How to configure Jet 4.0 to prevent unsafe functions from running in Access 2003

View products that this article applies to.

This article was previously published under Q294698

INTRODUCTION

The evaluation of expressions is a behavior that is desirable in many circumstances. However, if part of the expression contains a Shell command, the Shell command is parsed and then executed on the computer.

You can use Sandbox mode to block such operations. However, the default for Jet 4.0 Sandbox mode is not to enable Sandbox mode for queries that are run in Microsoft Access. Sandbox mode is enabled for all other non-Access applications, such as Open Database Connectivity (ODBC).

Back to the top

Understand how to enable or how to disable Sandbox mode

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

You can enable Sandbox mode for non-Access applications. To do this, you must install Microsoft Jet 4.0 Service Pack 3 (SP3) or later. After you install this update, the next time that you run Jet a new registry key is added to the registry. This new registry key prevents this type of possible security risk. The following is the registry key that is added:

\\HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines\SandboxMode

For more information about how to obtain the latest Jet 4.0 Service Pack, click the following article number to view the article in the Microsoft Knowledge Base:

239114 (http://support.microsoft.com/kb/239114/ ) How to obtain the latest service pack for the Microsoft Jet 4.0 Database Engine

To make your system more resistant to malicious attacks, and at the same time make it possible for older applications to keep running, the operation of Sandbox mode changed in Jet 4.0 Service Pack 8 so that Sandbox mode is completely under your control.

You can set the registry value to the following values, with 0 (zero) being the most permissive and 3 being the least permissive. This registry value is of type DWORD.

Collapse this tableExpand this table

Setting	Description
0	Sandbox mode is disabled at all times.
1	Sandbox mode is used for Access applications, but not for non-Access Applications.
2	Sandbox mode is used for non-Access applications, but not for Access Applications. This is the default value.
3	Sandbox mode is used at all times.

When you set the Sandbox mode registry value in Access 2003, this registry value is tied to the Macro Security Level. When you set the Macro Security Level to Medium or to High, you are offered the option to block unsafe expressions. When you use the option to block unsafe expressions, this sets SandboxMode = 3. When you set Macro Security Level to Low, you are offered the option to turn off expression blocking. When you use the option to turn off expression blocking, this sets SandboxMode = 2. Access 2003 preferentially runs with Jet expression blocking turned on. If you open a database in Access 2003 with Macro Security Level set to Medium or set to High and Sandbox mode set to SandboxMode = 2, you are prompted to turn on expression blocking.

After you enable Sandbox mode, and then you try to use the unsafe Visual Basic for Applications functions in a Jet 4.0 query, you receive the following error message:

Undefined function 'functionname' in expression

Back to the top

Implement Sandbox mode operations

How you can implement Sandbox mode is extended in Jet 4.0 Service Pack 8 to be more compatible with Access databases. Previous implementations of Sandbox mode were too restrictive for most Access applications. Starting with Jet 4.0 Service Pack 8, the enhanced Sandbox mode continues to block unsafe Visual Basic for Applications functions, but Jet 4.0 Service Pack 8 now permits the execution of user-defined functions. Additionally, when you run Jet 4.0 Sandbox mode in combination with Access 2003, Jet 4.0 Sandbox mode can block certain Access functions and Access properties that are considered potentially unsafe.

Back to the top

Use Sandbox mode operations with Jet 4.0 Service Pack 3 and later

You can use the following list of functions in Jet queries when Sandbox mode is enabled. Any functions that do not appear in the list are not available in Sandbox mode.

Collapse this tableExpand this table

ABS	array	ASC	ASCB	ASCW	ATN
CBOOL	CBYTE	CCUR	CDATE	CDBL	choose
CHR	CHR$	CHRB	CHRB$	CHRW	CHRW$
CINT	CLNG	COS	CSNG	CSTR	CVAR
CvDate	CVErr	date	DATE$	DATEADD	dateDiff
datePart	DATESERIAL	DATEVALUE	day	DDB	error
error$	EXP	fix	format	format$	fv
hex	hex$	HOUR	IIF	IMEStatus	inStr
INT	IPMT	IRR	isDate	isEmpty	ISERROR
isNull	isNumeric	isObject	lCase	lCase$	LEFT
LEFT$	LEFTB	LEFTB$	LEN	LENB	LOG
lTrim	lTrim$	MID	MID$	MIDB	MIDB$
MINUTE	MIRR	MONTH	NOW	NPER	NPV
oct	oct$	partition	PMT	PPMT	PV
QBColor	RATE	RGB	RIGHT	RIGHT$	RIGHTB
RIGHTB$	rnd	round	rTrim	rTrim$	SECOND
sgn	SIN	SLN	space	space$	sqr
str	str$	strComp	strConv	string	string$
switch	SYD	TAN	TIME	TIME$	timer
timeSerial	TIMEVALUE	TRIM	TRIM$	typeName	uCase
uCase$	val	varType	WEEKDAY	YEAR

Back to the top

Understand Visual Basic for Applications functions that cause errors when called from a Jet query or an Access property when using Jet 4.0 Service Pack 8

The following Visual Basic for Applications functions will cause an error when the functions are called from an expression in a Jet query or from an Access property:

Collapse this tableExpand this table

AppActivate	Beep	Calendar	CallByName	ChDir
ChDrive	Command	Command$	CreateObject	CurDir
CurDir$	DeleteSetting	DoEvents	Environ	Environ$
EOF	Err	FileAttr	FileCopy	FileDateTime
FileLen	FreeFile	GetAllSettings	GetAttr	GetObject
GetSetting	Input	Input$	InputB	InputB$
Kill	Load	Loc	LOF	Randomize
Reset	SaveSetting	Seek	SendKeys	SetAttr
Shell	Spc	Tab	Unload	UserForms
Width	Dir	Erl	MacID

Back to the top

Understand Access functions and Access properties that are blocked by Jet 4.0 Sandbox mode

Jet 4.0 Sandbox mode blocks the following Access functions and properties when called from an expression in a Jet query or from an Access property. These functions and these properties are blocked only when enhanced Sandbox mode is running in Access 2003.

Application Object

Collapse this tableExpand this table

AddAutoCorrect	AddToFavorites	ADOConnectString	AnswerWizard	Application
Assistant	AutoCorrect	BeginUndoable	CloseCurrentDatabase	CodeContextObject
CodeDb	COMAddIns	CommandBars	CompactRepair	ConvertAccessProject
CreateAccessProject	CreateAdditionalData	CreateControl	CreateControlEx	CreateDataAccessPage
CreateForm	CreateGroupLevel	CreateNewWorkgroupFile	CreateReport	CreateReportControl
CreateReportControlEx	CurrentDb	DataAccessPages	DBEngine	DDEExecute
DDEInitiate	DDEPoke	DDERequest	DDETerminate	DDETerminateAll
DefaultWebOptions	DefaultWorkspaceClone	DelAutoCorrect	DeleteControl	DeleteReportControl
DoCmd	Echo	ExportXML	FeatureInstall	FileDialog
FileSearch	FollowHyperlink	GetHiddenAttribute	ImportXML	InsertText
LanguageSettings	LoadFromText	LoadPicture	Modules	NewAccessProject
NewCurrentDatabase	NewFileTaskPane	OpenAccessProject	OpenCurrentDatabase	Parent
ProductCode	Quit	References	RefreshDatabaseWindow	RefreshTitleBar
ReloadAddIns	ReplaceModule	Run	RunCommand	SaveAsText
SetDefaultWorkGroupFile	SetHiddenAttribute	SetOption	SetUndoRecording	SysCmd
TransformXML	VBE	BuilderString	MSODebugOptions	VGXFrameInterval
WizHook