What is changing my Windows Server's date?

At my organisation we have a number of virtual machines on ESXi hosts in a number of sites.

For the past few months, around once or twice a week one virtual machine, seemingly at random, will update the date to something weeks in the future for a few minutes, only for W32Time to notice and change it back. This is affecting the applications running on the server and we cannot figure out what could be causing it.

This is not the usual time change of a few minutes, it's shifting the date and time to something completely different, and there's no pattern to what it moves to.

The latest example can be seen in the below event log pulled from the server:

"Event 4616, Microsoft Windows security auditing. The system time was changed. Subject: Security ID: LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x174 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2022‎-‎10‎-‎11T19:28:42.731783900Z New Time: ‎2022‎-‎12‎-‎06T05:38:25.439000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."

Any help or advice would be greatly appreciated!

Most likely, the VM is being 'updated' to the wrong time by the ESXi host.

When a VM is 'stunned' (on pause, snapshot, migration, etc.) it inherits the host's system time, regardless of the VM settings. Possibly the 'seemingly at random' times are when snapshots are taken, backups are running or similar. And very likely the other VMs are having the same problem but you just haven't noticed it yet (been there myself).

Therefore, it's very important to keep your hosts updated by NTP at all times and check their correct system time on a regular basis.