Overcome the Trust Center nuisance

Joe Howard
CERTIFIED EXPERT
A man of stark contrasts, love of nature, curiosity of technology and passion of helping my fellow man.
Hello EE,

Today we will discuss a problem that most Microsoft Office (2007 and up) developers have encountered, or are very likely to encounter, while deploying a new application to their users.

The problem
A new security feature was introduced in the Microsoft Office 2007 suite: the Trust Center. It is meant to prevent malicious code, such as an AutoExec macro or code in the "OnLoad"/"OnOpen" events of the startup form, from running on the machine of an unsuspecting user when an Office file is opened.

Every time a Microsoft Office file that was created on a different machine is opened, it is checked by the Trust Center to ensure that the file doesn't contain malicious content. The Trust Center doesn't have a database of malicious code, nor does it have heuristic scanning capabilities. Since the Trust Center doesn't have a way of identifying which macros are legitimate, it will check for any of the following:
* Microsoft Visual Basic for Application (VBA) macros
* COM add-ins (in a non-trusted folder)
* Smart tags
* Smart Documents
* Extensible Stylesheet Language (XSL) documents
If any of the above exists, the Trust Center will disable all of that content and a Security Warning will pop up.
Now the user has two (main) options: (a) disable the content, by clicking the x on the right side of the bar, or (b) enable the content (either by trusting the file or the location).

Although the Trust Center was created to protect the user, it can be a great nuisance to the developer. When the content is blocked, users may be able to mess up or change things that they weren't meant to change.

The solution
The only workaround for this security feature is to add the location of your application to the Trust Center's list of trusted locations before your project is opened by the user for the first time. The Trust Center's locations are stored in the registry, so to add new locations we must modify the registry. Let's take a look at the different settings and where they are stored.

There are three vital keys, and two recommended keys.

The vital keys are: AllowNetworkLocations, AllowSubfolders and Path.

The recommended keys are: Date and Description. I recommend using them because they make it possible to track the trusted locations.

Key locations

The AllowNetworkLocations key is stored under
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations

All the other keys are stored under
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\NameOfYourLocation

Where 14.0 is the version of Microsoft Office that you have installed (14.0 is Office 2010, 12.0 is Office 2007), and NameOfYourLocation is any unique name you want (make sure it doesn't clash with an existing one).

Key settings

AllowNetworkLocations:
By default, network locations are never trusted. To change this we will add a REG_DWORD (binary) key:
The name of the key is: AllowNetworkLocations
The value of the key is: 1

NOTE: Unlike the other settings, which are private to each specific location, the AllowNetworkLocations key is a global key and will affect all trusted locations.

AllowSubfolders
By default when a location is trusted, its sub-folders will not be trusted. To change that, we will add a REG_DWORD (binary) key.
The name of the key is: AllowSubfolders
The value of the key is: 1

Path
Path holds the full path to your project (don't forget the ending slash).
To add a new location to the list we will add a REG_SZ (string) key:
The name of the key is: Path
The value of the key is: C:\YourPath\

Date
Date is the date that the location was added to the registry. The format is DD.MM.YYYY hh:nn.
To add the date we will add a REG_SZ (string) key:
The name of the key is: Date
The value of the key is: [YourDate]

Description
Description is the description of your project.
To add a description we will add a REG_SZ (string) key:
The name of the key is: Description
The value of the key is: YourDescription
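
To review what is already trusted on a machine, before or after adding a location, the layout described above can be read back with PowerShell. This is an added example, not part of the original article; the function name Get-OfficeTrustedLocation and the wording of the notes are assumptions made for illustration.

```powershell
# Added example: list Office Trusted Locations for the current user.
# Layout from the article:
#   HKCU\Software\Microsoft\Office\<version>\<app>\Security\Trusted Locations\<name>
$officeRoot = 'HKCU:\Software\Microsoft\Office'

function Get-OfficeTrustedLocation {   # hypothetical helper name
    # Version subkeys look like 12.0 (Office 2007) or 14.0 (Office 2010)
    $versions = Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($version in $versions) {
        foreach ($app in Get-ChildItem -LiteralPath $version.PSPath -ErrorAction SilentlyContinue) {
            $tlKey = "$officeRoot\$($version.PSChildName)\$($app.PSChildName)\Security\Trusted Locations"
            if (-not (Test-Path -LiteralPath $tlKey)) { continue }

            # AllowNetworkLocations sits on the parent key and affects every location below it
            $parent = Get-ItemProperty -LiteralPath $tlKey
            $allowNetwork = ($parent.AllowNetworkLocations -eq 1)

            foreach ($loc in Get-ChildItem -LiteralPath $tlKey) {
                $v = Get-ItemProperty -LiteralPath $loc.PSPath
                $path = [string]$v.Path

                # Notes highlight the settings the article describes
                $notes = @()
                if ($path -like '\\*')        { $notes += 'UNC path' }
                if ($v.AllowSubfolders -eq 1) { $notes += 'subfolders trusted' }
                if ($allowNetwork)            { $notes += 'network locations allowed' }
                if (-not $v.Description)      { $notes += 'no description' }
                if (-not $v.Date)             { $notes += 'no date' }

                [pscustomobject]@{
                    Version = $version.PSChildName
                    App     = $app.PSChildName
                    Name    = $loc.PSChildName
                    Path    = $path
                    Notes   = $notes -join '; '
                }
            }
        }
    }
}

Get-OfficeTrustedLocation | Sort-Object Version, App, Name | Format-Table -AutoSize -Wrap
```

Entries without a Date or Description are the ones that are hardest to attribute to a particular installer, which is why the article recommends writing both.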

Practical application

One way to add to the trusted location list is via an AutoExec macro or the "OnLoad"/"OnOpen" events of the startup form. The main disadvantage is that, since all content will be blocked, the macro or code will only run once the content is enabled, which means that your application will cause the security warning to trigger the first time it's launched. If you are still interested in using this technique please read this and this.

There are locations which are trusted by default. If you install your files in one of those locations, you won't be troubled by security prompts. For more than one reason, that isn't recommended. If you would like to pursue this course please read this comprehensive Microsoft article; it lists all of those locations.

Therefore the recommended solution is to add the trusted location as part of your setup routine. In this article we will discuss several ways that the developer can accomplish that. The options as I see them are: (1) For Access only - using the Package Solution Wizard. (2) Using an external program. (3) Using a VBScript. (4) Running a .reg file.

Package Solution Wizard

The Package Solution Wizard is intended to help developers distribute their Microsoft Access applications. For a guide on how to use it, please read this.

In the second-to-last step, in the second half of the screen you will have an option to add "Additional Registry Keys". Add the following keys:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyProject
Name = Path
Value = D:\Custom\Folder

If you want to trust sub-folders too add the following:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyProject
Name = AllowSubfolders
Value = #00000001

If you want to trust network locations add the following:
Root = CU
Key = Software\Microsoft\Office\14.0\Access\Security\Trusted Locations
Name = AllowNetworkLocations
Value = #00000001

Don't forget to change the Office version and the name of your project to suit your needs.

External Program

Gunter Avenius created a simple program to add a directory to the list of trusted locations. The reason I have mentioned it here is that it can be called from the command line, and it also has a switch to run the program silently.

There are four separate programs: AddPath.exe for Access 2007, AddPath2010.exe for Access 2010, AddPathExcel2010.exe for Excel 2010, AddPathWord2010.exe for Word 2010.
They support the following parameters:
/Path: Folder to be added. Default is the location of the program.
/noSubFolder: Trust only the folder itself, not its subfolders. By default subfolders are trusted as well.
/s: Silent mode, will suppress user interaction.
/LangEN: English message boxes. Default is German.
/AllowNetwork:1 : Allow Trusted Locations on my network. By default network locations will not be trusted.

Here is a sample:

C:\MyFolder\AddPath.exe /Path C:\MyFolder\SecondFolder\ /noSubFolder /s

Any combination of the parameters can be used, just add them at the end of the line.
The program and further documentation can be found at the author's website.

Run the program with the desired switches as part of your installation routine.

VBScript

Copy the following code to a text file and save it with the vbs extension:
Option Explicit

Const HKEY_CURRENT_USER = &H80000001

Dim strProgram
Dim strFolder
Dim strDescription
Dim blnAllowSubFolders
Dim blnAllowNetworkLocations
Dim blnCurrentTrusted
Dim strParentKey
Dim objRegistry
Dim intHighest
Dim arrChildKeys
Dim strChildKey
Dim strValueName
Dim strNewKey
Dim strFullPath
Dim strValue

strProgram = "Access"                  'Name of the Microsoft program the location is being set for
strFolder = "D:\Custom\Folder"         'Path to set as a Trusted Location
strDescription = "my custom folder"    'Description of the Trusted Location
blnAllowSubFolders = True              'Trust sub folders (True or False)
blnAllowNetworkLocations = False       'Trust a network location (True or False)

strParentKey = "Software\Microsoft\Office\14.0\" & strProgram & "\Security\Trusted Locations"
intHighest = -1
blnCurrentTrusted = False

Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")

objRegistry.EnumKey HKEY_CURRENT_USER, strParentKey, arrChildKeys
'Get the highest key number. EnumKey leaves arrChildKeys as Null when
'the parent key is missing or has no subkeys, so test it before looping.
If IsArray(arrChildKeys) Then
    For Each strChildKey In arrChildKeys
        If Left(strChildKey, 8) = "Location" Then
            'Only names of the form LocationN take part in the numbering
            If IsNumeric(Mid(strChildKey, 9)) Then
                If CLng(Mid(strChildKey, 9)) > intHighest Then
                    intHighest = CLng(Mid(strChildKey, 9))
                End If
            End If

            'Check to see if the folder is already trusted
            strValueName = "Path"
            strFullPath = strParentKey & "\" & strChildKey
            strValue = ""
            objRegistry.GetExpandedStringValue HKEY_CURRENT_USER, strFullPath, strValueName, strValue
            If strValue = strFolder Then
                blnCurrentTrusted = True
            End If
        End If
    Next
End If

If blnCurrentTrusted Then
    'Four double quotes produce one literal quote character
    MsgBox """" & strFolder & """" & " is already a Trusted Location.", vbInformation
Else
    'Add new
    If intHighest >= 999 Then
        MsgBox "Location count exceeded - unable to write trusted location to registry", vbInformation
    Else
        strNewKey = strParentKey & "\Location" & CStr(intHighest + 1)

        objRegistry.CreateKey HKEY_CURRENT_USER, strNewKey
        objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Path", strFolder
        objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Description", strDescription
        objRegistry.SetStringValue HKEY_CURRENT_USER, strNewKey, "Date", CStr(Now())

        If blnAllowSubFolders Then
            objRegistry.SetDWORDValue HKEY_CURRENT_USER, strNewKey, "AllowSubFolders", 1
        End If

        If blnAllowNetworkLocations Then
            'This value is written on the parent key and affects all trusted locations
            objRegistry.SetDWORDValue HKEY_CURRENT_USER, strParentKey, "AllowNetworkLocations", 1
        End If

        'The second MsgBox argument is the button/icon constant, the third is the title
        MsgBox """" & strFolder & """" & " added as a Trusted Location.", vbInformation, "Success"
    End If
End If

Many different versions of this script are available on the net, and I adapted this one based on my personal preferences. Don't forget to change lines 21-25 to suit your needs.

Run the VBScript as part of your installation routine.

.reg File

Copy the following code to a text file and save it with the reg extension:

Windows Registry Editor Version 5.00

To trust network locations copy this line:
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000001

This is the most important part; it includes the actual path. Copy it to the text file, and make sure that you change the values (on the right of the equal sign) to suit your needs.
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\MyLocation]
"Date"="12.11.2012 14:58"
"Description"="MyProject"
"Path"="C:\\MyFolder\\SecondFolder\\"
"AllowSubfolders"=dword:00000001

Please note the double backslashes in the path.

If you want to disable trusting subfolders either remove the AllowSubFolders line or change the value to dword:00000000. If you want you can remove the Date and Description lines.

Run the reg file as part of your installation routine.

Comments (3)

Mark Tremel, Chief Technical Coordinator

Commented:
Great article.  One addition I made to the code was to make it flexible to different versions of office.  Replace lines 26 and 27 with this:

strVersion = Application.VERSION
strParentKey = "Software\Microsoft\Office\" & strVersion & "\" & strProgram & "\Security\Trusted Locations"   '16.0 is Office 16/365, 12.0 is Office 2007

Thanks again.
CERTIFIED EXPERT

Author

Commented:
Thanks Mark, good addition.
pcalabria, Founder and CEO

Commented:
Thanks for all of your help.

I have been on vacation and am now back to work.  I had hoped to take care of this before leaving, but everything I do seems to take longer than it should.  Sound familiar?

I prefer to keep the question open until I can determine which solution works best for me.  Thanks everyone who has helped, your patience in allowing me to best use this service is appreciated!

Calabria
