Introduction
If your SQL Server environment uses the SSIS Catalog (SSISDB), there’s one startup procedure you should leave alone: sp_ssis_startup. It’s a frequent target of security hardening scripts and scanner recommendations, but disabling it creates real operational problems that are easy to overlook until something breaks at an inconvenient time. This post explains what it actually does, why security tools flag it, and why the right answer is almost always to leave it enabled.
What the SSIS Catalog is
The SSIS Catalog (SSISDB) is the central repository for SSIS projects, packages, configurations, and execution history. It’s where you manage deployments, track execution status, and troubleshoot failures, both through SSMS and directly through the SSISDB catalog views and stored procedures.
What sp_ssis_startup actually does
When enabled, SQL Server executes sp_ssis_startup automatically at service startup. The procedure itself is minimal. It calls SSISDB.catalog.startup, which performs one specific task: reconciling the state of any package executions that were active when the instance last went down. If SQL Server was restarted mid-execution, those runs need to be marked appropriately rather than left in a permanent “Running” state.
That’s it. It’s a targeted cleanup routine, not a broad or privileged operation.
Why security tools flag it
Security scanners flag sp_ssis_startup because auto-executing startup procedures are a known persistence technique. In SQL Server, any procedure in master can be registered to run at startup via sp_procoption, and that flag is visible in sys.procedures as is_auto_executed = 1. Scanners treat any entry in that list as a potential red flag by default, regardless of what the procedure actually does.
The threat model here is worth understanding clearly. Registering or modifying a startup procedure requires sysadmin membership, and the procedure must live in master. If an attacker already has sysadmin, disabling sp_ssis_startup is the least of your concerns. You have a full compromise. The startup mechanism itself is not the vulnerability; unrestricted sysadmin access is.
What happens if you disable it
This is where the real-world impact shows up. If sp_ssis_startup is disabled and the SQL Server service restarts, executions that were active at the time of shutdown will remain in status 2 (Running) rather than being corrected to status 6 (Ended Unexpectedly). That stale state ripples through in a few ways.
The SSMS Active Operations and All Executions reports pull from SSISDB views, so your monitoring dashboards will show incorrect execution counts and statuses. Any job or runbook that checks for currently active executions before starting a new run may refuse to execute because it sees a ghost execution still marked as running. Troubleshooting becomes harder too. When catalog.executions and catalog.operation_messages are in an inconsistent state, root cause analysis takes longer and the history you’re relying on can’t be trusted.
None of these failures are loud. They tend to surface quietly as scheduling conflicts or misleading reports, which makes them harder to connect back to the configuration change that caused them.
Verifying your configuration
To check whether sp_ssis_startup is currently registered for auto-execution:
USE master;
GO
SELECT p.name,
p.is_auto_executed
FROM sys.procedures AS p
WHERE p.name = N'sp_ssis_startup';To review SSISDB catalog properties including retention and cleanup settings:
USE SSISDB;
GO
SELECT property_name, property_value
FROM catalog.catalog_properties;To inspect recent executions and their statuses:
USE SSISDB;
GO
SELECT TOP 20
execution_id, folder_name, project_name, package_name,
status, start_time, end_time
FROM catalog.executions
ORDER BY start_time DESC;Recommended approach
Keep sp_ssis_startup enabled if you’re using SSISDB. It is part of Microsoft’s intended catalog maintenance behavior and has been verified against the SQL Server 2019, 2022, and 2025 documentation. If a security review flags it, the right response is to document its purpose and scope, not to disable it. Limit and audit sysadmin membership separately. That’s where the actual exposure lives.