Word Macro Security vs Document Protection — Differences Explained

What macro security actually does

Macro security in Word controls whether VBA macros embedded in a document are allowed to run. The setting is at the application level (Word Options > Trust Center > Trust Center Settings > Macro Settings), not the document level. You can choose from: Disable all macros without notification, Disable all macros with notification (default), Disable all macros except digitally signed macros, or Enable all macros.

The macro security setting is stored in the Windows Registry (HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM) and in user-specific XML files. It is NOT stored in the document. When a user is blocked from running macros, the issue is with their Word configuration, not with the document itself.

There is no password for macro security itself. Word does not ask for a password to enable or disable macros. The gate is a registry key or group policy setting, not an encrypted hash. Recovery from 'I can't run macros' is a matter of changing the Trust Center setting, not password recovery.

What document protection actually does

Word document protection (Review > Restrict Editing) offers three restriction types: Formatting restrictions (limit formatting to a selection of styles), Editing restrictions (no changes, comments only, or filling in forms), and Start enforcement (optionally with a password).

When a password is set for document protection, Word stores a SHA-1 hash of the password in the document's XML (settings.xml inside the .docx archive). The hash can be removed structurally — like Excel sheet protection, it is not encryption, just a verification gate.

Document protection does NOT encrypt the document content. Any tool that can open the .docx ZIP and edit the XML can remove the <w:documentProtection> element. The document content is always readable regardless of the protection password.

VBA project password vs macro security

The VBA project password (Tools > VBAProject Properties > Protection > Lock project for viewing) is frequently confused with macro security. The VBA password prevents viewing/editing the macro source code, but does NOT prevent the macros from running. Macro security (Trust Center) controls whether macros run at all.

VBA project password removal follows the same structural patching technique as Excel VBA: open the .docm (or .doc with VBA) as a ZIP, extract vbaProject.bin, patch the DPB protection flag, repackage. The macro code itself is compressed plaintext in the binary stream — the password only gates the UI.

Macro security has no recovery component because there's no password. If a user says 'I can't run macros in Word', the answer is always Trust Center settings or group policy, never hashcat or structural patching.

Document protection recovery techniques

For .docx files with editing restrictions: (1) open the file in Word, save as a new name (Word sometimes drops protection if the password is an empty string). (2) Unzip the .docx, open word/settings.xml, find the <w:documentProtection> element and delete it, rezip. (3) Use LibreOffice Writer which ignores Word protection entirely. (4) Copy-paste the content into a new document.

For .doc (binary format) files with protection: use a hex editor to locate the protection bytes in the OLE2 compound document. The protection flag is at a known offset. Commercial tools like Word Password Recovery Magic automate this.

None of these techniques involve password recovery via cracking — the protection is structurally removable in all cases. The only scenario where hashcat is relevant is if the file has file-open password encryption (Tools > Protect Document > Encrypt with Password).

File-open encryption in Word

Word supports file-open password encryption (Encrypt with Password in the Info panel). This IS real encryption — AES-256 with SHA-512 KDF (mode 9600 equivalent) for modern .docx files, or RC4 for legacy .doc files (modes 9700-9800). When a file-open password is set, the content is encrypted and cannot be read without the password.

File-open password recovery is the only scenario in Word that requires cryptographic recovery services. The hashcat mode depends on the Office version: Office 2007 (.docx) uses mode 9400, Office 2010 uses mode 9500, Office 2013+ uses mode 9600. Legacy .doc files use mode 9700 (Office 97-2000) or mode 9800 (Office 2000-2003).

Unlike document protection (which is structural), file-open encryption cannot be bypassed. The password must be cracked or found through recovery techniques. This is the boundary between DIY structural removal and professional password recovery service.

Practical scenarios and correct responses

Scenario: 'I can't edit this Word document, it asks for a password' — this is document protection, structural removal works in seconds. No cracking needed.

Scenario: 'I can't run macros in Word' — this is macro security settings in Trust Center, not a password. Change the macro security level to 'Disable all macros with notification' and then enable macros for the specific document.

Scenario: 'I can't view the VBA code, it asks for a password' — this is VBA project password, structural patching of vbaProject.bin. Removal is trivial with the right tool.

Scenario: 'Word asks for a password just to open the document' — this is file-open encryption. Cryptographic recovery via hashcat is the only path. This is where recovery services help.

Security recommendations for 2026

Use the correct layer for your actual threat model: file-open encryption for confidentiality (no one should read the content), document protection for collaboration discipline (prevent accidental edits), VBA project password for code obfuscation (not security), macro security digital signing (trusted publisher certificates) for enterprise distribution.

Document protection and VBA passwords are structural — they protect against casual users, not determined ones. Treat them as UI barriers, not security measures. If the content genuinely needs protection, use file-open encryption with a strong password or Information Rights Management.

For enterprises: use Group Policy to centrally manage macro security (significant reduction in macro malware incidents). Use Azure Information Protection for content-level security that works across Office Online, Desktop, and Mobile.

Identifying Word security issues

1. 1

   Check what's blocked

   Can't open at all? = file-open encryption. Can open but can't edit? = document protection. Can open but can't view VBA? = VBA project password. Can open but macros don't run? = macro security settings.

2. 2

   For file-open encryption

   Requires cryptographic password recovery. Run free analysis to check hashcat mode and feasibility.

3. 3

   For document protection

   Stucturally removable. Remove <w:documentProtection> from settings.xml in the .docx ZIP.

4. 4

   For VBA project password

   Patch DPB flag in vbaProject.bin. Automated tools available.

5. 5

   For macro security

   Word Options > Trust Center > Macro Settings. No password involved.

Frequently Asked Questions

Related Reading