FIX: Running RESTORE VERIFYONLY logs a CREATE DATABASE event in a server audit specification that uses DATABASE_CHANGE_GROUP in SQL Server

Aplica-se a: SQL Server 2014SQL Server 2016SQL Server 2017 on Linux


Assume that you set up a Microsoft SQL Server audit to have a server audit specification that uses the DATABASE_CHANGE_GROUP event. When a user runs RESTORE VERIFYONLY on a database backup file, the CREATE DATABASE permission is logged to the Audit log.


The CREATE DATABASE permission is required to run RESTORE VERIFYONLY. When that permission is checked, a corresponding event is logged to the Audit log for the DATABASE_CHANGE_GROUP audit specification.


To work around this issue, use a query such as the following to filter the Audit log records that are related to running RESTORE VERIFYONLY:

select * from fn_get_audit_file('C:\path\to\file.sqlaudit', default, default) where statement NOT LIKE '%RESTORE VERIFYONLY%'

More information


Microsoft has confirmed that this is an issue in the Microsoft products that are listed in the "Applies to" section.


Learn about the terminology that Microsoft uses to describe software updates.