How to test Excel 2003 & 2007 macro security level

Tom

I want to test Excel's macro security level before loading a worksheet with
macros.

What's the "best" way to do this?

In 2003, I believe I can test the Registry
HKEY_CURRENT_USER\Software\Microsoft\Office\9\Excel\Security\Level

In 2007, it appears from my testing that the same test would be on
HKEY_CURRENT_USER\Software\Microsoft\Office\12\Excel\Security\VBAWarnings

I'd have preferred to use the Application.AutomationSecurity property rather
than the registry, but testing it under 2007 (Vista) it doesn't seem to
change when I change the security level in Excel's UI.

I'm quite surprised that apparently a non-Administrative Vista user can
simply change the VBAWarnings registry variable to enable macros. Seems like
a weak link in the security model.

Anyone have any suggestions?
 
Jialiang Ge [MSFT]

Hello

According to the TechNet article
http://technet2.microsoft.com/Office/en-us/library/03d787aa-598d-40a9-87ec-31a8ea80e0371033.mspx?mfr=true,
Section: VBA macro settings, there are four
main types of security setting for macros:
o Settings for changing the default behavior of macros.
o Settings for changing VBA.
o Settings for changing macro behavior in applications that are started
programmatically through Automation.
o Settings for preventing virus-scanning programs from scanning encrypted
macros.

The macro setting you mentioned in the beginning of the post belongs to the
first type "Settings for changing the default behavior of macros". It
corresponds to the VBAWarning registry and can be configured by users
because it is a user level setting: HKEY_CURRENT_USER. And as far as I
know, the only way to change this setting is through the registry.

Application.AutomationSecurity, the application-specific automation
security settings, belong to the third type: "Settings for changing macro
behavior in applications that are started programmatically through
Automation". According to the section "Programming-related security issues"
in http://office.microsoft.com/en-us/ork2003/HA011403181033.aspx, the
Application.AutomationSecurity allows programmers a means of controlling
how security is handled when a macro calls another macro or external
program. It has three possible values: msoAutomationSecurityLow,
msoAutomationSecurityByUI, msoAutomationSecurityForceDisable. Therefore,
Application.AutomationSecurity is different from the macro security level
you mentioned in the post. The corresponding registry for
Application.AutomationSecurity is
HKCU\Software\Microsoft\Office\Common\Security\AutomationSecurity
This is a DWORD key and it can have the following values:
3 = msoAutomationSecurityForceDisable, disable macros by default.
2 = msoAutomationSecurityByUI, use the security value that is currently
set in the Trust Center UI for each of the applications.
1 = msoAutomationSecurityLow, current default for most apps, macros are
enabled.
For other information about the AutomationSecurity property, please refer
to
The AutomationSecurity property behavior has changed in Office 2003
http://support.microsoft.com/kb/825939

Please let me know if you have any other concerns, or need anything else.

Sincerely,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
For MSDN subscribers whose posts are left unanswered, please check this
document: http://blogs.msdn.com/msdnts/pages/postingAlias.aspx

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
If you are using Outlook Express/Windows Mail, please make sure
you clear the check box "Tools/Options/Read: Get 300 headers at a time" to
see your reply promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Tom

Thanks for the information, Jialiang.

I'd like to clarify what you said in light of my specific needs.

My application (in a high level language) launches Excel using OLE
Automation: ('Excel.Application')

Our application then uses the open command via OLE to open a worksheet:

Open(FileName := 'C:\Sample.xls',
UpdateLinks := 0, ReadOnly := False,
IgnoreReadOnlyRecommended := False);

We then use OLE to run a macro in the workbook: Run( 'Workbookname!PopUp');

My question: What is the best way on XP and Vista to detect whether the
user's Excel (2003 and 2007) are configured to allow the macro to run?

We know the version of Excel they're running (by reading the properties of
the .exe associated with .xls files).

In XP with Excel 2003, we've been checking the
HKEY_CURRENT_USER\Software\Microsoft\Office\9\Excel\Security\Level key to
determine whether the macro will run.

Will this key continue to work on Vista when running Excel 2003?

Does the
HKEY_CURRENT_USER\Software\Microsoft\Office\12\Excel\Security\VBAWarnings
key serve the same function with Excel 2007?
 
Jialiang Ge [MSFT]

Hello

Generally speaking, the 'BEST' way is not to set the macro security low
because it may give a great chance for some potentially dangerous code to
run. The 'BEST' way is to digitally sign the trusted macros or put the
macros in a trusted location. The macro security level had better be set to
high.

If you insist on lowering the security level, we could change the VBAWarnings
as illustrated in the previous reply. But please do remember to set the
value back after the macro is run.

> Will this key continue to work on Vista when running Excel 2003?

Yes, but I think the key for Excel 2003 should be
HKEY_CURRENT_USER\Software\Microsoft\Office\11\Excel\Security\Level
The internal code for Excel 2003 is 11, rather than 9.

> Does the HKEY_CURRENT_USER\Software\Microsoft\Office\12\Excel\Security\VBAWarnings
> key serve the same function with Excel 2007?

Yes.

If you have further questions, please feel free to let me know.

Sincerely,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

=================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from your issue.
=================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
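
A read-only check of the per-user macro setting discussed in this thread, added here as an example; it is not code from either poster. It assumes the on-disk version subkeys are `11.0` and `12.0` (written as 11 and 12 in the thread), that a value under `Software\Policies` takes precedence over the user's own, and that Excel falls back to High (2003) or "disable with notification" (2007) when no value is set. `fake_registry` is a hypothetical helper for running the logic against constructed data.

```python
# Added example, not from the thread: report how Excel 2003/2007 will treat
# macros for the current user, without changing any setting.
USER_ROOT = r"Software\Microsoft\Office"
POLICY_ROOT = r"Software\Policies\Microsoft\Office"  # assumption: policy wins

# Version subkey -> (value name, assumed default if absent, meaning of DWORD)
SETTINGS = {
    "11.0": ("Level", 3, {1: "run", 2: "prompt", 3: "signed-only",
                          4: "trusted-locations-only"}),
    "12.0": ("VBAWarnings", 2, {1: "run", 2: "prompt", 3: "signed-only",
                                4: "blocked"}),
}


def read_hkcu(path, name):
    """Return the named HKCU value, or None if the key or value is missing."""
    import winreg  # standard library, Windows only, so imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return None


def macro_setting(version, read=read_hkcu):
    """Return (raw value, source, behaviour) for "11.0" or "12.0"."""
    name, default, meaning = SETTINGS[version]
    value, source = default, "default"
    for root, label in ((POLICY_ROOT, "policy"), (USER_ROOT, "user")):
        path = "\\".join((root, version, "Excel", "Security"))
        found = read(path, name)
        if isinstance(found, int):  # ignore missing or non-DWORD data
            value, source = found, label
            break
    return value, source, meaning.get(value, "unknown")


def fake_registry(values):
    """Reader over a constructed {(path, name): value} dict (hypothetical)."""
    return lambda path, name: values.get((path, name))


if __name__ == "__main__":
    for version in SETTINGS:
        print(version, macro_setting(version))
```

A caller that gets anything other than "run" should expect the macro to be prompted for or blocked unless the workbook is signed or in a trusted location, which is the route recommended in the reply above.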
 
Jialiang Ge [MSFT]

Hi,

Would you mind letting me know the result of the suggestions? If you need
further assistance, feel free to let me know. I will be more than happy to
be of assistance.

Have a great day!

Sincerely,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

 
Tom

Your answer was exactly what I needed to know. Thank you so much for
providing me with a clear explanation of how macro security is checked in
Excel.

Tom
 
