I want to add on certain feature in MS Office. Currently, I am looking at VBA to develop it. However, it seems that running macros requires security disabled. This means that if I distribute the VBA program, other people need to enable macros to run. (Security issues)
The problem now is, how do I distribute the VBA that I wrote? E.g. in a .exe file? And is there any other method to go about creating this add on?
I downloaded some add on for MS Word and it seems that it is written in C++ and it is in .dll format.
Thanks.
You can run macros in a document/template/add-in even in "high" security mode, if:
the VBA project is digitally signed
the user agrees to 'trust' the publisher of the digital signature
The first time the user runs a macro signed with your digital signature, they'll get a prompt saying "the macros are signed by YourCompanyName - do you want to trust all add-ins from this publisher". If they click "yes", they won't see the prompt again - and your macros will run.
See this link for details of how to create a digital signature.
Visual Studio Tools for Office (VSTO) allows you to author extensions to Microsoft Office using any .NET language, including Visual C++. Such extensions would indeed compile to DLL-files, and after installation on a client machine, they wouldn't require the user to dismiss any additional security warnings. You will need Visual Studio 2005/2008 Professional in order to use the VSTO framework.
Wikipedia has more information about VSTO, including a comparison with VBA. Amazon seems to have a fair amount of books on the subject as well.
Related
After moving into a new desktop with Outlook 2019 installed, my VBA Macros wouldn't run. It was failing silently. Finally I triggered this error message:
An error occured while attempting to verify the VBA project's signature. Macros will be disabled.
And the VBA editor states:
The macros in this project are disabled…
I tried answers Microsoft Outlook 2013: Error verify VBA project signature, but the information is outdated.
The advice given by Signing your own macros with SelfCert.exe worked fine. I’m not going to duplicate the write-up, which has excellent visual aids. Here’s what I learned in my own words. Maybe this will help you avoid wading through the whole article. (That’s not to say it’s hard to read.)
Here are the steps:
Create a self-signed certificate
Sign the macro with the certificate
Verify your Outlook security settings
Run for the first time
Here are more details.
One needs to have a certificate to digitally sign one’s macros. For most of us, that means creating a self-signed certificate, which is probably why you searched for an answer to this problem. Office has a utility to do this. I have the 64-bit version of Office, so I ran C:\Program Files\Microsoft Office\root\Office16\SelfCert.exe (see the article I linked to for other versions).
In the VBA Editor (ALT+F11) where you created the macro, choose:
Tools-> Digital Signature…
You should see that the current VBA project isn’t signed yet. That’s the problem. Unlike 2013, when you press the Choose… button you’ll get a screen to select the certificate you just created. (Installation was automatic.)
Next navigate:
File-> Options-> Trust Center-> Trust Center Settings…-> Macro Settings
Ensure this option is selected: Notifications for digitally signed macros, all other macros disabled
Restart Outlook. When you exit, you’ll be prompted to save changes to your VBA project. Choose “Yes”.
When you run your newly-signed macro the first time, you’ll be notified. Select that you’ll always trust the macros or documents from this publisher and you won’t be prompted again.
When I try to run Outlook via Interop using the profile name it opens a dialog for the password. This script is running from Windows Task Scheduler Task. Does it use the admin account when running these tasks? The profile been made and my email account is the only one loaded in here.
The Always prompt for login credentials is unchecked for the account listed in the profile.
This is a network computer in domain. Outlook 2010.
Profile Switch(link):
Process.Start("Outlook", "/profile profilename")
'logs in with a prompt for the password
How can I pass the password in code and avoid the dialog?
Alternatively, I have a macro that does what I need, but I have not been able to get it to run when the profile loads. This would solve the problem as well. Macros enabled is checked in the Trust Center.
Thanks
First, you need to run both application under the same security context to be able to automate one from another.
This app is being launched from Windows Task Scheduler
Microsoft does not currently recommend, and does not support, Automation of Microsoft Office applications from any unattended, non-interactive client application or component (including ASP, ASP.NET, DCOM, and NT Services), because Office may exhibit unstable behavior and/or deadlock when Office is run in this environment.
If you are building a solution that runs in a server-side context, you should try to use components that have been made safe for unattended execution. Or, you should try to find alternatives that allow at least part of the code to run client-side. If you use an Office application from a server-side solution, the application will lack many of the necessary capabilities to run successfully. Additionally, you will be taking risks with the stability of your overall solution. Read more about that in the Considerations for server-side Automation of Office article.
As a workaround, you may consider usign a low-level API on which Outlook is based on - Extended MAPI. Or any third-party wrapper around that API such as Redemption.
Yesterday I upgraded from win 8.1 to win 10. In Outlook 2013 under win 8.1 I had a VBA script (macro) which was automatically adding BCC to every mail I have sent. This script was digitally signed so that I can have the Macro setting like this: "Notifications for digitally signed macros, all other macros disabled" without asking me to enable this macro every time I start the Outlook. Now it doesn't work any more. The script is working well if I set this macro security setting to: "Enable all macros" - but I don't want to use this setting because of security reasons.
So obviously the problem is somewhere in digital signing of the VBA script. I did it all from the beginning: I removed the previous certificate, created new one using the SELFCERT.EXE, and did all the procedure like with win 8.1 and everything went well like described here except that part in which it should ask only for the first time if I trust the publisher and I should check "always trust macros from this publisher". I cannot invoke this window. Maybe this points out to some problem or inconsistency: it should show this window for me to check it but is not showing because I previously under win 8.1 already have checked it...?
Has anybody some idea how to solve this?
Thanks!
I got it finally!
The only thing I had to do was to run Outlook as administrator. As soon as I did that, the window with "trust all documents from this publisher" appeared and after I clicked it everything after that worked like before.
I had the same issue after upgrading from Windows 7 x32 to Windows 10 but with Outlook 2010 rather than 2013. Tried all sorts of thing without success.
What eventually worked for me was to go into the Trust Center, Macro Settings, and check the box "Apply macro security settings to installed add-ins" as well as the 'Notifications for digitally signed macros' option.
The 'Disable all macros' option gets greyed out.
Click OK and exit Outlook.
Next time you open Outlook you will be asked to accept each of the installed add-ins as well as your self-certified VBA project - but this is a one-time requirement. As belt and braces I allowed it to install the certificates automatically. In my case at least, from then on all my macros ran normally :-)
Hope that helps!
I realize this thread is dated, but I discovered the reason Bzek's solution worked. I don't want to run Outlook as an Administrator, but I also did want my macros to function as they had in W7. The potential solution from Kopweb didn't work for me.
The good news is that a simple check box click in the Advanced section of the Cert properties for 'client authentication' did the trick. Restart Outlook normally and the macros should work. See the image below:
Cert - Advanced Options
I have built template-based add ins for Word and Excel version 2003 and previous. Those versions always required the the code to be digitally signed so that it would run on machines that had macro security turned on.
I am now working on some template based add ins for Office 2010 (to be delivered as a protected .dotm file. The add ins will create custom ribbons that provide business functionality. It looks like while I can do code signing, I no longer need to do code signing if I install my .dotm file into [user profile]\Roaming\Microsoft\Word\Startup. Can anyone verify this? In my limited testing this seems to work and I am interested in distributing this to some computers out of our domain where my code signing certificate is not trusted.
Any help would greatly appreciated. Thanks.
Yes, that has been the case since Word 97 to Word 2010 - dot/dotm files in the STARTUP folder are not checked for signing (apparently because getting them into that folder is supposed to be a manual effort). It will work without signing as long as someone has not disabled STARTUP folder add-ins (the KB on how someone would disable it is here http://support.microsoft.com/kb/921541 under section "Disable the Startup folder add-ins").
Is there a way to automate code signing a VBA project in a Word 2003 and/or Word 2007 document?
By automate I mean via a command line utility or via Word VBA automation?
Motivation: I would like to code sign several Word templates as part of an automated daily build and distribution cycle. Right now we have to do this manually by opening each document in Word and resigning.
Thank you,
Malcolm
I've never seen a way to do this. I had an automated build of a template years ago and at the end I popped up a message box saying "you have to go sign the template now" and then opened VBA for them. Just saying I feel your pain I guess.
This may be worth a look:
http://winbatch.com/
For anyone coming across this question a decade later, it seems to be possible to automate signing of VBA projects using SignTool in the Windows 10 SDK as described in this Microsoft Support page. I'll quote the specific instructions here too:
Download and install the Windows 10 SDK.
Download Officesips.exe from Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects.
To sign files and verify the signatures in files, register Msosip.dll and Msosipx.dll, and then run Offsign.bat. The detailed steps are included in the Readme.txt file in the installation folder of Officesips.exe.
Note: Use the x86 version of SignTool in the "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86" folder when you run Offsign.bat.
Haven't done this myself yet but likely will in the near future. I'll update this answer if I learn anything.
I do not believe there is an automated way to do this because it would defeat the security of code-signing VBA Project signing.
The two message digests are compared,
and if any part of the file has been
modified or corrupted, the digests
will not match and the contents of the
file can't be trusted. The
verification process will fail
regardless of how the file was
modified - whether through corruption,
a macro virus, or programmatic changes
made by an add-in or Office solution.
The verification process will also
fail if the file wasn't signed with a
valid certificate; that is, if the
certificate had expired, or had been
forged, altered, or corrupted. If
another user modifies the VBA project,
the Office 2000 application removes
the current signature and prompts the
user to re-sign the VBA project; if
the user doesn't sign the VBA project
or signs it with another certificate,
the file may fail the verification
process.
Inserted from
http://msdn.microsoft.com/en-us/library/aa190113(office.10).aspx
Code signing has the additional level of security in the fact that a developer must compile source code. A macro is not compiled and can be distributed as text. Therefore, automating macro signing would open a large security hole. Manually siging a macro is similar to Outlook prompting the user to allow programmatic access to the address book.