THE SQL Server Blog Spot on the Web


Ben Miller

Finding out who stopped SQL Server

This is the latest quest of the day.  I am appealing to all those that have a great handle on how Windows events happen and whether or not they are kept or just logged.  If you get an event in the Event Viewer that indicates that "Service Control Manager" stopped SQL Server, there is no indication of the user that did it.

Is there a way to capture that after the fact? Or in other words, does Windows store that anywhere that you can get to after it has come back up?  Windows has not been restarted, but SQL Server has.

Any ideas of how to find out who stopped and started SQL Server would be great.

Published Thursday, July 10, 2008 1:31 PM by dbaduck


Comments

 

Cooper said:

Is SQL Server clustered?

July 10, 2008 3:25 PM
 

alphatross said:

It's not perfect (and only works if the culprit had an interactive logon to the server), but here's what I do: find an event for an RDP logon from around the same time, or another event that has the IP address of the originating server. Then a command like "nbtstat -a <IP-Address>" will show the user who is logged on to that machine. Another option is to mine through the Security Log for Logon/Logoff events around the time the service was stopped. Still, it's bad that the service control event doesn't show who stops a service, isn't it!

July 11, 2008 7:40 AM
 

Vishal Gandhi said:

Look in the System Log, copy the entire details and post them; you will notice the user. Will this help?

Event Type: Information

Event Source: Service Control Manager

Event Category: None

Event ID: 7035

Date: 7/14/2008

Time: 1:02:02 AM

User: vishalgandhi

Computer: xxxxxxxxxxxx

Description:

The SQL Server (MSSQLSERVER) service was successfully sent a stop control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

July 14, 2008 2:06 AM
 

Raymond said:

Vishal Gandhi - excellent advice - thanks we found our culprit.

April 7, 2010 9:24 AM
 

Arpita said:

vishal@ thank you

It's a really good post and it really works.

January 6, 2011 1:09 AM
 

Mikhail said:

Event Type: Information

Event Source: Service Control Manager

Event Category: None

Event ID: 7035

Date: 21.12.2011

Time: 2:31:28

User: NT AUTHORITY\SYSTEM

Computer:c-sadmksad

The SQL Server Agent (***) service was successfully sent a stop control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

We see that user = system, but how can we recognize the process name which called the stop command?

December 21, 2011 6:38 AM
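
The System log lookup described in Vishal Gandhi's comment, with the NT AUTHORITY\SYSTEM case from Mikhail's comment flagged, as an added PowerShell example (not part of the original post or comments). It assumes Get-WinEvent is available on the server, that event messages are in English, and that Event ID 7035 is being logged there; the 48-hour window and the 'SQL Server' name filter are illustrative choices.

```powershell
# Added example: list "stop control" records (Event ID 7035) written by the
# Service Control Manager, with the account stored in each event's User field.
# Assumptions: 48-hour look-back, English message text, 'SQL Server' name filter.

$since = (Get-Date).AddHours(-48)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7035
    StartTime    = $since
}

# Get-WinEvent raises an error when nothing matches; suppress it so an empty
# result simply prints nothing.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*SQL Server*' -and $_.Message -like '*stop control*' } |
    ForEach-Object {
        $account = '(no user recorded)'
        if ($_.UserId) {
            try {
                # UserId is a SID; resolve it to DOMAIN\user where possible.
                $account = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $_.UserId.Value   # unresolvable SID, show it raw
            }
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = $account
            # S-1-5-18 is LocalSystem: the stop came from a service or other
            # SYSTEM-context process, so the User field names no person.
            IsSystem    = [bool]($_.UserId -and $_.UserId.Value -eq 'S-1-5-18')
            Message     = $_.Message
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

Rows with IsSystem set to True correspond to the situation in Mikhail's comment: the record alone does not name the calling process, so those timestamps are the ones to correlate with other logs.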


About dbaduck

Ben Miller is a Senior Database Administrator for HealthEquity in Draper, UT. He has been working with SQL since SQL Server 6.0 (1998) and has had a variety of roles in his career, including SQL Support and MVP Lead at Microsoft.