Changelog

[1.xx.0 / 5.xx.0] - 2022-??-??

Added

added 'AllowForceSystem=y' to allow forcing system processes, warning misusing this can break windows!
added OnFileRecovery trigger allowing to check files before recovering them #2202

Changed

disabled a couple driver based workarounds for boxes in compartment mode as then thay should not be required
uncomment: - added optional alternative IPC naming scheme

[1.9.0 / 5.64.0] - 2022-??-??

Added

added ability to fore sandboxed processes to use a pre defined socks 5 proxy
added ability to intercept DNS queries such that thay can be log and/or redirected

[1.8.0 / 5.63.0] - 2022-??-??

Added

added new user proxy mechanism to enable user cspecific operations
added Support for EFS using the user proxy #1980
-- to enable add 'EnableEFS=y' to the sandbox config
todo: add ui for efs

[1.7.0 / 5.62.0] - 2022-??-??

Added

added option to prevent processes located outside teh sandbox from loading boxed dll's
-- to enable it use "ProtectHostImages=y"
add option to block box inter programs but not box extern once
todo: add ui

[1.6.0 / 5.61.0] - 2022-??-??

Added

added ability to import/export boxes into 7z files
added nt object view to trace log

todo: add remember my choice to the sandbox picker
todo: add supprot for silent mode / no notification when gaming

Changed

restructured the box context menu a bit

[1.5.0 / 5.60.0] - 2022-09-??

Added

Added support for Windows on ARM64 #1321 #645
-- Ported SbieDrv for ARM64
-- Ported low level injection mechanism for ARM64/ARM64EC
-- Ported syscall hooks for ARM64/ARM64EC
-- Ported sbiedll.dll to ARM64/ARM64EC
-- Note: ARM32 on ARM64 is not implemented and will terminate with Message SBIE2338
-- Note: When sandboxie is running it disables the use of CHPE Binaries for x86 processes globally,
this is required for the forced processes functionality, this behavioure can be disabled by
adding the global option "DisableCHPE=n" to the sandboxie.ini, then x86 processes
started outside the sandbox instead of being forced will be terminated with Message SBIE2338

fixed

fixed issue with win32 hooks in x86 applications

Changed

reworked API compatibility check

[1.4.x / 5.59.x] - 2022-09-??

Changed

In sbie 5.28 and later WinInetCache is open, this breks IE's source view, hence it can now be disabled with 'CloseWinInetCache=y'

[1.4.0 / 5.59.0] - 2022-09-30

Added

added integrated run from start menu #1836
addes start menu enumeration #1570
added UI for breakout processes #1904
added option to customize box double click action
added new advnaced tab in the advanced tab alowing to configure proces specific and otehr advanced options
added "SeparateUserFolders=y" and "SandboxieLogon=y" to the box option dialog
added icons to option section labels

Changed

preapred for Qt 6.2
resructured the general settings page
resructured the sandbox options page, added a new tab and moved some of the advanced options there

[1.3.5 / 5.58.5] - 2022-09-26

Added

added localization to Windows 11 shell menu #2229

Changed

improved recovery window behaviour in Plus UI #2266

Fixed

fixed issues with stale data in Sandboxie-Plus.ini #2248 (thanks okrc)
fixed issue with dummy manifests #2252
fixed issue with XYplorer #2230
fixed crash in Plus UI e9e21c2
fixed m_pCleanUpButton is displayed empty when NoIcons=1 #2273 (thanks okrc)

[1.3.4 / 5.58.4] - 2022-09-19

Added

Added NoRenameWinClass to the Plus UI
Added Windows.UI.* to the list of hardcoded well-known classes to resolve issues with WinUI apps #2109

Changed

NoRenameWinClass now supports wildcards

Fixed

fixed issue with default box not being detected on start #2195
fixed move sandbox menu issue #2225 (thanks okrc)
fixed issues with stale data in Sandboxie-Plus.ini #2234 (thanks okrc)
fixed autostart issue #2219
fixed firewall UI issue, all programs entries were missing *, prefix #2247
fixed BlockPorts template with a missing *, prefix 4420ba4
fixed issues with various Electron apps #2217 #2235 #2201 #2166
-- now the default behaviour is UseElectronWorkaround=n

Removed

removed obsolete VPNTunnel template

[1.3.3 / 5.58.3] - 2022-09-12

Added

added domain\user notation when the LogFile registry setting is applied as workaround for #2207
-- usage: in "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" add REG_SZ "LogFile" with "3;[path]\Sandboxie.log"
added option to block host processes from accessing sandboxed ones #2132
-- usage: DenyHostAccess=Program.exe,y
-- note: by default, this protection only applies for write access, that is, unsandboxed processes will still be able to obtain read-only access
-- to prevent host processes from obtaining read access, ConfidentialBox=y must also be set, which require a supporter certificate
added compatibility template for ReHIPS
added creation of all default folders in privacy box type #2218

Changed

improved SandMan settings behaviour for non admin users #2123

Fixed

fixed issues with group moving via drag and drop
approved more required syscalls #2190
fixed issues when deleting box content and the file panel view is open
fixed issue with config protection #2206
fixed issue with default box #2195
fixed issue with keyboard delete shortcut for process termination

Removed

removed obsolete Online Armor template

[1.3.2 / 5.58.2] - 2022-08-30

Added

added icons to sub tabs in the box options dialog
recovery and message pop-up menu options are not persisting across UI restarts any more
added new box color, a white box indicates that its not really a sandbox and is displayed when the user specified OpenFilePath=* or alike

Changed

Sandboxie no longer issues message 1301 when forced processes are temporarily disabled
-- the message can be re-enabled with "NotifyForceProcessDisabled=y"
reworked the "Open COM" checkbox mechanism in the plus UI
-- Now it uses a template and it can also keep COM closed while OpenIpcPath=* is set

Fixed

fixed compatibility issue with Proxifier #2163
fixed encoding issue with Korean translation #2173
fixed issues with update available message

[1.3.1 / 5.58.1] - 2022-08-20

Added

added ability to switch the fusion theme independently from the dark theme
added ability to download updates from the support page
added missing system calls to the hardened box type 88bc06a b775264 04b2377 (thanks Mr.X)
added search box to the Plus UI Settings and box options dialog #2134
added Korean translation to the Plus UI #2133 (thanks VenusGirl)
added grouping to SandMan tray menu #2148

Changed

improved info label
the vintage mode look is even more vintage now
reloading the configuration with the SandMan command "Options -> Reload ini file" now updates the list of approved syscalls
made rule specificity more specific, now a rule with less wildcards overrules a rule with more wildcards
-- Note: trailing wildcards are evaluated separately

Fixed

fixed issue with displaying sandbox configuration #2111
fixed flashing issue when switching views #2050
fixed inconsistencies with various checkboxes in the Plus UI ef4ac1b 06c89e3
fixed a certificate validation issue 238cb44
fixed issue with "UseRuleSpecificity" setting #2124 file.c#L965-L966

[1.3.0 / 5.58.0] - 2022-08-09

Added

added hook configuration for ntoskrnl/ntdll
-- individual ntdll hooks can be disabled using "DisableWinNtHook=..."
added new Super Extra Security Enhanced Box Mode; add "UseSecurityMode=y" to enable
-- when this setting is enabled, it combines "SysCallLockDown=y" which limits the use of NT system calls with "DropAdminRights=y" and "RestrictDevices=y"
-- only calls configured in the global section as "ApproveWinNtSysCall=..."/"ApproveWin32SysCall=..." will be executed with the original token
-- all non-approved NT syscalls will be executed with the sandboxed token, this may break compatibility in certain scenarios
-- additional syscalls may need to be allowed, this has to be done in the [GlobalSettings] and the driver must be restarted
-- Note: boxes created as Security Enhanced with prior builds will be displayed as normal in the UI from now on
-- the Security Enhanced icons are now repurposed for the new Super Extra Security Enhanced Box Mode
-- Note: The new enhanced security features require a supporter certificate
added browse option to the "force process" tab

Changed

replaced the "DeviceSecurity" template with a dedicated setting "RestrictDevices=y"
-- Note: when needed, more "NormalFilePath=..." entries can be added to open specific devices
rule specificity is now even more specific, an exact rule now overrules those ending with a wildcard

[1.2.8b / 5.57.7] - 2022-08-08

Fixed

fixed issue with context menu setup on Windows 11
fixed column issue in vintage mode #2103

[1.2.8 / 5.57.7] - 2022-08-05

Fixed

fixed missing uninstall routine in SandMan

[1.2.7 / 5.57.7] - 2022-07-31

Added

added option for alternating row colours in all lists #2073

Changed

SandboxieLogon is now disabled by default as it wasn't compatible with third-party malware tools #2025
the access view list now adds the trailing "*" to file and key paths the same way the driver does 2039
setup of shell integration is now done by SandMan, not the installer
uninstaller can now remove the sandbox folders #1235

[1.2.6 / 5.57.6] - 2022-07-25

Changed

reworked saving of global options

Fixed

fixed issue with the Delete Content option #2043
fixed issue with box preferences #2046
fixed issue with the Delete V2 registry

[1.2.5 / 5.57.5] - 2022-07-22

Changed

improved a few icons

Fixed

fixed a certificate validation issue

[1.2.4 / 5.57.4] - 2022-07-21

Added

added a delete button to the recovery window #2024

Changed

improved the tree selection display

Fixed

fixed issues with the file panel
fixed issue with some key bindings #2030
fixed issue with RemoveSidName when terminating SbieSvc
fixed issue with the new hooking mechanism
fixed BSOD issue with Win32k hooks introduced in 1.2.0 #2035
fixed issue with element11 and electron workaround #2023

[1.2.3 / 5.57.3] - 2022-07-13

Fixed

fixed issues with the new menu code

Changed

reworked frame drawing

[1.2.2 / 5.57.2] - 2022-07-13

Fixed

fixed issues with frame drawing
fixed issues with the tray and box menu introduced in the last build
removed focus rectangle from the tree list

Changed

refactored menu creation code

[1.2.1 / 5.57.1] - 2022-07-11

Added

added Swedish translation to the Plus UI (thanks pb1)
added Vintage View Mode to make SandMan UI look like SbieCtrl
added alternative tray menu mechanics
added ability to auto-generate sandbox icons based on the border colour

Changed

changed box group icon to a dedicated one
"browse content" is now available as a side panel in the main window
animated hourglass icon overlay

Fixed

fixed DPI issue on Windows 7
fixed issue with Software Compatibility tab
fixed issue with OpenKeyPath introduced in build 1.1.1 #2006

[1.2.0 / 5.57.0] - 2022-06-28

Added

re-engineered "SandboxieLogon=y"; it's on by default, as every sandbox gets its own SID now
-- Note: this enforces strict isolation of sandboxes from each other.

Changed

reworked hook management, unloaded DLLs are properly unhooked now #1243
the box order is now stored in Sandboxie-Plus.ini
improved DPI scaling behaviour

[1.1.3 / 5.56.3] - 2022-06-20

Added

added group-first sorting #1922

Changed

updated Classic UI Swedish translation (thanks pb1)
restored Plus UI Turkish translation #1419 (thanks fmbxnary)

Fixed

fixed issue with recovery window on delete #1948
fixed double-click issue on path column #1951
"AllowBoxedJobs=n" is back to the default behaviour as issues were reported #1954
fixed issue with internet block #1955
fixed grouping issue in the Plus UI #1950
fixed issue with CredentialUIBroker.exe on Windows 11 with Win32k hooks #1839
fixed issue with Delete V2 #1939

[1.1.2 / 5.56.2] - 2022-06-14

Added

added missing file recovery log to SandMan #425
the immediate recovery window will now auto-close when all files have been recovered #1498
the immediate recovery window of SandMan is always on top by default like in SbieCtrl; this can be disabled with "Options/RecoveryOnTop=n" #1465
added option to toggle immediate recovery from the presets submenu #1653
added option to disable file recovery and message pop-up globally
added per box refresh option #1945

Changed

the desktop security workaround used for Chrome, Firefox and Acrobat can now be enabled for all processes using "UseSbieDeskHack=y"
improved double-click behaviour #1935
box size info is refreshed on file recovery

Fixed

fixed issue with unnecessary Sandboxie config reloads introduced in 1.1.1 #1938
fixed issue with recovery window focus #1374
fixed issues with desktop objects introduced in 1.1.1 #1934
fixed issues with Edge startup boost using a GPO preset #1913

[1.1.1 / 5.56.1] - 2022-06-07

Added

compatibility templates can now be viewed from the settings window #1891
the refresh command is now bound to F5 #1885
added more first start wizard options
added option to permanently disable immediate recovery for any given box when it opens #1478
double-click on the path column now opens the box root in explorer #1924

Changed

changed Move Box behaviour #1879
improved implementation of the PreferExternalManifest option
Win32k hooks are now by default only used for Edge and Chromium apps as they cause issues with other software #1902 #1912 #1897
"AllowBoxedJobs=y" is now the default behaviour

Fixed

fixed Edge issue with Windows 11 after KB5014019
fixed issues with the new Delete V2 mechanism when using "SeparateUserFolders=y" #1885
fixed credential issue #1770
fixed force process priorities #1883
fixed issues with the new Delete V2 mechanism
fixed issue with the Windows 11 menu on older Windows builds 1877
refresh now works without WatchBoxSize option #1885
fixed crash issue with WatchBoxSize=true #1885
fixed issue with recovery folder paths #1840
fixed issues with Sbie desktop and wndStation affecting Acrobat Reader #1863
fixed issues with box grouping #1921 #1920
fixed issues when changing language #1914
fixed issue with BreakoutFolder #1908
fixed issue with SbieDll.dll for x86 exception handling
fixed issues with application-specific hives (RegLoadAppKey) affecting Visual Studio #1576 #1452

[1.1.0 / 5.56.0] - 2022-05-24

Added

added support for NtRenameKey (this requires UseRegDeleteV2=y) #205
added box size info #1780

Changed

reworked the mechanism Sandboxie uses to mark host files as deleted
-- under the new behaviour a data file (FilePaths.dat) is created in the box root instead of dummy files
-- it can be enabled with UseFileDeleteV2=y and also for the registry with UseRegDeleteV2=y which creates a reg file (RegPaths.dat)
reworked the TlsNameBuffer mechanism to be more versatile and less error-prone
significantly reduced the CPU usage of SandMan.exe

Fixed

fixed folder rename issues (this requires UseFileDeleteV2=y) #71
fixed issue with process access #1603
fixed translation issue #1864
fixed UI issue with the box selection window #1867
fixed UI issue when switching languages #1871

[1.0.22 / 5.55.22] - 2022-05-15

Added

added auto-update download and silent install option to SandMan.exe #917
trace monitor mode can save to file now #1851
trace log now shows IPC object type information
added support for Windows 11 context menus

Fixed

fixed SandMan crash issue #1846
fixed issue with Windows Server 2022 build 20348
fixed translation switching issues #1852

[1.0.21 / 5.55.21] - 2022-05-10

Added

added "FuncSkipHook=FunctionName" option to selectively disable certain function hooks

Changed

improved the support certificate entry box
changing the language no longer requires a restart on Plus UI
fixed issue with high CPU load when using SbieCtrl to change settings

Fixed

fixed issue with Firefox/Chromium browsers that have been compiled with the MinGW toolchain #538
fixed issues with folder recovery on Plus UI #1840 #1380

[1.0.20 / 5.55.20] - 2022-05-02

Fixed

fixed issue with Firefox video playback introduced in the previous build #1831
fixed driver-related BSOD #1811
fixed issue with editing start restriction entries
fixed issue with the network options tab #1825
fixed portable mode issue if SandMan is run as admin #1764

[1.0.19 / 5.55.19] - 2022-04-21

Added

added drag and drop support for groups #1775
added Del key support to the box view for all entry types #1779
added warning when trying to run explorer.exe in a box with COM open #1716

Fixed

fixed crash issue in the SandMan UI #1772
fixed issue with some installers when EnableObjectFiltering is enabled #1795
fixed allowing NtCreateSymbolicLinkObject to be safely used in the sandbox
added workaround for a Vivaldi hooking issue #1783
-- Note: this fix is provisional, it can be disabled with UseVivaldiWorkaround=n
fixed registry issue with snapshots #1782
fixed issue with box grouping #1778 #1777 #1776
fixed further issues with box grouping #1698 #1697
fixed issues with snapshot UI #1696 #1695
fixed issue with recovery dialog focus #1374

[1.0.18 / 5.55.18] - 2022-04-13

Added

added minor browsers to the BlockSoftwareUpdaters template (by APMichael) #1784

Changed

failed memory read attempts to unboxed processes will no longer cause message 2111 by default
-- Note: the message can still be enabled in the settings with "NotifyProcessAccessDenied=y"
reordered the BlockSoftwareUpdaters template (by APMichael) #1785

Fixed

fixed pipe impersonation in compartment mode
fixed issue with box clean-up introduced in a recent build
fixed missing trace log clean-up command #1773
fixed inability to unpin programs that have been pinned to the run menu #1694

[1.0.17 / 5.55.17] - 2022-04-02

Added

added checkbox for easy read access to memory of unsandboxed processes (old Sbie behaviour, not recommended)

Changed

improved OpenProcess/OpenThread logging

Fixed

fixed crash issue with the new monitor mode
fixed issue with resource access entry parsing

[1.0.16 / 5.55.16] - 2022-04-01

Added

FIXED SECURITY ISSUE ID-20: memory of unsandboxed processes can no longer be read, exceptions are possible
-- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe

Changed

EnableObjectFiltering is now set enabled by default, and replaces Sbie's old process/thread handle filter
the $: syntax now accepts a wildcard $:* no more specialized wildcards though

Fixed

fixed NtGetNextProcess being fully disabled instead of properly filtered
fixed reworked image name resolution when creating new processes in a sandbox
fixed regression with HideOtherBoxes=y #1743 #1666

[1.0.15 / 5.55.15] - 2022-03-24

Fixed

fixed memory corruption introduced in the last build causing Chrome to crash sometimes
FIXED SECURITY ISSUE ID-18: NtCreateSymbolicLinkObject was not filtered (thanks Diversenok)

[1.0.14 / 5.55.14] - 2022-03-23

Added

added notification to warn that the default update checker is lagging behind the newest release on GitHub, to ensure that only bug-free builds are offered as updates #1682
added main browsers to BlockSoftwareUpdaters template (by Dyras) #1630
added a warning when Sandboxie-Plus.ini is not writeable #1681
added clean-up for critical sections (by chunyou128) #1686

Changed

improved command line handling for breakout processes #1655
disabled SBIE2193 notification (by isaak654) #1690
improved error message 6004 #1719

Fixed

fixed dark mode issue with the new tray list
fixed not showing a warning when Sandboxie-Plus.ini is not writeable #1681
fixed issue with software compatibility checkbox (thanks MitchCapper) #1678
fixed issue with events on box closure not always being executed #1658
fixed memory leaks in key_merge.c
fixed issue enumerating registry keys in privacy mode
fixed settings issue introduced in 1.0.13 #1684
fixed crash issue when parsing firewall port options
FIXED SECURITY ISSUE ID-19: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges #1714

[1.0.13 / 5.55.13] - 2022-03-08

Fixed

FIXED SECURITY ISSUE ID-17: Hard link creation was not properly filtered (thanks Diversenok)
fixed issue with checking the certificate entry.

[1.0.12 / 5.55.12] - 2022-03-02

Added

added mini dump creation to SandMan.exe in case it crashes

Changed

disabled Chrome and Firefox phishing entries in new sandboxes (by isaak654) #1616
updated Mozilla paths for the BlockSoftwareUpdaters template (by isaak654) #1623
renamed "Pause Forced Programs Rules" command to "Pause Forcing Programs" (Plus only)
reworked tray icon generation now using overlays, added busy overlay

Fixed

fixed issue with accessing network drives in privacy mode #1617
fixed issue with ping in compartment mode #1608
fixed SandMan UI freezing when a lot of processes are created and closed in a box #1607
fixed Editing existing 'Run Menu' Command Line entry not being recognized #1648
fixed blue screen issue in driver (thanks Diversenok)
fixed incompatibility with Windows 11 Insider Build 22563.1 #1654

[1.0.11 / 5.55.11] - 2022-02-13

Added

added optional tray notification when box content gets auto-deleted
added FreeDownloadManager template
added warning when opening unsandboxed regedit #1606
added languages files that were missing in official Qt 5.15.2 (by DevSplash) #1605

Changed

the asynchronous box operations introduced in the last build are now disabled by default
moved sys tray options from general to shell integration tab
removed "AlwaysUseWin32kHooks", now these Win32 hooks are always enabled
-- Note: you can use "UseWin32kHooks=program.exe,n" to disable them for selected programs
updated Listary template to v6 (by isaak654) #1610

Fixed

fixed compatibility issue with SECUROM #1597
fixed modality issue #1615
fixed special form of OpenWinClass in Templates.ini d6d9588

[1.0.10 / 5.55.10] - 2022-02-06

Added

added option to show only boxes in tray with running processes #1186
-- additional option shows only pinned boxes, in box options a box can be set to be always shown in tray list (Pinned)
added Options menu command to reset the GUI #1589
added "Run Un-Sandboxed" context menu option
added new trigger "OnBoxDelete" that allows to specify a command that is run UNBOXED just before the box content gets deleted
-- Note: this can be used as a replacement to "DeleteCommand" #591
selected box operations (deletion) no longer show the progress dialog #1061
-- if a box with a running operation shows a blinking hour glass icon, the context menu can be used to cancel the operation

Changed

"HideHostProcess=program.exe" can now be used to hide Sandboxie services #1336
updater blocking is now done using a template called BlockSoftwareUpdaters
enhanced "StartProgram=..." makes "StartCommand=..." obsolete
-- for same functionality as "StartCommand=...", use "StartProgram=%SbieHome%\Start.exe ..."
merged "Auto Start" General tab with the "Auto Exec" Advanced tab into a universal "Triggers" Advanced tab

Fixed

fixed a couple issues with the new breakout process feature and improved security (thanks Diversenok)
fixed issues with re-opening windows already open #1584
fixed issue with desktop access #1588
fixed issue about command line invocation handling #1133
fixed UI issue with main window state when switching always on top attribute #1169
fixed issue with box context menu in tray list 1106
fixed issue with "AutoExec=..."
fixed issues where cancelling box deletion operations didn't work #1061
fixed issue with DPI scaling and colour picker dialog #803

Removed

removed "UseRpcMgmtSetComTimeout=AppXDeploymentClient.dll,y" used for Free Download Manager as it broke other things
-- only if you use Free Download Manager together with the setting "RpcMgmtSetComTimeout=n" in a sandbox, you have to add the line manually to your Sandboxie.ini

[1.0.9 / 5.55.9] - 2022-01-31

Added

SandMan now causes all boxed processes to update their path settings in real time when access options were modified
added new maintenance menu option "Uninstall All" to quickly remove all components when running in portable mode
added version number to the title bar of Sandboxie Classic
added option to return not to a snapshot but to an empty box state while keeping all snapshots
Sandboxie-Plus.ini can now be placed in C:\ProgramData\Sandboxie-Plus\ folder and takes precedence (for business use)
added support for AF_UNIX on Windows to resolve issues with OpenJDK17 and later #1009 #1520 #1521

Changed

reworked breakout mechanism to be service based and not allowing the parent process to access the broken out child process
enabled creation of directory junctions for sandboxed processes #1375
restored back "AutoRecover=y" on box creation #1554
improved snapshot support #1220
renamed "Disable Forced Programs" command to "Pause Forced Programs Rules" (Plus only)

Fixed

fixed BreakoutProcess not working with "EnableObjectFiltering=y"
FIXED SECURITY ISSUE ID-16: when starting COMSRV unboxed, the returned process handle had full access
fixed issue with progress dialog #1562
fixed issue with handling directory junctions in Sandboxie #1396
fixed a handle leak in File_NtCloseImpl
fixed border issues on maximized windows introduced in the last build #1561
fixed a couple of index overruns (thanks 7eRoM) #1571
fixed issues with sysnative directory #1403
fixed issue with starting SandMan when running sandboxed from context menu #1579
fixed dark mode flash issue with main window creation #1231
fixed issues with snapshot error handling #350
fixed issues with the always on top option (Plus only)

[1.0.8 / 5.55.8] - 2022-01-18

Added

added Portuguese of Portugal on Plus UI (by JNylson, isaak654, mpheath) #1497
added "BreakoutProcess=program.exe", with this option selected applications can be started unboxed from within a box #1500
-- the program image must be located outside the sandbox for this to work
-- if another sandbox has "ForceProcess=program.exe" configured, it will capture the process
-- use case: set up a box with a Web browser forced, when another box opens a website, this will happen in the dedicated browser box
-- Note: "BreakoutFolder=some\path" is also available
added silent uninstall switch /remove /S for Classic installer (by sredna) #1532

Changed

The filename "sandman_pt" was changed to "sandman_pt_BR" (Brazilian Portuguese) #1497
The filename "sandman_ua" was changed to "sandman_uk" (Ukrainian) #1527
-- Note: Translators are encouraged to follow the Localization notes and tips before creating a new pull request
updated Firefox update blocker (discovered by isaak654) #1545

Fixed

fixed issue with opening all file access OpenFilePath=* #971
fixed issue with opening network shares #1529
fixed possible upgrade issue with Classic installer (by isaak654) 130c43a
fixed minor issues with Classic installer (by sredna) #1533
fixed issue with Ldr_FixImagePath_2 #1507
when using "Run Sandboxed" with SandMan UI and the UI is off, it will stay off.
fixed issue with Util_GetProcessPidByName that should resolve the driver sometimes failing to start at boot #1451
SandMan will now run in background like SbieCtrl when starting a boxed process post506
fixed taskbar not showing with persistent box border in full screen post474
fixed box border not spanning across multiple monitors #1512
fixed issues with border when using DPI scaling #1506
fixed DPI issues with Qt #1368
fixed issue with bright flashing on window creation when in dark mode #1231
fixed issues with the PortableRootDir setting #1509
fixed issue with the settings window crashing when the driver was not connected
fixed DPI issues with Finder Tool #912
fixed another issue with reused process IDs #1547
fixed issue introduced in 1.0.6 related to SeAccessCheckByType #1548

[1.0.7 / 5.55.7] - 2022-01-06

Added

added experimental option "CreateToken=y" to create a new token instead of repurposing an existing one
added option "DisableRTBlacklist=y" allowing to disable the hardcoded runtime class blacklist
added new template "DeviceSecurity" to lock down access to device drivers on the system
-- Note: This template requires RuleSpecificity being available to work properly
added option to set a custom ini editor in the Plus UI #1475
added option "LingerLeniency=n" to solve issue #997

Changed

reworked syscall invocation code in the driver
-- Win32k hooking is now compatible with HVCI #1483

Fixed

fixed memory leak in driver (conf_user.c)
fixed issue with file renaming in open paths introduced in 1.0.6
fixed issue causing Chromium browsers not closing properly #1496
fixed issue with start.exe #1517 #1516
fixed SandMan issue with reused process IDs
fixed KmdUtil sometimes not properly terminating the driver #1493

Removed

removed OpenToken as it is only a shorthand for UnrestrictedToken=y and UnfilteredToken=y set together

[1.0.6 / 5.55.6] - 2021-12-31

Added

replaced "Open with" with a Sandboxie dialog to work on Windows 10 #1138
added ability to run Win32 store apps in App Compartment mode (on Windows 11 requires COM to be open)
-- Note: this does not mean UWP store apps, just regular Win32 apps packaged to be deployed via the store
added new debug options "UnstrippedToken=y" and "KeepUserGroup=y"
added double-click to recover files and folders in recovery window #1466
added Ukrainian language on Plus UI (by SuperMaxusa) #1488

Changed

"UseSbieWndStation=y" is now the default behaviour #1442
disabled Win32k hooking when HVCI is enabled due to an incompatibility (BSOD) #1483

Fixed

fixed box initialization issue in Privacy mode #1469
fixed issue with shortcuts creation introduced in a recent build #1471
fixed various issues in Privacy Enhanced boxes and rule specificity
fixed issue with SeAccessCheckByType and alike
fixed issues with Win32k hooking on 32 bit Windows #1479

Removed

removed obsolete SkyNet rootkit detection from 32 bit build

[1.0.5 / 5.55.5] - 2021-12-25

Added

sandbox top level exception handler to create crash dumps
-- it can be enabled per process or globally using "EnableMiniDump=process.exe,y" or "EnableMiniDump=y" respectively
-- the dump flags can be set as hex with "MiniDumpFlags=0xAABBCCDD"
-- a preselected flag set for a verbose dump can be set with "MiniDumpFlags=Extended"
-- Note: created dump files are located at: C:\Sandbox\%USER%\%SANDBOX%
added template support for Osiris and Slimjet browsers (by Dyras) #1454

Changed

improved SbieDll initialization a bit
doubled size of Name_Buffer_Depth #1342
improved text filter in the templates view #1456

Fixed

fixed issue with forced process display #1447
fixed crash issue with GetClassName #1448
fixed minor UI issue #1382
fixed UI language preset issue #1348
fixed grouping issues in SandMan UI #1358
fixed issue with EnableWin32kHooks #1458

Installers re-released with the following fix:

fixed regression when launching Office apps #1468

[1.0.4 / 5.55.4] - 2021-12-20

Added

mechanism to hook Win32 system calls now also works for 32 bit applications running under WoW64
added customization to Win32k hooking mechanism, as by default only GdiDdDDI* hooks are installed
-- You can force the installation of other hooks by specifying them with "EnableWin32Hook=..."
-- or disable the installation of the default hooks with "DisableWin32Hook=..."
-- Please note that some Win32k hooks may cause BSODs or undefined behaviour. (!)
-- The most obviously problematic Win32k hooks are blacklisted, this can be bypassed with "IgnoreWin32HookBlacklist=y"
added debug option "AdjustBoxedSystem=n" to disable the adjustment of service ACLs running with a system token
added "NoUACProxy=y" option together with the accompanying template, in order to disable UAC proxy
-- Note: Boxes configured in compartment mode activate this template by default
added UI option to change default RpcMgmtSetComTimeout preset
added Plus installer option to start the default browser under Sandboxie through a desktop shortcut
added more entries to the Plus installer (current translations on Languages.iss file need to be updated)

Changed

"EnableWin32kHooks=y" is now enabled by default, as no issues were reported in 1.0.3
-- Note: currently only the GdiDdDDI* hooks are applied, required for Chromium HW acceleration
cleaned up low level hooking code a bit
"RunRpcssAsSystem=y" is now auto applied for boxes in "App Compartment" mode when "RunServicesAsSystem=y" or "MsiInstallerExemptions=y" are present

Fixed

fixed RPC handling in case a requested open service is not running #1443
fixed a hooking issue with NdrClientCall2 in 32 bit applications
fixed issue with start directory to run sandboxed when using SandMan #1436
fixed issue with recovering from network share locations #1435

[1.0.3 / 5.55.3] - 2021-12-12

Added

added mechanism to hook Win32k system calls on Windows 10 and later, this should resolve the issue with Chromium HW acceleration
-- Note: this mechanism does not, yet, work for 32 bit applications running under WoW64
-- to enable it, add "EnableWin32kHooks=y" to the global ini section, this feature is highly experimental (!)
-- the hooks will be automatically applied to Chromium GPU processes
-- to force Win32k hooks for all processes in a selected box, add "AlwaysUseWin32kHooks=program.exe,y" #1261 #1395

Fixed

fixed bug in GetVersionExW making "OverrideOsBuild=..." not working #605 #1426
fixed issue with some UTF-8 characters when used in the ini file
fixed isolation issue with Virtual Network Editor #1102

[1.0.2 / 5.55.2] - 2021-12-08

Fixed

fixed recovery window not refreshing count on reload #1402
fixed printing issue introduced in 1.0.0 #1397
fixed issues with CreateProcess function #1408

[1.0.1 / 5.55.1] - 2021-12-06

Added

added checkboxes to most major box options lists
added SumatraPDF templates (by Dyras) #1391

Changed

rolled back change to "OpenClsid=..." handling
made all major lists in the box options editable

Fixed

fixed issue with read only paths introduced in 1.0.0
fixed BSOD issue introduced in the 1.0.0 build #1389
fixed multiple BITS notifications while running sandboxed Chromium browsers (by isaak654) ca320ec #1081
fixed executables selection for "Run Menu" entries (by isaak654) #1379
fixed SetCursorPos and ClipCursor ignoring DPI awareness (by alvinhochun) #1394

Removed

removed Virtual Desktop Manager template (by isaak654) d775807 #1326

[1.0.0 / 5.55.0] - 2021-11-17

Added

added Privacy enhanced mode, sandboxes with "UsePrivacyMode=y" will not allow read access to locations containing user data
-- all locations except generic Windows system paths will need to be opened explicitly for read and/or write access
-- using "NormalFilePath=...", "NormalKeyPath=...", "NormalIpcPath=..." allows to open locations to be readable and sandboxed
added new "App Compartment" mode of operation, it is enabled by adding "NoSecurityIsolation=y" to the box configuration
-- in this mode, security is traded in for compatibility, it should not be used for untrusted applications
-- Note: in this mode, file and registry filtering are still in place, hence processes run without administrative privileges
-- it is reasonably safe, all filtering can be disabled with "NoSecurityFiltering=y"
added experimental use of ObRegisterCallbacks to filter object creation and duplication
-- this filtering is independent from the regular SbieDrv's syscall-based filtering, hence it also applies to App Compartments
-- with it enabled, an application running in a compartment will not be able to manipulate processes running outside the sandbox
-- Note: this feature improves the security of non-isolated App Compartment boxes
-- to enable this feature, set "EnableObjectFiltering=y" in the global section and reload the driver
-- when globally activated, the filtering can be disabled for individual boxes with "DisableObjectFilter=y"
added "DontOpenForBoxed=n", this option disables the discrimination of boxed processes for open file and open key directives
-- this behaviour does not really improve security anyway, but may be annoying, also app compartments always disable this
added setting to entirely open access to the COM infrastructure

Changed

reworked the resource access path matching mechanism to optionally apply more specific rules over less specific ones
-- for example "OpenFilePath=C:\User\Me\AppData\Firefox takes precedence over "WriteFilePath=C:\User\Me\"
-- to enable this new behaviour, add "UseRuleSpecificity=y" to your Sandboxie.ini, this behaviour is always enabled in Privacy enhanced mode
-- added "NormalFilePath=..." to restore default Sandboxie behaviour on a given path
-- added "OpenConfPath=...", which similarly to "OpenPipePath=..." is a "OpenKeyPath=..." variant which applies to executables located in the sandbox
removed option to copy a box during creation, instead the box context menu offers a duplication option
reworked the box creation dialog to offer new box types

Fixed

fixed SBIE1401 notification during Sandboxie Plus uninstall (by mpheath) 68fa37d
fixed memory leak in driver handling FLT_FILE_NAME_INFORMATION (by Therzok) #1371

[0.9.8d / 5.53.3] - 2021-11-01

Added

added checkbox if the user wants SandMan.exe to be started after installation #1318
added template for Windows 10 virtual desktop manager #1326

Changed

"OpenClsid=..." is no longer restricted to CLSCTX_LOCAL_SERVER execution contexts only
-- this allows to run objects with the CLSCTX_INPROC_SERVER flag in the COM helper service
in the trace view, now multiple types can be selected at once
a few Plus UI entries were made translatable (by gexgd0419) #1320
changed default "terminate all boxed processes" key to Shift+Pause (by isaak654) #1337

Fixed

fixed ini writing issue with SbieCtrl and the new ini handling mechanism #1331
fixed issue with trace log filtering
fixed space issue about German language on Plus installer (by mpheath) #1333
restored Waterfox phishing template entries with a proper fix (by APMichael) #1334

[0.9.8c / 5.53.2] - 2021-10-24

Added

added explicit lines on Plus installer to delete empty shell registry keys at uninstall time (by mpheath) 3f661a8

Fixed

fixed template sections not showing in editor #1287
fixed autodelete box content broken in the previous build #1296 #1324
fixed crash in "Browse Content" window #1313
fixed issue with icon resolution #1310
fixed invalid "No Inet" status in the status column #1312
fixed Windows Explorer search box not working (by isaak654) #1002
fixed Waterfox phishing template (by Dyras) #1309
fixed issue with Chinese translation files on Plus installer (by mpheath) #1317
fixed autorun registry key path on Plus installer (by mpheath) abd2d44
fixed memory corruption in SbieSvc.exe

[0.9.8b / 5.53.1] - 2021-10-19

Added

added ability to save trace log to file on Plus UI
added French language on Plus UI (by clexanis) #1155

Changed

network traffic trace is now properly logged to the driver log instead of to the kernel debug log
Plus installer will autostart SandMan.exe after install to fix a taskbar icon issue #3040211
Classic installer will show the license agreement when updating #1187

Fixed

fixed template sections not showing in editor #1287
fixed issue with app ID resulting in some apps showing two button groups in the taskbar #1101
fixed issue with maximum ini value length on Plus UI #1293
fixed issue handling an empty Sandboxie.ini that got introduced recently #1292
fixed issue with "SpecialImages" template (by Coverlin) #1288 #1289
fixed issue with box emptying #1296
fixed issues with some languages #1304
fixed issue with mounted directories #1302
added missing translation for Qt libraries #1305
fixed issue with Windows compatibility assistant #1265
fixed issue with specific process image settings #1307

[0.9.8 / 5.53.0] - 2021-10-15

Added

added debug switch to disable Sbie console redirection "NoSandboxieConsole=y"
-- Note: this was previously part of "NoSandboxieDesktop=y"
added Sbie+ version to the log #1277
added uninstall clean-up of extra files for the Plus installer (by mpheath) #1235
added set language for Sandman for the Plus installer (by mpheath) #1241
added EventLog messages with SbieMsg.dll for the Plus installer (by mpheath)
group expansion state is now saved
added additional filters to the trace tab
added a new section [DefaultTemplates] in Templates.ini which contains mandatory templates that are always applied 0c9ecb0

Changed

reworked and extended RPC logging
reintroduced the "UseRpcMgmtSetComTimeout=some.dll,n" setting to be used when no "RpcPortBinding" entry is specified
--- this allows to enable/disable out of box RPC binding independently from the timeout setting
the "BoxNameTitle" value can now be set explicitly on a per image name basis #1190

Fixed

fixed inability to delete read-only files from the sandboxed explorer #1237
fixed wrong recovery target in Plus UI #1274
fixed SBIE2101 issue introduced with 0.9.7a #1279
fixed sorting in the box picker window #1269
fixed tray refresh issue #1250
fixed tray activity display #1221
fixed recovery window not displaying in taskbar #1195
fixed dark theme preset not updating in real time #1270
fixed Microsoft Edge complaining about "FakeAdminRights=y" #1271
fixed issue with using local template in the global section #1212
fixed issue with git.exe from MinGW freezing #1238
fixed issue with search highlighting in dark mode

Removed

removed the ability to sort the trace log as it took too much CPU

[0.9.7e / 5.52.5] - 2021-10-09

Changed

reworked the settings handling once again, now the driver maintains the order when enumerating, but for good performance there is a Hash Map held in parallel for quick exact lookups

[0.9.7d / 5.52.4] - 2021-10-06

Fixed

fixed yet another ini issue with the SbieCtrl

[0.9.7c / 5.52.3] - 2021-10-05

Fixed

fixed yet another handling bug with SbieApi_EnumBoxesEx

[0.9.7b / 5.52.2] - 2021-10-04

Fixed

fixed issue about loading a non-Unicode Sandboxie.ini that was introduced in the previous build

[0.9.7 / 5.52.1] - 2021-10-02

Added

added forced process indicator to process status column #1174
added "SbieTrace=y" option to trace the interaction between Sandboxie processes and Sandboxie core components
when initializing an empty sandbox, MSI debug keys are set to generate the debug output of MSI installer service
added "DisableComProxy=y" allowing to disable COM proxying through the service
added "ProcessLimit=..." which allows limiting the maximum number of processes in a sandbox #1230
added missing IPC logging

Changed

reworked SbieSvc ini server to allow settings caching and greatly improve performance
-- Now comments in the Sandboxie.ini are being preserved as well as the order of all entries
enabled configuration section list replacement with a hash map to improve configuration performance
improved progress and status messages for the Plus installer (by mpheath) #1168
reworked RpcSs start mechanics, sandboxed RpcSs and DcomLaunch can now be run as system, use "RunRpcssAsSystem=y"
-- Note: this is generally not recommended for security reasons but may be needed for compatibility in some scenarios
reworked WTSQueryUserToken handling to work properly in all scenarios
reworked configuration value list to use a hash table for better performance

Fixed

fixed Plus upgrade install in Windows 7 (by mpheath) #1194
fixed custom autoexec commands being executed on each box start instead of only during the initialization
fixed a design issue limiting the maximum amount of processes per sandbox to 511
fixed handle leaks in the lingering process monitor mechanism
fixed issue with opening device paths like "\??\FltMgr"
fixed build issue with an explicit FileDigestAlgorithm option for driver sign (by isaak654) #1210
fixed issue with resource access log sometimes getting corrupted
fixed issue with Microsoft Office Click-to-Run #428 #882

Removed

removed support for Microsoft EMET (Enhanced Mitigation Experience Toolkit), as it was EOL in 2018
removed support for Messenger Plus! Live, as MSN Messenger is EOL since 2013
disabled Turkish language on Plus UI for inactivity (by isaak654) #1215

[0.9.6 / 5.51.6] - 2021-09-12

Added

added ability to rename groups #1152
added ability to define a custom order for the sandboxes, they can be moved by using the move context menu, or holding Alt + Arrow Key
added recovery to list to the recovery window: #988
added finder to the recovery window

Changed

updated the BlockPort rule inside Template_BlockPorts to the new NetworkAccess format (by isaak654) #1162
default for immediate recovery behaviour is now to show the recovery window instead of using the notifications window #988
the new run dialog now requires a double-click #1171
reworked the recovery window

Fixed

fixed issue with create group menu #1151
fixed issue that caused a box to lose its group association when renaming
fixed issue with Thunderbird 91+ #1156
fixed an issue with file disposition handling #1161
fixed issue with Windows 11 22449.1000 #1164
fixed SRWare Iron template (by Dyras) #1146
fixed label positioning in Classic UI (by isaak654) #1088
fixed an old issue that occurred when only an asterisk was set as path #971

[0.9.5 / 5.51.5] - 2021-08-30

Added

added option to run a sandbox in session 0
-- Note: the processes then have a system token, hence it's recommended to enable "DropAdminRights=y"
if the UI is run with admin privileges, it can terminate sandboxed processes in other sessions now
added "StartSystemBox=" option to auto-run a box on Sbie start/system boot in session 0
-- Note: box start is done by issuing Start.exe /box:[name] auto_run
add Start.exe auto_run command to start all sandboxed auto-start locations
add Start.exe /keep_alive command line switch which keeps a process running in the box until it gracefully terminates
added "StartCommand=" which starts a complex command through Start.exe on box startup
added menu option to start regedit and load the box's registry key
added system tray option in the Plus UI to show Classic icon #963

Changed

changed command prompt icon and string from "Terminal" to "Command Prompt" #1135
reworked box menu layout a bit

Fixed

fixed driver compatibility with Windows Server 2022 (build 20348) #1143
fixed issue with creating shortcuts #1134

Installers re-released on 2021-08-31 with the following fix:

fixed KmdUtil warning 1061 after Plus upgrade (by mpheath) #968 #1139

[0.9.4 / 5.51.4] - 2021-08-22

Added

added clear commands to log submenus #391
added option to disable process termination prompt #514
added "Options/InstantRecovery" setting to sandboxie-plus.ini to use the recovery window instead of the notification pop-up #988
added ability to rename a non-empty sandbox #1100
added ability to remove a non-empty sandbox
added file browser window to SandMan UI to cover the file-view functionality of SbieCtrl #578

Changed

generic errors in Sbie UI now show the status code as hex and provide a string description when available

Fixed

fixed "del" shortcut to terminate a process not always working
fixed group display issue #1094
fixed issue when using "Run Sandboxed" on a file that is already located in a sandbox #1099

[0.9.3 / 5.51.3] - 2021-08-08

Read the developer's notes about the new WFP functionality.

Added

ability to use the "run unsandboxed" option with Sandboxie links #614

Fixed

fixed "run outside sandbox" issue on Classic build #614
fixed open template does not load the edit tab #1054
fixed issue with "explore sandboxed" #972
fixed start directory for sandboxed processes #1071
fixed issue with language auto-detection #1018
fixed issue with multiple files with the same name, by always showing the extension #1041
fixed multiple program grouping issues with the SandMan UI #1054
fixed "no disk" error #966
fixed issue with 32bit build using qMake, the -O2 option resulted in a crash in the QSbieAPI.dll #995
fixed issue with UserSettings introduced in a recent build #1054

[0.9.2 / 5.51.2] - 2021-08-07 (pre-release)

Added

added ability to reconfigure the driver, which allows enabling/disabling WFP and other features without a reload/reboot

Changed

reorganized and improved the settings window
improved the tray icon a bit, the sand is now more yellow

Fixed

fixed issue with process start handling introduced in 5.51.0 #1063
fixed issue with quick recovery introduced in 5.51.0
fixed incompatibility with CET Hardware-enforced Stack Protection on Intel 11th gen and AMD Ryzen 5XXX CPUs #1067 #1012

Removed

commented out all Windows XP-specific support code from the driver

[0.9.1 / 5.51.1] - 2021-07-31 (pre-release)

Added

added tray icon indicating broken connection to the driver if it happens
added option to customize the tray icon
added "DllSkipHook=some.dll" option to disable installation of hooks into selected DLLs
added localization support for Plus installer (by yfdyh000 and mpheath) #923

Changed

reworked NtClose handling for better performance and extendibility
improved tray box menu and list

Fixed

fixed issue with fake admin and some NSIS installers #1052
fixed more issued with FileDispositionInformation behaviour, which resulted in bogus file deletion handling
fixed issue with checking WFP status
fixed issue WFP failing to initialize at boot
fixed issue with tray sandbox options not being available just after boot
fixed issue access changed flag not being properly set in box options #1065

[0.9.0 / 5.51.0] - 2021-07-29 (pre-release)

Added

added support for Windows Filtering Platform (WFP) to be used instead of the device-based network blocking scheme
-- to enable this support, add 'NetworkEnableWFP=y' to the global section and reboot or reload the driver
-- to use WFP for a specific sandbox, add 'AllowNetworkAccess=n'
-- you can allow certain processes by using 'AllowNetworkAccess=program.exe,y'
-- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section
-- in this case you can exempt entire sandboxes by adding 'AllowNetworkAccess=y' to specific boxes
-- you can block certain processes by using 'AllowNetworkAccess=program.exe,n'
-- Note: WFP is less absolute than the old approach, using WFP will filter only TCP/UDP communication
-- restricted boxed processes will still be able to resolve domain names using the system service
-- however, they will not be able to send or receive data packets directly
-- the advantages of WFP is that filter rules can be implemented by restricting communication only to specified addresses or selected ports using "NetworkAccess=..."
added fully functional rule-based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
-- the mechanism replaces the old "BlockPort=..." functionality
-- Note: this filter applies only to outgoing connections/traffic, for incoming traffic either the WFP mode or a third-party firewall is needed
-- like the old user mode based mechanism, malicious applications can bypass it by unhooking certain functions
-- hence it's recommended to use the kernel mode WFP-based mechanism when reliable isolation is required
added new trace option "NetFwTrace=*" to trace the actions of the firewall components
-- please note that the driver only trace logs the kernel debug output, use DbgView.exe to log
API_QUERY_PROCESS_INFO can now be used to get the impersonation token of a sandboxed thread
-- Note: this capability is used by TaskExplorer to allow inspecting sandbox-internal tokens
-- Note: a process must have administrative privileges to be able to use this API
added a UI option to switch "MsiInstallerExemptions=y" on and off
-- just in case a future Windows build breaks something in the systemless mode
added sample code for ObRegisterCallbacks to the driver
added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" that allow to disable file and registry filtering
-- Note: these options are for testing only and disable core parts of the sandbox isolation
added a few command line options to SandMan.exe

Changed

greatly improved the performance of the trace log, but it's no longer possible to log to both SandMan and SbieCtrl at the same time
reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination

Fixed

added missing hook for ConnectEx function

[0.8.9 / 5.50.9] - 2021-07-28 HotFix 2

Fixed

Fixed issue with registering session leader

[0.8.9 / 5.50.9] - 2021-07-28 HotFix 1

Fixed

Fixed issue with Windows 7

[0.8.9 / 5.50.9] - 2021-07-27

Changed

updated a few icons
updated GitHub build action to use Qt 5.15.2
improved the "full" tray icon to be more distinguishable from the "empty" one
changed code integrity verification policies #1003
-- code signature is no longer required to change config, to protect presets use the existing "EditAdminOnly=y"

Fixed

fixed issue with systemless MSI mode introduced in the last build
fixed MSI installer not being able to create the action server mechanism on Windows 11
fixed MSI installer not working in systemless mode on Windows 11
fixed Inno Setup script not being able to remove shell integration keys during Sandboxie Plus uninstall (by mpheath) #1037

[0.8.8 / 5.50.8] - 2021-07-13

Changed

MSIServer no longer requires being run as system; this completes the move to not use system tokens in a sandbox by default
-- the security-enhanced option "MsiInstallerExemptions=n" is now the default behaviour

Fixed

fixed issue with the "explore sandboxed" command #972
rolled back the switch from using NtQueryKey to NtQueryObject as it seems to break some older Windows 10 versions like 1803 #984
-- this change was introduced to fix #951
-- to use NtQueryObject the option "UseObjectNameForKeys=y" can be added to Sandboxie.ini

[0.8.7b / 5.50.7] - 2021-07-11

Fixed

fixed issue with boxes that had auto-delete activated introduced in the previous build #986

[0.8.7 / 5.50.7] - 2021-07-10

Added

added option to always auto-pick the DefaultBox #959
-- when this option is enabled, the normal behaviour with a box selection dialog can be brought up by holding down CTRL
added option to hide a sandbox from the "run in box" dialog
-- useful to avoid listing insecure compatibility test boxes for example
added box options to system tray #439 #272

Changed

changed default "terminate all boxed processes" key from Ctrl+Pause to Ctrl+Alt+Pause #974
Start.exe no longer links in unused MFC code, which reduced its file size from over 2.5 MB to below 250 KB
updated the main SandMan and tray icon #963
improved the box tree-style view

Fixed

added additional delay and retries to KmdUtil.exe to mitigate issues when unloading the driver #968
fixed issue with SbieCtrl not being properly started after setup #969
fixed issue with "explore sandboxed" shell option #972
fixed issue when running SandMan elevated #932
fixed new box selection dialog showing disabled boxes
fixed issue updating box active status

Removed

removed Online Armor support as this product is deprecated since 2016

[0.8.6 / 5.50.6] - 2021-07-07

Added

added LibreWolf template (by Dyras) #929

Fixed

fixed performance bug introduced in 0.8.5

[0.8.5 / 5.50.5] - 2021-07-06

Added

added global hotkey to terminate all sandboxed processes (default: Ctrl+Pause)
the "Run Sandboxed" dialog can now be handled by the SandMan UI
added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
-- Note: this allows Chrome and other programs to use the job system for additional isolation
added Librewolf.exe to the list of Firefox derivatives #927
added run regedit sandboxed menu command
added new support settings tab to SandMan UI for updates and news
added code integrity verification to Sbie service and UI
added template for Vivaldi Notes (by isaak654) #948

Changed

replaced the Process List used by the driver with a much faster Hash Map implementation
-- Note: this change provides an almost static system call speed of 1.2µs regardless of the running process count
-- The old list, with 100 programs running required 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
-- Note: some of the slowdown was also affecting non-sandboxed applications due to how the driver handles certain callbacks
replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
-- not yet enabled in production build
the presence of the default box is only checked on connect
the portable directory dialog now shows the directory #924
when terminated, boxed processes now try terminating the job object first
the driver now can terminate problematic processes by default without the help of the service
the box delete routine now retries up to 10 times, see #954
replaced the Process List used by the service with a much faster Hash Map implementation
replaced the per-process Thread List used by the service with a much faster Hash Map implementation

Fixed

fixed faulty initialization in SetServiceStatus (by flamencist) #921
fixed buttons position in Classic UI settings (by isaak654) #914
fixed missing password length check in the SandMan UI #925
fixed issues opening job objects by name
fixed missing permission check when reopening job object handles (thanks Diversenok)
fixed issue with some Chromium 90+ hooks affecting the display of PDFs in derived browsers #930 #817
fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
fixed minor setting issue #957
fixed minor UI issue with resource access COM settings #958
fixed an issue with NtQueryKey using NtQueryObject instead #951
fixed crash in key.c when failing to resolve key paths
added workaround for topmost modality issue #873
-- the notification window is not only topmost for 5 seconds
fixed an issue deleting directories introduced in 5.49.5
fixed an issue when creating box copies

Removed

removed switch for "BlockPassword=n" as it does not seem to be working #938
-- it's recommended to use "OpenSamEndpoint=y" to allow password changes in Windows 10

[0.8.2 / 5.50.2] - 2021-06-15

Changed

split anti-phishing rules per browser (by isaak654) #910

Fixed

properly fixed an issue with Driver Verifier and user handles #906
fixed an issue with CreateWindow function introduced with 0.8.0
fixed issue with outdated BoxDisplayOrder entries being retained #900

[0.8.1 / 5.50.1] - 2021-06-14

Fixed

fixed an issue with Driver Verifier and user handles
fixed driver memory leak of FLT_FILE_NAME_INFORMATION objects
fixed broken clipboard introduced in 5.50.0 #899
fixed DcomLaunch issue on Windows 7 32 bit introduced in 5.50.0 #898

[0.8.0 / 5.50.0] - 2021-06-13

Added

Normally Sandboxie applies "Close...=!,..." directives to non-excluded images if they are located in a sandbox
-- added 'AlwaysCloseForBoxed=n' to disable this behaviour as it may not be always desired, and it doesn't provide extra security
added process image information to SandMan UI
localized template categories in the Plus UI #727
added "DisableResourceMonitor=y" to disable resource access monitor for selected boxes #886
added option to show trace entries only for the selected sandbox #886
added "UseVolumeSerialNumbers=y" that allows drive letters to be suffixed with the volume SN in the \drive\ sandbox location
-- it helps to avoid files mixed together on multiple pendrives using the same letter
-- Note: this option is not compatible with the recovery function of the Classic UI, only SandMan UI is fully compatible
added "ForceRestart=PicoTorrent.exe" to the PicoTorrent template in order to fix a compatibility issue #720
added localization support for RPC templates (by isaak654) #736

Changed

portable clean-up message now has yes/no/cancel options #874
consolidated Proc_CreateProcessInternalW and Proc_CreateProcessInternalW_RS5 to remove duplicate code
the ElevateCreateProcess fix, as sometimes applied by the Program Compatibility Assistant, will no longer be emulated by default #858
-- use 'ApplyElevateCreateProcessFix=y' or 'ApplyElevateCreateProcessFix=program.exe,y' to enable it
trace log gets disabled only when it has no entries and the logging is stopped

Fixed

fixed APC issue with the new global hook emulation mechanism and WoW64 processes #780 #779
fixed IPv6 issues with BlockPort options
fixed an issue with CheatEngine when "OpenWinClass=*" was specified #786
fixed memory corruption in SbieDrv #838
fixed crash issue with process elevation on CreateProcess calls #858
fixed process elevation when running in the built-in administrator account #3
fixed template preview resetting unsaved entries in box options window #621

[0.7.5 / 5.49.8] - 2021-06-05

Added

clipboard access for a sandbox can now be disabled with "OpenClipboard=n" #794

Changed

now the OpenBluetooth template is enabled by default for compatibility with Unity games #799
"PreferExternalManifest=program.exe,y" can now be set on a per-process basis

Fixed

fixed compiler issues with the most recent VS2019 update
fixed issue with Vivaldi browser #821
fixed some issues with box options in the Plus UI #879
fixed some issues with hardware acceleration in Chromium based browsers #795
the "Stop All" command now issues "KmdUtil scandll" first to solve issues when the SbieDll.dll is in use
workaround for Electron apps, by forcing an additional command line argument on the GPU renderer process #547 #310 #215
fixed issue with Software Compatibility tab that doesn't always show template names correctly #774

[0.7.4 / 5.49.7] - 2021-04-11

Added

added option to disable file migration prompt in the Plus UI with PromptForFileMigration=n #643
added UI options for various security isolation features
added missing functionality to set template values in the Plus UI
added templates for Popcorn-Time, Clementine Music Player, Strawberry Music Player, 32-bit MPC-HC (by Dyras) #726 #737

Changed

align default settings of AutoRecover and Favourites to the Plus version (thanks isaak654) #747
list of email clients and browsers is now centralized in Dll_GetImageType
localstore.rdf reference in Templates.ini was replaced with xulstore.json (by isaak654) #751

Fixed

fixed minor issue with logging internet blocks
fixed issue with file recovery when located on a network share #711
fixed UI issue with CallTrace #769
fixed sandbox shortcuts receiving double extension upon creation #770
fixed misplaced labels in the Classic UI (thanks isaak654) #759
fixed separator line in SbieCtrl (thanks isaak654) #761
fixed broken paths in The Bat! template (by isaak654) #756
fixed issue about media players that attempt to write unneeded media files inside the box (by Dyras) #743 #536

[0.7.3 / 5.49.5] - 2021-03-27

Added

added "UseSbieWndStation=y" to emulate CreateDesktop for selected processes, not only Firefox and Chrome #635
added option to drop the console host process integrity, now you can use "DropConHostIntegrity=y" #678
added option to easily add local templates
added new torrent clients and media players templates (by Dyras) #719

Changed

reworked window hooking mechanism to improve performance #697 #519 #662 #69 #109 #193
-- resolves issues with file save dialogs taking 30+ seconds to open
-- this fix greatly improves the Win32 GUI performance of sandboxed processes
reworked RPC resolver to be ini-configurable
-- the following options are now deprecated:
--- "UseRpcMgmtSetComTimeout=some.dll,n", so use "RpcPortBinding=some.dll,*,TimeOut=y"
--- "OpenUPnP=y", "OpenBluetooth=y", "OpenSmartCard=n", so use the new RPC templates instead
-- See Templates.ini for usage examples

Fixed

fixed process-specific hooks being applied to all processes in a given sandbox
fixed issue with messages and templates sometimes not being properly displayed in the SandMan UI
fixed issue with compatibility settings not being applied properly
fixed auto delete issue that got introduced with 0.7.1 #637
fixed issue with NtSetInformationFile, FileDispositionInformation resulting in Opera installer failing
fixed issue with MacType introduced in the 0.7.2 build #676
fixed global sandboxed windows hooks not working when window rename option is disabled
fixed issue with saving local templates
fixed issue when using runas to start a process that was created outside of the Sandboxie supervision #688
-- since the runas facility is not accessible by default, this did not constitute a security issue
-- to enable runas functionality, add "OpenIpcPath=\RPC Control\SECLOGON" to your Sandboxie.ini
-- please take note that doing so may open other yet unknown issues
fixed a driver compatibility issue with Windows 10 32 bit Insider Preview Build 21337
fixed issues with driver signature for Windows 7

[0.7.2 / 5.49.0] - 2021-03-04

Added

added option to alter reported Windows version "OverrideOsBuild=7601" for Windows 7 SP1 #605
the trace log can now be structured like a tree with processes as root items and threads as branches

Changed

SandboxieCrypto now always migrates the CatRoot2 files in order to prevent locking of real files
greatly improved trace log performance
MSI Server can now run with the "FakeAdminRights=y" and "DropAdminRights=y" options #600
-- special service allowance for the MSI Server can be disabled with "MsiInstallerExemptions=n"
changed SCM access check behaviour; non elevated users can now start services with a user token
-- elevation is now only required to start services with a system token
reworked the trace log mechanism to be more verbose
reworked RPC mechanism to be more flexible

Fixed

fixed issues with some installers introduced in 5.48.0 #595
fixed "add user to sandbox" in the Plus UI #597
FIXED SECURITY ISSUE ID-15: the HostInjectDll mechanism allowed for local privilege escalation (thanks hg421)
Classic UI no longer allows to create a sandbox with an invalid or reserved device name #649

[0.7.1 / 5.48.5] - 2021-02-21

Added

enhanced RpcMgmtSetComTimeout handling with "UseRpcMgmtSetComTimeout=some.dll,n"
-- this option allows to specify if RpcMgmtSetComTimeout should be used or not for each individual dll
-- this setting takes precedence over hard-coded and per-process presets
-- "UseRpcMgmtSetComTimeout=some.dll" and "UseRpcMgmtSetComTimeout=some.dll,y" are equivalent
added "FakeAdminRights=y" option that makes processes think they have admin permissions in a given box
-- this option is recommended to be used in combination with "DropAdminRights=y" to improve security
-- with "FakeAdminRights=y" and "DropAdminRights=y" installers should still work
added RPC support for SSDP API (the Simple Service Discovery Protocol), you can enable it with "OpenUPnP=y"

Changed

SbieCrypto no longer triggers message 1313
changed enum process API; now more than 511 processes per box can be enumerated (no limit)
reorganized box settings a bit
made COM tracing more verbose
"RpcMgmtSetComTimeout=y" is now again the default behaviour, it seems to cause less issues overall

Fixed

fixed issues with webcam access when the DevCMApi filtering is in place
fixed issue with free download manager for 'AppXDeploymentClient.dll', so RpcMgmtSetComTimeout=y will be used by default for this one #573
fixed not all WinRM files were blocked by the driver, with "BlockWinRM=n" this file block can be disabled
fixed Sandboxie Classic crash when saving any option in Sandbox Settings -> Appearance (by typpos) #586

[0.7.0 / 5.48.0] - 2021-02-14

Added

sandboxed indicator for tray icons, the tooltip now contains [#] if enabled
the trace log buffer can now be adjusted with "TraceBufferPages=2560"
-- the value denotes the count of 4K large pages to be used; here for a total of 10 MB
new functionality for the list finder

Changed

improved RPC debugging
improved IPC handling around RpcMgmtSetComTimeout; "RpcMgmtSetComTimeout=n" is now the default behaviour
-- required exceptions have been hard-coded for specific calling DLLs
the LogApi dll is now using Sbie's tracing facility to log events instead of its own pipe server

Fixed

FIXED SECURITY ISSUE ID-11: elevated sandboxed processes could access volumes/disks for reading (thanks hg421)
-- this protection option can be disabled by using "AllowRawDiskRead=y"
fixed crash issue around SetCurrentProcessExplicitAppUserModelID observed with GoogleUpdate.exe
fixed issue with Resource Monitor sort by timestamp
fixed invalid Opera bookmarks path (by isaak654) #542
FIXED SECURITY ISSUE ID-12: a race condition in the driver allowed to obtain an elevated rights handle to a process (thanks typpos) #549
FIXED SECURITY ISSUE ID-13: "\RPC Control\samss lpc" is now filtered by the driver (thanks hg421) #553
-- this allowed elevated processes to change passwords, delete users and alike; to disable filtering use "OpenSamEndpoint=y"
FIXED SECURITY ISSUE ID-14: "\Device\DeviceApi\CMApi" is now filtered by the driver (thanks hg421) #552
-- this allowed elevated processes to change hardware configuration; to disable filtering use "OpenDevCMApi=y"

[0.6.7 / 5.47.1] - 2021-02-01

Added

added UI language auto-detection

Fixed

fixed Brave.exe now being properly recognized as Chrome-, not Firefox-based
fixed issue introduced in 0.6.5 with recent Edge builds
-- the 0.6.5 behaviour can be set on a per-process basis using "RpcMgmtSetComTimeout=POPPeeper.exe,n"
fixed grouping issues #445
fixed main window restore state from tray #288

[0.6.5 / 5.47.0] - 2021-01-31

Added

added detection for Waterfox.exe, Palemoon.exe and Basilisk.exe Firefox forks as well as Brave.exe #468
added Bluetooth API support, IPC port can be opened with "OpenBluetooth=y" #319
-- this should resolve issues with many Unity games hanging on startup for a long time
added enhanced RPC/IPC interface tracing
when DefaultBox is not found by the SandMan UI, it will be recreated
"Disable Forced Programs" time is now saved and reloaded

Changed

reduced SandMan CPU usage
Sandboxie.ini and Templates.ini can now be UTF-8 encoded #461 #197
-- this feature is experimental, files without a UTF-8 Signature should be recognized also
-- "ByteOrderMark=yes" is obsolete, Sandboxie.ini is now always saved with a BOM/Signature
legacy language files can now be UTF-8 encoded
reworked file migration behaviour, removed hardcoded lists in favour of templates #441
-- you can now use "CopyAlways=", "DontCopy=" and "CopyEmpty=" that support the same syntax as "OpenFilePath="
-- "CopyBlockDenyWrite=program.exe,y" makes a write open call to a file that won't be copied fail instead of turning it read-only
removed hardcoded SkipHook list in favour of templates

Fixed

fixed old memory pool leak in the Sbie driver #444
fixed issue with item selection in the access restrictions UI
fixed updater crash in SbieCtrl.exe #450
fixed issues with RPC calls introduced in Sbie 5.33.1
fixed recently broken 'terminate all' command
fixed a couple minor UI issues with SandMan UI
fixed IPC issue with Windows 7 and 8 resulting in process termination
fixed "recover to" functionality

[0.6.0 / 5.46.5] - 2021-01-25

Added

added confirmation prompts to terminate all commands
added window title to boxed process info #360
added WinSpy based sandboxed window finder #351
added option to view disabled boxes and double-click on box to enable it

Changed

"Reset Columns" now resizes them to fit the content, and it can now be localized #426
modal windows are now centered to the parent #417
improved new box window #417

Fixed

fixed issues with window modality #409
fixed issues when main window was set to be always on top #417
fixed a driver issue with Windows 10 insider build 21286
fixed issues with snapshot dialog #416
fixed an issue when writing to a path that already exists in the snapshot but not outside #415

[0.5.5 / 5.46.4] - 2021-01-17

Added

added "SandboxService=..." to force selected services to be started in the sandbox
added template clean-up functionality to Plus UI
added internet prompt to now also allow internet access permanently
added browse button for box root folder in the SandMan UI #382
added explorer info message #352
added option to keep the SandMan UI always on top
allow drag and drop file onto SandMan.exe to run it sandboxed #355
added start SandMan UI when a sandboxed application starts #367
recovery window can now list all files
added file counter to recovery window
when "NoAddProcessToJob=y" is specified, Chrome and related browsers now can fully use the job system
-- Note: "NoAddProcessToJob=y" reduces the box isolation, but the affected functions are mostly covered by UIPI anyway
added optimized default column widths to Sbie view
added template support for Yandex and Ungoogled Chromium browsers (by isaak654)

Changed

updated templates with multiple browsers fixes (thanks isaak654)
when trying to take a snapshot of an empty sandbox a proper error message is displayed #381
new layout for the recovery window
Sbie view sorting is now case insensitive

Fixed

fixed issue child window closing terminating application when main was hidden #349
fixed issues with non modal windows #349
fixed issues connecting to driver in portable mode
fixed minor issues with snapshot window
fixed missing error message when attempting to create an already existing sandbox #359
fixed issue allowing to save setting when a sandbox was already deleted #359
fixed issues with disabled items in dark mode #359
fixed some dialogs not closing when pressing Esc #359
fixed tab stops on many windows

[0.5.4d / 5.46.3] - 2021-01-11

Changed

improved access tracing, removed redundant entries
OpenIpcPath=\BaseNamedObjects[CoreUI]-* is now hardcoded in the driver no need for the template entry
WindowsFontCache is now open by default
refactored some IPC code in the driver

Fixed

FIXED SECURITY ISSUE ID-10: the registry isolation could be bypassed, present since Windows 10 Creators Update
fixed creation time not always being properly updated in the SandMan UI

[0.5.4c / 5.46.2] - 2021-01-10

Added

added "CallTrace=*" to log all system calls to the access log

Changed

improved IPC logging code
improved MSG_2101 logging

Fixed

fixed more issues with IPC tracing
fixed SBIE2101 issue with Chrome and derivatives

[0.5.4b / 5.46.1] - 2021-01-08

Added

added "RunServiceAsSystem=..." allows specific named services to be run as system

Changed

refactored some code around SCM access

Fixed

fixed a crash issue in SbieSvc.exe introduced with the last build
fixed issue with SandMan UI update check
FIXED SECURITY ISSUE ID-9: a Sandboxed process could start sandboxed as system even with DropAdminRights in place

Removed

removed "ProtectRpcSs=y" due to incompatibility with new isolation defaults

[0.5.4 / 5.46.0] - 2021-01-06

Added

FIXED SECURITY ISSUE ID-4: Sandboxie now strips particularly problematic privileges from sandboxed system tokens
-- with those a process could attempt to bypass the sandbox isolation (thanks Diversenok)
-- old legacy behaviour can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
-- those resources are open by default, but for a hardened box it is desired to close them
FIXED SECURITY ISSUE ID-5: added print spooler filter to prevent printers from being set up outside the sandbox
-- the filter can be disabled with "OpenPrintSpooler=y"
added overwrite prompt when recovering an already existing file
added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
added more compatibility templates (thanks isaak654) #294

Changed

Changed Emulated SCM behaviour, boxed services are no longer by default started as boxed system
-- use "RunServicesAsSystem=y" to enable the old legacy behaviour
-- Note: sandboxed services with a system token are still sandboxed and restricted
-- However not granting them a system token in the first place removes possible exploit vectors
-- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
reworked dynamic IPC port handling
improved Resource Monitor status strings

Fixed

FIXED SECURITY ISSUE ID-6: processes could spawn processes outside the sandbox (thanks Diversenok)
FIXED SECURITY ISSUE ID-7: bug in the dynamic IPC port handling allowed to bypass IPC isolation
fixed issue with IPC tracing
FIXED SECURITY ISSUE ID-8: CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
-- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
fixed hooking issues SBIE2303 with Chrome, Edge and possibly others #68 #166
fixed failed check for running processes when performing snapshot operations
fixed some box options checkboxes were not properly initialized
fixed unavailable options are not properly disabled when SandMan is not connected to the driver
fixed MSI installer issue, not being able to create "C:\Config.msi" folder on Windows 20H2 #219
added missing localization to generic list commands
fixed issue with "iconcache_*" when running sandboxed explorer
fixed more issues with groups

[0.5.3b / 5.45.2] - 2021-01-02

Added

added settings for the portable boxed root folder option
added process name to resource log
added command line column to the process view in the SandMan UI

Fixed

fixed a few issues with group handling #262
fixed issue with GetRawInputDeviceInfo when running a 32 bit program on a 64 bit system
fixed issue when pressing apply in the "Resource Access" tab; the last edited value was not always applied
fixed issue merging entries in Resource Access Monitor

[0.5.3a / 5.45.2] - 2020-12-29

Added

added prompt to choose if links in the SandMan UI should be opened in a sandboxed or unsandboxed browser #273
added more recovery options
added "ClosedClsid=" to block COM objects from being used when they cause compatibility issues
added "ClsidTrace=*" option to trace COM usage
added "ClosedRT=" option to block access to problematic Windows RT interfaces
added option to make a link for any selected process to SandMan UI
added option to reset all hidden messages
added more process presets "force program" and "allow internet access"
added "SpecialImage=chrome,some_electron_app.exe" option to Sandboxie.ini, valid image types "chrome", "firefox"
-- with this option you can enable special hardcoded workarounds to new obscure forks of those browsers
added German translation (thanks bastik-1001) to the SandMan UI
added Russian translation (thanks lufog) to the SandMan UI
added Portuguese translation (thanks JNylson ) to the SandMan UI

Changed

changed docs and update URLs to the new sandboxie-plus.com domain
greatly improved the setup script (thanks mpheath)
"OpenClsid=" and "ClosedClsid=" now support specifying a program or group name
by default, when started in portable mode, the sandbox folder will be located in the parent directory of the Sandboxie instance

Fixed

grouping menu not fully working in the new SandMan UI #277
fixed not being able to set quick recovery in SandMan UI
fixed resource leak when loading process icons in SandMan UI
fixed issue with OpenToken debug options
fixed Chrome crashing on websites that cause the invocation of "FindAppUriHandlersAsync" #198
fixed issue connecting to the driver when starting in portable mode
fixed missing template setup when creating new boxes

removed

removed obsolete "OpenDefaultClsid=n" use "ClosedClsid=" with the appropriate values instead
removed suspend/resume menu entry, pooling that state wastes substantial CPU cycles; use task explorer for that functionality

[0.5.2a / 5.45.1] - 2020-12-23

Fixed

fixed translation support in the SandMan UI
fixed sandboxed explorer issue #289
fixed simplified Chinese localization

[0.5.2 / 5.45.1] - 2020-12-23

Added

added advanced new box creation dialog to SandMan UI
added show/hide tray context menu entry
added refresh button to file recovery dialog
added mechanism to load icons from {install-dir}/Icons/{icon}.png for UI customization
added tray indicator to show disabled forced program status in the SandMan UI
added program name suggestions to box options in SandMan UI
added saving of column sizes in the options window

Changed

reorganized the advanced box options a bit
changed icons (thanks Valinwolf for picking the new ones) #235
updated Templates.ini (thanks isaak654) #256 #258
increased max value for disable forced process time in SandMan UI

Fixed

fixed BSOD introduced in 5.45.0 when using Windows 10 "core isolation" #221
fixed minor issue with lingering/leader processes
fixed menu issue in SandMan UI
fixed issue with stop behaviour page in SandMan UI
fixed issue with Plus installer not displaying KmdUtil window
fixed SandMan UI saving UI settings on Windows shutdown
fixed issue with Plus installer autorun #247
fixed issue with legacy installer not removing all files
fixed a driver compatibility issue with Windows 20H1 and later #228
-- this solves "stop pending", LINE messenger hanging and other issues...
fixed quick recovery issue in SbieCtrl.exe introduced in 5.45.0 #224
fixed issue advanced hide process settings not saving
fixed some typos in the UI (thanks isaak654) #252 #253 #254
fixed issue with GetRawInputDeviceInfo failing when boxed processes are put in a job object #176 #233
-- this fix resolves issues with CP2077 and other games not getting keyboard input (thanks Rostok)
fixed failing ClipCursor won't longer span the message log
fixed issue with adding recovery folders in SandMan UI
fixed issue with Office 2019 template when using a non-default Sbie install location
fixed issue setting last access attribute on sandboxed folders #218
fixed issue with process start signal

[0.5.1 / 5.45.0] - 2020-12-12

Added

added simple view mode

Changed

updated SandMan UI to use Qt 5.15.1

Fixed

fixed crash issue with progress dialog
fixed progress dialog cancel button not working for update checker
fixed issue around NtQueryDirectoryFile when deleting sandbox content
fixed dark theme in the notification window
fixed issue with disable force programs tray menu

[0.5.0 / 5.45.0] - 2020-12-06

Added

added new notification window
added user interactive control mechanism when using the new SandMan UI
-- when a file exceeds the copy limit instead of failing, the user is prompted if the file should be copied or not
-- when internet access is blocked it now can be exempted in real time by the user
added missing file recovery and auto/quick recovery functionality #188 #178
added silent MSG_1399 boxed process start notification to keep track of short lived boxed processes
added ability to prevent system wide process starts, Sandboxie can now instead of just alerting also block processed on the alert list
-- set "StartRunAlertDenied=y" to enable process blocking
the process start alert/block mechanism can now also handle folders use "AlertFolder=..."
added ability to merge snapshots #151
added icons to the sandbox context menu in the new UI
added more advanced options to the sandbox options window
added file migration progress indicator
added more run commands and custom run commands per sandbox
-- the box settings users can now specify programs to be available from the box run menu
-- also processes can be pinned to that list from the presets menu
added more Windows 10 specific template presets
added ability to create desktop shortcuts to sandboxed items
added icons to box option tabs
added box grouping
added new debug option "DebugTrace=y" to log debug output to the trace log
added check for updates to the new SandMan UI
added check for updates to the legacy SbieCtrl UI

Changed

File migration limit can now be disabled by specifying "CopyLimitKb=-1" #526
improved and refactored message logging mechanism, reducing memory usage by factor of 2
terminated boxed processes are now kept listed for a couple of seconds
reworked sandbox deletion mechanism of the new UI
restructured sandbox options window
SbieDLL.dll can now be compiled with an up to date ntdll.lib (Thanks to TechLord from Team-IRA for help)
improved automated driver self repair

Fixed

fixed issues migrating files > 4GB
fixed an issue that would allow a malicious application to bypass the internet blockade
fixed issue when logging messages from a non-sandboxed process, added process_id parameter to API_LOG_MESSAGE_ARGS
fixed issues with localization
fixed issue using file recovery in legacy UI SbieCtrl.exe when "SeparateUserFolders=n" is set
when a program is blocked from starting due to restrictions no redundant messages are issued any more
fixed UI not properly displaying async errors
fixed issues when a snapshot operation failed
fixed some special cases of IpcPath and WinClass in the new UI
fixed driver issues with WHQL passing compatibility testing
fixed issues with Classic installer

[0.4.5 / 5.44.1] - 2020-11-16

Added

added "Terminate all processes" and "disable forced programs" commands to tray menu in SandMan UI
program start restrictions settings now can be switched between a white list and a black list
-- programs can be terminated and blacklisted from the context menu
added additional process context menu options, lingering and leader process can be now set from menu
added option to view template presets for any given box
added text filter to templates view
added new compatibility templates:
-- Windows 10 core UI component: OpenIpcPath=\BaseNamedObjects[CoreUI]-* solving issues with Chinese Input and Emojis #120 #88
-- Firefox Quantum, access to Windows's FontCachePort for compatibility with Windows 7
added experimental debug option "OriginalToken=y" which lets sandboxed processes retain their original unrestricted token
-- This option is comparable with "OpenToken=y" and is intended only for testing and debugging, it BREAKS most SECURITY guarantees (!)
added debug option "NoSandboxieDesktop=y" it disables the desktop proxy mechanism
-- Note: without an unrestricted token with this option applications won't be able to start
added debug option "NoSysCallHooks=y" it disables the sys call processing by the driver
-- Note: without an unrestricted token with this option applications won't be able to start
added ability to record verbose access traces to the Resource Monitor
-- use ini options "FileTrace=", "PipeTrace=", "KeyTrace=", "IpcTrace=", "GuiTrace=" to record all events
-- replace "" to log only: "A" - allowed, "D" - denied, or "I" - ignore events
added ability to record debug output strings to the Resource Monitor
-- use ini option DebugTrace=y to enable

Changed

AppUserModelID string no longer contains Sandboxie version string
now by default Sbie's application manifest hack is disabled, as it causes problems with version checking on Windows 10
-- to enable old behaviour add "PreferExternalManifest=y" to the global or the box specific ini section
the resource log mechanism can now handle multiple strings to reduce on string copy operations

Fixed

fixed issue with disabling some restriction settings failed
fixed disabling of internet block from the presets menu sometimes failed
the software compatibility list in the SandMan UI now shows the proper template names
fixed use of freed memory in the driver
replaced swprintf with snwprintf to prevent potential buffer overflow in SbieDll.dll
fixed bad list performance with resource log and API log in SandMan UI

[0.4.4 / 5.44.0] - 2020-11-03

Added

added SbieLdr (experimental)

Changed

moved code injection mechanism from SbieSvc to SbieDll
moved function hooking mechanism from SbieDrv to SbieDll
introduced a new driverless method to resolve wow64 ntdll base address

removed

removed support for Windows Vista x64

[0.4.3 / 5.43.7] - 2020-11-03

Added

added disable forced programs menu command to the SandMan UI

Fixed

fixed file rename bug introduced with an earlier Driver Verifier fix #174 #153
fixed issue saving access lists
fixed issue with program groups parsing in the SandMan UI
fixed issue with internet access restriction options #177 #185
fixed issue deleting sandbox when located on a drive directly #139

[0.4.2 / 5.43.6] - 2020-10-10

Added

added "explore box" content menu option

Fixed

fixed thread handle leak in SbieSvc and other components #144
msedge.exe is now categorized as a Chromium derivate
fixed Chrome 86+ compatibility bug with Chrome's own sandbox #149

[0.4.1 / 5.43.5] - 2020-09-12

Added

added core version compatibility check to SandMan UI
added shell integration options to SbiePlus

Changed

SbieCtrl no longer auto-shows the tutorial on first start
when hooking to the trampoline, the migrated section of the original function is no longer noped out
-- it caused issues with Unity games

Fixed

fixed colour issue with vertical tabs in dark mode
fixed wrong path separators when adding new forced folders
fixed directory listing bug introduced in 5.43
fixed issues with settings window when not being connected to driver
fixed issue when starting SandMan UI as admin
fixed auto-content-delete not working with SandMan UI

[0.4.0 / 5.43] - 2020-09-05

Added

added a proper custom installer to the Plus release
added sandbox snapshot functionality to Sbie core
-- filesystem is saved incrementally, the snapshots built upon each other
-- each snapshot gets a full copy of the box registry for now
-- each snapshot can have multiple children snapshots
added access status to Resource Monitor
added setting to change border width #113
added snapshot manager UI to SandMan
added template to enable authentication with an Yubikey or comparable 2FA device
added UI for program alert
added software compatibility options to the UI

Changed

SandMan UI now handles deletion of sandbox content on its own
no longer adding redundant resource accesses as new events

Fixed

fixed issues when hooking functions from delay loaded libraries
fixed issues when hooking an already hooked function
fixed issues with the new box settings editor

Removed

removes deprecated workaround in the hooking mechanism for an obsolete anti-malware product

[0.3.5 / 5.42.1] - 2020-07-19

Added

added settings window
added translation support
added dark theme
added auto start option
added sandbox options
added debug option "NoAddProcessToJob=y"

Changed

improved empty sandbox tray icon
improved message parsing
updated homepage links

Fixed

fixed ini issue with SandMan.exe when renaming sandboxes
fixed ini auto reload bug introduced in the last build
fixed issue when hooking delayed loaded libraries

[0.3 / 5.42] - 2020-07-04

Added

API_QUERY_PROCESS_INFO can be now used to get the original process token of sandboxed processes
-- Note: this capability is used by TaskExplorer to allow inspecting sandbox internal tokens
added option "KeepTokenIntegrity=y" to make the Sbie token keep its initial integrity level (debug option)
-- Note: Do NOT USE Debug Options if you don't know their security implications (!)
added process id to log messages very useful for debugging
added finder to resource log
added option "HideHostProcess=program.exe" to hide unsandboxed host processes
-- Note: Sbie hides by default processes from other boxes, this behaviour can now be controlled with "HideOtherBoxes=n"
Sandboxed RpcSs and DcomLaunch can now be run as system with the option "ProtectRpcSs=y" however this breaks the sandboxed explorer and others
Built-in Clsid whitelist can now be disabled with "OpenDefaultClsid=n"
Processes can be now terminated with the del key, and require a confirmation
added sandboxed window border display to SandMan.exe
added notification for Sbie log messages
added Sandbox Presets submenu allowing to quickly change some settings
-- Enable/Disable API logging, logapi_dll's are now distributed with SbiePlus
-- And other: Drop admin rights; Block/Allow internet access; Block/Allow access to files on the network
added more info to the sandbox status column
added path column to SbieModel
added info tooltips in SbieView

Changed

reworked ApiLog, added PID and PID filter
auto config reload on in change is now delayed by 500ms to not reload multiple times on incremental changes
Sandbox names now replace "_" with " " for display allowing to use names that are made of separated words

Fixed

added missing PreferExternalManifest initialization to portable mode
FIXED SECURITY ISSUE ID-2: fixed permission issues with sandboxed system processes
-- Note: you can use "ExposeBoxedSystem=y" for the old behaviour (debug option)
FIXED SECURITY ISSUE ID-3: fixed missing SCM access check for sandboxed services (thanks Diversenok)
-- Note: to disable the access check use "UnrestrictedSCM=y" (debug option)
fixed missing initialization in service server that caused sandboxed programs to crash when querying service status
fixed many bugs that caused the SbieDrv.sys to BSOD when running with Driver Verifier enabled #57
-- 0xF6 in GetThreadTokenOwnerPid and File_Api_Rename
-- missing non optional parameter for FltGetFileNameInformation in File_PreOperation
-- 0xE3 in Key_StoreValue and Key_PreDataInject

[0.2.2 / 5.41.2] - 2020-06-19

Added

added option "SeparateUserFolders=n" to no longer have the user profile files stored separately in the sandbox
added "SandboxieLogon=y" - it makes processes run under the SID of the "Sandboxie" user instead of the Anonymous user
-- Note: the global option "AllowSandboxieLogon=y" must be enabled, the "Sandboxie" user account must be manually created first and the driver reloaded, else process start will fail
improved debugging around process creation errors in the driver

Fixed

fixed some log messages going lost after driver reload
found a workable fix for the MSI installer issue, see Proc_CreateProcessInternalW_RS5

[0.2.1 / 5.41.1] - 2020-06-18

Added

added different sandbox icons for different types
-- Red LogAPI/BSA enabled
-- more to come 😀
added progress window for async operations that take time
added DPI awareness #56
the driver file is now obfuscated to avoid false positives
additional debug options to Sandboxie.ini OpenToken=y that combines UnrestrictedToken=y and UnfilteredToken=y
-- Note: using these options weakens the sandboxing, they are intended for debugging and may be used for better application virtualization later

Changed

SbieDll.dll when processing InjectDll now looks in the SbieHome folder for the DLLs if the entered path starts with a backslash
-- i.e. "InjectDll=\LogAPI\i386\logapi32v.dll" or "InjectDll64=\LogAPI\amd64\logapi64v.dll"

Fixed

IniWatcher did not work in portable mode
service path fix broke other services, now properly fixed, maybe
found workaround for the MSI installer issue

[0.2 / 5.41.0] - 2020-06-08

Added

IniWatcher, the .ini is now reloaded automatically every time it changes
added Maintenance menu to the Sandbox menu, allowing to install/uninstall and start/stop Sandboxie driver, service
SandMan.exe now is packed with Sbie files and when no Sbie is installed acts as a portable installation
added option to clean-up logs

Changed

Sbie driver now first checks the home path for the configuration file Sandboxie.ini before checking SystemRoot

Fixed

FIXED SECURITY ISSUE ID-1: sandboxed processes could obtain a write handle on non sandboxed processes (thanks Diversenok)
-- this allowed to inject code in non sandboxed processes
fixed issue boxed services not starting when the path contained a space
NtQueryInformationProcess now returns the proper sandboxed path for sandboxed processes

[0.1 / 5.40.2] - 2020-06-01

Added

created a new Qt based UI names SandMan (Sandboxie Manager)
Resource Monitor now shows the PID
added basic API call log using updated BSA LogApiDll

Changed

reworked Resource Monitor to work with multiple event consumers
reworked log to work with multiple event consumers

[5.40.1] - 2020-04-10

Added

"Other" type for the Resource Access Monitor
-- added call to StartService to the logged Resources

Fixed

fixed "Windows Installer Service could not be accessed" that got introduced with Windows 1903