In my previous post, I needed to get into a vendor SQL Server 2000 database that was locked down. For this situation, I am trying to access another database from the same vendor, but for this system, they are using SQL Server 2005 Express Edition.
Again, due to the same draconian policies from the vendor, the program actually removes the Builtin\Administrators group and customises the SA login during installation and forces me to use their front-end to do anything with the data.
I tried using the previous method of using a memory dump of the SQL session in memory, however it didn’t work, so I had to find another way. This time instead of finding out what the SA password was, I decided to find a quicker method of just creating my own login that would have sysadmin access.
There is an important feature in SQL Server 2005 that allows us to do this with simplicity. If you start the server in Single User Mode, anyone in the machines administrators group can actually login with sysadmin privileges. Hence, once you are logged into the SQL Server, then you can create your own login with sysadmin access.
Here is an example:
- Log on to the machine with an account that is part of the Administrators group.
- Open up a command-line window and stop SQL Server using:
net stop MSSQL$SQLEXPRESS (or your service name)
- Next, start the SQL Server in Single User mode:
net start MSSQL$SQLEXPRESS /m
- With the server running, you can use SSMS to login and create a new login, or you use osql. Since SSMS is pretty straight forward, I will demonstrate using osql.
First connect to the server:
osql -S locahost\SQLEXPRESS -E
(-S specifies the server\instance, -E is needed for trusted authentication)
- Then create the new login:
CREATE LOGIN newSA WITH PASSWORD='n3ws@password'
EXEC SP_ADDSRVROLEMEMBER 'newSA','SYSADMIN'
- Once that’s done, stop the server and restart it without the /m flag.
- Now login with the new account!