Overcome the Trust Center nuisance

Hello EE,

Today we will discuss a problem that most Microsoft Office (2007 and up) developers have encountered, or are very likely to encounter, while deploying a new application to their users.

The problem
A new security feature, the Trust Center, was introduced in the Microsoft Office 2007 suite. It is meant to prevent malicious code from running on the machine of an unsuspecting user when an Office file is opened, whether via an AutoExec macro or code in the "OnLoad"/"OnOpen" events of the startup form.

Every time a Microsoft Office file that was created on a different machine is opened, it is checked by the Trust Center to ensure that the file doesn't contain malicious content. The Trust Center doesn't have a database of malicious code, nor does it have heuristic scanning capabilities. Since the Trust Center doesn't have a way of identifying which macros are legitimate, it will check for any of the following:
* Microsoft Visual Basic for Application (VBA) macros
* COM add-ins (in a non-trusted folder)
* Smart tags
* Smart Documents
* Extensible Style sheet Language (XSL) documents
If any of the above exists, the Trust Center will disable all of the above content.
A Security Warning will pop up.
Now the user has two (main) options: (a) Disable the content, by clicking the x on the right side of the bar. (b) Enable the content (either by trusting the file or the location).

Although the Trust Center was created to protect the user, it can be a great nuisance to the developer. When the content is blocked, the users may be able to mess up or change things that they weren't meant to change.

The solution
The only workaround for this security feature is to add the location of your application to the Trust Center's list of trusted locations before your project is opened by the user for the first time. The Trust Center's locations are stored in the registry, so to add new locations we must modify the registry. Let's take a look at the different settings and where they are stored.

There are three vital keys, and two recommended keys.

The vital keys are: AllowNetworkLocations, AllowSubfolders and Path.

The recommended keys are: Date and Description. I recommend using them because they enable tracking of the trusted locations.

Key locations

The AllowNetworkLocations key is stored under
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations


All the other keys are stored under
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\NameOfYourLocation


Where 14.0 is the version of Microsoft Office that you have installed (14.0 is Office 2010, 12.0 is Office 2007), and NameOfYourLocation is any unique name you want (make sure it doesn't clash with an existing one).

Key settings

By default, network locations are never trusted. To change this we will add a REG_DWORD (binary) key:
The name of the key is: AllowNetworkLocations
The value of the key is: 1

NOTE: Unlike the other settings, which are private to each specific key, the AllowNetworkLocations key is a global key and will affect all trusted locations.

By default when a location is trusted, its sub-folders will not be trusted. To change that, we will add a REG_DWORD (binary) key.
The name of the key is: AllowSubfolders
The value of the key is: 1

Path is the full path to your project (don't forget the ending slash).
To add a new location to the list we will add a REG_SZ (string) key:
The name of the key is: Path
The value of the key is: C:\YourPath\

Date is the date that the location was added to the registry. It is formatted like this: (Format: DD.MM.YYYY hh:nn)
To add the date we will add a REG_SZ (string) key:
The name of the key is: Date
The value of the key is: [YourDate]

Description is the description of your project.
To add a description we will add a REG_SZ (string) key:
The name of the key is: Description
The value of the key is: YourDescription
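
Because every installer that follows this approach writes to the same registry location, it helps to be able to list what is currently trusted. The following PowerShell is an added example, not part of the original article or of any Microsoft tool: it only reads the keys described above, and the function name Get-OfficeTrustedLocation, the program list and the review notes it prints are this example's own assumptions.

```powershell
# Added example: list Office Trusted Locations for the current user (read-only).
function Get-OfficeTrustedLocation {
    param(
        # Version keys as described above: 12.0 = Office 2007, 14.0 = Office 2010
        [string[]]$Version = @('12.0', '14.0'),
        [string[]]$Program = @('Access', 'Excel', 'Word')
    )
    foreach ($ver in $Version) {
        foreach ($app in $Program) {
            $root = "HKCU:\Software\Microsoft\Office\$ver\$app\Security\Trusted Locations"
            if (-not (Test-Path -LiteralPath $root)) { continue }

            # AllowNetworkLocations sits on the parent key and applies to every location
            $rootValues = Get-ItemProperty -LiteralPath $root
            $allowNetwork = ($null -ne $rootValues) -and ($rootValues.AllowNetworkLocations -eq 1)

            foreach ($key in Get-ChildItem -LiteralPath $root) {
                $v = Get-ItemProperty -LiteralPath $key.PSPath
                $path = [string]$v.Path

                # Review notes: this example's own heuristics, not Office behaviour
                $notes = @()
                if ($path -match '^\\\\')     { $notes += 'UNC path' }
                if ($v.AllowSubfolders -eq 1) { $notes += 'subfolders trusted' }
                if (-not $v.Date -and -not $v.Description) { $notes += 'no Date/Description' }

                [pscustomobject]@{
                    Version      = $ver
                    Program      = $app
                    Name         = $key.PSChildName
                    Path         = $path
                    AllowNetwork = $allowNetwork
                    Date         = $v.Date
                    Description  = $v.Description
                    Notes        = $notes -join '; '
                }
            }
        }
    }
}

Get-OfficeTrustedLocation | Format-Table -AutoSize
```

Entries without a Date or Description are the ones that cannot be traced back to the installer that created them, which is why the two recommended keys are worth writing.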

Practical application

One way to add to the trusted location list is via an AutoExec macro or the "OnLoad"/"OnOpen" events of the startup form. The main disadvantage is that, since all content will be blocked, the macro or code will only run once the content is enabled, which means that your application will cause the security warning to trigger the first time it's launched. If you are still interested in using this technique please read this and this.

There are locations which are trusted by default. If you install your files in one of those locations, you won't be troubled by security prompts. For more than one reason, that isn't recommended. If you would like to pursue this course please read this comprehensive Microsoft article; it lists all of those locations.

Therefore the recommended solution would be to do so as part of your setup routine. In this article we will discuss several ways that the developer can accomplish that. The options as I see them are: (1) For Access Only - Using the Package Solution Wizard. (2) Using an external program. (3) Using a VBScript. (4) Running a .reg file.

Package Solution Wizard

The Package Solution Wizard is intended to help developers distribute their Microsoft Access applications. For a guide how to use it please read this.

In the second-to-last step, in the second half of the screen you will have an option to add "Additional Registry Keys". Add the following keys:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyProject
Name = Path
Value = D:\Custom\Folder


If you want to trust sub-folders too add the following:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyProject
Name = AllowSubfolders
Value = #00000001


If you want to trust network locations add the following:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations
Name = AllowNetworkLocations
Value = #00000001

Don't forget to change the Office version and name of your project to suit your needs.

External Program

Gunter Avenius created a simple program to add a directory to the list of trusted locations. The reason I have mentioned it here is that it can be called from the command line, and it also has a switch to run the program silently.

There are four separate programs: AddPath.exe for Access 2007, AddPath2010.exe for Access 2010, AddPathExcel2010.exe for Excel 2010, AddPathWord2010.exe for Word 2010.
They support the following parameters:
/Path: Folder to be added. Default is the location of the program.
/noSubFolder: Only the folder or folder/subfolders will be trusted. Default will trust subfolders.
/s: Silent Mode, will suppress user interaction.
/LangEN: English Message Boxes. Default is German.
/AllowNetwork:1 : Allow Trusted Locations on my network. By default network locations will not be trusted.

Here is a sample (the parameters are bold):

C:\MyFolder\AddPath.exe /Path C:\MyFolder\SecondFolder\ /noSubFolder /s

Any combination of the parameters can be used, just add them at the end of the line.
The program and further documentation can be found at the author's website.

Run the program with the desired switches as part of your installation routine.


VBScript

Copy the following code to a text file and save it with the vbs extension:
Option Explicit

Const HKEY_CURRENT_USER = &H80000001

Dim strProgram
Dim strFolder
Dim strDescription
Dim blnAllowSubFolders             
Dim blnAllowNetworkLocations
Dim blnCurrentTrusted
Dim strParentKey
Dim objRegistry
Dim intHighest
Dim arrChildKeys
Dim strChildKey
Dim strValueName
Dim strNewKey
Dim strFullPath
Dim strValue

strProgram = "Access"                          'Name of Microsoft program that's being set for
strFolder = "D:\Custom\Folder"           'Path to set as a Trusted Location
strDescription = "my custom folder"   'Description of the Trusted Location
blnAllowSubFolders = True                   'Trust sub folders (True or False)
blnAllowNetworkLocations = False       'Trust a network location (True or False)

strParentKey = "Software\Microsoft\Office\14.0\" & strProgram & "\Security\Trusted Locations"
intHighest = -1
blnCurrentTrusted = False

Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")

objRegistry.EnumKey HKEY_CURRENT_USER, strParentKey, arrChildKeys

'Get the highest key number and check whether the folder is already trusted.
'arrChildKeys is not an array when the parent key is missing or has no subkeys.
If IsArray(arrChildKeys) Then
	For Each strChildKey In arrChildKeys
		If Left(strChildKey, 8) = "Location" Then
			'Only compare keys named Location<number>
			If IsNumeric(Mid(strChildKey, 9)) Then
				If CLng(Mid(strChildKey, 9)) > intHighest Then
					intHighest = CLng(Mid(strChildKey, 9))
				End If
			End If
			'Check to see if the folder is already trusted
			strValueName = "Path"
			strFullPath = strParentKey & "\" & strChildKey
			strValue = ""
			objRegistry.GetExpandedStringValue HKEY_CURRENT_USER, strFullPath, strValueName, strValue
			If strValue = strFolder Then
				blnCurrentTrusted = True
			End If
		End If
	Next
End If

If blnCurrentTrusted Then
	MsgBox Chr(34) & strFolder & Chr(34) & " is already a Trusted Location.", vbInformation
Else
	'Add new
	If intHighest = 999 Then
		MsgBox "Location count exceeded - unable to write trusted location to registry", vbInformation
	Else
		strNewKey = strParentKey & "\Location" & CStr(intHighest + 1)
		objRegistry.CreateKey HKEY_CURRENT_USER, strNewKey
		objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Path", strFolder
		objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Description", strDescription
		objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Date", CStr(Now())
		If blnAllowSubFolders Then
			objRegistry.SetDWORDValue HKEY_CURRENT_USER, strNewKey, "AllowSubFolders", 1
		End If
		'AllowNetworkLocations is global: it is written to the parent key
		If blnAllowNetworkLocations Then
			objRegistry.SetDWORDValue HKEY_CURRENT_USER, strParentKey, "AllowNetworkLocations", 1
		End If
		MsgBox Chr(34) & strFolder & Chr(34) & " added as a Trusted Location.", vbInformation, "Success"
	End If
End If

Many different versions of this script are available on the net, and I adapted this one based on my personal preferences. Don't forget to change lines 21-25 to suit your needs.

Run the VBScript as part of your installation routine.

.reg File

Copy the following code to a text file and save it with the reg extension:

Windows Registry Editor Version 5.00


To trust network locations copy this line:
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000001


This is the most important part: it includes the actual path. Copy it to the text file, and make sure that you change the values (on the right of the equal sign) to suit your needs.
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyLocation]
"Path"="C:\\YourPath\\"
"Description"="YourDescription"
"Date"="12.11.2012 14:58"
"AllowSubFolders"=dword:00000001


Please note the double slashes in the path.

If you want to disable trusting subfolders either remove the AllowSubFolders line or change the value to dword:00000000. If you want you can remove the Date and Description lines.

Run the reg file as part of your installation routine.

Administrative Comment

by:Eric AKA Netminder

Congratulations! Your article has been published.

Page Editor

Expert Comment

by:Mark Tremel
Great article.  One addition I made to the code was to make it flexible to different versions of office.  Replace lines 26 and 27 with this:

strVersion = Application.VERSION
strParentKey = "Software\Microsoft\Office\" & strVersion & "\" & strProgram & "\Security\Trusted Locations"   '16.0 is Office 16/365, 12.0 is Office 2007

Thanks again.

Author Comment

Thanks Mark, good addition.
