How to configure Jet 4.0 to prevent unsafe functions from running in Access 2000 and Access 2002 (239482)



The information in this article applies to:

  • Microsoft Access 2000
  • Microsoft Access 2002
  • Microsoft ODBC Driver for Access 4.0
  • Microsoft Office 2000 Professional

This article was previously published under Q239482
This article applies only to a Microsoft Access database (.mdb).

Moderate: Requires basic macro, coding, and interoperability skills.
For a Microsoft Office Access 2003 version of this article, see 294698.

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

The Microsoft Jet 4.0 database engine permits you to call unsafe Microsoft Visual Basic for Applications functions through the Microsoft Jet Expression Service. The Jet Expression Service is used to evaluate expressions in forms, in reports, and in queries.

For example, the following SQL statement may cause all files to be deleted from the current folder on your computer:
SELECT Shell("Cmd /c del *.*") As c1 From Customers
Note The Shell command in this example works in Microsoft Windows NT. You must modify the command as follows for the command to work on a computer that is running Microsoft Windows 95 or Microsoft Windows 98:
SELECT Shell("Command.com /c del *.*") As c1 From Customers
The security risk occurs when expressions contain Visual Basic for Applications commands that can do damage to the computer that is running the query, such as Shell commands to delete files or to format the computer.

INTRODUCTION

The evaluation of expressions is a behavior that is desirable in many circumstances. However, if part of the expression contains a Shell command, the Shell command is parsed and then executed on the computer.

You can use Sandbox mode to block such operations. However, by default, Jet 4.0 does not enable Sandbox mode for queries that are run in Microsoft Access. By default, Sandbox mode is enabled only for non-Access applications, such as Open Database Connectivity (ODBC).


Understand how to enable or how to disable Sandbox mode

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can enable Sandbox mode for non-Access applications. To do this, you must install Microsoft Jet 4.0 Service Pack 3 (SP3) or later. After you install this update, the next time that you run Jet a new registry key is added to the registry. This new registry key prevents this type of possible security risk. The following is the registry key that is added:

\\HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines\SandboxMode

For additional information about how to obtain the latest Jet 4.0 Service Pack, click the following article number to view the article in the Microsoft Knowledge Base:

239114 How to obtain the latest service pack for the Microsoft Jet 4.0 Database Engine

To make your system more resistant to malicious attacks, and at the same time make it possible for older applications to keep running, the operation of Sandbox mode changed in Jet 4.0 Service Pack 8 so that Sandbox mode is completely under your control.

You can set the key to the following values, with 0 (zero) being the most permissive and 3 being the least permissive:

Setting  Description
0        Sandbox mode is disabled at all times.
1        Sandbox mode is used for Access applications, but not for non-Access Applications.
2        Sandbox mode is used for non-Access applications, but not for Access Applications. This is the default value.
3        Sandbox mode is used at all times.

After you enable Sandbox mode, and then you try to use the unsafe Visual Basic for Applications functions in a Jet 4.0 query, you receive the following error message:

Undefined function 'functionname' in expression
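
The setting in effect on a computer can be checked by decoding the output of reg query "HKLM\Software\Microsoft\Jet\4.0\engines" /v SandboxMode against the table above. The following Python is an added example, not part of the original article; it assumes that the value is stored as a REG_DWORD that reg.exe prints in hexadecimal, and the sample output is constructed.

```python
import re

# Meaning of each SandboxMode value, per the table in this article:
# (sandboxed in Access, sandboxed in non-Access applications such as ODBC)
SANDBOX_MODES = {0: (False, False), 1: (True, False), 2: (False, True), 3: (True, True)}

# Assumption: reg.exe prints the value as "SandboxMode    REG_DWORD    0x2".
VALUE_LINE = re.compile(r"^\s*SandboxMode\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$",
                        re.IGNORECASE | re.MULTILINE)

def audit_sandbox_mode(reg_query_output):
    """Return (value, findings) for the text printed by reg query."""
    match = VALUE_LINE.search(reg_query_output)
    if match is None:
        # The value is created the next time Jet runs after SP3 or later is installed.
        return None, ["SandboxMode value not found; Jet 4.0 SP3 or later may not have run yet"]
    value = int(match.group(1), 16)
    if value not in SANDBOX_MODES:
        return value, [f"unexpected value {value}; documented range is 0-3"]
    in_access, in_other = SANDBOX_MODES[value]
    findings = []
    if not in_access:
        findings.append("unsafe functions can run in queries opened in Access")
    if not in_other:
        findings.append("unsafe functions can run in non-Access applications (for example ODBC)")
    return value, findings

# Constructed sample of reg query output showing the default value 2.
SAMPLE_DEFAULT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines
    SandboxMode    REG_DWORD    0x2
"""

if __name__ == "__main__":
    value, findings = audit_sandbox_mode(SAMPLE_DEFAULT)
    print("SandboxMode =", value)
    for finding in findings:
        print(" -", finding)
```

An empty findings list corresponds to setting 3, where Sandbox mode is used at all times.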

Implement Sandbox mode operations

The implementation of Sandbox mode is extended in Jet 4.0 Service Pack 8 to be more compatible with Access databases. Previous implementations of Sandbox mode were too restrictive for most Access applications. Starting with Jet 4.0 Service Pack 8, the enhanced Sandbox mode continues to block unsafe Visual Basic for Applications functions, but it now permits the execution of user-defined functions.


Use Sandbox mode operations with Jet 4.0 Service Pack 3 and later

You can use the following list of functions in Jet queries when Sandbox mode is enabled. Any functions that do not appear in the list are not available in Sandbox mode.
ABS array ASC ASCB ASCW ATN
CBOOL CBYTE CCUR CDATE CDBL choose
CHR CHR$ CHRB CHRB$ CHRW CHRW$
CINT CLNG COS CSNG CSTR CVAR
CvDate CVErr date DATE$ DATEADD dateDiff
datePart DATESERIAL DATEVALUE day DDB error
error$ EXP fix format format$ fv
hex hex$ HOUR IIF IMEStatus inStr
INT IPMT IRR isDate isEmpty ISERROR
isNull isNumeric isObject lCase lCase$ LEFT
LEFT$ LEFTB LEFTB$ LEN LENB LOG
lTrim lTrim$ MID MID$ MIDB MIDB$
MINUTE MIRR MONTH NOW NPER NPV
oct oct$ partition PMT PPMT PV
QBColor RATE RGB RIGHT RIGHT$ RIGHTB
RIGHTB$ rnd round rTrim rTrim$ SECOND
sgn SIN SLN space space$ sqr
str str$ strComp strConv string string$
switch SYD TAN TIME TIME$ timer
timeSerial TIMEVALUE TRIM TRIM$ typeName uCase
uCase$ val varType WEEKDAY YEAR


Understand Visual Basic for Applications functions that cause errors when called from a Jet query or an Access property when using Jet 4.0 Service Pack 8

The following Visual Basic for Applications functions will cause an error when the functions are called from an expression in a Jet query or from an Access property:
AppActivate Beep Calendar CallByName ChDir
ChDrive Command Command$ CreateObject CurDir
CurDir$ DeleteSetting DoEvents Environ Environ$
EOF Err FileAttr FileCopy FileDateTime
FileLen FreeFile GetAllSettings GetAttr GetObject
GetSetting Input Input$ InputB InputB$
Kill Load Loc LOF Randomize
Reset SaveSetting Seek SendKeys SetAttr
Shell Spc Tab Unload UserForms
Width
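
Before Sandbox mode is enabled for Access, the SQL of saved queries can be scanned for calls to the functions in this list, both to find queries that will start to fail and to review a database from an untrusted source. The following Python is an added example, not part of the original article; the function name blocked_calls and all sample queries except the first are constructed, and only calls written with parentheses are detected.

```python
import re

# Functions this article lists as causing an error under Jet 4.0 SP8 Sandbox mode.
BLOCKED_NAMES = """
AppActivate Beep Calendar CallByName ChDir ChDrive Command Command$ CreateObject
CurDir CurDir$ DeleteSetting DoEvents Environ Environ$ EOF Err FileAttr FileCopy
FileDateTime FileLen FreeFile GetAllSettings GetAttr GetObject GetSetting Input
Input$ InputB InputB$ Kill Load Loc LOF Randomize Reset SaveSetting Seek SendKeys
SetAttr Shell Spc Tab Unload UserForms Width
""".split()
CANONICAL = {name.lower(): name for name in BLOCKED_NAMES}  # VBA names ignore case

# String literals ("..." or '...', quotes doubled to escape) and [bracketed]
# identifiers are data or field names, not calls, so they are masked first.
NOT_CODE = re.compile(r'"(?:[^"]|"")*"' r"|'(?:[^']|'')*'" r"|\[[^\]]*\]")
# A name followed by "(" that is not the tail of a longer name or a member access.
CALL = re.compile(r"(?<![\w$.!])([A-Za-z_]\w*\$?)\s*\(")

def blocked_calls(sql):
    """Return the blocked functions called in a Jet SQL string, in order of appearance."""
    code_only = NOT_CODE.sub("?", sql)
    found = []
    for match in CALL.finditer(code_only):
        name = CANONICAL.get(match.group(1).lower())
        if name and name not in found:
            found.append(name)
    return found

# The first query is the example from this article; the others are constructed.
SAMPLES = [
    'SELECT Shell("Cmd /c del *.*") As c1 From Customers',
    "SELECT [Kill], UCase(Notes) FROM Log WHERE Notes = 'Shell(x)'",
    'SELECT environ$("USERNAME") AS u, CurDir() AS d FROM Customers',
]

if __name__ == "__main__":
    for sql in SAMPLES:
        print(blocked_calls(sql), "<-", sql)
```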


Modification Type: Major
Last Reviewed: 8/10/2004
Keywords:kbhowto kbConfig kbinfo kbfix KB239482 kbAudDeveloper