50Plus NT AUTHORITY\SYSTEM Logins By Windows Scripting Hosts Every Hour

  • We are trying to track down what app/service is connecting to the SQL Server instance in question and using Windows Scripting Host to execute a large number of queries that look like metrics gathering. I've run Profiler to capture the actual activity and that's how I was able to identify that the application is Windows Scripting Host, but that doesn't tell me the actual app or service, only that it is using Scripting Host.

    We are using Solar Winds DPA and I have verified with their support that it is not their product doing this, so I'm at a loss as to what it might be. What I know so far is that this process/service/app is using the NT Authority\System login and when it runs, which is once an hour, it makes anywhere from 50-54 successful logins and runs a number of metrics gathering queries on all the DBs and the SQL Server. The connection is local (the event log shows the IP as the IP for the SQL Server instance).

    Any thoughts on how to track down what it is that is doing this? We are trying to track this down because we are seeing activity spikes around the same time these connections are captured. I'd also like to know why anything is using 50+ logins to the SQL Server.

    Kindest Regards,

    Just say No to Facebook!
  • You should be able to use the sys.dm_exec_sessions DMV to query host name, program name and login used by the session. That will nail it down to the point where you can go to someone's machine and find out what they're up to.
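
One way to do that lookup, as an added example that is not from the thread: the first query groups the current NT AUTHORITY\SYSTEM sessions by login, host, program and client address, and the Extended Events session (session and file names are assumptions; needs VIEW SERVER STATE and ALTER ANY EVENT SESSION) records the client process id at login time, so a local connection can be matched to a process on the SQL Server box even though the sessions are short-lived.

```sql
-- Added example, not from the original thread.
-- 1) Snapshot of who is currently connected as NT AUTHORITY\SYSTEM.
--    host_name and program_name are supplied by the client, so treat them
--    as a lead rather than proof of which service is behind the sessions.
SELECT
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,          -- '<local machine>' for shared memory
    c.local_net_address,
    COUNT(*)          AS session_count,
    MIN(s.login_time) AS first_login,
    MAX(s.login_time) AS last_login
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND s.login_name = N'NT AUTHORITY\SYSTEM'
GROUP BY s.login_name, s.host_name, s.program_name,
         c.client_net_address, c.local_net_address
ORDER BY session_count DESC;

-- 2) Hourly bursts are easy to miss with a one-off DMV query, so capture
--    every login by that principal to a file for later review.
--    client_pid is the caller's process id; on a local connection it can be
--    matched against the process list on the SQL Server host.
--    [trace_system_logins] and the .xel file name are assumed names.
CREATE EVENT SESSION [trace_system_logins] ON SERVER
ADD EVENT sqlserver.login (
    ACTION (sqlserver.client_app_name,
            sqlserver.client_hostname,
            sqlserver.client_pid,
            sqlserver.server_principal_name)
    WHERE sqlserver.server_principal_name = N'NT AUTHORITY\SYSTEM')
ADD TARGET package0.event_file (SET filename = N'trace_system_logins.xel')
WITH (STARTUP_STATE = ON);

ALTER EVENT SESSION [trace_system_logins] ON SERVER STATE = START;

-- 3) Read back the captured logins once the next hourly burst has occurred.
SELECT
    x.value('(event/@timestamp)[1]', 'datetime2')                                     AS login_at,
    x.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)')      AS client_app_name,
    x.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(256)')      AS client_hostname,
    x.value('(event/action[@name="client_pid"]/value)[1]', 'int')                     AS client_pid
FROM sys.fn_xe_file_target_read_file(N'trace_system_logins*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CONVERT(xml, f.event_data)) AS ed(x)
ORDER BY login_at;
```

Once the pid is known, a process listing taken on the SQL Server host during the burst (for example from Task Manager or the Services console) identifies the owning service without having to disable the login.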

  • These logins are coming from the SQL Server box itself. Since posting I've had someone suggest it could be SCOM (Microsoft System Center), which we do use. I don't deal with it so I don't have it set up, but I know it can monitor SQL Server specific stuff so maybe it's doing this.

    I have always explicitly used a domain account for any SQL Server service I've installed, so anything using the NT Authority\System account is something someone else installed. I was thinking about disabling access to the SQL Server via that account and seeing who starts saying their stuff won't work.

    Any dangers in disabling access to SQL Server via NT Authority\System?

    Kindest Regards,

    Just say No to Facebook!
  • SOLUTION / ANSWER:

    Turns out it was System Center that was using the NT AUTHORITY\SYSTEM account to execute 50+ queries, each via its own connection/SPID. System Center is using the Microsoft Monitoring Agent (a Windows service) to execute T-SQL queries via Windows Scripting Host. It does this every 15 minutes throughout the day. I'm not the one who handles System Center here, but the guy that does told me it's probably the SQL Server Management Pack that's doing this.

    It also turns out it's not causing the latency issues we've been troubleshooting, but it is behind these 50+ simultaneous logins and now we know.

    Kindest Regards,

    Just say No to Facebook!
