
When I logged into my workstation this morning, the timezone had been changed from Eastern to Pacific. In the event viewer I see the following three events, all at 4:12:15 AM.

It looks like the timezone was not changed for the 1st and 2nd event but then somehow in the 3rd event changed from a timezone of T11 to T08. This is all very odd because I believe that when I installed the OS, that I set the timezone correctly to Eastern (I'm near NYC).

Here are the event logs:

1st event

The system time was changed.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:       LOCAL SERVICE
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3E5

Process Information:
    Process ID: 0x3d8
    Name:       C:\Windows\System32\svchost.exe

Previous Time:  2014-04-25T08:12:15.456072100Z
New Time:       2014-04-25T08:12:15.455000000Z

2nd event:

Previous Time:  2014-04-25T08:12:15.456888000Z
New Time:       2014-04-25T08:12:15.456000000Z

3rd event:

Previous Time:  2014-04-25T11:12:04.008461800Z
New Time:       2014-04-25T08:12:15.456616800Z

Is there a benign explanation for this or could this be a virus?

Update 2014-05-01: More occurrences

This event happened three more times on 2014-04-26, all at exactly 3:02:15 AM. The event has not occurred since then.

Previous Time:   2014-04-26T07:02:15.198939400Z
New Time:        2014-04-26T07:02:15.198000000Z
Previous Time:   2014-04-26T07:02:15.200081200Z
New Time:        2014-04-26T07:02:15.199000000Z
Previous Time:   2014-04-26T07:02:13.067340800Z
New Time:        2014-04-26T07:02:15.199708000Z

Update 2014-04-26: Result of w32tm /query /configuration

[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Local)
MaxPollInterval: 15 (Local)
MaxNegPhaseCorrection: 54000 (Local)
MaxPosPhaseCorrection: 54000 (Local)
MaxAllowedPhaseOffset: 1 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 1 (Local)
UpdateInterval: 360000 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 604800 (Local)
Type: NTP (Local)
NtpServer: time.windows.com,0x9 (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)
Wayne Bloss
  • Do you have it synced with a proper NTP time source? If you don't know you can check with this command: w32tm /query /configuration – Brad Bouchard Apr 26 '14 at 15:33
  • Weird. Also, this is Zulu time/UTC (notice the `Z` at the end) and should thus be timezone-agnostic. – MichelZ Apr 26 '14 at 16:15
  • @BradBouchard - I started the Windows Time service and ran that command as Administrator. The results have been posted in an update to the question. – Wayne Bloss Apr 26 '14 at 17:01
  • Also, on the "Internet Time" tab of the Date and Time panel it says "This computer is set to automatically synchronize with 'time.windows.com'." – Wayne Bloss Apr 26 '14 at 17:08
  • Is the issue still happening? – Brad Bouchard Apr 30 '14 at 19:34
  • @BradBouchard - The event occurred 3 more times on the day after I corrected the timezone manually, but only minor time corrections were made (no timezone change). Nothing since then. I updated the post with time adjustments that those three events performed. – Wayne Bloss May 01 '14 at 14:43
  • For now I guess I'm going to chalk this up to me going through the installation too quickly and possibly forgetting to change the timezone after the initial installation. Either that or Windows Server wants to use UTC time now similar to Linux but I'm actually using it as a workstation/desktop, not a server. – Wayne Bloss May 01 '14 at 14:47
  • Does the server use a dynamic IP address from a DHCP server by chance? DHCP servers have the ability to change the timezone of their clients. – Ryan Ries Jun 04 '15 at 18:11

1 Answer

You need to look for the following type of event:

Log Name:      System
Source:        Microsoft-Windows-Kernel-General
Date:          8/17/2014 1:35:21 PM
Event ID:      1
Task Category: None
Level:         Information
Keywords:      Time
User:          MYDOMAIN\Administrator
Computer:      WIN-3RBJO240LH2.mydomain.local
Description:
The system time has changed to 2014-08-17T16:35:21.300689700Z from 2014-08-17T16:35:21.300689700Z.

Change Reason: System time adjusted to the new time zone.

You can see the time change was done because of a new timezone and which user did it.

Joel Coel
Giovanni Tirloni
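An added example, not part of the original question or answer: a small Python triage of the "Previous Time" / "New Time" pairs pasted from the events above, separating routine sub-second sync corrections from jumps close to a whole number of hours. The sample text is constructed from values in the question, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: three Previous/New pairs taken from the question. Text
# copied out of Event Viewer can carry invisible U+200E marks (kept here).
SAMPLE = (
    "Previous Time:  \u200e2014\u200e-\u200e04\u200e-\u200e25T08:12:15.456072100Z\n"
    "New Time:       \u200e2014\u200e-\u200e04\u200e-\u200e25T08:12:15.455000000Z\n"
    "Previous Time:  \u200e2014\u200e-\u200e04\u200e-\u200e25T11:12:04.008461800Z\n"
    "New Time:       \u200e2014\u200e-\u200e04\u200e-\u200e25T08:12:15.456616800Z\n"
    "Previous Time:   2014-04-26T07:02:13.067340800Z\n"
    "New Time:        2014-04-26T07:02:15.199708000Z\n"
)
PAIR = re.compile(r"Previous Time:\s*(\S+)Z\s+New Time:\s*(\S+)Z")

def parse_stamp(stamp):
    """Parse a UTC stamp; the log's 9 fractional digits are cut to microseconds."""
    base, _, frac = stamp.partition(".")
    micro = int(frac[:6].ljust(6, "0"))
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=micro, tzinfo=timezone.utc)

def parse_pairs(text):
    """Return [(previous, new)] datetimes found in pasted event text."""
    clean = re.sub("[\u200e\u200f]", "", text)  # strip direction marks
    return [(parse_stamp(p), parse_stamp(n)) for p, n in PAIR.findall(clean)]

def classify(previous, new, sync_limit=5.0, hour_slack=60.0):
    """Label one change. Thresholds are illustrative assumptions: a delta up to
    sync_limit seconds is a sync correction; a delta within hour_slack seconds
    of a non-zero whole number of hours is an hour-sized jump."""
    delta = (new - previous).total_seconds()
    if abs(delta) <= sync_limit:
        return delta, "sync-correction"
    hours = round(delta / 3600)
    if hours != 0 and abs(delta - hours * 3600) <= hour_slack:
        return delta, f"hour-sized-jump({hours:+d}h)"
    return delta, "other-jump"

def triage(text):
    """Classify every Previous/New pair in the pasted text."""
    return [classify(p, n) for p, n in parse_pairs(text)]

if __name__ == "__main__":
    for delta, label in triage(SAMPLE):
        print(f"{delta:+.6f}s  {label}")
```

Because both stamps in each event are UTC, the delta is the actual clock adjustment and does not depend on the machine's configured timezone.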