Its commonly happened at all work place where a user trigger a DROP or DELETE command by mistake or intensely on a SQL Server and no one will be accepting who did this. Here, I would like to demonstrate a way using the transaction log to track down helpful information related to this incident.
As a standard, to find such users is with the help of the default trace, because the default trace captures and tracks database activity performed on SQL Server instance, but if your system is very busy in that case the trace files may roll over far too fast and it may not be able to catch some of the changes in database. But these changes are also tracked in the transaction log file of the database and we will use this to find the users in questions.
To achieve this, we can use undocumented function fn_dblog
to find any unauthorized or unapproved deletes or table drops. The below tip will help to track or find any unethical or an unwanted user who has dropped a table or deleted data from a table. Its strongly suggested, Please don’t test this tips on production environment, test first it with test/Dev lab environment.
Here, I have created a Database Named ‘VIRENDRATEST’ and a create a Table Named ‘tblTest’ as
–Creating DB VirendraTest
CREATE DATABASE VirendraTest;
– Creating Table tblTest
CREATE TABLE tblTest ( ID INT IDENTITY, Ord_Date DATETIME DEFAULT GETDATE ())
– Inserting dummy test Data
INSERT INTO tblTest DEFAULT VALUES
Now, suppose, you have deleted record having ID=10 as
Delete tblTest where ID =10
Now here, find the user who deleted row/rows , steps are as below
Find transaction ID from :SELECT [Transaction ID],Operation, Context,AllocUnitName FROM fn_dblog(NULL, NULL)
WHERE Operation = ‘LOP_DELETE_ROWS’
Now We have found the transaction ID from the above command which we will use in the below command to get the transaction SID of the user who has deleted the data from below command,
SELECT Operation,[Transaction ID], [Begin Time], [Transaction Name], [Transaction SID]
FROM fn_dblog(NULL, NULL) WHERE [Transaction ID] = ’0000:00000752′
AND [Operation] = ‘LOP_BEGIN_XACT’
Using Transaction ID , we can get exact user name as
Above syntax will show exact user name.
Below is the list from where we can find out operations timing with these types of details (It’s not a complete list, I just get it from self-practice and some Google)
|| Indicates that a transaction was aborted and rolled back.
|| A checkpoint has begun.
|| Indicates the start of a transaction.
|| Writing to Buffer.
|| Indicates that a transaction has committed.
||New Allocation chain
|| Creating an index.
|| Rows were deleted from a table.
|| A page split has occurred. Rows have moved physically.
|| SYSINDEXES table has been modified.
|| Dropping an index.
|| Checkpoint has finished.
|| Row physically expunged from a page, now free for new rows.
|| SQL Server has grown a database file.
|| Shows that a 2-phase commit transaction was rolled back.
|| Write a header of a newly allocated database page.
||Identity’s New reseed values
|| Insert a row into a user or system table.
|| Data Definition Language change – table schema was modified.
|| Designate that an application has issued a ‘SAVE TRANSACTION’ command.
|| Designates that a row was modified as the result of an Update command.
|| A new data page created and has initialized the header of that page.
|| Row modification as a result of an Update command.
|| Transaction is in a 2-phase commit protocol.
|| Designates that the DBMS modified space allocation bits as the result of allocating a new extent.
|| Designates that a previously allocated extent has been returned to the free pool.
|| A sort begins with index creation. – SORT_END end of the sorting while creating an index.
|| Sorting extents as part of building an index.
|| The page split process has been dumped.
|| During the Checkpoint, open transactions were detected.
Please let me know about description’s missing values in above table. :)