Microsoft support has encountered numerous third-party products that use detours to provide additional functionalities to Microsoft SQL Server. These are usually auditing functionalities. There is no certification process for third-party detours for Microsoft applications. Therefore, generally, Microsoft strongly discourages the use of detours.
Features that use detours or similar techniques to change the behavior of SQL Server may cause the following issues:
Disk and memory corruption
Loss of SQL Server response
Unexpected process termination
Inability to use standard diagnostics, such as the fn_get_sql function and the DBCC INPUTBUFFER command
You can encounter these same issues when you are using non-Microsoft software such as linked servers, extended procedures, or COM objects within the SQL Server process. Detours are hidden from DBA view. To uncover a detour, you must use the techniques that are described in the "More Information" section that follows. Linked servers, COM objects, and extended procedures have explicit registration and defined interfaces.
Note Because of the hidden nature of detours and the lack of published interfaces, Microsoft does not provide support services for third-party features that use detours or similar techniques. The third party is responsible for support of its own code, just as it would be responsible for its own linked server or other sanctioned deployment.
It is common practice, in the usual course of troubleshooting, for Microsoft support services to ask you to disable nonessential jobs and to disable or remove third-party components and other, similar techniques. Microsoft always tries to reduce the footprint of the issue while it is identifying the problem. After the issue is identified as unrelated to the jobs or third-party products, those jobs or third-party products may be introduced back into production.
It is not our intention to uncover a detour and then consider the instance of SQL Server to be unsupported. Microsoft acknowledges that some implementations are necessary. However, Microsoft requires you to validate the supportability of the detours. A detour from a reputable and trusted company is definitely different from an unexpected detour that is used by a virus. Microsoft does not warrant or certify these third-party products or how the third-party products interact with Microsoft products and services. Instead, third-party vendors are responsible for the identification and trustworthiness of their products and services. If you have any questions about third-party products and services, please reach out to the applicable third party. Microsoft is not responsible for any issues that are caused by your use of third-party products or services in connection with SQL Server.
Detours provide enhanced capabilities and a risk/reward tradeoff. Typically, when a detour is implemented in SQL Server, third-party code is injected into the process space. This activity may change the behavior of SQL Server.
The following are some example situations and possible side effects:
Incoming network traffic (TDS) packets are scanned and changed. The detour is added at a critical location at the net_readdata network process thread. Even 100 CPU cycles at this location may significantly reduce batch rate throughput.
A change in the actual TDS data may lead to memory scribblers. This problem has triggered various SQL Server stability problems and in data corruption. Problems may cause a TDS packet to be partially changed and to replay garbage to SQL Server. Logging facilities at this level may expose passwords and other sensitive data that SQL Server tracing is designed to suppress and to help secure.
SQL Server parsing routines are detoured to change behavior. The following are possible side effects:
Execution plans do not match actual query text.
A command is submitted only one time from the client. However, the command is executed multiple times.
Trace output shows the original command instead of the altered query.
The DBCC INPUTBUFFER command shows the original command instead of the altered query.
The fn_get_sql function shows incorrect data. Additionally, the fn_get_sql function is susceptible to exceptions and to incorrect results. The fn_get_sql function is used by many monitoring solutions and may cause problems on the monitoring solutions.
Overall User Mode Scheduler (UMS) and SQL Server Operating System (SQLOS) scheduling may be interrupted. This leads to loss of SQL Server response, to performance changes, and to outages.
Win32 APIs that provide enhanced security features are detoured. Depending on the implementation, logging facilities at this level could expose passwords and other sensitive data. Overall UMS and SQLOS scheduling is interrupted. This leads to loss of SQL Server response and to outages.
Modifying function tables and redirecting core SQL Server functions or Windows API's are not supported within the SQL Server process. This can lead to instability and unexpected behavior in the SQL Server functionality.
The following example shows that the kernel32!GetQueuedCompletionStatus function has been detoured.
In the assembly for the GetQueuedCompletionStatus function, the first instruction has been replaced with a jump instruction.
0:038> u kernel32!GetQueuedCompletionStatuskernel32!GetQueuedCompletionStatus 77e660f1 e90a9f00aa jmp 21e70000 ß This points to an address that does not appear in the loaded module list (lm). It is injected code.77e660f6 83ec10 sub esp,10h
The assembly for the injected code shows the detoured activity and a call to the MyDLL file.
You can use Debugging Tools for Windows to determine whether detours are being used. To do this, follow these steps.
Note Always test this method before you try it in production. When you use Debugging Tools for Windows, the process may freeze when you run the commands. This behavior may adversely affect a production server.
Attach Debugging Tools for Windows to SQL Server, or load a full user dump file.
Issue the following debugger command. This command inspects each image against the on-disk image to determine whether detours have been injected.
!for_each_module "!chkimg -v @#Base -d"
Detach the debugger.
To obtain Debugging Tools for Windows, go to the following Microsoft website:
You can review the assembly to look more closely at the issue as follows:
0:038> u ssnetlib!ConnectionClosessnetlib!ConnectionClose]:0c263710 6800000000 push 00c263715 e9278ada03 jmp MyDLL!MyGetQueuedCompletionStatus <- A detour has been installed.
Antivirus programs that track SQL injection attacks can detour SQL Server code. In this scenario, the output of the !for_each_module "!chkimg -v @#Base -d" extension may show that the SQL Server functions yyparse and ex_raise2 are modified:
We recommend that you contact the provider of the detours or similar techniques for detailed information about how it uses the detours in SQL Server. For more information about detours and similar techniques, go to the following Microsoft Research Center website: