DBCC WritePage的具体用法

DBCC WritePage的具体用法

http://www.sqlnotes.info/2011/11/23/dbcc-writepage/.

DBCC WritePage is a dangerous undocumented DBCC command. It’s useful in your sandbox to change data, crash objects, and do some fun things you may think of. But never ever use it in your productions. Using DBCC WritePage command is at your own risk. . I will give you demos on how to use dbcc writepage to perform simple insert, delete, and update on a table.

dbcc writepage ({'dbname' | dbid}, fileid, pageid, offset, length, data [, directORbufferpool])

{‘dbname’ | dbid}
Database name or database id
fileid
File id in sys.database_files
pageid
Page number in the file
offset
Starting position of the data you want to change
length
number of bytes to be written to the page
data
data to be written. It’s binary, for example 0x13432
directORbufferpool
2 possible values, 0 and 1. When it’s 0, which is also the default value, the data modification is done at buffer level, related data will be calculated automatically such as page hash. When it’s 1, the modification is written to disk directly, related values, such as page hash, will not be recalculated automatically. Unless you want to test your math level…

Prepare Data
First of all, let’s prepare some data for test.

01
use master
02
set nocount on
03
if DB_ID('test') is not null
04
begin
05
alter database test set read_only with rollback immediate
06
drop database test
07
end
08
go
09
create database test;
10
go
11
alter database test set recovery simple
12
alter database test set auto_create_statistics off
13
alter database test set auto_update_statistics off
14
alter database test set allow_snapshot_isolation off
15
alter database test set read_committed_snapshot off
16
go
17
use test
18
create table test(id int not null, t char(20) not null)
19
insert into test values(1, REPLICATE('a', 20))
20
insert into test values(2, REPLICATE('b', 20))
21
insert into test values(3, REPLICATE('c', 20))
22
select * from test
23
/*
24
id t
25
----------- --------------------
26
1 aaaaaaaaaaaaaaaaaaaa
27
2 bbbbbbbbbbbbbbbbbbbb
28
3 cccccccccccccccccccc
29
*/
We have 3 records in table test. Then let’s check where the data located

1
dbcc traceon(3604) with no_infomsgs
2
go
3
dbcc ind(test,'test', 1) with no_infomsgs -- first parameter is the database name, second is table name
4
/*
5
PageFID PagePID IAMFID IAMPID ObjectID --I removed rest of the columns returning from dbcc ind
6
------- ----------- ------ ----------- -----------
7
1 154 NULL NULL 2105058535 -- this is IAM page
8
1 153 1 154 2105058535 -- this is database
9
*/
Then let’s check what’s on the page

1
dbcc page(test, 1, 153, 2) with no_infomsgs
It will return

01
PAGE: (1:153)
02

03
BUFFER:
04

05
BUF @0x0000000085FC0A00
06

07
bpage = 0x0000000085570000 bhash = 0x0000000000000000 bpageno = (1:153)
08
bdbid = 13 breferences = 0 bcputicks = 0
09
bsampleCount = 0 bUse1 = 28677 bstat = 0xc0010b
10
blog = 0x212121bb bnext = 0x0000000000000000
11

12
PAGE HEADER:
13

14
Page @0x0000000085570000
15

16
m_pageId = (1:153) m_headerVersion = 1 m_type = 1
17
m_typeFlagBits = 0x4 m_level = 0 m_flagBits = 0x8000
18
m_objId (AllocUnitId.idObj) = 27 m_indexId (AllocUnitId.idInd) = 256
19
Metadata: AllocUnitId = 72057594039697408
20
Metadata: PartitionId = 72057594038779904 Metadata: IndexId = 0
21
Metadata: ObjectId = 2105058535 m_prevPage = (0:0) m_nextPage = (0:0)
22
pminlen = 28 m_slotCnt = 3 m_freeCnt = 7997
23
m_freeData = 189 m_reservedCnt = 0 m_lsn = (99:68:2)
24
m_xactReserved = 0 m_xdesId = (0:0) m_ghostRecCnt = 0
25
m_tornBits = 0
26

27
Allocation Status
28

29
GAM (1:2) = ALLOCATED SGAM (1:3) = ALLOCATED
30
PFS (1:1) = 0x61 MIXED_EXT ALLOCATED 50_PCT_FULL DIFF (1:6) = CHANGED
31
ML (1:7) = NOT MIN_LOGGED
32

33
DATA:
34

35
Memory Dump @0x000000001103C000
36

37
000000001103C000: 01010400 00800001 00000000 00001c00 †................
38
000000001103C010: 00000000 00000300 1b000000 3d1fbd00 †............=.½.
39
000000001103C020: 99000000 01000000 63000000 44000000 †........c...D...
40
000000001103C030: 02000000 00000000 00000000 00000000 †................
41
000000001103C040: 01000000 00000000 00000000 00000000 †................
42
000000001103C050: 00000000 00000000 00000000 00000000 †................
43
000000001103C060: 10001c00 01000000 61616161 61616161 †........aaaaaaaa
44
000000001103C070: 61616161 61616161 61616161 02000010 †aaaaaaaaaaaa....
45
000000001103C080: 001c0002 00000062 62626262 62626262 †.......bbbbbbbbb
46
000000001103C090: 62626262 62626262 62626202 00001000 †bbbbbbbbbbb.....
47
000000001103C0A0: 1c000300 00006363 63636363 63636363 †......cccccccccc
48
000000001103C0B0: 63636363 63636363 63630200 00000021 †cccccccccc.....!
49
000000001103C0C0: 21212121 21212121 21212121 21212121 †!!!!!!!!!!!!!!!!
50
000000001103C0D0: 21212121 21212121 21212121 21212121 †!!!!!!!!!!!!!!!!
51
....
52
000000001103DFE0: 21212121 21212121 21212121 21212121 †!!!!!!!!!!!!!!!!
53
000000001103DFF0: 21212121 21212121 21219e00 7f006000 †!!!!!!!!!!ž...`.
54

55
OFFSET TABLE:
56

57
Row - Offset
58
2 (0x2) - 158 (0x9e)
59
1 (0x1) - 127 (0x7f)
60
0 (0x0) - 96 (0x60)
Update Record
I put update first since it’s the simplest comparing other 2 examples.

01
dbcc traceon(2588) with no_infomsgs
02
go
03
-- change the first record
04
dbcc writepage(test, 1, 153, 105, 3, 0x626364)
05
go
06
select * from test
07
/*
08
id t
09
----------- --------------------
10
1 abcdaaaaaaaaaaaaaaaa
11
2 bbbbbbbbbbbbbbbbbbbb
12
3 cccccccccccccccccccc
13
*/
Look at the result, the first record is changed to abcdaaaaaaaaaaaaaaaa from aaaaaaaaaaaaaaaaaaaa. Run dbcc checktable('test'). No error return. That’s great.

Insert
First, let’s check the slot array from the dump of dbcc page, line 53. The first record is at 0x0060 and the second is at 0x007f. The size of the record is 31, 0x7f – 0x60 = 0x1f = 31. Copy the binary from that range

0x10001c00010000006161616161616161616161616161616161616161020000

Segment in blue: Record header
Segment in maroon: The the first field. It’s 4 byte integer value. Lower address value contains lower byte in the integer. The value of it is 0x00000001.
Segment in red: The second field.
Segment in gray: I don’t know what that is. If you know, please tell me.
base on that, we can make a new record below. The location we should put the new record is saved in m_freeData in the header.

0x10001c00040000006162636465666768696a6b6c6d6e6f7071727374020000

Now let’s use dbcc page to put the record to the page atbyte 189 which is 0x00BD in hexadecimal.

01
-- I assume you have turned on trace flag 2588
02
--write new record to the page, you will not get any errors after running this statement
03
dbcc writepage(test, 1, 153, 189, 31, 0x10001c00040000006162636465666768696a6b6c6d6e6f7071727374020000)
04

05
--Add a new record into the slot array at the end of the page. Ignore the page validation error.
06
dbcc writepage(test, 1, 153, 8184, 2, 0xbd00) -- change slot array
07

08
--Change number of count of record on the page from 3 to 4. Ignore the page validation error.
09
dbcc writepage(test, 1, 153, 22, 2, 0x0400) -- change m_slotCnt
10

11
--Change the location where the free space starting from. Ignore the page validation error.
12
--page has 8192 bytes. First 96 bytes is the header of the page
13
--we have 4 records, each of them is 31 bytes.
14
--So the free space will be
15
--8192-96-4*31-4*2 (this is the size of slot array) = 7964 = 0x1f1c
16
dbcc writepage(test, 1, 153, 28, 2, 0x1C1F) -- change m_freeCnt
17

18
--Change the location where the free space starting from. Ignore the page validation error.
19
--This can be calculated by m_freeData = length of the record = 189 + 31 = 220 = 0x00dc
20
dbcc writepage(test, 1, 153, 30, 2, 0xDC00) -- change m_freeData
21

22
dbcc checktable('test')
23
/*
24
DBCC results for 'test'.
25
There are 4 rows in 1 pages for object "test".
26
DBCC execution completed. If DBCC printed error messages, contact your system administrator.
27
*/
28

29
--good, we passed dbcc checktable test
30
select * from test
31
/*
32
id t
33
----------- --------------------
34
1 abcdaaaaaaaaaaaaaaaa
35
2 bbbbbbbbbbbbbbbbbbbb
36
3 cccccccccccccccccccc
37
4 abcdefghijklmnopqrst
38
*/
Delete
Now let’s remove the record where id = 3. It’s way simple to remove a record from a heap than from a B-Tree. We only need to change the slot array to 0x0000 then update some values on the page header. You will see the page validation error for each of the step. You can ignore it. Finally, we will run dbcc checktable to verify the changes.

01
--change the slot array from offset 8186
02
dbcc writepage(test, 1, 153, 8186, 2, 0x0000) -- change slot array
03

04
--change number of records on the page in the page header
05
dbcc writepage(test, 1, 153, 22, 2, 0x0400) -- change m_slotCnt
06

07
--change free bytes on the page.
08
--before deletion, page has 7964 free bytes
09
--after deletion, 31 bytes freed from the page and 2 bytes freed from the slot array
10
--So the free count is 7964+31+2=7997=0x1f3d
11
dbcc writepage(test, 1, 153, 28, 2, 0x3B1F) -- change m_freeCnt
12

13
-- Then update other flags
14
dbcc writepage(test, 1, 153, 38, 2, 0x1f00) -- change m_reservedCnt
15
dbcc writepage(test, 1, 153, 50, 2, 0x1f00) -- change m_xactReserved
16
dbcc writepage(test, 1, 153, 4, 1, 0x08) -- change m_flagBits
17
go
18
dbcc checktable('test')
19
/*
20
DBCC results for 'test'.
21
There are 3 rows in 1 pages for object "test".
22
DBCC execution completed. If DBCC printed error messages, contact your system administrator.
23
*/
24
--perfect, we passed dbcc checktable test
25
select * from test
26
/*
27
id t
28
----------- --------------------
29
1 abcdaaaaaaaaaaaaaaaa
30
2 bbbbbbbbbbbbbbbbbbbb
31
4 abcdefghijklmnopqrst
32
*/
The record where id = 3 is gone! Cheers! It’s not easy to manipulate data on a page by dbcc writepage command especially when you don’t have official documentation. These 3 experiments took me about 2 hours. That’s just the modification on heap with fixed length required columns on one page. It will be way more complicated for other type of manipulationi since they may need you to deal with nulls, variable lengh columns, out of row data, IAM, PFS, GAM, SGAM,…to much information.
Finally, I would like remind you — !!DON’T RUN THIS COMMAND ON YOUR PRODUCTION SERVERS!! ALL YOUR OPERATIONS ARE LOGGED IN SQL Server ERROR LOG.

 


      • Loverly Article John. Dangerous stuff but great for demos of Internals

      • Great article, John! And scary too.

      • Hi John

        I think that the segment in gray correspond to the null bitmap and the variable-lengh column offset array. First two bytes represent the number of columns in the record (02). Next two bytes are the number of variable lengh columns (00). The last two bytes (00) represent the offset to the start of the first lengh-variable column.

        • Thanks Ruben, My initial guess was same as yours but I knew that the bits right after fixed length columns are supposed to be NULL bitmap. There is no nullable columns in the table so there is no NULL bitmap. However, I don’t have variable length columns here neither, why SQL Server needs to record such information and let sapce to be wasted. interesting though.

      • You really should remove this post – where did you learn about the undocumented (and completely NDA) final option to the command? AFAIK it’s never been discussed outside of Microsoft…

      • Sigh – I see someone documented my undocumented option in the help. I guess this isn’t NDA – but it’s just irresponsible blogging about this (which is why I haven’t done so ever). You really should remove this – it’s going to cause people more trouble than help.

        • Paul, I’m responsible for the accuracy of my blog posts and findings. I could find this by using official commands about 2 hours. Others can do this as well. Microsoft should really close this command or at least make it not so easy to reach for supporting purpose. I do respect for you opinion. I put password on this post and share it within MCM community.

      • John, excellent post and whilst I agree that this is a scary post, I don’t believe it should be removed since I dont think dbcc writepage is a huge secret – though it’s parameters are probably less well known. Rather than take down, I’d argue for a bigger warning at the top and bottom of the post.

        Thanks again.

      • Just came across this – first time I’ve seen the last option.
        Awesome blog post, but I’d have to agree with Paul that it is pretty dicey.

        If you can’t run a hex editor this might be a viable alternative, but boy does it invite people to corrupt their databases!

        Hey, this an MCM’s blog after all, if you can’t take the heat, don’t play with matches…

      • Hi John,

        very interesting article but i think a very important fact was omitted about this command and that is that the effect of this dbcc command isn’t logged in the transaction log and therefore can’t be executed in the context of an transaction an by that i’m think it is a only way road. I wonder if the request from Paul wasn’t connected with this situation.

        Also i think the last sentence “ALL YOUR OPERATIONS ARE LOGGED IN SQL Server LOG.” should be changed because when we read it we can misinterpret and think that you are talking about the transaction log (some people use sql server log and transaction log interchangeably) which is exactly the opposite of the truth.

        Anyway.. excelent article

      • Hello, why DBCC writepage not directly modify SQL2005 and SQL2008 and SQL2008r2 contents?
        If DBCC writepage (‘ full ‘, 1, 15238, 8100, 1, 0 x00, 1) can modify content, but do not calculate page checksum;
        DBCC writepage (‘ full ‘, 1, 15238, 8100, 1, 0 x00, 0) that can’t modify data.

        • The last parameter 1 means write the data bypass the buffer pool. The checksum value is not calculated in this case.
          When the data in the buffer pool is not valid, you can’t modify the buffer pool.

          • Hello, why DBCC writepage not directly modify SQL2005 and SQL2008 and SQL2008r2 contents?
            DBCC writepage (‘ dbname ‘, 1, pageid, 8100, 1, 0 x00) that can’t modify SQL2005 data. In SQL2000 version can, senior version can’t, I think can fix content can recount checksum, could you tell me what should I do, can modify the content and can generate checksum again?

            • Yes, one way you get the checksum is that select records from the table that has corrupted page. You will see error Msg 824…incorrect checksum(expected:…actual…) the actual is the correct checksum value. Use DBCC write page with direct option on to write the checksum.

      • Hi, DBCC writepage work in SQL2005 and above version, not calculation check? Why?

      • Hi, DBCC writepage work in SQL2005 and above version, not calculation checksum? Why?

posted @ 2014-10-25 13:38  桦仔  阅读(414)  评论(0编辑  收藏  举报