When I execute the following statement in SQL Server 2008:
declare @s varchar(100)
set @s='dir'
exec sp_configure 'show advanced options',1
reconfigure
exec sp_configure 'xp_cmdshell',1
reconfigure
exec xp_cmdshell @s
It gives the following error:
execute xp_cmdshell error.invoke 'CreateProcess' failed,error code: '5'.
How can I fix this? I enabled the xp_cmdshell procedure, and I have given the folder read-write privileges.
I searched on the internet and found tips to add the domain user to the Administrator Group. But I still do not understand the principle. I would appreciate any insights. Thanks!
3 solutions
#1
1
Error code 5 means - access denied.
Please check whether the account used for the MSSQL service has rights on the command that you are trying to run.
#2
2
While this is likely very easy for many folks, I wasted an enormous amount of time doing this ... and the gotcha wasn't obvious ... hopefully this helps someone else.
(Tested on SQL2012)
Step 1: Actually enable the xp_cmdshell feature in SQL Server
USE master
Go
EXEC sp_configure 'show advanced options', 1
Go
RECONFIGURE
Go
EXEC sp_configure 'xp_cmdshell', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'show advanced options', 0
Go
RECONFIGURE
Go
Step 2: Run a dos "whoami /all" command using xp_cmdshell and our two service stop commands
EXEC xp_cmdshell 'whoami /all'
exec xp_cmdshell 'net stop MR2012ApplicationService';
exec xp_cmdshell 'net stop MR2012ProcessService';
Among other bits, this will show my execution context is "nt authority\network service S-1-5-20". The account shown has to have permissions to the service being restarted. The other two commands, both attempting to stop services, fail due to permissions:
System error 5 has occurred.
Access is denied.
Step 3: Using SUBINACL, let's look at the permissions on the service before we start. Because this is where I got in trouble, let's make sure we know the full path to SUBINACL.exe.
where SUBINACL
SUBINACL.exe /SERVICE MR2012ProcessService /DISPLAY
If you had the same problem I had, you will see the path to SUBINACL is wherever you might have previously extracted "Windows Server 2003 Resource Kit Tools" (this is my development machine) and is version 4.0.1.1604. That said, observe that "nt authority\network service" doesn't have permissions. Roger? Roger!
Step 4: Let's grant those permissions!
SUBINACL.exe /SERVICE MR2012ApplicationService /GRANT="nt authority\network service"=LQSTOP
SUBINACL.exe /SERVICE MR2012ProcessService /GRANT="nt authority\network service"=LQSTOP
Step 5: Pay close attention to the output of those two commands! Doesn't look like they did much, did it?
+SERVICE MR2012ApplicationService
/GRANT=nt authority\network service=LQSTOP
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 0
Hmmm. Well, since we looked at permissions BEFORE we started, let's see what they look like now:
SUBINACL.exe /SERVICE MR2012ProcessService /DISPLAY
Well, that is lame. It didn't work! Well, as it turns out, I wasted a HUGE amount of time trying all sorts of crazy business and the root of the problem is a known bug in SUBINACL!
Step 6: Let's go get the newest version and install it to C:\Dev\Tools:
https://www.microsoft.com/en-us/download/details.aspx?id=23510
After the install, let's check the path/version to the exe again.
where SUBINACL
Hmm, it is the same version, but there is a SUBINACL.exe.old now.
Step 7: Let's try those permission grants again! Output should now look like this:
MR2012ApplicationService : new ace for DOMAIN\MyProxyAccount
MR2012ApplicationService : 1 change(s)
Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : MR2012ApplicationService
There is one more wrinkle; the execution account will be the service account of SQL Server (i.e. nt authority\network service). However, if this is not desired, a proxy can be set up.
Step 8: A proxy account has to be set up like this:
EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\MyProxyAccount', '$ome$uper$ecureP@ssword';
To be clear, this isn't my setup, just my understanding of how it works.
Step 9: And of course, this proxy account has to have permissions:
C:\Dev\Tools\SUBINACL.exe /SERVICE MR2012ApplicationService /GRANT=DOMAIN\MyProxyAccount=LQSTOP
C:\Dev\Tools\SUBINACL.exe /SERVICE MR2012ProcessService /GRANT=DOMAIN\MyProxyAccount=LQSTOP
Also, the service account will need "Logon as a batch job" in local policies.
Regards,
Stuart
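An added read-only audit script (not part of the original answers) that reports what the steps in answer #2 depend on: whether xp_cmdshell is enabled, which Windows account the SQL Server services run as, whether a proxy credential exists, and who can call the procedure. It assumes SQL Server 2008 R2 SP1 or later (for sys.dm_server_services) and a login with VIEW SERVER STATE permission.

```sql
-- Added example: read-only audit of the xp_cmdshell execution context.
-- Run in SSMS or sqlcmd; it changes no configuration.
USE master;
GO

-- 1. Is xp_cmdshell enabled? configured_value and running_value differ
--    when RECONFIGURE has not been run after sp_configure.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Windows account of each SQL Server service. sysadmin members who call
--    xp_cmdshell run as the Database Engine's account, so that account's
--    rights on the target (folder, service) decide whether error 5 occurs.
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services;

-- 3. Proxy credential created by sp_xp_cmdshell_proxy_account. Callers who
--    are not sysadmin run as this Windows account instead.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 4. Principals explicitly granted or denied EXECUTE on xp_cmdshell.
SELECT pr.name AS principal_name,
       pr.type_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- 5. Members of sysadmin, who can run xp_cmdshell without any grant.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```

An empty result from query 3 means no proxy is configured, so only sysadmin members can run xp_cmdshell and they do so as the account shown in query 2.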
#3
0
You can do this from SQL Server Management Studio as follows:
Right-click the server and choose Facets. Select the facet Surface Area Configuration. Set the property XPCmdShellEnabled to True, then create a proxy account.