Channel: Forensic Focus Forums - Recent Topics

General Discussion: Win7 Time Changes

Hi there, hope someone can help.

Internal examination of a Win7 Enterprise SP1 system (Central Time, i.e. 6 hrs behind us in the UK for the period in question). I have noticed a number of system time change events in the System Event Log (ID 1); the Event Log covers 22nd to 30th May.

Some of these are not even changes, e.g.:
to 2014-05-30T02:16:10.251159900Z from 2014-05-30T02:16:10.251159900Z

Some are minute changes, e.g.:
to 2014-05-22T08:03:41.680000000Z from 2014-05-22T08:03:41.680739900Z

While some are (more or less) complete hours, e.g.:
to 2014-05-23T06:37:39.500000000Z from 2014-05-23T00:37:40.676328800Z

While yet others are seemingly random, e.g.:
to 2014-05-22T23:46:50.500000000Z from 2014-05-22T14:04:15.845506900Z

I compared against the event log on my system (same OS), which has an irregular (per day) number of ID 35 events, and all ID 1 events are minuscule changes.

So I changed the timezone on my system and observed one new ID 1 event with "to" and "from" times with exactly the same values - no new 35 events. Then I changed the timezone back again and saw similar behaviour.

Then I moved the clock back by 6 hours and got this ID 1 event:
to 2014-08-20T07:58:26.000000000Z from 2014-08-20T13:58:32.541140900Z
(I am surprised by the lower number of seconds in the "to" section, but it matches the above example.)

Followed immediately by this ID 1 event:
to 2014-08-20T07:58:26.000000000Z from 2014-08-20T07:58:26.000000000Z

I'm especially confused about three entries on 30th May (significant digits reduced for ease of display):

Local Time          Description
30-May-14 19:07:45  "to 2014-05-30T18:07:45.50Z from 2014-05-30T12:07:46.69Z"
30-May-14 13:04:13  "to 2014-05-30T12:04:12.50Z from 2014-05-30T08:37:57.12Z"
30-May-14 09:37:29  "to 2014-05-30T08:37:24.50Z from 2014-05-30T02:37:24.92Z"

i.e. forward by about six hours, forward by about 3.5 hours, forward by about 6 hours.

And there seems to be some kind of continuity from the "to" value of one event to the "from" value of the next one.

As these events don't mirror the results of the tests I did on my own system, I wonder if a BIOS change would make any difference, but our systems are locked down so he can't have done this (unless he SE'd the password from IT, in which case we wouldn't know about it).

There is no evidence of datetime.cpl having been accessed, so I'm wondering how one can explain these types of events?

Cheers
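The sorting the post does by hand (no-op changes, sub-second corrections, whole-hour shifts, and the rest) can be done mechanically over an exported log. The script below is an added example, not code from the post or from Forensic Focus: it extracts the "to ... from ..." UTC pair from each Event ID 1 description, keeps the 100 ns precision Windows writes (which Python's datetime cannot parse directly), labels each adjustment, and measures the gap between one change's "to" value and the next change's "from" value to test the "continuity" the post notices. The sample descriptions are constructed from the values quoted in the post; the wording around the timestamps, the 1 s and 60 s thresholds, and the label names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample descriptions for Kernel-General Event ID 1, built from the
# "to ... from ..." values quoted in the post; the surrounding wording is assumed.
SAMPLE_EVENTS = [
    "The system time has changed to 2014-05-30T02:16:10.251159900Z from 2014-05-30T02:16:10.251159900Z.",
    "The system time has changed to 2014-05-22T08:03:41.680000000Z from 2014-05-22T08:03:41.680739900Z.",
    "The system time has changed to 2014-05-23T06:37:39.500000000Z from 2014-05-23T00:37:40.676328800Z.",
    "The system time has changed to 2014-05-22T23:46:50.500000000Z from 2014-05-22T14:04:15.845506900Z.",
]

# The three 30 May entries, oldest first, so the chain between them can be measured.
MAY30_EVENTS = [
    "The system time has changed to 2014-05-30T08:37:24.50Z from 2014-05-30T02:37:24.92Z.",
    "The system time has changed to 2014-05-30T12:04:12.50Z from 2014-05-30T08:37:57.12Z.",
    "The system time has changed to 2014-05-30T18:07:45.50Z from 2014-05-30T12:07:46.69Z.",
]

_TS_RE = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z"
_PAIR = re.compile(rf"to\s+(?P<to>{_TS_RE})\s+from\s+(?P<frm>{_TS_RE})")
_TS = re.compile(r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SEC = 10_000_000  # Windows FILETIME resolution: 100 ns


def parse_ticks(text):
    """Parse a Windows UTC timestamp into 100 ns ticks since the Unix epoch.
    datetime cannot take 7-digit fractions, so the fraction is handled by hand."""
    m = _TS.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    frac = (m.group(7) or "").ljust(7, "0")[:7]  # normalise to exactly 7 digits
    whole = int((datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc) - _EPOCH).total_seconds())
    return whole * TICKS_PER_SEC + int(frac)


def classify(delta_s, hour_tolerance_s=60.0):
    """Label a clock adjustment in seconds (positive = moved forward). Thresholds are assumed:
    under 1 s is treated as a normal sync correction, within 60 s of a whole number of hours
    as an offset-style shift, anything else as irregular."""
    if delta_s == 0:
        return "no-op"
    if abs(delta_s) < 1.0:
        return "sub-second"
    hours = round(delta_s / 3600)
    if hours != 0 and abs(delta_s - hours * 3600) <= hour_tolerance_s:
        return f"whole-hour ({hours:+d} h)"
    return "irregular"


def analyse(descriptions):
    """Extract the to/from pair from each description and label the adjustment."""
    records = []
    for text in descriptions:
        m = _PAIR.search(text)
        if not m:
            continue  # not a time-change description, skip it
        to_ticks, from_ticks = parse_ticks(m["to"]), parse_ticks(m["frm"])
        delta_s = (to_ticks - from_ticks) / TICKS_PER_SEC
        records.append({
            "to": m["to"], "from": m["frm"],
            "to_ticks": to_ticks, "from_ticks": from_ticks,
            "delta_s": delta_s, "kind": classify(delta_s),
        })
    return records


def chain_gaps(records):
    """Seconds the clock ran between one change's 'to' value and the next change's
    'from' value (records oldest first). Small positive gaps mean each change starts
    from where the previous one left the clock."""
    return [(nxt["from_ticks"] - prev["to_ticks"]) / TICKS_PER_SEC
            for prev, nxt in zip(records, records[1:])]


if __name__ == "__main__":
    for rec in analyse(SAMPLE_EVENTS + MAY30_EVENTS):
        print(f"{rec['from']:>30} -> {rec['to']:<30} {rec['delta_s']:>12.4f} s  {rec['kind']}")
    print("gaps between consecutive 30 May changes (s):",
          [round(g, 2) for g in chain_gaps(analyse(MAY30_EVENTS))])
```

Run against the post's three 30 May entries (oldest first), the gaps come out at roughly 33 s and 214 s: each "from" value is only a short run of clock time after the previous "to" value, which is what a chain of successive adjustments to the same running clock looks like, as opposed to unrelated events. The middle entry, at about 3 h 26 min, falls outside the whole-hour tolerance and is labelled irregular, which matches the post's reading of it.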
