Code Samples for Businesses, Schools & Developers

Is Location Trusted . . . and does it matter?

First Published 11 Oct 2022                 Last Updated 9 July 2023


1.   Trust Me . . . I'm Safe!

      To reduce the risk of running malicious code, all Office documents including Access apps must first be trusted before any code can be run.
      This gives you the opportunity to first examine the code if you are unsure about its safety

      If you are certain it is safe, there are two ways that the app can be marked as trusted:

a)   Trust the document itself when it is opened

      To do so, click the Enable Content button on the security banner

SecurityBanner

      NOTE:
      The security banner only appears if the Macro Settings are set to the default value: Disable all macros with notification

MacroSettings

b)   Run the document from a trusted location

      To set a trusted location, click File . . . Options . . . Trust Center . . . Trust Center Settings . . .Trusted Locations

TrustedLocations

      Browse to the folder you want to trust and choose whether to trust subfolders. Then click OK

      Doing this adds a new key to the registry. For example:

RegistryLocations

      It is possible to edit the registry using code . . . but only if your app is already trusted!

      Alternatively a script file can be created for this purpose. For example, when a text file with a .reg suffix is run, the listed keys are added to the registry

RegistryScript

      I use this approach when distributing my commercial apps to ensure they ALWAYS run from a trusted location


2.   How can you check whether the app is trusted?

      Probably the simplest approach is to type the following code in the VBE Immediate window

      ?CurrentProject.IsTrusted



      This returns True if:
      a)   the Enable Content button has been clicked.
      b)   the Macros Settings value is Enable All Macros (not recommended; potentially dangerous code can run).
            This is because there is no restriction on code running.
      c)   the app is running from a trusted location

      Of course, if the project isn't trusted, the code cannot run. If so, the following message is shown:

MacrosDisabled



3.   How can you check which method has been applied for a particular Access app?

      Run the following code from a standard module to check if the location is trusted:

      CODE:

Option Compare Database
Option Explicit

Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003

Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7

'--------------------------------------------------------

Function IsLocationTrusted() As Boolean

On Error GoTo Err_Handler

      IsLocationTrusted = False

      Dim strComputer As String, hDefKey As Long, strKeyPath As String, strSubKeyPath As String, strAccessVersion As String
      Dim strValueName As String, strValue As Variant, I As Integer, oReg As Object
      Dim strSubkey As Variant, arrSubKeys As Variant, arrValueNames As Variant, arrTypes As Variant, uValue As Variant

      ' Get Access version, computer name, registry tree and key path
      strAccessVersion = SysCmd(acSysCmdAccessVer)
      strComputer = "."      ' Use . for current machine
      hDefKey = HKEY_CURRENT_USER
      strKeyPath = "SOFTWARE\Microsoft\Office\" & strAccessVersion & "\Access\Security\Trusted Locations"

      ' Connect to registry provider on target machine with current user
      Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

      ' Enum the subkeys of the key path we've chosen
      oReg.EnumKey hDefKey, strKeyPath, arrSubKeys

      For Each strSubkey In arrSubKeys

            ' Get its value names and types
            strSubKeyPath = strKeyPath & "\" & strSubkey
            oReg.EnumValues hDefKey, strSubKeyPath, arrValueNames, arrTypes

            For I = LBound(arrValueNames) To UBound(arrValueNames)
                  strValueName = arrValueNames(I)

                  Select Case arrTypes(I)

                  ' Show a REG_DWORD value
                  Case REG_DWORD
                        oReg.GetDWORDValue hDefKey, strSubKeyPath, strValueName, uValue

                  ' Show a REG_SZ value
                  Case REG_SZ
                        oReg.GetStringValue hDefKey, strSubKeyPath, strValueName, strValue

                        If strValueName = "Path" Then
                              If uValue = 1 Then 'AllowSubfolders=True
                                    If InStr(CurrentProject.Path, strValue) <> 0 Then 'match found
                                          IsLocationTrusted = True
                                          GoTo Trusted
                                    End If
                              Else 'uValue=0; AllowSubfolders=False
                                    If CurrentProject.Path = strValue Then 'match found
                                          IsLocationTrusted = True
                                          GoTo Trusted
                                    End If
                              End If
                        End If

                  End Select

            Next I

      Next strSubkey

Trusted:
      Debug.Print "IsLocationTrusted = " & IsLocationTrusted

      If IsLocationTrusted Then
            'additional info
            Debug.Print ""
            Debug.Print "TrustedLocation = " & strSubkey
            Debug.Print "Path = " & strValue
            Debug.Print "AllowSubfolders = " & uValue
            Debug.Print "The current project folder is trusted for Access " & strAccessVersion
      End If

Exit_Handler:
      Exit Function

Err_Handler:
      MsgBox "Error " & Err & " in IsLocationTrusted procedure: " & vbCrLf & Err.description
      GoTo Exit_Handler

End Function



      Example output (in the VBE Immediate window):

      Trusted location

IsLocationTrusted = True
--------------------------------
TrustedLocation = Location2
Path = G:\MyFiles\
AllowSubfolders = 1
The current project folder is trusted for Access 16.0



      Non trusted location

IsLocationTrusted = False




4.   Which is better? Trusted Document or Trusted Location?

      You would probably expect that both methods are the same in terms of their effect on your application. Surprisingly that is NOT the case.

      A fellow Access developer, Aleksander Wojtasz, recently contacted me about this issue.
      He had noticed that his code ran far slower when the document was trusted by clicking Enable Content but not run from a trusted location.
      This affected his code adversely as his employer prevents users from changing macro settings or assigning new trusted locations.

      Aleksander also provided an example app for me to test for myself. Here are the results from my tests - all times in milliseconds

      Trusted document
      Macro Setting 2 (Enable Content)		       Trusted document
      Macro Setting 4 (Enable all macros)		       Trusted location
            857             37             31
            895             41             40
            907             31             32
            870             43             40
            863             39             37


      The time to safely run the code as a trusted document was about 20 times longer than when run from a trusted location or with macros unchecked.
      It appears that additional checking is done on each occasion the code is run causing a slowdown

      I contacted Microsoft about this issue. A long serving member of the Access team confirmed my results and added further explanation as follows:

      I can reproduce the issue with the Macro setting causing a significant performance impact.
      It looks like this may be related to some recent work done by the VBA team to do malware detection, so we will likely direct the issue to the VBA team.

      Here is a blog post that describes the feature: Office VBA + AMSI: Parting the veil on malicious macros - Microsoft Security Blog
      And here is a page Malicious macros were found that specifically states that the AMSI scan does not occur if a file is in a trusted location, or if the VBA macros
      are signed with a certificate.

      See my article: Using the new VBA Project Signing feature which discusses code signing certificates in more detail.

      If you do not have a code signing certificate, you should ALWAYS run your Access apps from a trusted location if possible.



5.   Click to download:

      The module code is available in the attached (zipped) file.
      After unzipping, you can then import the modTrustedLocation.bas file directly into the Visual Basic Editor

          modTrustedLocation      (bas - zipped)



6.   UPDATE 13 Oct 2022

      The latest changes to the Access 365 'roadmap' were published in a new blog article by Michael Aldridge today:
            Our Road Ahead - Microsoft Access Engineering Priorities Oct 2022

AccessPriorities

     Although disappointingly short of significant new items, the list does include a new feature to support macro signing with a digital signature.
     This is a long overdue feature which should fix the code slowdown issue described above where Access apps cannot be run from trusted locations.

     The feature is already available to those on the Insiders (Beta) channel and is likely to be rolled out to the current channel soon.



7.   UPDATE 15 Jan 2023

     I am pleased to say that the new VBA project signing feature was released to the current channel with version 2212 on 4 January 2023

      However, it is not available to those running older versions of Access.

Please use the contact form to let me know whether you found this article useful or if you have any questions.



Colin Riddington           Mendip Data Systems                 Last Updated 9 July 2023



Return to Code Samples Page




Return to Top