The error was while running the store procedure runs xp_cmdshell to run a batch file

Question

The error was while running the store procedure runs xp_cmdshell to run a batch file

Jeyamani Sekar 20

The stored procedure SP_CreateClientDatabase internally uses xp_cmdshell to execute a batch file located at: F:\ECLOUD_DB_Script\CreateDB.bat

However, the execution is currently failing with the below error:An error occurred during the execution of xp_cmdshell. A call to 'CreateProcess' failed with error code: '5' (Access Denied).

As a result, even a basic command like EXEC xp_cmdshell 'whoami' is failing, we get the same error message as above

The SQL Server service accounts are:

NT SERVICE\MSSQL$ECOM_SQLEXPRESS
NT SERVICE\MSSQL$ECLOUD_SQLEXPRES

_NT SERVICE_MSSQLSERVER

     Permission was given for all above SQL Server service for all 
    ```- The service accounts did not have the **Log on as batch job** permission configured, so I have added the required permission.

There is no existing rule restrictions configured in AppLocker.
cmd.exe is not restricted on the server and also applied required permission.
We also restarted the SQL Server services after applying the changes.
Added permission for the folders where the batch file present.

We tried all these and we can't be able to resolve this issue, please help us to resolve our issue.

Akhil Gajavelly 1,830 Reputation points Microsoft External Staff Moderator

2026-05-13T09:44:24.4833333+00:00

Hi @Jeyamani Sekar ,

The AI-generated response already covers the correct troubleshooting path.

Could you please share the result after testing xp_cmdshell 'whoami' from a sysadmin session, and whether the same access denied error still occurs?

Also, if available, please share any corresponding entries from Windows Event Viewer at the time of failure. That would help narrow down whether the denial is coming from the OS or from the SQL Server execution context.

Thanks,
Akhil.
Jeyamani Sekar 20 Reputation points

2026-05-13T10:54:38.6633333+00:00

Hi Akhil,

We executed xp_cmdshell 'whoami' from a sysadmin session and observed the same error:

An error occurred during the execution of xp_cmdshell.

A call to 'CreateProcess' failed with error code: '5'.

As requested, we checked the Windows Event Viewer logs at the time of failure. However, we were not able to find any corresponding entries in either the Application or System event logs for the exact timestamp when the issue occurred.

We verified the logs multiple times after reproducing the issue, but no related events were recorded.

Please let us know the next steps or if any specific logs or tracing needs to be enabled for further troubleshooting.Thanks,

Jeyamani C S G
Erland Sommarskog 134.7K Reputation points MVP Volunteer Moderator

2026-05-13T12:49:03.65+00:00

xp_cmdshell normally works, so this suggests that someone has performed some lockdown on this server. I've been googling around to see if I could figure out which permission is needed for CreateProcess, but I was apparently not zealous enough,

One approach would be to compare with a machine where xp_cmdshell works.

Answer recommended by moderator

MotoX80 37,696

I don't know if this will help you or not, but here is something you could try.

Download and run Process Monitor. Use it to capture the error.

https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

This tool captures a lot of data, so it's important to start the capture, recreate the problem, and then stop the capture immediately.

There are a number of videos that demonstrate how to use this tool out on the internet if you can't figure it out.

Search for cmd.exe, whoami.exe or "access denied" in the trace. In this example, I locked the permissions on the pgmtest.exe file. See if you can identify what resource can't be accessed.

User's image

You can double click on the event to get more information. Check the event/process/stack tabs. That will show what account is executing the call. Since you mentioned applocker, there is a chance that you could see it, or some other module, in the call stack that might point you to the software that is blocking the call. I don't know how applocker works, so I don't know what exactly to tell you to look for.

User's image

Also review the entries that occur after the access denied event. If the call is being blocked, you may see a log file, or a different eventlog being referenced.

You might also want to configure your servers audit policy and monitor "object access", "privilege use", and "process tracking". Then check the Security event log for entries.

Akhil Gajavelly 1,830 Reputation points Microsoft External Staff Moderator

2026-05-26T05:06:28.9133333+00:00

Hi @Jeyamani Sekar ,

Thanks for the update and for sharing the findings.

The ProcMon trace shared above is a good next direction since the issue appears to be occurring during process creation at the OS/security layer rather than within SQL Server itself.

Please review the ProcMon capture for any ACCESS DENIED entries related to cmd.exe, whoami.exe, or the batch file path, and also check whether any security/endpoint protection component appears in the stack trace during the failure.

Additionally, enabling Security auditing for process tracking/object access may help surface more details in the Security event log that are not visible in the standard Application/System logs.

Thanks,
Akhil.
Akhil Gajavelly 1,830 Reputation points Microsoft External Staff Moderator

2026-05-28T06:33:33.94+00:00

Hi @Jeyamani Sekar ,

Just following up to see whether you were able to review the ProcMon trace and Security event logs for any additional clues.

In particular, were there any ACCESS DENIED entries or indications that endpoint/security software was interfering with process creation or script execution? Any updated findings or screenshots would help continue narrowing this down further.

Thanks,
Akhil.

1 additional answer

Your answer

Akhil Gajavelly 1,830 Reputation points Microsoft External Staff Moderator

2026-05-13T09:44:24.4833333+00:00

Hi @Jeyamani Sekar ,

The AI-generated response already covers the correct troubleshooting path.

Could you please share the result after testing xp_cmdshell 'whoami' from a sysadmin session, and whether the same access denied error still occurs?

Also, if available, please share any corresponding entries from Windows Event Viewer at the time of failure. That would help narrow down whether the denial is coming from the OS or from the SQL Server execution context.

Thanks,
Akhil.
Jeyamani Sekar 20 Reputation points

2026-05-13T10:54:38.6633333+00:00

Hi Akhil,

We executed xp_cmdshell 'whoami' from a sysadmin session and observed the same error:

An error occurred during the execution of xp_cmdshell.

A call to 'CreateProcess' failed with error code: '5'.

As requested, we checked the Windows Event Viewer logs at the time of failure. However, we were not able to find any corresponding entries in either the Application or System event logs for the exact timestamp when the issue occurred.

We verified the logs multiple times after reproducing the issue, but no related events were recorded.

Please let us know the next steps or if any specific logs or tracing needs to be enabled for further troubleshooting.Thanks,

Jeyamani C S G
Erland Sommarskog 134.7K Reputation points MVP Volunteer Moderator

2026-05-13T12:49:03.65+00:00

xp_cmdshell normally works, so this suggests that someone has performed some lockdown on this server. I've been googling around to see if I could figure out which permission is needed for CreateProcess, but I was apparently not zealous enough,

One approach would be to compare with a machine where xp_cmdshell works.
Akhil Gajavelly 1,830 Reputation points Microsoft External Staff Moderator

2026-05-26T05:06:28.9133333+00:00

Hi @Jeyamani Sekar ,

Thanks for the update and for sharing the findings.

The ProcMon trace shared above is a good next direction since the issue appears to be occurring during process creation at the OS/security layer rather than within SQL Server itself.

Please review the ProcMon capture for any ACCESS DENIED entries related to cmd.exe, whoami.exe, or the batch file path, and also check whether any security/endpoint protection component appears in the stack trace during the failure.

Additionally, enabling Security auditing for process tracking/object access may help surface more details in the Security event log that are not visible in the standard Application/System logs.

Thanks,
Akhil.
Akhil Gajavelly 1,830 Reputation points Microsoft External Staff Moderator

2026-05-28T06:33:33.94+00:00

Hi @Jeyamani Sekar ,

Just following up to see whether you were able to review the ProcMon trace and Security event logs for any additional clues.

In particular, were there any ACCESS DENIED entries or indications that endpoint/security software was interfering with process creation or script execution? Any updated findings or screenshots would help continue narrowing this down further.

Thanks,
Akhil.

Answer 1

Error code 5 from CreateProcess means the Windows account under which xp_cmdshell is running does not have sufficient permissions for what it is trying to do (starting cmd.exe, accessing the batch file, or accessing some folder/file used by the batch file).

Key points from the context:

xp_cmdshell runs under the security context of the SQL Server service account, unless a proxy account is configured.
The Windows process spawned by xp_cmdshell has exactly the same rights as the SQL Server service account.

Given that even EXEC xp_cmdshell 'whoami' fails with CreateProcess error 5, the failure occurs before the command itself runs, so focus on the account that xp_cmdshell is using and its ability to start cmd.exe.

Use the following steps:

Confirm which account xp_cmdshell is using
- If the caller is a member of sysadmin, xp_cmdshell runs as the SQL Server service account for that instance.
- If the caller is not sysadmin, xp_cmdshell uses the credential ##xp_cmdshell_proxy_account## (if configured). If this credential is missing, xp_cmdshell fails.
- Run a test as a sysadmin login to eliminate proxy issues:
```
     EXEC xp_cmdshell 'whoami';
```
  If this still fails with error 5, the SQL Server service account itself cannot start cmd.exe.
Verify xp_cmdshell is enabled
- Ensure xp_cmdshell is enabled via sp_configure or Policy-Based Management. If it is disabled, enabling it is required before any command can run.
Check the SQL Server service account permissions
- Identify the exact service account for the instance where xp_cmdshell is being executed (for example, NT SERVICE\MSSQL$ECOM_SQLEXPRESS or NT SERVICE\MSSQLSERVER).
- Ensure this account has:
  - Read and execute permission on C:\Windows\System32\cmd.exe (and the system directory where cmd.exe resides).
  - Read/execute/list permissions on the folder path and file F:\ECLOUD_DB_Script\CreateDB.bat.
  - Any additional file/folder permissions required by commands inside CreateDB.bat (for example, database file locations, log folders, or network shares).
Test with a minimal command
- After verifying permissions, test again as sysadmin:
```
     EXEC xp_cmdshell 'whoami';
```
- If this succeeds, then test:
```
     EXEC xp_cmdshell 'dir F:\ECLOUD_DB_Script';
     EXEC xp_cmdshell 'F:\ECLOUD_DB_Script\CreateDB.bat';
```
- If whoami works but the batch file fails, the issue is with permissions required by the batch file contents or its target locations.
Consider using an xp_cmdshell proxy account
- If the SQL Server service account is intentionally restricted, configure a proxy credential with the required rights:
```
     EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\\UserWithRights', '<StrongPassword>';
```
- Then run xp_cmdshell from a non-sysadmin login that uses this proxy. The Windows process will run under the proxy account, which must have the necessary file, folder, and cmd.exe permissions.
Re-test after any change
- After adjusting permissions or configuring a proxy, restart the SQL Server service if service account or local security policy changes were made, then re-run the minimal whoami test and proceed to the batch file.

If error 5 persists even when running xp_cmdshell 'whoami' as sysadmin and after confirming cmd.exe and folder permissions, the next step is to inspect OS-level security policies (for example, Software Restriction Policies or additional endpoint security) that may be blocking process creation for the SQL Server service account.

References:

Share via

The error was while running the store procedure runs xp_cmdshell to run a batch file

1 additional answer

Your answer