Applies ToAccess for Microsoft 365 Access 2024 Access 2021 Access 2019 Access 2016

This article explains how to use an Access security feature called sandbox mode. In sandbox mode, Access blocks “unsafe” expressions: any expression that uses functions or properties that could be exploited by malicious users to gain access to drives, files, or other resources for which they do not have authorization. For example, functions such as Kill and Shell could be used to damage data and files on a computer, so they are blocked in sandbox mode.

Note: This topic does not apply to Access web apps or Access web databases, and does not cover other Access security features.

In this article

Overview

Sandbox mode is a security feature that prevents Access from running certain expressions that could be unsafe. These unsafe expressions are blocked regardless of whether the database has been ‘trusted’ – its content enabled.

How sandbox mode is set

You use a registry key to specify whether Access should run in sandbox mode. Sandbox mode is enabled by default – the registry key value is set to enable sandbox mode when Access is installed on a computer. If you want to allow all expressions to run, you can change the registry key value to disable sandbox mode.

Trusted databases

Regardless of whether sandbox mode is enabled in the registry, Access won’t allow potentially unsafe expressions to run unless the database file either is located in a trusted location, or bears a valid trust signature. If a database isn’t “trusted” Access uses sandbox mode.

The following drawing shows the decision process that Access follows when it encounters an unsafe expression.

The decision process for enabling or disabling sandbox mode

If you are not familiar with the registry, or you are not comfortable with changing registry keys yourself, ask for help from someone who is familiar and comfortable with changing the registry. You must have administrator permissions on the computer to change the registry values.

Top of Page

Disable sandbox mode (run unsafe expressions)

In some installations, you can disable sandbox mode by changing the value of a registry key.

Note: Not all installations of Access will include the SandBoxMode registry key referred to in the procedure below. If you do not find the registry key, we do not recommend adding it, as it could interfere with Office updates.

Caution      Incorrectly editing the registry may severely damage your operating system, requiring you to reinstall it. Microsoft cannot guarantee that problems resulting from editing the registry incorrectly can be resolved. Before editing the registry, back up any valuable data. For the most recent information about using and protecting your computer's registry, see Microsoft Windows Help.

Change the registry key

Important: Following these steps allows unsafe expressions to run in all instances of Access for all users on the computer.

  1. Close all instances of Access that are running on the computer for which you want to disable sandbox mode.

  2. Press the Windows key, type Run, and press ENTER.

  3. In the Open box, type regedit and then press ENTER.

    The Registry Editor starts.

  4. The specific location of the registry key will vary depending upon what version of Access you are running, the bitness (32 bit or 64 bit) of your Windows and Access version, and if you have a click-to-run installation. If you're having trouble finding the right registry key from the possible options displayed below, try searching the registry for Access Connectivity Engine.

    Expand the HKEY_LOCAL_MACHINE folder and navigate to the following registry key:

    If you're using Access 2016 or Access 2019, try looking here: \Software\Microsoft\Office\16.0\Access Connectivity Engine\Engines or here: \Software\WOW6432Node\Microsoft\Office\16.0\Access Connectivity Engine\Engines

    If you're using the 32 bit Microsoft 365 subscription version of Access or a 32 bit click-to run installation of Access try looking here: Software\Microsoft\Office\ClickToRun\Registry\Machine\Software\Microsoft\Office\16.0\Access Connectivity Engine\Engines

    ...or here:

    Software\Microsoft\Office\ClickToRun\Registry\Machine\Software\Microsoft\Office\15.0\Access Connectivity Engine\Engines

    If you're using the 64 bit Microsoft 365 subscription version of Access or a 64 bit click-to run installation of Access try looking here: Software\Microsoft\Office\ClickToRun\Registry\Machine\Software\Wow6432Node\Microsoft\Office\16.0\Access Connectivity Engine\Engines

    ...or here:

    Software\Microsoft\Office\ClickToRun\Registry\Machine\Software\Wow6432Node\Microsoft\Office\15.0\Access Connectivity Engine\Engines

  5. In the right pane of the registry editor, under Name, double-click SandBoxMode if it is present. If you don’t find the SandBoxMode registry key, we do not recommend adding it, as it could interfere with Office updates.

    The Edit DWORD Value dialog box appears.

  6. In the Value Data field, change the value from 3 to 2, and then click OK.

  7. Close the Registry Editor.

Important: Remember that if you do not first enable the content in the database, Access disables any unsafe expressions regardless of whether you change this registry setting.

You can set the registry value to the following values, with 0 (zero) being the most permissive and 3 being the least permissive.

Setting

Description

0

Sandbox mode is disabled at all times.

1

Sandbox mode is used for Access, but not for non-Access programs.

2

Sandbox mode is used for non-Access programs, but not for Access.

3

Sandbox mode is used at all times. This is the default value, set when you install Access.

Top of Page

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.