I am trying to delete server audit which was capturing logon events defined in server audit specification as follows:
CREATE SERVER AUDIT SPECIFICATION [System Login Audit]
FOR SERVER AUDIT [System Logins]
ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (AUDIT_CHANGE_GROUP),
ADD (DBCC_GROUP),
ADD (DATABASE_PERMISSION_CHANGE_GROUP),
ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
ADD (SERVER_PERMISSION_CHANGE_GROUP),
ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
ADD (DATABASE_CHANGE_GROUP),
ADD (DATABASE_OBJECT_CHANGE_GROUP),
ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
ADD (LOGIN_CHANGE_PASSWORD_GROUP),
ADD (SERVER_STATE_CHANGE_GROUP),
ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),
ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),
ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP)
WITH (STATE = ON)
I managed to delete mentioned above server audit specification but still can not delete related server audit. My attempt to disable it with command
ALTER SERVER AUDIT [System Logins] WITH (STATE = OFF)
ends up being blocked by something and won't let me delete it.
My most radical attempt was to execute this command while running SQL Server service in single-user mode with SQL Server Agent and SQL Server CEIP service both being disabled.
Ok. As I wrote in the comments, I was trying to delete the server audit which was blocked by that very server audit which was capturing changes to server metadata what can be illustrated by running the query:
select * from sys.dm_tran_locks where request_session_id = <that_session_id>see sample output of the queryMetaphorically speaking this was like cutting tree branch while sitting on it.
Apparently, running server in just single-user mode, which I tried earlier was not enough.
The solution was to start SQL Server in minimal configuration (-f) with monitoring features disabled (-x)
net start "SQL Server (MSSQLSERVER)" /x /f /mSQLCMDand then to disable audit by running statement in SQLCMD:ALTER SERVER AUDIT [System Logins] WITH (STATE = OFF)