THE SQL Server Blog Spot on the Web

Welcome to - The SQL Server blog spot on the web Sign in | |
in Search

Argenis Fernandez

Think Your Windows Administrators Don’t Have Access to SQL Server 2008 by Default? Think Again.

Published Sunday, July 10, 2011 7:56 PM by Argenis

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS



Robert L Davis said:

Interesting. I never considered trying something like this.

July 10, 2011 10:15 PM

Paul Timmerman said:

Well that's not scary at all, LOL!

July 10, 2011 10:20 PM

Mark Shay said:

You can also schedule an AT Job to open a command prompt.. Basically, the same thing to get NT Authority/SYSTEM session going.

July 10, 2011 10:31 PM

Robert Miller said:

Some mad hacker skills there.  

Seriously, like Robert Davis, I never thought of this approach.

July 10, 2011 11:01 PM

Meher said:

Nice demo Argenis.


July 11, 2011 9:07 AM

Brent Ozar said:

Wow.  Nice find, man.

July 11, 2011 9:10 AM

K. Brian Kelley said:

Another thing is if you look at the SQL Server VSS Writer service, the service account is System. In SQL Server 2000 System was required because of Full Text. In 2005/2008 it's required not only for updates, but also for this service.

The one disadvantage of using AT is you can't get an interactive session in newer versions of the OS. This is to prevent the case where you schedule a job using AT to start explorer and then intentionally kill explorer. And you can prevent the AT issue by setting the service account that is used for these jobs. This should be a best practice because it's also a security exploit on Windows systems where you've been stripped of admin rights.

July 11, 2011 9:31 AM

Jim Murphy said:

Nice job!  Nice combined use of tools and 'features'.

July 11, 2011 9:54 AM

Chris Wood said:


The KB article says that this account is used for Microsoft Update. I have had problems with others using Microsoft Update on SQL Server so that would be a good reason not to give it sysadmin authority. Do we know what authority the SQL VSS Writer service needs because I would want to remove sysadmin role from it?



July 11, 2011 11:50 AM

Amit Banerjee said:

If you are using VSS backups for your SQL Server instance, then remove the Local System account from the sysadmin list will cause these backups to fail.


Additionally, because of the types of operations that the writer must perform, we recommend that you do not remove the NT AUTHORITY\SYSTEM login from the sysadmin server role.

July 11, 2011 12:10 PM

Chris Wood said:


If you are only using the Maintenance Plan Backup DB thru an SQL agent job then you do not need this service right? We also use Red Gate SQLBackup so I know that this uses the Writer service but what elso would use it?


July 11, 2011 1:51 PM

Argenis said:


For regular native backups or Red Gate backups you do not need the VSS Writer service. You would need it if you used DPM, for example.


July 11, 2011 2:10 PM

Chris Wood said:


If that's the case then we can certaily try to remove syadmin authority.



July 11, 2011 3:30 PM

Leo Miller said:

Thinking it through you will see he doesn't even need to add himself as a Sysadmin. Under the NT Authotity account he is already a sysadmin, and effectivly transparent to most monitoring.

Our system monitors Sysadmins added or removed, but we wouldn't see the first logon.

July 11, 2011 5:36 PM

Argenis said:


If you're only monitoring 'sa' logins, then yes, you will miss the login by 'NT AUTHORITY\SYSTEM'. In my opinion any system that is properly audited should monitor all logins (failed and successful) - this is especially true of member of the sysadmin server role.

July 11, 2011 6:15 PM

GrumpyOldDBA said:

ah well this account NT AUTHORITY\SYSTEM  does not need sysadmin rights to run, even on a cluster. I change this to public only, add as a user to master database and grant datareader. I forget exactly what it needs to call, think it might be checking version info.

Sorry but a DBA should understand security on his or her system fully with regard to what logins are created by default on install - it could be that I spent many years working in a SOX environment - that tends to sharpen your outlook ( paranoia ) on things.

I see to remember ms kbs covering this - something like "impeding admins ona  cluster" or something.

Good post though - I wonder how many DBAs suddenly had a panic attack?

July 13, 2011 9:56 AM

Dale Hirt said:

I had heard of the running SQL Server in single-user mode hack, but this one is truly a wonder of simplicity and a gaping hole.

Thanks for the great article on it.

July 18, 2011 4:22 PM

Aaron Sentell said:

At least they can't use this to hack in using a GUI like SSMS ... or can they? Not that I feel any better either way.

July 20, 2011 4:43 PM

Jorge Segarra said:

Again, awesome find. Good news for security folks though, looks like this loophole might be "closed" in Denali as NT\System is no longer sysadmin by default:

"BUILTIN\administrators and Local System (NT AUTHORITY\SYSTEM) are not automatically provisioned in the sysadmin fixed server role."

July 23, 2011 8:05 PM

Jason S said:

This isn't a security hole or loophole by any means. If you are a local admin on a system, all bets are off to begin with. Local admins by definition can do anything they want. If someone isn't trusted, then they shouldn't be a local admin. If an untrusted user is on a system as local admin, you've got big trouble whether they try to log into SQL Server or not.

Also, the task scheduler was completely redesigned in Vista/2008 so the AT trick (mentioned way above) hasn't worked in a while.

October 14, 2011 3:47 PM

Argenis Fernandez said:

  If you recall one of my previous blog posts, titled Think Your Windows Administrators Don’t Have

January 12, 2012 6:34 PM

Sudhanshu said:

Excelelnt one, this saves my time...


March 21, 2012 3:40 AM

Neil Simmons said:

Actually as long as you use the -i switch in psexec then you can just as easily run the SSMS from here.

August 13, 2012 9:14 AM

Nik Edmiidz said:

Got the following error:

C:\Windows\system32>sqlcmd -S MAGMA\R2

HResult 0xFFFFFFFF, Level 16, State 1

SQL Server Network Interfaces: Error Locating Server/Instance Specified [xFFFFFF


Sqlcmd: Error: Microsoft SQL Server Native Client 10.0 : A network-related or in

stance-specific error has occurred while establishing a connection to SQL Server

. Server is not found or not accessible. Check if instance name is correct and i

f SQL Server is configured to allow remote connections. For more information see

SQL Server Books Online..

Sqlcmd: Error: Microsoft SQL Server Native Client 10.0 : Login timeout expired.


September 7, 2012 12:07 PM

Argenis said:

@Neil: indeed you can - the cmd window shows a what I would have needed several SSMS screenshots to demonstrate.

September 7, 2012 12:18 PM

Argenis said:

@Nik: MAGMA\R2 is the name of the SQL Server instance that I used in this example. You'll have to replace it with the name of the instance you're trying to connect to.

September 7, 2012 12:19 PM

PJ said:


November 15, 2012 10:00 AM

Ankur Arora said:

This article is indeed very interesting and knowledgable. Thanks a lot Argenis


November 22, 2012 3:17 PM

Josh M. said:

Great workaround!

January 18, 2013 10:57 AM

DL said:

Great tool!  Thanks!

February 12, 2013 12:08 PM

Es said:

Amazing. Thanks!

May 30, 2013 10:15 PM

David said:

I frickin' love you!

October 31, 2013 11:15 PM

ars said:

Worked !


June 30, 2014 3:15 AM

Julio said:

Worked, and saves me from disaster.

Thanks a lot.

November 26, 2014 7:27 PM

Zubair Ahmed said:

Excellent KB; thanks Argenis.

March 10, 2015 4:48 AM

Jack said:

On my server NT AUTHORITY\SYSTEM  does not have sysadmin rights, public only. Any advice how can I login as sa?

March 18, 2015 1:22 PM

Argenis said:

March 18, 2015 1:27 PM

Jack said:

@Argenis, thank you very much! It works now :)

March 19, 2015 9:35 AM

Pavel Lemnitskiy said:

Great workaround, thanks!


April 24, 2015 10:07 PM

khalil said:

Nice Articles, still works on old boxes.


August 6, 2015 4:49 AM

fyrefox said:

Thank you for this how-to ! Worked for me!

December 18, 2015 7:28 AM

ermoas said:

great post! very useful information. thanks for sharing

March 7, 2016 2:01 AM

RJ said:

When I tried to run the SQLCMD, i hit with pipe error.

But when I tried to run the SQL management ssme.exe with the same , it worked.

PsExec -s -i "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

April 27, 2016 7:59 PM

Vincent said:

RJ Thanks!!!!!!!!!!!! All other solution sdid not work for me!!!!!

May 11, 2016 11:13 AM

Seán said:

Massive thanks for this.

I had a legacy vendor-installed SQL 2008 R2 Express system that nobody had the password to. This worked a charm :-)

June 10, 2016 6:58 AM

rodabot said:

Perfect! thanks!

September 29, 2016 12:09 PM

Vlad said:

Argenis - great article, thanks a million.

January 27, 2017 9:15 AM

Michael said:

Sometimes get troubles with these assignments and projects. While Java is still a fair programming language as compared to other languages, it is still very complicated to make assignments and projects. Students often take Programming Assignment Help from the online writing services to help them out from this difficult situation.

January 14, 2019 10:09 PM

ammie said:

Being an academic writer from past 5 years providing assignment help writing services to college and university students also associated with Myassignmenthelp platform. I am dedicated in providing best online academic writing services to the college students at the affordable rates.

January 23, 2019 10:31 PM

<a href="">Tow Truck Service</a> said:

Pleasant to be going to your web journal yet again, it has been months for me. Well this article ive been sat tight for accordingly long. i need this article to complete my task inside of the staff, and it has same theme together with your article. Much appreciated, pleasant offer.<a href="">Tow Truck Service</a>

February 4, 2019 10:35 AM

buy travel gift voucher said:

Hi I am so charmed I found your online journal, I truly found you by error, while I was watching on google for something else, Anyways I am here now and could simply get a kick out of the chance to say thank for a huge post and an inside and out enlivening site. Kindly do keep up the considerable work.

February 5, 2019 11:06 PM

guelph real estate said:

I hate artifical stuffs so i always do organic gardening at home to get some natural foods~

March 6, 2019 8:39 AM

Johnson City TN Family Practice Clinics said:

Amazing site, Distinguished criticism that I can handle. Im advancing and may apply to my present place of employment as a pet sitter, which is extremely agreeable, yet I have to extra extend. Respects.[url=]Johnson City TN Family Practice Clinics[/url]

March 7, 2019 7:48 PM

Domenic Tylor said:

Students do not write a lengthy dissertation and he always needs a good writer help. Don’t worry, we provide online dissertation writers. We have more then 5000+ writers. We provide our service in Australia. Hire now at

March 13, 2019 10:32 PM

Jessica said:

Get assignment help in Australia in law subject at: and from Student Life saviour at:

March 14, 2019 3:46 AM

Max said:

This post is quite striking and helped me to gain deep understanding of some of my academic topics. I would recommend everyone to choose Assignment Help Australia. You can email us at cs@Myassignmenthelpau.Com or Phone Number: +61-2-8005-8227. For More Details Visit :-

March 19, 2019 12:51 AM

Leave a Comment

Privacy Statement