At the Orlando .NET Code Camp (the second largest in the US, the largest being South Florida), I did a presentation on OpenXml which is the format behind Office 2007/2010. At this session I was asked a question to which I had no answer.
The question was ‘If I have a password protected Excel from either 2007 or 2010 file, can I use the trick of renaming a file to a zip and then examining the XML to extract the information in that spreadsheet. Well I could not answer this but noted it down for later. So after a little investigation here are my findings.
There are three level’s of password protection offered in Excel (note that I’m using Excel 2010, so there may be differences in 2007). Under the review ribbon bar section, in the Changes tab, there are two of the three options
- Protect sheet – which protects the data in a particular sheet, it can also include formatting, adding/deleting rows and columns, etc
- Protect workbook – which protects the structure of the workbook i.e. the number of sheets, window layout, etc
These two options protect the spreadsheet but the file can still be easily opened by end users and worked with no password required. So renaming the spreadsheet to a zip file, opening it up and editing the xml files I located and removed the protection that these options add. After opening back up in Excel, everything works as expected from an unprotected spreadsheet. Not unsurprising as these options are not meant to protect sensitive documents, only to stop a user changing the document through carelessness or whatever. I will leave it to you, to figure out which xml file contains the protection element.
The third option is also confusingly called Protect Workbook, but is located under the File/Info tab. From this you can password protect a file such that it cannot be opened without specifying a password. I presumed that after password protecting the file, and saving what I would have is a password protected zip file masquerading as an Excel document. So I renamed it to a zip extension and attempted to open it. Well that didn’t work, that may just be that I’m using an older version of a zip package or more likely MS is encrypting the entire zip file after creation. This was interesting and although not quite what I expected, the file is protected as expected.
So you cannot retrieve the contents of a password protected spreadsheet for which you have forgotten that password by simply renaming it to .ZIP and opening it.