Blog

Enable xp_cmdshell in SQL Server 2008

Banner will redirect to landing page with Certification Track courses.

Want to enable xp_cmdshell in SQL Server 2008? This fast and easy T-SQL script will do the trick without trying to find the setting using the MS SQL Management Studio Object Explorer. (If you insist on using Object Explorer you can find the switch for xp_cmdshell by right clicking on the server name, selecting "Facets", selecting "Server Configuration" in the Facet dropdown. "XPCmdShellEnabled" is at the bottom of the Facet Properties window).

EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
GO
RECONFIGURE
GO

8 Responses to “Enable xp_cmdshell in SQL Server 2008”

  1. John Rutledge June 28, 2012 at 1:30 pm #

    Great post, concise, accurate, exactly what I needed, I used the management studio->Facets..., worked immediately.

    Thanks

  2. dbo August 1, 2012 at 10:37 am #

    Outstanding! Glad to help!

  3. Ajay August 9, 2012 at 2:12 am #

    Great!!!!!!!! Thank u so much

  4. Joel September 26, 2012 at 9:14 am #

    When I try to QA, and run RECONFIGURE, I deployed. "Not supported ad hoc updates to system catalogs." When you try this option, I worked.

    Thanks

  5. Nguyen Van Binh November 6, 2012 at 1:34 am #

    Help me!
    I want to change the administrator password of windows server 2008 with SQL2008 xp_cmdshell command

  6. arif April 18, 2013 at 12:28 pm #

    I'm trying to disable xp_Cmdshell and rpc_out on sql 2008 windows(2008) platform. it has been disabled based on the output i get when i runn the command or procedure but when i run a security scan report it shows
    i need to disable getting confused can anyone provide tips.

    5 Microsoft SQL Server Database Link Crawling Command Execution

    QID:
    19824
    Category:
    Database
    CVE ID:
    -
    Vendor Reference
    -
    Bugtraq ID:
    -
    Service Modified:
    02/20/2013
    User Modified:
    -
    Edited:
    No
    PCI Vuln:
    Yes
    THREAT:
    Microsoft SQL Server is exposed to a remote command execution vulnerability.
    Affected Versions:
    Microsoft SQL Server 2005, 2008, 2008 R2, 2012 are affected.
    IMPACT:
    Successful exploitation could allow attackers to obtain sensitive information and execute arbitrary code.
    SOLUTION:
    There are no solutions available at this time. Workaround:
    Disable RPC_Out and xp_cmdshell for this issue.
    COMPLIANCE:
    Not Applicable
    EXPLOITABILITY:
    There is no exploitability information for this vulnerability.
    ASSOCIATED MALWARE:
    There is no malware information for this vulnerability.
    RESULTS:
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe Version is 2009.100.4000.0

  7. arif April 18, 2013 at 12:28 pm #

    I'm trying to disable xp_Cmdshell and rpc_out on sql 2008 windows(2008) platform. it has been disabled based on the output i get when i runn the command or procedure but when i run a security scan report it shows
    i need to disable getting confused can anyone provide tips.

    5 Microsoft SQL Server Database Link Crawling Command Execution

    QID:
    19824
    Category:
    Database
    CVE ID:
    -
    Vendor Reference
    -
    Bugtraq ID:
    -
    Service Modified:
    02/20/2013
    User Modified:
    -
    Edited:
    No
    PCI Vuln:
    Yes
    THREAT:
    Microsoft SQL Server is exposed to a remote command execution vulnerability.
    Affected Versions:
    Microsoft SQL Server 2005, 2008, 2008 R2, 2012 are affected.
    IMPACT:
    Successful exploitation could allow attackers to obtain sensitive information and execute arbitrary code.
    SOLUTION:
    There are no solutions available at this time. Workaround:
    Disable RPC_Out and xp_cmdshell for this issue.
    COMPLIANCE:
    Not Applicable
    EXPLOITABILITY:
    There is no exploitability information for this vulnerability.
    ASSOCIATED MALWARE:
    There is no malware information for this vulnerability.
    RESULTS:
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe Version is 2009.100.4000.0

  8. Omar April 6, 2014 at 11:59 pm #

    Gerat help!! thanks a lot.

Leave a Reply