Archive
Learn How to Find Who Deleted Records in SQL Server
Query 1: “Hello friends, I am writing for the first time hoping that some of the learned friends can help me sort out the problem. Some of the tables of my SQL database are accessible to other users too. Yesterday, I noticed that certain rows got missing from the database table. How to find who deleted those rows from that table? Please help me with some genuine method.”
Query 2: “I received a query from a database user who wants to know “how to find who deleted records in SQL Server”. Here, I am talking about the Express edition of database. As per my assumption, this data can be found in the LDF file (if it has not been truncated). If I am correct, tell me how to find out this particular information from LDF file.”
If you want to know how to find out who deleted records from SQL Server, these queries may look familiar. Hundreds of users like these are looking for a way to identify who deleted SQL data and caused them serious problems. If you are one of them, read on: this post describes a method for locating who deleted SQL Server records.
How to Find Who Deleted Records in SQL Server
The record of which user deleted data from SQL Server is stored in the transaction log file. To recover it, you need to read that information from the LDF file of your SQL database. For this, you will need a SQL transaction log viewer that can open and read LDF file data. Here is how to read log file data using this software.
a. Install and start the SQL Log Analyzer tool on your Windows system. Click on Open to add your log file.
b. A dialog box will appear with two tabs, Online Database and Offline Database. Here we show the procedure for reading the log file from an online database. Select the Online DB Options tab and choose the Server name from the list. Also select the Authentication mode and select the Database from the list. Click OK when done.
c. The software will scan the LDF file and prompt when it is finished. Click OK.
d. It will display the summary of LDF file including counts of records, inserts, updates, and deletes. Again, click OK.
e. Now, you will see the complete LDF file data on the software screen. Any record can be previewed.
f. Users can sort the LDF file entries by Transaction, Login Name, Time, Table Name, and Transaction Name.
g. Click on any table entry to select it and preview the corresponding log entry for that operation. If you want to know who deleted a record, click on the Delete transaction of that record. You will be able to see the Login Name of the person who deleted that data.
h. If you wish to export these data, check the boxes beside the necessary tables and click on Export.
i. Another dialog box will appear where you can apply record type filter, date filter, Export To/As, Database Credentials for Source database, and Destination Database.
j. Click on Export button when all the fields are filled properly.
k. The tool will export the selected data and upon finishing, prompt the users. Click OK.
l. The software will also display a report which you can save as CSV file for reference.
Note: Besides analyzing Log file data, this software can also retrieve deleted data if the database is in simple recovery mode.
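For an online database, the same question can also be asked of the transaction log directly from T-SQL. The query below is an added example, not part of the original post or of the tool it describes; `dbo.Customers` is a hypothetical table name, and `sys.fn_dblog` is an undocumented SQL Server function.

```sql
-- Added example: dbo.Customers is a hypothetical table name.
-- Run in the affected database. sys.fn_dblog is undocumented and reads the
-- online log only, so records truncated after a checkpoint (simple recovery)
-- or after a log backup are no longer visible to it.
DECLARE @Table SYSNAME = N'dbo.Customers';

WITH DeleteRecords AS (
    -- One log record per deleted row (and per affected index) in each transaction
    SELECT [Transaction ID], COUNT(*) AS DeleteLogRecords
    FROM sys.fn_dblog(NULL, NULL)
    WHERE Operation = 'LOP_DELETE_ROWS'
      AND (AllocUnitName = @Table OR AllocUnitName LIKE @Table + N'.%')
    GROUP BY [Transaction ID]
)
SELECT
    b.[Transaction ID],
    b.[Transaction Name],
    b.[Begin Time],
    SUSER_SNAME(b.[Transaction SID]) AS LoginName,  -- NULL if the SID no longer resolves
    d.DeleteLogRecords
FROM DeleteRecords AS d
JOIN sys.fn_dblog(NULL, NULL) AS b
  ON b.[Transaction ID] = d.[Transaction ID]
 AND b.Operation = 'LOP_BEGIN_XACT'   -- the begin record carries the time and the login SID
ORDER BY b.[Begin Time];
```

The login shown is the one the session authenticated as, so a shared application account identifies the application rather than the person behind it.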
Conclusion
SQL databases often contain essential information, and deletion of such data causes great inconvenience. This post therefore answered the question of how to find who deleted records in SQL Server. Using SQL Log Analyzer, users can open the LDF file and find out who performed any particular transaction such as Insert, Update, or Delete.
Calculating Datetime Based on NT Time
A colleague of mine gave me an interesting challenge today. I am by no means a T-SQL expert, however it was interesting dissecting the problem.
Given the time 128271382742968750, what does it mean? How do we read it?
We can use the command-line utility w32tm.exe with the following command to get the exact time:
w32tm.exe /ntte 128271382742968750
In return we get:
148462 05:57:54.2968750 – 6/24/2007 8:57:54 AM (local time).
Problem SOLVED!
Well, not quite: this doesn’t translate well to the many gigs of data that my friend wanted to convert. So, reading KB555936, I started breaking down the timestamp above.
- Multiply 128271382742968750 by 100 to get 12827138274296875000, because the time is recorded as the number of 100 ns intervals that have ticked by since January 1, 1601.
- Next, divide 12827138274296875000 by 1,000,000,000 to get the number of seconds passed since January 1, 1601. We get 12,827,138,274.2968750.
- We can ignore everything after the decimal point; that is the number of ms passed (which we don’t care about).
- Unfortunately, we cannot use the DATEADD function in SQL Server directly to calculate the date, because in SQL Server we can go back only to 1/1/1753. So we need to calculate the number of seconds passed from 1/1/1601 to 1/1/1753 and subtract that from our total.
- And that is 4,796,668,800 seconds (you can take my word for it, or calculate it using PowerShell script, below).
- So we take the number calculated in step 3 and subtract 4,796,668,800 from it, to get 8,030,469,474 seconds passed since 1/1/1753. Now we can use our DATEADD!!! Yeah? Right?
- Umm, unfortunately NO. The DATEADD function accepts an integer parameter, and that number is too big, so we get an overflow error :(.
- So we have to do some additional math: we take that number and divide by 60 to get the number of minutes passed. We get 133,841,157.90.
- Now the .90 is important as we’ll need to calculate the seconds; so don’t forget it. But we can now pass in the above value to get the date.
- SELECT DATEADD(Minute,133841157.90,'1753/1/1'); almost done. The DATEADD function truncates any decimal value, so we do not get the number of seconds passed.
- So now we have to add the number of seconds to the puzzle. We can do that using SELECT DATEADD(Second,.90*60,DATEADD(Minute,133841157.90,'1753/1/1')).
- Now we have our final answer of 2007-06-24 05:57:54 :).
- Just for the heck of it, if we wanted ms also, the answer should be
SELECT DATEADD(MILLISECOND,0.2968750*1000,DATEADD(Second,.90*60,DATEADD(Minute,133841157.90,'1753/1/1'))).
So there you have it, NT time in normal time using T-SQL :). Lots of work, but possible heh.
SQL Server script to calculate the NT time in readable formatting using T-SQL, combining all 12 steps into a single step:
DECLARE @NTTime BIGINT
DECLARE @TimeSkip BIGINT
DECLARE @BaseTime DATETIME
SET @NTTime = 128271382742968750
-- Number of 100 ns ticks between 1/1/1601 and 1/1/1753
SET @TimeSkip = 47966688000000000
SET @BaseTime = '1753/1/1 0:00:00.000'
-- 600000000 ticks = 1 minute: add the whole minutes first, then the leftover seconds.
-- DATEADD takes an int, so the BIGINT minute count is cast explicitly.
SELECT DATEADD(SECOND,
       ((((@NTTime - @TimeSkip)*1.0)/600000000)-ROUND(((@NTTime - @TimeSkip)/600000000),0,1))*60,
       DATEADD(MINUTE,CAST((@NTTime - @TimeSkip)/600000000 AS INT),@BaseTime)) AS NormalTime
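For the "many gigs of data" case, the conversion can be applied to a whole column at once. The following is an added example, not part of the original post, and it goes beyond the single-value script: it assumes SQL Server 2008 or later, where DATETIME2 reaches back past 1601 so no 1753 offset is needed. The table variable, column names and sample rows are constructed for illustration.

```sql
-- Added example: @Events, EventId and NtTime are hypothetical names;
-- the rows are constructed sample data.
DECLARE @TicksPerSecond BIGINT = 10000000;        -- one tick = 100 ns
DECLARE @TicksPerDay    BIGINT = 864000000000;    -- 86400 s * 10000000
DECLARE @MaxTicks       BIGINT = 2650467743999999999; -- last tick of 9999-12-31

DECLARE @Events TABLE (EventId INT PRIMARY KEY, NtTime BIGINT NULL);
INSERT INTO @Events (EventId, NtTime) VALUES
    (1, 128271382742968750),   -- the value worked through in the post
    (2, 0),                    -- the epoch itself (tick 0)
    (3, 9223372036854775807),  -- beyond the DATETIME2 range
    (4, NULL);

-- DATEADD does not accept BIGINT, so the tick count is split into
-- days, seconds within the day and nanoseconds within the second;
-- each part fits in an INT and is cast explicitly.
SELECT
    e.EventId,
    e.NtTime,
    CASE
        WHEN e.NtTime BETWEEN 0 AND @MaxTicks
        THEN DATEADD(NANOSECOND, CAST((e.NtTime % @TicksPerSecond) * 100 AS INT),
             DATEADD(SECOND,     CAST((e.NtTime % @TicksPerDay) / @TicksPerSecond AS INT),
             DATEADD(DAY,        CAST(e.NtTime / @TicksPerDay AS INT),
                     CAST('1601-01-01' AS DATETIME2(7)))))
        ELSE NULL  -- negative, NULL or out-of-range values do not abort the query
    END AS UtcTime
FROM @Events AS e
ORDER BY e.EventId;
```

The result is in UTC, like the first timestamp in the w32tm output, and keeps the full 100 ns precision of the source value.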
PowerShell script to find the time passed between 1/1/1601 and 1/1/1753:
[DateTime]$LowDateRange = '1/1/1601'
[DateTime]$HighDateRange = '1/1/1753'
$HighDateRange.Subtract($LowDateRange)