Through below script we are able to find out who is culprit for this activity:-
==============================================================
DECLARE @enable INT
SELECT TOP 1 @enable = convert(INT, value_in_use)
FROM sys.configurations
WHERE NAME = ‘default trace enabled’
IF @enable = 1 –default trace enabled
BEGIN
DECLARE @date1 DATETIME;
DECLARE @diff1 INT;
DECLARE @curr_trace_file_name VARCHAR(500);
DECLARE @base_trace_file_name VARCHAR(500);
DECLARE @indx1 INT;
SELECT @curr_trace_file_name = path
FROM sys.traces
WHERE is_default = 1;
SET @curr_trace_file_name = reverse(@curr_trace_file_name)
SELECT @indx1 = PATINDEX(‘%%’, @curr_trace_file_name)
SET @curr_trace_file_name = reverse(@curr_trace_file_name)
SET @base_trace_file_name = LEFT(@curr_trace_file_name, len(@curr_trace_file_name) – @indx1) + ‘log.trc’;
SELECT TargetLoginName ‘Dropped Login’
,StartTime ‘At what Time’
,LoginName ‘Dropped By’
,ApplicationName ‘Source Location’
,HostName ‘Host_Name’
FROM::fn_trace_gettable(@base_trace_file_name, DEFAULT)
WHERE EventClass IN (
104
,105
)
AND EventSubclass = 2
END
ELSE
Select ‘Default trace is not enabled’