Moderate: Requires basic macro, coding, and interoperability skills.
This article applies only to a Microsoft Access database (.mdb).
For a Microsoft Access 2000 and Access 2002 version of this article, see 239482.
Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
The Microsoft Jet 4.0 database engine permits you to call unsafe Microsoft Visual Basic for Applications functions through the Microsoft Jet Expression Service. The Jet Expression Service is used to evaluate expressions in forms, in reports, and in queries.
For example, the following SQL statement may cause all files to be deleted from the current folder on your computer:
SELECT Shell("Cmd /c del *.*") As c1 From Customers
The security risk occurs when expressions contain Visual Basic for Applications commands that can do damage to the computer that is running the query, such as Shell commands to delete files or to format the computer.
INTRODUCTION
The evaluation of expressions is a behavior that is desirable in many circumstances. However, if part of the expression contains a Shell command, the Shell command is parsed and then executed on the computer.
You can use Sandbox mode to block such operations. However, the default for Jet 4.0 Sandbox mode is not to enable Sandbox mode for queries that are run in Microsoft Access. Sandbox mode is enabled for all other non-Access applications, such as Open Database Connectivity (ODBC).
Understand how to enable or how to disable Sandbox mode
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
You can enable Sandbox mode for non-Access applications. To do this, you must install Microsoft Jet 4.0 Service Pack 3 (SP3) or later. After you install this update, the next time that you run Jet a new registry key is added to the registry. This new registry key prevents this type of possible security risk. The following is the registry key that is added:
\\HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines\SandboxMode
For more information about how to obtain the latest Jet 4.0 Service Pack, click the following article number to view the article in the Microsoft Knowledge Base:
239114 How to obtain the latest service pack for the Microsoft Jet 4.0 Database Engine
To make your system more resistant to malicious attacks, and at the same time make it possible for older applications to keep running, the operation of Sandbox mode changed in Jet 4.0 Service Pack 8 so that Sandbox mode is completely under your control.
You can set the registry value to the following values, with 0 (zero) being the most permissive and 3 being the least permissive. This registry value is of type DWORD.
Value | Description |
0 | Sandbox mode is disabled at all times. |
1 | Sandbox mode is used for Access applications, but not for non-Access applications. |
2 | Sandbox mode is used for non-Access applications, but not for Access applications. This is the default value. |
3 | Sandbox mode is used at all times. |
When you set the Sandbox mode registry value in Access 2003, this registry value is tied to the Macro Security Level. When you set the Macro Security Level to Medium or to High, you are offered the option to block unsafe expressions. When you use the option to block unsafe expressions, this sets SandboxMode = 3. When you set Macro Security Level to Low, you are offered the option to turn off expression blocking. When you use the option to turn off expression blocking, this sets SandboxMode = 2. Access 2003 preferentially runs with Jet expression blocking turned on. If you open a database in Access 2003 with Macro Security Level set to Medium or set to High and Sandbox mode set to SandboxMode = 2, you are prompted to turn on expression blocking.
After you enable Sandbox mode, and then you try to use the unsafe Visual Basic for Applications functions in a Jet 4.0 query, you receive the following error message:
Undefined function 'functionname' in expression
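The following audit script is an added example, not part of the original article or Microsoft's code: it reads the SandboxMode value from the registry location given above and reports which callers the value table leaves outside Sandbox mode. The function names are hypothetical, and requesting the 32-bit registry view with `KEY_WOW64_32KEY` is an assumption based on Jet 4.0 being a 32-bit component.

```python
import sys

KEY_PATH = r"Software\Microsoft\Jet\4.0\engines"  # under HKEY_LOCAL_MACHINE, from the article
VALUE_NAME = "SandboxMode"

def interpret(value, is_dword=True):
    """Map a raw SandboxMode value to (access_sandboxed, non_access_sandboxed).

    Returns None when the value is not a DWORD or is outside the range 0-3.
    """
    if not is_dword or not isinstance(value, int) or not 0 <= value <= 3:
        return None
    # The bit test reproduces the article's four-row table:
    # bit 0 covers Access applications, bit 1 covers non-Access applications.
    return bool(value & 1), bool(value & 2)

def findings(value, is_dword=True):
    """Return audit findings for one SandboxMode reading (empty list means 3)."""
    if value is None:
        return ["SandboxMode value not found"]
    scope = interpret(value, is_dword)
    if scope is None:
        return ["SandboxMode is not a DWORD in the range 0-3"]
    out = []
    if not scope[0]:
        out.append("Sandbox mode is not used for Access applications")
    if not scope[1]:
        out.append("Sandbox mode is not used for non-Access applications")
    return out

def read_sandbox_mode():
    """Read (value, is_dword) from the registry; (None, False) if absent. Windows only."""
    import winreg
    # Assumption: ask for the 32-bit view because the Jet 4.0 engine is 32-bit.
    access = winreg.KEY_READ | winreg.KEY_WOW64_32KEY
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, access) as key:
            value, reg_type = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None, False
    return value, reg_type == winreg.REG_DWORD

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on the Windows host being audited")
    problems = findings(*read_sandbox_mode())
    print("\n".join(problems) or "Sandbox mode is used at all times")
    sys.exit(1 if problems else 0)
```

With the default value of 2 the script reports that Sandbox mode is not used for Access applications, which is the case the article's example query relies on.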
Implement Sandbox mode operations
The implementation of Sandbox mode is extended in Jet 4.0 Service Pack 8 to be more compatible with Access databases. Previous implementations of Sandbox mode were too restrictive for most Access applications. Starting with Jet 4.0 Service Pack 8, the enhanced Sandbox mode continues to block unsafe Visual Basic for Applications functions, but it now permits the execution of user-defined functions. Additionally, when you run Jet 4.0 Sandbox mode in combination with Access 2003, Jet 4.0 Sandbox mode can block certain Access functions and Access properties that are considered potentially unsafe.
Use Sandbox mode operations with Jet 4.0 Service Pack 3 and later
You can use the following list of functions in Jet queries when Sandbox mode is enabled. Any functions that do not appear in the list are not available in Sandbox mode.
ABS | array | ASC | ASCB | ASCW | ATN |
CBOOL | CBYTE | CCUR | CDATE | CDBL | choose |
CHR | CHR$ | CHRB | CHRB$ | CHRW | CHRW$ |
CINT | CLNG | COS | CSNG | CSTR | CVAR |
CvDate | CVErr | date | DATE$ | DATEADD | dateDiff |
datePart | DATESERIAL | DATEVALUE | day | DDB | error |
error$ | EXP | fix | format | format$ | fv |
hex | hex$ | HOUR | IIF | IMEStatus | inStr |
INT | IPMT | IRR | isDate | isEmpty | ISERROR |
isNull | isNumeric | isObject | lCase | lCase$ | LEFT |
LEFT$ | LEFTB | LEFTB$ | LEN | LENB | LOG |
lTrim | lTrim$ | MID | MID$ | MIDB | MIDB$ |
MINUTE | MIRR | MONTH | NOW | NPER | NPV |
oct | oct$ | partition | PMT | PPMT | PV |
QBColor | RATE | RGB | RIGHT | RIGHT$ | RIGHTB |
RIGHTB$ | rnd | round | rTrim | rTrim$ | SECOND |
sgn | SIN | SLN | space | space$ | sqr |
str | str$ | strComp | strConv | string | string$ |
switch | SYD | TAN | TIME | TIME$ | timer |
timeSerial | TIMEVALUE | TRIM | TRIM$ | typeName | uCase |
uCase$ | val | varType | WEEKDAY | YEAR | |
Understand Visual Basic for Applications functions that cause errors when called from a Jet query or an Access property when using Jet 4.0 Service Pack 8
The following Visual Basic for Applications functions will cause an error when the functions are called from an expression in a Jet query or from an Access property:
AppActivate | Beep | Calendar | CallByName | ChDir |
ChDrive | Command | Command$ | CreateObject | CurDir |
CurDir$ | DeleteSetting | DoEvents | Environ | Environ$ |
EOF | Err | FileAttr | FileCopy | FileDateTime |
FileLen | FreeFile | GetAllSettings | GetAttr | GetObject |
GetSetting | Input | Input$ | InputB | InputB$ |
Kill | Load | Loc | LOF | Randomize |
Reset | SaveSetting | Seek | SendKeys | SetAttr |
Shell | Spc | Tab | Unload | UserForms |
Width | | | | |
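As an added example (not from the original article), this Python script scans Jet SQL text for calls to the Visual Basic for Applications functions listed above, so that saved queries that depend on them can be found and reviewed before Sandbox mode is enabled. The name `blocked_calls` is hypothetical, and the sample queries other than the article's own Shell statement are constructed for illustration.

```python
import re

# VBA functions the article lists as causing an error when called from a
# Jet query or an Access property under Jet 4.0 SP8 Sandbox mode.
BLOCKED_VBA = frozenset("""
AppActivate Beep Calendar CallByName ChDir ChDrive Command Command$ CreateObject
CurDir CurDir$ DeleteSetting DoEvents Environ Environ$ EOF Err FileAttr FileCopy
FileDateTime FileLen FreeFile GetAllSettings GetAttr GetObject GetSetting Input
Input$ InputB InputB$ Kill Load Loc LOF Randomize Reset SaveSetting Seek
SendKeys SetAttr Shell Spc Tab Unload UserForms Width
""".lower().split())

# String literals and [bracketed] names are consumed first so that a function
# name appearing inside them is never mistaken for a call site.
_TOKEN = re.compile(r"""
    "(?:[^"]|"")*"                               # double-quoted literal
  | '(?:[^']|'')*'                               # single-quoted literal
  | \[[^\]]*\]                                   # bracketed field or table name
  | (?P<name>[A-Za-z_][A-Za-z0-9_]*\$?)\s*\(     # identifier opening a call
""", re.VERBOSE)

def blocked_calls(sql):
    """Return the blocked VBA functions called in a Jet SQL string, in first-seen order."""
    found, seen = [], set()
    for match in _TOKEN.finditer(sql):
        name = match.group("name")
        if name and name.lower() in BLOCKED_VBA and name.lower() not in seen:
            seen.add(name.lower())
            found.append(name)
    return found

# Constructed sample queries; the first is the statement quoted in the article.
SAMPLES = [
    'SELECT Shell("Cmd /c del *.*") As c1 From Customers',
    "SELECT UCase([Shell]) AS n, 'Kill(x)' AS note FROM Customers",
    'SELECT Environ$("USERNAME"), CurDir() FROM Orders WHERE Left(Name,1)="A"',
]

if __name__ == "__main__":
    for query in SAMPLES:
        print(blocked_calls(query) or "no blocked calls", "<-", query)
```

User-defined functions and names that appear in neither of the article's lists are not reported; the scan only matches the functions the article names as blocked.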
Understand Access functions and Access properties that are blocked by Jet 4.0 Sandbox mode
Jet 4.0 Sandbox mode blocks the following Access functions and properties when called from an expression in a Jet query or from an Access property. These functions and these properties are blocked only when enhanced Sandbox mode is running in Access 2003.
Application Object
AddAutoCorrect | AddToFavorites | ADOConnectString | AnswerWizard | Application |
Assistant | AutoCorrect | BeginUndoable | CloseCurrentDatabase | CodeContextObject |
CodeDb | COMAddIns | CommandBars | CompactRepair | ConvertAccessProject |
CreateAccessProject | CreateAdditionalData | CreateControl | CreateControlEx | CreateDataAccessPage |
CreateForm | CreateGroupLevel | CreateNewWorkgroupFile | CreateReport | CreateReportControl |
CreateReportControlEx | CurrentDb | DataAccessPages | DBEngine | DDEExecute |
DDEInitiate | DDEPoke | DDERequest | DDETerminate | DDETerminateAll |
DefaultWebOptions | DefaultWorkspaceClone | DelAutoCorrect | DeleteControl | DeleteReportControl |
DoCmd | Echo | ExportXML | FeatureInstall | FileDialog |
FileSearch | FollowHyperlink | GetHiddenAttribute | ImportXML | InsertText |
LanguageSettings | LoadFromText | LoadPicture | Modules | NewAccessProject |
NewCurrentDatabase | NewFileTaskPane | OpenAccessProject | OpenCurrentDatabase | Parent |
ProductCode | Quit | References | RefreshDatabaseWindow | RefreshTitleBar |
ReloadAddIns | ReplaceModule | Run | RunCommand | SaveAsText |
SetDefaultWorkGroupFile | SetHiddenAttribute | SetOption | SetUndoRecording | SysCmd |
TransformXML | VBE | | | |
BoundObjectFrame Object
Combobox Object
Control Object
CurrentProject Object
AccessConnection | BaseConnectionString | CloseConnection | Connection | OpenConnection |
CustomControl Object
Form Object
Dynaset | Recordset | RecordsetClone |
Hyperlink Object
AddToFavorites | CreateNewDocument | Follow |
Listbox Object
ObjectFrame Object
Report Object
SmartTagAction Property
Screen Object