Time on Power Monitoring Expert Server Changes to a Future Date in a Redundant System
Issue
The time on the PME server changes to 2084 or a similar year in the future.
Product Line
Power Monitoring Expert 8.1 (could apply to any version)
everRun from Stratus Technologies (Marathon)
Environment
PME installed on a redundant system running on Marathon
Cause
A series of these events are in Windows Security Log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/30/2084 1:10:54 PM
Event ID: 4616
Task Category: Security State Change
Level: Information
Keywords: Audit Success
User: N/A
Computer: WIN-L9J7NRS9HL1
Description: The system time was changed.
Process Information:
Process ID: 0xa34
Name: C:\Program Files (x86)\Citrix\XenTools\XenGuestAgent.exe
Previous Time: 2084-07-30T18:10:54.628000000Z
New Time: 2084-07-30T18:10:54.626000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Resolution
As described above, the XenGuestAgent process is using System privilege to change the time. A workarount would be to remove this priviledge:
1. From Administrative Tools open Local Security Policy
2. Navigate to Local Policies > User Rights Assignment
3. In 'Change the system time' remove the SYSTEM group
- open 'Change the system time' property window (double click on it)
- select SYSTEM group
- click on Remove