Post reply

Auditing the use of xp_cmdshell

  • October 11, 2014 at 11:11 am

    #297326

    I agree that xp_cmdshell shouldn't even be enabled. However, I just joined this company and it is enabled on multiple servers. So now, I would like to be able to audit its use in some way to see if it even needs to be enabled.

    Is there any way you can create an auditing method? Server side trace, trigger, service broker, etc. and see what command is being issued to it?

    Owner & Principal SQL Server Consultant
    Im Your DBA, Inc.
    https://www.imyourdba.com/

  • October 11, 2014 at 11:44 am

    #1751819

    Server side trace with SP:StmtStarting and SQL:StmtStarting with the filter TextData like %xp_cmdshell% seems like the only alternative. Ot the corresponding X-event session on SQL 2012 or later.

    [font="Times New Roman"]Erland Sommarskog, SQL Server MVP, www.sommarskog.se[/font]

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply