Intel 11 Gen and AMD 5900X compatibility Issue

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Jun 10, 2021.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    It seems that some new mitigation policies Windows 10 uses on platforms with Intel 11 Gen CPUs or AMD 5900X CPUs cause issues with Sandboxie, particularly when trying to run Chromium 90+ and many derivatives.

    See: https://www.wilderssecurity.com/threads/sandboxie-plus-0-7.436454/page-15 and ongoing

    Since I unfortunately don't have such a machine on hand right now, I wanted to ask if there is someone here with the right hardware who could set up an empty Windows for me that I could get remote control of, install Visual Studio and debug the issue on the affected hardware.

    I would assume that the new stack protection features are also available inside a Virtual Machine so an empty Windows 10 VM on the right hardware would probably also work.


    Cheers
    David X.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Thanks for your stupendous job. You're amazing. One man show. Efficiency. Quality.

    This is real love for Sandboxie.
     
  3. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    He doesn't say specifically which CPU he is using, but I suspect this dude has affected hardware given his description of what does and doesn't work for him, and the error details he is getting: https://github.com/sandboxie-plus/Sandboxie/issues/225#issuecomment-859914312

    I'd ask him myself but I can't remember the details of the github account I made many moons ago lol. (May need to make another...)

    It's a very old and actually unrelated thread that he's used to post in, but his comment is only 7 days old, and perfectly describes behaviour I see on my 11th gen with Sandboxie and all Chrome browsers except for Edge.
     
    Last edited: Jun 19, 2021
  4. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
  5. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    58
    Location:
    Anywhere
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    hmm... i really need to get my hands on one of those machines, any volunteers ?
     
  7. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    Update on this issue: I had the opportunity to order some new hardware for my lab and of course picked a 5600X Ryzen, so with that I should be able to reproduce the issue when it comes and no other problems manifest.
     
  8. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    58
    Location:
    Anywhere
    That's great to hear!
     
  9. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    That's great David, thanks. Hopefully the fix (once you've figured it out) will also translate over to Intel 11th gen CPUs too. I have some professional development stuff on my only 11th gen machine, and work will not allow me to do any remote access stuff with it. :/ Edge and Firefox remain unaffected and working beautifully.
     
  10. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    So I can confirm that the Control-flow Enforcement Technology (CET) Shadow Stack is the culprit; also, when you disable it in Defender for chrome.exe, Chrome works just fine on the 5600X CPU.
    That said, there does not seem to be a UI option to disable this system wide.

    Now fixing the issue may be a bit complicated, as this mitigation policy is set in the PE header of the executable, so
    it's in place before we can hook anything. I'm looking into a few possible options now....
     
  11. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    58
    Location:
    Anywhere
    Many thanks for the quick update
    Would you explain how to disable for individual exe in defender exactly?
     
  12. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    chrome.reg
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
    "MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,\
      00,00,00,00,00,00
    "MitigationAuditOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00
    "EAFModules"=""
    
    
    For other apps replace chrome.exe with the name of the other exe.
     
  13. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    58
    Location:
    Anywhere
    Many thanks!

    PS: tried with Brave and indeed x64 can now start sandboxed. However it becomes very unresponsive due to high CPU loads with both brave.exe and ntoskrnl.exe
     
    Last edited: Aug 4, 2021
  14. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    the high cpu load is probably an unrelated issue
     
  15. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    58
    Location:
    Anywhere
    I see, although the last x64 version without shadow stack runs normally. Will give chrome a try tomorrow
     
  16. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    339
    Location:
    Vienna, Austria
    Excellent! Great news, @DavidXanatos!

    With your reg-hack current Chrome-browser is back in play and running sandboxed on my "11th-gen-Intel"-machine again.

    Having that said after changing "chrome.exe" against "opera.exe" in the above code I was looking forward to get current Opera-browsers running sandboxed as well. But - tough luck! The sandbox-tray-icon gets filled, no error-message any longer, but unfortunately the browser will not launch.:mad:

    So your reg-hack does the trick for Chrome - but not for Opera. Is there anything else necessary beyond changing "chrome.exe" against "opera.exe"? Do I perhaps need to enter some qualified path to the true location of "opera.exe" into that reg-entry above (as I have more than one instance of "opera.exe" installed)?

    Or do I have to import corresponding reg-entries for "launcher.exe" first as well as "opera.exe" is actually called by "launcher.exe"?

    Any ideas or suggestions to get current Opera running sandboxed again would be greatly appreciated.
     
  17. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    Oh great work David!! Argh I haven't got my 11th gen machine here to test! But is it a ryzen 5600x or 5900x you've got there @DavidXanatos ? My understanding was this CET/Stack overflow issue (from the articles I sent you) relates only to ryzen 5900 and newer, and 11th gen CPUs with Chromium v 90 and above.

    @algol1 do you use Vivaldi? That's the other one that will need testing. Vivaldi and Opera tend to behave very similarly when it comes to working or not with Sandboxie (from versions back to invincea days).
     
    Last edited: Aug 4, 2021
  18. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    @algol try also adding the launcher

    @catspyjamas CET/Stack Protection is a feature in all 5xxx Ryzens, not just the top end 5900X, and yeah, I got the small 5600X for testing, but as said it's all the same micro architecture with the same features, just different core count and clock speeds. AMD is not Intel to castrate features out of the cheaper models.

    I'm waiting for the Zen 3 Threadrippers before I do a proper upgrade of my workstation; the current test CPU is just for a small test machine in my lab.
     
  19. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    Ah OK. To be honest I don't know anything about Ryzen. My last AMD machine was back in the early days of Vista!
     
  20. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    58
    Location:
    Anywhere
    You were right, Brave loads fine with a new profile, thanks again. Also this is on an 11th gen, not Ryzen 5xxx.
     
  21. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    @DavidXanatos (or another brainbox!) - this reg hack - after implementing it, does it also alter something for chrome/chromium browsers when they are NOT loaded in Sandboxie? If it does, does it lower anything from a security perspective when not running with Sandboxie? I ask because there is the odd time when I do use my browsers without Sandboxie.
     
  22. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    339
    Location:
    Vienna, Austria
    Unfortunately I don't use Vivaldi and never have. So it wouldn't make much sense if I started testing it now as I lack the experience and comparison to what it should look like in contrast to its pre-fault appearance.

    As for your question about this "reg-hack" altering security for Chrome-browsers run outside a sandbox: I'm no expert here - but logic would imply that of course it does. By simply turning off/disabling "CET/Stack Protection" for that program on a general OS-level. But then again it can only eliminate any gain in security introduced by "CET/Stack Protection" on those most recent-level machines. In other words one would assume that it can't get worse than returning to the commonly prevalent status-quo.
     
  23. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    339
    Location:
    Vienna, Austria
    What a Heureka-moment! After months of current Opera-browser refusing to launch and ever increasing, more and more annoying error messages (of type "SBIE2101 Object name not found") even with Opera v75 (still running on Chromium v.89) I can now report that the most recent release of Opera is now up and running sandboxed as well! And all those intermittent "SBIE2101 Object name not found"-error messages seem to be gone for good as well.

    The (preliminary) solution has been - as @DavidXanatos has already suggested - to prepare 2 new variants of his "reg-hack" above, one for "opera.exe" (which by itself turned out to be insufficient for Opera) and another one for "launcher.exe", and to import both of them into the registry.

    Voila! Good to go - for now, until a real fix for "CET/Stack Protection" can be achieved. Looking forward to that!
     
  24. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    yes you don't get stack protection from chrome also not unsandboxed


    A proper fix will be included in the next release, as it seems it was only necessary to rework the sys-call hooking mechanism a bit. For whatever reasons the old devs decided to abuse a return instruction to do a jump instead of just doing a jump, no idea why. But that code results in exactly what the CET mitigation is trying to avoid, i.e. no returns to addresses that haven't been put on the stack by a call.
     
  25. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    Thanks @DavidXanatos , that's helpful to know. Will the next release that includes the Ryzen 5x/11th gen fix, also force Chrome/Chromium browsers v 90+ to run without stack protection when not run with Sandboxie? Or just the above reg hack that's a workaround for now? If it's at all possible, it would be good to keep stack protection for Chromium browsers when not running with Sandboxie.

    Many thanks for the time and effort you're putting into Sandboxie - both in terms of product development and fixing issues as they pop up. :)
     