Tracking System Time Changes
Look for two event IDs in the Security log to determine whether someone changed the system time.
September 26, 2005
I'm investigating an incident in which someone deleted rows from a Microsoft SQL Server 2000 table. I suspect that the person changed the system time before deleting the rows. Can I track system time changes on a Windows Server 2003 system?
You can look for two event IDs in the Security log. First, to change the system time, a user must possess the Change system time right, which is also known as SeSystemtimePrivilege. If you have the Audit privilege use policy enabled for successful events, you'll see an occurrence of event ID 577 (Privileged Service Called) with SeSystemtimePrivilege as the privilege, as Figure 1 shows. On Windows 2003, you'll also see two occurrences of event ID 520 (The system time was changed.), which Figure 2 shows. In addition to telling you everything that event ID 577 does, event ID 520 lists the original and new times. Event ID 520 is produced by the Audit system events policy. If you don't have either auditing policy enabled and can't determine who changed the time, check the current assignments for the SeSystemtimePrivilege right—typically, only the Administrators and Server Operators groups have this authority.
—Randy Franklin Smith
About the Author
You May Also Like