Sandboxie need not be complicated to understand. In fact, it really only requires a fundamental understanding of objects and containers, the technical names for files (objects) and folders/directories (containers). The sandboxie application resides in c:\program files\sandboxie, just as any other application normally does when it is installed (not mention x64, just speaking generically). This is the program itself. Sandboxie is a type of light virtualization. Its purpose is to keep what happens in the sandbox from affecting the real system. To do this, it creates a special directory - Code: c:\Sandbox Within this special directory are sub-directories, one for each sandbox you have created. If for example you create a sandbox for browsing, called Browsers, then you would see this - Code: c:\Sandbox\Browsers At first, this sub-directory may not hold much. But once you start an application in that sandbox, files and folders may be created. The key here is to understand "may be created". When you start an application in a sandbox, the application is, by default, allowed to READ any file it needs to run. These may be dependency files, like a dynamic link library (dll) or a config file or even a registry key(s). If the application only reads these files, but does not attempt to MODIFY or WRITE anything, then there is nothing to protect. However, if the app does attempt to MODIFY or WRITE, anything at all, a COPY is created of what WOULD HAVE CHANGED. This copy is created in the corresponding sandbox directory. For example, if you opened notepad.exe, and then tried to modify c:\boot.cfg, notepad is allowed to READ and OPEN the real c:\boot.cfg file. BUT, once it goes to MODIFY that file, a COPY is made. Understanding the structure of the c:\Sandbox directory now becomes helpful. Suppose we have a sandbox named TEST which we used to modify boot.cfg in. We would expect to see - Code: c:\Sandbox\TEST Once we attempt to MODIFY the boot.cfg file, Sandboxie sort of "recreates" the directory and file structure, within the sandbox, to mimic the real system location(s). It does this by chopping the file system into 2 parts - Drive and User. It would look like this - Code: c:\Sandbox\TEST\Drive c:\Sandbox\TEST\User Now there is some logic to follow within the sandbox. If the boot.cfg file was located in the c: drive, then the COPY that Sandboxie made (which was modified from the original) would be located like this - Code: c:\Sandbox\TEST\Drive\C\boot.cfg If the boot.cfg file was on a different drive, maybe a different hdd, like the e: drive, it would appear like this - Code: c:\Sandbox\TEST\Drive\E\boot.cfg If the boot.cfg was on the desktop, it would appear like this - Code: c:\Sandbox\TEST\User\Current\Desktop\boot.cfg One can then go "searching" for thier files, within the c:\Sandbox directory, if they know where the original file was to begin with. If a directory/file was never MODIFIED within the sandbox, then it won't appear there. So one can see that Sandboxie allows sandboxed apps to access the real system, but when things happen that could potentially modify the real system, they are instead contained within the c:\Sandbox directory. It is common to "lose" things when using Sandboxie. They aren't really lost so much as they are not in a place that Sandboxie monitors. For simplicity, Sandboxie assumes most people will save things to their "User Profile" area. This would be the desktop or the tradtional "My Documents" area. Vista and win7 now use a bit different structure, but the idea is the same. What Sandboxie does is to monitor these areas. If it finds a file was CREATED or MODIFIED, in the sandbox, in any of these areas, it offers a convenient way to RECOVER these files. When you recover a file, a hole is poked in the sandbox, which allows these CREATED or MODIFIED files to be written/changed to the REAL LIVE LOCATIONS. One can imagine that if they downloaded or modified a document, they probably want to keep the changes, FOR REAL, so Sandboxie attempts to help you recover them from the segregated sandbox to the live system. Behind the scenes, nothing has changed. Any files or folders that are CREATED or MODIFIED by a sandboxed app get written to c:\Sandbox somewhere. A nifty helper tool like recovery makes it easier for the user is all. While recovering files and folders from monitored areas like the User Profile is easy, many times people "lose" things that are not in those areas. Again, nothing has changed, Sandboxie dutifully CREATES or make a COPY of things in the appropriate c:\Sandbox directory. But, if the item(s) are not in the User Profile area, Sandboxie offers no easy help. Here you have some options. If you know where the file/folder is that you want to keep (that is, put on the real system) you can open windows explorer, navigate to the correct c:\Sandbox sub-directory, and copy/cut and then paste it to where you really want it to be. Another option is to go into the Sandbox Settings and add a monitored directory. As an example, suppose that you create the directory Code: c:\my_videos and you house all the home movies from your family there that you download from the internet. You don't suspect these videos are malicious, because your brother/sister uploads them for you to see, not some internet cracker. But, you are using Sandboxie, and you always run your browser in a sandbox. When you download these videos, Sandboxie dutifully keeps CREATED or MODIFIED items out of the real system and in the sandbox. But, since this is a custom directory, Sandboxie does not monitor it. You could use windows explorer and navigate to Code: c:\sandbox\browser\drive\c\my_videos and copy/paste them to the real c:\my_videos location. Or, you could add c:\my_videos to the "Quick Recovery" area of the sandbox settings. Now whenever a CREATED or MODIFIED file is found in the sandbox, in that directory, Sandboxie will prompt you to recover it, making it more convenient. Many people worry about thier bookmarks and things when they are using thier browser sandboxed. They don't want "unwanted" things to come into thier real system from thier browser, but they do want to make bookmarks/favorites that will stay. In the sandbox settings area there are some "application settings" that will allow this to happen. It is called giving "direct access". In effect, you are "opening a hole" in the security of Sandboxie that allows "direct access" to the bookmarks file. When the sandboxed browser creates a bookmark, it is NOT created in the c:\Sandbox directory, but rather DIRECTLY to the real live location. There is nothing to recover because it never happened in the c:\Sandbox directory in the first place. Direct Access is an advanced setting of Sandboxie. You can create direct access to just about anywhere or anything. However, it does negate any protection that Sandboxie provides. As well, you can Restrict Access. I mentioned early on that when a sandboxed app starts, Sandboxie allows it to READ or ACCESS about anything, but anything MODIFIED will stay in the sandbox. You can restrict a sandbox from accessing things as well. In our example of a sandboxed notepad.exe accessing c:\boot.cfg, one could restrict that file from being accessed at all. Now the sandboxed notepad.exe cannot open that file at all. By now your eyes are crossing from this wall of text. Don't worry though, if you did not understand where your files went, or you want to make Sandboxie easier to use, these basic outlines hold much power. If you can understand these principles, you are well on your way to using Sandboxie to its fullest potential. Sul.