How to configure Jet 4.0 to prevent unsafe functions from running in Access 2003

Article ID: 294698
This article was previously published under Q294698

INTRODUCTION

The evaluation of expressions is a behavior that is desirable in many circumstances. However, if part of the expression contains a Shell command, the Shell command is parsed and then executed on the computer.

You can use Sandbox mode to block such operations. However, the default for Jet 4.0 Sandbox mode is not to enable Sandbox mode for queries that are run in Microsoft Access. Sandbox mode is enabled for all other non-Access applications, such as Open Database Connectivity (ODBC).

Understand how to enable or how to disable Sandbox mode

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


You can enable Sandbox mode for non-Access applications. To do this, you must install Microsoft Jet 4.0 Service Pack 3 (SP3) or later. After you install this update, the next time that you run Jet a new registry key is added to the registry. This new registry key prevents this type of possible security risk. The following is the registry key that is added:

\\HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines\SandboxMode


For more information about how to obtain the latest Jet 4.0 Service Pack, click the following article number to view the article in the Microsoft Knowledge Base:
239114 How to obtain the latest service pack for the Microsoft Jet 4.0 Database Engine
To make your system more resistant to malicious attacks, and at the same time make it possible for older applications to keep running, the operation of Sandbox mode changed in Jet 4.0 Service Pack 8 so that Sandbox mode is completely under your control.

You can set the registry value to the following values, with 0 (zero) being the most permissive and 3 being the least permissive. This registry value is of type DWORD.

Setting   Description
0         Sandbox mode is disabled at all times.
1         Sandbox mode is used for Access applications, but not for non-Access applications.
2         Sandbox mode is used for non-Access applications, but not for Access applications. This is the default value.
3         Sandbox mode is used at all times.
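
The following PowerShell sketch reports the current SandboxMode value and can set it. It is an added example, not part of the original article; the function names are hypothetical, and the WOW6432Node path is an assumption for 64-bit Windows, where 32-bit components such as Jet 4.0 read the redirected registry view.

```powershell
# Added example (not from the original article): report and set SandboxMode.
# Value meanings follow the settings table in this article.
$SandboxMeaning = @{
    0 = 'Sandbox mode is disabled at all times'
    1 = 'Sandbox mode for Access applications only'
    2 = 'Sandbox mode for non-Access applications only (default)'
    3 = 'Sandbox mode is used at all times'
}
# Key from the article, plus (assumption) the 32-bit view on 64-bit Windows.
$JetKeys = @(
    'HKLM:\Software\Microsoft\Jet\4.0\engines',
    'HKLM:\Software\WOW6432Node\Microsoft\Jet\4.0\engines'
)

function Get-JetSandboxMode {
    foreach ($key in $JetKeys) {
        if (-not (Test-Path $key)) { continue }
        $prop = Get-ItemProperty -Path $key -Name SandboxMode -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $value = $null
            $text  = 'SandboxMode value not present'
        } else {
            $value = [int]$prop.SandboxMode
            $text  = $SandboxMeaning[$value]
            if (-not $text) { $text = 'Unrecognized value' }
        }
        [pscustomobject]@{ Key = $key; SandboxMode = $value; Meaning = $text }
    }
}

function Set-JetSandboxMode {
    # Only the four documented values are accepted; the value is written as a DWORD.
    param([ValidateRange(0, 3)][int]$Mode = 3)
    foreach ($key in $JetKeys) {
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name SandboxMode -Value $Mode -Type DWord
        }
    }
    Get-JetSandboxMode
}

Get-JetSandboxMode | Format-Table -AutoSize
# Set-JetSandboxMode -Mode 3   # run elevated, after backing up the registry
```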

When you set the Sandbox mode registry value in Access 2003, this registry value is tied to the Macro Security Level. When you set the Macro Security Level to Medium or to High, you are offered the option to block unsafe expressions. When you use the option to block unsafe expressions, this sets SandboxMode = 3. When you set Macro Security Level to Low, you are offered the option to turn off expression blocking. When you use the option to turn off expression blocking, this sets SandboxMode = 2. Access 2003 preferentially runs with Jet expression blocking turned on. If you open a database in Access 2003 with Macro Security Level set to Medium or set to High and Sandbox mode set to SandboxMode = 2, you are prompted to turn on expression blocking.

After you enable Sandbox mode, and then you try to use the unsafe Visual Basic for Applications functions in a Jet 4.0 query, you receive the following error message:

Undefined function 'functionname' in expression

Implement Sandbox mode operations

Jet 4.0 Service Pack 8 extends the implementation of Sandbox mode to be more compatible with Access databases. Previous implementations of Sandbox mode were too restrictive for most Access applications. Starting with Jet 4.0 Service Pack 8, the enhanced Sandbox mode continues to block unsafe Visual Basic for Applications functions, but it now permits the execution of user-defined functions. Additionally, when you run Jet 4.0 Sandbox mode in combination with Access 2003, Jet 4.0 Sandbox mode can block certain Access functions and Access properties that are considered potentially unsafe.

Use Sandbox mode operations with Jet 4.0 Service Pack 3 and later


You can use the following list of functions in Jet queries when Sandbox mode is enabled. Any functions that do not appear in the list are not available in Sandbox mode.
ABS array ASC ASCB ASCW ATN
CBOOL CBYTE CCUR CDATE CDBL choose
CHR CHR$ CHRB CHRB$ CHRW CHRW$
CINT CLNG COS CSNG CSTR CVAR
CvDate CVErr date DATE$ DATEADD dateDiff
datePart DATESERIAL DATEVALUE day DDB error
error$ EXP fix format format$ fv
hex hex$ HOUR IIF IMEStatus inStr
INT IPMT IRR isDate isEmpty ISERROR
isNull isNumeric isObject lCase lCase$ LEFT
LEFT$ LEFTB LEFTB$ LEN LENB LOG
lTrim lTrim$ MID MID$ MIDB MIDB$
MINUTE MIRR MONTH NOW NPER NPV
oct oct$ partition PMT PPMT PV
QBColor RATE RGB RIGHT RIGHT$ RIGHTB
RIGHTB$ rnd round rTrim rTrim$ SECOND
sgn SIN SLN space space$ sqr
str str$ strComp strConv string string$
switch SYD TAN TIME TIME$ timer
timeSerial TIMEVALUE TRIM TRIM$ typeName uCase
uCase$ val varType WEEKDAY YEAR

Understand Visual Basic for Applications functions that cause errors when called from a Jet query or an Access property when using Jet 4.0 Service Pack 8

The following Visual Basic for Applications functions will cause an error when the functions are called from an expression in a Jet query or from an Access property:

AppActivate  Beep           Calendar        CallByName  ChDir
ChDrive      Command        Command$        CreateObject CurDir
CurDir$      DeleteSetting  DoEvents        Environ     Environ$
EOF          Err            FileAttr        FileCopy    FileDateTime
FileLen      FreeFile       GetAllSettings  GetAttr     GetObject
GetSetting   Input          Input$          InputB      InputB$
Kill         Load           Loc             LOF         Randomize
Reset        SaveSetting    Seek            SendKeys    SetAttr
Shell        Spc            Tab             Unload      UserForms
Width        Dir            Erl             MacID
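
Before you set SandboxMode to 3, you can check saved query text for calls to the functions listed above to predict which queries will fail with the "Undefined function" error. The following PowerShell sketch is an added example, not part of the original article; the function name, query names, and SQL strings are constructed, and it only detects call syntax (a name followed by an opening parenthesis) outside string literals.

```powershell
# Added example (not from the original article).
# Blocked VBA function names, taken from the list in this article.
$BlockedVba = @'
AppActivate Beep Calendar CallByName ChDir ChDrive Command Command$
CreateObject CurDir CurDir$ DeleteSetting DoEvents Environ Environ$
EOF Err FileAttr FileCopy FileDateTime FileLen FreeFile GetAllSettings
GetAttr GetObject GetSetting Input Input$ InputB InputB$ Kill Load Loc
LOF Randomize Reset SaveSetting Seek SendKeys SetAttr Shell Spc Tab
Unload UserForms Width Dir Erl MacID
'@ -split '\s+'

function Find-BlockedJetCall {
    param([string]$Name, [string]$Sql)
    # Drop quoted literals so a function name inside a string is not reported.
    $code = $Sql -replace '''[^'']*''|"[^"]*"', ''
    # Identifiers used with call syntax; -contains compares case-insensitively.
    $hits = [regex]::Matches($code, '(?<![\w\]])([A-Za-z_]\w*\$?)\s*\(') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $BlockedVba -contains $_ } |
        Sort-Object -Unique
    [pscustomobject]@{ Query = $Name; Blocked = @($hits) }
}

# Constructed sample queries; in practice, export the SQL of each saved query.
$Queries = [ordered]@{
    qryNames   = 'SELECT UCase(LastName) FROM Customers'
    qryWhoAmI  = "SELECT Environ('USERNAME') AS Who, CurDir() AS Cwd FROM Orders"
    qryLiteral = "SELECT Note FROM Log WHERE Note LIKE '*FileCopy(*'"
}

$Queries.GetEnumerator() |
    ForEach-Object { Find-BlockedJetCall -Name $_.Key -Sql $_.Value } |
    Where-Object { $_.Blocked.Count -gt 0 } |
    ForEach-Object { '{0}: {1}' -f $_.Query, ($_.Blocked -join ', ') }
```

Functions that can be written without parentheses, such as Command or CurDir, are missed by the call-syntax match, so treat an empty result as a first pass rather than proof that a query is unaffected.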


Understand Access functions and Access properties that are blocked by Jet 4.0 Sandbox mode

Jet 4.0 Sandbox mode blocks the following Access functions and properties when called from an expression in a Jet query or from an Access property. These functions and these properties are blocked only when enhanced Sandbox mode is running in Access 2003.

Application Object
AddAutoCorrect           AddToFavorites        ADOConnectString        AnswerWizard          Application
Assistant                AutoCorrect           BeginUndoable           CloseCurrentDatabase  CodeContextObject
CodeDb                   COMAddIns             CommandBars             CompactRepair         ConvertAccessProject
CreateAccessProject      CreateAdditionalData  CreateControl           CreateControlEx       CreateDataAccessPage
CreateForm               CreateGroupLevel      CreateNewWorkgroupFile  CreateReport          CreateReportControl
CreateReportControlEx    CurrentDb             DataAccessPages         DBEngine              DDEExecute
DDEInitiate              DDEPoke               DDERequest              DDETerminate          DDETerminateAll
DefaultWebOptions        DefaultWorkspaceClone DelAutoCorrect          DeleteControl         DeleteReportControl
DoCmd                    Echo                  ExportXML               FeatureInstall        FileDialog
FileSearch               FollowHyperlink       GetHiddenAttribute      ImportXML             InsertText
LanguageSettings         LoadFromText          LoadPicture             Modules               NewAccessProject
NewCurrentDatabase       NewFileTaskPane       OpenAccessProject       OpenCurrentDatabase   Parent
ProductCode              Quit                  References              RefreshDatabaseWindow RefreshTitleBar
ReloadAddIns             ReplaceModule         Run                     RunCommand            SaveAsText
SetDefaultWorkGroupFile  SetHiddenAttribute    SetOption               SetUndoRecording      SysCmd
TransformXML             VBE                   BuilderString           MSODebugOptions       VGXFrameInterval
WizHook

BoundObjectFrame Object
Object


Combobox Object
Recordset


Control Object
Object

CurrentProject Object
AccessConnection BaseConnectionString CloseConnection Connection OpenConnection


CustomControl Object
Object


Form Object
Dynaset         Recordset     RecordsetClone  ChartSpace
ConnectControl  ConnectSynch  Module          PivotTable


Hyperlink Object
AddToFavorites CreateNewDocument Follow


Listbox Object
Recordset


ObjectFrame Object
Object


Report Object
Recordset


SmartTagAction Property
Execute


Screen Object
ActiveDataAccessPage

Properties

Article ID: 294698 - Last Review: December 29, 2006 - Revision: 5.4
APPLIES TO
  • Microsoft Office Access 2003
Keywords: 
kbappsolobj kberrmsg kbhowtomaster kbinfo kbregistry kbfix KB294698
