Not getting UAC elevation prompt in standard isolation box in recent versions

Not sure since which version but up to the latest 1.10.1, can't get UAC prompt in standard isolation, e.g. from DefaultBox tray menu: Run -> Standard Applications -> Command Prompt (as Admin). The window opens without UAC prompt and not getting admin right. Running Sandboxie-Plus x64 in portable mode with empty ini on Windows 10 22H2. AV is windows defender. Might not be a sandboxie issue, confirmation or unable to reproduce by others would be appreciated

 

If the DropAdminRights and/or FakeAdminRights settings are enabled, the UAC prompt will not be displayed.

 

Thanks Busy but neither DropAdminRight nor FakeAdminRight is enabled. With DropAdminRight on, running "Command Prompt (as Admin)" leads to "Cannot manage device map" and the cmd window has no admin right as expected

 

Does it give the same error when you try Run > Run Program (check Run as UAC) > cmd?

 

@busy I guess you can't reproduce?

 

Are you running Sandboxie Manager as administrator?

 

Yes I am running with my account as admin with UAC prompt enabled in Windows

 

You're probably getting this error because you're running the Sandboxie Manager (SandMan.exe) as administrator.

(with DropAdminRight=n) That's why the UAC prompt doesn't appear because SandMan is already running as administrator.
(with DropAdminRight=y) That's why it gives "Cannot manage device map" error. ( bug? @DavidXanatos )

1. Do not run SandMan.exe as administrator.
2. Also set the config files to be readable/modifiable by PC\Users account. (or recreate them under PC\Users account)

• Sandboxie.ini
• Sandboxie-Plus.ini

 

Thanks and tried it. Indeed UAC now pop up but cmd started from the run dialog with "Run as UAC" enabled still would not give an admin command prompt

 

Does the cmd window title say Administrator?

 

Yes but "net session >nul 2>&1 && echo Success || echo Failure" returns Failure

 

Please see the following link for further information:

Code:

https://github.com/sandboxie-plus/Sandboxie/issues/2452#issuecomment-1328275894

 

Thanks! It's interesting that it is necessary to give up all the security isolations to have real admin right in cmd. It wasn't like that before but I guess behind the scene must have been the same, i.e. security isolations were dropped when running admin cmd under yellow box in previous versions

 

no no nono admin was always fully isolated in yellow box,
not sure why it does not work for you with a yelow box run cmd as admin should give you a admin looking fully isolated command prompt

 

Good to know that it should work, but then why #2452 on github is marked not a bug? It seems to be the same issue I have...

 

The user in #2452 wanted to use a command which would communicate with a component outside the sandbox,
even when a program is run as admin in a sandbox, when seen by a unsandboxed component it will look like a heavenly restricted process with no administrative privileges.

This can only work in a green box.

But many other administrative operations like running installers, reading files and folders not accessible to regular users, etc... can be done within the sandbox by a program started in the sandbox as admin.
It will within the sandbox look like admin and can do all admins can do within a box, it will for the box look like it has an elevated token, etc...

You have not specified in which way you are "not getting admin right", hence my reply.
For the typical things one may want to do reasonably in a sandbox with admin rights like installing software, that should work fine, and if you want to do something that alters the actual system you should not do it in a sandbox to begin with.

 

By without admin right, I meant "net session >nul 2>&1 && echo Success || echo Failure" returns Failure. I do get success with a green box. Can you confirm you get success with a yellow box?

I agree what to do with the admin right should be the focus. I tried to use Python's winreg to create and save isolated registry keys but got "[WinError 5] Access is Denied". Initially I thought it was due to the cmd prompt in a yellow box not getting admin right, but now I know denied access occurs even for a cmd prompt in a green box with admin right. Maybe sandboxie blocks admin right to python.exe even if started from cmd prompt with admin right?

 

No with net commands which talk to host components i also get a failure in a yellow box, that's intentional

 

Understood, thanks

Would it be possible to use python's winreg package to modify/create keys in isolated registry hives?

 

i have never tried if you provide a running example and info hoiw it whould behave and what it does in sandbox i could take a look on it.