This build is a maintenance release, fixing various issues

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added "FuncSkipHook=FunctionName" option to selectively disable certain function hooks

Changed

• improved the support certificate entry box
• changing the language no longer requires a restart on Plus UI
• fixed issue with high CPU load when using SbieCtrl to change settings

Fixed

• fixed issue with Firefox/Chromium browsers that have been compiled with the MinGW toolchain #538
• fixed issues with folder recovery on Plus UI #1840 #1380

This build is a maintenance release, fixing various issues

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Fixed

• fixed issue with video playback in firefox introduced in the previouse build #1831
• fixed BSOD issue with driver #1811
• fixed issue with editing start restriction entries
• fixed issue with netwirk options tab #1825
• fixed portable mode issue when runnign sandman as admin #1764

This build is a maintenance release, fixing various issues

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added drag and drop support for groups #1775
• added del key support to the box view for all entry types #1779
• added warning when trying to run explorer.exe in a box with OpenCOM #1716

Fixed

• fixed crash issue in the sandman ui #1772
• fixed issue some installers when EnableObjectFiltering is enabled #1795
• fixed to allow NtCreateSymbolicLinkObject to be used safely in the sandbox
• added workaround for a vivaldi hooking issue #1783
  -- Note: its a very provisional fix hence it can be disabled with UseVivaldiWorkaround=n
• fixed registry issue with snapshots #1782
• fixed issue with box grouping #1778 #1777 #1776
• fixed more issue with box grouping #1698 #1697
• fixed issues with snadshot ui #1696 #1695
• fixed issue with recovery dialog focus #1374

This build fixes a couple of issues, but also introduces a major change in how sandboxie controls access to process memory.

Before this build sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user, this is obviously a bad idea if your goals is not only infection prevention but also data protection. Hence with 1.0.16 onwards sandboxie will not allow for PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
To facilitate compatibility this build introduces a IPC options, with ReadIpcPath=$:program.exe any unboxed process can be configured to allow for PROCESS_VM_READ, it is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
By default the only process whos memory can be read is explorer.exe many processes want that and explorer should not keep any secrets normally anyways. To block this you can use ClosedIpcPath=$:explorer.exe

To facilitate optimal process isoaltion the EnableObjectFiltering option is now on by default, although this only applies for new installations, hence its recommend for existing installation to go to settings->advanced and enable it explicitly.

Other changes in this build include a simple resource access monitor mode and a change how process paths are resolved for sandboxed processes, this should fix a couple of issues.

Given that this build changes a couple of core mechanics it is possible that in some special cases this can lead to an incompatibility.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.18 / 5.55.18] - 2022-04-13

Added

• added minor browsers to BlockSoftwareUpdaters template (by APMichael) #1784

Changed

• Failed memory read attempts to unboxed processes will no longer cause message 2111 by default
  -- Note: the message can be enabled in the settings if desired with "NotifyProcessAccessDenied=y"
• reordered BlockSoftwareUpdaters template (by APMichael) #1785

Fixed

• fixed pipe impersonation in compartment mode
• fixed issue with box clean-up introduced in a recent build
• fixed missing trace log cleanup command #1773
• fixed unpin did not work #1694

[1.0.17 / 5.55.17] - 2022-04-02

Added

• added checkbox for easy read access to memory of unsandboxed processes (old Sbie behaviour, not recommended)

Changed

• improved OpenProcess/OpenThread logging

Fixed

• fixed crash issue with the new monitor mode
• fixed issue with resource access entry parsing

[1.0.16 / 5.55.16] - 2022-04-01

Added

• FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
  -- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
• Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe

Changed

• EnableObjectFiltering is now set enabled by default, and replaces Sbie's old process/thread handle filter
• the $: syntax now accepts a wildcard $:* no more specialized wildcards though

fixed

• fixed NtGetNextProcess being fully disabled instead of properly filtered
• fixed reworked image name resolution when creating new processes in a sandbox
• fixed regression with HideOtherBoxes=y #1743 #1666

This build fixes a couple of issues, but also introduces a major change in how sandboxie controls access to process memory.

Before this build sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user, this is obviously a bad idea if your goals is not only infection prevention but also data protection. Hence with 1.0.16 onwards sandboxie will not allow for PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
To facilitate compatibility this build introduces a IPC options, with ReadIpcPath=$:program.exe any unboxed process can be configured to allow for PROCESS_VM_READ, it is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
By default the only process whos memory can be read is explorer.exe many processes want that and explorer should not keep any secrets normally anyways. To block this you can use ClosedIpcPath=$:explorer.exe

To facilitate optimal process isoaltion the EnableObjectFiltering option is now on by default, although this only applies for new installations, hence its recommend for existing installation to go to settings->advanced and enable it explicitly.

Other changes in this build include a simple resource access monitor mode and a change how process paths are resolved for sandboxed processes, this should fix a couple of issues.

Given that this build changes a couple of core mechanics it is possible that in some special cases this can lead to an incompatibility.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.17 / 5.55.17] - 2022-04-02

Added

• added checkbox for easy read access to memory of unsandboxed processes (old Sbie behaviour, not recommended)

Changed

• improved OpenProcess/OpenThread logging

Fixed

• fixed crash issue with the new monitor mode
• fixed issue with resource access entry parsing

[1.0.16 / 5.55.16] - 2022-04-01

Added

• FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
  -- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
• Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe

Changed

• EnableObjectFiltering is now set enabled by default, and replaces Sbie's old process/thread handle filter
• the $: syntax now accepts a wildcard $:* no more specialized wildcards though

fixed

• fixed NtGetNextProcess being fully disabled instead of properly filtered
• fixed reworked image name resolution when creating new processes in a sandbox
• fixed regression with HideOtherBoxes=y #1743 #1666

This build fixes a couple of issues, but also introduces a major change in how sandboxie controls access to process memory.

Before this build sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user, this is obviously a bad idea if your goals is not only infection prevention but also data protection. Hence with 1.0.16 onwards sandboxie will not allow for PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
To facilitate compatibility this build introduces a IPC options, with ReadIpcPath=$:program.exe any unboxed process can be configured to allow for PROCESS_VM_READ, it is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
By default the only process whos memory can be read is explorer.exe many processes want that and explorer should not keep any secrets normally anyways. To block this you can use ClosedIpcPath=$:explorer.exe

To facilitate optimal process isoaltion the EnableObjectFiltering option is now on by default, although this only applies for new installations, hence its recommend for existing installation to go to settings->advanced and enable it explicitly.

Other changes in this build include a simple resource access monitor mode and a change how process paths are resolved for sandboxed processes, this should fix a couple of issues.

Given that this build changes a couple of core mechanics it is possible that in some special cases this can lead to an incompatibility.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
  -- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
• Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe

Changed

• EnableObjectFiltering is now set enabled by default, and replaces Sbie's old process/thread handle filter
• the $: syntax now accepts a wildcard $:* no more specialized wildcards though

fixed

• fixed NtGetNextProcess being fully disabled instead of properly filtered
• fixed reworked image name resolution when creating new processes in a sandbox
• fixed regression with HideOtherBoxes=y #1743 #1666

Note: A few SBIE2101 warnings were reported between v1.0.10 and v1.0.15 releases, for more info: #1743

This build fixed a couple of security issues and other bugs.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.15 / 5.55.15] - 2022-03-24

Fixed

• fixed memory corruption introduced in the last build causing Chrome to crash sometimes
• FIXED SECURITY ISSUE: NtCreateSymbolicLinkObject was not filtered (thanks Diversenok)

[1.0.14 / 5.55.14] - 2022-03-23

Added

• added notification to warn that the default update checker is lagging behind the newest release on GitHub, to ensure that only bug-free builds are offered as updates #1682
• added main browsers to BlockSoftwareUpdaters template (by Dyras) #1630
• added a warning when Sandboxie-Plus.ini is not writeable #1681
• added clean-up for critical sections (by chunyou128) #1686

Changed

• improved command line handling for breakout processes #1655
• disabled SBIE2193 notification (by isaak654) #1690
• improved error message 6004 #1719

Fixed

• fixed dark mode issue with the new tray list
• fixed not showing a warning when Sandboxie-Plus.ini is not writeable #1681
• fixed issue with software compatibility checkbox (thanks MitchCapper) #1678
• fixed issue with events on box closure not always being executed #1658
• fixed memory leaks in key_merge.c
• fixed issue enumerating registry keys in privacy mode
• fixed settings issue introduced in 1.0.13 #1684
• fixed crash issue when parsing firewall port options
• FIXED SECURITY ISSUE: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges #1714

This build fixed a security issue.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added notification to warn that the default update checker is lagging behind the newest release on GitHub, to ensure that only bug-free builds are offered as updates #1682
• added main browsers to BlockSoftwareUpdaters template (by Dyras) #1630
• added a warning when Sandboxie-Plus.ini is not writeable #1681
• added clean-up for critical sections (by chunyou128) #1686

Changed

• improved command line handling for breakout processes #1655
• disabled SBIE2193 notification (by isaak654) #1690
• improved error message 6004 #1719

Fixed

• fixed dark mode issue with the new tray list
• fixed not showing a warning when Sandboxie-Plus.ini is not writeable #1681
• fixed issue with software compatibility checkbox (thanks MitchCapper) #1678
• fixed issue with events on box closure not always being executed #1658
• fixed memory leaks in key_merge.c
• fixed issue enumerating registry keys in privacy mode
• fixed settings issue introduced in 1.0.13 #1684
• fixed crash issue when parsing firewall port options
• FIXED SECURITY ISSUE: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges #1714

This build fixed a security issue.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Fixed

• FIXED SECURITY ISSUE: Hard link creation was not properly filtered (thanks Diversenok)
• fixed issue with checking the certificate entry.

This build fixed a lot of various issues.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added mini dump creation to Sandman.exe in case it crashes

Changed

• disabled Chrome and Firefox phishing entries in new sandboxes (by isaak654) #1616
• updated Mozilla paths for the BlockSoftwareUpdaters template (by isaak654) #1623
• renamed "Pause Forced Programs Rules" command to "Pause Forcing Programs" (Plus only)
• reworked tray icon generation now using overlays, added busy overlay

Fixed

• fixed issue with accessing network drives in privacy mode #1617
• fixed issue with ping in compartment mode #1608
• fixed SandMan UI freezing when a lot of processes are created and closed in a box
• fixed Editing existing 'Run Menu' Command Line entry not being recognized #1648
• fixed blue screen issue in driver (thanks Diversenok)
• fixed incompatibility with Windows 11 Insider Build 22563.1 #1654

This build fixed a lot of various issues.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added optional tray notification when box content gets auto-deleted
• added FreeDownloadManager template
• added warning when opening unsandboxed regedit #1606
• added languages files that were missing in official Qt 5.15.2 (by DevSplash) #1605

Changed

• the asynchronous box operations introduced in the last build are now disabled by default
• moved sys tray options from general to shell integration tab
• removed "AlwaysUseWin32kHooks", now these win32 hooks are always enabled
  -- Note: you can use "UseWin32kHooks=program.exe,n" to disable them for selected programs
• updated Listary template to v6 (by isaak654) #1610

Fixed

• fixed compatibility issue with SECUROM #1597
• fixed modality issue #1615
• fixed special form of OpenWinClass in Templates.ini d6d9588

This build fixed a lot of various issues.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added option to show only boxes in tray with running processes #1186
  -- additional option shows only pinned boxes, in box options a box can be set to be always shown in tray list (Pinned)
• added Options menu command to reset the GUI #1589
• added Run Un-Sandboxed context menu option
• added new trigger OnBoxDelete that allows to specify a command that is run UNBOXED just before the box content gets deleted
  -- note: this can be used as a replacement to DeleteCommand #591
• selected box operations (deletion) no longer show the progress dialog 1061
  -- if a box with a running operation shows a blinking hour glass icon, the context menu can be used to cancel the operation

Changed

• HideHostProcess=program.exe can now be used to hide Sandboxie services #1336
• updater blocking is now done using a template called BlockSoftwareUpdaters
• enhanced StartProgram=... makes StartCommand=... obsolete
  -- for same functionality as StartCommand=..., use StartProgram=%SbieHome%\Start.exe ...
• merged Auto Start General tab with the Auto Exec Advanced tab into a universal Triggers Advanced tab

Fixed

• fixed a couple issues with the new breakout process feature and improved security (thanks Diversenok)
• fixed issues with re-opening windows already open #1584
• fixed issue with desktop access #1588
• fixed issue about command line invocation handling #1133
• fixed UI issue with main window state when switching always on top attribute #1169
• fixed issue with box context menu in tray list 1106
• fixed issue with AutoExec=...
• fixed issues where canceling box deletion operations didn't work 1061
• fixed issue with DPI scalling and color picker dialog #803

Removed

• removed UseRpcMgmtSetComTimeout=AppXDeploymentClient.dll,y used for Free Download Manager as it broke other things
  -- only if you use Free Download Manager together with the setting RpcMgmtSetComTimeout=n in a sandbox, you have to add the line manually to your Sandboxie.ini

This build fixed a lot of various issues, some of them quite old, as well as a security issue related to some internal COM workarounds.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• SandMan now causes all boxed processes to update their path settings in real time when access options were modified
• added new maintenance menu option "Uninstall All" to quickly remove all components when running in portable mode
• added version number to the title bar of Sandboxie Classic
• added option to return not to a snapshot but to an empty box state while keeping all snapshots
• Sandboxie-Plus.ini can now be placed in C:\ProgramData\Sandboxie-Plus\ folder and takes precedence (for business use)
• added support for AF_UNIX on Windows to resolve issues with OpenJDK17 and later #1009 #1520 #1521

Changed

• reworked breakout mechanism to be service based and not allowing the parent process to access the broken out child process
• enabled creation of directory junctions for sandboxed processes #1375
• restored back AutoRecover=y on box creation #1554
• improved snapshot support #1220
• renamed "Disable Forced Programs" command to "Pause Forced Programs Rules" (Plus only)

Fixed

• fixed BreakoutProcess not working with EnableObjectFiltering=y
• FIXED SECURITY ISSUE: when starting COMSRV unboxed, the returned process handle had full access
• fixed issue with progress dialog #1562
• fixed issue with handling directory junctions in Sandboxie #1396
• fixed a handle leak in File_NtCloseImpl
• fixed border issues on maximized windows introduced in the last build #1561
• fixed a couple of index overruns (thanks 7eRoM) #1571
• fixed issues with sysnative directory #1403
• fixed issue with starting SandMan when running sandboxed from context menu #1579
• fixed dark mode flash issue with main window creation #1231
• fixed issues with snapshot error handling #350
• fixed issues with the always on top option (Plus only)

This build fixed many issues, and adds a new functionality: "BreakoutProcess=program.exe" which allows to preset programs to be able to escape a sandbox, hence this is a feature rather for compartmentalization than security. But in the way it is implemented, a breakout process will be captured by another sandbox if it is configured as a forced process for it. So a possibly security related use case would be to have a box dedicated to run your web browser only, where it is forced, and have it configured as a breakout process for all other boxes or globally. In this scenario, no matter what boxed or unboxed application starts a browser, it will always run in the browser box.

This new feature is enabled only for certified project supporters, if I reach 250 patrons it will be made available to all users, please consider supporting the development of Sandboxie-Plus: https://www.patreon.com/DavidXanatos

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added Portuguese of Portugal on Plus UI (by JNylson, isaak654, mpheath) #1497
• added "BreakoutProcess=program.exe", with this option selected applications can be started unboxed from within a box #1500
  -- the program image must be located outside the sandbox for this to work
  -- if another sandbox has "ForceProcess=program.exe" configured, it will capture the process
  -- use case: set up a box with a Web browser forced, when another box opens a website, this will happen in the dedicated browser box
  -- Note: "BreakoutFolder=some\path" is also available
• added silent uninstall switch /remove /S for Classic installer (by sredna) #1532

Changed

• The filename "sandman_pt" was changed to "sandman_pt_BR" (Brazilian Portuguese) #1497
• The filename "sandman_ua" was changed to "sandman_uk" (Ukrainian) #1527
  -- Note: Translators are encouraged to follow the Localization notes and tips before creating a new pull request
• updated Firefox update blocker (discovered by isaak654) #1545

Fixed

• fixed issue with opening all file access OpenFilePath=* #971
• fixed issue with opening network shares #1529
• fixed possible upgrade issue with Classic installer (by isaak654) 130c43a
• fixed minor issues with Classic installer (by sredna) #1533
• fixed issue with Ldr_FixImagePath_2 #1507
• when using "Run Sandboxed" with SandMan UI and the UI is off, it wil stay off.
• fixed issue with Util_GetProcessPidByName that should resolve the driver sometimes failing to start at boot #1451
• SandMan will now run in background like SbieCtrl when starting a boxed process post506
• fixed taskbar not showing with persistent box border in full screen post474
• fixed box border not spanning across multiple monitors #1512
• fixed issues with border when using DPI scaling #1506
• fixed DPI issues with Qt #1368
• fixed issue with bright flashing on window creation when in dark mode #1231
• fixed issues with the PortableRootDir setting #1509
• fixed issue with the settings window crashing when the driver was not connected
• fixed DPI issues with Finder Tool #912
• fixed another issue with reused process IDs #1547
• fixed issue introduced in 1.0.6 related to SeAccessCheckByType #1548

This build fixed various issues with the previous build and adds some new functionality

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.7 / 5.55.7] - 2022-01-06

Added

• added experimental option "CreateToken=y" to create a new token instead of repurposing an existing one
• added option "DisableRTBlacklist=y" allowing to disable the hardcoded runtime class blacklist
• added new template "DeviceSecurity" to lock down access to device drivers on the system
  -- Note: This template requires RuleSpecificity being available to work properly
• added option to set a custom ini editor in the Plus UI #1475
• added option "LingerLeniency=n" to solve issue #997

Changed

• reworked syscall invocation code in the driver
  -- Win32k hooking is now compatible with HVCI #1483

Fixed

• fixed memory leak in driver (conf_user.c)
• fixed issue with file renaming in open paths introduced in 1.0.6
• fixed issue causing Chromium browsers not closing properly #1496
• fixed issue with start.exe #1517 #1516
• fixed SandMan issue with reused process IDs
• fixed KmdUtil sometimes not properly terminating the driver #1493

Removed

• removed OpenToken as it is only a shorthand for UnrestrictedToken=y and UnfilteredToken=y set together

This build fixed various issues with the previous build and adds some new functionality

This build introduced an issue with renaming files in open paths, resulting in potential loss of data, like opened browser bookmarks. Hence it was set to pre-release, while 1.0.5 does not have this issue.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• replaced "Open with" with a Sandboxie dialog to work on Windows 10 #1138
• added ability to run Win32 store apps in App Compartment mode (on Windows 11 requires COM to be open)
  -- Note: this does not mean UWP store apps, just regular win32 apps packaged to be deployed via the store
• added new debug options "UnstrippedToken=y" and "KeepUserGroup=y"
• added double click to recover files and folders in recovery window #1466
• added Ukrainian language on Plus UI (by SuperMaxusa) #1488

Changed

• "UseSbieWndStation=y" is now the default behaviour #1442
• disabled Win32k hooking when HVCI is enabled due to an incompatibility (BSOD) #1483

Fixed

• fixed box initialization issue in Privacy mode #1469
• fixed issue with shortcuts creation introduced in a recent build #1471
• fixed various issues in Privacy Enhanced boxes and rule specificity
• fixed issue with SeAccessCheckByType and alike
• fixed issues with Win32k hooking on 32 bit Windows #1479

Removed

• removed obsolete SkyNet rootkit detection from 32 bit build

The following issues were detected in this release and they will be fixed on v1.0.6: #1469 #1471

The 1.0.x line of builds is finally ready for a final release as version 1.0.5

The first major feature is Privacy Mode, here most of the PC is set to be treated like a Write[File/Key]Path meaning the sandbox locations are writable but the unsandboxed locations are not readable. The Hard disk appears empty except for C:\Windows and C:\Program Files and the registry only allows reading of the machine but not user root keys. This way sandboxed processes can work but can not access private user data.

To make this mode useful an other feature has been implemented called “Rule Specificity” it can be enabled independently but is always enabled in Privacy enhanced boxes. It allows to specify rules to override other rules, this is not based on specifying an order or priority, but instead by measuring how specific a rule is and always attributing the highest priority to the most specific rule.
Here the specificity is measures by the path length that matches the rule, except the last wildcard.

So for example the built in privacy rules plus a custom one
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles*
NormalFilePath=C:\Program Files*
NormalFilePath=C:\Windows*
WriteFilePath=C:*
Here the rules are ordered by their specificity.
Also there is a new type Normal[File/Key/Ipc]Path which defines a default sandbox behavior for a path.

The next major feature is "App Compartment" mode "NoSecurityIsolation=y", this is a new mode of operation which disables the token based security isolation, which brings the security down to the level of other sand boxing solutions, but by doing so greatly improves compatibility. For all use cases where the goal is only compartmentalization, running multiple instances, etc, but not hard core security this mode is preferable as it should avoid many typical sandboxie issues caused by processes running with a heavily restricted token.
In this mode file system and registry accesses are still being filtered to enforce the access rules, this filtering can be disabled with "NoSecurityFiltering=y"

To ensure this “unsecure” mode is at least as secure as the sandboxing offered by other sandboxing products, a new object access filter was added that can be enabled with "EnableObjectFiltering=y" in the global settings.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.5 / 5.55.5] - 2021-12-25

Added

• sandbox top level exception handler to create crash dumps
  -- it can be enabled per process or globally using "EnableMiniDump=process.exe,y" or "EnableMiniDump=y" respectively
  -- the dump flags can be set as hex with "MiniDumpFlags=0xAABBCCDD"
  -- a preselected flag set for a verbose dump can be set with "MiniDumpFlags=Extended"
  -- Note: created dump files are located at: C:\Sandbox\%USER%\%SANDBOX%
• added template support for Osiris and Slimjet browsers (by Dyras) #1454

Changed

• improved SbieDll initialization a bit
• doubled size of Name_Buffer_Depth #1342
• improved text filter in the templates view #1456

Fixed

• fixed issue with forced process display #1447
• fixed crash issue with GetClassName #1448
• fixed minor UI issue #1382
• fixed UI language preset issue #1348
• fixed grouping issues in SandMan UI #1358
• fixed issue with EnableWin32kHooks #1458

Installers re-released with the following fix:

• fixed regression when launching Office apps #1468

[1.0.4 / 5.55.4] - 2021-12-20

Added

• Mechanism to hook Win32 system calls now also works for 32 bit applications running under WoW64
• Added customization to Win32k hooking mechanism, as by default only GdiDdDDI* hooks are installed
  -- You can force the installation of other hooks by specifying them with "EnableWin32Hook=..."
  -- or disable the installation of the default hooks with "DisableWin32Hook=..."
  -- Please note that some Win32k hooks may cause BSODs or undefined behaviour. (!)
  -- The most obviously problematic Win32k hooks are blacklisted, this can be bypassed with "IgnoreWin32HookBlacklist=y"
• added debug option "AdjustBoxedSystem=n" to disable the adjustment of service ACLs running with a system token
• added "NoUACProxy=y" option together with the accompanying template, in order to disable UAC proxy
  -- Note: Boxes configured in compartment mode activate this template by default
• added UI option to change default RpcMgmtSetComTimeout preset
• added Plus installer option to start the default browser under Sandboxie through a desktop shortcut
• added more entries to the Plus installer (current translations on Languages.iss file need to be updated)

Changed

• "EnableWin32kHooks=y" is now enabled by default, as no issues were reported in 1.0.3
  -- Note: currently only the GdiDdDDI* hooks are applied, required for Chromium HW acceleration
• Cleaned up low level hooking code a bit
• "RunRpcssAsSystem=y" is now auto applied for boxes in "App Compartment" mode when "RunServicesAsSystem=y" or "MsiInstallerExemptions=y" are present

Fixed

• fixed RPC handling in case a requested open service is not running #1443
• fixed a hooking issue with NdrClientCall2 in 32 bit applications
• fixed issue with start directory to run sandboxed when using SandMan #1436
• fixed issue with recovering from network share locations #1435

[1.0.3 / 5.55.3] - 2021-12-12

Added

• added mechanism to hook Win32k system calls on Windows 10 and later, this should resolve the issue with Chromium HW acceleration
  -- Note: this mechanism does not, yet, work for 32 bit applications running under WoW64
  -- to enable it, add "EnableWin32kHooks=y" to the global ini section, this feature is highly experimental (!)
  -- the hooks will be automatically applied to Chromium GPU processes
  -- to force Win32k hooks for all processes in a selected box, add "AlwaysUseWin32kHooks=program.exe,y" #1261 #1395

Fixed

• fixed bug in GetVersionExW making "OverrideOsBuild=..." not working #605 #1426
• fixed issue with some UTF-8 characters when used in the ini file
• fixed isolation issue with Virtual Network Editor #1102

[1.0.2 / 5.55.2] - 2021-12-08

Fixed

• fixed recovery window not refreshing count on reload #1402
• fixed printing issue introduced in 1.0.0 #1397
• fixed issues with CreateProcess function #1408

[1.0.1 / 5.55.1] - 2021-12-06

Added

• added checkboxes to most major box options lists
• added SumatraPDF templates (by Dyras) #1391

Changed

• rolled back change to "OpenClsid=..." handling
• made all major lists in the box options editable

Fixed

• fixed issue with read only paths introduced in 1.0.0
• fixed BSOD issue introduced in the 1.0.0 build #1389
• fixed multiple BITS notifications while running sandboxed Chromium browsers (by isaak654) ca320ec #1081
• fixed executables selection for "Run Menu" entries (by isaak654) #1379
• fixed SetCursorPos and ClipCursor ignoring DPI awareness (by alvinhochun) #1394

Removed

• removed Virtual Desktop Manager template (by isaak654) d775807 #1326

[1.0.0 / 5.55.0] - 2021-11-17

Added

• added Privacy enhanced mode, sandboxes with "UsePrivacyMode=y" will not allow read access to locations containing user data
  -- all locations except generic Windows system paths will need to be opened explicitly for read and/or write access
  -- using "NormalFilePath=...", "NormalKeyPath=...", "NormalIpcPath=..." allows to open locations to be readable and sandboxed

• added new "App Compartment" mode of operation, it is enabled by adding "NoSecurityIsolation=y" to the box configuration
  -- in this mode, security is traded in for compatibility, it should not be used for untrusted applications
  -- Note: in this mode, file and registry filtering are still in place, hence processes run without administrative privileges
  -- it is reasonably safe, all filtering can be disabled with "NoSecurityFiltering=y"

• added experimental use of ObRegisterCallbacks to filter object creation and duplication
  -- this filtering is independent from the regular SbieDrv's syscall-based filtering, hence it also applies to App Compartments
  -- with it enabled, an application running in a compartment will not be able to manipulate processes running outside the sandbox
  -- Note: this feature improves the security of unisolated App Compartment boxes
  -- to enable this feature, set "EnableObjectFiltering=y" in the global section and reload the driver
  -- when globally activated, the filtering can be disabled for individual boxes with "DisableObjectFilter=y"

• added "DontOpenForBoxed=n", this option disables the discrimination of boxed processes for open file and open key directives
  -- this behaviour does not really improve security anyways, but may be annoying, also app compartments always disable this

• added setting to entirely open access to the COM infrastructure

Changed

• reworked the resource access path matching mechanism to optionally apply more specific rules over less specific ones
  -- for example "OpenFilePath=C:\User\Me\AppData\Firefox takes precedence over "WriteFilePath=C:\User\Me"
  -- to enable this new behaviour, add "UseRuleSpecificity=y" to your Sandboxie.ini, this behaviour is always enabled in Privacy enhanced mode
  -- added "NormalFilePath=..." to restore default Sandboxie behaviour on a given path
  -- added "OpenConfPath=...", which similarly to "OpenPipePath=..." is a "OpenKeyPath=..." variant which applies to executables located in the sandbox
• removed option to copy a box during creation, instead the box context menu offers a duplication option
• reworked the box creation dialog to offer new box types

Fixed

• fixed SBIE1401 notification during Sandboxie Plus uninstall (by mpheath) 68fa37d
• fixed memory leak in driver handling FLT_FILE_NAME_INFORMATION (by Therzok) #1371

System call hooking for Win32k system calls is now enabled by default, it is still used only for a hand full of calls currently, as required to get chromium Hardware Acceleration acceleration to work properly. This feature now also works for 32 bit applications running under WoW64.

This feature can be configured here, if you would to experience SbieDrv.sys related BSOD's try disabling it:

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• Mechanism to hook Win32 system calls now also works for 32 bit applications running under WoW64
• Added customization to Win32k hooking mechanism, as by default only GdiDdDDI* hooks are installed
  -- You can force the installation of other hooks by specifying them with "EnableWin32Hook=..."
  -- or disable the installation of the default hooks with "DisableWin32Hook=..."
  -- Please note that some Win32k hooks may cause BSODs or undefined behaviour. (!)
  -- The most obviously problematic Win32k hooks are blacklisted, this can be bypassed with "IgnoreWin32HookBlacklist=y"
• added debug option "AdjustBoxedSystem=n" to disable the adjustment of service ACLs running with a system token
• added "NoUACProxy=y" option together with the accompanying template, in order to disable UAC proxy
  -- Note: Boxes configured in compartment mode activate this template by default
• added UI option to change default RpcMgmtSetComTimeout preset
• added Plus installer option to start the default browser under Sandboxie through a desktop shortcut
• added more entries to the Plus installer (current translations on Languages.iss file need to be updated)

Changed

• "EnableWin32kHooks=y" is now enabled by default, as no issues were reported in 1.0.3
  -- Note: currently only the GdiDdDDI* hooks are applied, required for Chromium HW acceleration
• Cleaned up low level hooking code a bit
• "RunRpcssAsSystem=y" is now auto applied for boxes in "App Compartment" mode when "RunServicesAsSystem=y" or "MsiInstallerExemptions=y" are present

Fixed

• fixed RPC handling in case a requested open service is not running #1443
• fixed a hooking issue with NdrClientCall2 in 32 bit applications
• fixed issue with start directory to run sandboxed when using SandMan #1436
• fixed issue with recovering from network share locations #1435

This build introduced a new major feature, system call hooking for Win32k system calls, it is used only for a hand full of calls currently, and is currently not working for 32 bit applications running on a 64 bit host, that limitation is being worked on.

This feature resolves the Hardware Acceleration issues with Chromium based browsers, it can be enabled like this:

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added mechanism to hook Win32k system calls on Windows 10 and later, this should resolve the issue with Chromium HW acceleration
  -- Note: this mechanism does not, yet, work for 32 bit applications running under WoW64
  -- to enable it, add "EnableWin32kHooks=y" to the global ini section, this feature is highly experimental (!)
  -- the hooks will be automatically applied to Chromium GPU processes
  -- to force Win32k hooks for all processes in a selected box, add "AlwaysUseWin32kHooks=program.exe,y" #1261 #1395

Fixed

• fixed bug in GetVersionExW making "OverrideOsBuild=..." not working #605 #1426
• fixed issue with some UTF-8 characters when used in the ini file
• fixed isolation issue with Virtual Network Editor #1102

This build fixes bugs introduced recently

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[1.0.2 / 5.55.2] - 2021-12-08

Fixed

• fixed recovery window not refreshing count on reload #1402
• fixed printing issue introduced in 1.0.0 #1397
• fixed issues with CreateProcess function #1408