{"id":4305,"date":"2014-02-11T06:54:02","date_gmt":"2014-02-11T14:54:02","guid":{"rendered":"http:\/\/3.209.169.194\/blogs\/paul\/?p=4305"},"modified":"2014-02-11T06:54:02","modified_gmt":"2014-02-11T14:54:02","slug":"using-transaction-sid-transaction-log","status":"publish","type":"post","link":"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/","title":{"rendered":"More on using Transaction SID from the transaction log"},"content":{"rendered":"

Back in 2012 I blogged<\/a> about using fn_dblog<\/em> and fn_dump_dblog<\/em> to figure out the point at which something occurred that you’d like to restore to just before (e.g. a table drop). I also mentioned that you can use the SUSER_SNAME ()<\/em> function on on the [Transaction SID]<\/em> column for the LOP_BEGIN_XACT<\/em> log record of the operation to find out who performed the operation.<\/p>\n

Yesterday in our IE2 Performance Tuning class in Tampa, someone asked me what the [Transaction SID]<\/em> column would show if someone had run EXECUTE AS<\/em>. As I wasn’t 100% certain, I decided to test and write a quick blog post.<\/p>\n

First off I’ll set up a database and table to use:<\/p>\n

\r\nUSE [master];\r\nGO\r\nCREATE DATABASE [Test];\r\nGO\r\nALTER DATABASE [Test] SET RECOVERY SIMPLE;\r\nGO\r\nUSE [Test];\r\nGO\r\nCREATE TABLE [TestTable] ([c1] INT IDENTITY);\r\nGO\r\nINSERT INTO [TestTable] DEFAULT VALUES;\r\nGO 5\r\n<\/pre>\n
Next I’ll create a Kimberly user for a SQL login, and a Katelyn user for a Windows login:<\/p>\n
\r\n-- Create Kimberly login and user\r\nCREATE LOGIN [KimberlyLogin] WITH PASSWORD = 'NiceWife';\r\nCREATE USER [KimberlyUser] FOR LOGIN [KimberlyLogin];\r\nEXEC sp_addrolemember N'db_owner', N'KimberlyUser';\r\nGO\r\n\r\n-- Create Katelyn user\r\nCREATE USER [KatelynUser] FOR LOGIN [APPLECROSS\\Katelyn];\r\nEXEC sp_addrolemember N'db_owner', N'KatelynUser';\r\nGO\r\n<\/pre>\n
Now I’ll delete a single row as me and each of the users and logins:<\/p>\n
\r\n-- Delete as me\r\nDELETE FROM [TestTable] WHERE [c1] = 1;\r\nGO\r\n\r\n-- Now delete as Kimberly user\r\nEXECUTE AS USER = N'KimberlyUser';\r\nDELETE FROM [TestTable] WHERE [c1] = 2;\r\nREVERT;\r\nGO\r\n\r\n-- Now delete as Kimberly login\r\nEXECUTE AS LOGIN = N'KimberlyLogin';\r\nDELETE FROM [TestTable] WHERE [c1] = 3;\r\nREVERT;\r\nGO\r\n\r\n-- Now delete as Katelyn user\r\nEXECUTE AS USER = N'KatelynUser';\r\nDELETE FROM [TestTable] WHERE [c1] = 4;\r\nREVERT;\r\nGO\r\n\r\n-- Now delete as Katelyn login\r\nEXECUTE AS LOGIN = N'APPLECROSS\\Katelyn';\r\nDELETE FROM [TestTable] WHERE [c1] = 5;\r\nREVERT;\r\nGO\r\n<\/pre>\n
Finally I’ll pull the [Transaction SID]<\/em> for each of the delete operations and pass it into SUSER_SNAME ()<\/em>:<\/p>\n
\r\nSELECT\r\n\t[Operation], [Transaction Name], [Transaction SID],\r\n\tSUSER_SNAME ([Transaction SID]) AS [WhoDidIt?]\r\nFROM fn_dblog (NULL, NULL)\r\nWHERE [Operation] = N'LOP_BEGIN_XACT'\r\nAND [Transaction Name] = 'DELETE';\r\nGO\r\n<\/pre>\n
\r\nOperation       Transaction Name  Transaction SID                                             WhoDidIt?\r\n--------------- ----------------- ----------------------------------------------------------- -------------------\r\nLOP_BEGIN_XACT  DELETE            0x0105000000000005150000003A5014D05A957BF8F5C8882EE8030000  APPLECROSS\\paul\r\nLOP_BEGIN_XACT  DELETE            0x9A9A69BEACF67E4994E2F2DEE35BC02F                          KimberlyLogin\r\nLOP_BEGIN_XACT  DELETE            0x9A9A69BEACF67E4994E2F2DEE35BC02F                          KimberlyLogin\r\nLOP_BEGIN_XACT  DELETE            0x0105000000000005150000003A5014D05A957BF8F5C8882EFE030000  APPLECROSS\\Katelyn\r\nLOP_BEGIN_XACT  DELETE            0x0105000000000005150000003A5014D05A957BF8F5C8882EFE030000  APPLECROSS\\Katelyn\r\n<\/pre>\n
So the answer is that the log record contains the SID of who you’re executing as. The only way to tell who is really running the code would be through auditing.<\/p>\n
Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"
Back in 2012 I blogged about using fn_dblog and fn_dump_dblog to figure out the point at which something occurred that you’d like to restore to just before (e.g. a table drop). I also mentioned that you can use the SUSER_SNAME () function on on the [Transaction SID] column for the LOP_BEGIN_XACT log record of the […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35,98,100],"tags":[],"class_list":["post-4305","post","type-post","status-publish","format-standard","hentry","category-disaster-recovery","category-transaction-log","category-undocumented-commands"],"yoast_head":"\nMore on using Transaction SID from the transaction log - Paul S. Randal<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"More on using Transaction SID from the transaction log - Paul S. Randal\" \/>\n<meta property=\"og:description\" content=\"Back in 2012 I blogged about using fn_dblog and fn_dump_dblog to figure out the point at which something occurred that you’d like to restore to just before (e.g. a table drop). I also mentioned that you can use the SUSER_SNAME () function on on the [Transaction SID] column for the LOP_BEGIN_XACT log record of the […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/\" \/>\n<meta property=\"og:site_name\" content=\"Paul S. Randal\" \/>\n<meta property=\"article:published_time\" content=\"2014-02-11T14:54:02+00:00\" \/>\n<meta name=\"author\" content=\"Paul Randal\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Paul Randal\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/\",\"url\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/\",\"name\":\"More on using Transaction SID from the transaction log - Paul S. Randal\",\"isPartOf\":{\"@id\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/#website\"},\"datePublished\":\"2014-02-11T14:54:02+00:00\",\"author\":{\"@id\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/#\/schema\/person\/ffcec826c18782e1e0adf173826a7fce\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"More on using Transaction SID from the transaction log\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/#website\",\"url\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/\",\"name\":\"Paul S. Randal\",\"description\":\"In Recovery...\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/#\/schema\/person\/ffcec826c18782e1e0adf173826a7fce\",\"name\":\"Paul Randal\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0b6a266bba2f088f2551ef529293001bd73bf026bc1908b9866728c062beeeb6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0b6a266bba2f088f2551ef529293001bd73bf026bc1908b9866728c062beeeb6?s=96&d=mm&r=g\",\"caption\":\"Paul Randal\"},\"sameAs\":[\"http:\/\/3.209.169.194\/blogs\/paul\"],\"url\":\"https:\/\/www.sqlskills.com\/blogs\/paul\/author\/paul\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"More on using Transaction SID from the transaction log - Paul S. Randal","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/","og_locale":"en_US","og_type":"article","og_title":"More on using Transaction SID from the transaction log - Paul S. Randal","og_description":"Back in 2012 I blogged about using fn_dblog and fn_dump_dblog to figure out the point at which something occurred that you’d like to restore to just before (e.g. a table drop). I also mentioned that you can use the SUSER_SNAME () function on on the [Transaction SID] column for the LOP_BEGIN_XACT log record of the […]","og_url":"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/","og_site_name":"Paul S. Randal","article_published_time":"2014-02-11T14:54:02+00:00","author":"Paul Randal","twitter_misc":{"Written by":"Paul Randal","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/","url":"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/","name":"More on using Transaction SID from the transaction log - Paul S. Randal","isPartOf":{"@id":"https:\/\/www.sqlskills.com\/blogs\/paul\/#website"},"datePublished":"2014-02-11T14:54:02+00:00","author":{"@id":"https:\/\/www.sqlskills.com\/blogs\/paul\/#\/schema\/person\/ffcec826c18782e1e0adf173826a7fce"},"breadcrumb":{"@id":"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.sqlskills.com\/blogs\/paul\/using-transaction-sid-transaction-log\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.sqlskills.com\/blogs\/paul\/"},{"@type":"ListItem","position":2,"name":"More on using Transaction SID from the transaction log"}]},{"@type":"WebSite","@id":"https:\/\/www.sqlskills.com\/blogs\/paul\/#website","url":"https:\/\/www.sqlskills.com\/blogs\/paul\/","name":"Paul S. Randal","description":"In Recovery...","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.sqlskills.com\/blogs\/paul\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.sqlskills.com\/blogs\/paul\/#\/schema\/person\/ffcec826c18782e1e0adf173826a7fce","name":"Paul Randal","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.sqlskills.com\/blogs\/paul\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0b6a266bba2f088f2551ef529293001bd73bf026bc1908b9866728c062beeeb6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0b6a266bba2f088f2551ef529293001bd73bf026bc1908b9866728c062beeeb6?s=96&d=mm&r=g","caption":"Paul Randal"},"sameAs":["http:\/\/3.209.169.194\/blogs\/paul"],"url":"https:\/\/www.sqlskills.com\/blogs\/paul\/author\/paul\/"}]}},"_links":{"self":[{"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/posts\/4305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/comments?post=4305"}],"version-history":[{"count":0,"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/posts\/4305\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/media?parent=4305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/categories?post=4305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sqlskills.com\/blogs\/paul\/wp-json\/wp\/v2\/tags?post=4305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}