This build fixes bugs introduced in the last pre-release build

Known Issues

• printing does not work, will be fixed in the next release

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added checkboxes to most major box options lists
• added SumatraPDF templates (by Dyras) #1391

Changed

• rolled back change to "OpenClsid=..." handling
• made all major lists in the box options editable

Fixed

• fixed issue with read only paths introduced in 1.0.0
• fixed BSOD issue introduced in the 1.0.0 build #1389
• fixed multiple BITS notifications while running sandboxed Chromium browsers (by isaak654) ca320ec #1081
• fixed executables selection for "Run Menu" entries (by isaak654) #1379
• fixed SetCursorPos and ClipCursor ignoring DPI awareness (by alvinhochun) #1394

Removed

• removed Virtual Desktop Manager template (by isaak654) d775807 #1326

Version 1.0.0 is here and brings a lot of new major features, hence its a pre release, test it and expect new bugs as well, at least in the new features. I expect the final being 1.1.0 or so

The first major feature is Privacy Mode, here most of the PC is set to be treated like a Write[File/Key]Path meaning the sandbox locations are writable but the unsandboxed locations are not readable. The Hard disk appears empty except for C:\Windows and C:\Program Files and the registry only allows reading of the machine but not user root keys. This way sandboxed processes can work but can not access private user data.

To make this mode useful an other feature has been implemented called “Rule Specificity” it can be enabled independently but is always enabled in Privacy enhanced boxes. It allows to specify rules to override other rules, this is not based on specifying an order or priority, but instead by measuring how specific a rule is and always attributing the highest priority to the most specific rule.
Here the specificity is measures by the path length that matches the rule, except the last wildcard.

So for example the built in privacy rules plus a custom one
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles*
NormalFilePath=C:\Program Files*
NormalFilePath=C:\Windows*
WriteFilePath=C:*
Here the rules are ordered by their specificity.
Also there is a new type Normal[File/Key/Ipc]Path which defines a default sandbox behavior for a path.

The next major feature is "App Compartment" mode "NoSecurityIsolation=y", this is a new mode of operation which disables the token based security isolation, which brings the security down to the level of other sand boxing solutions, but by doing so greatly improves compatibility. For all use cases where the goal is only compartmentalization, running multiple instances, etc, but not hard core security this mode is preferable as it should avoid many typical sandboxie issues caused by processes running with a heavily restricted token.
In this mode file system and registry accesses are still being filtered to enforce the access rules, this filtering can be disabled with "NoSecurityFiltering=y"

To ensure this “unsecure” mode is at least as secure as the sandboxing offered by other sandboxing products, a new object access filter was added that can be enabled with "EnableObjectFiltering=y" in the global settings.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added Privacy enhanced mode, sandboxes with "UsePrivacyMode=y" will not allow read access to locations containing user data
  -- all locations except generic Windows system paths will need to be opened explicitly for read and/or write access
  -- using "NormalFilePath=...", "NormalKeyPath=...", "NormalIpcPath=..." allows to open locations to be readable and sandboxed

• added new "App Compartment" mode of operation, it's enabled by adding "NoSecurityIsolation=y" to the box configuration
  -- in this mode, security is traded in for compatibility, it should not be used for untrusted applications
  -- note: in this mode, file and registry filtering are still in place, hence processes run without administrative privileges
  -- it is reasonably safe, all filtering can be disabled with "NoSecurityFiltering=y"

• added experimental use of ObRegisterCallbacks to filter object creation and duplication
  -- this filtering is independent from the regular SbieDrv's syscall-based filtering, hence it also applies to App Compartments
  -- with it enabled, an application running in a compartment will not be able to manipulate processes running outside the sandbox
  -- Note: this feature improves the security of unisolated App Compartment boxes
  -- to enable this feature, set "EnableObjectFiltering=y" in the global section and reload the driver
  -- when globally activated, the filtering can be disabled for individual boxes with "DisableObjectFilter=y"

• added "DontOpenForBoxed=n", this option disables the discrimination of boxed processes for open file and open key directives
  -- this behaviour does not really improve security anyways, but may be annoying, also app compartments always disable this

• added setting to entirely open access to the COM infrastructure

Changed

• reworked the resource access path matching mechanism to optionally apply more specific rules over less specific ones
  -- for example "OpenFilePath=C:\User\Me\AppData\Firefox takes precedence over "WriteFilePath=C:\User\Me"
  -- to enable this new behaviour, add "UseRuleSpecificity=y" to your Sandboxie.ini, this behaviour is always enabled in Privacy enhanced mode
  -- added "NormalFilePath=..." to restore default Sandboxie behaviour on a given path
  -- added "OpenConfPath=...", which similarly to "OpenPipePath=..." is a "OpenKeyPath=..." variant which applies to executables located in the sandbox
• removed option to copy a box during creation, instead the box context menu offers a duplication option
• reworked the box creation dialog to offer new box types

Fixed

• fixed SBIE1401 notification during Sandboxie Plus uninstall (by mpheath) 68fa37d
• fixed memory leak in driver handling FLT_FILE_NAME_INFORMATION (by Therzok) #1371

This build fixes many bugs.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added checkbox if the user wants SandMan.exe to be started after installation #1318
• added template for Windows 10 virtual desktop manager #1326

Changed

• "OpenClsid=..." is no longer restricted to CLSCTX_LOCAL_SERVER execution contexts only
  -- this allows to run objects with the CLSCTX_INPROC_SERVER flag in the COM helper service
• in the trace view, now multiple types can be selected at once
• a few Plus UI entries were made translatable (by gexgd0419) #1320
• changed default "terminate all boxed processes" key to Shift+Pause (by isaak654) #1337

Fixed

• fixed ini writing issue with SbieCtrl and the new ini handling mechanism #1331
• fixed issue with trace log filtering
• fixed space issue about German language on Plus installer (by mpheath) #1333
• restored Waterfox phishing template entries with a proper fix (by APMichael) #1334

This build fixes many bugs.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added explicit lines on Plus installer to delete empty shell registry keys at uninstall time (by mpheath) 3f661a8

Fixed

• fixed template sections not showing in editor #1287
• fixed autodelete box content broken in the previous build #1296 #1324
• fixed crash in "Browse Content" window #1313
• fixed issue with icon resolution on Windows 7 #1310
• fixed invalid "No Inet" status in the status column #1312
• fixed Windows Explorer search box not working (by isaak654) #1002
• fixed Waterfox phishing template (by Dyras) #1309
• fixed issue with Chinese translation files on Plus installer (by mpheath) #1317
• fixed autorun registry key path on Plus installer (by mpheath) abd2d44
• fixed memory corruption in SbieSvc.exe

This build fixes many bugs.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added ability to save trace log to file on Plus UI
• added French language on Plus UI (by clexanis) #1155

Changed

• network traffic trace is now properly logged to the driver log instead of to the kernel debug log
• Plus installer will autostart SandMan.exe after install to fix a taskbar icon issue #3040211
• Classic installer will show the license agreement when updating #1187

Fixed

• fixed template sections not showing in editor #1287
• fixed issue with app ID resulting in some apps showing two button groups in the taskbar #1101
• fixed issue with maximum ini value length on Plus UI #1293
• fixed issue handling an empty Sandboxie.ini that got introduced recently #1292
• fixed issue with "SpecialImages" template (by Coverlin) #1288 #1289
• fixed issue with box emptying #1296
• fixed issues wich some languages #1304
• fixed issue with mounted directories #1302
• added missing translation for qt libraries #1305
• fixed issue with Windows compatibility assistant #1265
• fixed issue with process image specific settigns #1307

This build fixes many bugs and add some new features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added debug switch to disable Sbie console redirection "NoSandboxieConsole=y"
  -- note that this was previously part of "NoSandboxieDesktop=y"
• added Sbie+ version to the log #1277
• added uninstall cleanup of extra files for the Plus installer (by mpheath) #1235
• added set language for Sandman for the Plus installer (by mpheath) #1241
• added EventLog messages with SbieMsg.dll for the Plus installer (by mpheath)
• group expansion state is now saved
• added additional filters to the trace tab
• added a new section [DefaultTemplates] in Templates.ini which contains mandatory templates that are always applied 0c9ecb0

Changed

• reworked and extended RPC logging
• reintroduced the "UseRpcMgmtSetComTimeout=some.dll,n" setting to be used when no "RpcPortBinding" entry is specified
  --- this allows to enable/disable out of box RPC binding independently from the timeout setting
• the "BoxNameTitle" value can now be set explicitly on a per image name basis #1190

Fixed

• fixed inability to delete read-only files from sandboxed explorer #1237
• fixed wrong recovery target in Plus UI #1274
• fixed SBIE2101 issue introduced with 0.9.7a #1279
• fixed sorting in the box picker window #1269
• fixed tray refresh issue #1250
• fixed tray activity display #1221
• fixed recovery window not displaying in taskbar #1195
• fixed dark theme preset not updating in real time #1270
• fixed Microsoft Edge complaining about "FakeAdminRights=y" #1271
• fixed issue with using local template in the global section #1212
• fixed issue with git.exe from MinGW freezing #1238
• fixed issue with search highlighting when using in dark mode

Removed

• removed the ability to sort the trace log as it took too much CPU

This is a test build which includes a lot of internal changes, required for future features and improvements.
This build changes how the sandboxie.ini is handled, hence it is recommended to create a backup just in case.

This build fixes two issues handling sandboxie.ini introduced in the 0.9.7 build

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.9.7e / 5.52.5] - 2021-10-09

Changed

• reworked the settings handling once again, now the driver mainteains teh order when enumerating,
  -- but for good performance there is a hash map held in paralell for quick exact lookups

[0.9.7d / 5.52.4] - 2021-10-06

Fixed

• fixed yet another ini issue with the sbiectrl

[0.9.7c / 5.52.3] - 2021-10-05

Fixed

• fixed yet another handling bug with SbieApi_EnumBoxesEx

[0.9.7b / 5.52.2] - 2021-10-04

Fixed

• fixed issue about loading not Unicode Sandboxie.ini introduced with the previous build

[0.9.7 / 5.52.1] - 2021-10-02

Added

• added forced process indicator to process status column #1174
• added "SbieTrace=y" option to trace the interaction between Sandboxie processes and the Sandboxie core components
• when initializing an empty sandbox, MSI debug keys are set to generate the debug output of MSI installer service
• added "DisableComProxy=y" allowing to disable COM proxying through the service
• added "ProcessLimit=..." that allows to limit the max count of processes in a sandbox #1230
• added missing IPC logging

Changed

• reworked SbieSvc ini server to allow settings caching and greatly improve performance
  -- Now comments in the Sandboxie.ini are being preserved as well as the order of all entries
• enabled configuration section list replacement with a hash map to improve configuration performance
• improved progress and status messages for the Plus installer (by mpheath) #1168
• reworked RpcSs start mechanics, sandboxed RpcSs and DcomLaunch can now be run as system, use "RunRpcssAsSystem=y"
  -- note: this is generally not recommended for security reasons but may be needed for compatibility in some scenarios
• reworked WTSQueryUserToken handling to work properly in all scenarios
• reworked configuration value list to use a hash table for better performance

Fixed

• fixed Plus upgrade install in Windows 7 (by mpheath) #1194
• fixed custom autoexec commands being executed on each box start instead of only on the initialization
• fixed a design issue limiting the maximal amount of processes in one box to 511
• fixed handle leaks in the lingering process monitor mechanism
• fixed issue with opening device paths like "\??\FltMgr"
• fixed build issue with an explicit FileDigestAlgorithm option for driver sign (by isaak654) #1210
• fixed issue with resource access log sometimes getting corrupted
• fixed issue with Microsoft Office Click-to-Run #428 #882

removed

• removed support for Microsoft EMET (Enhanced Mitigation Experience Toolkit), as it was EOL in 2018
• removed support for Messenger Plus! Live, as MSN Messenger is EOL since 2013
• disabled Turkish language on Plus UI for inactivity (by isaak654) #1215

This is a test build which includes a lot of internal changes, required for future features and improvements.
This build changes how the sandboxie.ini is handled, hence it is recommended to create a backup just in case.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added forced process indicator to process status column #1174
• added "SbieTrace=y" option to trace the interaction between Sandboxie processes and the Sandboxie core components
• when initializing an empty sandbox, MSI debug keys are set to generate the debug output of MSI installer service
• added "DisableComProxy=y" allowing to disable COM proxying through the service
• added "ProcessLimit=..." that allows to limit the max count of processes in a sandbox #1230
• added missing IPC logging

Changed

• reworked SbieSvc ini server to allow settings caching and greatly improve performance
  -- Now comments in the Sandboxie.ini are being preserved as well as the order of all entries
• enabled configuration section list replacement with a hash map to improve configuration performance
• improved progress and status messages for the Plus installer (by mpheath) #1168
• reworked RpcSs start mechanics, sandboxed RpcSs and DcomLaunch can now be run as system, use "RunRpcssAsSystem=y"
  -- note: this is generally not recommended for security reasons but may be needed for compatibility in some scenarios
• reworked WTSQueryUserToken handling to work properly in all scenarios
• reworked configuration value list to use a hash table for better performance

Fixed

• fixed Plus upgrade install in Windows 7 (by mpheath) #1194
• fixed custom autoexec commands being executed on each box start instead of only on the initialization
• fixed a design issue limiting the maximal amount of processes in one box to 511
• fixed handle leaks in the lingering process monitor mechanism
• fixed issue with opening device paths like "\??\FltMgr"
• fixed build issue with an explicit FileDigestAlgorithm option for driver sign (by isaak654) #1210
• fixed issue with resource access log sometimes getting corrupted
• fixed issue with Microsoft Office Click-to-Run #428 #882

removed

• removed support for Microsoft EMET (Enhanced Mitigation Experience Toolkit), as it was EOL in 2018
• removed support for Messenger Plus! Live, as MSN Messenger is EOL since 2013
• disabled Turkish language on Plus UI for inactivity (by isaak654) #1215

This release fixes an incompatibility with windows 11 build 22449 as well as fixes many bugs, it also improves a lot on the recovery feature and adds some minor otehr UI features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added ability to rename groups #1152
• added ability to define a custom order for the sandboxes, they can be moved by using the move context menu, or holding Alt + Arrow Key
• added recovery to list to the recovery window: #988
• added finder to the recovery window

Changed

• updated the BlockPort rule inside Template_BlockPorts to the new NetworkAccess format (by isaak654) #1162
• default for immediate recovery behaviour is now to show the recovery window instead of using the notifications window #988
• the new run dialog now requires a double-click #1171
• reworked the recovery window

Fixed

• fixed issue with create group menu #1151
• fixed issue that caused a box to lose its group association when renaming
• fixed issue with Thunderbird 91+ #1156
• fixed an issue with file disposition handling #1161
• fixed issue with Windows 11 22449.1000 #1164
• fixed SRWare Iron template (by Dyras) #1146
• fixed label positioning in Classic UI (by isaak654) #1088
• fixed an old issue that occurred when only an asterisk was set as path #971

This release fixes an incompatibility with windows server 2022 and presumably Windows 21H2 (once its out), it also adds a hand full of useful improvements allowing automatically starting selected boxes at system boot, as well as auto start the box content.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added option to run a sandbox in session 0
  -- Note: the processes then have a system token, hence its recommended to enable "DropAdminRights=y"
• when the UI is run with admin privileges it now can terminate sandboxed processes in other sessions
• added "StartSystemBox=" option to auto run a box on sbie start/system boot in session 0
  -- Note: box start is done through issuing start.exe /box:[name] auto_run
• add start.exe auto_run command to start all sandboxed auto start locations
• add start.exe /keep_alive command line switch it keeps a process running in the box untill it gracefully terminates
• added "StartCommand=" it starts a complex command through start.exe on box startup
• added menu option to start regedit and load the box reg key

Changed

• changed command prompt icon and string from "terminal" to "command prompt" #1135
• sys tray can now also use the classic icon #963
• reworked box menu layout a bit

fixed

• fixed driver compatybility with windows server 2022 (build 20348) #1143
• fixed issue with creating shortcuts #1134

This is a maintenance release, fixing a few bugs and improving the usability with various small new features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

added

• added clear commands to log sub menus #391
• added option to disable prompt to confirm process termination #514
• added settings to sandboxie-plus.ini "Options/InstantRecovery" to use the recovery window instad of the notification popUp #988
• added ability to rename a non empty sandbox #1100
• added ability to remove a non empty sandbox
• added file browser window to sandman ui to cover the files view functionality of sbie ctrl #578

Changed

• generic error in sbie ui now show the status code as hex and provide a string description when available

fixed

• "del" shortcut to terminate a process did not always work
• fixed group display issue #1094
• fixed issue when using run sandboxed on a file located already in a sandbox #1099

This build adds a new functionality to use Windows Filtering Platform (WFP) to implement a per sandbox firewall.
This functionality needs to be enabled in the global Sandboxie settings, and the driver needs to be reloaded (or the PC rebooted) for the feature to be activated. Once this is done the firewall rules which can be configured in the network options of each sandbox, will be enforced by the driver.
If the WFP support is not enabled the same rules still can be set and are used, but will be applied only by a set of user mode hooks, unlike the WFP implementation they will apply only to outgoing connections and there are no enforcement guarantees as user mode hooks can be bypassed or disabled by a malicious application.

The rational behind implementing this functionality in user and kernel mode (driver) instead of driver only is twofold for once it allows for debugging of the rule processing code as booth modes use the same code to make decisions based on the preset rules. Second the WFP callouts are global i.e. they are triggered for any process on the system whether its sandboxed or not, in the lather case they don't do anything and the use of a hash map to identify sandboxed programs that require action should provide optimal performance. That said users who run a 3rd party firewall which they may prefer may not want to many firewalls being active at once, while still wanting to use some per sandbox network rules for compatibility and not security reasons.

Also please note that with this build the old "BlockPort=..." functionality is completely dropped, the default port block rules are now implemented by the new user mode firewall component, if you have custom BlockPort entries in your sandboxie ini they will need to be updated by hand to the new format, for example "BlockPort=137,138,139,445" -> "NetworkAccess=*,Block;Port=137,138,139,445"

The rules are applied based on a specific decision priority:

1. A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs
2. A rule with a Port or IP trumps a rule without
   2a. A rule with ip and port trums a rule with ip or port only
   2b. A rule with one ip trumps a rule with an ip range that is besides that on the same level
3. Block rules trump allow rules
4. A rule without a protocol means all protocols, a rule with a protocol trumps a rule without if its the only difference

The rule editing UI allows for testing rules, in the row below the rule list one can enter program name, port, ip and protocol to see which rules are in play and which rule will be applied in the end.

When configuring per process network access restrictions and WFP is enabled it is possible to choose between a WFP based approach and the old sandboxie way of blocking the network device end points. The later approach is more absolute, but is know for causing some application to crash.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.9.3 / 5.51.3] - 2021-08-08

added

• ability to use the "run unsandboxed" option with Sandboxie links #614

Fixed

• fixed "run outside sandbox" issue on Classic build #614
• fixed open template does not load the edit tab #1054
• fixed issue with "explore sandboxed" #972
• fixed start directory for sandboxed processes #1071
• fixed issue with language auto-detection #1018
• fixed issue with multiple files with the same name, by always showing the extension #1041
• fixed multiple program grouping issues with the SandMan UI #1054
• fixed "no disk" error #966
• fixed issue with 32bit build using qMake, the -O2 option resulted in a crash in the QSbieAPI.dll #995
• fixed issue with UserSettings introduced in a recent build #1054

[0.9.2 / 5.51.2] - 2021-08-07

Added

• added ability to reconfigure the driver, which allows enabling/disabling WFP and other features without a reload/reboot

Changed

• reorganized and improved the settings window
• improved the tray icon a bit, the sand is now more yellow

Fixed

• fixed issue with process start handling introduced in 5.51.0 #1063
• fixed issue with quick recovery introduced in 5.51.0
• fixed incompatibility with CET Hardware-enforced Stack Protection on Intel 11th gen and AMD Ryzen 5XXX CPUs #1067 #1012

removed

• commented out all Windows XP-specific support code from the driver

[0.9.1 / 5.51.1] - 2021-07-31

Added

• added tray icon indicating broken connection to the driver if it happens
• added option to customize the tray icon
• added "DllSkipHook=some.dll" option to disable installation of hooks into selected DLLs
• added localization support for Plus installer (by yfdyh000 and mpheath) #923

Changed

• reworked NtClose handling for better performance and extendibility
• improved tray box menu and list

Fixed

• fixed issue with fake admin and some NSIS installers #1052
• fixed more issued with FileDispositionInformation behaviour, which resulted in bogus file deletion handling
• fixed issue with checking WFP status
• fixed issue WFP failing to initialize at boot
• fixed issue with tray sandbox options not being available just after boot
• fixed issue access changed flag not being properly set in box options #1065

[0.9.0 / 5.51.0] - 2021-07-29

Added

• added support for Windows Filtering Platform (WFP) to be used instead of the device-based network blocking scheme
  -- to enable this support, add 'NetworkEnableWFP=y' to the global section and reboot or reload the driver
  -- to use WFP for a specific sandbox, add 'AllowNetworkAccess=n'
  -- you can allow certain processes by using 'AllowNetworkAccess=program.exe,y'
  -- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section
  -- in this case you can exempt entire sandboxes by adding 'AllowNetworkAccess=y' to specific boxes
  -- you can block certain processes by using 'AllowNetworkAccess=program.exe,n'
  -- Note: WFP is less absolute than the old approach, using WFP will filter only TCP/UDP communication
  -- restricted boxed processes will still be able to resolve domain names using the system service
  -- however, they will not be able to send or receive data packets directly
  -- the advantages of WFP is that filter rules can be implemented by restricting communication only to specified addresses or selected ports using "NetworkAccess=..."
• added fully functional rule-based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
  -- the mechanism replaces the old "BlockPort=..." functionality
  -- Note: this filter applies only to outgoing connections/traffic, for incoming traffic either the WFP mode or a third-party firewall is needed
  -- like the old user mode based mechanism, malicious applications can bypass it by unhooking certain functions
  -- hence it's recommended to use the kernel mode WFP-based mechanism when reliable isolation is required
• added new trace option "NetFwTrace=*" to trace the actions of the firewall components
  -- please note that the driver only trace logs the kernel debug output, use DbgView.exe to log
• API_QUERY_PROCESS_INFO can now be used to get the impersonation token of a sandboxed thread
  -- Note: this capability is used by TaskExplorer to allow inspecting sandbox-internal tokens
  -- Note: a process must have administrative privileges to be able to use this API
• added a UI option to switch "MsiInstallerExemptions=y" on and off
  -- just in case a future Windows build breaks something in the systemless mode
• added sample code for ObRegisterCallbacks to the driver
• added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" that allow to disable file and registry filtering
  -- Note: these options are for testing only and disable core parts of the sandbox isolation
• added a few command line options to SandMan.exe

Changed

• greatly improved the performance of the trace log, but it's no longer possible to log to both SandMan and SbieCtrl at the same time
• reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination

Fixed

• added missing hook for ConnectEx function

This build finalizes the rework started with 0.9.0 and fixes a major issue with chrome on 11th gen intel and 5xxxX amd cpu's

See release 0.9.0 for more details about the new features: https://github.com/sandboxie-plus/Sandboxie/releases/tag/0.9.0a

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.9.2 / 5.51.2] - 2021-08-07

Added

• added ability to reconfigure teh driver, allowing to enable/disable WFP and otehr features without a reload/reboot

Fixed

• fixed issue with process start handling introduced in 5.51.0 #1063
• fixed issue with quick recovery introduced in 5.51.0
• fixed incompatybility with CET Hardware-enforced Stack Protection on intel 11th gen and AMD 5xxxX cpu's #1067 #1012

removed

• commented out all windows xp specific support code

This build is a Test build, testing the new functionality to use Windows Filtering Platform (WFP) to implement a per sandbox firewall.
This functionality needs to be enabled in the global Sandboxie settings, and the driver needs to be reloaded (or the PC rebooted) for the feature to be activated. Once this is done the firewall rules which can be configured in the network options of each sandbox, will be enforced by the driver.

See release 0.9.0 for more details about this feature: https://github.com/sandboxie-plus/Sandboxie/releases/tag/0.9.0a

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.9.1 / 5.51.1] - 2021-07-31

Added

• added tray icon indicating no connection to the driver if it happens
• added option to customize the tray icon
• added "DllSkipHook=some.dll" option to disable installation of hooks into selected DLLs
• added localization support for Plus installer (by yfdyh000 and mpheath) #923

Changed

• reworked NtClose handling for better performance and extendibility
• improved tray box menu and list

Fixed

• fixed issue with fake admin and some NSIS installers #1052
• fixed more issued with FileDispositionInformation behaviour, which resulted in bogus file deletion handling
• fixed issue with checking WFP status
• fixed issue WFP failing to initialize at boot
• fixed issue with tray sandbox options not being available just after boot
• fixed issue access changed flag not being proeprly set in box options #1065

This build is a Test build, a BETA RELEASE, testing the new functionality to use Windows Filtering Platform (WFP) to implement a per sandbox firewall.
This functionality needs to be enabled in the global Sandboxie settings, and the driver needs to be reloaded (or the PC rebooted) for the feature to be activated. Once this is done the firewall rules which can be configured in the network options of each sandbox, will be enforced by the driver.
If the WFP support is not enabled the same rules still can be set and are used, but will be applied only by a set of user mode hooks, unlike the WFP implementation they will apply only to outgoing connections and there are no enforcement guarantees as user mode hooks can be bypassed or disabled by a malicious application.

The rational behind implementing this functionality in user and kernel mode (driver) instead of driver only is twofold for once it allows for debugging of the rule processing code as booth modes use the same code to make decisions based on the preset rules. Second the WFP callouts are global i.e. they are triggered for any process on the system whether its sandboxed or not, in the lather case they don't do anything and the use of a hash map to identify sandboxed programs that require action should provide optimal performance. That said users who run a 3rd party firewall which they may prefer may not want to many firewalls being active at once, while still wanting to use some per sandbox network rules for compatibility and not security reasons.

Also please note that with this build the old "BlockPort=..." functionality is completely dropped, the default port block rules are now implemented by the new user mode firewall component, if you have custom BlockPort entries in your sandboxie ini they will need to be updated by hand to the new format, for example "BlockPort=137,138,139,445" -> "NetworkAccess=*,Block;Port=137,138,139,445"

The rules are applied based on a specific decision priority:

1. A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs
2. A rule with a Port or IP trumps a rule without
   2a. A rule with ip and port trums a rule with ip or port only
   2b. A rule with one ip trumps a rule with an ip range that is besides that on the same level
3. Block rules trump allow rules
4. A rule without a protocol means all protocols, a rule with a protocol trumps a rule without if its the only difference

The rule editing UI allows for testing rules, in the row below the rule list one can enter program name, port, ip and protocol to see which rules are in play and which rule will be applied in the end.

When configuring per process network access restrictions and WFP is enabled it is possible to choose between a WFP based approach and the old sandboxie way of blocking the network device end points. The later approach is more absolute, but is know for causing some application to crash.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added support for Windows Filtering Platform (WFP) to be used instead of the device-based network blocking scheme
  -- to enable this support, add 'NetworkEnableWFP=y' to the global section and reboot or reload the driver
  -- to use WFP for a specified sandbox, add 'AllowNetworkAccess=n' to said box
  -- you can exempt certain processes from blocking by using 'AllowNetworkAccess=program.exe,y'
  -- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section
  -- in this case you can exempt entire boxes by adding 'AllowNetworkAccess=n' to said boxes
  -- specifying 'AllowNetworkAccess=program.exe,n' will block the access only for the named process
  -- Note: WFP is less absolute than the old approach, using WFP will filter only TCP/UDP communication
  -- restricted boxed processes will still be able to resolve domain names using the system service
  -- however, they will not be able to send or receive data packets directly
  -- the advantages of WFP is that filter rules can be implemented by restricting communication only to specified addresses or selected ports using "NetworkAccess=..."
• added fully functional rule-based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
  -- the mechanism replaces the old "BlockPort=..." functionality
  -- Note: this filter applies only to outgoing connections/traffic, for incoming traffic either the WFP mode or a third-party firewall is needed
  -- like the old user mode based mechanism, malicious applications can bypass it by unhooking certain functions
  -- hence it's recommended to use the kernel mode WFP-based mechanism when reliable isolation is required
  -- Note: the main reason this mechanism was added in user mode is to allow for easier debugging
• added new trace option "NetFwTrace=*" to trace the actions of the firewall components
  -- please note that the driver only trace logs the kernel debug output, use DbgView.exe to log
• API_QUERY_PROCESS_INFO can now be used to get the impersonation token of a sandboxed thread
  -- Note: this capability is used by TaskExplorer to allow inspecting sandbox-internal tokens
  -- Note: a process must have administrative privileges to be able to use this API
• added a UI option to switch "MsiInstallerExemptions=y" on and off
  -- just in case, if a future Windows build breaks something in the systemless mode
• added sample code for ObRegisterCallbacks to the driver
• added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" that allow to disable file and registry filtering
  -- Note: these options are for testing only and disable core parts of the sandbox isolation
• added a few command line options to SandMan.exe

Changed

• greatly improved the performance of the trace log, but it's no longer possible to log to both SandMan and SbieCtrl at the same time
• changed code integrity verification policies
  -- code signature validation of user mode components is disabled when Windows is booted in test-signing mode
• reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination

Fixed

• added missing hook for ConnectEx function

This build is a maintenance release, it fixes various minor issues with the 0.8.8 release

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.8.9 / 5.50.9] - 2021-07-28 HotFix 2

Fixed

Fixed issue with registering session leader

[0.8.9 / 5.50.9] - 2021-07-28 HotFix 1

Fixed

Fixed issue with windows 7

[0.8.9 / 5.50.9] - 2021-07-27

Changed

• updated a few icons
• updated GitHub build action to use Qt 5.15.2
• improved the "full" tray icon to be more distinguishable from the "empty" one
• changed code integrity verification policies
  -- code signature is no longer required to change config, to protect presets use the existing "EditAdminOnly=y"

Fixed

• fixed issue with systemless MSI mode introduced in the last build
• fixed MSI installer not being able to create the action server mechanism on Windows 11
• fixed MSI installer not working in systemless mode on Windows 11
• fixed Inno Setup script not being able to remove shell integration keys during Sandboxie Plus uninstall (by mpheath) #1037

This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.8.8 / 5.50.8] - 2021-07-13

Changed

• MSIServer no longer requires being run as system; this completes the move to not use system tokens in a sandbox by default
  -- the security-enhanced option "MsiInstallerExemptions=n" is now the default behaviour

Fixed

• fixed issue with the "Explore Sandboxed" command #972
• rolled back the switch from using NtQueryKey to NtQueryObject as it seems to break some older Windows 10 versions like 1803 #984
  -- this change was introduced to fix #951
  -- to use NtQueryObject the option "UseObjectNameForKeys=y" can be added to Sandboxie.ini

[0.8.7b / 5.50.7] - 2021-07-11

Fixed

• fixed issue with boxes that had auto-delete activated introduced in the previous build #986

[0.8.7 / 5.50.7] - 2021-07-10

Added

• added option to always auto-pick the DefaultBox #959
  -- when this option is enabled, the normal behaviour with a box selection dialog can be brought up by holding down CTRL
• added option to hide a sandbox from the "run in box" dialog
  -- useful to avoid listing insecure compatibility test boxes for example
• added box options to system tray #439 #272

Changed

• changed default "terminate all boxed processes" key from Ctrl+Pause to Ctrl+Alt+Pause #974
• Start.exe no longer links in unused MFC code, which reduced its file size from over 2.5 MB to below 250 KB
• updated the main SandMan and tray icon #963
• improved the box tree-style view

Fixed

• added additional delay and retries to KmdUtil.exe to mitigate issues when unloading the driver #968
• fixed issue with SbieCtrl not being properly started after setup #969
• fixed issue with "explore sandboxed" shell option #972
• fixed issue when running SandMan elevated #932
• fixed new box selection dialog showing disabled boxes
• fixed issue updating box active status

Removed

• removed Online Armor support as this product is deprecated since 2016

[0.8.6 / 5.50.6] - 2021-07-07

Added

• added LibreWolf template (by Dyras) #929

Fixed

• fixed performance bug introduced in 0.8.5

[0.8.5 / 5.50.5] - 2021-07-06

Added

• added global hotkey to terminate all sandboxed processes (default: Ctrl+Pause)
• the Run Sandboxed dialog can now be handled by the SandMan UI
• added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
  -- Note: this allows Chrome and other programs to use the job system for additional isolation
• added Librewolf.exe to the list of Firefox derivatives #927
• added run regedit sandboxed menu command
• added new support settings tab to SandMan UI for updates and news
• added code integrity verification to Sbie service and UI
• added template for Vivaldi Notes (by isaak654) #948

Changed

• replaced the Process List used by the driver with a much faster Hash Map implementation
  -- Note: this change provides an almost static system call speed of 1.2µs regardless of the running process count
  -- The old list, with 100 programs running required 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
  -- Note: some of the slowdown was also affecting non-sandboxed applications due to how the driver handles certain callbacks
• replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
• replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
  -- not yet enabled in production build
• the presence of the default box is only checked on connect
• the portable directory dialog now shows the directory #924
• when terminated, boxed processes now first try doing that by terminating the job object
• the driver now can terminate problematic processes by default without the help of the service
• the box delete routine now retries up to 10 times, see #954
• replaced the Process List used by the service with a much faster Hash Map implementation
• replaced the per-process Thread List used by the service with a much faster Hash Map implementation

Fixed

• fixed faulty initialization in SetServiceStatus (by flamencist) #921
• fixed buttons position in Classic UI settings (by isaak654) #914
• fixed missing password length check in the SandMan UI #925
• fixed issues opening job objects by name
• fixed missing permission check when reopening job object handles (thanks Diversenok)
• fixed issue with some Chromium 90+ hooks affecting the display of PDFs in derived browsers #930 #817
• fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
• fixed minor setting issue #957
• fixed minor UI issue with resource access COM settings #958
• fixed an issue with NtQueryKey using NtQueryObject instead #951
• fixed crash in key.c when failing to resolve key paths
• added workaround for topmost modality issue #873
  -- the notification window is not only topmost for 5 seconds
• fixed an issue deleting directories introduced in 5.49.5
• fixed an issue when creating box copies

Removed

• removed switch for "BlockPassword=n" as it does not seem to be working #938
  -- it's recommended to use "OpenSamEndpoint=y" to allow password changes in Windows 10

This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.8.7b / 5.50.7] - 2021-07-11 (Hot-Fix 2)

Fixed

• fixed issue with boxes that had auto-delete activated introduced in the previous build #986

[0.8.7 / 5.50.7] - 2021-07-10

Added

• added option to always auto-pick the DefaultBox #959
  -- when this option is enabled, the normal behaviour with a box selection dialog can be brought up by holding down CTRL
• added option to hide a sandbox from the "run in box" dialog
  -- useful to avoid listing insecure compatibility test boxes for example
• added box options to system tray #439 #272

Changed

• changed default "terminate all boxed processes" key from Ctrl+Pause to Ctrl+Alt+Pause #974
• Start.exe no longer links in unused MFC code, which reduced its file size from over 2.5 MB to below 250 KB
• updated the main SandMan and tray icon #963
• improved the box tree-style view

Fixed

• added additional delay and retries to KmdUtil.exe to mitigate issues when unloading the driver #968
• fixed issue with SbieCtrl not being properly started after setup #969
• fixed issue with "explore sandboxed" shell option #972
• fixed issue when running SandMan elevated #932
• fixed new box selection dialog showing disabled boxes
• fixed issue updating box active status

Removed

• removed Online Armor support as this product is deprecated since 2016

[0.8.6 / 5.50.6] - 2021-07-07 (Hot-Fix 1)

Added

• added LibreWolf template (by Dyras) #929

Fixed

• fixed performance bug introduced in 0.8.5

[0.8.5 / 5.50.5] - 2021-07-06 (Pre-Release)

Added

• added global hotkey to terminate all sandboxed processes (default: Ctrl+Pause)
• the Run Sandboxed dialog can now be handled by the SandMan UI
• added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
  -- Note: this allows Chrome and other programs to use the job system for additional isolation
• added Librewolf.exe to the list of Firefox derivatives #927
• added run regedit sandboxed menu command
• added new support settings tab to SandMan UI for updates and news
• added code integrity verification to Sbie service and UI
• added template for Vivaldi Notes (by isaak654) #948

Changed

• replaced the Process List used by the driver with a much faster Hash Map implementation
  -- Note: this change provides an almost static system call speed of 1.2µs regardless of the running process count
  -- The old list, with 100 programs running required 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
  -- Note: some of the slowdown was also affecting non-sandboxed applications due to how the driver handles certain callbacks
• replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
• replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
  -- not yet enabled in production build
• the presence of the default box is only checked on connect
• the portable directory dialog now shows the directory #924
• when terminated, boxed processes now first try doing that by terminating the job object
• the driver now can terminate problematic processes by default without the help of the service
• the box delete routine now retries up to 10 times, see #954
• replaced the Process List used by the service with a much faster Hash Map implementation
• replaced the per-process Thread List used by the service with a much faster Hash Map implementation

Fixed

• fixed faulty initialization in SetServiceStatus (by flamencist) #921
• fixed buttons position in Classic UI settings (by isaak654) #914
• fixed missing password length check in the SandMan UI #925
• fixed issues opening job objects by name
• fixed missing permission check when reopening job object handles (thanks Diversenok)
• fixed issue with some Chromium 90+ hooks affecting the display of PDFs in derived browsers #930 #817
• fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
• fixed minor setting issue #957
• fixed minor UI issue with resource access COM settings #958
• fixed an issue with NtQueryKey using NtQueryObject instead #951
• fixed crash in key.c when failing to resolve key paths
• added workaround for topmost modality issue #873
  -- the notification window is not only topmost for 5 seconds
• fixed an issue deleting directories introduced in 5.49.5
• fixed an issue when creating box copies

Removed

• removed switch for "BlockPassword=n" as it does not seem to be working #938
  -- it's recommended to use "OpenSamEndpoint=y" to allow password changes in Windows 10

This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.8.7 / 5.50.7] - 2021-07-10

Added

• added option to always auto pick the DefautlBox sandbox #959
  -- when this option is enabled the normal behavioure with a box selection dialog can be achived holding down CTRL
• added option to hide boxed form the run in box dialog
  -- usefull to avoidl listing for example insecure compatybility test boxes
• added box options to sys tray #439 #272

Changed

• changed default terminate all boxed processes key from Ctrl+Break to Ctrl+Alt+Break #974
• start.exe does no longer link in all that unused MFC code reduced file size form over 2.5MB to below 250KB
• updated the main sandman and tray icon #963
• improved the bov view tree style

Fixed

• added additional delay and retryes to kmdutill.exe to mitigate issues when unloading the driver #968
• fixed issue with sbiectrl not being properly started after setup #969
• fixed issue with explore sandboxed shell option #972
• fixed issue when running sandman elevated #932
• fixed new box selection dialog showing disabled boxes
• fixed issue updating box active status

Removed

• removed Online Armor support as this product is deprecated since 2016

[0.8.6 / 5.50.6] - 2021-07-07 (Hot-Fix)

Added

• added LibreWolf template (by Dyras) #929

Fixed

• fixed performance bug introduced in 0.8.5

[0.8.5 / 5.50.5] - 2021-07-06 (Pre-Release)

Added

• added global hotkey to terminate all boxed processes (by default Ctrl+Break)
• the Run Sandboxed dialog can now be handled by the Sandman UI.
• added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
  -- note: this allows Chrome and other programs to use the job system for additional isolation
• added librewolf.exe to the list of Firefox derivatives #927
• added run regedit sandboxed menu command
• added new support settings tab to Sandman UI for updates and stuff
• added code integrity verification to Sbie service and UI
• added template for Vivaldi Notes (by isaak654) #948
• added LibreWolf template (by Dyras) #929

Changed

• Replaced the Process List used by the driver with a much faster Hash Map implementation
  -- Note: this change provides an almost static system call speed of 1.2us irregardless of the running process count
  -- The old list, with 100 programs running required: 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
  -- Note: some of the slowdown was affecting also non sandboxed applications due to how the driver handles certain callbacks
• Replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
• Replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
  -- not yet enabled in production build
• the presence of default box is only checked on connect
• the portable dir dialog now shows the directory #924
• when terminated boxed processes now we first try doing that by terminating the job object
• the driver now by default can terminate problematic processes without the help of the service
• box delete routine now retries up to 10 times to fix #954
• Replaced the Process List used by the service with a much faster Hash Map implementation
• Replaced the per-process Thread List used by the service with a much faster Hash Map implementation

Fixed

• fixed faulty initialization in SetServiceStatus (by flamencist) #921
• fixed buttons position in Classic UI settings (by isaak654) #914
• fixed missing password length check in the Sandman UI #925
• fixed issues opening job objects by name
• fixed missing permission check when reopening job object handles (thanks Diversenok)
• fixed issue with some Chromium 90+ hooks affecting PDF plugin in derived browsers #930 #817
• fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
• fixed minor setting issue #957
• fixed minor UI issue with resource access COM settings #958
• fixed an issue with NtQueryKey using NtQueryObject instead #951
• fixed crash in key.c when failing to resolve key paths
• added workaround for topmost modality issue #873
  -- the notification window is not only topmost for 5 seconds
• fixed an issue deleting directories introduced in 5.49.5
• fixed an issue when creating box copies

Removed

• removed switch for "BlockPassword=n" as it does not seem to be working #938
  -- it's recommended to use "OpenSamEndpoint=y" to allow for password change in windows 10

This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added global hotkey to terminate all boxed processes (by default Ctrl+Break)
• the Run Sandboxed dialog can now be handled by the Sandman UI.
• added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
  -- note: this allows Chrome and other programs to use the job system for additional isolation
• added librewolf.exe to the list of Firefox derivatives #927
• added run regedit sandboxed menu command
• added new support settings tab to Sandman UI for updates and stuff
• added code integrity verification to Sbie service and UI
• added template for Vivaldi Notes (by isaak654) #948
• added LibreWolf template (by Dyras) #929

Changed

• Replaced the Process List used by the driver with a much faster Hash Map implementation
  -- Note: this change provides an almost static system call speed of 1.2us irregardless of the running process count
  -- The old list, with 100 programs running required: 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
  -- Note: some of the slowdown was affecting also non sandboxed applications due to how the driver handles certain callbacks
• Replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
• Replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
  -- not yet enabled in production build
• the presence of default box is only checked on connect
• the portable dir dialog now shows the directory #924
• when terminated boxed processes now we first try doing that by terminating the job object
• the driver now by default can terminate problematic processes without the help of the service
• box delete routine now retries up to 10 times to fix #954
• Replaced the Process List used by the service with a much faster Hash Map implementation
• Replaced the per-process Thread List used by the service with a much faster Hash Map implementation

Fixed

• fixed faulty initialization in SetServiceStatus (by flamencist) #921
• fixed buttons position in Classic UI settings (by isaak654) #914
• fixed missing password length check in the Sandman UI #925
• fixed issues opening job objects by name
• fixed missing permission check when reopening job object handles (thanks Diversenok)
• fixed issue with some Chromium 90+ hooks affecting PDF plugin in derived browsers #930 #817
• fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
• fixed minor setting issue #957
• fixed minor UI issue with resource access COM settings #958
• fixed an issue with NtQueryKey using NtQueryObject instead #951
• fixed crash in key.c when failing to resolve key paths
• added workaround for topmost modality issue #873
  -- the notification window is not only topmost for 5 seconds
• fixed an issue deleting directories introduced in 5.49.5
• fixed an issue when creating box copies
• fixed performance bug introduced in 0.8.5

Removed

• removed switch for "BlockPassword=n" as it does not seem to be working #938
  -- it's recommended to use "OpenSamEndpoint=y" to allow for password change in windows 10