Jason Brimhall shows how you can see when someone calls xp_cmdshell, including the call details:
What was the wait_type? Well, the obscure wait_type was calledĀ PREEMPTIVE_OS_PIPEOPS. What causes this wait? As it turns out, this is a generic wait that is caused by SQL pipe related activities such asĀ xp_cmdshell.
Knowing this much information however does not get us to the root cause of this particular problem for this client. How do we get there? This is another case for Extended Events (XEvents).
Read on for two ways to approach this, both using Extended Events.