Windows policy Lock Pages in Memory option and SQL Server instance in VM

This Windows policy (the Lock Pages in Memory option) must be enabled for the SQL Server service account, because setting this option can increase the performance of a SQL Server instance running on a virtual machine (VM) where paging memory to disk is expected.

When it is not enabled, there is a risk that SQL Server buffer pool pages may be paged out from physical memory to virtual memory on disk.

*Note: This only applies to SQL Server instances running on a virtual machine (VM).

This Windows policy determines which accounts can use a process to keep data in physical memory, preventing the system from paging the data to virtual memory on disk.

Note: Locking pages in memory may boost performance when paging memory to disk is expected.

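SET NOCOUNT ON;

DECLARE @CMDShellFlag [bit] ,
        @CheckCommand [nvarchar](256);

-- Holds the raw output lines returned by xp_cmdshell
DECLARE @xp_cmdshell_output TABLE
    (
      [output] [varchar](8000)
    );

-- Enable xp_cmdshell only if it is not already on, and remember that this
-- script turned it on so that it can be turned off again at the end.
-- If the batch is interrupted before the final block, xp_cmdshell stays enabled.
IF NOT EXISTS ( SELECT  *
                FROM    [sys].[configurations]
                WHERE   [name] = N'xp_cmdshell'
                        AND [value_in_use] = 1 )
    BEGIN
        SET @CMDShellFlag = 1;

        EXEC [sp_configure] 'show advanced options', 1;
        RECONFIGURE;

        EXEC [sp_configure] 'xp_cmdshell', 1;
        RECONFIGURE;

        EXEC [sp_configure] 'show advanced options', 0;
        RECONFIGURE;
    END

-- Build: EXEC [master]..[xp_cmdshell] 'whoami /priv'
-- whoami /priv lists the privileges in the token of the account running the command
SELECT  @CheckCommand = 'EXEC [master]..[xp_cmdshell]' + SPACE(1) + QUOTENAME('whoami /priv', '''');

INSERT INTO @xp_cmdshell_output
        ( [output] )
EXEC [sys].[sp_executesql] @CheckCommand;

-- Look for the SeLockMemoryPrivilege line whose state column reads "enabled"
IF EXISTS ( SELECT  *
            FROM    @xp_cmdshell_output
            WHERE   [output] LIKE '%SeLockMemoryPrivilege%enabled%' )
    SELECT  'Windows policy Lock Pages in Memory option is enabled' AS [Finding];
ELSE
    SELECT  'Windows policy Lock Pages in Memory option is disabled' AS [Finding];

-- Turn xp_cmdshell back off if this script was the one that enabled it
IF @CMDShellFlag = 1
    BEGIN
        EXEC [sp_configure] 'show advanced options', 1;
        RECONFIGURE;

        EXEC [sp_configure] 'xp_cmdshell', 0;
        RECONFIGURE;

        EXEC [sp_configure] 'show advanced options', 0;
        RECONFIGURE;
    END

SET NOCOUNT OFF;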

Here are the instructions to enable the Lock Pages in Memory Windows policy:

The T-SQL script above, which runs whoami /priv through xp_cmdshell, checks whether or not this Windows policy is enabled for the SQL Server service startup account.
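As an added example (not part of the original page), the check can also be made without enabling xp_cmdshell by reading the instance's memory DMVs. It assumes the login has VIEW SERVER STATE and that sql_memory_model_desc may be missing on older builds, so it probes for the column first. It reports whether the running instance is actually using locked pages, which is a different question from whether the policy is assigned.

```sql
-- Added example: read the memory model from DMVs instead of running whoami
-- through xp_cmdshell. Requires VIEW SERVER STATE; changes no configuration.
SET NOCOUNT ON;

DECLARE @LockedKb  [bigint] ,
        @ModelDesc [nvarchar](120) ,
        @Sql       [nvarchar](400);

-- Locked page allocations are non-zero once the instance has locked memory.
SELECT  @LockedKb = [locked_page_allocations_kb]
FROM    [sys].[dm_os_process_memory];

-- sql_memory_model_desc is only present on newer builds, so probe for the
-- column and read it via dynamic SQL to keep the batch compiling on older ones.
IF EXISTS ( SELECT  *
            FROM    [sys].[all_columns]
            WHERE   [object_id] = OBJECT_ID(N'sys.dm_os_sys_info')
                    AND [name] = N'sql_memory_model_desc' )
    BEGIN
        SET @Sql = N'SELECT @m = [sql_memory_model_desc] FROM [sys].[dm_os_sys_info];';

        EXEC [sys].[sp_executesql] @Sql, N'@m nvarchar(120) OUTPUT',
            @m = @ModelDesc OUTPUT;
    END

-- LARGE_PAGES also depends on the Lock Pages in Memory right being granted.
SELECT  CASE WHEN @ModelDesc IN ( N'LOCK_PAGES', N'LARGE_PAGES' )
                  OR @LockedKb > 0
             THEN 'Lock Pages in Memory is in use by this instance'
             WHEN @ModelDesc = N'CONVENTIONAL'
                  OR @LockedKb = 0
             THEN 'Lock Pages in Memory is not in use by this instance'
             ELSE 'Undetermined'
        END AS [Finding] ,
        @ModelDesc AS [sql_memory_model_desc] ,
        @LockedKb AS [locked_page_allocations_kb];

-- Service account(s) to which the Windows user right has to be granted
SELECT  [servicename] ,
        [service_account]
FROM    [sys].[dm_server_services];

SET NOCOUNT OFF;
```

The result reflects the state since the last service start, so a right granted afterwards shows up only once the SQL Server service has been restarted.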