Access Denied: Determining When a Server’s Time and Date Were Changed
Get answers to your security-related Windows 2003, XP, and Win2K questions
December 19, 2004
How can I determine from the logs when a server's system time and date were changed? Can I tell who made the change and what the time and date were changed to?
Yes, you can determine who changed the system clock and what values the date and time were changed from and to. The information is in the Windows Security log. The Security log in Windows Server 2003 has a new event ID that gives you all this information in one event; on Windows versions prior to Windows 2003 you can recover most of the same information, although you have to infer the old and new clock values rather than read them from a single event. (Windows Vista and later record the same information as event ID 4616.)
The Windows 2003 event is event ID 520 (The system time was changed) in the System Event category. As you can see in the example in Figure 1, event ID 520's Primary and Client fields tell you who changed the system time. The Primary fields identify the account the calling process runs under, so they sometimes list the local computer or SYSTEM even though a person made the change; in that case the Client fields identify the user on whose behalf the change was made. If no user, only the local system, appears in either the Primary or Client fields, the Windows Time service changed the time while synchronizing with its time source. By default, computers in an Active Directory (AD) forest form a time hierarchy: domain members synchronize with a domain controller (DC) in their domain, DCs synchronize with their domain's PDC emulator, and the PDC emulators of child domains synchronize with the PDC emulator of the forest root domain, which is the forest's authoritative time source (by default the first DC installed in the forest root domain, unless the role has since been moved). The Previous Time and New Time fields are self-explanatory and hold exactly the values the question asks for. The Process fields identify the program that executed the change.
Figure 1 shows an event ID 520 that occurred after I double-clicked the time on the taskbar to launch the Date and Time Properties Control Panel applet and changed the system time. Windows uses the rundll32.exe process to run Control Panel applets, as the Process Name field shows. The Process ID field lists the number assigned to that execution session of the program. You can use the Process ID to link this event to other events that list the same value, such as event ID 592 (A new process has been created), which records it as New Process ID along with the image name and the user who launched the program. Keep in mind that Windows reuses process IDs once a process exits, so match the 520 to the most recent 592 that precedes it, not simply to any 592 with the same number. If you changed the time through some other means, such as from the command line, the Process Name and Process ID fields would correspond to the program you used.
Previous versions of Windows don't log event ID 520, but you can still identify time changes because changing the system time requires the user to have the SeSystemtimePrivilege right, which is listed as Change the system time in Group Policy Objects (GPOs) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. To track the use of user rights, you must enable the Audit privilege use audit policy for Success events. When you enable this audit policy, Windows starts logging user rights activity under the Privilege Use category in the Security log. When a user changes the system time, Windows logs event ID 577 (Privileged Service Called), with SeSystemtimePrivilege listed in the Privileges field, as Figure 2 shows. As you can see, the Primary and Client fields tell you who changed the system time, as explained earlier. Because event ID 577 doesn't record the old and new clock values, you have to infer them: the time stamp of the 577 event itself is the clock value just before the change, and the time stamp of the next event written to the log (which is written moments later) is the clock value just after it. A backward jump or a gap much larger than the few seconds between consecutive events is the change. Be aware of two sources of noise. First, the Windows Time service also exercises this privilege when it corrects the clock, so you'll see 577 events under the computer or SYSTEM account with no Client user; those are synchronizations, not user changes. Second, some applications generate false positives: they enable the privilege without actually changing the time. You'll recognize such false positives by the fact that the time doesn't change between the 577 event and the events that follow it. (Windows 2003 logs 577 as well when this policy is enabled, so there you'll see both a 577 and a 520 for the same change.)