June 10, 2009 at 2:24 pm
Every time SQL starts I see this message in the Management Error Logs:
"Using 'xpstar90.dll' version '2005.90.4035' to execute extended stored procedure 'xp_regdeletevalue'. This is an informational message only; no user action is required."
followed by several of these errors:
RegOpenKeyEx() returned error 5, 'Access is denied.'
Error: 22002, Severity: 16, State: 1.
RegCreateKeyEx() returned error 5, 'Access is denied.'
Error: 22002, Severity: 16, State: 1.
This is SQL 2005 and we have seen the error in SP2 and SP3.
SQL 2000 was never installed on this machine and this is the only SQL installation that has ever been on it. There is only the default instance.
The account running the SQL Service and Agent account is the same domain account.
The domain account is not a local administrator for this machine.
I can see that account in the correct groups created by SQL 2005.
We do not appear to have any loss of functionality. I can manipulate services accounts, create file groups and databases, etc.
I have run ProcessMonitor to determine where the account may be denied, but it returns several registry keys, mainly in Performance Monitoring, that return Access Denied for NT Authority\System, nothing for the domain account. None of our SQL services run as a system account.
There must be something fundamental I am just missing I am sure, but I cannot find where this is coming from. Has anyone experienced this issue before? Any help would be appreciated.
June 12, 2009 at 3:41 pm
bump
June 15, 2009 at 5:49 am
Can you post the process monitor result when you set this filter:
process name = sqlservr.exe
result = Access Denied
and then start sql.
ed
June 15, 2009 at 10:18 am
Sure. Thank you for your help.
Operation Path Result
RegOpenKeyHKLM\System\CurrentControlSet\Control\Services\.NET CLR Data\PerformanceACCESS DENIED
User Description
NT AUTHORITY\SYSTEMSQL Server Windows NT - 64 Bit
I get this for most of this hive. I also see some of this:
Operation Path Result User Description
RegCreateKeyHKLM\Software\Microsoft\SystemCertificates\caACCESS DENIEDNT AUTHORITY\SYSTEMLSA Shell
Again I am not using the system account for anything and I am not sure why it is showing NT Authority\System instead of my domain account. I thought this was supposed to be taken care of by the windows groups created by SQL 2005, but I don't want to mess with any of those settings. If you can think of anything please let me know. I appreciate your help.
June 17, 2009 at 1:34 am
Hi, you could try to execute SQL server service as another user. (Ex: like an admin user). If it works is a problem with your acccount.
June 17, 2009 at 1:12 pm
I have tried switching the domain account to one that is an admin on the machine and I don't see any of these errors. So I am sure it is some sort of permissions issue.
But the non-admin account is being dropped into the correct windows groups and ProcessMonitor doesn't show anything for that user...
Short of just going to the registry and applying permissions all over the place and see what works, I can't figure out where this is coming from.
June 17, 2009 at 1:45 pm
From the registry keys involved it looks like the sqlclr - but on my system when I start the sqlclr it doesn't try to use those keys.
Do you have the sqlclr enabled and any startup procs or triggers etc which might be starting?
I was thinking that maybe if there was one with the safe permission it might explain why the system account was being used but I haven't been able to reproduce it.
Also on my system the key you mention has full control for the system account so if it did try it would have worked - have you locked down your server with a restrictive security policy?
Ed
June 18, 2009 at 1:49 am
Hi, sometimes you will need to change permissions in Windows registry. Here you have some information about it:
http://support.microsoft.com/?scid=kb;en-us;310426&x=12&y=11
June 18, 2009 at 9:56 am
Do you have the sqlclr enabled and any startup procs or triggers etc which might be starting?
No we aren't using in on this box and I double checked.
Also on my system the key you mention has full control for the system account so if it did try it would have worked - have you locked down your server with a restrictive security policy?
I checked a dozen or so of the same keys on my machine and the system account has full access to them also.
I am going to try assigning permissions to some of those keys directly to the service account and see if I can troubleshoot the issue.
Thanks you for you help. I am just kind of confused on the whole situation, there must be some part that I am missing.
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply