Home Forums SQL Server 2008 SQL Server 2008 Administration Using ::fn_dblog() to find who deleted the rows in a table. RE: Using ::fn_dblog() to find who deleted the rows in a table.

  • November 8, 2012 at 3:02 pm

    #1557373

    dedicatedtosql (11/8/2012)

    Hi All,

    Recently some one deleted some rows from a table. I was asked to find out who did it. Since the log has not been backed up since the time the DB was created I took the help of undocumented Table valued function ::fn_dblog() which gives me the contents of the active portion of the log.

    I filtered on AlocUnitName and operation column.

    Allocunitname being the table name and OPERATION being the 'LOP_DELETE_ROWS'.

    I was looking fior the column TRANSACTION SID to find out the SID of the user that started the transaction that deleted the rows. I did get it.

    But the problem is the value of the SID is 0x01 which is the dbo user. It is evident that a server level login with sysadmin privilages did the delets. Is there any way I can find out the server login mapped to the dbo user?

    Any idea would be appriciated.

    0x01 is always SA. Not going to provide much in the way of help there I'm afraid.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/