Sandboxie Plus 1.0.7

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Jan 6, 2022.

  1. catspyjamas

    catspyjamas Registered Member

    Can confirm this behaviour too. This UAC prompt started happening to me when I moved directly from 0.9.8.d to 1.0.2 (I think - definitely before 1.0.3 anyway). At first I thought it was a Windows 11 quirk, but then it's happening on all of my Win 10 laptops too since updating them from 0.9.8d straight to 1.0.3, and has continued to the present version I'm on (1.0.5). Like @algol1 reports, it isn't every restart, I'd guess it happens 1 in 3 or 4 times. It might not happen for over a week, but then it might happen 3 days in a row. There's no obvious pattern to it that I can tell. It is mostly on restart, but can also be after a shutdown too (fast startup is NOT enabled). Until I click OK on the UAC there's a big red X across the Sandman tray icon. The only thing that seems to not work as expected if I've had this UAC prompt (and allowed it), is Office365 Click to run apps do not load with Sandboxie (they get stuck on an orange "updating" window - even though they are not updating, & are in fact already up-to-date). Again, I initially thought that was a Win 11 thing, but I observe the same behaviour - 100% reproducibly - on all my laptops now I've moved to 1.0.x on them too. If no UAC prompt - Office works fine. If a UAC prompt - I have to reboot until I get a time when Sandboxie loads the driver without a UAC prompt, and then Office will work again. Every other app seems to be unaffected though.

    All installations have been clean installations with brand new ini files. I have tried uninstalling and reinstalling on a few machines in case of some installation glitch, but that has not fixed it.

    Thanks @algol1 - I've been meaning to report this for a while but haven't had a chance to.
     
    Last edited: Jan 8, 2022
  2. algol1

    algol1 Registered Member

    Indeed I think with this latter observation @catspyjamas might be on to something. As I do not use Office365 because I've always been advocating strongly in favor of offline-variants of MS-Office I've indeed been wondering why with every Sandboxie-plus installation/upgrade a pop-up would come up requesting to shut down some Office365-startup-routine(?) first. I used to OK that request but was alarmed at first when I ran initially into this as I would never voluntarily have auto-started anything in connection with Office365 and so was already thinking about some hidden malware here until I found out that this is Win10-standard-behavior.

    Nevertheless I was glad to see that as of some recent Sandboxie-upgrade (v1.0.x) this nag-screen had been gone for good. But a gut-feeling now tells me that that may have exactly been the point-in-time when also those UAC/driver-problems were initiated. Not sure about that, though.
     
  3. catspyjamas

    catspyjamas Registered Member

    Hiya @algol1 - just regarding that pop up you get when installing Sandboxie, stating Sandboxie needs to close Office apps to complete the installation - that's actually been going on as part of the installation since I have been using Sandboxie on Vista back in 2008 or 2009 ish, including when Office was installed by a CD and not click-to-run. But now you mention it, I'm not sure if I did get that prompt on new installations of 1.0.x. But to be honest I wasn't deliberately looking out for it to remember. Anyway, it took me ages to work out the pattern of when Office would and wouldn't work, with trying to enable and disable various settings in Sandboxie, but in the end this UAC prompt on reboots or after shutdowns is what seems to be the common denominator, and it happens with an out-of-the-box installation with no settings changed, and with and without Win32k hooking enabled. It's the same on all of the laptops in the house. If I don't get that UAC prompt on booting up, Office will load under Sandboxie without issue.

    This is what I get when I launch an Office app if I've had a UAC prompt to allow Sandboxie Manager:

    Office Sandboxie prob.png


    And this is said UAC prompt I get sometimes on booting up:

    UAC prompt v 1.0.x.jpg

    EDIT - actually djkilla over the page reports the same behaviour of the intermittent UAC prompt on booting with the Classic version of Sandboxie as well. I installed Classic 5.55.6 on the gutless spare laptop I keep for my Godson, and it definitely had the pop up to OK closing Office apps on installation, I do recall that as it reminded me that I want to take Office365 off that machine to free up an installation for another machine. I just can't recall if I had that with Plus 1.0.x. on my other ones. Sometime after work in the coming days I'll install 1.0.7 on a machine and report back if I get the Office is closing apps thingy during installation.
     
    Last edited: Jan 9, 2022
  4. DavidXanatos

    DavidXanatos Developer

    This is really strange, why would it fail on boot but then start fine?
    Can you please inspect the event log for errors related to starting Sandboxie on boot, please.
     
  5. Freki123

    Freki123 Registered Member

    I only got a starting problem with the new classic version once while being on SUA. It wanted admin pw to start something for sandboxie. I allowed it with admin pw. So far it hadn't happened again.
    Untitled.jpg
    And I also skipped the version 5.55.6 (or was it also 5.55.5?) and updated directly to 5.55.7, 64bit classic.
     
    Last edited: Jan 9, 2022
  6. Rasheed187

    Rasheed187 Registered Member

    If it's a UWP app then it can't be done because Sandboxie can't virtualize apps running in AppContainer mode.

    BTW, I haven't followed the thread, but has the problem with Intel's 11th Gen CPUs been fixed?
     
  7. DavidXanatos

    DavidXanatos Developer

    I think so, unless I missed one; there were a few.
     
  8. Rasheed187

    Rasheed187 Registered Member

    OK cool, great job. I believe you fixed it with some new hooking technique?
     
  9. DjKilla

    DjKilla Registered Member

    Hopefully this info will help you.

    Error1.jpg

    Log Name: System
    Source: SbieSvc
    Date: 1/9/2022 7:44:46 AM
    Event ID: 9234
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: <Removed>
    Description:
    SBIE9234 Service startup error level 9153 status=C0000001 error=-1073741823
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="SbieSvc" />
    <EventID Qualifiers="49409">9234</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2022-01-09T12:44:46.7477124Z" />
    <EventRecordID>120893</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer><Removed></Computer>
    <Security />
    </System>
    <EventData>
    <Data>
    </Data>
    <Data>level 9153 status=C0000001 error=-1073741823</Data>
    </EventData>
    </Event>
     
    Last edited: Jan 9, 2022
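
Added example (not part of the thread and not Sandboxie code): a small Python decoder for the `status=`/`error=` pair in the SBIE9234 message posted above. It shows that the signed decimal `error` and the hexadecimal `status` are the same 32-bit value and splits it into the standard NTSTATUS fields. The sample string is a constructed copy of the posted message text, and the name lookup table is a short illustrative subset.

```python
import re

# Constructed copy of the message text from the event posted above.
SAMPLE = "SBIE9234 Service startup error level 9153 status=C0000001 error=-1073741823"

# NTSTATUS severity is held in the top two bits of the 32-bit value.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Illustrative subset of well-known NTSTATUS names, not an exhaustive table.
KNOWN = {
    0xC0000001: "STATUS_UNSUCCESSFUL",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

MSG_RE = re.compile(
    r"SBIE(?P<msg>\d+) .*?level (?P<level>\d+) "
    r"status=(?P<status>[0-9A-Fa-f]{8}) error=(?P<error>-?\d+)"
)

def decode_sbie_event(text):
    """Parse an SBIE 'status=... error=...' message into its numeric fields."""
    m = MSG_RE.search(text)
    if m is None:
        raise ValueError("not an SBIE status/error message")
    status = int(m["status"], 16)
    # 'error' is printed as a signed 32-bit decimal; masking recovers
    # the unsigned bit pattern so it can be compared with 'status'.
    error_u32 = int(m["error"]) & 0xFFFFFFFF
    return {
        "message_id": int(m["msg"]),
        "level": int(m["level"]),
        "status": status,
        "error_u32": error_u32,
        "same_value": status == error_u32,
        "severity": SEVERITY[status >> 30],
        "customer_defined": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": KNOWN.get(status, "unknown"),
    }

if __name__ == "__main__":
    for key, value in decode_sbie_event(SAMPLE).items():
        shown = f"{value:#010x}" if key in ("status", "error_u32") else value
        print(f"{key:17} {shown}")
```

For the posted event this yields STATUS_UNSUCCESSFUL, a generic failure code, so the status alone does not say which startup step failed.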
  10. algol1

    algol1 Registered Member

    Not sure if that is in connection with randomly triggering the UAC-prompt b/c I then OK that prompt and everything will continue as normal.

    But now that you've been asking about Sbie-related entries I've looked into that matter and found some Sbie-related errors that have occurred on an (ir-)regular basis as of recently with quite some frequency and which will usually emerge in a group of 3:
    Sbie-1.jpg Sbie-2.jpg Sbie-3.jpg

    Hope that helps to identify the issue.
     
  11. DavidXanatos

    DavidXanatos Developer

    Ok try disabling the Win32k hook mechanism and tell me if that solves the reboot issue.
     
  12. catspyjamas

    catspyjamas Registered Member

    I'll try doing that on my Win 10 machines and report back (the Win 11 machine needs that setting enabled for Edge to work properly). It might take a good few days because the UAC prompt is very intermittent. I've a feeling I already eliminated that as a cause on the Win 11 machine, but will give it a go.
     
    Last edited: Jan 9, 2022
  13. DavidXanatos

    DavidXanatos Developer

    Well I don't really see what else I could have changed that could break the start only at boot.
    The csrss.exe error makes sense, possibly sometimes the sbie service starts before this service, and then BAM the driver fails to localize it, therefore fails to initialize the win32k hooking mechanism.
     
  14. catspyjamas

    catspyjamas Registered Member

    Would that cause Office to fail to launch as per my above post David? Because that happens on all 7 machines every time if I get that UAC prompt. No UAC prompt and Office works just fine.
     
  15. DavidXanatos

    DavidXanatos Developer

    That would be very strange, I mean sbie is injecting a dll into the office click to run service, but that is done by the driver. So if the driver failed to load it shouldn't have done anything to the click to run service.
     
  16. n8chavez

    n8chavez Registered Member

    Yeah, I didn't think so. Neither the tzuk nor sophos versions were able to. Still, I held out hope for some SBIE Plus magic.

    Thanks!
     
  17. catspyjamas

    catspyjamas Registered Member

    @DavidXanatos Hmmm. Well there is definitely a relationship between the two happening. Fortunately I very rarely run Office under Sandboxie, and that's the only thing this UAC prompt happening seems to break. Just at work on a quick break atm, but when I get a chance on my days off I'll change all the Win 10 laptops to disabling the hooking, and I'll check my event viewer logs too and post back if I see anything for SBIE and/or Office when the prompt happens.
     
  18. algol1

    algol1 Registered Member

    That will have to wait a few days as currently I'm following a different lead. I've meanwhile disabled autostart of that ominous Office_Click_to_Run-service as I always find it annoying being bossed around by the OS to auto-run routines on my PC which I'm not going to use on purpose.

    And after reading @catspyjamas' post I suddenly had that gut-feeling that the UAC-issue might have started exactly once that Sbie-installation-nag-screen to shut down OfficeClickToRun-Service had disappeared.

    Bottom line so far: since OfficeClickToRun-Service autostart has been disabled no further UAC-hiccups have occurred for more than 12 hours now - but because of the intermittent nature of the UAC-phenomenon I'll have to wait for another 2 days or so to determine if that really could be the culprit. As soon as UAC occurs without OfficeClickToRun-Service autostarted I'll give Win32k-hook a try.
     
  19. algol1

    algol1 Registered Member

    Old habits die hard, they say. Young, emerging theories on the other hand can be rather short-lived. UAC-hiccup occurred again, even with OfficeClickToRun-Service not started - and so Win32k-hook is off now, as requested. Will report back if that really helps.
     
  20. DjKilla

    DjKilla Registered Member

    I think I found what's causing the UAC issue. So every time I do a clean install (not an upgrade on top of the current version), I always redo my settings in Sandboxie. I don't use a backup ini file of the last version of Sandboxie. So this time I decided to do a clean install but not enter my settings. I rebooted the computer which always pops up a UAC about the Sandboxie service after doing a clean install. Well this time the UAC didn't pop up. So I entered my settings in Sandboxie then rebooted the computer and UAC popped up. I think what's causing it is selecting Drop Rights. I'll do more testing to be sure.

    Sandboxie Classic 5.55.7 (64-bit)

    Problem1.jpg
     
  21. catspyjamas

    catspyjamas Registered Member

    @DjKilla I have already ruled out Drop Rights being enabled as the cause. It's not enabled on my machines but still happens intermittently both with and without drop rights enabled. I think the win32 hook thingy is likely, but as the problem is so very intermittent, it's going to take about a week of shutdowns and restarts with the hooking disabled to know for sure.
     
  22. catspyjamas

    catspyjamas Registered Member

    My machine here with me has the very same 3 errors in event viewer that are, at least from my shift-work/double-shift frazzled memory, timed for when I last had the UAC prompt. Haven't had a chance to look at the other machines at home yet. I'm keeping hooking enabled on my Win11 machine as it needs that for a feature of Edge to work. So next time I get a UAC prompt on that machine I'll check if those errors definitely coincide.
     
  23. DjKilla

    DjKilla Registered Member

    Yea, it's not Drop Rights. I have two more things to try tomorrow. If my theory on what it is doesn't work, then I'm at a loss.
     
  24. catspyjamas

    catspyjamas Registered Member

    Hey @DjKilla , not sure if you saw David's replies above in response to the errors in the event log that algol1 posted. David is thinking at this point it is likely to be the new setting in Sandboxie that enables win32 hooking by default. The explanation is in reply #38.

    You can disable this function in the global settings. Someone running Classic might be able to help you with where and how to do that in the Classic version. ATM I just have a laptop with me running the Plus version. In the Plus version you go to Options > Global Settings > Advanced Config > then untick "Hook selected win32k system calls to enable GPU acceleration". A reboot is needed after to allow the change to take proper effect. My feeling when he suggested that, was that I had already tried that on my Windows 11 machine, but now I feel I didn't really give that a proper go, as at the time I was focused on trying to figure out why Office apps would sometimes fail to load with Sandboxie. I didn't connect the intermittent UAC prompt with the Office issue, but it's been some weeks now and I can see that the two are 100% related. I thought it was a Sandboxie + Office + Windows 11 thing. But having upgraded my Windows 10 machines from 0.9.8d to version 1.0.3, and then 1.0.5, I find I am having the same issue with Office & UAC prompts on them now too. This hooking thing was introduced in 1.0.x and the corresponding Classic version. As the problem is intermittent, it might take some time with hooking disabled to see if the issue persists.

    (PS Apologies if I'm not making sense - let me know if not. Have just completed a double shift at the end of a six day stretch with some really sick patients on my watch. My brain is literally porridge now).
     
    Last edited: Jan 9, 2022
  25. DavidXanatos

    DavidXanatos Developer

    To solve the starting issue you can also try one or both attached *.reg files.
    FailureActions.reg makes the sbie svc restart on failure after a delay of 1 minute.
    The DependOnService.reg might avoid the csrss.exe issue, but as there is no service entry for csrss.exe I had to pick some random early starting service instead.

    If DependOnService works reliably that would be a good solution.
     
