This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added global hotkey to terminate all boxed processes (by default Ctrl+Break)
• the Run Sandboxed dialog can now be handled by the Sandman UI.
• added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
  -- note: this allows Chrome and other programs to use the job system for additional isolation
• added librewolf.exe to the list of Firefox derivatives #927
• added run regedit sandboxed menu command
• added new support settings tab to Sandman UI for updates and stuff
• added code integrity verification to Sbie service and UI
• added template for Vivaldi Notes (by isaak654) #948

Changed

• Replaced the Process List used by the driver with a much faster Hash Map implementation
  -- Note: this change provides an almost static system call speed of 1.2us irregardless of the running process count
  -- The old list, with 100 programs running required: 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
  -- Note: some of the slowdown was affecting also non sandboxed applications due to how the driver handles certain callbacks
• Replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
• Replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
  -- not yet enabled in production build
• the presence of default box is only checked on connect
• the portable dir dialog now shows the directory #924
• when terminated boxed processes now we first try doing that by terminating the job object
• the driver now by default can terminate problematic processes without the help of the service
• box delete routine now retries up to 10 times to fix #954
• Replaced the Process List used by the service with a much faster Hash Map implementation
• Replaced the per-process Thread List used by the service with a much faster Hash Map implementation

Fixed

• fixed faulty initialization in SetServiceStatus (by flamencist) #921
• fixed buttons position in Classic UI settings (by isaak654) #914
• fixed missing password length check in the Sandman UI #925
• fixed issues opening job objects by name
• fixed missing permission check when reopening job object handles (thanks Diversenok)
• fixed issue with some Chromium 90+ hooks affecting PDF plugin in derived browsers #930 #817
• fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
• fixed minor setting issue #957
• fixed minor UI issue with resource access COM settings #958
• fixed an issue with NtQueryKey using NtQueryObject instead #951
• fixed crash in key.c when failing to resolve key paths
• added workaround for topmost modality issue #873
  -- the notification window is not only topmost for 5 seconds
• fixed an issue deleting directories introduced in 5.49.5
• fixed an issue with box copies

Removed

• removed switch for "BlockPassword=n" as it does not seem to be working #938
  -- it's recommended to use "OpenSamEndpoint=y" to allow for password change in windows 10

This build fixes many issues and brings usability improvements.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• Sandboxie now applies by default "Close...=!,..." directives to non-excluded images if they are located in a sandbox
  -- added 'AlwaysCloseForBoxed=n' to disable this behaviour as it may not be always desired, and it doesn't provide extra security
• added process image information to Sandman UI
• localized template categories in the Plus UI
• added "DisableResourceMonitor=y" to disable resource access monitor for selected boxes
• added option to show trace entries only for the selected sandbox
• added "UseVolumeSerialNumbers=y" that allows drive letters to be suffixed with the volume SN in the \drive\ sandbox location
  -- it helps to avoid files mixed together on multiple pendrives using the same letter
  -- note: this option is not compatible with the recovery function of the Classic UI, only SandMan UI is fully compatible

Changed

• portable cleanup message now has y/n/c options
• consolidated Proc_CreateProcessInternalW and Proc_CreateProcessInternalW_RS5 to remove duplicate code
• the ElevateCreateProcess fix, as sometimes applied by the Program Compatibility Assistant, will no longer be emulated by default
  -- use 'ApplyElevateCreateProcessFix=y' or 'ApplyElevateCreateProcessFix=program.exe,y' to enable it
• trace log gets disabled only when it has no entries and the logging is stopped

Fixed

• fixed APC issue with the new global hook emulation mechanism and WoW64 processes
• fixed IPv6 issues with BlockPort options
• fixed an issue with CheatEngine when "OpenWinClass=*" was specified
• fixed memory corruption in SbieDrv
• fixed crash issue with process elevation on CreateProcess calls
• fixed process elevation when running in the built-in administrator account
• fixed template preview resetting unsaved entries in box options window
• fixed an issue with driver verifier and user handles
• fixed driver memory leak of FLT_FILE_NAME_INFORMATION objects
• fixed broken clipboard introduced in 5.50.0
• fixed dcom launch issue on windows 7 32 bit introduced in 5.50.0
• properly fixed an issue with Driver Verifier and user handles
• fixed an issue with CreateWindow function introduced with 0.8.0
• fixed issue with outdated BoxDisplayOrder entries being retained

This build fixes many issues and brings usability improvements.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• Sandboxie now applies by default "Close...=!,..." directives to non-excluded images if they are located in a sandbox
  -- added 'AlwaysCloseForBoxed=n' to disable this behaviour as it may not be always desired, and it doesn't provide extra security
• added process image information to Sandman UI
• localized template categories in the Plus UI
• added "DisableResourceMonitor=y" to disable resource access monitor for selected boxes
• added option to show trace entries only for the selected sandbox
• added "UseVolumeSerialNumbers=y" that allows drive letters to be suffixed with the volume SN in the \drive\ sandbox location
  -- it helps to avoid files mixed together on multiple pendrives using the same letter
  -- note: this option is not compatible with the recovery function of the Classic UI, only SandMan UI is fully compatible

Changed

• portable cleanup message now has y/n/c options
• consolidated Proc_CreateProcessInternalW and Proc_CreateProcessInternalW_RS5 to remove duplicate code
• the ElevateCreateProcess fix, as sometimes applied by the Program Compatibility Assistant, will no longer be emulated by default
  -- use 'ApplyElevateCreateProcessFix=y' or 'ApplyElevateCreateProcessFix=program.exe,y' to enable it
• trace log gets disabled only when it has no entries and the logging is stopped

Fixed

• fixed APC issue with the new global hook emulation mechanism and WoW64 processes
• fixed IPv6 issues with BlockPort options
• fixed an issue with CheatEngine when "OpenWinClass=*" was specified
• fixed memory corruption in SbieDrv
• fixed crash issue with process elevation on CreateProcess calls
• fixed process elevation when running in the built-in administrator account
• fixed template preview resetting unsaved entries in box options window
• fixed an issue with driver verifier and user handles
• fixed driver memory leak of FLT_FILE_NAME_INFORMATION objects
• fixed broken clipboard introduced in 5.50.0
• fixed dcom launch issue on windows 7 32 bit introduced in 5.50.0

This build fixes many issues and brings usability improvements.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• Sandboxie now applies by default "Close...=!,..." directives to non-excluded images if they are located in a sandbox
  -- added 'AlwaysCloseForBoxed=n' to disable this behaviour as it may not be always desired, and it doesn't provide extra security
• added process image information to Sandman UI
• localized template categories in the Plus UI
• added "DisableResourceMonitor=y" to disable resource access monitor for selected boxes
• added option to show trace entries only for the selected sandbox
• added "UseVolumeSerialNumbers=y" that allows drive letters to be suffixed with the volume SN in the \drive\ sandbox location
  -- it helps to avoid files mixed together on multiple pendrives using the same letter
  -- note: this option is not compatible with the recovery function of the Classic UI, only SandMan UI is fully compatible

Changed

• portable cleanup message now has y/n/c options
• consolidated Proc_CreateProcessInternalW and Proc_CreateProcessInternalW_RS5 to remove duplicate code
• the ElevateCreateProcess fix, as sometimes applied by the Program Compatibility Assistant, will no longer be emulated by default
  -- use 'ApplyElevateCreateProcessFix=y' or 'ApplyElevateCreateProcessFix=program.exe,y' to enable it
• trace log gets disabled only when it has no entries and the logging is stopped

Fixed

• fixed APC issue with the new global hook emulation mechanism and WoW64 processes
• fixed IPv6 issues with BlockPort options
• fixed an issue with CheatEngine when "OpenWinClass=*" was specified
• fixed memory corruption in SbieDrv
• fixed crash issue with process elevation on CreateProcess calls
• fixed process elevation when running in the built-in administrator account
• fixed template preview resetting unsaved entries in box options window

This build fixes many issues wich chrome and chromium based browsers

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• with "OpenClipboard=n" clipboard access for a sandbox can be now disabled

Changed

• now by default the OpenBluetooth template is enabled to enable compatybility with unity games
• "PreferExternalManifest=program.exe,y" can now be set on a per process basis

Fixed

• fixed compiled issues with the most recent vs2019 update
• fixed issue with vivaldi browser
• fixed some issues with box options in the plus ui
• fixed some issues with hw acceleration in chromium based browsers
• the stop all command now issues "kmdutill scandll" first to solve issues when the SbieDll.Dll is in use
• workaround for electorn apps, by forcing a additional commandline argument on the gpu renderer process

This build fixes many issues and improves on two important core mechanics.
Additionally it solves the signature issue with windows 7 the provisionally signed driver shouldn't be longer needed.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added "UseSbieWndStation=y" to emulate CreateDesktop for selected processes, not only for Firefox and Chrome
• added option to drop the console host process integrity, now you can use "DropConHostIntegrity=y"
• added option to easily add local templates
• added option to disable file migration prompt
• added UI options for variouse security isolation features
• added missing functionality to set template values in the plus UI

Changed

• reworked window hooking mechanism to improve performance
  -- resolves issues with file save dialogs taking 30+ sec to open
  -- this fix greatly improves the win32 GUI performance of sandboxed processes
• reworked RPC resolver to be ini configurable
  -- the following options are now deprecated:
  --- "UseRpcMgmtSetComTimeout=some.dll,n", so use "RpcPortBinding=some.dll,*,TimeOut=y"
  --- "OpenUPnP=y", "OpenBluetooth=y", "OpenSmartCard=n" use the new templates instead
  -- See the Templates.ini for usage examples
• Align default settings of AutoRecover and Favorites to the Plus version (thanks isaak654)
• list of email clients and browsers is now centralized on Dll_GetImageType

Fixed

• fixed process-specific hooks being applied to all processes in a given sandbox
• fixed issue with messages and templates sometimes not being properly displayed in the SandMan UI
• fixed issue with compatibility settings not being applied properly
• fixed auto delete issue that got introduced with 0.7.1
• fixed issue with NtSetInformationFile, FileDispositionInformation resulting in Opera installer failing
• fixed issue with MacType introduced in the 0.7.2 build
• fixed global sandboxed windows hooks not working when window rename option is disabled
• fixed issue with saving local templates
• fixed issue when using runas to start a process that was created outside of the Sandboxie supervision
  -- since the runas facility is not accessible by default, this did not constitute a security issue
  -- to enable runas functionality, add "OpenIpcPath=\RPC Control\SECLOGON" to your Sandboxie.ini
  -- please take note that doing so may open other yet unknown issues
• fixed a driver compatibility issue with Windows 10 32 bit Insider Preview Build 21337
• fixed issues with driver signature for windows 7
• fixed minor issue with logging internet blocks
• fixed issue with file recovery when located on a network share
• fixed ui issue with CallTrace
• fixed crated sandbox links gettign double extension
• fixed misplaced labels in the classic ui (thanks isaak654)
• fixed separator line in Sbiectrl (thanks isaak654)

This build fixes many issues and improves on two important core mechanics.
Additionally it solves the signature issue with windows 7 the provisionally signed driver shouldn't be longer needed.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added "UseSbieWndStation=y" to emulate CreateDesktop for selected processes, not only for Firefox and Chrome
• added option to drop the console host process integrity, now you can use "DropConHostIntegrity=y"
• added option to easily add local templates

Changed

• reworked window hooking mechanism to improve performance
  -- resolves issues with file save dialogs taking 30+ sec to open
  -- this fix greatly improves the win32 GUI performance of sandboxed processes
• reworked RPC resolver to be ini configurable
  -- the following options are now deprecated:
  --- "UseRpcMgmtSetComTimeout=some.dll,n", so use "RpcPortBinding=some.dll,*,TimeOut=y"
  --- "OpenUPnP=y", "OpenBluetooth=y", "OpenSmartCard=n" use the new templates instead
  -- See the Templates.ini for usage examples

Fixed

• fixed process-specific hooks being applied to all processes in a given sandbox
• fixed issue with messages and templates sometimes not being properly displayed in the SandMan UI
• fixed issue with compatibility settings not being applied properly
• fixed auto delete issue that got introduced with 0.7.1
• fixed issue with NtSetInformationFile, FileDispositionInformation resulting in Opera installer failing
• fixed issue with MacType introduced in the 0.7.2 build
• fixed global sandboxed windows hooks not working when window rename option is disabled
• fixed issue with saving local templates
• fixed issue when using runas to start a process that was created outside of the Sandboxie supervision
  -- since the runas facility is not accessible by default, this did not constitute a security issue
  -- to enable runas functionality, add "OpenIpcPath=\RPC Control\SECLOGON" to your Sandboxie.ini
  -- please take note that doing so may open other yet unknown issues
• fixed a driver compatibility issue with Windows 10 32 bit Insider Preview Build 21337
• fixed issues with driver signature for windows 7

This build fixes again a few security issues, as well as brings some new functionality and expands on the tracing features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[0.7.2 / 5.49.0] - 2021-03-05

Added

• added option to alter reported Windows version "OverrideOsBuild=7601" for Windows 7 SP1
• the trace log can now be structured like a tree with processes as root items and threads as branches

Changed

• SandboxieCrypto now always migrates the CatRoot2 files in order to prevent locking of real files
• greatly improved trace log performance
• MSI Server can now run with the "FakeAdminRights=y" and "DropAdminRights=y" options
  -- special service allowance for the MSI Server can be disabled with "MsiInstallerExemptions=n"
• changed SCM access check behaviour; non elevated users can now start services with a user token
  -- elevation is now only required to start services with a system token
• reworked the trace log mechanism to be more verbose
• reworked RPC mechanism to be more flexible

Fixed

• fixed issues with some installers introduced in 5.48.0
• fixed "add user to sandbox" in the Plus UI
• FIXED SECURITY ISSUE: the HostInjectDll mechanism allowed for local privilege escalation (thanks hg421)
• Classic UI no longer allows to create a sandbox with an invalid or reserved device name

This build fixes again a few security issues, as well as brings some new functionality and expands on the tracing features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• sandboxed indicator for tray icons, the tooltip now contains [#] if enabled
• the trace log buffer can now be adjusted with "TraceBufferPages=2560"
  -- the value denotes the count of 4k large pages to be used, here for a total of 10 MB
• new functionality to the list finder
• Enchanced RpcMgmtSetComTimeout handing with "UseRpcMgmtSetComTimeout=some.dll,n"
  -- this option allows to specify for each individual dll if RpcMgmtSetComTimeout should be used or not
  -- this setting takes precedence over hard coded and per process presets
  -- "UseRpcMgmtSetComTimeout=some.dll" and "UseRpcMgmtSetComTimeout=some.dll,y" are equivalent
• Added "FakeAdminRights=y" option that makes processes in a given box think thay have admin permissions
  -- this option is recomended to be used in combination with "DropAdminRights=y" to improve securits
  -- With "FakeAdminRights=y" and "DropAdminRights=y" installers should still work
• added RPC support for SSDP API (the Simple Service Discovery Protocol), Enable with "OpenUPnP=y"

Changed

• improved RPC debugging
• improved IPC handling around RpcMgmtSetComTimeout
  -- required exceptions have been hard coded for specific calling dll's
• the LogApi dll is now using Sbies tracing facility to logg events instead of an own pipe server
• SbieCrypto no longer triggers message 1313
• changed enum process API now more (no limit) than 511 proceses per box can be enumerated
• Reorganized box settings a bit
• Made COM tracing more verbose

Fixed

• FIXED SECURITY ISSUE: elevated sandboxed processes could access volumes/disks for reading (thanks hg421)
• fixed crash issue around SetCurrentProcessExplicitAppUserModelID observed with GoogleUpdate.exe
• fixed issue with resource monitor sort by timestamp
• FIXED SECURITY ISSUE: a race condition in the driver allowed to obtain a elevated rights handle to a process (thanks typpos)
• FIXED SECURITY ISSUE: "\RPC Control\samss lpc" is now filtered by the driver (thanks hg421)
  -- this allowed elevated processes to change passwords, delete users and alike, to disable filtering use "OpenSamEndpoint=y"
• FIXED SECURITY ISSUE: "\Device\DeviceApi\CMApi" is now filtered by the driver (thanks hg421)
  -- this allowed elevated processes to change hardware configuration, to disable filtering use "OpenDevCMApi=y"
• fixed issues with webcam access when the DevCMApi filtering is in place
• fixed issue with free download manager for 'AppXDeploymentClient.dll' RpcMgmtSetComTimeout=y is used
• fixed not all WinRM files were blocked by the driver, with "BlockWinRM=n" this file block can be disabled

This build fixes again a few security issues, as well as brings some new functionality and expands on the tracing features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• sandboxed indicator for tray icons, the tooltip now contains [#] if enabled
• the trace log buffer can now be adjusted with "TraceBufferPages=2560"
  -- the value denotes the count of 4k large pages to be used, here for a total of 10 MB
• new functionality to the list finder

Changed

• improved RPC debugging
• improved IPC handling around RpcMgmtSetComTimeout, "RpcMgmtSetComTimeout=n" is now the default behavioure
  -- required exceptions have been hard coded for specific calling dll's
• the LogApi dll is now using Sbies tracing facility to logg events instead of an own pipe server

Fixed

• FIXED SECURITY ISSUE: elevated sandboxed processes could access volumes/disks for reading (thanks hg421)
• fixed crash issue around SetCurrentProcessExplicitAppUserModelID observed with GoogleUpdate.exe
• fixed issue with resource monitor sort by timestamp
• FIXED SECURITY ISSUE: a race condition in the driver allowed to obtain a elevated rights handle to a process (thanks typpos)
• FIXED SECURITY ISSUE: "\RPC Control\samss lpc" is now filtered by the driver (thanks hg421)
  -- this allowed elevated processes to change passwords, delete users and alike, to disable filtering use "OpenSamEndpoint=y"
• FIXED SECURITY ISSUE: "\Device\DeviceApi\CMApi" is now filtered by the driver (thanks hg421)
  -- this allowed elevated processes to change hardware configuration, to disable filtering use "OpenDevCMApi=y"

This build fixed a couple issues one of them introduced in the last build.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added UI Language auto detection

Fixed

• fixed brave.exe is now properly recognized as chrome based not firefox based
• fixed issue introduced in 0.6.5 with recent edge builds
  -- the 0.6.5 behavioure can be set ona per process basis using "RpcMgmtSetComTimeout=POPPeeper.exe,n"
• fixed grouping issues
• fixed main windows restore state from tray

This build fixes many bugs and improves compatibility with various programs, see the ChangeLog for more Details.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added detection for waterfox.exe, Palemoon.exe, basilisk.exe and brave.exe firefox forks
• added bluetooth API support, IPC port can be opened with "OpenBluetooth=y"
  -- this should resolve issues with many unity games hanging on startup for a long time
• added enhanced RPC/IPC interface tracing
• when DefaultBox is not found by the SandMan UI, it will be recreated
• "Disable Forced Programs" time is now saved and reloaded

Changed

• reduced sandman cpu usage
• sandboxie.ini and templates.ini can now be UTF8 encoded
  -- this feature is experimental, files without a UTF-8 Signature should be recognized also
  -- "ByteOrderMark=yes" is obsolete, sandboxie.ini is now always saved with a BOM/Signature
• legacy language files can now be UTF8 encoded
• reworked file migration behaviour, removed hardcoded lists in favour of templates
  -- you can now use "CopyAlways=", "DontCopy=" and "CopyEmpty=" that support the same syntax as "OpenFilePath="
  -- "CopyBlockDenyWrite=program.exe,y" makes a write open call to a file that won't be copied fail instead of turning it read only
• removed hardcoded SkipHook list in favour of templates

Fixed

• fixed old memory pool leak in the sbie driver
• fixed issue with item selection in the access restrictions ui
• fixed updater crash in sbiectrl.exe
• fixed issues wih RPC calls introduced in sbie 5.33.1
• fixed recently broken terminate all command
• fixed a couple minor UI issues with Sandman UI
• fixed IPC issue with windows 7 and 8 resulting in process termination
• fixed "recover to" functionality

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added comfirmation prompts to terminate all commands
• added window title to boxed process info
• added winspy based sandboxed window finder
• added option to view disabled boxes and double click on box to enable it

Changed

• reset columns now resized them to fit the content, also "Reset Columns" can now be localized
• modal windows are now centered to the parent
• improved new box window

Fixed

• fixed issues with window modality
• fixed issues when main window was set to be always on top
• fixed an driver issue with windows 10 insider build 21286
• fixed issues with snapshot dialog
• fixed an issue when writing to a path that aready exist in the napshot but not outside

This build resolves an issue with the registry isolation present since window 10 CU.
Further more it adds many minor usability improvements and fixes many UI bugs with the new SandMan UI.
See the change log for a full list.

Sandboxie-Plus-x64-v0.5.5.exe SHA256: b4929200bd4c217579dedca8577b3a74e1e4217249792f64e6ba49ecab408afd
Sandboxie-Plus-x86-v0.5.5.exe SHA256: cdb5f3f07a09443f1e13f7cd048be63b123840a9b81f3ff6258b10b2e1254882
Provisional Windows 7 Drivers.zip SHA256: b7eaa60e96721973c36aa0b00b75e4085dda3c366facc65aa554d935d7494879
Sandboxie-Classic-x64-v5.46.4.exe SHA256: 24dcdce3244bde707f57bde1af372733752d8238076443250871c3f048e4ed9c
Sandboxie-Classic-x86-v5.46.4.exe SHA256: 5052f70fe6ee277c76fb77cfb2c63194d6f19ce9edb5cb107c9269358e93c8fa

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

• added "SandboxService=..." to force selected services to be started in the sandbox
• added template cleanup functionality to plus UI
• allow internet prompt now also allow internet access pemanently
• added browse button for box root folder in the SandMan UI
• added explorer info message
• added option to keep the sandman UI always on top
• added drag and drop file on to sandman exe to open/run it sandboxed
• added start SandMan UI when a sandboxed application starts
• recovery window can now list all files
• added file cunter to recovery window
• when "NoAddProcessToJob=y" is specified chrome and alike now can fully use the job system
  -- Note: "NoAddProcessToJob=y" reduces the box isolation, but the affected functions are mostly covered by UIPI anyways
• added obtimized default column widths to the sbie view

Changed

• improved access tracing, removed redundant entries
• OpenIpcPath=\BaseNamedObjects[CoreUI]-* is now hardcoded in the driver no need for the template entry
• WindowsFontCache is now open by default
• refactored some IPC code in the driver
• updated templates (thanks isaak654)
• when trying to take a snapshot of an empty sandbox a proper error message is displayed
• new layout for the recovery window
• sbie view sorting is now case insensitive

Fixed

• fixed issue allowing to bypass the registry isolation, present since Windows 10 Creators Update
• fixed creation time not always being properly updated in the SandMan UI
• fixed issue child window closing terminating application when main was hidden
• fixed issues with non modal windows
• fixed issues connecting in portable mode to driver
• fixed minor issues with snapshot window
• fixed missing error message when atempting to create an aleady existing sandbox
• fixed issue allowing to save setting when a sandbox was alrady deleted
• fixed issues with disabled items in dark mode
• fixed some dialogs not closing on esc
• fixed tab stops on many windows

This build tests some driver changes improving on resource access tracing.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Changed

• improved access tracing, removed redundant entries
• OpenIpcPath=\BaseNamedObjects[CoreUI]-* is now hardcoded in the driver no need for the template entry
• WindowsFontCache is now open by default
• refactored some IPC code in the driver

Fixed

• fixed creation time not always being properly updated in the SandMan UI

Urgent security fixes (thanks @diversenok)

Build 5.46.0 resolves many box isolation issues some of them critical that could allow rogue applications to escape the sandbox. It is highly advised to upgrade quickly to the new builds. For further details please review the change log below.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Hotfix2 (5.46.2) Changelog

Added

• added "CallTrace=*" to log all system calls to the access log

Changed

• improved ipc logging code
• improved MSG_2101 logging

Fixed

• fixed more issues with ipc tracing
• fixed SBIE2101 issue with crome and derivatives

Hotfix (5.46.1) Changelog

Added

• added "RunServiceAsSystem=..." allows specific named services to be ran as system

Changed

• refactored some code around SCM access

Fixed

• fixed a crash issue in SbieSvc.exe introduced with the last build
• fixed issue with sandman ui update check

Removed

• removed "ProtectRpcSs=y" due to incompatybility with new isolation defaults

Release ( 5.46.0) Changelog

Added

• Sandboxie now strips particularly problematic privileges from sandboxed system tokens
  -- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
  -- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
• added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
  -- those resources are open by default but for a hardened box its desired to close them
• added print spooler filter to prevent printers from being set up outside the sandbox
  -- the filter can be disabled with "OpenPrintSpooler=y"
• added overwrite prompt when recovering an already existing file
• added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
• added more compatybility templates (thanks isaak654)

Changed

• Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
  -- use "RunServicesAsSystem=y" to enable the old legacy behavior
  -- Note: sandboxed services with a system token are still sandboxed and restricted
  -- However not granting them a system token in the first place removes possible exploit vectors
  -- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
• Reworked dynamic IPC port handling
• Improved Resource Monitor status strings

Fixed

• fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
• fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
• fixed issue with ipc tracing
• fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
  -- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
• fixed hooking issues SBIE2303 with chrome, edge and possibly others
• fixed failed check for running processes when performing snapshot operations
• fixed some box option checkboxes were not properly initialized
• fixed unavailable options are not properly disabled when sandman is not connected to the driver
• fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
• added missing localization to generic list commands
• fixed issue with "iconcache_*" when runngin sandboxed explorer
• fixed more issues with groups

Urgent security fixes (thanks @diversenok)

Build 5.46.0 resolves many box isolation issues some of them critical that could allow rogue applications to escape the sandbox. It is highly advised to upgrade quickly to the new builds. For further details please review the change log below.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Hotfix Changelog

Added

• added "RunServiceAsSystem=..." allows specific named services to be ran as system

Changed

• refactored some code around SCM access

Fixed

• fixed a crash issue in SbieSvc.exe introduced with the last build
• fixed issue with sandman ui update check

Removed

• removed "ProtectRpcSs=y" due to incompatybility with new isolation defaults

Release Changelog

Added

• Sandboxie now strips particularly problematic privileges from sandboxed system tokens
  -- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
  -- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
• added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
  -- those resources are open by default but for a hardened box its desired to close them
• added print spooler filter to prevent printers from being set up outside the sandbox
  -- the filter can be disabled with "OpenPrintSpooler=y"
• added overwrite prompt when recovering an already existing file
• added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
• added more compatybility templates (thanks isaak654)

Changed

• Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
  -- use "RunServicesAsSystem=y" to enable the old legacy behavior
  -- Note: sandboxed services with a system token are still sandboxed and restricted
  -- However not granting them a system token in the first place removes possible exploit vectors
  -- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
• Reworked dynamic IPC port handling
• Improved Resource Monitor status strings

Fixed

• fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
• fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
• fixed issue with ipc tracing
• fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
  -- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
• fixed hooking issues SBIE2303 with chrome, edge and possibly others
• fixed failed check for running processes when performing snapshot operations
• fixed some box option checkboxes were not properly initialized
• fixed unavailable options are not properly disabled when sandman is not connected to the driver
• fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
• added missing localization to generic list commands
• fixed issue with "iconcache_*" when runngin sandboxed explorer
• fixed more issues with groups

Urgent security fixes (thanks @diversenok)

Build 5.46.0 resolves many box isolation issues some of them critical that could allow rogue applications to escape the sandbox. It is highly advised to upgrade quickly to the new builds. For further details please review the change log below.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• Sandboxie now strips particularly problematic privileges from sandboxed system tokens
  -- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
  -- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
• added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
  -- those resources are open by default but for a hardened box its desired to close them
• added print spooler filter to prevent printers from being set up outside the sandbox
  -- the filter can be disabled with "OpenPrintSpooler=y"
• added overwrite prompt when recovering an already existing file
• added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
• added more compatybility templates (thanks isaak654)

Changed

• Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
  -- use "RunServicesAsSystem=y" to enable the old legacy behavior
  -- Note: sandboxed services with a system token are still sandboxed and restricted
  -- However not granting them a system token in the first place removes possible exploit vectors
  -- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
• Reworked dynamic IPC port handling
• Improved Resource Monitor status strings

Fixed

• fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
• fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
• fixed issue with ipc tracing
• fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
  -- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
• fixed hooking issues SBIE2303 with chrome, edge and possibly others
• fixed failed check for running processes when performing snapshot operations
• fixed some box option checkboxes were not properly initialized
• fixed unavailable options are not properly disabled when sandman is not connected to the driver
• fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
• added missing localization to generic list commands
• fixed issue with "iconcache_*" when runngin sandboxed explorer
• fixed more issues with groups

This is a maintenance release it brings some small new features and fixes many minor issues.

The plus installer was improved it now provides a extract function and creates the required Sandboxie.ini and Sandboxie-plus.ini for portable operations.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added prompt to choose if links in the sandman ui should be open in a sandboxed or unsandboxed browser
• added more recovery options, "recovery & ..." and more recver to options
• added "ClosedClsid=" to block com objects from being used when thay cause compatybility issues
• added "ClsidTrace=*" option to trace COM usage
• added "ClosedRT=" option to block access to problematic Windows RT interfaces
• added option to make a link for any selected process to sandman ui
• added option to reset all hidden messages
• added more process presets "Force program" and "allow internet access"
• added "SpecialImage=chrome,some_electron_app.exe" option to sandboxie.ini, valid image types "chrome", "firefox"
  -- with this option you can enable special hardcoded workarounds to new obscure forks of those browsers
• added german translation (thanks bastik-1001) to the sandman UI
• added russian translation (thanks lufog) to the sandman UI
• added portuguese translation (thanks JNylson ) to the sandman UI
• added settings for the porteble boxed root folder option
• added process name to resource log
• added command line column to the process view in the sandman UI

Changed

• changed docs and update urls to the new sandboxie-plus.com domain
• greately improved the innos etup script (thanks mpheath)
• "OpenClsid=" and "ClosedClsid=" now support specifyed a program or group name
• by default when started in portable mode the sandbox folder will be located to the parent directory of the sandboxie instance

Fixed

• grouping menu not fully working in the new sandman ui
• fixed can't set quick recovery in sandman ui
• fixed resource leak when loading process icons in sandman ui
• fixed issue with OpenToken debug options
• fixed chrome crashing on websites that cause the invocation of "FindAppUriHandlersAsync"
• fixed issue connecting to the driver when starting in portable mode
• fixed missing template setup when creating new boxes
• fixed a few issues wiht group handling
• fixed issue with GetRawInputDeviceInfo when runnign a 32 bit program on a 64 bis system
• fixed issue when pressing apply int he "Resource Access" tab the last edited value was not always applyed
• fixed issue merging entries in resource access monitor

removed

• removed obsolete "OpenDefaultClsid=n" use "ClosedClsid=" with the aproproate values instead
• removed suspend/resume menu entry, pooling that state wasts substantial cpu cycles, use task explorer for that functionality

This is a maintenance release it brings some small new features and fixes many minor issues.

The plus installer was improved it now provides a extract function and creates the required Sandboxie.ini and Sandboxie-plus.ini for portable operations.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

• added prompt to choose if links in the sandman ui should be open in a sandboxed or unsandboxed browser
• added more recovery options, "recovery & ..." and more recver to options
• added "ClosedClsid=" to block com objects from being used when thay cause compatybility issues
• added "ClsidTrace=*" option to trace COM usage
• added "ClosedRT=" option to block access to problematic Windows RT interfaces
• added option to make a link for any selected process to sandman ui
• added option to reset all hidden messages
• added more process presets "Force program" and "allow internet access"
• added "SpecialImage=chrome,some_electron_app.exe" option to sandboxie.ini, valid image types "chrome", "firefox"
  -- with this option you can enable special hardcoded workarounds to new obscure forks of those browsers
• added german translation (thanks bastik-1001) to the sandman UI
• added russian translation (thanks lufog) to the sandman UI
• added portuguese translation (thanks JNylson ) to the sandman UI

Changed

• changed docs and update urls to the new sandboxie-plus.com domain
• greately improved the innos etup script (thanks mpheath)
• "OpenClsid=" and "ClosedClsid=" now support specifyed a program or group name
• by default when started in portable mode the sandbox folder will be located to the parent directory of the sandboxie instance

Fixed

• grouping menu not fully working in the new sandman ui
• fixed can't set quick recovery in sandman ui
• fixed resource leak when loading process icons in sandman ui
• fixed issue with OpenToken debug options
• fixed chrome crashing on websites that cause the invocation of "FindAppUriHandlersAsync"
• fixed issue connecting to the driver when starting in portable mode
• fixed missing template setup when creating new boxes

removed

• removed obsolete "OpenDefaultClsid=n" use "ClosedClsid=" with the aproproate values instead
• removed suspend/resume menu entry, pooling that state wasts substantial cpu cycles, use task explorer for that functionality