Installing an application within a sandbox

Discussion in 'sandboxing & virtualization' started by DIV, May 20, 2020.

  1. DIV

    DIV Registered Member

    Joined:
    Jun 4, 2018
    Posts:
    20
    Location:
    Oz
    I was interested in installing an application within a sandbox. I am running Windows 8.1 and the sandbox is Sandboxie.

    Unlike some other users I wasn't worried about malware with this, as I trust the source of the file, and it scans clean too.
    I was just thinking that I might need it as a once-off, and instead of cluttering up the system directories and registries with new entries, and having to uninstall it later, maybe it'd be less likely to leave a permanent 'imprint' on my system if I just installed it within a sandbox.

    I tried it out, attempting to run the application's installer from within Sandboxie, and I got two alerts. One was from either the installer itself or Sandboxie, but the other was from Windows asking if I wanted to proceed because the changes that the software wanted to make are 'system changes' that require Administrator privileges (which I have).
    So my question is this: if I install into a sandbox, why is Windows alerting me about system changes?
    Where would the sandboxed installer be writing to, and would there be any trace of it after I close/clear the sandbox?

    By the way, I didn't proceed, so I am also not sure if the installed software would have worked correctly once installed in the sandbox.
    Another thing I was wondering is that often when installing new software without a sandbox we need to reboot our system (especially in past times). Could that also be a requirement when installing in a sandbox?? If so, (how) could it be implemented??

    Thanks,
    DIV
     
  2. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    596
    Location:
    Austria
    Surely other members can give you better answers than me. So I will restrict to a short answer only to the following aspect:
    Because Windows does not know that you use it from within the sandbox. :D If a system change is necessary (e.g. in connection with the installation) it will happen (unless you have imposed some restrictions in your Sandboxie settings). The fine thing is that these changes will be gone again as soon as you close (and empty) your sandbox. :thumb:

    PS: Bo (or other experts) - please correct me if this explanation was too simple.
     
    Last edited: May 20, 2020
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Perhaps the alert from Windows is similar to this:

    Sin título.jpg

    In my case, the message just flashes real quick as I run as Administrator and disable UAC. But either way, once you run the installer sandboxed, the installation runs under the supervision of Sandboxie. So, dont be put off by the message, you can try the intallation.

    By the way, the programs I install sandboxed, I do for identical reasons as you described.
    To know if a piece of software will install sandboxed or work properly afterward, you have to go thru the installation.

    Keep in mind, not all software installs sandboxed. Sandboxie is restrictive software, it allows programs to do just barely enough so they work properly, so, we cant expect every piece of software to install sandboxed. The more complicated the software, the lesser the chances the software will install or work sandboxed.

    You can help programs to install sandboxed. How? Create dedicated sandboxes for programs you install in a sandbox. And run the installer in the sandbox with default settings. Dont use restrictions in sandboxes you dedicate for installing programs. If you do set restrictions in this sandboxes, the programs won't install sandboxed.

    Regarding reboots. If a program requires a reboot, there is nothing we can do about. So, this programs might work or might not.

    Bo
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Totally agree with your explanation, Peter. And, the simpler, the better.

    Bo
     
  5. DIV

    DIV Registered Member

    Joined:
    Jun 4, 2018
    Posts:
    20
    Location:
    Oz
    Thanks for your advice!

    Bo, the screenshot you captured looks pretty much like what I saw. I don't have UAC disabled, so in my case the screenshotted dialogue box pops up about half a second before the UAC warning covers the entire screen, which is why I had trouble seeing what it was.
    In particular that little "note" at the bottom of the dialogue box is quite informative, but written in small grey text at the bottom I had no chance to read it, because if I didn't accept the UAC pop-up, then the first dialogue box automatically closed too!
    Text transcribed here to help anyone searching:
    "Note: the program will continue to execute under the supervision of Sandboxie, even after Administrator privileges have been granted."

    I am still feeling surprised that the sandboxed installer would write to system folders. I thought they got written to some other location and then Sandboxie 'fools' the application running in the sandbox into thinking that those necessary installation files are in some protected folder (under Programs or Windows or User, perhaps), when in reality (according to my previous thought) they're not. Maybe I am getting muddled with what a VM does.
    Or maybe I should ask it like this: is the UAC warning that I see running inside or outside the sandbox? If it is running inside the sandbox then it makes a bit more sense to me.

    OK, so it sounds like for 'trustworthy' software it's just a matter of try it and see, and there shouldn't be any remnants left at the end.

    With regard to rebooting (and I didn't get that far, so don't know if it was required for this particular installer), my experience in the past suggests that it used to be very common, because of (in my simplistic understanding) a conflict between the installer that might want to update a file (maybe a DLL), and other software (maybe the OS itself) that is currently using that file. More recent software seems less likely to need rebooting to complete the installation, and may be able to advise the user what software is causing the conflict so that the user can close that application. Therefore I was guessing that for more recent software there'd be less need to reboot, especially as — matching Bo's advice — I had in mind to run a 'dedicated' sandbox for the installer (and then the application itself) (i.e. without running any other applications in that sandbox), so I imagine that could mean there're fewer possible opportunities for conflicts to arise.
    [Although now I am wondering what happens if an application running outside the sandbox has a lock on a file that the installer wants to change. It seems as though that shouldn't matter....]

    —DIV


    P.S. Feel free to point me to a good resource on how sandboxes work....
     
  6. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    596
    Location:
    Austria
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    You are right about the application being fooled, but it gets fooled into thinking that is writing to the system files that it is supposed to be writing to but in reality is writing to a copy of this files that Sandboxie makes and places inside the sandbox folder. Like here, Irfanview thinks it installs to Program files but in reality it installs inside a copy of the Programs files folder thats placed by SBIE inside the Sandbox folder. You can navigate to your Sandbox folder, and look inside, without fear. If you click on something by mistake that you shouldn't, it will run sandboxed. Here, the Sandbox is called JPEG.

    Sin títu.jpg

    Bo
     
  8. DIV

    DIV Registered Member

    Joined:
    Jun 4, 2018
    Posts:
    20
    Location:
    Oz
    Thanks, Bo and Peter.

    It's been a while since I last used Sandboxie (see the dates below!), but I did find the same behaviour as you described.

    Files were written to a 'sandbox' folder, such as C:\Sandbox\[username]\DefaultBox. In the view below the file names suggest some things that are standing in for registry entries (I'm guessing from the string "RegHive").
    Further in the directory structure (not visible in the screenshot) I can find duplicated Word documents that were automatically copied there by Sandboxie when I opened them in a sandboxed instance of Word (just for reading; I didn't save them from within Word).

    One easily readable file there is DONT-USE.TXT. As an example, that file does indeed open up in a sandboxed instance of my text viewer (Notepad), even when just naïvely double-clicked from the ordinary (unsandboxed) File Explorer.

    I also recall in the past using it to run my web browser, and when I would save files from there to the sandboxed location mimicking (say) the Downloads directory, I would then have to manually tell Sandboxie afterwards if I wanted to move* it out of the sandbox to the 'real' Downloads folder (say), in order to make that file accessible without a sandboxed viewer, and moreover so that it wouldn't be lost when the sandbox is deleted at some later date.

    * Sandboxie calls this "recovering" the file.

    —DIV
     

    Attached Files:

    Last edited: May 20, 2020
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.