Profiler: unknown login (ServerName$) doing periodic admin queries RRS feed

  • Question

  • Hi,

    - SQL2K Enterprise, Cluster 2 Nodes, Active / Passive
    - Windows 2003 Enterprise
    - Microsoft Operation Manager installed

    In Profiler, every minute, there are a dozen of lines doing various queries which look like administrative maintenance.:

    EventClass: SQL:BatchCompleted
    ApplicationName =  SQLDMO_nnn (nnn seems to be random number)
    NTUserName: myServer$ (if server name = SnowFlake, login is SNOWFLAKE$)
    LoginName: myDomain\myServer$

    TextData contains various queries, here is an example made on a user DB (each line represents a record in Profiler trace having the same properties listed above)

    - USE myDB1
    - exec sp_spaceused

    - SELECT groupid, groupname, FILEGROUPPROPERTY( f.groupname, N'IsReadOnly' ), FILEGROUPPROPERTY( f.groupname, N'IsPrimaryFG' ),     FILEGROUPPROPERTY( f.groupname, N'IsDefault' ) FROM dbo.sysfilegroups f

    - SELECT o.fileid, o.name, o.filename, o.groupid, o.size, o.maxsize, o.growth, o.status FROM dbo.sysfiles o WHERE o.groupid = (SELECT u.groupid FROM dbo.sysfilegroups u WHERE u.groupname = N'PRIMARY') and (o.status & 0x40) = 0

    - SELECT fileid, name, filename, size, growth, status, maxsize FROM dbo.sysfiles WHERE (status & 0x40) <> 0

    When it comes to master DB, the series of TextData is different:

    - select @@microsoftversion
    - select loginname from dbo.sysusers u, master.dbo.syslogins l where u.name = user and u.sid = l.sid
    - exec sp_MSdbuserpriv N'ver'

    Question 1: What is this mysterious login? Where does that come from? Why don't I see it in Enterprise Manager?

    Question 2: What do the activities above represent?

    Question 3: Which kind of application is allowed to use this MyServer$ login? There are two more applications I have seen so far. Besides the SQLDMO_xxx applications, there are also "Microsoft Operation Manager" and "PKM". I guess that MOM was doing its monitoring job. But what is PKM? This application seems to do "exec sp_fulltext_getdata"

    Thank you very much in advance for any help.
    Wednesday, January 30, 2008 9:28 PM

All replies

  • The login name is the login that lets a service execution under the other servers NT Authority\System account access the sql server on another machine.  To track this backwards, go to that server, and look at the services that run under the NT Authority\System account that use a database.  I am guessing it is likely that the PKM is your Full Text Engine running to update the data in FTI's. 


    Thursday, January 31, 2008 1:10 AM
  •  Jonathan Kehayias wrote:
    The login name is the login that lets a service execution under the other servers NT Authority\System account access the sql server on another machine.

    Understood for PKM application to perform its FullText activities. For the remaining, sorry but I am still confuse. Does that mean:

    1- There is another server (other than MyServer)
    2- It uses its own NT Authority\System (LocalSystem ?) account
    3- To access the SQL Server 2000 on myServer?

    I have reviewed the Services on both Node1 and Node2 of the cluster. Services on Node1 (the active one) seems to be OK, nothing out of the ordinary. Node2 has "Microsoft Operation Manager (MOM)" service executing under LocalSystem. Would that be this MOM Service that author of all the requests under the MyServer$ login?

    Thursday, January 31, 2008 4:57 PM
  • It is possible that it is mom.  I can't tell you for certain without digging into your server directly.  Let me look at some things on our development environment, and I will get back to you on what you can check to try and isolate this and or eliminate it.

    Thursday, January 31, 2008 6:56 PM
  • PKM - Publishing and Knowledge Management Collaboration that are related to Data Objects.

    This is initiated when MSSEARCH service runs and if you have fulltext enabled & running, you will see such activity, so now you have to see what are the privileges for FULLTEXT account.


    Thursday, January 31, 2008 7:10 PM