locked
what processing is causing this message in my log file? RRS feed

  • Question

  • My sql server 2005 log file is report the following message every 5 minutes:


    "Sql Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off'.

    How do I find out what is process is being blocked and what or who is initiating it?

    Thank you for the replies.  I looked in the sql profiler. That answered my question

    • Edited by tarbell Monday, July 1, 2013 7:20 PM
    Friday, June 28, 2013 4:36 PM

Answers

  • The simplest way is to use Profiler and find the user/machine which is calling xp_cmdshell. 

    However I will point out, this can be a result of "SQL Injection" and other hacking attempts if you are using a web front end for the database server.

    http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx

    • Proposed as answer by Fanny Liu Saturday, June 29, 2013 2:54 AM
    • Marked as answer by tarbell Monday, July 1, 2013 7:21 PM
    Friday, June 28, 2013 4:46 PM
  • I think you need enable it. Try this to enable this -

    -- To allow advanced options to be changed.
    EXEC sp_configure 'show advanced options', 1
    GO
    -- To update the currently configured value for advanced options.
    RECONFIGURE
    GO
    -- To enable the feature.
    EXEC sp_configure 'xp_cmdshell', 1
    GO
    -- To update the currently configured value for this feature.
    RECONFIGURE
    GO

    refer this for more details - http://msdn.microsoft.com/en-us/library/ms190693.aspx
    • Marked as answer by tarbell Monday, July 1, 2013 7:21 PM
    Friday, June 28, 2013 4:48 PM
  • Hi,

    thank you for the reply.  What I want to know is what is running the is causing this message.  I do not want to change the setting.

    • Marked as answer by tarbell Monday, July 1, 2013 7:21 PM
    Friday, June 28, 2013 4:52 PM
  • Do NOT enable xp_cmdshell unless you know what it is being used for.  This allows SQL Server to run commands directly against the OS and can be hazardous.

    • Marked as answer by tarbell Monday, July 1, 2013 7:21 PM
    Friday, June 28, 2013 4:52 PM
  • Hi,

    thank you for the reply.  What I want to know is what is running the is causing this message.  I do not want to change the setting.

    • Marked as answer by tarbell Monday, July 1, 2013 7:22 PM
    Friday, June 28, 2013 4:52 PM
  • Hi,

    Thank you for the reply.  I do not want to enable it.  What I want to do is find out what process is causing this event in the log file.  Do you have any suggestions to find out what is causing this?

    • Marked as answer by tarbell Monday, July 1, 2013 7:22 PM
    Friday, June 28, 2013 5:27 PM
  • Hi,

    Thank you for the reply.  I do not want to enable it.  What I want to do is find out what process is causing this event in the log file.  Do you have any suggestions to find out what is causing this?

    Hi Tarbell,

    First comment by Tom says that use profiler to find out what application/user/request is causing this message.So please use it

    I dont know whether its hacking or not but below can be reasons of the message ur getting

    1. You can be using xp_cmdshell during backup

    2. You can be using xp_cmdshell  in some stored proc

    3. You can be using xp_cmdshell  in some job configured on ur server...

    And best way to find is thru profiler..

    Below link has same discussion and to find out A code snippet in provided by Vidar just see whether it helps

    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/f3b0a883-fb27-4512-ba60-5ce1bc030d46/sql-server-blocked-access


    Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers


    • Edited by Shanky_621MVP Saturday, June 29, 2013 5:22 AM added line
    • Marked as answer by tarbell Monday, July 1, 2013 7:22 PM
    Saturday, June 29, 2013 4:12 AM

All replies

  • The simplest way is to use Profiler and find the user/machine which is calling xp_cmdshell. 

    However I will point out, this can be a result of "SQL Injection" and other hacking attempts if you are using a web front end for the database server.

    http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx

    • Proposed as answer by Fanny Liu Saturday, June 29, 2013 2:54 AM
    • Marked as answer by tarbell Monday, July 1, 2013 7:21 PM
    Friday, June 28, 2013 4:46 PM
  • I think you need enable it. Try this to enable this -

    -- To allow advanced options to be changed.
    EXEC sp_configure 'show advanced options', 1
    GO
    -- To update the currently configured value for advanced options.
    RECONFIGURE
    GO
    -- To enable the feature.
    EXEC sp_configure 'xp_cmdshell', 1
    GO
    -- To update the currently configured value for this feature.
    RECONFIGURE
    GO

    refer this for more details - http://msdn.microsoft.com/en-us/library/ms190693.aspx
    • Marked as answer by tarbell Monday, July 1, 2013 7:21 PM
    Friday, June 28, 2013 4:48 PM
  • Hi,

    thank you for the reply.  What I want to know is what is running the is causing this message.  I do not want to change the setting.

    • Marked as answer by tarbell Monday, July 1, 2013 7:21 PM
    Friday, June 28, 2013 4:52 PM
  • Do NOT enable xp_cmdshell unless you know what it is being used for.  This allows SQL Server to run commands directly against the OS and can be hazardous.

    • Marked as answer by tarbell Monday, July 1, 2013 7:21 PM
    Friday, June 28, 2013 4:52 PM
  • Hi,

    thank you for the reply.  What I want to know is what is running the is causing this message.  I do not want to change the setting.

    • Marked as answer by tarbell Monday, July 1, 2013 7:22 PM
    Friday, June 28, 2013 4:52 PM
  • Hi,

    Thank you for the reply.  I do not want to enable it.  What I want to do is find out what process is causing this event in the log file.  Do you have any suggestions to find out what is causing this?

    • Marked as answer by tarbell Monday, July 1, 2013 7:22 PM
    Friday, June 28, 2013 5:27 PM
  • Hi,

    Thank you for the reply.  I do not want to enable it.  What I want to do is find out what process is causing this event in the log file.  Do you have any suggestions to find out what is causing this?

    Hi Tarbell,

    First comment by Tom says that use profiler to find out what application/user/request is causing this message.So please use it

    I dont know whether its hacking or not but below can be reasons of the message ur getting

    1. You can be using xp_cmdshell during backup

    2. You can be using xp_cmdshell  in some stored proc

    3. You can be using xp_cmdshell  in some job configured on ur server...

    And best way to find is thru profiler..

    Below link has same discussion and to find out A code snippet in provided by Vidar just see whether it helps

    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/f3b0a883-fb27-4512-ba60-5ce1bc030d46/sql-server-blocked-access


    Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers


    • Edited by Shanky_621MVP Saturday, June 29, 2013 5:22 AM added line
    • Marked as answer by tarbell Monday, July 1, 2013 7:22 PM
    Saturday, June 29, 2013 4:12 AM