Sandboxie-Plus v1.8.0

Cool! Thanks for digging that up

 

I changed the local template I'm using to use 'WriteFilePath' instead of 'ClosedFilePath' as you suggested.

The result is that Firefox, Edge, and Chrome each sometimes (not always) fail to start properly. They fail in the same way as they did before I created the local template with 'ClosedFilePath'.

 

@txhawkeye Can you test with shorter FileRootPath path for the box without adding the ClosedFilePaths? It would be nice if you also shorten the sandbox name.

Code:

FileRootPath=C:\SB\%SANDBOX%

Code:

[FF]
.
.
.
FileRootPath=C:\SB\%SANDBOX%

 

@busy I changed FileRootPath to 'FileRootPath=C:\SB\%SANDBOX%', changed the sandbox name to '[FF]', and deleted the reference to the local template to prevent ClosedFilePath from being used in the sandbox. I confirmed via TaskExplorer that ClosedFilePath was not being invoked.

With these changes Firefox still intermittently failed to start properly in the same way as all other configuration options I've tried that don't use ClosedFilePath.

 

@txhawkeye Have you tried closing each folder in the root directories separately? (Except the ones you allow) Then try removing them one by one.


ClosedFilePath=C:
ClosedFilePath=E:

Code:

ClosedFilePath=C:\SomeFolder1
ClosedFilePath=C:\SomeFolder2
ClosedFilePath=C:\SomeFolder3

ClosedFilePath=E:\SomeFolder1
ClosedFilePath=E:\SomeFolder2
ClosedFilePath=E:\SomeFolder3

 

@busy I did limited experimentation a while back. I'll do a thorough test with each folder to see if I can isolate a particular folder that is responsible. It will take a while to do this, but I will report back when complete. Thanks for your suggestions!

 

I'm not using the latest Sandboxie version, but I couldn't install 4K Video Downloader because it's a MSI file and the Windows Installer service could not be accessed, is this already fixed?

https://www.softpedia.com/get/Internet/Download-Managers/4k-Video-Downloader.shtml

 

Try with:

Code:

FakeAdminRights=y
MsiInstallerExemptions=y

 

OK thanks, so this should be added to the global settings?

 

No, to the particular sandbox settings where the program will be installed.

 

OK cool, will try this. I remember that months ago people complained about MSI files not being able to install, I thought this was already fixed, but apparently you need to edit the config file yourself. Perhaps this can become a setting in the GUI.

 

If you are using the Plus (UI), you can also set it from the interface.

Sandbox Options > Security Options > Security Hardening

• Make applications think they are running elevated (allows to run installers safely) [FakeAdminRights]
  
• Allow MSIServer to run with a sandboxed system token and apply other exceptions if required [MsiInstallerExemptions]

 

I was using Firefox with Sandboxie last night and after some brief surfing I noticed that I wasn't sandboxed at all. It was like the old days when I always found a way to go live when thinking I was sandboxed. (I nipped that in the bud ages ago).

Anyway, for those who aren't aware it's very easy to go live by mistake with any program. All one has to do is launch a program via Sandboxie and right click on the programs icon in your taskbar.

There you get three options (pictured below). It's the first one you want to steer clear of. Even though it says the name of the sandbox before the program name it will not launch another sandboxed window. It will launch the program live.

Perhaps most of you are aware of this, but I just wanted to give a heads up for the few who don't.


https://u.cubeupload.com/Fizbin/20230304173155.png

 

this is why force processes exists ....

 

@busy I've done extensive testing using your recommended approach of isolating which folder(s) cause intermittent startup failures for Firefox, Edge, and Chrome when using 'UsePrivacyMode=y'.

It turns out there are 2 folders for which I need to use ClosedFilePath in order to avoid intermittent startup problems:

• C:\Users\%USER%\AppData
• E:\Internet

I should point out the following:

• My Downloads folder resides in E:\Internet\Files
• My Firefox profiles (of which I have 6) reside in E:\Internet\Firefox
• My Outlook files reside in E:\Internet\Outlook

Thus, there are elements of Firefox, Edge, and Chrome that reside on 2 drives:

• The AppData folders on C:
• The Downloads folder for Firefox, Edge and Chrome on E:
• The Firefox profiles on E:

For some time I've suspected the intermittent startup failures that started with SBIE+ 1.5.3 may be due to a timing problem of some sort. Perhaps having the relevant files residing on two drives has something to do with it? All I know is that the only way I've found to prevent the intermittent startup failures on SBIE+ 1.5.3 or higher is to use ClosedFilePath on the two folders mentioned above.

@DavidXanatos: do you have any thoughts?

 

@txhawkeye Did you also test the subfolders of the troublesome folders? Also are you using file/folder linking between the two drives? (symbolic link or junction)

Can you try by blocking the dll files in the AppData folder before running the subfolder test?

Code:

ClosedFilePath=C:\Users\%USER%\AppData\*.dll

If the number of subfolders is large; you test half of the folders first, then the other half if necessary, based on the result. First test the "AppData" folder while the other one is closed then you close the AppData folder while testing the other one.

 

I totally forgot about that function. thanks! However, there is still a way to launch an app unsandboxed even if it's added to forced programs.

All you need to do is hit CTRL and SHIFT and click on the app's shortcut, IF the shortcut contains a target like... "C:\Program Files\Sandboxie\Start.exe" /box DefaultBox "C:\Program Files\Mozilla Firefox\firefox.exe

I don't know if this 'loop hole' was intentional or not but I kind of like it because sometimes I need to run Firefox live and having to remove it from the forced process list would be a pain. Of course, most people are probably going to use a normal shortcut for a forced process app. In which case, this won't apply.

BTW, I removed the colon after the word /box in that target because it created a smiley face.

EDIT: Just realized there is a disabled forced programs function too.

 

@busy There are no symbolic links or junctions that I am aware of. I used the properties settings in File Explorer for the Download folder to move it to E:\Internet\Files. I believe Windows stores the Downloads path in registry key

Code:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{374DE290-123F-4565-9164-39C4925E467B}

Firefox's profiles.ini file contains the profile names and paths for each of the profiles known to Firefox. The profiles.ini is located in

.

I did additional testing, all with Firefox since that is my primary browser.

Test 1: Commented out existing ClosedFilePaths & added your suggested ClosedFilePath

Code:

#ClosedFilePath=C:\Users\%USER%\AppData
#ClosedFilePath=E:\Internet
ClosedFilePath=C:\Users\%USER%\AppData\*.dll

Result: intermittent startup failures.

Test 2: Commented out the ClosedFilePath for C:\Users\%USER%\AppData

Code:

#ClosedFilePath=C:\Users\%USER%\AppData
ClosedFilePath=E:\Internet

Result: Intermittent startup failures

Test 3: Commented out the ClosedFilePath for E:\Internet

Code:

ClosedFilePath=C:\Users\%USER%\AppData
#ClosedFilePath=E:\Internet

Result: Intermittent startup failures

Test 4: Commented out the ClosedFilePath for E:\Internet and added ClosedFilePaths for all of the subfolders in E:\Internet

Code:

ClosedFilePath=C:\Users\%USER%\AppData
#ClosedFilePath=E:\Internet
ClosedFilePath=E:\Internet\Files
ClosedFilePath=E:\Internet\Firefox
ClosedFilePath=E:\Internet\IE
ClosedfilePath=E:\Internet\Outlook

Result: Intermittent startup failures

Test 5: Returned to original ClosedFilePaths

Code:

ClosedFilePath=C:\Users\%USER%\AppData
ClosedFilePath=E:\Internet

Result: No startup failures

Summary: The only combination of ClosedFilePaths that eliminate intermittent startup problems are the ones in Test 5.

 

OK cool, will check it out, thanks.

 

Can you try with the following setting? Maybe the update function is preventing other functions from executing.

Sandboxie Plus > Global Settings > General Config > Run box operations asynchronously whenever possible (like content deletion)

 

Just out of curiosity, how does Forced Programs/Folders work? Does it write something in the registry? (Don't need the long, just the short)

 

The short: Files that are located inside folders that are set up as Forced folders, will run sandboxed automatically when they are executed.

Programs that are set as Forced programs will run sandoxed automatically when they run.

Bo

 

Thanks for the reply and explanation, but I was just curious how Sandboxie is able to perform this.