How to scan for SQL installation

Comments

14 comments

  • Brad McClave

    Have you tried doing it based on installed applications?

  • Kevin Tucker

    Yes, I have. Unfortunately there are too many application names that have the words SQL Server in them, so I get a lot of false positives.

  • Brad McClave

    Looking at the pre-built scanner, it shows ** preceding the *.exe. Perhaps try the ** preceding your sqlservr.exe?

    Available Wildcards: **\ - Current and All Subdirectories.

  • Avi Solomon

    Have you considered querying the list of services in the registry instead? All services are in HKLM\System\CurrentControlSet\Services, so you can grab the item named MSSQLSERVER (if it's a full SQL). There may be a modified version for SQL Express or for instances - but either way, you could grab anything with SQL to start and then whittle it down to only the names/objects you care about. The DisplayName key will tell you the name of SQL and the ImagePath will give you the path to the executable. It would be interesting to see what it looks like on a machine where the service is using an instance and also where there could be multiple instances on the same server. Hope that helps.

  • Kevin Tucker

    Changed it to ?:**\sqlservr.exe. Waiting for the scan to run. I'll let you know how it turns out.

  • Kevin Tucker

    Worth a try. Create a registry scan for HKLM\SOFTWARE\Microsoft\MSSQLServer**. Waiting for the scan to run. I'll let you know how it turns out.

  • Kevin Tucker

    This worked!

  • Kevin Tucker

    This also worked!

  • Kevin Tucker

    Thanks for your help, Avi & Brodiemac!

  • Kevin Tucker

    So this seemed to work. At least, I am now getting matches to my query for files with the name sqlservr.exe. However, it is giving me a bunch of false positives. I did a manual file search on a machine that I know does not have SQL Server installed, but does show up in the list, and found this: C:\Windows\WinSxS\amd64_microsoft-windows-wid_31bf3856ad364e35_10.0.14393.0_none_d51f72c5729800a5\sqlservr.exe. So apparently SxS has a copy of SQL hidden away for some reason.

  • Kevin Tucker

    This, I think, will be my answer. The scan completed successfully and I can now filter on MSSQLServer in the path and the list it provides is quite promising.
    Thanks!

  • Avi Solomon

    You may want to look for MSSQL$ also, I believe. That will show you SQL with Instances (if you're familiar with SQL instances).

  • Kevin Tucker

    OK. We don't generally use instances, but it's good to know. Thanks!

  • Avi Solomon

    OK. Keep in mind that some small apps that need a backend DB may use SQL Express and may install a small SQL Server with an instance specific to the app.

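The services-key approach discussed in this thread (MSSQLSERVER for a default instance, MSSQL$ names for named instances, with DisplayName and ImagePath read from each key) can be checked locally with a short read-only script. This is an added example, not code from any participant in the thread; it assumes it is run on the machine being inventoried with read access to HKLM, and the output property names are illustrative.

```powershell
# Added example: read-only inventory of SQL Server engine services from the registry.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# MSSQLSERVER = default instance; MSSQL$<name> = named instance (SQL Express included).
# Anchoring the pattern avoids matching every service that merely contains "SQL".
$enginePattern = '^(MSSQLSERVER|MSSQL\$.+)$'

$found = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $enginePattern } |
    ForEach-Object {
        $name  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $image = [string]$props.ImagePath

        # ImagePath usually looks like: "C:\...\Binn\sqlservr.exe" -sINSTANCE
        # Strip the quotes and arguments to get the executable path alone.
        $exe = if ($image -match '^"([^"]+)"') { $Matches[1] } else { $image -replace '(?i)(\.exe).*$', '$1' }

        $instance = if ($name -eq 'MSSQLSERVER') { '(default)' } else { $name.Substring(6) }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Service         = $name
            Instance        = $instance
            DisplayName     = $props.DisplayName
            Executable      = $exe
            # A registered service whose binary is gone is a leftover, not an install.
            ExeExists       = [bool]$exe -and (Test-Path -LiteralPath $exe)
            # Flags binaries that ship inside the Windows directory, like the
            # WinSxS copy of sqlservr.exe reported earlier in the thread.
            UnderWindowsDir = $exe -like "$env:windir\*"
        }
    }

if ($found) {
    $found | Sort-Object Service | Format-Table -AutoSize
} else {
    Write-Output "No SQL Server engine services registered on $env:COMPUTERNAME"
}
```

Rows with UnderWindowsDir set to True are the ones to review before counting a machine as a SQL Server host.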
