When I logged into my workstation this morning, the timezone had been changed from Eastern to Pacific. In the event viewer I see the following three events, all at 4:12:15 AM.
It looks like the timezone was not changed for the 1st and 2nd events, but then somehow in the 3rd event it changed from a timezone of T11 to T08. This is all very odd because I believe that when I installed the OS, I set the timezone correctly to Eastern (I'm near NYC).
Here are the event logs:
1st event:
The system time was changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x3d8
Name: C:\Windows\System32\svchost.exe
Previous Time: 2014-04-25T08:12:15.456072100Z
New Time: 2014-04-25T08:12:15.455000000Z
2nd event:
Previous Time: 2014-04-25T08:12:15.456888000Z
New Time: 2014-04-25T08:12:15.456000000Z
3rd event:
Previous Time: 2014-04-25T11:12:04.008461800Z
New Time: 2014-04-25T08:12:15.456616800Z
Is there a benign explanation for this or could this be a virus?
Update 2014-05-01: More occurrences
This event happened three more times on 2014-04-26, all at exactly 3:02:15 AM. The event has not occurred since then.
Previous Time: 2014-04-26T07:02:15.198939400Z
New Time: 2014-04-26T07:02:15.198000000Z
Previous Time: 2014-04-26T07:02:15.200081200Z
New Time: 2014-04-26T07:02:15.199000000Z
Previous Time: 2014-04-26T07:02:13.067340800Z
New Time: 2014-04-26T07:02:15.199708000Z
Update 2014-04-26: Result of w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Local)
MaxPollInterval: 15 (Local)
MaxNegPhaseCorrection: 54000 (Local)
MaxPosPhaseCorrection: 54000 (Local)
MaxAllowedPhaseOffset: 1 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 1 (Local)
UpdateInterval: 360000 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 604800 (Local)
Type: NTP (Local)
NtpServer: time.windows.com,0x9 (Local)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)
Best Answer
You need to look for the following type of event:
You can see the time change was done because of a new timezone and which user did it.
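For triaging the "The system time was changed." events quoted in the question, the following added example (not part of the original question or answer) computes the signed difference between each Previous Time and New Time and separates sub-second clock adjustments from larger jumps. The sample text is constructed from the timestamps on this page; the function names and the 1-second threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Previous Time / New Time pairs quoted in the question.
SAMPLE = """\
Previous Time: 2014-04-25T08:12:15.456072100Z
New Time: 2014-04-25T08:12:15.455000000Z
Previous Time: 2014-04-25T08:12:15.456888000Z
New Time: 2014-04-25T08:12:15.456000000Z
Previous Time: 2014-04-25T11:12:04.008461800Z
New Time: 2014-04-25T08:12:15.456616800Z
Previous Time: 2014-04-26T07:02:15.198939400Z
New Time: 2014-04-26T07:02:15.198000000Z
Previous Time: 2014-04-26T07:02:15.200081200Z
New Time: 2014-04-26T07:02:15.199000000Z
Previous Time: 2014-04-26T07:02:13.067340800Z
New Time: 2014-04-26T07:02:15.199708000Z
"""

STAMP = re.compile(
    r"(Previous|New) Time:\s*(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?Z")
JUMP_THRESHOLD_NS = 1_000_000_000  # assumption: treat changes of 1 s or more as jumps

def to_ns(seconds_part, fraction):
    """UTC timestamp -> integer nanoseconds since the epoch.

    The events carry 9 fractional digits; datetime only keeps 6, so the
    fraction is handled as an integer to avoid losing precision."""
    whole = datetime.strptime(seconds_part, "%Y-%m-%dT%H:%M:%S")
    whole = whole.replace(tzinfo=timezone.utc)
    return int(whole.timestamp()) * 1_000_000_000 + int((fraction or "").ljust(9, "0"))

def time_changes(text):
    """Yield (previous_ns, new_ns, delta_ns) for each Previous/New pair, in order."""
    previous = None
    for kind, secs, frac in STAMP.findall(text):
        ns = to_ns(secs, frac)
        if kind == "Previous":
            previous = ns
        elif previous is not None:  # a New Time without a Previous Time is skipped
            yield previous, ns, ns - previous
            previous = None

def report(text):
    """Return [(delta_ns, label)] where label is 'jump' or 'adjustment'."""
    return [(d, "jump" if abs(d) >= JUMP_THRESHOLD_NS else "adjustment")
            for _, _, d in time_changes(text)]

if __name__ == "__main__":
    for delta, label in report(SAMPLE):
        print(f"{delta / 1e9:+.9f} s  {label}")
```

On the page's data, the first two events of each group differ by about a millisecond, while the third event of each group is a multi-second or multi-hour step.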