Can anyone help me solve this:
A transaction occurred on one of the important databases.75000 rows were
updated with one value in a field of one table. It was almost a major
disaster. As I began to investigate, it started to look like something
other than a system or programming fault.
It became top priority to find out who did this update (and to repair it).
Restoring and rolling forward was not an option as there were many
legitimate transactions since this one.
I used a tool called log explorer to find any clues. I found out that the
update was done by 'dbo'. This narrows it down to anyone in the group
called BuiltinAdmins - or possibly Global Admins. I can use Log explorer to
look back and find out what changes were made to what tables, etc. Is there
a system table that would tell me who connected to that database at that
time (I know the exact time of the transaction)?
I have looked at teh NT logs and they only tell me actual logins to that
box. I believe this was done via Query Analyser. Is there anywhere it
would be reported as to who was actually connecting to that database - or
hopefully who ran the query (I believe I may know exactly what the query
What if I restore to an exact point in time (when it happened) on a dummy
db. Would I then be able to look at any system tables to see a snapshot of
who was connected, etc?
By the way, the backups and transaction log backups are on tape. Does
anyone know any way of getting the log file off the tape (NSE Backup Exec)
without actually restoring it?
Is there any way of restoring to a point in time and then replaying the
transactions and running profiler or something...?
Is there anything at all I can do?
Any help appreciated.
Please do not hesitate to send suggestions. I am working on this right now
and really do need to sort it out.