Overcome the Trust Center nuisance

MacroShadow
A man of stark contrasts, love of nature, curiosity of technology and passion of helping my fellow man.
Hello EE,

Today we will discuss a problem that most Microsoft Office (2007 and up) developers have encountered, or are very likely to encounter, while deploying a new application to their users.

The problem
A new security feature was introduced in the Microsoft Office 2007 suite: the Trust Center. It is meant to prevent malicious code from running on the machine of an unsuspecting user when an Office file is opened, whether via an AutoExec macro or via code in the "OnLoad"/"OnOpen" events of the startup form.

Every time a Microsoft Office file that was created on a different machine is opened, it is checked by the Trust Center to ensure that the file doesn't contain malicious content. The Trust Center doesn't have a database of malicious code, nor does it have heuristic scanning capabilities. Since the Trust Center has no way of identifying which macros are legitimate, it will check for any of the following:
* Microsoft Visual Basic for Application (VBA) macros
* COM add-ins (in a non-trusted folder)
* Smart tags
* Smart Documents
* Extensible Style sheet Language (XSL) documents
If any of the above exists, the Trust Center will disable all of that content and a Security Warning will pop up.
Now the user has two (main) options: (a) disable the content, by clicking the x on the right side of the bar, or (b) enable the content (either by trusting the file or the location).

Although the Trust Center was created to protect the user, it can be a great nuisance to the developer. When the content is blocked, users may be able to mess up or change things that they weren't meant to change.

The solution
The only workaround for this security feature is to add the location of your application to the Trust Center's list of trusted locations before your project is opened by the user for the first time. The Trust Center's locations are stored in the registry, so to add new locations we must modify the registry. Let's take a look at the different settings and where they are stored.

There are three vital keys, and two recommended keys.

The vital keys are: AllowNetworkLocations, AllowSubfolders and Path.

The recommended keys are: Date and Description. I recommend using them because they enable tracking of the trusted locations.

Key locations

The AllowNetworkLocations key is stored under
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations


All the other keys are stored under
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\NameOfYourLocation


Where 14.0 is the version of Microsoft Office that you have installed (14.0 is Office 2010, 12.0 is Office 2007), and NameOfYourLocation is any unique name you want (make sure it doesn't clash with an existing one).

Key settings

AllowNetworkLocations:
By default, network locations are never trusted. To change this we will add a REG_DWORD (binary) key:
The name of the key is: AllowNetworkLocations
The value of the key is: 1

NOTE: Unlike the other settings, which are private to each specific key, the AllowNetworkLocations key is a global key and will affect all trusted locations.

AllowSubfolders
By default when a location is trusted, its sub-folders will not be trusted. To change that, we will add a REG_DWORD (binary) key.
The name of the key is: AllowSubfolders
The value of the key is: 1

Path
Path is the full path to your project (don't forget the ending slash).
To add a new location to the list we will add a REG_SZ (string) key:
The name of the key is: Path
The value of the key is: C:\YourPath\

Date
Date is the date that the location was added to the registry. It is formatted as DD.MM.YYYY hh:nn.
To add the date we will add a REG_SZ (string) key:
The name of the key is: Date
The value of the key is: [YourDate]

Description
Description is the description of your project.
To add a description we will add a REG_SZ (string) key:
The name of the key is: Description
The value of the key is: YourDescription

Practical application

One way to add to the trusted location list is via an AutoExec macro or the "OnLoad"/"OnOpen" events of the startup form. The main disadvantage is that, since all content will be blocked, the macro or code will only run once the content is enabled, which means that your application will trigger the security warning the first time it's launched. If you are still interested in using this technique please read this and this.

There are locations which are trusted by default. If you install your files in one of those locations, you won't be troubled by security prompts. That isn't recommended, for more than one reason. If you would like to pursue this course please read this comprehensive Microsoft article, which lists all of those locations.

Therefore the recommended solution would be to do so as part of your setup routine. In this article we will discuss several ways that the developer can accomplish that. The options as I see them are: (1) For Access Only - Using the Package Solution Wizard. (2) Using an external program. (3) Using a VBScript. (4) Running a .reg file.

Package Solution Wizard

The Package Solution Wizard is intended to help developers distribute their Microsoft Access applications. For a guide on how to use it please read this.

In the second-to-last step, in the second half of the screen you will have an option to add "Additional Registry Keys". Add the following keys:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyProject
Name = Path
Value = D:\Custom\Folder


If you want to trust sub-folders too add the following:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyProject
Name = AllowSubfolders
Value = #00000001


If you want to trust network locations add the following:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations
Name = AllowNetworkLocations
Value = #00000001


Don't forget to change the Office version and name of your project to suit your needs.

External Program

Gunter Avenius created a simple program to add a directory to the list of trusted locations. The reason I have mentioned it here is that it can be called from the command line, and it also has a switch to run the program silently.

There are four separate programs: AddPath.exe for Access 2007, AddPath2010.exe for Access 2010, AddPathExcel2010.exe for Excel 2010 and AddPathWord2010.exe for Word 2010.
They support the following parameters:
/Path: Folder to be added. Default is the location of the program.
/noSubFolder: Only the folder itself will be trusted, not its subfolders. Default will trust subfolders.
/s: Silent Mode, will suppress user interaction.
/LangEN: English Message Boxes. Default is German.
/AllowNetwork:1 : Allow Trusted Locations on my network. By default network locations will not be trusted.

Here is a sample (the parameters are bold):

C:\MyFolder\AddPath.exe /Path C:\MyFolder\SecondFolder\ /noSubFolder /s

Any combination of the parameters can be used, just add them at the end of the line.
The program and further documentation can be found at the author's website.

Run the program with the desired switches as part of your installation routine.

VBScript

Copy the following code to a text file and save it with the vbs extension:
Option Explicit

Const HKEY_CURRENT_USER = &H80000001

Dim strProgram
Dim strFolder
Dim strDescription
Dim blnAllowSubFolders             
Dim blnAllowNetworkLocations
Dim blnCurrentTrusted
Dim strParentKey
Dim objRegistry
Dim intHighest
Dim arrChildKeys
Dim strChildKey
Dim strValueName
Dim strNewKey
Dim strFullPath
Dim strValue

strProgram = "Access"                          'Name of Microsoft program that's being set for
strFolder = "D:\Custom\Folder"           'Path to set as a Trusted Location
strDescription = "my custom folder"   'Description of the Trusted Location
blnAllowSubFolders = True                   'Trust sub folders (True or False)
blnAllowNetworkLocations = False       'Trust a network location (True or False)

strParentKey = "Software\Microsoft\Office\14.0\" & strProgram & "\Security\Trusted Locations"
intHighest = -1
blnCurrentTrusted = False

Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")

objRegistry.EnumKey HKEY_CURRENT_USER, strParentKey, arrChildKeys
'get the highest key number'
On Error Resume Next
For Each strChildKey In arrChildKeys
	If Left(strChildKey,8)="Location" Then
		If CInt(Mid(strChildKey, 9)) > intHighest Then
			intHighest = CInt(Mid(strChildKey, 9))
		End If
		
		'check to see if the folder is already trusted' 
		strValueName = "Path"
		strFullPath = strParentKey & "\" & strChildKey
		objRegistry.GetExpandedStringValue HKEY_CURRENT_USER,strFullPath,strValueName,strValue
		If strValue = strFolder Then
			blnCurrentTrusted = True
		End If
	End If
Next
On Error GoTo 0   'stop suppressing errors so a failed registry write is not reported as success

If blnCurrentTrusted Then
	MsgBox """" & strFolder & """" & " is already a Trusted Location.", vbInformation
Else
	'add new'
	If intHighest = 999 Then
		MsgBox "Location count exceeded - unable to write trusted location to registry", vbInformation
	Else
		strNewKey = strParentKey & "\Location" & CStr(intHighest + 1)
		
		objRegistry.CreateKey HKEY_CURRENT_USER, strNewKey
		objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Path", strFolder
		objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Description", strDescription
		objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Date", CStr(Now())
		
		If blnAllowSubFolders Then
			objRegistry.SetDWORDValue HKEY_CURRENT_USER, strNewKey, "AllowSubFolders", 1
		End If
		
		If blnAllowNetworkLocations Then
			'this value is global: it affects every trusted location of the program'
			objRegistry.SetDWORDValue HKEY_CURRENT_USER, strParentKey, "AllowNetworkLocations", 1
		End If
		
		MsgBox """" & strFolder & """" & " added as a Trusted Location.", vbInformation, "Success"
	End If
End If


Many different versions of this script are available on the net, and I adapted this one based on my personal preferences. Don't forget to change lines 21-25 to suit your needs.

Run the VBscript as part of your installation routine.

.reg File

Copy the following code to a text file and save it with the reg extension:

Windows Registry Editor Version 5.00


To trust network locations copy these lines:
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000001


This is the most important part: it includes the actual path. Copy it to the text file, and make sure that you change the values (on the right of the equal sign) to suit your needs.
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyLocation]
"Date"="12.11.2012 14:58"
"Description"="MyProject"
"Path"="C:\\MyFolder\\SecondFolder\\"
"AllowSubfolders"=dword:00000001


Please note the doubled backslashes in the path.

If you want to disable trusting subfolders either remove the AllowSubFolders line or change the value to dword:00000000. If you want you can remove the Date and Description lines.

Run the reg file as part of your installation routine.
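
Before a .reg file like the one above goes into a setup routine, it is worth checking exactly what it will trust. The following is an added example, not part of the original article: a small Python checker that parses .reg text and reports, per trusted location, the settings described under "Key settings". The function names parse_reg and audit, the "Share" entry and the server name fileserver are assumptions made for illustration.

```python
import re

# Constructed sample: the article's .reg snippets plus one hypothetical UNC entry ("Share").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyLocation]
"Date"="12.11.2012 14:58"
"Description"="MyProject"
"Path"="C:\\MyFolder\\SecondFolder\\"
"AllowSubfolders"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\Share]
"Path"="\\\\fileserver\\apps"
'''
VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name_lowercase: int or str}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            # .reg files double every backslash inside string values
            current[name.lower()] = int(dword, 16) if dword else string.replace('\\\\', '\\')
    return keys

def audit(text):
    """Return (location_name, finding) tuples for every trusted location in the file."""
    keys, findings = parse_reg(text), []
    by_lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    for key, vals in keys.items():
        parent, _, name = key.rpartition('\\')
        if not parent.lower().endswith('\\security\\trusted locations'):
            continue  # the "Trusted Locations" key itself, or an unrelated key
        network_ok = by_lower.get(parent.lower(), {}).get('allownetworklocations') == 1
        path = vals.get('path', '')
        if not path:
            findings.append((name, 'no Path value'))
        elif not path.endswith('\\'):
            findings.append((name, 'Path lacks the ending backslash'))
        if path.startswith('\\\\'):  # only UNC paths are recognised, not mapped drives
            findings.append((name, 'network path, ' + ('trusted' if network_ok else 'not trusted')))
        if vals.get('allowsubfolders') == 1:
            findings.append((name, 'subfolders trusted'))
        if not ('date' in vals and 'description' in vals):
            findings.append((name, 'Date/Description missing'))
    return findings
```

Calling audit(SAMPLE_REG) returns one finding for MyLocation (subfolders trusted) and three for the constructed Share entry; the same function can be run over an export of the Trusted Locations key from a user's machine.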
4 Comments
 

Administrative Comment

by:Eric AKA Netminder
MacroShadow,

Congratulations! Your article has been published.

ericpete
Page Editor
0

Expert Comment

by:Mark Tremel
Great article.  One addition I made to the code was to make it flexible to different versions of office.  Replace lines 26 and 27 with this:

strVersion = Application.VERSION
strParentKey = "Software\Microsoft\Office\" & strVersion & "\" & strProgram & "\Security\Trusted Locations"   '16.0 is Office 16/365, 12.0 is Office 2007

Thanks again.
0
LVL 28

Author Comment

by:MacroShadow
Thanks Mark, good addition.
0

Expert Comment

by:pcalabria
Thanks for all of your help.

I have been on vacation and am now back to work.  I had hoped to take care of this before leaving, but everything I do seems to take longer than it should.  Sound familiar?

I prefer to keep the question open until I can determine which solution works best for me.  Thanks everyone who has helped, your patience in allowing me to best use this service is appreciated!

Calabria
0
