Hello, I was trying to investigate a problem. The problem is one of the detached processes in the machine has changed the system time. When I looked into the accounting information, I found the following entry there:
DETACHED Process Termination
Username: SYSTEM UIC: [GROUPS,GRP363]
Account: <start> Finish time: 27-MAR-2005 03:02:40.27
Process ID: 00067168 Start time: 27-MAR-2005 02:00:07.66
Owner ID: Elapsed time: 0 01:02:32.60
Terminal name: Processor time: 0 00:00:24.77
Remote node addr: Priority: 4
Remote node name: Privilege <31-00>: FFFFFFFF
Remote ID: Privilege <63-32>: FFFFFFFF
Remote full name:
Queue entry: Final status code: 00000001
Queue name:
Job name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults: 3450 Direct IO: 8739
Page fault reads: 141 Buffered IO: 418
Peak working set: 22320 Volumes mounted: 0
Peak page file: 241856 Images executed: 4
Can anybody suggest a way to find which process has done it?
Thanks in advance
Final_Dest

Final_Dest,
Let's start at the beginning. What indications are there that this process changed the system's TOY (Time of Year) clock?
- Bob Gezelter, http://www.rlgsc.com

Hello Bob,
Thanks for the reply. If you look at the start and the end time of the process in the following lines
Account: <start> Finish time: 27-MAR-2005 03:02:40.27
-----------
Process ID: 00067168 Start time: 27-MAR-2005 02:00:07.66
-----------
Owner ID: Elapsed time: 0 01:02:32.60
Terminal name: Processor time: 0 00:00:24.77
-----------
It started @ 02:00 and finished @ 03:02. But the CPU time elapsed is just 24 seconds. That made me come to a decision that the process has changed the clock. None of the other processes around this process had the possibility to change the clock.
Please let me know if you need any more information regarding this.
Thanks in advance
Final_Dest

Final_dest,
27-MAR-2005 03:02:40.27
27-MAR-2005 02:00:07.66
Elapsed time: 0 01:02:32.60
The elapsed time difference is in the jitter/conversion imprecision range. The lack of CPU consumed means that the CPU was not fully utilized, at least by that process.
This is not an indication that the time was changed, although it doesn't prove that the time was not changed.
What is the problem that you are trying to solve? If you want to move this to private email at some point, that is also not a problem.
- Bob Gezelter, http://www.rlgsc.com
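Added example, not part of the original thread: a Python check of the comparison made in the reply above, which parses the record's timing fields and tests whether Finish minus Start agrees with the recorded Elapsed time. The one-field-per-line sample, the function names and the 1-second tolerance are assumptions made for this illustration; agreement only shows the three fields are mutually consistent, not that the clock was never changed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the timing fields from the accounting record quoted in
# the thread, laid out one field per line (an assumption of this example).
RECORD = """\
Finish time: 27-MAR-2005 03:02:40.27
Start time: 27-MAR-2005 02:00:07.66
Elapsed time: 0 01:02:32.60
Processor time: 0 00:00:24.77
"""

MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()
ABS_RE = re.compile(r"(\d{1,2})-([A-Z]{3})-(\d{4}) (\d\d):(\d\d):(\d\d)\.(\d\d)")
DELTA_RE = re.compile(r"(\d+) (\d\d):(\d\d):(\d\d)\.(\d\d)")

def field(record, name):
    """Return the text after 'name:' on the line that starts with it."""
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", record, re.M)
    if m is None:
        raise ValueError(f"field not found: {name}")
    return m.group(1).strip()

def parse_abs(text):
    """Parse an absolute time such as 27-MAR-2005 03:02:40.27."""
    day, mon, year, hh, mm, ss, cc = ABS_RE.fullmatch(text).groups()
    return datetime(int(year), MONTHS.index(mon) + 1, int(day),
                    int(hh), int(mm), int(ss), int(cc) * 10_000)

def parse_delta(text):
    """Parse a delta time such as 0 01:02:32.60 (days hh:mm:ss.cc)."""
    days, hh, mm, ss, cc = map(int, DELTA_RE.fullmatch(text).groups())
    return timedelta(days=days, hours=hh, minutes=mm, seconds=ss,
                     milliseconds=cc * 10)

def check_record(record, tolerance=timedelta(seconds=1)):
    """Compare Finish - Start with Elapsed; report CPU as a share of elapsed."""
    wall = parse_abs(field(record, "Finish time")) - parse_abs(field(record, "Start time"))
    elapsed = parse_delta(field(record, "Elapsed time"))
    cpu = parse_delta(field(record, "Processor time"))
    drift = wall - elapsed
    return {"wall": wall, "drift": drift,
            "consistent": abs(drift) <= tolerance,  # tolerance is an assumption
            "cpu_share": cpu / elapsed}

if __name__ == "__main__":
    print(check_record(RECORD))
```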

Is the system located in Europe?
Did you notice that this night (Easter Sunday) was the daylight saving time switch?
(Don't know if it is also true for the USA or other regions.)
The times make perfect sense in this case.

And to answer the question how to find out more about the process:
If your system has security auditing enabled for detached logins, then use
ANALYZE/AUDIT/FULL/EVENT=LOGIN/SINCE=27-MAR/BEFORE=28-MAR
on the security audit file in use during that period.
