Sandboxie Basics - the sandboxed file system

Sandboxie need not be complicated to understand. In fact, it really only requires a fundamental understanding of objects and containers, the technical names for files (objects) and folders/directories (containers).

The sandboxie application resides in c:\program files\sandboxie, just as any other application normally does when it is installed (not mention x64, just speaking generically). This is the program itself.

Sandboxie is a type of light virtualization. Its purpose is to keep what happens in the sandbox from affecting the real system. To do this, it creates a special directory -

Code:

c:\Sandbox

Within this special directory are sub-directories, one for each sandbox you have created. If for example you create a sandbox for browsing, called Browsers, then you would see this -

Code:

c:\Sandbox\Browsers

At first, this sub-directory may not hold much. But once you start an application in that sandbox, files and folders may be created. The key here is to understand "may be created".

When you start an application in a sandbox, the application is, by default, allowed to READ any file it needs to run. These may be dependency files, like a dynamic link library (dll) or a config file or even a registry key(s). If the application only reads these files, but does not attempt to MODIFY or WRITE anything, then there is nothing to protect.

However, if the app does attempt to MODIFY or WRITE, anything at all, a COPY is created of what WOULD HAVE CHANGED. This copy is created in the corresponding sandbox directory. For example, if you opened notepad.exe, and then tried to modify c:\boot.cfg, notepad is allowed to READ and OPEN the real c:\boot.cfg file. BUT, once it goes to MODIFY that file, a COPY is made.

Understanding the structure of the c:\Sandbox directory now becomes helpful. Suppose we have a sandbox named TEST which we used to modify boot.cfg in. We would expect to see -

Code:

c:\Sandbox\TEST

Once we attempt to MODIFY the boot.cfg file, Sandboxie sort of "recreates" the directory and file structure, within the sandbox, to mimic the real system location(s). It does this by chopping the file system into 2 parts - Drive and User. It would look like this -

Code:

c:\Sandbox\TEST\Drive
c:\Sandbox\TEST\User

Now there is some logic to follow within the sandbox. If the boot.cfg file was located in the c: drive, then the COPY that Sandboxie made (which was modified from the original) would be located like this -

Code:

c:\Sandbox\TEST\Drive\C\boot.cfg

If the boot.cfg file was on a different drive, maybe a different hdd, like the e: drive, it would appear like this -

Code:

c:\Sandbox\TEST\Drive\E\boot.cfg

If the boot.cfg was on the desktop, it would appear like this -

Code:

c:\Sandbox\TEST\User\Current\Desktop\boot.cfg

One can then go "searching" for thier files, within the c:\Sandbox directory, if they know where the original file was to begin with. If a directory/file was never MODIFIED within the sandbox, then it won't appear there.

So one can see that Sandboxie allows sandboxed apps to access the real system, but when things happen that could potentially modify the real system, they are instead contained within the c:\Sandbox directory.

It is common to "lose" things when using Sandboxie. They aren't really lost so much as they are not in a place that Sandboxie monitors.

For simplicity, Sandboxie assumes most people will save things to their "User Profile" area. This would be the desktop or the tradtional "My Documents" area. Vista and win7 now use a bit different structure, but the idea is the same.

What Sandboxie does is to monitor these areas. If it finds a file was CREATED or MODIFIED, in the sandbox, in any of these areas, it offers a convenient way to RECOVER these files. When you recover a file, a hole is poked in the sandbox, which allows these CREATED or MODIFIED files to be written/changed to the REAL LIVE LOCATIONS. One can imagine that if they downloaded or modified a document, they probably want to keep the changes, FOR REAL, so Sandboxie attempts to help you recover them from the segregated sandbox to the live system.

Behind the scenes, nothing has changed. Any files or folders that are CREATED or MODIFIED by a sandboxed app get written to c:\Sandbox somewhere. A nifty helper tool like recovery makes it easier for the user is all.

While recovering files and folders from monitored areas like the User Profile is easy, many times people "lose" things that are not in those areas. Again, nothing has changed, Sandboxie dutifully CREATES or make a COPY of things in the appropriate c:\Sandbox directory. But, if the item(s) are not in the User Profile area, Sandboxie offers no easy help.

Here you have some options. If you know where the file/folder is that you want to keep (that is, put on the real system) you can open windows explorer, navigate to the correct c:\Sandbox sub-directory, and copy/cut and then paste it to where you really want it to be. Another option is to go into the Sandbox Settings and add a monitored directory.

As an example, suppose that you create the directory

Code:

c:\my_videos

and you house all the home movies from your family there that you download from the internet. You don't suspect these videos are malicious, because your brother/sister uploads them for you to see, not some internet cracker.

But, you are using Sandboxie, and you always run your browser in a sandbox. When you download these videos, Sandboxie dutifully keeps CREATED or MODIFIED items out of the real system and in the sandbox. But, since this is a custom directory, Sandboxie does not monitor it. You could use windows explorer and navigate to

Code:

c:\sandbox\browser\drive\c\my_videos

and copy/paste them to the real c:\my_videos location.

Or, you could add c:\my_videos to the "Quick Recovery" area of the sandbox settings. Now whenever a CREATED or MODIFIED file is found in the sandbox, in that directory, Sandboxie will prompt you to recover it, making it more convenient.

Many people worry about thier bookmarks and things when they are using thier browser sandboxed. They don't want "unwanted" things to come into thier real system from thier browser, but they do want to make bookmarks/favorites that will stay. In the sandbox settings area there are some "application settings" that will allow this to happen. It is called giving "direct access". In effect, you are "opening a hole" in the security of Sandboxie that allows "direct access" to the bookmarks file. When the sandboxed browser creates a bookmark, it is NOT created in the c:\Sandbox directory, but rather DIRECTLY to the real live location. There is nothing to recover because it never happened in the c:\Sandbox directory in the first place.

Direct Access is an advanced setting of Sandboxie. You can create direct access to just about anywhere or anything. However, it does negate any protection that Sandboxie provides.

As well, you can Restrict Access. I mentioned early on that when a sandboxed app starts, Sandboxie allows it to READ or ACCESS about anything, but anything MODIFIED will stay in the sandbox. You can restrict a sandbox from accessing things as well. In our example of a sandboxed notepad.exe accessing c:\boot.cfg, one could restrict that file from being accessed at all. Now the sandboxed notepad.exe cannot open that file at all.

By now your eyes are crossing from this wall of text. Don't worry though, if you did not understand where your files went, or you want to make Sandboxie easier to use, these basic outlines hold much power. If you can understand these principles, you are well on your way to using Sandboxie to its fullest potential.

Sul.

 

Well written Sul. Cheers..

 

Hi Sully , top to bottom, very nice.

Bo

 

What a great explanation - that's going to help a lot of people!

 

Great job sully It is very helpful for my understanding...

 

How timely! After much research and trepidation, I am finally installing SBIE for the first time on my pc's today. Your explanations will surely help guide me in the process. Appreciating your efforts, Sully!

 

Wonderfully organized and written and as always accurate and understandable even to those of us who simply use our computers without having much technical background. Thank you Sully.

Gary

 

Just re-installed Sandboxie. It's not offering quick Recovery on download completion. I have to go into SB & manually release the file.

1. Remind what to tick plz to initiate quick Recovery.
   
2. Where do I put my old ini file & will that automatically restore all my old settings.

How quick one forgets.

 

1) Sandbox settings>Recovery>Quick recovery>add folders where you want quick recovery.

2) You can replace the ini file located in Windows.

Bo

 

Well done, Sul!

 

Very well written, Sully

This should be sticky or recommended thread for all new users seeking help with Sandboxie.

 

Excellent 'how to' for sandboxIE, thank you, helped clear up a few things I didn't fully understand.

 

Would there be interest in other "Sandboxie Basics" threads? There are still a number of other topics that seem to be misunderstood and might benefit from a "laymans" description.

Sul.

 

Yes definitely! I would certainly read it and see if I learn something new.

 

Not sure it would qualify as "Sandboxie Basics" but maybe a laymans thread that covers additional hardening and security settings for Sandboxie.

 

I created this thread in hopes of there being one place to answer this common question.

It seems quite a few found it helpful. Hardening and other more advanced topics could be done, but are much more specific in nature.

Its a good idea and one I have contemplated before. I will think about how I could write such an article in a general sense, if that is possible.

Sul.

 

Sully thank you! Your contributions are always excellent reading. And yes, if you wish to continue on this path, there are so many users of Sandboxie, beginners and not that will make it definitely worthwhile.

 

After briefly playing with SBE in the past I'm on verge of changing my whole security approach.
This post along with https://www.wilderssecurity.com/showthread.php?t=333443 have played no small part.
Just wanted to say thanks for a couple of great postings... MORE !!!
Also think this should be sticky, most of the reasons why someone may visit a SBE sub-forum are within these two posts IMO an ideal first point of call
Thanks again

 

Nice post Sully, you've explained things so well You've also played no small part in rekindling my interest in Sandboxie, so I've re-installed it and will use it primarily for testing purposes.

 

great explanation .... can go to the help file Sandboxie.

graces Sully

 

As always a superbly written piece there Sully,most useful for those new to sandboxing.

 

Thanks for the great post Sully! I'm thinking of giving SBIE another try.

 

Hopefully you will inform us here on Wilder Security about your test results with tightly configured Sandboxie?

 

To set Firefox bookmarks to be saved while running sandboxed, you need to allow direct access to bookmarks: Sandbox settings>Applications>Web browser>Firefox, and tick "Allow Direct access to Firefox bookmarks and history database".

Bo

 

Excellent thread. Don't know how I missed it earlier.

Best regards my dear friend Sully,

Mohamed