Re: SQL 2005 Profiler



Since both of us are not in office and for sure neither one of us that uses
profiler as shown in the log. My question is: Is there any possibility that
the logs is triggered by SQL itself besides human?

Traces can be run independently of Profiler using sp_trace* stored procedures so Profiler may or may not be involved. Only sysadmins and persons with ALTER TRACE can run traces, though. IMHO, a larger issue is that unknown user is able to elevate their permissions to sysadmin without your knowledge.

7:12:20 Driver Microsoft Office Document Image Writer Driver required for
printer Microsoft Office Document Image Writer is unknown. Contact the
administrator to install the driver before you log in again.

I've seen the messages generated when a Remote Desktop session login occurs. Check the security log to see the Windows login events in the time period. Perhaps the person is logging in via Remote Desktop and using Profiler.

If it is an intruder works, where can I look for more traces leave behind by
intruder?

You can list current created and running traces with fn_trace_getinfo:

SELECT *
FROM fn_trace_getinfo(DEFAULT)

Note that if the default trace is enabled, it is directed to the SQL Server log folder (usually trace id 1). In fact, the default trace might help you identify the culprit with a fn_trace_gettable query like the example below:

SELECT SessionLoginName, *
FROM fn_trace_gettable('C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_240.trc', DEFAULT)
WHERE TextData LIKE '%sp[_]trace[_]setstatus%'

See the Books Online for more information.

--
Hope this helps.

Dan Guzman
SQL Server MVP
http://weblogs.sqlteam.com/dang/

"Jonathan Chong" <j0nathon@xxxxxxxxxxx> wrote in message news:%23YSkKrcqIHA.2256@xxxxxxxxxxxxxxxxxxxxxxx
I found below entries in Event Viewer's Application Log and System Log which
worries me as I know for sure that
there is no one login to SQL and use profiler on that time. There are only
two of us have the access to the SQL server and it is firewalled to only
allow office's IP to SQL 2005 server (on Windows 2003 server).

Application Log:
7:24:39 Login failed for user 'sa'. [CLIENT: <local machine>]
7:29:03 SQL Trace ID 2 was started by login "sa".
7:30:56 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
7:46:07 SQL Trace ID 2 was started by login "sa".
7:46:35 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
7:49:03 SQL Trace ID 2 was started by login "sa".
7:49:12 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
7:49:31 SQL Trace ID 2 was started by login "sa".
7:49:46 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.

System Log:
7:12:20 Driver Microsoft Office Document Image Writer Driver required for
printer Microsoft Office Document Image Writer is unknown. Contact the
administrator to install the driver before you log in again.
7:12:21 Driver Microsoft XPS Document Writer required for printer Microsoft
XPS Document Writer is unknown. Contact the administrator to install the
driver before you log in again.
7:45:01 Driver Microsoft Office Document Image Writer Driver required for
printer Microsoft Office Document Image Writer is unknown. Contact the
administrator to install the driver before you log in again.
7:45:02 Driver Microsoft XPS Document Writer required for printer Microsoft
XPS Document Writer is unknown. Contact the administrator to install the
driver before you log in again.
7:59:13 Driver Microsoft Office Document Image Writer Driver required for
printer Microsoft Office Document Image Writer is unknown. Contact the
administrator to install the driver before you log in again.

Since both of us are not in office and for sure neither one of us that uses
profiler as shown in the log. My question is: Is there any possibility that
the logs is triggered by SQL itself besides human?

If it is an intruder works, where can I look for more traces leave behind by
intruder?

Jon



.



Relevant Pages

  • SQL 2005 Profiler
    ... 7:12:20 Driver Microsoft Office Document Image Writer Driver required for ... printer Microsoft Office Document Image Writer is unknown. ...
    (microsoft.public.sqlserver.security)
  • Re: TermServDevices
    ... > Driver Microsoft Office Document Image Writer Driver required for printer ... > Microsoft Office Document Image Writer is unknown. ... You're connecting to the server via Remote Desktop Connection/Terminal ...
    (microsoft.public.windows.server.sbs)
  • TermServDevices
    ... Driver Microsoft Office Document Image Writer Driver required for printer ... Microsoft Office Document Image Writer is unknown. ...
    (microsoft.public.windows.server.sbs)
  • image writer error
    ... Driver Microsoft Office Document Image Writer Driver required for printer ... Microsoft Office Document Image Writer is unknown. ...
    (microsoft.public.windows.server.sbs)
  • Re: TDBC documentation, examples, syntax?
    ... current SQL standards. ... for variable binding at the Tcl level. ... API, I'd probably use Oracle's bound session variables and pass ... As a convenience for driver writers, ...
    (comp.lang.tcl)