Hardened Sandbox with Data Protection - App can't run the default browser to open an URL

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by Mr.X, Nov 6, 2022.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    When I click on the link I expect Firefox ESR to be launched by Portable Thunderbird.

    Then I get this msgbox
    t.png

    If I change Thunderbird's box to an orange one, no issues.

    Firefox ESR is portable as well, set as default browser.
    Thunderbird is portable too.
    Both programs are in a non-system partition.

    Fwiw, now that I'm exploring red boxes, I've been solving various issues by opening access to some reg keys using NormalKeyPath=.
     
  2. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    425
    Try these:
    Code:
    NormalKeyPath=*\UrlAssociations\*
    NormalKeyPath=*_classes\*
    For File Extensions:
    Code:
    NormalKeyPath=*\FileAssociations\*
     
  3. Mr.X

    Mr.X Registered Member

    @busy thanks a lot.

    I swear I searched on many interwebs using different approaches. I spent like an hour looking for those reg keys to no avail :mad: :)

    Guess I need to improve my skills a bit

    [Q] How do you get what reg keys are needed?
    TIA
     
    Last edited: Nov 7, 2022
  4. Mr.X

    Mr.X Registered Member

    Setting Telegram's Red Box, same issue.
    Found a missing line that needs to be added:
    Code:
    NormalKeyPath=*\ApplicationAssociationToasts\*
    
    Dunno but I think 3 hrs of work to narrow and pinpoint this line is quite a bit excessive.
    Do you know a better way to do it faster? Do you actually do it faster?
     
  5. busy

    busy Registered Member

    Mostly trial and error. Also you can use 3rd party tools like Process Monitor.
     
  6. busy

    busy Registered Member

    For example, if this registry key is working, you just keep searching in it.
    Code:
    NormalKeyPath=*\Software\Microsoft\Windows\*
    or

    HKEY_USERS
    Code:
    NormalKeyPath=*\user\*\Software\Microsoft\Windows\*
    HKEY_LOCAL_MACHINE
    Code:
    NormalKeyPath=*\machine\*\Software\Microsoft\Windows\*
     
  7. Mr.X

    Mr.X Registered Member

    @DavidXanatos

    Did you tighten the Red Boxes a bit further?
    Chrome (not portable) can't open/run properly or at all on sbie plus 1.5.3
     
    Last edited: Nov 8, 2022
  8. busy

    busy Registered Member

    Tried with new empty box and it runs OK. (v107)
     
  9. Mr.X

    Mr.X Registered Member

    Yes, on a new empty box set to autodelete, Chrome actually runs but the profile is broken.
    I think it's got to do with some new restrictions @DavidXanatos added to sbie plus 1.5.3


    Chrome's installed using default directories.
    I set 7 different profiles.
    Each profile is run independently using a dedicated shortcut and a dedicated sandbox for each one
    Code:
    "C:\Program Files\Sandboxie-Plus\Start.exe" /box:Chrome_MrX "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Profile 1"
    
    and so on.
     
    Last edited: Nov 8, 2022
  10. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,338
    Location:
    Viena
    Aarg..... no, not restrictions; I changed how empty profile folders are created in blue boxes.
    The old, apparently better way was not Windows 7 compatible....
    So I'll have to look into a new, better way that works with 7 and still creates all the needed folders.
    I could go with a cheap hard-coded list lol....
     
  11. Mr.X

    Mr.X Registered Member

    It's too much for me trying to fix Chrome and other broken apps. I went back to sb+ 1.5.2
    Thanks @busy and @DavidXanatos
     
  12. busy

    busy Registered Member

    I did some testing. With the new, true path check and create base folders, changes:

    TLDR: OpenFilePath rule does not work if the true path or its parent does not exist. [and programs will not work as expected]
    TLDR2: See list #5

    For Chrome:
    Code:
    "C:\Program Files\Sandboxie-Plus\Start.exe" /box:TestBox "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Profile 1"
    1. If the true path, Profile 1 or its parent, doesn't exist, Chrome.exe lingers.
      Code:
      [TestBox]
      UsePrivacyMode=y
      OpenFilePath=*\Profile 1\*
      
    2. If the true path, User Data or its parent, doesn't exist, Chrome.exe crashes.
      Code:
      [TestBox]
      UsePrivacyMode=y
      OpenFilePath=*\User Data\*
      
    3. If the true path, Chrome or its parent, doesn't exist, Chrome.exe crashes.
      Code:
      [TestBox]
      UsePrivacyMode=y
      OpenFilePath=*\Chrome\*
      
    4. If the true path, Google or its parent, exists, Chrome.exe starts and writes outside of the box as expected. [because parent, %LocalAppData%, folder exists?]
      Code:
      [TestBox]
      UsePrivacyMode=y
      OpenFilePath=*\Google\*
      
    5. If the true path, Google or its parent, exists, Chrome.exe starts but writes only into the sandbox. [but OpenFilePath is not working, bug?] {probably a different case from this issue}
      Both use the same path pattern.
      Code:
      [TestBox]
      UsePrivacyMode=y
      OpenFilePath=*\Google\*
      NormalFilePath=*\Google\*
      
    6. If the true path, Google or its parent, exists, Chrome.exe starts. [OpenFilePath is working]
      Both use different path patterns.
      Code:
      [TestBox]
      UsePrivacyMode=y
      OpenFilePath=*\Google\*
      NormalFilePath=*\Local\*
      
     
    Last edited: Nov 9, 2022
  13. Mr.X

    Mr.X Registered Member

    Thanks @busy for taking the time to investigate.
    That must be it. Sbie+ 1.5.2 works fine on my tweaked scenario.
    FWIW I have and always have had Desktop, Documents and Downloads redirected to an adjacent partition: D:\
     
  14. busy

    busy Registered Member

    So with v1.5.3, there are two workarounds — either creating missing true folders by hand or defining broader rules, which defeats the purpose of data protection.

    Code:
    mkdir "%LocalAppData%\Google\Chrome\User Data\"
    or

    Code:
    [TestBox]
    UsePrivacyMode=y
    OpenFilePath=*\Google\*
    NormalFilePath=*\Local\*
    
     
  15. Mr.X

    Mr.X Registered Member

    I don't understand how to implement this. On my setup Chrome's already installed and has real paths and files on the real filesystem.
    Didn't work.

    What happened to v1.5.3?
    On v1.5.2 all seems to work as it should be on Red Boxes.
     
  16. DavidXanatos

    DavidXanatos Developer

    How is it a problem that OpenFilePath does not work if the parent path does not exist? If it does not exist the access would fail anyways.

    Also, my fixes were only to directory listings; that's a use case for explorer.exe and cmd.exe -> dir. Edge and anything just accesses their paths without checking folder listings.

    I don't think that fix "fixed fake paths being listed even if true paths do not exist #2403"

    I think what broke things is "fixed UsePrivacyMode=y compatibility with Windows 7 #2423", as now we create far fewer default paths than before.
     
  17. busy

    busy Registered Member

    @DavidXanatos Understood.

    @Mr.X Ignore my writings. Can you share an example config? Also, it would be better if you could show it by recording a video.
     
  18. Mr.X

    Mr.X Registered Member

    I'm running more tests and I think I'm getting this to work.

    Why OpenFilePath=*\Google\* and not NormalFilePath=*\Google\* ?
     
  19. Mr.X

    Mr.X Registered Member

    What exactly do you want to see, Sbie's config or Chrome's?

    Sometimes when I click on any profile Chrome opens on the first attempt, mostly it doesn't though.
    Sometimes, mostly, chrome.exe opens and hangs in the sandbox showing no GUI. I have to kill the process via sandman.
     
  20. Mr.X

    Mr.X Registered Member

    With Sandboxie-Plus 1.9.0 + this Sbie.dll-1.9.1 my main issues are resolved, so it seems.
    Some other minor issues remain though, such as dark theme for some apps can't be detected without this line:
    Code:
    NormalKeyPath=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\*
    
    Another issue is that, in order for some apps to read folder redirections other than the default path, for example D:\Desktop, these couple of lines must be added in my ini file:
    Code:
    NormalKeyPath=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*
    NormalKeyPath=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*
    

    So one question for @DavidXanatos : could you add support to Sandboxie for more compatibility on red boxes?
     
    Last edited: Apr 21, 2023
  21. DavidXanatos

    DavidXanatos Developer

  22. Mr.X

    Mr.X Registered Member

  23. DavidXanatos

    DavidXanatos Developer

    I'll add those 3 lines to the [TemplateSModPaths] of the next build
     
  24. Mr.X

    Mr.X Registered Member

    Almost got all my boxes in red color :D:cool:
    Waiting for the three lines to be added into [TemplateSModPaths] and ApproveWinNtSysCall=CreateTimer to make them all red. :)
    rb.png
     
  25. Mr.X

    Mr.X Registered Member

    @DavidXanatos

    My portable apps run in red boxes; in order to launch the default browser I need to add these lines:
    Code:
    NormalKeyPath=*\UrlAssociations\*
    NormalKeyPath=*_classes\*
    NormalKeyPath=*\ApplicationAssociationToasts\*
    
    and

    For file extensions:
    Code:
    NormalKeyPath=*\FileAssociations\*
    
    Could you add those lines to the [TemplateSModPaths] too in the next build please?
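
Added example (not part of the thread and not Sandboxie project code): busy's remark in post 14 that broader rules defeat the purpose of data protection can be checked mechanically. The Python script below parses Sandboxie.ini-style text and ranks the Normal*Path/Open*Path rules of UsePrivacyMode=y boxes from broadest to narrowest; the scoring (leading wildcard, count of wildcard-free path components) is a heuristic assumed here, and the sample config is constructed from rules quoted in this thread.

```python
# Added example: heuristic breadth audit of access rules in data-protection boxes.
import re

RULES = {"NormalKeyPath", "NormalFilePath", "OpenKeyPath", "OpenFilePath"}

# Constructed sample config, assembled from rules quoted in this thread.
SAMPLE_INI = r"""
[TestBox]
UsePrivacyMode=y
OpenFilePath=*\Google\*
NormalFilePath=*\Local\*
NormalKeyPath=*_classes\*
NormalKeyPath=*\UrlAssociations\*
NormalKeyPath=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\*

[DefaultBox]
OpenFilePath=*\Google\*
"""

def parse_boxes(text):
    """Return {section: [(setting, value), ...]}; repeated settings are kept."""
    boxes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = boxes.setdefault(m.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return boxes

def audit(text):
    """List (box, setting, pattern, anchored, literal_parts), broadest first."""
    findings = []
    for box, items in parse_boxes(text).items():
        if ("UsePrivacyMode", "y") not in items:
            continue  # only data-protection (red) boxes are audited
        for key, value in items:
            if key not in RULES:
                continue
            # Simplification: anything before the first comma is a "program.exe," prefix.
            pattern = value.split(",", 1)[-1]
            parts = [p for p in pattern.split("\\") if p]
            literal = sum("*" not in p for p in parts)  # wildcard-free components
            findings.append((box, key, pattern, not pattern.startswith("*"), literal))
    return sorted(findings, key=lambda f: (f[3], f[4]))

if __name__ == "__main__":
    for box, key, pattern, anchored, literal in audit(SAMPLE_INI):
        print(f"{box}: {key}={pattern}  anchored={anchored} literal_parts={literal}")
```

Rules listed first are unanchored with few literal components and are the ones to review or narrow first; fully qualified rules such as the Themes\Personalize one sort last.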
     