Time on Power Monitoring Expert Server Changes to a Future Date in a Redundant System

Issue
The time on the PME server changes to 2084 or a similar year in the future.

Product Line
Power Monitoring Expert 8.1 (could apply to any version)
everRun from Stratus Technologies (Marathon)

Environment
PME installed on a redundant system running on Marathon

Cause Source:          Microsoft-Windows-Security-Auditing
Date:              7/30/2084 1:10:54 PM
Event ID:        4616
Task Category: Security State Change
Level:              Information
Keywords:       Audit Success
User:              N/A
Computer:      WIN-L9J7NRS9HL1
Description:   The system time was changed.

Subject:
    Security ID:               SYSTEM
    Account Name:          WIN-L9J7NRS9HL1$
    Account Domain:        WORKGROUP
    Logon ID:                   0x3e7

Process Information:
    Process ID:    0xa34
    Name:        C:\Program Files (x86)\Citrix\XenTools\XenGuestAgent.exe

Previous Time:        ‎2084‎-‎07‎-‎30T18:10:54.628000000Z
New Time:              ‎2084‎-‎07‎-‎30T18:10:54.626000000Z

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

Resolution
As described above, the XenGuestAgent process is using System privilege to change the time.  A workarount would be to remove this priviledge:

1. From Administrative Tools open Local Security Policy
2. Navigate to Local Policies > User Rights Assignment

          

3. In 'Change the system time' remove the SYSTEM group
- open 'Change the system time' property window (double click on it)
- select SYSTEM group
- click on Remove