
Why can't I get at a network file when I run a program from xp_cmdshell?

A. The reason is that the MSSQLSERVER service runs under its own, separate set of NT credentials. It doesn't matter who YOU are logged on as (after all, SQL Server runs quite happily when no one is logged on to the console, doesn't it?). Therefore your logon account and any mapped drives are irrelevant. It is SQL Server running the program (e.g. bcp), not you.

The default set of NT credentials used by MSSQLSERVER is the Localsystem account. You can check which account MSSQLSERVER is running under by looking at Control Panel/Services, highlighting MSSQLSERVER and choosing the start-up option.

The Localsystem account has no access to shares on the network as it isn't an authenticated network account.

So, if you want a program running under xp_cmdshell to access a network resource you have two choices :-

1, Change the account the MSSQLSERVER service runs under to a user account with the relevant network rights.

or

2, Amend the following registry value on the TARGET server and add the share name you want to access. The share then does not authenticate who is coming in, so a Localsystem account will work. The Server service on the target server must be restarted before the change takes effect. Note that this effectively removes security on that share, so you need to be careful about what is in the share.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares

Whichever method you use, you MUST use a UNC name to reference the resources required and not a drive letter.
e.g. xp_cmdshell 'dir \\server01\share'
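
A read-only audit of the two settings discussed above, as an added PowerShell example that is not part of the original FAQ. The function names are hypothetical; the first is meant to run on the SQL Server host and the second on the TARGET server, and nothing is changed on either machine.

```powershell
# Added example, not from the original FAQ. Function names are hypothetical.

function Get-SqlServiceAccount {
    # Run on the SQL Server host. 'MSSQLSERVER' is the service name used in the FAQ.
    param([string]$ServiceName = 'MSSQLSERVER')

    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq $ServiceName }
    if (-not $svc) { throw "Service '$ServiceName' not found on this machine." }

    [pscustomobject]@{
        Service       = $svc.Name
        RunsAs        = $svc.StartName
        # Per the FAQ: Localsystem is not an authenticated network account,
        # so programs started by xp_cmdshell cannot reach ordinary shares.
        IsLocalSystem = ($svc.StartName -eq 'LocalSystem')
    }
}

function Get-NullSessionShare {
    # Run on the TARGET server. Reports every share named in NullSessionShares,
    # i.e. every share that does not authenticate the caller.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $key -Name NullSessionShares -ErrorAction SilentlyContinue
    $names = @($value.NullSessionShares | Where-Object { $_ })   # drop empty entries

    $shares = Get-CimInstance -ClassName Win32_Share
    foreach ($name in $names) {
        $share = $shares | Where-Object { $_.Name -eq $name }
        [pscustomobject]@{
            Share  = $name
            # A name with no matching share is a stale registry entry worth removing.
            Exists = [bool]$share
            # Local folder exposed without authentication; review its contents.
            Path   = $share.Path
        }
    }
}

# On the SQL Server host:  Get-SqlServiceAccount
# On the target server:    Get-NullSessionShare | Format-Table -AutoSize
```

An empty result from Get-NullSessionShare means no share on that server has been opened up with option 2.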

Contributed by Neil Pike

