{
	"id": "d9280c92-a61a-42ca-8c48-d11081ab4cdd",
	"created_at": "2026-04-06T02:13:17.519341Z",
	"updated_at": "2026-04-10T13:11:39.558641Z",
	"deleted_at": null,
	"sha1_hash": "4343081213b6ddac6b6b25e7a179f2576a1d1efc",
	"title": "xp_cmdshell (Transact-SQL) - SQL Server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82265,
	"plain_text": "xp_cmdshell (Transact-SQL) - SQL Server\r\nBy markingmyname\r\nArchived: 2026-04-06 01:58:16 UTC\r\nApplies to: SQL Server\r\nSpawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text.\r\n Transact-SQL syntax conventions\r\nxp_cmdshell { 'command_string' } [ , NO_OUTPUT ]\r\nImportant\r\nArguments for extended stored procedures must be entered in the specific order as described in the Syntax section.\r\nIf the parameters are entered out of order, an error message occurs.\r\nThe string that contains a command to be passed to the operating system. command_string is varchar(8000) or\r\nnvarchar(4000), with no default. command_string can't contain more than one set of double quotation marks. A\r\nsingle pair of quotation marks is required if any spaces are present in the file paths or program names referenced\r\nin command_string. If you have trouble with embedded spaces, consider using FAT 8.3 file names as a\r\nworkaround.\r\nAn optional parameter, specifying that no output should be returned to the client.\r\n0 (success) or 1 (failure).\r\nExecuting the following xp_cmdshell statement returns a directory listing of the current directory.\r\nEXECUTE xp_cmdshell 'dir *.exe';\r\nGO\r\nThe rows are returned in an nvarchar(255) column. If the NO_OUTPUT option is used, only the following output is\r\nreturned:\r\nThe command(s) completed successfully.\r\nThe Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account.\r\nxp_cmdshell operates synchronously. Control isn't returned to the caller until the command-shell command is\r\ncompleted. 
If xp_cmdshell is executed within a batch and returns an error, the batch will fail.\r\nhttps://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017\r\nPage 1 of 4\n\nWhen it's called by a user that isn't a member of the sysadmin fixed server role, xp_cmdshell connects to\r\nWindows by using the account name and password stored in the credential named\r\n##xp_cmdshell_proxy_account##. If this proxy credential doesn't exist, xp_cmdshell fails.\r\nThe proxy account credential can be created by executing sp_xp_cmdshell_proxy_account. As arguments, this\r\nstored procedure takes a Windows user name and password. For example, the following command creates a proxy\r\ncredential for Windows domain user SHIPPING\\KobeR. Replace \u003cpassword\u003e with a strong password.\r\nEXECUTE sp_xp_cmdshell_proxy_account 'SHIPPING\\KobeR', '\u003cpassword\u003e';\r\nFor more information, see sp_xp_cmdshell_proxy_account.\r\nBecause malicious users sometimes attempt to elevate their privileges by using xp_cmdshell, xp_cmdshell is\r\ndisabled by default. Use sp_configure or Policy Based Management to enable it. For more information, see\r\nxp_cmdshell Server Configuration Option.\r\nWhen first enabled, xp_cmdshell requires CONTROL SERVER permission to execute and the Windows process\r\ncreated by xp_cmdshell has the same security context as the SQL Server service account. The SQL Server\r\nservice account often has more permissions than are necessary for the work performed by the process created by\r\nxp_cmdshell. To enhance security, access to xp_cmdshell should be restricted to highly privileged users.\r\nTo allow non-administrators to use xp_cmdshell, and allow SQL Server to create child processes with the\r\nsecurity token of a less-privileged account, follow these steps:\r\n1. 
Create and customize a Windows local user account or a domain account with the least privileges that your\r\nprocesses require.\r\n2. Use the sp_xp_cmdshell_proxy_account system procedure to configure xp_cmdshell to use that least-privileged account.\r\nNote\r\nYou can also configure this proxy account using SQL Server Management Studio by right-clicking\r\nProperties on your server name in Object Explorer, and looking on the Security tab for the Server proxy\r\naccount section.\r\n3. In Management Studio, using the master database, execute the following Transact-SQL statement to give\r\nspecific non-sysadmin users the ability to execute xp_cmdshell. The specified user must exist in the\r\nmaster database.\r\nGRANT exec ON xp_cmdshell TO N'\u003csome_user\u003e';\r\nNow non-administrators can launch operating system processes with xp_cmdshell and those processes run with\r\nthe permissions of the proxy account that you configured. Users with CONTROL SERVER permission (members\r\nof the sysadmin fixed server role) continue to receive the permissions of the SQL Server service account for child\r\nprocesses that are launched by xp_cmdshell.\r\nTo determine the Windows account being used by xp_cmdshell when launching operating system processes,\r\nexecute the following statement:\r\nEXECUTE xp_cmdshell 'whoami.exe';\r\nTo determine the security context for another login, execute the following Transact-SQL code:\r\nEXECUTE AS LOGIN = '\u003cother_login\u003e';\r\nGO\r\nEXECUTE xp_cmdshell 'whoami.exe';\r\nREVERT;\r\nThe following example shows the xp_cmdshell extended stored procedure executing a directory command.\r\nEXECUTE master..xp_cmdshell 'dir *.exe';\r\nThe following example uses xp_cmdshell to execute a command string without returning the output to the client.\r\nUSE master;\r\nEXECUTE xp_cmdshell 'copy 
c:\\SQLbcks\\AdvWorks.bck \\\\server2\\backups\\SQLbcks', NO_OUTPUT;\r\nGO\r\nIn the following example, the xp_cmdshell extended stored procedure also suggests return status. The return\r\ncode value is stored in the variable @result.\r\nDECLARE @result AS INT;\r\nEXECUTE @result = xp_cmdshell 'dir *.exe';\r\nIF (@result = 0)\r\n PRINT 'Success';\r\nELSE\r\n PRINT 'Failure';\r\nThe following example writes the contents of the @var variable to a file named var_out.txt in the current\r\nserver directory.\r\nDECLARE @cmd AS SYSNAME, @var AS SYSNAME;\r\nSET @var = 'Hello world';\r\nSET @cmd = 'echo ' + @var + ' \u003e var_out.txt';\r\nEXECUTE master..xp_cmdshell @cmd;\r\nThe following example writes the contents of the current directory to a file named dir_out.txt in the current\r\nserver directory.\r\nDECLARE @cmd AS SYSNAME, @var AS SYSNAME;\r\nSET @var = 'dir /p';\r\nSET @cmd = @var + ' \u003e dir_out.txt';\r\nEXECUTE master..xp_cmdshell @cmd;\r\nGeneral extended stored procedures (Transact-SQL)\r\nxp_cmdshell (server configuration option)\r\nSurface area configuration\r\nsp_xp_cmdshell_proxy_account (Transact-SQL)\r\nSource: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017"
	],
	"report_names": [
		"xp-cmdshell-transact-sql?view=sql-server-2017"
	],
	"threat_actors": [],
	"ts_created_at": 1775441597,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4343081213b6ddac6b6b25e7a179f2576a1d1efc.pdf",
		"text": "https://archive.orkl.eu/4343081213b6ddac6b6b25e7a179f2576a1d1efc.txt",
		"img": "https://archive.orkl.eu/4343081213b6ddac6b6b25e7a179f2576a1d1efc.jpg"
	}
}