Microsoft KB Archive/294698

= How to configure Jet 4.0 to prevent unsafe functions from running in Access 2003 =

Article ID: 294698

Article Last Modified on 12/29/2006

-

APPLIES TO


 * Microsoft Office Access 2003

-



This article was previously published under Q294698



Moderate: Requires basic macro, coding, and interoperability skills.

This article applies only to a Microsoft Access database (.mdb).



For a Microsoft Access 2000 and Access 2002 version of this article, see 239482.

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
The Microsoft Jet 4.0 database engine permits you to call unsafe Microsoft Visual Basic for Applications functions through the Microsoft Jet Expression Service. The Jet Expression Service is used to evaluate expressions in forms, in reports, and in queries.

For example, the following SQL statement may cause all files to be deleted from the current folder on your computer: SELECT Shell(&quot;Cmd /c del *.*&quot;) As c1 From Customers The security risk occurs when expressions contain Visual Basic for Applications commands that can do damage to the computer that is running the query, such as Shell commands to delete files or to format the computer.

IN THIS TASK

 * Introduction
 * Understand how to enable or how to disable Sandbox mode
 * Implement Sandbox mode operations
 * Use Sandbox mode operations with Jet 4.0 Service Pack 3 and later
 * Understand Visual Basic for Applications functions that cause errors when called from a Jet query or an Access property when using Jet 4.0 Service Pack 8
 * Understand Access functions and Access properties that are blocked by Jet 4.0 Sandbox mode



INTRODUCTION
The evaluation of expressions is a behavior that is desirable in many circumstances. However, if part of the expression contains a Shell command, the Shell command is parsed and then executed on the computer.

You can use Sandbox mode to block such operations. However, the default for Jet 4.0 Sandbox mode is not to enable Sandbox mode for queries that are run in Microsoft Access. Sandbox mode is enabled for all other non-Access applications, such as Open Database Connectivity (ODBC).

back to the top

Understand how to enable or how to disable Sandbox mode
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

You can enable Sandbox mode for non-Access applications. To do this, you must install Microsoft Jet 4.0 Service Pack 3 (SP3) or later. After you install this update, the next time that you run Jet a new registry key is added to the registry. This new registry key prevents this type of possible security risk. The following is the registry key that is added:

For more information about how to obtain the latest Jet 4.0 Service Pack, click the following article number to view the article in the Microsoft Knowledge Base:

239114 How to obtain the latest service pack for the Microsoft Jet 4.0 Database Engine

To make your system more resistant to malicious attacks, and at the same time make it possible for older applications to keep running, the operation of Sandbox mode changed in Jet 4.0 Service Pack 8 so that Sandbox mode is completely under your control.

You can set the registry value to the following values, with 0 (zero) being the most permissive and 3 being the least permissive. This registry value is of type DWORD.

When you set the Sandbox mode registry value in Access 2003, this registry value is tied to the Macro Security Level. When you set the Macro Security Level to Medium or to High, you are offered the option to block unsafe expressions. When you use the option to block unsafe expressions, this sets SandboxMode = 3. When you set Macro Security Level to Low, you are offered the option to turn off expression blocking. When you use the option to turn off expression blocking, this sets SandboxMode = 2. Access 2003 preferentially runs with Jet expression blocking turned on. If you open a database in Access 2003 with Macro Security Level set to Medium or set to High and Sandbox mode set to SandboxMode = 2, you are prompted to turn on expression blocking.

After you enable Sandbox mode, and then you try to use the unsafe Visual Basic for Applications functions in a Jet 4.0 query, you receive the following error message:

Undefined function 'functionname' in expression

back to the top

Implement Sandbox mode operations
How you can implement Sandbox mode is extended in Jet 4.0 Service Pack 8 to be more compatible with Access databases. Previous implementations of Sandbox mode were too restrictive for most Access applications. Starting with Jet 4.0 Service Pack 8, the enhanced Sandbox mode continues to block unsafe Visual Basic for Applications functions, but Jet 4.0 Service Pack 8 now permits the execution of user-defined functions. Additionally, when you run Jet 4.0 Sandbox mode in combination with Access 2003, Jet 4.0 Sandbox mode can block certain Access functions and Access properties that are considered potentially unsafe.

back to the top

Use Sandbox mode operations with Jet 4.0 Service Pack 3 and later
You can use the following list of functions in Jet queries when Sandbox mode is enabled. Any functions that do not appear in the list are not available in Sandbox mode.

back to the top

Understand Visual Basic for Applications functions that cause errors when called from a Jet query or an Access property when using Jet 4.0 Service Pack 8
The following Visual Basic for Applications functions will cause an error when the functions are called from an expression in a Jet query or from an Access property:

back to the top

Understand Access functions and Access properties that are blocked by Jet 4.0 Sandbox mode
Jet 4.0 Sandbox mode blocks the following Access functions and properties when called from an expression in a Jet query or from an Access property. These functions and these properties are blocked only when enhanced Sandbox mode is running in Access 2003.

'Application Object'

BoundObjectFrame Object

Combobox Object

Control Object

CurrentProject Object

CustomControl Object

Form Object

Hyperlink Object

Listbox Object

ObjectFrame Object

Report Object

SmartTagAction Property

Screen Object

back to the top

Additional query words: acc2003 Access 2003

Keywords: kbappsolobj kberrmsg kbhowtomaster kbinfo kbregistry kbfix KB294698

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.