable Hyper-V time synchronization (File / Settings / Integration Services / Time synchronization). No luck.

So I decided to turn on w32time service logging:
w32tm.exe /debug /enable /file:%windir%\temp\w32time.log /size:10000000 /entries:0-300
And now I have a w32time.log file full of identical records:
151699 13:03:21.3648717s - W32TmServiceMain: ********** Time Slip Notification **********
151699 13:03:21.3649134s - ClockDispln TimeSlip:TimeSlip LastUTC:4830841 SetUnsync: LI:3 S:0 RDl:0 RDs:0 TSF:0x0 
151699 13:03:21.3649365s - ClockDispln Discipline: Check and set secure time
151699 13:03:21.3649477s - TimeProvCommand([NtpClient], TPC_TimeJumped) called.
151699 13:03:21.3649782s - Setting the system time because it is outside the secure time limits.
151699 13:03:21.3649824s - W32TmServiceMain: waiting i16.000s (1024.000s)
151699 13:03:21.3649956s -  Current system time:  13:3:21.364 5/4/2016
151699 13:03:21.3650128s -  Target system time:  13:3:21.364 5/4/2016
151699 13:03:21.3615310s - ClockDispln Discipline: *SET*SECURE*TIME*
151699 13:03:21.3627793s - W32TmServiceMain: ********** Time Slip Notification **********
151699 13:03:21.3628094s - ClockDispln TimeSlip:TimeSlip LastUTC:4830841 SetUnsync: LI:3 S:0 RDl:0 RDs:0 TSF:0x0 
151699 13:03:21.3628287s - ClockDispln Discipline: Check and set secure time
151699 13:03:21.3628637s - Setting the system time because it is outside the secure time limits.
151699 13:03:21.3628796s -  Current system time:  13:3:21.362 5/4/2016
151699 13:03:21.3628925s -  Target system time:  13:3:21.364 5/4/2016
151699 13:03:21.3629183s - TimeProvCommand([NtpClient], TPC_TimeJumped) called.
151699 13:03:21.3625523s - ClockDispln Discipline: *SET*SECURE*TIME*
151699 13:03:21.3636418s - W32TmServiceMain: waiting i16.000s (1024.000s)
151699 13:03:21.3636712s - W32TmServiceMain: ********** Time Slip Notification **********

I decided to debug w32time.dll further and after some time I found out that:

  • The log message 'Setting the system time because it is outside the secure time limits' is reported from the w32time!RefreshAndEnforceSecureTime function.
  • The 'Secure time limits' logic is conditional and can be turned off.
  • The w32time service configuration setting that turns 'Secure time limits' on or off is named "UtilizeSslTimeData" and is loaded from the registry key HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ W32Time \ Config
  • The w32time service configuration is loaded on service start and during Group Policy updates.
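
The loop visible in the log excerpt can be detected mechanically. The following is an added example, not part of the original post: a Python parser for the w32tm debug log that counts 'outside the secure time limits' enforcements and flags the case where they repeat at sub-second intervals onto one and the same target time. The function names and thresholds are assumptions of this example, and it treats the first field of each line as a day counter.

```python
import re
from collections import Counter

# "<day> <HH:MM:SS.fffffff>s - <message>", the layout of the log excerpt in the post.
# Assumption: the first field is a day counter, so day + time of day orders events.
LINE_RE = re.compile(r"^(\d+) (\d{2}):(\d{2}):(\d{2})\.(\d{1,7})s - (.*)$")
ENFORCE_MSG = "Setting the system time because it is outside the secure time limits."
TARGET_RE = re.compile(r"^\s*Target system time:\s+(.+)$")
TICKS_PER_SECOND = 10_000_000  # the log prints seven fractional digits (100 ns units)


def parse(lines):
    """Yield (ticks, message) for every well-formed line; skip anything else."""
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        day, hh, mm, ss, frac, msg = m.groups()
        seconds = int(day) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss)
        yield seconds * TICKS_PER_SECOND + int(frac.ljust(7, "0")), msg


def analyze(lines, min_events=2, max_avg_interval=1.0):
    """Count secure-time enforcements and flag a tight loop onto one target time.

    The thresholds are illustrative defaults chosen for this example.
    """
    stamps, targets = [], Counter()
    for ticks, msg in parse(lines):
        if msg == ENFORCE_MSG:
            stamps.append(ticks)
        elif (t := TARGET_RE.match(msg)):
            targets[t.group(1).strip()] += 1
    # Entries are not strictly ordered in the excerpt, so use min/max, not first/last.
    span_ticks = max(stamps) - min(stamps) if stamps else 0
    avg = span_ticks / TICKS_PER_SECOND / (len(stamps) - 1) if len(stamps) > 1 else None
    loop = (len(stamps) >= min_events and avg is not None
            and avg <= max_avg_interval and len(targets) == 1)
    return {"enforcements": len(stamps), "span_ticks": span_ticks,
            "targets": dict(targets), "loop": loop}


# Lines taken from the log excerpt in the post.
SAMPLE = """\
151699 13:03:21.3649782s - Setting the system time because it is outside the secure time limits.
151699 13:03:21.3650128s -  Target system time:  13:3:21.364 5/4/2016
151699 13:03:21.3615310s - ClockDispln Discipline: *SET*SECURE*TIME*
151699 13:03:21.3628637s - Setting the system time because it is outside the secure time limits.
151699 13:03:21.3628925s -  Target system time:  13:3:21.364 5/4/2016
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

For a real check, pass the lines of the file written by the `w32tm.exe /debug /enable` command shown above instead of `SAMPLE`.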


I found some relevant links for this issue:

    A computer that is running Windows 10 Version 1511 reverts to a previous date and time at startup KB3160312
    "UtilizeSslTimeData - This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an additional input for correcting the local clock. Default: 1 Boolean"
    (Google-translated from Japanese) "From Windows 10 (TH2), as the new time synchronization function, connected to the SSL server on the Internet, Secure Time function to retrieve the time it will have been added.
    Time information acquired in this function is stored in the registry key below.

    HKLM \ SYSTEM \ CurrentControlSet \ Services \ W32Time \ SecureTimeLimits

    So, we were able key called new "SecureTimeLimits" under w32time.

    The mechanism, while performing a time synchronization destination and time synchronization using the conventional Windows Time service, in order to increase the further time synchronization accuracy, will conduct the time alignment also uses Secure Time function.

    Timing Secure Time function is used, are determined by the system side, it will be the non-public information.
    In verification level, we have to make sure that you are referring to failure to time synchronization of the system restart or when the Windows Time service.

    Secure Time function, the value of the under HKLM \ SYSTEM \ CurrentControlSet \ Services \ W32Time \ SecureTimeLimits is ordered and structured that connected to the SSL server that exists on the Internet, to get the time.
    In other words, https: When you access the of the site, without any problem value under this registry key is updated.
    If you are always connected to the Internet will be able to operate without problems.

    However, the Internet connection is limited environment or the Windows 10, when you are reading in an environment that does not connect, the value of the underlying SecureTimeLimits is not properly updated, situation occurs that there is a case in which the correct system date and time has not been set You may.

    If you continue to operate in this state, when the Secure Time function is activated, it will change suddenly time."
Good luck.