SQL SERVER – Unable to Attach Database Files – The PageAudit Property is Incorrect – Ransomware Attack

5 years ago

Recently one of my clients contacted me after reading my blog above Ransomware on the SQL Server machine. In this blog, we would learn about error The PageAudit property is incorrect.

Here is my earlier blog on the ransomware topic. SQL SERVER – How to Protect Your Database from Ransomware?

Here were the errors in SQL Server ERRORLOG when the database was trying to startup.

Msg 5172, Level 16, State 15, Line 1
The header for file ‘E:\SQLMDF\FINANCE_DB\FINANCE_DB.mdf’ is not a valid database file header. The PageAudit property is incorrect.
Msg 945, Level 14, State 2, Line 1
Database ‘FINANCE_DB’ cannot be opened due to inaccessible files or insufficient memory or disk space. See the SQL Server errorlog for details.
Msg 5069, Level 16, State 1, Line 1
ALTER DATABASE statement failed.
Msg 5172, Level 16, State 15, Line 1
The header for file ‘E:\SQLMDF\FINANCE_DB\FINANCE_DB.mdf’ is not a valid database file header. The PageAudit property is incorrect.
Msg 922, Level 14, State 1, Line 1
Database ‘FINANCE_DB’ is being recovered. Waiting until recovery is finished.

Initially, I was not aware of the ransomware attack on this server. So, I used my usual method to read MDF file header without attaching it.

SQL SERVER – FIX – Error: One or more files do not match the primary file of the database

Here are the commands.

DBCC CHECKPRIMARYFILE(N'E:\SQLMDF\FINANCE_DB\FINANCE_DB.mdf',0); --IsMDF
DBCC CHECKPRIMARYFILE(N'E:\SQLMDF\FINANCE_DB\FINANCE_DB.mdf',2)
DBCC CHECKPRIMARYFILE(N'E:\SQLMDF\FINANCE_DB\FINANCE_DB.mdf',3)

As we can see from the output and the first command said it is not a valid file (output = 0) and the rest two commands failed with error:

Msg 5171, Level 16, State 1, Line 2
E:\SQLMDF\FINANCE_DB\FINANCE_DB.mdf is not a primary database file.

WORKAROUND/SOLUTION

There is nothing technical which a SQLDBA can do in this situation. I was able to find one good link which might help someone.

To find out which ransomware attacked you, please visit this site. Once ransomware name is identified, check if it is possible to decrypt files using known keys.

All the best to try various option to recover your data!

Reference: Pinal Dave (https://blog.SQLAuthority.com)

Ransomware, SQL Audit, SQL Error Messages, SQL Log, SQL Scripts, SQL Server

SQL SERVER – How to DROP or DELETE Suspect Database?

SQL SERVER – Rebuild Index Job Failed – Error: 9002 – The Transaction Log for Database ‘PinalDB’ is Full Due to ‘LOG_BACKUP’

2 Comments. Leave new

Bert
August 29, 2018 4:20 pm
I can’t imagine what a nightmare having ransomware on your SQL Server must be!
Reply
- Pinal Dave
  August 30, 2018 10:42 pm
  Oh yeah. The worst part – backups are kept on same machine.
  Reply