fixed an issue with IPC handling that potentially could have been used to bypass isolation
fixed missing isolation of AddPortExA allowing to set up printer ports outside the sandbox
"\RPC Control\LSARPC_ENDPOINT" is no longer open by default CVE-2019-13502
fixed hooking issues SBIE2303 with chrome, edge and possibly others
[0.5.3b / 5.45.2] - 2020-12-02
Added
added settings for the porteble boxed root folder option
added process name to resource log
added command line column to the process view in the sandman UI
Fixed
fixed a few issues wiht group handling
fixed issue with GetRawInputDeviceInfo when runnign a 32 bit program on a 64 bis system
fixed issue when pressing apply int he "Resource Access" tab the last edited value was not always applyed
fixed issue merging entries in resource access monitor
[0.5.3a / 5.45.2] - 2020-12-29
Added
added prompt to choose if links in the Sandman UI should be opened in a sandboxed or unsandboxed browser
added more recovery options
added "ClosedClsid=" to block com objects from being used when they cause compatibility issues
added "ClsidTrace=*" option to trace COM usage
added "ClosedRT=" option to block access to problematic Windows RT interfaces
added option to make a link for any selected process to SandMan UI
added option to reset all hidden messages
added more process presets "force program" and "allow internet access"
added "SpecialImage=chrome,some_electron_app.exe" option to sandboxie.ini, valid image types "chrome", "firefox"
-- with this option you can enable special hardcoded workarounds to new obscure forks of those browsers
added German translation (thanks bastik-1001) to the SandMan UI
added Russian translation (thanks lufog) to the SandMan UI
added Portuguese translation (thanks JNylson ) to the SandMan UI
Changed
changed docs and update URLs to the new sandboxie-plus.com domain
greately improved the setup script (thanks mpheath)
"OpenClsid=" and "ClosedClsid=" now support specifying a program or group name
by default, when started in portable mode, the sandbox folder will be located in the parent directory of the sandboxie instance
Fixed
grouping menu not fully working in the new SandMan UI
fixed not being able to set quick recovery in SandMan UI
fixed resource leak when loading process icons in SandMan UI
fixed issue with OpenToken debug options
fixed Chrome crashing on websites that cause the invocation of "FindAppUriHandlersAsync"
fixed issue connecting to the driver when starting in portable mode
fixed missing template setup when creating new boxes
removed
removed obsolete "OpenDefaultClsid=n" use "ClosedClsid=" with the apropriate values instead
removed suspend/resume menu entry, pooling that state wastes substantial CPU cycles; use task explorer for that functionality
[0.5.2a / 5.45.1] - 2020-12-23
Fixed
fixed translation support in the SandMan UI
fixed sandboxed explorer issue
fixed simplified Chinese localization
[0.5.2 / 5.45.1] - 2020-12-23
Added
added advanced new box creation dialog to SandMan UI
added show/hide tray context menu entry
added refresh button to file recovery dialog
added mechanism to load icons from {install-dir}/Icons/{icon}.png for UI customization
added tray indicator to show disabled forced program status in the SandMan UI
added program name suggestions to box options in SandMan UI
added saving of column sizes in the options window
Changed
reorganized the advanced box options a bit
changed icons (thanks Valinwolf for picking the new ones)
updated Template.ini (thanks isaak654)
increates max value for disable forced process time in SandMan UI
Fixed
fixed BSOD introduced in 5.45.0 when using Windows 10 "core isolation"
fixed minor issue with lingering/leader processes
fixed menu issue in SandMan UI
fixed issue with stop behaviour page in SandMan UI
fixed issue with Plus installer not displaying kmdutil window
fixed SandMan UI saving UI settings on windows shutdown
fixed issue with Plus installer autorun
fixed issue with legacy installer not removing all files
fixed a driver compatibility issue with Windows 20H1 and later
-- this solves "stop pending", LINE messenger hanging and other issues...
fixed quick recovery issue in SbieCtrl.exe introduced in 5.45.0
fixed issue advanced hide process settings not saving
fixed some typos in the UI (thanks isaak654)
fixed issue with GetRawInputDeviceInfo failing when boxed processes are put in a job object
-- this fix resolves issues with CP2077 and other games not getting keyboard input (thanks Rostok)
fixed failing ClipCursor won't longer span the message log
fixed issue with adding recovery folders in SandMan UI
fixed issue with Office 2019 template when using a non-default Sbie install location
fixed issue setting last access attribute on sandboxed folders
fixed issue with process start signal
[0.5.1 / 5.45.0] - 2020-12-12
Added
added simple view mode
Changed
updated SandMan UI to use Qt5.15.1
Fixed
fixed crash issue with progress dialog
fixed progress dialog cancel button not working for update checker
fixed issue around NtQueryDirectoryFile when deleting sandbox content
fixed dark theme in the notification window
fixed issue with disable force programs tray menu
[0.5.0 / 5.45.0] - 2020-12-06
Added
added new notification window
added user interactive control mechanism when using the new SandMan UI
-- when a file exceeds the copy limit instead of failing, the user is prompted if the file should be copied or not
-- when internet access is blocked it now can be exempted in real time by the user
added missing file recovery and auto/quick recovery functionality
added silent MSG_1399 boxed process start notification to keep track of short lived boxed processes
added ability to prevent system wide process starts, sandboxie can now instead of just alerting also block processed on the alert list
-- set "StartRunAlertDenied=y" to enable process blocking
the process start alert/block mechanism can now also handle folders use "AlertFolder=..."
added ability to merge snapshots
added icons to the sandbox context menu in the new UI
added more advanced options to the sandbox options window
added file migration progress indicator
added more run commands and custom run commands per sandbox
-- the box settings users can now specify programs to be available from the box run menu
-- also processes can be pinned to that list from the presets menu
added more windows 10 specific template presets
added ability to create desktop shortcuts to sandboxed items
added icons to box option tabs
added box grouping
added new debug option "DebugTrace=y" to log debug output to the trace log
added check for updates to the new SandMan UI
added check for updates to the legacy SbieCtrl UI
Changed
File migration limit can now be disabled by specifying "CopyLimitKb=-1"
improved and refactored message logging mechanism, reducing memory usage by factor of 2
terminated boxed processes are now kept listed for a couple of seconds
reworked sandbox deletion mechanism of the new UI
restructured sandbox options window
SbieDLL.dll can now be compiled with an up to date ntdll.lib (Thanks to TechLord from Team-IRA for help)
improved automated driver self repair
Fixed
fixed issues migrating files > 4GB
fixed an issue that would allow a malicious application to bypass the internet blockade
fixed issue when logging messages from a non-sandboxed process, added process_id parameter to API_LOG_MESSAGE_ARGS
fixed issues with localization
fixed issue using file recovery in legacy ui SbieCtrl.exe when "SeparateUserFolders=n" is set
when a program is blocked from starting due to restrictions no redundant messages are issues anymore
fixed UI not properly displaying async errors
fixed issues when a snapshot operation failed
fixed some special cases of IpcPath and WinClass in the new UI
fixed driver issues with WHQL passing compatibility testing
fixed issues with classical installer
[0.4.5 / 5.44.1] - 2020-11-16
Added
added "Terminate all processes" and "disable forced programs" commands to tray menu in SandMan ui
program start restrictions settings now can be switched between a white list and a black list
-- programs can be terminated and blacklisted from the context menu
added additional process context menu options, lingering and leader process can be now set from menu
added option to view template presets for any given box
added text filter to template view
added new compatibility templates:
-- Windows 10 core UI component: OpenIpcPath=\BaseNamedObjects[CoreUI]-* solving issues with Chinese Input and Emojis
-- FireFox Quantum, access to windows FontCachePort for compatibility with Windows 7
added experimental debug option "OriginalToken=y" which lets sandboxed processes retain their original unrestricted token
-- This option is comparable with "OpenToken=y" and is intended only for testing and debugging, it BREAKS most SECURITY guarantees (!)
added debug option "NoSandboxieDesktop=y" it disables the desktop proxy mechanism
-- Note: without an unrestricted token with this option applications won't be able to start
added debug option "NoSysCallHooks=y" it disables the sys call processing by the driver
-- Note: without an unrestricted token with this option applications won't be able to start
added ability to record verbose access traces to the resource monitor
-- use ini options "FileTrace=", "PipeTrace=", "KeyTrace=", "IpcTrace=", "GuiTrace=" to record all events
-- replace "" to log only: "A" - allowed, "D" - denied, or "I" - ignore events
added ability to record debug output strings to the resource monitor,
-- use ini option DebugTrace=y to enable
Changed
AppUserModelID sting no longer contains sandboxie version string
now by default sbie's application manifest hack is disabled, as it causes problems with version checking on windows 10
-- to enable old behaviour add "PreferExternalManifest=y" to the global or the box specific ini section
the resource log mechanism can now handle multiple strings to reduce on string copy operations
Fixed
fixed issue with disabling some restriction settings failed
fixed disabling of internet block from the presets menu sometimes failed
the software compatibility list in the sandman UI now shows the proper template names
fixed use of freed memory in the driver
replaced swprintf with snwprintf to prevent potential buffer overflow in SbieDll.dll
fixed bad list performance with resource log and api log in SandMan UI
[0.4.4 / 5.44.0] - 2020-11-03
Added
added SbieLdr (experimental)
Changed
moved code injection mechanism from SbieSvc to SbieDll
moved function hooking mechanism from SbieDrv to SbieDll
introduced a new driverless method to resolve wow64 ntdll base address
removed
removed support for windows vista x64
[0.4.3 / 5.43.7] - 2020-11-03
Added
added disable forced programs menu command to the sandman ui
Fixed
fixed file rename bug introduced with an earlier driver verifier fix
fixed issue saving access lists
fixed issue with program groups parsing in the SandMan UI
fixed issue with internet access restriction options
fixed issue deleting sandbox when located on a drive directly
[0.4.2 / 5.43.6] - 2020-10-10
Added
added explore box content menu option
Fixed
fixed thread handle leak in SbieSvc and other components
msedge.exe is now categorized as a chromium derivate
fixed chrome 86+ compatibility bug with chrome's own sandbox
[0.4.1 / 5.43.5] - 2020-09-12
Added
added core version compatibility check to sandman UI
added shell integration options to SbiePlus
Changed
SbieCtrl does not longer auto show the tutorial on first start
when hooking, the to the trampoline migrated section of the original function is no longer noped out
-- it caused issues with unity games, will be investigated and re enabled later
Fixed
fixed color issue with vertical tabs in dark mode
fixed wrong path separators when adding new forced folders
fixed directory listing bug introduced in 5.43
fixed issues with settings window when not being connected to driver
fixed issue when starting sandman ui as admin
fixed auto content delete not working with sandman ui
[0.4.0 / 5.43] - 2020-09-05
Added
added a proper custom installer to the Plus release
added sandbox snapshot functionality to sbie core
-- filesystem is saved incrementally, the snapshots built upon each other
-- each snapshot gets a full copy of the box registry for now
-- each snapshot can have multiple children snapshots
added access status to resource monitor
added setting to change border width
added snapshot manager UI to SandMan
added template to enable authentication with an Yubikey or comparable 2FA device
added ui for program alert
added software compatibility options to the UI
Changed
SandMan UI now handles deletion of sandbox content on its own
no longer adding redundant resource accesses as new events
Fixed
fixed issues when hooking functions from delay loaded libraries
fixed issues when hooking an already hooked function
fixed issues with the new box settings editor
Removed
removes deprecated workaround in the hooking mechanism for an obsolete antimalware product
[0.3.5 / 5.42.1] - 2020-07-19
Added
Added settings window
added translation support
added dark theme
added auto start option
added sandbox options
added debug option "NoAddProcessToJob=y"
Changed
improved empty sandbox tray icon
improved message parsing
updated homepage links
Fixed
fixed ini issue with sandman.exe when renaming sandboxes
fixed ini auto reload bug introduced in the last build
fixed issue when hooking delayed loaded libraries
[0.3 / 5.42] - 2020-07-04
Added
API_QUERY_PROCESS_INFO can be now used to get the original process token of sandboxed processes
-- Note: this capability is used by TaskExplorer to allow inspecting sandbox internal tokens
Added option "KeepTokenIntegrity=y" to make the sbie token keep its initial integrity level (debug option)
-- Note: Do NOT USE Debug Options if you don't know their security implications (!)
Added process id to log messages very useful for debugging
Added finder to resource log
Added option to hide host processes "HideHostProcess=[name]"
-- Note: Sbie hides by default processes from other boxes, this behaviour can now be controlled with "HideOtherBoxes=n"
Sandboxed RpcSs and DcomLaunch can now be run as system with the option "ProtectRpcSs=y" however this breaks sandboxed explorer and other
Built In Clsid whitelist can now be disabled with "OpenDefaultClsid=n"
Processes can be now terminated with the del key, and require a confirmation
Added sandboxed window border display to SandMan.exe
Added notification for sbie log messages
Added Sandbox Presets sub menu allowing to quickly change some settings
-- Enable/Disable API logging, logapi_dll's are now distributed with SbiePlus
-- And other: Drop admin rights; Block/Allow internet access; Block/Allow access to files on the network
Added more info to the sandbox status column
Added path column to SbieModel
Added info tooltips in SbieView
Changed
Reworked ApiLog, added pid and pid filter
Auto config reload on in change is now delayed by 500ms to not reload multiple times on incremental changes
Sandbox names now replace "_" with " " for display allowing to use names that are made of separated words
Fixed
added mising PreferExternalManifest itialization to portable mode
fixed permission issues with sandboxed system processes
-- Note: you can use "ExposeBoxedSystem=y" for the old behaviour (debug option)
fixed missing SCM access check for sandboxed services
-- Note: to disable the access check use "UnrestrictedSCM=y" (debug option)
fixed missing initialization in service server that caused sandboxed programs to crash when querying service status
fixed many bugs that caused the SbieDrv.sys to BSOD when run with MSFT Driver Verifier active
-- 0xF6 in GetThreadTokenOwnerPid and File_Api_Rename
-- missing non optional parameter for FltGetFileNameInformation in File_PreOperation
-- 0xE3 in Key_StoreValue and Key_PreDataInject
[0.2.2 / 5.41.2] - 2020-06-19
Added
added option SeparateUserFolders=n to no longer have the user profile files stored separately in the sandbox
added SandboxieLogon=y it makes processes run under the SID of the "Sandboxie" user instead of the Anonymous user
-- Note: the global option AllowSandboxieLogon=y must be enabled, the "Sandboxie" user account must be manually created first and the driver reloaded, else process start will fail
improved debugging around process creation errors in the driver
Fixed
fixed some log messages going lost after driver reload
found a workable fix for the MSI installer issue, see Proc_CreateProcessInternalW_RS5
[0.2.1 / 5.41.1] - 2020-06-18
Added
added different sandbox icons for different types
-- Red LogAPI/BSA enabled
-- More to come 😀
Added progress window for async operations that take time
added DPI awareness
the driver file is now obfuscated to avoid false positives
additional debug options to sandboxie.ini OpenToken=y that combines UnrestrictedToken=y and UnfilteredToken=y
-- Note: using these options weakens the sandboxing, they are intended for debugging and may be used for better application virtualization later
Changed
SbieDll.dll when processing InjectDll now looks in the SbieHome folder for the Dll's if the entered path starts with a backslash
-- i.e. "InjectDll=\LogAPI\i386\logapi32v.dll" or "InjectDll64=\LogAPI\amd64\logapi64v.dll"
Fixed
IniWatcher did not work in portable mode
service path fix broke other services, now properly fixed, maybe
found workaround for the msi installer issue
[0.2 / 5.41.0] - 2020-06-08
Added
IniWatcher, no more clicking reload, the ini is now reloaded automatically every time it changes
Added Maintenance menu to the Sandbox menu, allowing to install/uninstall and start/stop sandboxie driver, service
SandMan.exe now is packed with Sbie files and when no sbie is installed acts as a portable installation
Added option to clean up logs
Changed
sbie driver now first checks the home path for the sbie ini before checking SystemRoot
Fixed
Fixed a resource leak when running sandboxed
Fixed issue boxed services not starting when the path contained a space
NtQueryInformationProcess now returns the proper sandboxed path for sandboxed processes
[0.1 / 5.40.2] - 2020-06-01
Added
Created a new Qt based UI names SandMan (Sandboxie Manager)
Resource monitor now shows the PID
Added basic API call log using updated BSA LogApiDll
Changed
reworked resource monitor to work with multiple event consumers
reworked log to work with multiple event consumers
[5.40.1] - 2020-04-10
Added
"Other" type for the Resource Access Monitor
-- added call to StartService to the logged Resources
Fixed
fixed "Windows Installer Service could not be accessed" that got introduced with Windows 1903