Tracking System Time Changes

Look for two event IDs in the Security log to determine whether someone changed the system time.

ITPro Today

September 26, 2005

1 Min Read
ITPro Today logo in a gray background | ITPro Today

I'm investigating an incident in which someone deleted rows from a Microsoft SQL Server 2000 table. I suspect that the person changed the system time before deleting the rows. Can I track system time changes on a Windows Server 2003 system?

You can look for two event IDs in the Security log. First, to change the system time, a user must possess the Change system time right, which is also known as SeSystemtimePrivilege. If you have the Audit privilege use policy enabled for successful events, you'll see an occurrence of event ID 577 (Privileged Service Called) with SeSystemtimePrivilege as the privilege, as Figure 1 shows. On Windows 2003, you'll also see two occurrences of event ID 520 (The system time was changed.), which Figure 2 shows. In addition to telling you everything that event ID 577 does, event ID 520 lists the original and new times. Event ID 520 is produced by the Audit system events policy. If you don't have either auditing policy enabled and can't determine who changed the time, check the current assignments for the SeSystemtimePrivilege right—typically, only the Administrators and Server Operators groups have this authority.

—Randy Franklin Smith

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like