diff --git a/Content/MessagesFromSandboxie.html b/Content/MessagesFromSandboxie.html
index f4da661c9..ab253af3c 100644
--- a/Content/MessagesFromSandboxie.html
+++ b/Content/MessagesFromSandboxie.html
@@ -887,9 +887,11 @@
Log Messages To A File
It's possible to log Messages From Sandboxie to a file with a simple configuration inside the registry:
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFile /d "2;C:\Windows\System32\LogFiles\Sandboxie.log" /f
-The LogFile
value consists of two pieces of information:
-- 2
is the log level. Only two values are correct: 2
(classic log) or 3
(log with process SID)
-- C:\Windows\System32\LogFiles\Sandboxie.log
is the full path of the log
+The LogFile
value consists of two pieces of information:
+
+2
is the log level. Only two values are correct: 2
(classic log) or 3
(log with process SID)
+C:\Windows\System32\LogFiles\Sandboxie.log
is the full path of the log
+
Example of output for a log level of 2:
2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox]
2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox]
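Review bot: The LogFile description in the `+` lines still does not say that the level and the path are joined by a semicolon; that is visible only in the `reg.exe` line (`/d "2;C:\Windows\System32\LogFiles\Sandboxie.log"`). Suggest stating the `level;path` format in the sentence "value consists of two pieces of information". Since level 3 (log with process SID) is documented here, a level 3 sample beside the level 2 output would also help; the two level 2 sample lines are currently identical.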
@@ -905,9 +907,11 @@ Log Messages To A File
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFile /d "2;C:\Windows\System32\LogFiles\Sandboxie.log" /f
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v MultiLog /d "1308,1307" /f
-This simple configuration will:
-- put all logs without filter inside C:\Windows\System32\LogFiles\Sandboxie.log
-- create one file per box (ie: C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log
) with only event 1308 and 1307
+This simple configuration will:
+
+put all logs without filter inside C:\Windows\System32\LogFiles\Sandboxie.log
+create one file per box (ie: C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log
) with only event 1308 and 1307
+
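Review bot: In the second item, `(ie: C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log)` gives one example rather than a restatement, so "e.g." is the right abbreviation. The text should also say how the per-box file name is derived from the LogFile path and the box name, which the reader currently has to infer from this single example.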
diff --git a/Content/MessagesFromSandboxie/index.html b/Content/MessagesFromSandboxie/index.html
index 600904d42..cb6e6784c 100644
--- a/Content/MessagesFromSandboxie/index.html
+++ b/Content/MessagesFromSandboxie/index.html
@@ -887,9 +887,11 @@ Log Messages To A File
It's possible to log Messages From Sandboxie to a file with a simple configuration inside the registry:
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFile /d "2;C:\Windows\System32\LogFiles\Sandboxie.log" /f
-The LogFile
value consists of two pieces of information:
-- 2
is the log level. Only two values are correct: 2
(classic log) or 3
(log with process SID)
-- C:\Windows\System32\LogFiles\Sandboxie.log
is the full path of the log
+The LogFile
value consists of two pieces of information:
+
+2
is the log level. Only two values are correct: 2
(classic log) or 3
(log with process SID)
+C:\Windows\System32\LogFiles\Sandboxie.log
is the full path of the log
+
Example of output for a log level of 2:
2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox]
2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox]
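Review bot: This hunk, like the next one, is line for line the same as the corresponding hunk for `Content/MessagesFromSandboxie.html` (same `@@ -887,9 +887,11 @@` range), and the other pages in this diff are likewise changed as both `X.html` and `X/index.html`. If both are build output, make the fix in the documentation source and regenerate, so the two copies cannot drift apart.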
@@ -905,9 +907,11 @@ Log Messages To A File
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFile /d "2;C:\Windows\System32\LogFiles\Sandboxie.log" /f
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v MultiLog /d "1308,1307" /f
-This simple configuration will:
-- put all logs without filter inside C:\Windows\System32\LogFiles\Sandboxie.log
-- create one file per box (ie: C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log
) with only event 1308 and 1307
+This simple configuration will:
+
+put all logs without filter inside C:\Windows\System32\LogFiles\Sandboxie.log
+create one file per box (ie: C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log
) with only event 1308 and 1307
+
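Review bot: "with only event 1308 and 1307" uses bare numbers, while the sample log output earlier in this file prints the identifier as `SBIE1308`. Suggest writing "SBIE1308 and SBIE1307" in the prose, and stating that MultiLog takes a comma-separated list of message numbers without the SBIE prefix, as in `/d "1308,1307"`.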
diff --git a/PlusContent/BoxSnapshots.html b/PlusContent/BoxSnapshots.html
index 8bf5e0431..91188439c 100644
--- a/PlusContent/BoxSnapshots.html
+++ b/PlusContent/BoxSnapshots.html
@@ -885,25 +885,31 @@ Box Snapshots (for Sandboxie Plus)
Caveat: Snapshots must be created with box AutoDelete disabled. To do so, open the Sandman GUI and double-click on the desired box to bring up the box options window. Then, click on 'File Options' and, under 'Box Delete Options', uncheck the option to AutoDelete content, and press OK (bottom right) to apply any changes. See image below.
-Installing Software to a Box and Creating a Snapshot:
-- Select a box, disable AutoDelete, install the software to this box, set it up just the way you like.
-- Then, close the box, create a snapshot and enable box AutoDelete.
-- Now, this box will revert to the snapshot you created whenever it is closed.
-Updating Software Installed to a Box:
-- Create a pre-update snapshot (for a baseline you can revert to, if need be).
-- Disable box AutoDelete, update the software and test.
-- If all is well, create a post-update snapshot, enable box AutoDelete.
-- This automatically makes the last (post-update) snapshot the default.
-- If there are problems, you can revert to the pre-update snapshot.
-- You can always revert to any of the snapshots that you create for a box!
+Installing Software to a Box and Creating a Snapshot:
+
+Select a box, disable AutoDelete, install the software to this box, set it up just the way you like.
+Then, close the box, create a snapshot and enable box AutoDelete.
+Now, this box will revert to the snapshot you created whenever it is closed.
+
+Updating Software Installed to a Box:
+
+Create a pre-update snapshot (for a baseline you can revert to, if need be).
+Disable box AutoDelete, update the software and test.
+If all is well, create a post-update snapshot, enable box AutoDelete.
+This automatically makes the last (post-update) snapshot the default.
+If there are problems, you can revert to the pre-update snapshot.
+You can always revert to any of the snapshots that you create for a box!
+
You have the ability to create a snapshot, remove a snapshot, revert to a snapshot or (starting with Sandboxie Plus v1.0.9 ) revert to an empty box while retaining all snapshots.
Caveat: It is wise to use the snapshot features only for boxes whose location is on a real disk (and not on a ramdisk).
-Additional Details:
-- Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label.
-- All snapshot folders for a given box are inside the box folder.
-- The snapshot layout and information on the current (default) snapshot are saved in the file snapshot.ini in the box folder.
-- The File-System snapshots are incremental. Files are duplicated only when changed (just as with real files on the host).
-- The Registry snapshots are NOT incremental. Each snapshot has a full copy and only the most recent reg hive file is used.
+Additional Details:
+
+Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label.
+All snapshot folders for a given box are inside the box folder.
+The snapshot layout and information on the current (default) snapshot are saved in the file snapshot.ini in the box folder.
+The File-System snapshots are incremental. Files are duplicated only when changed (just as with real files on the host).
+The Registry snapshots are NOT incremental. Each snapshot has a full copy and only the most recent reg hive file is used.
+
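Review bot: Under "Updating Software Installed to a Box", the first step creates the pre-update snapshot before "Disable box AutoDelete" in the second step, yet the caveat at the top of this hunk says snapshots must be created with box AutoDelete disabled, and the install procedure ends with AutoDelete enabled. Suggest moving "Disable box AutoDelete" to the first step, or explaining why the pre-update snapshot is exempt.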
diff --git a/PlusContent/BoxSnapshots/index.html b/PlusContent/BoxSnapshots/index.html
index 02e066b26..15c2348ad 100644
--- a/PlusContent/BoxSnapshots/index.html
+++ b/PlusContent/BoxSnapshots/index.html
@@ -885,25 +885,31 @@ Box Snapshots (for Sandboxie Plus)
Caveat: Snapshots must be created with box AutoDelete disabled. To do so, open the Sandman GUI and double-click on the desired box to bring up the box options window. Then, click on 'File Options' and, under 'Box Delete Options', uncheck the option to AutoDelete content, and press OK (bottom right) to apply any changes. See image below.
-Installing Software to a Box and Creating a Snapshot:
-- Select a box, disable AutoDelete, install the software to this box, set it up just the way you like.
-- Then, close the box, create a snapshot and enable box AutoDelete.
-- Now, this box will revert to the snapshot you created whenever it is closed.
-Updating Software Installed to a Box:
-- Create a pre-update snapshot (for a baseline you can revert to, if need be).
-- Disable box AutoDelete, update the software and test.
-- If all is well, create a post-update snapshot, enable box AutoDelete.
-- This automatically makes the last (post-update) snapshot the default.
-- If there are problems, you can revert to the pre-update snapshot.
-- You can always revert to any of the snapshots that you create for a box!
+Installing Software to a Box and Creating a Snapshot:
+
+Select a box, disable AutoDelete, install the software to this box, set it up just the way you like.
+Then, close the box, create a snapshot and enable box AutoDelete.
+Now, this box will revert to the snapshot you created whenever it is closed.
+
+Updating Software Installed to a Box:
+
+Create a pre-update snapshot (for a baseline you can revert to, if need be).
+Disable box AutoDelete, update the software and test.
+If all is well, create a post-update snapshot, enable box AutoDelete.
+This automatically makes the last (post-update) snapshot the default.
+If there are problems, you can revert to the pre-update snapshot.
+You can always revert to any of the snapshots that you create for a box!
+
You have the ability to create a snapshot, remove a snapshot, revert to a snapshot or (starting with Sandboxie Plus v1.0.9 ) revert to an empty box while retaining all snapshots.
Caveat: It is wise to use the snapshot features only for boxes whose location is on a real disk (and not on a ramdisk).
-Additional Details:
-- Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label.
-- All snapshot folders for a given box are inside the box folder.
-- The snapshot layout and information on the current (default) snapshot are saved in the file snapshot.ini in the box folder.
-- The File-System snapshots are incremental. Files are duplicated only when changed (just as with real files on the host).
-- The Registry snapshots are NOT incremental. Each snapshot has a full copy and only the most recent reg hive file is used.
+Additional Details:
+
+Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label.
+All snapshot folders for a given box are inside the box folder.
+The snapshot layout and information on the current (default) snapshot are saved in the file snapshot.ini in the box folder.
+The File-System snapshots are incremental. Files are duplicated only when changed (just as with real files on the host).
+The Registry snapshots are NOT incremental. Each snapshot has a full copy and only the most recent reg hive file is used.
+
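Review bot: Under "Additional Details", "Each snapshot is created its own folder" is missing a word; suggest "Each snapshot is created in its own folder". In the same item, "You can change this label" leaves open whether that means renaming the `snapshot-n` folder or changing a name kept in `snapshot.ini`; one clarifying clause would settle it.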
diff --git a/PlusContent/Sandboxie-Insider.html b/PlusContent/Sandboxie-Insider.html
index e687f6972..17a3e0e57 100644
--- a/PlusContent/Sandboxie-Insider.html
+++ b/PlusContent/Sandboxie-Insider.html
@@ -901,12 +901,14 @@
Document Breakout is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandbox instance of the associated application.
-Please note that:
-- The Sandboxie Plus insider builds are not like the Windows insider builds which are buggy and rushed.
-- The new things in the insider builds are limited to new functionality and new features.
-- Experimental things that may impact compatibility are tested in the public GitHub preview channel.
-- The Sandboxie Plus insider builds are based on stable final releases, with new functionality added on top.
-- The insider builds are compiled with Qt6 and provided as a unified x64/ARM64 installer.
+Please note that:
+
+The Sandboxie Plus insider builds are not like the Windows insider builds which are buggy and rushed.
+The new things in the insider builds are limited to new functionality and new features.
+Experimental things that may impact compatibility are tested in the public GitHub preview channel.
+The Sandboxie Plus insider builds are based on stable final releases, with new functionality added on top.
+The insider builds are compiled with Qt6 and provided as a unified x64/ARM64 installer.
+
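Review bot: The first item under "Please note that:" ("not like the Windows insider builds which are buggy and rushed") characterises the builds by disparaging another vendor's product and gives the reader nothing checkable. Suggest dropping it and leading with the fourth item, "based on stable final releases, with new functionality added on top", which makes the same point factually.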
diff --git a/PlusContent/Sandboxie-Insider/index.html b/PlusContent/Sandboxie-Insider/index.html
index 2fe4b5039..c1938e075 100644
--- a/PlusContent/Sandboxie-Insider/index.html
+++ b/PlusContent/Sandboxie-Insider/index.html
@@ -901,12 +901,14 @@
Document Breakout is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandbox instance of the associated application.
-Please note that:
-- The Sandboxie Plus insider builds are not like the Windows insider builds which are buggy and rushed.
-- The new things in the insider builds are limited to new functionality and new features.
-- Experimental things that may impact compatibility are tested in the public GitHub preview channel.
-- The Sandboxie Plus insider builds are based on stable final releases, with new functionality added on top.
-- The insider builds are compiled with Qt6 and provided as a unified x64/ARM64 installer.
+Please note that:
+
+The Sandboxie Plus insider builds are not like the Windows insider builds which are buggy and rushed.
+The new things in the insider builds are limited to new functionality and new features.
+Experimental things that may impact compatibility are tested in the public GitHub preview channel.
+The Sandboxie Plus insider builds are based on stable final releases, with new functionality added on top.
+The insider builds are compiled with Qt6 and provided as a unified x64/ARM64 installer.
+
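Review bot: The context line that opens this hunk describes Document Breakout with "to allow to open selected file types" and "in an unsandbox instance of the associated application". This is the sentence that tells users files will open outside the sandbox, so it should be exact: suggest "allows selected file types, saved to an open file path from within the sandbox, to be opened in an unsandboxed instance of the associated application".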
diff --git a/PlusContent/Sandboxie-Live.html b/PlusContent/Sandboxie-Live.html
index 5cdfb55eb..ad70437fc 100644
--- a/PlusContent/Sandboxie-Live.html
+++ b/PlusContent/Sandboxie-Live.html
@@ -883,15 +883,19 @@
Preview - GitHub Pre-Releases
There the user can also select how to behave when a "New Version" (where an installer is available) or a "Version Update" (where only individual files of the existing installation will be updated) is found.
-For a "New Version", the following options are available:
-- Notify
-- Download & Notify
-- Download & Install
-For a "Version Update", the following options are available:
-- Ignore
-- Notify
-- Download & Notify
-- Download & Install
+For a "New Version", the following options are available:
+
+Notify
+Download & Notify
+Download & Install
+
+For a "Version Update", the following options are available:
+
+Ignore
+Notify
+Download & Notify
+Download & Install
+
There is no "Ignore" option for "New Version", as that is covered by disabling the update check.
In the "Stable" channel, a check for "Version Update" is only available to supporters with a valid certificate. In this channel, all updates are signed and consist of the latest compatibility templates and urgent bug-fixes and translations.
In the "Preview" channel, the "Version Update" consists of unsigned test builds (except the signed driver) released every few days (like 1.6.0, 1.6.1a and 1.6.1b), as here the updates contain not only half-tested fixes but also new functionality which may not yet be free of bugs.
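Review bot: "Download & Install" is listed for "Version Update" with no qualifier, while the context lines below state that Preview channel version updates are unsigned test builds (except the signed driver). Suggest a note beside the option list that "Download & Install" on the Preview channel installs unsigned files without further confirmation, with a pointer to the Stable channel, where all updates are signed.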
diff --git a/PlusContent/Sandboxie-Live/index.html b/PlusContent/Sandboxie-Live/index.html
index a16dbb2d0..011cdccb3 100644
--- a/PlusContent/Sandboxie-Live/index.html
+++ b/PlusContent/Sandboxie-Live/index.html
@@ -883,15 +883,19 @@
Preview - GitHub Pre-Releases
There the user can also select how to behave when a "New Version" (where an installer is available) or a "Version Update" (where only individual files of the existing installation will be updated) is found.
-For a "New Version", the following options are available:
-- Notify
-- Download & Notify
-- Download & Install
-For a "Version Update", the following options are available:
-- Ignore
-- Notify
-- Download & Notify
-- Download & Install
+For a "New Version", the following options are available:
+
+Notify
+Download & Notify
+Download & Install
+
+For a "Version Update", the following options are available:
+
+Ignore
+Notify
+Download & Notify
+Download & Install
+
There is no "Ignore" option for "New Version", as that is covered by disabling the update check.
In the "Stable" channel, a check for "Version Update" is only available to supporters with a valid certificate. In this channel, all updates are signed and consist of the latest compatibility templates and urgent bug-fixes and translations.
In the "Preview" channel, the "Version Update" consists of unsigned test builds (except the signed driver) released every few days (like 1.6.0, 1.6.1a and 1.6.1b), as here the updates contain not only half-tested fixes but also new functionality which may not yet be free of bugs.
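Review bot: Neither option list says which entry is the default for "New Version" or for "Version Update". Suggest marking the default in each list, so a reader can tell whether a fresh installation only notifies or also downloads and installs.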
diff --git a/PlusContent/WFPSupport.html b/PlusContent/WFPSupport.html
index 710aed86c..da78811f4 100644
--- a/PlusContent/WFPSupport.html
+++ b/PlusContent/WFPSupport.html
@@ -934,8 +934,10 @@ Implementing networ
NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444
- allow chrome.exe to access one IP address
- BlockPorts template:
-- NetworkAccess=*,Block;Port=137,138,139,445
- enabled by default since version 1.3.4 / 5.58.4
+BlockPorts template:
+
+NetworkAccess=*,Block;Port=137,138,139,445
- enabled by default since version 1.3.4 / 5.58.4
+
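Review bot: The BlockPorts item gives `NetworkAccess=*,Block;Port=137,138,139,445` without saying what those ports are. Suggest adding that 137 to 139 are NetBIOS and 445 is SMB, so a user who disables the template knows it is Windows file-sharing traffic that is no longer blocked for the box.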
diff --git a/PlusContent/WFPSupport/index.html b/PlusContent/WFPSupport/index.html
index e080ae37d..b7747e500 100644
--- a/PlusContent/WFPSupport/index.html
+++ b/PlusContent/WFPSupport/index.html
@@ -934,8 +934,10 @@ Implementing networ
NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444
- allow chrome.exe to access one IP address
- BlockPorts template:
-- NetworkAccess=*,Block;Port=137,138,139,445
- enabled by default since version 1.3.4 / 5.58.4
+BlockPorts template:
+
+NetworkAccess=*,Block;Port=137,138,139,445
- enabled by default since version 1.3.4 / 5.58.4
+
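Review bot: The example in the first context line uses `Address=111.222.333.444`, which is not a valid IPv4 address (333 and 444 exceed 255), so a reader adapting it cannot tell what form the field accepts. Suggest an address from a documentation range, such as 192.0.2.1.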
diff --git a/PlusContent/privacy-mode.html b/PlusContent/privacy-mode.html
index 70f9d34a3..dc730f4c8 100644
--- a/PlusContent/privacy-mode.html
+++ b/PlusContent/privacy-mode.html
@@ -883,23 +883,33 @@ Privacy Mode
The setting for a privacy enhanced box can be enabled by adding UsePrivacyMode=y
to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select "Sandbox Options" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as "Sandbox with Data Protection" (with a blue box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Privacy Enhanced .
What is User Space? AppGuard refers to user space as "computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives." Think of "user space" as everything outside the system (where the core operating system and programs live), in other words, outside the C:\Windows
, C:\Program Files
, and C:\Program Files (x86)
folders!
-Internally, a privacy enhanced box is based on three defaults:
-1. Allow read access to system resources:
-- C:\Windows
-- C:\Program Files
-- C:\Program Files (x86)
-- C:\ProgramData\Microsoft
(since Sandboxie Plus v1.12.7 )
-- Registry resources under HKLM (but not HKCU) are readable and can be sandboxed.
-- Note: The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using Write[File/Key]Path
) if desired.
+Internally, a privacy enhanced box is based on three defaults:
-Hide (and block access to) user space:
+
+Allow read access to system resources:
+
+
+C:\Windows
+
+C:\Program Files
+C:\Program Files (x86)
+C:\ProgramData\Microsoft
(since Sandboxie Plus v1.12.7 )
+Registry resources under HKLM (but not HKCU) are readable and can be sandboxed.
+
+Note: The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using Write[File/Key]Path
) if desired.
+
+
+Hide (and block access to) user space:
+
In user space, a privacy box works in default block mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking Rule Specificity .
Enable Rule Specificity:
-Internally, rule specificity is always enabled in privacy mode. It uses the Normal path directive (Normal[File/Ipc/Key]Path
) to open selected locations to be readable and sandboxed . Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for blue boxes (based on privacy mode) but also for red boxes (with both privacy mode and security mode enabled).
+
+Internally, rule specificity is always enabled in privacy mode. It uses the Normal path directive (Normal[File/Ipc/Key]Path
) to open selected locations to be readable and sandboxed . Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for blue boxes (based on privacy mode) but also for red boxes (with both privacy mode and security mode enabled).
+
Recent Changes: Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with Sandboxie Plus v1.8.0 , all built-in access rules have been moved to a set of default templates (included in the file Templates.ini under the [TemplatePModPaths]
section) for easier management.
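Review bot: In the context line under "Hide (and block access to) user space:", the parenthetical "(unless specifically allowed by an overriding rule)" follows "allows new files and folders to be created in the sandbox", so it reads as an exception to creating files rather than to hiding them. Suggest moving it directly after "hides all files and folders outside the sandbox", since this sentence defines the default-block behaviour.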
diff --git a/PlusContent/privacy-mode/index.html b/PlusContent/privacy-mode/index.html
index 7cec5bbd6..223be7e5d 100644
--- a/PlusContent/privacy-mode/index.html
+++ b/PlusContent/privacy-mode/index.html
@@ -883,23 +883,33 @@ Privacy Mode
The setting for a privacy enhanced box can be enabled by adding UsePrivacyMode=y
to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select "Sandbox Options" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as "Sandbox with Data Protection" (with a blue box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Privacy Enhanced .
What is User Space? AppGuard refers to user space as "computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives." Think of "user space" as everything outside the system (where the core operating system and programs live), in other words, outside the C:\Windows
, C:\Program Files
, and C:\Program Files (x86)
folders!
-Internally, a privacy enhanced box is based on three defaults:
-1. Allow read access to system resources:
-- C:\Windows
-- C:\Program Files
-- C:\Program Files (x86)
-- C:\ProgramData\Microsoft
(since Sandboxie Plus v1.12.7 )
-- Registry resources under HKLM (but not HKCU) are readable and can be sandboxed.
-- Note: The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using Write[File/Key]Path
) if desired.
+Internally, a privacy enhanced box is based on three defaults:
-Hide (and block access to) user space:
+
+Allow read access to system resources:
+
+
+C:\Windows
+
+C:\Program Files
+C:\Program Files (x86)
+C:\ProgramData\Microsoft
(since Sandboxie Plus v1.12.7 )
+Registry resources under HKLM (but not HKCU) are readable and can be sandboxed.
+
+Note: The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using Write[File/Key]Path
) if desired.
+
+
+Hide (and block access to) user space:
+
In user space, a privacy box works in default block mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking Rule Specificity .
Enable Rule Specificity:
-Internally, rule specificity is always enabled in privacy mode. It uses the Normal path directive (Normal[File/Ipc/Key]Path
) to open selected locations to be readable and sandboxed . Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for blue boxes (based on privacy mode) but also for red boxes (with both privacy mode and security mode enabled).
+
+Internally, rule specificity is always enabled in privacy mode. It uses the Normal path directive (Normal[File/Ipc/Key]Path
) to open selected locations to be readable and sandboxed . Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for blue boxes (based on privacy mode) but also for red boxes (with both privacy mode and security mode enabled).
+
Recent Changes: Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with Sandboxie Plus v1.8.0 , all built-in access rules have been moved to a set of default templates (included in the file Templates.ini under the [TemplatePModPaths]
section) for easier management.
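Review bot: The bracket shorthand `Normal[File/Ipc/Key]Path` in the Rule Specificity paragraph, and `Write[File/Key]Path` in the note above it, are not names a user can type into the ini file or search for. Suggest spelling out the setting names on first use (NormalFilePath, NormalIpcPath, NormalKeyPath; WriteFilePath, WriteKeyPath) and keeping the shorthand for later mentions.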
diff --git a/index.html b/index.html
index a1e05eee5..9f7fa6b5f 100644
--- a/index.html
+++ b/index.html
@@ -928,5 +928,5 @@ Contribute
diff --git a/search/search_index.json b/search/search_index.json
index e754c2d1b..20fa8f45a 100644
--- a/search/search_index.json
+++ b/search/search_index.json
@@ -1 +1 @@
-{"config":{"indexing":"full","lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"Sandboxie documentation Introduction Sandboxie is a sandbox-based isolation software for Windows that lets you try and run untrusted applications without worrying about unwanted changes to your files or registry. After Sandboxie became open source , it was decided to release the documentation, so that it would be accessible and easily updated by the community, as opposed to the dated documentation available at sandboxie-plus.com and other archived sources. Get Sandboxie Feature/Edition comparison | System requirements | Download the latest release Contribute If you have development, testing or translation skills, then feel free to check out our Contribution guidelines .","title":"Sandboxie documentation"},{"location":"#sandboxie-documentation","text":"","title":"Sandboxie documentation"},{"location":"#introduction","text":"Sandboxie is a sandbox-based isolation software for Windows that lets you try and run untrusted applications without worrying about unwanted changes to your files or registry. After Sandboxie became open source , it was decided to release the documentation, so that it would be accessible and easily updated by the community, as opposed to the dated documentation available at sandboxie-plus.com and other archived sources.","title":"Introduction"},{"location":"#get-sandboxie","text":"Feature/Edition comparison | System requirements | Download the latest release","title":"Get Sandboxie"},{"location":"#contribute","text":"If you have development, testing or translation skills, then feel free to check out our Contribution guidelines .","title":"Contribute"},{"location":"Content/AdvancedTopics/","text":"Advanced Topics Sandbox Hierarchy discusses how Sandboxie isolates programs. Privacy Concerns for programs running under Sandboxie. Information about the Sandboxie Service Programs . 
Instructions for use of Resource Access Monitor with Sandboxie Classic. Instructions for use of Trace Logging with Sandboxie Plus. Read How To Use Win Dbg to identify problems with Sandboxie. Go to Help Topics .","title":"Advanced Topics"},{"location":"Content/AdvancedTopics/#advanced-topics","text":"Sandbox Hierarchy discusses how Sandboxie isolates programs. Privacy Concerns for programs running under Sandboxie. Information about the Sandboxie Service Programs . Instructions for use of Resource Access Monitor with Sandboxie Classic. Instructions for use of Trace Logging with Sandboxie Plus. Read How To Use Win Dbg to identify problems with Sandboxie. Go to Help Topics .","title":"Advanced Topics"},{"location":"Content/AlertFolder/","text":"Alert Folder AlertFolder is a global setting in Sandboxie Ini available since v0.5.0 / 5.45.0. It specifies path patterns that, if started outside the sandbox, will cause Sandboxie to issue message SBIE1301 . Usage: . . . [GlobalSettings] AlertFolder=%ProgramFiles%\\Mozilla Firefox Related Sandboxie Plus setting: Options menu > Global Settings > Program Control > Program Alerts See also: Alert Process .","title":"Alert Folder"},{"location":"Content/AlertFolder/#alert-folder","text":"AlertFolder is a global setting in Sandboxie Ini available since v0.5.0 / 5.45.0. It specifies path patterns that, if started outside the sandbox, will cause Sandboxie to issue message SBIE1301 . Usage: . . . [GlobalSettings] AlertFolder=%ProgramFiles%\\Mozilla Firefox Related Sandboxie Plus setting: Options menu > Global Settings > Program Control > Program Alerts See also: Alert Process .","title":"Alert Folder"},{"location":"Content/AlertProcess/","text":"Alert Process AlertProcess is a global setting in Sandboxie Ini . It specifies names of programs that, if started outside the sandbox, will cause Sandboxie to issue message SBIE1301 . Usage: . . . 
[GlobalSettings] AlertProcess=iexplore.exe AlertProcess=firefox.exe Related Sandboxie Control settings: * Program Settings * Configure Menu > Alert Programs Related Sandboxie Plus setting: * Options menu > Global Settings > Program Control > Program Alerts See also: Alert Folder .","title":"Alert Process"},{"location":"Content/AlertProcess/#alert-process","text":"AlertProcess is a global setting in Sandboxie Ini . It specifies names of programs that, if started outside the sandbox, will cause Sandboxie to issue message SBIE1301 . Usage: . . . [GlobalSettings] AlertProcess=iexplore.exe AlertProcess=firefox.exe Related Sandboxie Control settings: * Program Settings * Configure Menu > Alert Programs Related Sandboxie Plus setting: * Options menu > Global Settings > Program Control > Program Alerts See also: Alert Folder .","title":"Alert Process"},{"location":"Content/AllPages/","text":"All Pages A Advanced Topics Alert Folder Alert Process Allow Raw Disk Read Allow Spooler Print To File Appearance Settings Applications Settings Applying a Supporter Certificate Auto Delete Auto Exec Auto Recover Auto Recover Ignore B Block Drivers (removed since Sandboxie v4.xx) Block Fake Input (removed since Sandboxie v4.xx) Block Net Param Block Network Files Block Password (obsolete) Block Port (removed since Sandboxie v0.9.0 / 5.51.0) Block Screen Capture Block Sys Param (removed since Sandboxie v4.xx) Block Win Hooks (removed since Sandboxie v4.xx) Border Color Box Encryption Box Name Title Box Preset Comparison Box Root Folder (deprecated since Sandboxie v3.xx) Box Snapshots Breakout Document Breakout Folder Breakout Process Byte Order Mark (removed since Sandboxie v0.6.5 / 5.47.0) C Close Print Spooler Closed Clsid Path Closed File Path Closed Ipc Path Closed Key Path Closed RT Code Injection Compartment Mode Confidential Box Config Level Configuration Protection Configure Menu Copy Limit Kb Copy Limit Silent Cover Boxed Windows D Delete Command Delete Sandbox Delete Settings 
Delete V2 Deprecated/Obsolete/Removed Sandboxie Ini Settings Description Detecting Key Loggers Disable RT Blacklist DNS Filter Drop Admin Rights E Edit Admin Only Edit Password Email Protection Enabled Expandable Variables External Tutorials F FAQ Email FAQ Virus Feature Comparison File Menu File Migration Settings File Root Path Files And Folders View Firefox Tips Force Disable Admin Only Force Disable Seconds Force Folder Force Process Forget Password Frequently Asked Questions G General Tips Getting Started Getting Started Part Five Getting Started Part Four Getting Started Part Six Getting Started Part Three Getting Started Part Two H Help Menu Help Topics Hide Host Process Hide Message Hide Other Boxes How It Works How To Use Win Dbg I ImDisk Integration Immediate Recovery Inject Dll Inject Dll 64 Internet Explorer Tips Ipc Root Path Isolation Mechanism J K Key Root Path Known Conflicts L Leader Process Linger Exempt Wnds Linger Process M Messages From Sandboxie Monitor Admin Only Msi Installer Exemptions N Never Delete No Rename Win Class Normal File Path Normal Ipc Path Normal Key Path Notify Direct Disk Access Notify Internet Access Denied Notify Process Access Denied Notify Start Run Access Denied Nt Namespace Isolation Nt Status Codes O Open Clipboard Open Clsid Open Conf Path Open Credentials Open File Path Open Ipc Path Open Key Path Open Pipe Path Open Print Spooler Open Protected Storage Open Win Class P Paper Analogy Popup Message Log Portable Sandbox Privacy Concerns Privacy Mode Process Limit Process Limit 1 (removed since Sandboxie v0.7.1 / 5.48.5) Process Limit 2 (removed since Sandboxie v0.7.1 / 5.48.5) Program Name Prefix Program Settings Program Start Settings Program Stop Settings Programs View Prompt For File Migration Protect Host Images Protected Storage Proxy Support Q Quick Recovery R RAM Disk Support Ransomware Read File Path Read Ipc Path Read Key Path Recover Folder Recovery Settings Resource Access Resource Access Monitor for 
Sandboxie Classic Resource Access Settings Restrictions Settings Rule Specificity S Sandbox Hierarchy Sandbox Menu Sandbox Settings Sandboxie Sandboxie Control Sandboxie Ini Sandboxie Insider Sandboxie Live Sandboxie Plus Sandboxie Plus Migration Guide Sandboxie Plus UI Features Sandboxie Portable Sandboxie Trace SandboxieDrv use of undocumented kernel exports SBIE DLL API SBIE Messages SBIE1101 SBIE1102 SBIE1103 SBIE1104 SBIE1105 SBIE1106 SBIE1108 SBIE1109 SBIE1110 SBIE1111 SBIE1112 SBIE1113 SBIE1114 SBIE1116 SBIE1119 SBIE1120 SBIE1121 SBIE1122 SBIE1151 SBIE1152 SBIE1153 SBIE1201 SBIE1202 SBIE1203 SBIE1204 SBIE1211 SBIE1212 SBIE1213 SBIE1214 (obsolete) SBIE1215 (obsolete) SBIE1216 (obsolete) SBIE1222 SBIE1223 SBIE1224 SBIE1241 SBIE1242 (obsolete since Sandboxie 0.9.0 / 5.51.0) SBIE1301 SBIE1303 (obsolete since Sandboxie 5.31.4) SBIE1304 (obsolete) SBIE1306 SBIE1307 SBIE1308 SBIE1309 (obsolete) SBIE1310 (obsolete since Sandboxie 5.31.4) SBIE1311 (obsolete) SBIE1312 SBIE1313 SBIE1314 SBIE1401 SBIE1402 SBIE1403 SBIE1404 SBIE1405 SBIE1406 SBIE1408 SBIE1409 SBIE1410 SBIE1411 SBIE1412 SBIE2102 SBIE2103 SBIE2104 SBIE2108 SBIE2111 SBIE2191 SBIE2192 SBIE2193 (obsolete since Sandboxie 1.0.14 / 5.55.14) SBIE2202 SBIE2203 SBIE2204 SBIE2205 SBIE2206 SBIE2207 SBIE2208 SBIE2209 SBIE2210 SBIE2211 SBIE2212 SBIE2213 SBIE2214 SBIE2217 SBIE2218 SBIE2219 SBIE2220 SBIE2221 SBIE2222 SBIE2223 SBIE2303 SBIE2304 SBIE2305 SBIE2306 SBIE2307 SBIE2308 SBIE2309 SBIE2310 SBIE2311 SBIE2312 SBIE2313 SBIE2314 SBIE2315 SBIE2316 SBIE2317 SBIE2318 SBIE2321 SBIE2322 SBIE2323 SBIE2326 SBIE2327 SBIE2331 SBIE2332 SBIE2334 SBIE3207 SBIE3208 SBIE3209 SBIE9101 SBIE9153 SBIE9154 SBIE9156 SBIE9201 SBIE9202 SBIE9203 SBIE9204 SBIE9205 SBIE9206 SBIE9207 SBIE9208 SBIE9251 SBIE9252 SBIE9253 SBIE9302 SBIE9304 SBIE9305 Secure Delete Sandbox Security Mode Separate User Folders Service Programs Shell Folders Show For Run In Start Command Line Start Program Start Service Supporter Certificate System Event Log T 
Technical Aspects Test Email Configuration Trace logging Translations Tray Icon Menu U Usage Tips USB Sandboxing Use Privacy Mode Use Rule Specificity Use SbieDesk Hack Use Security Mode User Accounts Settings V View Menu W WFP Support Windows 8 Windows XP Mode Write File Path Write Key Path X Y Yes Or No Settings Z","title":"All Pages"},{"location":"Content/AllPages/#all-pages","text":"","title":"All Pages"},{"location":"Content/AllPages/#a","text":"Advanced Topics Alert Folder Alert Process Allow Raw Disk Read Allow Spooler Print To File Appearance Settings Applications Settings Applying a Supporter Certificate Auto Delete Auto Exec Auto Recover Auto Recover Ignore","title":"A"},{"location":"Content/AllPages/#b","text":"Block Drivers (removed since Sandboxie v4.xx) Block Fake Input (removed since Sandboxie v4.xx) Block Net Param Block Network Files Block Password (obsolete) Block Port (removed since Sandboxie v0.9.0 / 5.51.0) Block Screen Capture Block Sys Param (removed since Sandboxie v4.xx) Block Win Hooks (removed since Sandboxie v4.xx) Border Color Box Encryption Box Name Title Box Preset Comparison Box Root Folder (deprecated since Sandboxie v3.xx) Box Snapshots Breakout Document Breakout Folder Breakout Process Byte Order Mark (removed since Sandboxie v0.6.5 / 5.47.0)","title":"B"},{"location":"Content/AllPages/#c","text":"Close Print Spooler Closed Clsid Path Closed File Path Closed Ipc Path Closed Key Path Closed RT Code Injection Compartment Mode Confidential Box Config Level Configuration Protection Configure Menu Copy Limit Kb Copy Limit Silent Cover Boxed Windows","title":"C"},{"location":"Content/AllPages/#d","text":"Delete Command Delete Sandbox Delete Settings Delete V2 Deprecated/Obsolete/Removed Sandboxie Ini Settings Description Detecting Key Loggers Disable RT Blacklist DNS Filter Drop Admin Rights","title":"D"},{"location":"Content/AllPages/#e","text":"Edit Admin Only Edit Password Email Protection Enabled Expandable Variables External 
Tutorials","title":"E"},{"location":"Content/AllPages/#f","text":"FAQ Email FAQ Virus Feature Comparison File Menu File Migration Settings File Root Path Files And Folders View Firefox Tips Force Disable Admin Only Force Disable Seconds Force Folder Force Process Forget Password Frequently Asked Questions","title":"F"},{"location":"Content/AllPages/#g","text":"General Tips Getting Started Getting Started Part Five Getting Started Part Four Getting Started Part Six Getting Started Part Three Getting Started Part Two","title":"G"},{"location":"Content/AllPages/#h","text":"Help Menu Help Topics Hide Host Process Hide Message Hide Other Boxes How It Works How To Use Win Dbg","title":"H"},{"location":"Content/AllPages/#i","text":"ImDisk Integration Immediate Recovery Inject Dll Inject Dll 64 Internet Explorer Tips Ipc Root Path Isolation Mechanism","title":"I"},{"location":"Content/AllPages/#j","text":"","title":"J"},{"location":"Content/AllPages/#k","text":"Key Root Path Known Conflicts","title":"K"},{"location":"Content/AllPages/#l","text":"Leader Process Linger Exempt Wnds Linger Process","title":"L"},{"location":"Content/AllPages/#m","text":"Messages From Sandboxie Monitor Admin Only Msi Installer Exemptions","title":"M"},{"location":"Content/AllPages/#n","text":"Never Delete No Rename Win Class Normal File Path Normal Ipc Path Normal Key Path Notify Direct Disk Access Notify Internet Access Denied Notify Process Access Denied Notify Start Run Access Denied Nt Namespace Isolation Nt Status Codes","title":"N"},{"location":"Content/AllPages/#o","text":"Open Clipboard Open Clsid Open Conf Path Open Credentials Open File Path Open Ipc Path Open Key Path Open Pipe Path Open Print Spooler Open Protected Storage Open Win Class","title":"O"},{"location":"Content/AllPages/#p","text":"Paper Analogy Popup Message Log Portable Sandbox Privacy Concerns Privacy Mode Process Limit Process Limit 1 (removed since Sandboxie v0.7.1 / 5.48.5) Process Limit 2 (removed since Sandboxie 
v0.7.1 / 5.48.5) Program Name Prefix Program Settings Program Start Settings Program Stop Settings Programs View Prompt For File Migration Protect Host Images Protected Storage Proxy Support","title":"P"},{"location":"Content/AllPages/#q","text":"Quick Recovery","title":"Q"},{"location":"Content/AllPages/#r","text":"RAM Disk Support Ransomware Read File Path Read Ipc Path Read Key Path Recover Folder Recovery Settings Resource Access Resource Access Monitor for Sandboxie Classic Resource Access Settings Restrictions Settings Rule Specificity","title":"R"},{"location":"Content/AllPages/#s","text":"Sandbox Hierarchy Sandbox Menu Sandbox Settings Sandboxie Sandboxie Control Sandboxie Ini Sandboxie Insider Sandboxie Live Sandboxie Plus Sandboxie Plus Migration Guide Sandboxie Plus UI Features Sandboxie Portable Sandboxie Trace SandboxieDrv use of undocumented kernel exports SBIE DLL API SBIE Messages SBIE1101 SBIE1102 SBIE1103 SBIE1104 SBIE1105 SBIE1106 SBIE1108 SBIE1109 SBIE1110 SBIE1111 SBIE1112 SBIE1113 SBIE1114 SBIE1116 SBIE1119 SBIE1120 SBIE1121 SBIE1122 SBIE1151 SBIE1152 SBIE1153 SBIE1201 SBIE1202 SBIE1203 SBIE1204 SBIE1211 SBIE1212 SBIE1213 SBIE1214 (obsolete) SBIE1215 (obsolete) SBIE1216 (obsolete) SBIE1222 SBIE1223 SBIE1224 SBIE1241 SBIE1242 (obsolete since Sandboxie 0.9.0 / 5.51.0) SBIE1301 SBIE1303 (obsolete since Sandboxie 5.31.4) SBIE1304 (obsolete) SBIE1306 SBIE1307 SBIE1308 SBIE1309 (obsolete) SBIE1310 (obsolete since Sandboxie 5.31.4) SBIE1311 (obsolete) SBIE1312 SBIE1313 SBIE1314 SBIE1401 SBIE1402 SBIE1403 SBIE1404 SBIE1405 SBIE1406 SBIE1408 SBIE1409 SBIE1410 SBIE1411 SBIE1412 SBIE2102 SBIE2103 SBIE2104 SBIE2108 SBIE2111 SBIE2191 SBIE2192 SBIE2193 (obsolete since Sandboxie 1.0.14 / 5.55.14) SBIE2202 SBIE2203 SBIE2204 SBIE2205 SBIE2206 SBIE2207 SBIE2208 SBIE2209 SBIE2210 SBIE2211 SBIE2212 SBIE2213 SBIE2214 SBIE2217 SBIE2218 SBIE2219 SBIE2220 SBIE2221 SBIE2222 SBIE2223 SBIE2303 SBIE2304 SBIE2305 SBIE2306 SBIE2307 SBIE2308 SBIE2309 SBIE2310 SBIE2311 
SBIE2312 SBIE2313 SBIE2314 SBIE2315 SBIE2316 SBIE2317 SBIE2318 SBIE2321 SBIE2322 SBIE2323 SBIE2326 SBIE2327 SBIE2331 SBIE2332 SBIE2334 SBIE3207 SBIE3208 SBIE3209 SBIE9101 SBIE9153 SBIE9154 SBIE9156 SBIE9201 SBIE9202 SBIE9203 SBIE9204 SBIE9205 SBIE9206 SBIE9207 SBIE9208 SBIE9251 SBIE9252 SBIE9253 SBIE9302 SBIE9304 SBIE9305 Secure Delete Sandbox Security Mode Separate User Folders Service Programs Shell Folders Show For Run In Start Command Line Start Program Start Service Supporter Certificate System Event Log","title":"S"},{"location":"Content/AllPages/#t","text":"Technical Aspects Test Email Configuration Trace logging Translations Tray Icon Menu","title":"T"},{"location":"Content/AllPages/#u","text":"Usage Tips USB Sandboxing Use Privacy Mode Use Rule Specificity Use SbieDesk Hack Use Security Mode User Accounts Settings","title":"U"},{"location":"Content/AllPages/#v","text":"View Menu","title":"V"},{"location":"Content/AllPages/#w","text":"WFP Support Windows 8 Windows XP Mode Write File Path Write Key Path","title":"W"},{"location":"Content/AllPages/#x","text":"","title":"X"},{"location":"Content/AllPages/#y","text":"Yes Or No Settings","title":"Y"},{"location":"Content/AllPages/#z","text":"","title":"Z"},{"location":"Content/AllowRawDiskRead/","text":"Allow Raw Disk Read AllowRawDiskRead is a sandbox setting in Sandboxie Ini available since v0.7.0 / 5.48.0. This setting can be used to disable protection which prevents elevated sandboxed processes from accessing volumes/disks for reading. . . . [DefaultBox] AllowRawDiskRead=y Related Sandboxie Plus setting: Sandbox Options > File Options > Allow elevated sandboxed applications to read the harddrive","title":"Allow Raw Disk Read"},{"location":"Content/AllowRawDiskRead/#allow-raw-disk-read","text":"AllowRawDiskRead is a sandbox setting in Sandboxie Ini available since v0.7.0 / 5.48.0. 
This setting can be used to disable protection which prevents elevated sandboxed processes from accessing volumes/disks for reading. . . . [DefaultBox] AllowRawDiskRead=y Related Sandboxie Plus setting: Sandbox Options > File Options > Allow elevated sandboxed applications to read the harddrive","title":"Allow Raw Disk Read"},{"location":"Content/AllowSpoolerPrintToFile/","text":"Allow Spooler Print To File AllowSpoolerPrintToFile is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] AllowSpoolerPrintToFile=n This setting can be used to prevent sandboxed applications from printing to file. By default, Sandboxie blocks all CreateFile calls that ask for write access for a sandboxed spoolsv.exe .","title":"Allow Spooler Print To File"},{"location":"Content/AllowSpoolerPrintToFile/#allow-spooler-print-to-file","text":"AllowSpoolerPrintToFile is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] AllowSpoolerPrintToFile=n This setting can be used to prevent sandboxed applications from printing to file. By default, Sandboxie blocks all CreateFile calls that ask for write access for a sandboxed spoolsv.exe .","title":"Allow Spooler Print To File"},{"location":"Content/AppearanceSettings/","text":"Appearance Settings Sandboxie Control > Sandbox Settings > Appearance: Normally, Sandboxie inserts the Sandboxie marks [#] in the title bar of windows associated with sandboxed programs. You can use the first checkbox to override this default behavior and prevent the Sandboxie marks from appearing. You can use the second checkbox to extend this default behavior to also insert the name of the sandbox between the [#] marks. This is useful when you frequently use the same programs in more than one sandbox. Note: It is not possible to enable both checkboxes at the same time. 
Sandboxie can also draw a colored border around the active (foreground) window, if that windows belongs to a sandboxed program. Use the third checkbox to enable this behavior and choose the border color for programs in this sandbox. Related Sandboxie Ini setting: BoxNameTitle , BorderColor .","title":"Appearance Settings"},{"location":"Content/AppearanceSettings/#appearance-settings","text":"Sandboxie Control > Sandbox Settings > Appearance: Normally, Sandboxie inserts the Sandboxie marks [#] in the title bar of windows associated with sandboxed programs. You can use the first checkbox to override this default behavior and prevent the Sandboxie marks from appearing. You can use the second checkbox to extend this default behavior to also insert the name of the sandbox between the [#] marks. This is useful when you frequently use the same programs in more than one sandbox. Note: It is not possible to enable both checkboxes at the same time. Sandboxie can also draw a colored border around the active (foreground) window, if that windows belongs to a sandboxed program. Use the third checkbox to enable this behavior and choose the border color for programs in this sandbox. Related Sandboxie Ini setting: BoxNameTitle , BorderColor .","title":"Appearance Settings"},{"location":"Content/ApplicationsSettings/","text":"Applications Settings Applications\" Settings Group Sandboxie Control > Sandbox Settings > Applications. This group of settings pages offers quick configuration of Sandboxie for use with other applications, particularly the various well-known Web browsers and email programs, but also some third-party applications that are known to require special configuration in Sandboxie. 
Web Browser Sandboxie Control > Sandbox Settings > Applications > Web Browser This settings sub-group is itself divided into three sub-groups: Internet Explorer See also: Internet Explorer Tips Firefox See also: Firefox Tips Other Browsers This settings page offers quick configuration for the following browsers: Internet Explorer, Mozilla Firefox and SeaMonkey, the Opera Web browser, Maxthon 2, and Google Chrome. Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. If you use non-default locations for the data (profile) folders used by your Web browsers, make sure to also visit the Applications > Folders settings page to specify the alternate locations. Two special settings on the Internet Explorer settings page: Save outside sandbox: History of search strings and invoked commands. For detailed information, see Sandboxie Ini setting: OpenProtectedStorage . Save outside sandbox: Account information for Hotmail and Messenger. (no longer available since Sandboxie v0.8.0 / 5.50.0). For detailed information, see Sandboxie Ini setting: OpenCredentials . See also Save Outside Sandbox in Internet Explorer Tips for more information and recommendations. Email Reader Sandboxie Control > Sandbox Settings > Applications > Email Reader This settings page offers quick configuration for the following email programs: Outlook Express Office Outlook Windows Vista Mail Windows Live Mail Mozilla Thunderbird Mozilla SeaMonkey Opera Mail IncrediMail Eudora The Bat! Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. You may also need to tell Sandboxie where your mailbox data files reside, in the following cases: If your mailbox resides in a non-default or non-standard location. If you use the Eudora or The-Bat! email software. 
To do that, open Sandbox Settings > Applications > Folders , select your email software from the drop-down list, and then select a folder location to be associated with it. After completing the email configuration, you may want to test it, to make sure that even when running under Sandboxie, new emails are not lost when you delete the sandbox. To do that, follow the steps outlined in Test Email Configuration . If your email program is not known to Sandboxie, you can use Sandbox Settings > Resource Access > File Access > Direct Access to explicitly add direct access to the folder containing your mailbox data files. See also message SBIE2212 , Email Protection , and FAQ Email . Miscellaneous The following settings pages are used to enable configurations for third-party software, categorized by subject. There are settings pages for PDF and printing software, for password and security software, for desktop utilities and other miscellaneous programs and settings. Select (highlight) the desired configuration and click the Open Web Site button to visit the vendor Web site for a particular program recognized by Sandboxie. Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. In some cases, you also specify the locations of the data files used by the third-party software. Use Applications > Folders settings page to specify the alternate locations. Local Sandboxie Control > Sandbox Settings > Applications > Local Use this settings page to enter your own custom settings as an application configuration package that can be easily enabled or disabled for a particular sandbox. For more information about designing your own application configuration packages, or templates, consult the Templates.ini file in the Sandboxie installation folder. 
Folders Sandboxie Control > Sandbox Settings > Applications > Folders Use this settings page to specify any alternate (non-default) folder locations for the data files used by applications for which you have enabled in (or add to) the sandbox. First, select (highlight) the desired application, then click the Add button to specify the alternate location. Accessibility Settings Sandboxie Control > Sandbox Settings > Applications > Accessibility This settings page offers quick configuration for the following screen reading programs: JAWS NVDA Windows-Eyes System Access Accessibility support in Windows allows any program to provide hints and information about the content it is displaying. Screen reader software typically uses these hints to offer more detail about the content of the screen. Normally, the isolation of Sandboxie prevents the screen reader from accessing the accessibility hints provided by the sandboxed program. Enabling the setting will weaken the protection of the Sandboxie in order to permit two-way communication between the screen reader program and the sandboxed program. You may wish to enable Sandbox Settings > Restrictions > Drop Rights to compensate for the lost protection.","title":"Applications Settings"},{"location":"Content/ApplicationsSettings/#applications-settings","text":"","title":"Applications Settings"},{"location":"Content/ApplicationsSettings/#applications-settings-group","text":"Sandboxie Control > Sandbox Settings > Applications. 
This group of settings pages offers quick configuration of Sandboxie for use with other applications, particularly the various well-known Web browsers and email programs, but also some third-party applications that are known to require special configuration in Sandboxie.","title":"Applications\" Settings Group"},{"location":"Content/ApplicationsSettings/#web-browser","text":"Sandboxie Control > Sandbox Settings > Applications > Web Browser This settings sub-group is itself divided into three sub-groups:","title":"Web Browser"},{"location":"Content/ApplicationsSettings/#internet-explorer","text":"See also: Internet Explorer Tips","title":"Internet Explorer"},{"location":"Content/ApplicationsSettings/#firefox","text":"See also: Firefox Tips","title":"Firefox"},{"location":"Content/ApplicationsSettings/#other-browsers","text":"This settings page offers quick configuration for the following browsers: Internet Explorer, Mozilla Firefox and SeaMonkey, the Opera Web browser, Maxthon 2, and Google Chrome. Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. If you use non-default locations for the data (profile) folders used by your Web browsers, make sure to also visit the Applications > Folders settings page to specify the alternate locations. Two special settings on the Internet Explorer settings page: Save outside sandbox: History of search strings and invoked commands. For detailed information, see Sandboxie Ini setting: OpenProtectedStorage . Save outside sandbox: Account information for Hotmail and Messenger. (no longer available since Sandboxie v0.8.0 / 5.50.0). For detailed information, see Sandboxie Ini setting: OpenCredentials . 
See also Save Outside Sandbox in Internet Explorer Tips for more information and recommendations.","title":"Other Browsers"},{"location":"Content/ApplicationsSettings/#email-reader","text":"Sandboxie Control > Sandbox Settings > Applications > Email Reader This settings page offers quick configuration for the following email programs: Outlook Express Office Outlook Windows Vista Mail Windows Live Mail Mozilla Thunderbird Mozilla SeaMonkey Opera Mail IncrediMail Eudora The Bat! Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. You may also need to tell Sandboxie where your mailbox data files reside, in the following cases: If your mailbox resides in a non-default or non-standard location. If you use the Eudora or The-Bat! email software. To do that, open Sandbox Settings > Applications > Folders , select your email software from the drop-down list, and then select a folder location to be associated with it. After completing the email configuration, you may want to test it, to make sure that even when running under Sandboxie, new emails are not lost when you delete the sandbox. To do that, follow the steps outlined in Test Email Configuration . If your email program is not known to Sandboxie, you can use Sandbox Settings > Resource Access > File Access > Direct Access to explicitly add direct access to the folder containing your mailbox data files. See also message SBIE2212 , Email Protection , and FAQ Email .","title":"Email Reader"},{"location":"Content/ApplicationsSettings/#miscellaneous","text":"The following settings pages are used to enable configurations for third-party software, categorized by subject. There are settings pages for PDF and printing software, for password and security software, for desktop utilities and other miscellaneous programs and settings. 
Select (highlight) the desired configuration and click the Open Web Site button to visit the vendor Web site for a particular program recognized by Sandboxie. Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. In some cases, you also specify the locations of the data files used by the third-party software. Use Applications > Folders settings page to specify the alternate locations.","title":"Miscellaneous"},{"location":"Content/ApplicationsSettings/#local","text":"Sandboxie Control > Sandbox Settings > Applications > Local Use this settings page to enter your own custom settings as an application configuration package that can be easily enabled or disabled for a particular sandbox. For more information about designing your own application configuration packages, or templates, consult the Templates.ini file in the Sandboxie installation folder.","title":"Local"},{"location":"Content/ApplicationsSettings/#folders","text":"Sandboxie Control > Sandbox Settings > Applications > Folders Use this settings page to specify any alternate (non-default) folder locations for the data files used by applications for which you have enabled in (or add to) the sandbox. First, select (highlight) the desired application, then click the Add button to specify the alternate location.","title":"Folders"},{"location":"Content/ApplicationsSettings/#accessibility-settings","text":"Sandboxie Control > Sandbox Settings > Applications > Accessibility This settings page offers quick configuration for the following screen reading programs: JAWS NVDA Windows-Eyes System Access Accessibility support in Windows allows any program to provide hints and information about the content it is displaying. Screen reader software typically uses these hints to offer more detail about the content of the screen. Normally, the isolation of Sandboxie prevents the screen reader from accessing the accessibility hints provided by the sandboxed program. 
Enabling the setting will weaken the protection of the Sandboxie in order to permit two-way communication between the screen reader program and the sandboxed program. You may wish to enable Sandbox Settings > Restrictions > Drop Rights to compensate for the lost protection.","title":"Accessibility Settings"},{"location":"Content/AutoDelete/","text":"Auto Delete AutoDelete is a sandbox setting in Sandboxie Ini . It is typically specified as AutoDelete=y, and indicates that the contents of the sandbox should be automatically deleted as soon as the last sandboxed process is terminated. For example: . . . [DefaultBox] AutoDelete=y Related Sandboxie Control setting: Sandbox Settings > Delete > Invocation Related Sandboxie Plus setting: Sandbox Options > File Options > Box Delete options > Auto delete content when last sandboxed process terminates","title":"Auto Delete"},{"location":"Content/AutoDelete/#auto-delete","text":"AutoDelete is a sandbox setting in Sandboxie Ini . It is typically specified as AutoDelete=y, and indicates that the contents of the sandbox should be automatically deleted as soon as the last sandboxed process is terminated. For example: . . . [DefaultBox] AutoDelete=y Related Sandboxie Control setting: Sandbox Settings > Delete > Invocation Related Sandboxie Plus setting: Sandbox Options > File Options > Box Delete options > Auto delete content when last sandboxed process terminates","title":"Auto Delete"},{"location":"Content/AutoExec/","text":"Auto Exec AutoExec is a sandbox setting in Sandboxie Ini . It specifies a list of commands that are executed every time the sandbox is initially populated. Examples: . . . [DefaultBox] AutoExec=regedit /s c:\\defaultbox.reg AutoExec=cmd /c del /f \"%windir%\\system32\\someExploitableDLL.dll\" The first example shows using AutoExec to populate the sandboxed registry in some way. The second example shows using AutoExec to delete an undesirable DLL file. 
In both cases the customization takes place only within the sandbox. Multiple AutoExec settings may be specified for a single sandbox. The commands listed are executed one by one. The commands (whether one or any number of them) are executed once in the life-time of a particular sandbox. To get Sandboxie to execute these commands again, the sandbox must be deleted. This is true even if the command execution fails -- it will not be executed again, unless the sandbox is deleted. At this time, there is no corresponding Sandboxie Control configuration for this setting. Technical Details Each AutoExec command, as it is executed by Sandboxie, is recorded in the registry of that sandbox, in the key HKEY_CURRENT_USER\\Software\\SandboxieAutoExec . The command will not be executed if it was already recorded in the sandboxed registry. Thus, deleting the sandbox clears all recorded AutoExec commands, so they are executed again the next time any sandboxed program starts in that sandbox. But it is also possible to get them to execute again, by manually deleting the command from that sandboxed registry key.","title":"Auto Exec"},{"location":"Content/AutoExec/#auto-exec","text":"AutoExec is a sandbox setting in Sandboxie Ini . It specifies a list of commands that are executed every time the sandbox is initially populated. Examples: . . . [DefaultBox] AutoExec=regedit /s c:\\defaultbox.reg AutoExec=cmd /c del /f \"%windir%\\system32\\someExploitableDLL.dll\" The first example shows using AutoExec to populate the sandboxed registry in some way. The second example shows using AutoExec to delete an undesirable DLL file. In both cases the customization takes place only within the sandbox. Multiple AutoExec settings may be specified for a single sandbox. The commands listed are executed one by one. The commands (whether one or any number of them) are executed once in the life-time of a particular sandbox. To get Sandboxie to execute these commands again, the sandbox must be deleted. 
This is true even if the command execution fails -- it will not be executed again, unless the sandbox is deleted. At this time, there is no corresponding Sandboxie Control configuration for this setting. Technical Details Each AutoExec command, as it is executed by Sandboxie, is recorded in the registry of that sandbox, in the key HKEY_CURRENT_USER\\Software\\SandboxieAutoExec . The command will not be executed if it was already recorded in the sandboxed registry. Thus, deleting the sandbox clears all recorded AutoExec commands, so they are executed again the next time any sandboxed program starts in that sandbox. But it is also possible to get them to execute again, by manually deleting the command from that sandboxed registry key.","title":"Auto Exec"},{"location":"Content/AutoRecover/","text":"Auto Recover AutoRecover is a sandbox setting in Sandboxie Ini . It is typically specified as AutoRecover=y , and enables the Immediate Recovery extension of Quick Recovery . Usage: . . . [DefaultBox] AutoRecover=y Related Sandboxie Control setting: Sandbox Settings > Recovery > Immediate Recovery","title":"Auto Recover"},{"location":"Content/AutoRecover/#auto-recover","text":"AutoRecover is a sandbox setting in Sandboxie Ini . It is typically specified as AutoRecover=y , and enables the Immediate Recovery extension of Quick Recovery . Usage: . . . [DefaultBox] AutoRecover=y Related Sandboxie Control setting: Sandbox Settings > Recovery > Immediate Recovery","title":"Auto Recover"},{"location":"Content/AutoRecoverIgnore/","text":"Auto Recover Ignore AutoRecoverIgnore is a sandbox setting in Sandboxie Ini . It specifies folders or file types that should be ignored by the Immediate Recovery extension of Quick Recovery . For example: . . . [DefaultBox] AutoRecoverIgnore=.part AutoRecoverIgnore=%Desktop% AutoRecoverIgnore=C:\\Folder The first example excludes from Immediate Recovery any files ending in .part . 
These files are created by the download manager of the Mozilla browsers, and represent incomplete downloads. When the download completes, the .part extension is removed from the file, thus making it eligible for Immediate Recovery. Note that .part is a default setting. The second and third examples exclude the specified folders from Immediate Recovery. Related Sandboxie Control setting: Sandbox Settings > Recovery > Immediate Recovery","title":"Auto Recover Ignore"},{"location":"Content/AutoRecoverIgnore/#auto-recover-ignore","text":"AutoRecoverIgnore is a sandbox setting in Sandboxie Ini . It specifies folders or file types that should be ignored by the Immediate Recovery extension of Quick Recovery . For example: . . . [DefaultBox] AutoRecoverIgnore=.part AutoRecoverIgnore=%Desktop% AutoRecoverIgnore=C:\\Folder The first example excludes from Immediate Recovery any files ending in .part . These files are created by the download manager of the Mozilla browsers, and represent incomplete downloads. When the download completes, the .part extension is removed from the file, thus making it eligible for Immediate Recovery. Note that .part is a default setting. The second and third examples exclude the specified folders from Immediate Recovery. Related Sandboxie Control setting: Sandbox Settings > Recovery > Immediate Recovery","title":"Auto Recover Ignore"},{"location":"Content/BlockDrivers/","text":"Block Drivers This feature was removed in SBIE version 4.+ and up. It is no longer available. BlockDrivers was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to load drivers into the operating system. However, this setting did not govern the installation of new drivers -- see more below. Usage: . . . [DefaultBox] BlockDrivers=n Specifying n indicates that a sandboxed program may load drivers into the operating system. If this is not done, Sandboxie will deny the driver load attempt, and instead issue message SBIE2103 . 
Note: Disabling the protection afforded by BlockDrivers is not recommended. Driver Installation Before a driver can be loaded, it must first be installed. Driver installation is not affected by the BlockDrivers setting. To allow driver installation, you should add the following OpenKeyPath setting: OpenKeyPath=HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services And you should additionally open the driver file, using OpenFilePath. This is needed because the driver path that will be set in the registry (in a key created below CurrentControlSet\\Services) will typically not point inside the sandbox. OpenFilePath=c:\\program files\\MyNewSoftware\\SoftwareDriver.sys Note: Allowing sandboxed programs to install drivers is not recommended. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Drivers"},{"location":"Content/BlockDrivers/#block-drivers","text":"This feature was removed in SBIE version 4.+ and up. It is no longer available. BlockDrivers was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to load drivers into the operating system. However, this setting did not govern the installation of new drivers -- see more below. Usage: . . . [DefaultBox] BlockDrivers=n Specifying n indicates that a sandboxed program may load drivers into the operating system. If this is not done, Sandboxie will deny the driver load attempt, and instead issue message SBIE2103 . Note: Disabling the protection afforded by BlockDrivers is not recommended. Driver Installation Before a driver can be loaded, it must first be installed. Driver installation is not affected by the BlockDrivers setting. To allow driver installation, you should add the following OpenKeyPath setting: OpenKeyPath=HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services And you should additionally open the driver file, using OpenFilePath. 
This is needed because the driver path that will be set in the registry (in a key created below CurrentControlSet\\Services) will typically not point inside the sandbox. OpenFilePath=c:\\program files\\MyNewSoftware\\SoftwareDriver.sys Note: Allowing sandboxed programs to install drivers is not recommended. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Drivers"},{"location":"Content/BlockFakeInput/","text":"Block Fake Input This feature was removed in SBIE version 4 and up. It is no longer available. BlockFakeInput was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to manufacture fake keyboard input and send it to windows of applications running outside that sandbox. Usage: . . . [DefaultBox] BlockFakeInput=n Keyboard input is received by the active, highlighted window. This is true whether the keyboard input was manufactured by a program (fake input), or coming from the keyboard (real input). By default, Sandboxie will allow a program running in a sandbox to manufacture fake input, provided the recipient window belongs to an application which is running in the same sandbox. If the fake input will end up in a window outside that sandbox, Sandboxie will discard the input and issue message SBIE1304 . Specifying BlockFakeInput=n indicates that a sandboxed program should be allowed to manufacture fake keyboard input, regardless of the recipient of that input. To experiment with this setting, you can run a sandboxed instance of osk.exe , the Windows on-screen keyboard. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access","title":"Block Fake Input"},{"location":"Content/BlockFakeInput/#block-fake-input","text":"This feature was removed in SBIE version 4 and up. It is no longer available. BlockFakeInput was a sandbox setting in Sandboxie Ini . 
It specified whether Sandboxie should allow sandboxed programs to manufacture fake keyboard input and send it to windows of applications running outside that sandbox. Usage: . . . [DefaultBox] BlockFakeInput=n Keyboard input is received by the active, highlighted window. This is true whether the keyboard input was manufactured by a program (fake input), or coming from the keyboard (real input). By default, Sandboxie will allow a program running in a sandbox to manufacture fake input, provided the recipient window belongs to an application which is running in the same sandbox. If the fake input will end up in a window outside that sandbox, Sandboxie will discard the input and issue message SBIE1304 . Specifying BlockFakeInput=n indicates that a sandboxed program should be allowed to manufacture fake keyboard input, regardless of the recipient of that input. To experiment with this setting, you can run a sandboxed instance of osk.exe , the Windows on-screen keyboard. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access","title":"Block Fake Input"},{"location":"Content/BlockNetParam/","text":"Block Net Param BlockNetParam is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will allow sandboxed programs to change network and firewall parameters. Usage: . . . [DefaultBox] BlockNetParam=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change network and firewall parameters.","title":"Block Net Param"},{"location":"Content/BlockNetParam/#block-net-param","text":"BlockNetParam is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will allow sandboxed programs to change network and firewall parameters. Usage: . . . 
[DefaultBox] BlockNetParam=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change network and firewall parameters.","title":"Block Net Param"},{"location":"Content/BlockNetworkFiles/","text":"Block Network Files BlockNetworkFiles is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will block sandboxed programs from accessing network files and folders without specifically opened. . . . [DefaultBox] BlockNetworkFiles=n Specifying n indicates that a sandboxed program may access network files without specifically opened, in this case \"Net Share\" will appear in sandbox status. Related Sandboxie Plus setting: Sandbox Options > Network Options > Other Options > Block network files and folders, unless specifically opened Related Sandboxie Plus setting when creating a new sandbox with \"Configure advanced options\" selected: Sandbox Isolation options > Network Access > Allow access to network files and folders","title":"Block Network Files"},{"location":"Content/BlockNetworkFiles/#block-network-files","text":"BlockNetworkFiles is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will block sandboxed programs from accessing network files and folders without specifically opened. . . . [DefaultBox] BlockNetworkFiles=n Specifying n indicates that a sandboxed program may access network files without specifically opened, in this case \"Net Share\" will appear in sandbox status. Related Sandboxie Plus setting: Sandbox Options > Network Options > Other Options > Block network files and folders, unless specifically opened Related Sandboxie Plus setting when creating a new sandbox with \"Configure advanced options\" selected: Sandbox Isolation options > Network Access > Allow access to network files and folders","title":"Block Network Files"},{"location":"Content/BlockPassword/","text":"Block Password This feature is obsolete. 
If you use Windows 10 or later, we recommend OpenSamEndpoint since version 0.7.0 / 5.48.0: #938 BlockPassword is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will allow sandboxed programs to change the password of user accounts. Usage: . . . [DefaultBox] BlockPassword=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change the user account password. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Password"},{"location":"Content/BlockPassword/#block-password","text":"This feature is obsolete. If you use Windows 10 or later, we recommend OpenSamEndpoint since version 0.7.0 / 5.48.0: #938 BlockPassword is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will allow sandboxed programs to change the password of user accounts. Usage: . . . [DefaultBox] BlockPassword=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change the user account password. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Password"},{"location":"Content/BlockPort/","text":"Block Port This feature was removed since v0.9.0 / 5.51.0. If you have custom BlockPort entries in your Sandboxie Ini , they will need to be updated by hand to the new format, so for example BlockPort=137,138,139,445 becomes NetworkAccess=*,Block;Port=137,138,139,445 (currently included in the Templates.ini file under the [Template_BlockPorts] section). BlockPort was a sandbox setting in Sandboxie Ini . It specified IP port numbers to block for outgoing communications. Usage: . . . [DefaultBox] BlockPort=137-139,445 BlockPort=*,80,8080 The port numbers listed above are associated with the SMB/CIFS network file sharing subsystem. 
The primary purpose of this setting is to block outgoing communications on SMB/CIFS ports, in order to prevent a rogue sandboxed program from accessing files through the SMB/CIFS subsystem, rather than by issuing direct requests to the local system. The setting can be specified repeatedly over multiple lines and the effects will accumulate. Port ranges may be specified as shown in the first example. The second example shows negated use: Block all ports except those specified following the asterisk (star) character. This setting is not configurable through Sandboxie Control, except to enable or disable a pre-defined list of default blocked ports: Sandbox Settings > Applications > Miscellaneous > Default list of blocked TCP/IP ports Note that this setting will prevent programs such as smbclient from properly running under Sandboxie. In case this is required, the setting can be turned off.","title":"Block Port"},{"location":"Content/BlockPort/#block-port","text":"This feature was removed since v0.9.0 / 5.51.0. If you have custom BlockPort entries in your Sandboxie Ini , they will need to be updated by hand to the new format, so for example BlockPort=137,138,139,445 becomes NetworkAccess=*,Block;Port=137,138,139,445 (currently included in the Templates.ini file under the [Template_BlockPorts] section). BlockPort was a sandbox setting in Sandboxie Ini . It specified IP port numbers to block for outgoing communications. Usage: . . . [DefaultBox] BlockPort=137-139,445 BlockPort=*,80,8080 The port numbers listed above are associated with the SMB/CIFS network file sharing subsystem. The primary purpose of this setting is to block outgoing communications on SMB/CIFS ports, in order to prevent a rogue sandboxed program from accessing files through the SMB/CIFS subsystem, rather than by issuing direct requests to the local system. The setting can be specified repeatedly over multiple lines and the effects will accumulate. 
Port ranges may be specified as shown in the first example. The second example shows negated use: Block all ports except those specified following the asterisk (star) character. This setting is not configurable through Sandboxie Control, except to enable or disable a pre-defined list of default blocked ports: Sandbox Settings > Applications > Miscellaneous > Default list of blocked TCP/IP ports Note that this setting will prevent programs such as smbclient from properly running under Sandboxie. In case this is required, the setting can be turned off.","title":"Block Port"},{"location":"Content/BlockScreenCapture/","text":"Block Screen Capture BlockScreenCapture is a sandbox setting in Sandboxie Ini available since v1.13.6 / 5.68.6. If enabled, it will prevent sandboxed processes from accessing the images of the window outside the sandbox. For example: . . . [DefaultBox] BlockScreenCapture=y A setting similar to BlockScreenCapture is CoverBoxedWindows . Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Prevent sandboxed processes from capturing window images","title":"Block Screen Capture"},{"location":"Content/BlockScreenCapture/#block-screen-capture","text":"BlockScreenCapture is a sandbox setting in Sandboxie Ini available since v1.13.6 / 5.68.6. If enabled, it will prevent sandboxed processes from accessing the images of the window outside the sandbox. For example: . . . [DefaultBox] BlockScreenCapture=y A setting similar to BlockScreenCapture is CoverBoxedWindows . Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Prevent sandboxed processes from capturing window images","title":"Block Screen Capture"},{"location":"Content/BlockSysParam/","text":"Block Sys Param BlockSysParam feature was removed in SBIE version 4.+ and up. It is no longer available. BlockSysParam was a sandbox setting in Sandboxie Ini . 
It specified whether Sandboxie should allow sandboxed programs to change various system parameters. Usage: . . . [DefaultBox] BlockSysParam=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change various system parameters, such as the desktop wallpaper. For an extensive discussion about the system parameters that can be changed, please consult the discussion on the SystemParametersInfo API on the Microsoft MSDN web site. Technical Note: When Sandboxie blocks a request to change a system parameter, this is logged in the Resource Access Monitor as operation (SystemParametersInfo:nnnnnnnn) where nnnnnnnn is a hexadecimal value corresponding to the uiAction parameter passed to the SystemParametersInfo API. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Sys Param"},{"location":"Content/BlockSysParam/#block-sys-param","text":"BlockSysParam feature was removed in SBIE version 4.+ and up. It is no longer available. BlockSysParam was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to change various system parameters. Usage: . . . [DefaultBox] BlockSysParam=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change various system parameters, such as the desktop wallpaper. For an extensive discussion about the system parameters that can be changed, please consult the discussion on the SystemParametersInfo API on the Microsoft MSDN web site. Technical Note: When Sandboxie blocks a request to change a system parameter, this is logged in the Resource Access Monitor as operation (SystemParametersInfo:nnnnnnnn) where nnnnnnnn is a hexadecimal value corresponding to the uiAction parameter passed to the SystemParametersInfo API. 
Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Sys Param"},{"location":"Content/BlockWinHooks/","text":"Block Win Hooks BlockWinHooks feature was removed in SBIE version 4.+ and up. It is no longer available. BlockWinHooks was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to install system-global hooks. Usage: . . . [DefaultBox] BlockWinHooks=n One application may attach to other applications in the system by employing a mechanism called windows hooks. This mechanism associates a component of the requesting application (called a DLL file) with all other applications. By default, Sandboxie denies a request to install a global hook, and will instead convert the hook into an application-specific hook, and install this converted hook only into applications running in the same sandbox as the requesting application. In effect, this restricts the effect of global hooks to a specific sandbox, and increases the protection provided by Sandboxie while still allowing applications that rely on global hooks to execute correctly. Specifying BlockWinHooks=n disables this protection, and allows a sandboxed application to install global hooks into all running applications, both inside and outside the sandbox. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Win Hooks"},{"location":"Content/BlockWinHooks/#block-win-hooks","text":"BlockWinHooks feature was removed in SBIE version 4.+ and up. It is no longer available. BlockWinHooks was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to install system-global hooks. Usage: . . . [DefaultBox] BlockWinHooks=n One application may attach to other applications in the system by employing a mechanism called windows hooks. 
This mechanism associates a component of the requesting application (called a DLL file) with all other applications. By default, Sandboxie denies a request to install a global hook, and will instead convert the hook into an application-specific hook, and install this converted hook only into applications running in the same sandbox as the requesting application. In effect, this restricts the effect of global hooks to a specific sandbox, and increases the protection provided by Sandboxie while still allowing applications that rely on global hooks to execute correctly. Specifying BlockWinHooks=n disables this protection, and allows a sandboxed application to install global hooks into all running applications, both inside and outside the sandbox. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Win Hooks"},{"location":"Content/BorderColor/","text":"Border Color BorderColor is a sandbox setting in Sandboxie Ini . It controls whether Sandboxie displays a colored border around the active foreground window, if that windows belongs to a sandboxed application. Usage: . . . [DefaultBox] BorderColor=#00FFFF,ttl,6 BorderColor=#00FFFF,off,6 BorderColor=#00FFFF,on,6 Its default value is \"#00FFFF,ttl,6\" . The number represents the default pixel width of the drawn border and can be omitted. Sandboxie doesn't draw the border if BorderColor ends with \",off,6\" , while in previous versions it was \",n\" . The color is specified in HTML-like RGB color notation: The hash mark prefixes a hexadecimal (base-16) number that is exactly 6-digits long. The first two hex digits denote the red component of the color. The next two hex digits denote the green component of the color. The last two hex digits denote the blue component of the color. The border will not be drawn when Sandboxie Control is not running. 
Related Sandboxie Control setting: Sandbox Settings > Appearance","title":"Border Color"},{"location":"Content/BorderColor/#border-color","text":"BorderColor is a sandbox setting in Sandboxie Ini . It controls whether Sandboxie displays a colored border around the active foreground window, if that windows belongs to a sandboxed application. Usage: . . . [DefaultBox] BorderColor=#00FFFF,ttl,6 BorderColor=#00FFFF,off,6 BorderColor=#00FFFF,on,6 Its default value is \"#00FFFF,ttl,6\" . The number represents the default pixel width of the drawn border and can be omitted. Sandboxie doesn't draw the border if BorderColor ends with \",off,6\" , while in previous versions it was \",n\" . The color is specified in HTML-like RGB color notation: The hash mark prefixes a hexadecimal (base-16) number that is exactly 6-digits long. The first two hex digits denote the red component of the color. The next two hex digits denote the green component of the color. The last two hex digits denote the blue component of the color. The border will not be drawn when Sandboxie Control is not running. Related Sandboxie Control setting: Sandbox Settings > Appearance","title":"Border Color"},{"location":"Content/BoxNameTitle/","text":"Box Name Title BoxNameTitle is a sandbox setting in Sandboxie Ini . It controls whether Sandboxie displays the name of the sandbox in the title bar of a window that belongs to a sandboxed application. Usage: . . . [DefaultBox] BoxNameTitle=y By default, Sandboxie only displays the sandboxed [#] indicator in the title bar of a window that belongs to a sandboxed application. 
For example: [#] Sandboxie - Front Page - Windows Internet Explorer [#] Specifying BoxNameTitle=y places the sandbox name in the title bar: [#] [DefaultBox] Sandboxie - Front Page - Windows Internet Explorer [#] Related Sandboxie Control setting: Sandbox Settings > Appearance","title":"Box Name Title"},{"location":"Content/BoxNameTitle/#box-name-title","text":"BoxNameTitle is a sandbox setting in Sandboxie Ini . It controls whether Sandboxie displays the name of the sandbox in the title bar of a window that belongs to a sandboxed application. Usage: . . . [DefaultBox] BoxNameTitle=y By default, Sandboxie only displays the sandboxed [#] indicator in the title bar of a window that belongs to a sandboxed application. For example: [#] Sandboxie - Front Page - Windows Internet Explorer [#] Specifying BoxNameTitle=y places the sandbox name in the title bar: [#] [DefaultBox] Sandboxie - Front Page - Windows Internet Explorer [#] Related Sandboxie Control setting: Sandbox Settings > Appearance","title":"Box Name Title"},{"location":"Content/BoxRootFolder/","text":"Box Root Folder This setting is deprecated. Please use FileRootPath instead. BoxRootFolder is a global setting in Sandboxie Ini . It specifies the folder containing all sandboxes. One sub-folder is created within the container folder for each sandbox in active use. In Sandboxie version 3 and later, the FileRootPath setting is the preferred way to specify the location of sandboxes, and takes precedence over BoxRootFolder in case both settings exist. Note that as any other sandbox setting, the FileRootPath may appear in the GlobalSettings section, and in that case, it applies to all sandboxes. See Sandbox Hierarchy for more information. Usage: . . . [GlobalSettings] BoxRootFolder=C:\\Sandbox Related Sandboxie Control setting: Sandbox menu > Set Container Folder","title":"Box Root Folder"},{"location":"Content/BoxRootFolder/#box-root-folder","text":"This setting is deprecated. Please use FileRootPath instead. 
BoxRootFolder is a global setting in Sandboxie Ini . It specifies the folder containing all sandboxes. One sub-folder is created within the container folder for each sandbox in active use. In Sandboxie version 3 and later, the FileRootPath setting is the preferred way to specify the location of sandboxes, and takes precedence over BoxRootFolder in case both settings exist. Note that as any other sandbox setting, the FileRootPath may appear in the GlobalSettings section, and in that case, it applies to all sandboxes. See Sandbox Hierarchy for more information. Usage: . . . [GlobalSettings] BoxRootFolder=C:\\Sandbox Related Sandboxie Control setting: Sandbox menu > Set Container Folder","title":"Box Root Folder"},{"location":"Content/BreakoutDocument/","text":"Breakout Document BreakoutDocument is a sandbox setting in Sandboxie Ini available since v1.8.5 / 5.63.5. It specifies which documents shall be opened unsandboxed when opened from within the sandbox. Usage: . . . [DefaultBox] BreakoutDocument=C:\\path\\*.txt BreakoutDocument=C:\\path\\*.jpg","title":"Breakout Document"},{"location":"Content/BreakoutDocument/#breakout-document","text":"BreakoutDocument is a sandbox setting in Sandboxie Ini available since v1.8.5 / 5.63.5. It specifies which documents shall be opened unsandboxed when opened from within the sandbox. Usage: . . . [DefaultBox] BreakoutDocument=C:\\path\\*.txt BreakoutDocument=C:\\path\\*.jpg","title":"Breakout Document"},{"location":"Content/BreakoutFolder/","text":"Breakout Folder BreakoutFolder is a sandbox setting in Sandboxie Ini available since v1.0.8 / 5.55.8. It forces a folder's content to run unsandboxed even if started from inside the sandbox. Usage: . . . [DefaultBox] BreakoutFolder=C:\\Downloads BreakoutFolder=E:\\ BreakoutFolder=C:\\App\\* BreakoutFolder=C:\\App? BreakoutFolder=C:\\?pp\\* The first example specifies that any content inside the folder \"C:\\Downloads\" will be launched unsandboxed. 
Entire drives can also be specified as shown in the second example. The third and fourth lines show basic characters from wildcards. * defines any subfolder beyond App folder (App\\1, App\\1\\1 and etc.). ? defines a single character from folder (Appa, App8 and etc.) but not subfolders. Also, you can combine several wildcards to match the specified folder name and subfolders. NOTE: * Shortcuts that link to a program outside the specified folders will be launched sandboxed. For example: if you place a shortcut inside a broken out folder and it links to some program in a non broken out folder, then the shortcut will launch sandboxed. Check BreakoutProcess for information on breaking out programs. Also check ForceFolder , the counterpart of this setting, which forces a folder's content to launch sandboxed.","title":"Breakout Folder"},{"location":"Content/BreakoutFolder/#breakout-folder","text":"BreakoutFolder is a sandbox setting in Sandboxie Ini available since v1.0.8 / 5.55.8. It forces a folder's content to run unsandboxed even if started from inside the sandbox. Usage: . . . [DefaultBox] BreakoutFolder=C:\\Downloads BreakoutFolder=E:\\ BreakoutFolder=C:\\App\\* BreakoutFolder=C:\\App? BreakoutFolder=C:\\?pp\\* The first example specifies that any content inside the folder \"C:\\Downloads\" will be launched unsandboxed. Entire drives can also be specified as shown in the second example. The third and fourth lines show basic characters from wildcards. * defines any subfolder beyond App folder (App\\1, App\\1\\1 and etc.). ? defines a single character from folder (Appa, App8 and etc.) but not subfolders. Also, you can combine several wildcards to match the specified folder name and subfolders. NOTE: * Shortcuts that link to a program outside the specified folders will be launched sandboxed. For example: if you place a shortcut inside a broken out folder and it links to some program in a non broken out folder, then the shortcut will launch sandboxed. 
Check BreakoutProcess for information on breaking out programs. Also check ForceFolder , the counterpart of this setting, which forces a folder's content to launch sandboxed.","title":"Breakout Folder"},{"location":"Content/BreakoutProcess/","text":"Breakout Process BreakoutProcess is a sandbox setting in Sandboxie Ini available since v1.0.8 / 5.55.8. It specifies which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. Usage: . . . [DefaultBox] BreakoutProcess=ProgramName.exe BreakoutProcess=Program*.exe BreakoutProcess=Program?.exe BreakoutProcess=Pro?ram*.exe * defines any name after Program (Program0Test1.exe, Program5Test92G.exe and etc.). ? defines one character from name (Program1.exe, Programg.exe and etc.). Also, you can combine several wildcards to match the specified name. Specifying ProgramName indicates the application that should be launched unsandboxed. Alternatively, the program's path can be specified. Priority System: If you set a program to breakout from a sandbox and force it to be sandboxed in another, this acts as a useful priority system. Example: Let's say you happen to use your browser as a PDF viewer and have 2 sandboxes \"Browser\" and \"Email\". Assume you received a PDF through an email and would rather have the PDF launch a browser tab in the respective \"Browser\" sandbox rather than the current (\"Email\") sandbox. You can break out your browser exe in the \"Email\" sandbox and force it in the \"Browser\" sandbox. Check ForceProcess for more information.","title":"Breakout Process"},{"location":"Content/BreakoutProcess/#breakout-process","text":"BreakoutProcess is a sandbox setting in Sandboxie Ini available since v1.0.8 / 5.55.8. It specifies which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. Usage: . . . 
[DefaultBox] BreakoutProcess=ProgramName.exe BreakoutProcess=Program*.exe BreakoutProcess=Program?.exe BreakoutProcess=Pro?ram*.exe * defines any name after Program (Program0Test1.exe, Program5Test92G.exe and etc.). ? defines one character from name (Program1.exe, Programg.exe and etc.). Also, you can combine several wildcards to match the specified name. Specifying ProgramName indicates the application that should be launched unsandboxed. Alternatively, the program's path can be specified. Priority System: If you set a program to breakout from a sandbox and force it to be sandboxed in another, this acts as a useful priority system. Example: Let's say you happen to use your browser as a PDF viewer and have 2 sandboxes \"Browser\" and \"Email\". Assume you received a PDF through an email and would rather have the PDF launch a browser tab in the respective \"Browser\" sandbox rather than the current (\"Email\") sandbox. You can break out your browser exe in the \"Email\" sandbox and force it in the \"Browser\" sandbox. Check ForceProcess for more information.","title":"Breakout Process"},{"location":"Content/ByteOrderMark/","text":"Byte Order Mark This feature was removed since v0.6.5 / 5.47.0. ByteOrderMark was a global setting in Sandboxie Ini . It was typically specified as ByteOrderMark=y (see Yes Or No Settings ), and indicated that Sandboxie Control should insert a UTF-16 UNICODE Byte Order Mark (BOM) character at the top of the configuration file. Usage: . . . [GlobalSettings] ByteOrderMark=y This setting must be edited into Sandboxie Ini , then Sandboxie configuration must be manually reloaded . Following this, the next time Sandboxie Control rewrites the configuration, it will insert the UNICODE BOM character into the very first two bytes in the Sandboxie Ini configuration file, thus: (hex.) FF FE. 
You need only bother with this setting if both these statements are true: You plan to edit the Sandboxie Ini file manually; Your text editor cannot recognize that Sandboxie Ini file is a UNICODE text file.","title":"Byte Order Mark"},{"location":"Content/ByteOrderMark/#byte-order-mark","text":"This feature was removed since v0.6.5 / 5.47.0. ByteOrderMark was a global setting in Sandboxie Ini . It was typically specified as ByteOrderMark=y (see Yes Or No Settings ), and indicated that Sandboxie Control should insert a UTF-16 UNICODE Byte Order Mark (BOM) character at the top of the configuration file. Usage: . . . [GlobalSettings] ByteOrderMark=y This setting must be edited into Sandboxie Ini , then Sandboxie configuration must be manually reloaded . Following this, the next time Sandboxie Control rewrites the configuration, it will insert the UNICODE BOM character into the very first two bytes in the Sandboxie Ini configuration file, thus: (hex.) FF FE. You need only bother with this setting if both these statements are true: You plan to edit the Sandboxie Ini file manually; Your text editor cannot recognize that Sandboxie Ini file is a UNICODE text file.","title":"Byte Order Mark"},{"location":"Content/ClosePrintSpooler/","text":"Close Print Spooler ClosePrintSpooler is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] ClosePrintSpooler=n This setting can be used to prevent sandboxed applications from interacting with the print spooler service. When set to y , sandboxed applications will be unable to interact with the print spooler service - for example, print. Added as part of 0.5.4 / 5.46.0 version. Interaction with OpenPrintSpooler . . . [DefaultBox] ClosePrintSpooler=n OpenPrintSpooler=n When both settings are configured as shown above, requests from sandboxed applications to the print spooler are selectively filtered. 
This means that certain actions related to the print spooler are permitted (\"open\") while others are restricted (\"closed\"). Specifically, this configuration allows for printing operations but restricts activities that would modify printer configurations or the installation/removal of printers on the system.","title":"Close Print Spooler"},{"location":"Content/ClosePrintSpooler/#close-print-spooler","text":"ClosePrintSpooler is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] ClosePrintSpooler=n This setting can be used to prevent sandboxed applications from interacting with the print spooler service. When set to y , sandboxed applications will be unable to interact with the print spooler service - for example, print. Added as part of 0.5.4 / 5.46.0 version.","title":"Close Print Spooler"},{"location":"Content/ClosePrintSpooler/#interaction-with-openprintspooler","text":". . . [DefaultBox] ClosePrintSpooler=n OpenPrintSpooler=n When both settings are configured as shown above, requests from sandboxed applications to the print spooler are selectively filtered. This means that certain actions related to the print spooler are permitted (\"open\") while others are restricted (\"closed\"). Specifically, this configuration allows for printing operations but restricts activities that would modify printer configurations or the installation/removal of printers on the system.","title":"Interaction with OpenPrintSpooler"},{"location":"Content/ClosedClsid/","text":"Closed Clsid ClosedClsid is a sandbox setting in Sandboxie Ini available since v0.5.3a / 5.45.2. It specifies the COM class identifiers for unsandboxed COM objects that should not be accessible by a sandboxed program. Usage: . . . [DefaultBox] ClosedClsid={8BC3F05E-D86B-11D0-A075-00C04FB68820} This example makes the Windows Management and Instrumentation not accessible to sandboxed programs. 
Related Sandboxie Plus setting: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Closed","title":"Closed Clsid"},{"location":"Content/ClosedClsid/#closed-clsid","text":"ClosedClsid is a sandbox setting in Sandboxie Ini available since v0.5.3a / 5.45.2. It specifies the COM class identifiers for unsandboxed COM objects that should not be accessible by a sandboxed program. Usage: . . . [DefaultBox] ClosedClsid={8BC3F05E-D86B-11D0-A075-00C04FB68820} This example makes the Windows Management and Instrumentation not accessible to sandboxed programs. Related Sandboxie Plus setting: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Closed","title":"Closed Clsid"},{"location":"Content/ClosedFilePath/","text":"Closed File Path ClosedFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks files and folders from being accessed by sandboxed programs. Shell Folders may be specified. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedFilePath=!iexplore.exe,%Cookies% ClosedFilePath=%Personal% ClosedFilePath=!iexplore.exe,\\Device\\RawIp ClosedFilePath=!iexplore.exe,\\Device\\Ip* ClosedFilePath=!iexplore.exe,\\Device\\Tcp* ClosedFilePath=!iexplore.exe,\\Device\\Afd* The example blocks any program other than Internet Explorer ( iexplore.exe ) from accessing the folder containing downloaded Internet cookies for the active user account. This would block any downloaded malicious software from spying on cookies. (Note that this does not stop browser extensions, like add-on toolbars, from looking into the Cookies folder, because these extensions execute inside the Internet Explorer program process.) The second example shows how to configure Sandboxie to block sandboxed programs from accessing the Documents folder. The value specified for ClosedFilePath can include wildcards. 
For more information on this, including examples that show the use of wildcards, see OpenFilePath . The third example (spanning four lines) disables Internet access within a sandbox except for Internet Explorer ( iexplore.exe ). See also Sandbox Settings > Restrictions > Internet Access . Note: Unlike the corresponding OpenFilePath setting, the ClosedFilePath settings always applies to sandboxed programs, whether the program executable file resides within the sandbox, or out of it. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Closed","title":"Closed File Path"},{"location":"Content/ClosedFilePath/#closed-file-path","text":"ClosedFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks files and folders from being accessed by sandboxed programs. Shell Folders may be specified. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedFilePath=!iexplore.exe,%Cookies% ClosedFilePath=%Personal% ClosedFilePath=!iexplore.exe,\\Device\\RawIp ClosedFilePath=!iexplore.exe,\\Device\\Ip* ClosedFilePath=!iexplore.exe,\\Device\\Tcp* ClosedFilePath=!iexplore.exe,\\Device\\Afd* The example blocks any program other than Internet Explorer ( iexplore.exe ) from accessing the folder containing downloaded Internet cookies for the active user account. This would block any downloaded malicious software from spying on cookies. (Note that this does not stop browser extensions, like add-on toolbars, from looking into the Cookies folder, because these extensions execute inside the Internet Explorer program process.) The second example shows how to configure Sandboxie to block sandboxed programs from accessing the Documents folder. 
The value specified for ClosedFilePath can include wildcards. For more information on this, including examples that show the use of wildcards, see OpenFilePath . The third example (spanning four lines) disables Internet access within a sandbox except for Internet Explorer ( iexplore.exe ). See also Sandbox Settings > Restrictions > Internet Access . Note: Unlike the corresponding OpenFilePath setting, the ClosedFilePath settings always applies to sandboxed programs, whether the program executable file resides within the sandbox, or out of it. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Closed","title":"Closed File Path"},{"location":"Content/ClosedIpcPath/","text":"Closed Ipc Path ClosedIpcPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks resources from being accessed by sandboxed programs. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedIpcPath=\\RPC Control\\AudioSrv Unlike sandboxed files, folders and registry keys, Sandboxie will generally not allow a sandboxed program to access a non-sandboxed resource. The exceptions to this rule are if the resource was specified in an OpenIpcPath setting, or if Sandboxie by default recognizes the resource and exposes it for use inside the sandbox. The ClosedIpcPath setting is typically useful to block those resources that Sandboxie recognizes by default. In the example above, the AudioSrv resource is blocked. This resource provides access to audio hardware, in other words, it enables sandboxed programs to generate sound. By blocking it, the sandboxed program is essentially muted. This setting accepts wildcards. 
For more information on the use of wildcards in the OpenXxxPath and ClosedXxxPath settings, see OpenFilePath . Note: Unlike the corresponding OpenIpcPath setting, the ClosedKeyPath settings always applies to sandboxed programs, whether the program executable file resides within the sandbox, or out of it. Related Sandboxie Control setting: Sandbox Settings > Resource Access > IPC Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Closed","title":"Closed Ipc Path"},{"location":"Content/ClosedIpcPath/#closed-ipc-path","text":"ClosedIpcPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks resources from being accessed by sandboxed programs. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedIpcPath=\\RPC Control\\AudioSrv Unlike sandboxed files, folders and registry keys, Sandboxie will generally not allow a sandboxed program to access a non-sandboxed resource. The exceptions to this rule are if the resource was specified in an OpenIpcPath setting, or if Sandboxie by default recognizes the resource and exposes it for use inside the sandbox. The ClosedIpcPath setting is typically useful to block those resources that Sandboxie recognizes by default. In the example above, the AudioSrv resource is blocked. This resource provides access to audio hardware, in other words, it enables sandboxed programs to generate sound. By blocking it, the sandboxed program is essentially muted. This setting accepts wildcards. For more information on the use of wildcards in the OpenXxxPath and ClosedXxxPath settings, see OpenFilePath . Note: Unlike the corresponding OpenIpcPath setting, the ClosedKeyPath settings always applies to sandboxed programs, whether the program executable file resides within the sandbox, or out of it. 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > IPC Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Closed","title":"Closed Ipc Path"},{"location":"Content/ClosedKeyPath/","text":"Closed Key Path ClosedKeyPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks registry keys from being accessed by sandboxed programs. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedKeyPath=!msimn.exe,HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager The example blocks any program other than Outlook Express ( msimn.exe ) from accessing the registry key containing configured email accounts for the active user account. The value specified for ClosedKeyPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: ClosedKeyPath only blocks access to registry keys outside the sandbox, which have not yet been copied (or created) in the sandbox. Note: Unlike the corresponding OpenKeyPath setting, the ClosedKeyPath settings are always applied to programs in the sandbox, regardless of whether the program's executable file is inside or outside the sandbox. Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Closed","title":"Closed Key Path"},{"location":"Content/ClosedKeyPath/#closed-key-path","text":"ClosedKeyPath is a sandbox setting in Sandboxie Ini . 
It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks registry keys from being accessed by sandboxed programs. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedKeyPath=!msimn.exe,HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager The example blocks any program other than Outlook Express ( msimn.exe ) from accessing the registry key containing configured email accounts for the active user account. The value specified for ClosedKeyPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: ClosedKeyPath only blocks access to registry keys outside the sandbox, which have not yet been copied (or created) in the sandbox. Note: Unlike the corresponding OpenKeyPath setting, the ClosedKeyPath settings are always applied to programs in the sandbox, regardless of whether the program's executable file is inside or outside the sandbox. Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Closed","title":"Closed Key Path"},{"location":"Content/ClosedRT/","text":"Closed RT ClosedRT is a sandbox setting in Sandboxie Ini available since v0.5.3a / 5.45.2. It specifies the problematic Windows RT interfaces that should not be accessible by a sandboxed program. Usage: . . . [DefaultBox] ClosedRT=ExampleRT This example makes the ExampleRT interface not accessible to sandboxed programs. 
Related Sandboxie Plus setting: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Closed RT","title":"Closed RT"},{"location":"Content/ClosedRT/#closed-rt","text":"ClosedRT is a sandbox setting in Sandboxie Ini available since v0.5.3a / 5.45.2. It specifies the problematic Windows RT interfaces that should not be accessible by a sandboxed program. Usage: . . . [DefaultBox] ClosedRT=ExampleRT This example makes the ExampleRT interface not accessible to sandboxed programs. Related Sandboxie Plus setting: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Closed RT","title":"Closed RT"},{"location":"Content/CodeInjection/","text":"Code Injection Sandboxie employs a particularly low level approach of injecting its code into processes during creation. Trigger The driver registers a PsSetCreateProcessNotifyRoutine callback and when this is triggered inspects if the process should be sandboxed, when it decides so it blocks and requests the SbieSvc service to inject a loader into the process image. Alternatively a suspended process can be created and the driver triggered to put it into a sandbox by using API_START_PROCESS and resuming the process once the driver has finished. The injection mechanism itself can be adapted to be utilized without the driver. As of version 5.44 the loader code has been moved from the SbieSvc.exe to SbieDll.dll. Overview The Code Injection mechanism is made up of 3 components, the injector itself, a low-level shell code (LowLevel.dll), and the to be injected payload (SbieDll.dll). Note that the LowLevel.dll is embedded into the loader as a resource. Remote Injection The injection is done calling _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle) and providing the required arguments, the function then: Starts with preparing a data block lowdata of type SBIELOW_DATA , and filling in various values like is_wow64, bHostInject and others... 
Then it uses SbieDll_InjectLow_CopyCode to allocate sizeof(shell_code) + sizeof(SBIELOW_J_TABLE) + 0x400 bytes of Memory in the target process and write the shell code to it. This function also, in an unrelated last step, copies 48 bytes from the begin of ntdll!LdrInitializeThunk into lowdata.LdrInitializeThunk_tramp . Then if dup_drv_handle was set SbieDll_InjectLow_SendHandle is used to open a handle to the driver and duplicate it into the process, saving its value to lowdata.api_device_handle . Then duplicates of a couple of required NTDLL functions are saved to the lowdata data block, and the address of the SBIELOW_J_TABLE section is stored to lowdata.Sbie64bitJumpTable . Then the actual trampoline is build by SbieDll_InjectLow_BuildTramp in lowdata.LdrInitializeThunk_tramp . Now the function uses SbieDll_InjectLow_CopySyscalls to allocate and fill in another memory segment syscall_data . This block is made up of 2 sections one containing information from the driver that are used to hook all system calls, this is optionally done by the shell code when bHostInject == 0 , that is followed by the SBIELOW_EXTRA_DATA that points to values stored behind it in the memory block. The data stored there a couple of offsets, as well as the full paths to the SbieDll.dll that is to be injected later on. The address of that auxiliary memory is saved to lowdata.syscall_data and the lowdata block is written with SbieDll_InjectLow_CopyData directly into the shell code memory. Finally the ntdll!LdrInitializeThunk in the target process gets overwritten using SbieDll_InjectLow_WriteJump with a jump instruction into the shell code's entry point. Now the process can be resumed and the injected code will do its thing. An important note to make here is that this function does the same for native 64 bit and wow64 emulated 32 bit processes, in fact, on a 64-bit system the injected shell code is always 64 bit. 
Only much later in the initialization of the process running under wow64 it switches to 32-bit. Shell Code (LowLevel.dll) operation The LowLevel.dll is written partially in assembler and partially in C, its base address is set to 0 to gain position independence. The initial entry point _Start retrieves the current address and calculates the addresses of the data block data of type SBIELOW_DATA and those of a couple of helper functions written in assembler, with those values as parameter it calls the EntrypointC function handing off the operation to the C portion. The EntrypointC function ensures that it will be executed only once, using a spinlock, and then checks if the data->bHostInject field is set to 0 it first hooks all the ntdll sys call functions using InitSyscalls then it prepares the later loading of the SbieDll.dll using InitInject and, on 64 bit systems only, it calls InitConsole to modify the ConsoleHandle. If bHostInject != 0 the function only calls InitInject . Last the trampoline to the original function data->LdrInitializeThunk_tramp is called. InitInject The InitInject function checks if the process is running natively (i.e. 32-bit on a x86 system or 64-bit in a x64 system), or if it's running under wow64 (that is a 32-bit process on a 64-bit system) and selects either the native ntdll base address or the one of the wow64 ntdll. On Windows versions prior to 8, that address was located in KUSER_SHARED_DATA::Wow64SharedInformation structure, but not on later versions. Sandboxie used the driver to record the address of the wow64 ntdll during image loading and InitInject queried the driver for it. Since version 5.44, however, it's driver independent, the loader code uses NtQueryVirtualMemory to find the image base address and saves it into the ntdll_wow64_base field of the data block. 
At this point the top portion of the data->syscall_data before the SBIELOW_EXTRA_DATA region is no longer required and is repurposed to store temporary data of the type INJECT_DATA . The function then finds the addresses of LdrLoadDll , LdrGetProcedureAddress , NtRaiseHardError and RtlFindActivationContextSectionString using a custom FindDllExport lookup function by parsing through the previously selected ntdll image, these addresses are stored into the INJECT_DATA region, then a couple values from the SBIELOW_EXTRA_DATA are also copied into that region, containing paths to the SbieDll.dll (both 32 and 64 bit paths), as well as the name of kernel32.dll. On 64-bit systems the function distinguishes between the native and the wow64 execution, in the latter case branching off to InitInjectWow64 . In the native case it continues with hooking the RtlFindActivationContextSectionString function in the ntdll.dll. An original copy of the functions begin is first saved to the INJECT_DATA structure. The address of the structure is written into the detour function which is implemented in assembler. Then the RtlFindActivationContextSectionString begin is overwritten with a jump instruction to the detour function. Last a pointer to the SBIELOW_DATA region is saved into the very top of the INJECT_DATA region, and the function exits. In the wow64 case InitInjectWow64 sets up the RtlFindActivationContextSectionString hook on the 32-bit version of the function in the wow64 ntdll.dll in a similar way. RtlFindActivationContextSectionString Detour In contrary to the above operations which are always executed natively, the RtlFindActivationContextSectionString detour function is executed in the mode matching the bit-ness of the started process. The function first restores the original RtlFindActivationContextSectionString begin. Then it loads the kernel32.dll followed by loading the SbieDll.dll and retrieving the address of Ordinal 1. 
Then it saves value of the first argument to the INJECT_DATA structure and replaces it with a pointer to said structure. Finally, it jumps to address of Ordinal 1, it uses a jump rather than call to invoke it so that when it returns it will return directly to the current caller. Payload (SbieDll.dll) operation The SbieDll.dll hook entry point Dll_Ordinal1 function starts of by obtaining a few required values from the INJECT_DATA structure that was passed as first argument, like the address of SBIELOW_DATA data block, and the original value of the first argument. Having copied the required values, it can free the no longer needed INJECT_DATA , formally syscall_data region. The function now checks if bHostInject is set to 0 in which case it Calls SbieDll!Dll_InitInjected this function hooks pretty much everything, ?, last but not least it calls SbieDll!Ldr_Init which sets up callbacks for dll loading and calls SbieDll!Ldr_Inject_Init . If bHostInject != 0 however SbieDll!Ldr_Inject_Init is called directly from Dll_Ordinal1 . Once the initialization is completed Dll_Ordinal1 runs the real RtlFindActivationContextSectionString with its original arguments and returns. As if all this hooking wouldn?t be enough SbieDll!Ldr_Inject_Init sets up yet an other hook, this time targeting the actual entry point of the starting process. The function saves the initial bytes of the entry point, and overwrites it with a jump to SbieDll!Ldr_Inject_Entry64 or to SbieDll!Ldr_Inject_Entry32 respectively. Those are implemented in assembler, they pass a pointer to the return address location as argument to SbieDll!Ldr_Inject_Entry and clean up the stack, then they return to the begin of the entry point. Ldr_Inject_Entry This function first restores the original entry point function from SbieDll!Ldr_Inject_SaveBytes and changes its caller?s return address to point to the begin of the entry point. This way once the caller returns the real entry point will be invoked. 
Then the function checks if bHostInject is set to 0 in which case it first calls SbieDll!Ldr_LoadInjectDlls and then SbieDll!Dll_InitExeEntry which performs the last initialization steps. If bHostInject != 0 it calls only SbieDll!Ldr_LoadInjectDlls this function checks the Sandboxie.ini for the InjectDll or the InjectDll64 respectively, and loads the additional dll?s if any are configured.","title":"Code Injection"},{"location":"Content/CodeInjection/#code-injection","text":"Sandboxie employs a particularly low level approach of injecting its code into processes during creation.","title":"Code Injection"},{"location":"Content/CodeInjection/#trigger","text":"The driver registers a PsSetCreateProcessNotifyRoutine callback and when this is triggered inspects if the process should be sandboxed, when it decides so it blocks and requests the SbieSvc service to inject a loader into the process image. Alternatively a suspended process can be created and the driver triggered to put it into a sandbox by using API_START_PROCESS and resuming the process once the driver has finished. The injection mechanism itself can be adapted to be utilized without the driver. As of version 5.44 the loader code has been moved from the SbieSvc.exe to SbieDll.dll.","title":"Trigger"},{"location":"Content/CodeInjection/#overview","text":"The Code Injection mechanism is made up of 3 components, the injector itself, a low-level shell code (LowLevel.dll), and the to be injected payload (SbieDll.dll). Note that the LowLevel.dll is embedded into the loader as a resource.","title":"Overview"},{"location":"Content/CodeInjection/#remote-injection","text":"The injection is done calling _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle) and providing the required arguments, the function then: Starts with preparing a data block lowdata of type SBIELOW_DATA , and filling in various values like is_wow64, bHostInject and others... 
Then it uses SbieDll_InjectLow_CopyCode to allocate sizeof(shell_code) + sizeof(SBIELOW_J_TABLE) + 0x400 bytes of Memory in the target process and write the shell code to it. This function also, in an unrelated last step, copies 48 bytes from the begin of ntdll!LdrInitializeThunk into lowdata.LdrInitializeThunk_tramp . Then if dup_drv_handle was set SbieDll_InjectLow_SendHandle is used to open a handle to the driver and duplicate it into the process, saving its value to lowdata.api_device_handle . Then duplicates of a couple of required NTDLL functions are saved to the lowdata data block, and the address of the SBIELOW_J_TABLE section is stored to lowdata.Sbie64bitJumpTable . Then the actual trampoline is build by SbieDll_InjectLow_BuildTramp in lowdata.LdrInitializeThunk_tramp . Now the function uses SbieDll_InjectLow_CopySyscalls to allocate and fill in another memory segment syscall_data . This block is made up of 2 sections one containing information from the driver that are used to hook all system calls, this is optionally done by the shell code when bHostInject == 0 , that is followed by the SBIELOW_EXTRA_DATA that points to values stored behind it in the memory block. The data stored there a couple of offsets, as well as the full paths to the SbieDll.dll that is to be injected later on. The address of that auxiliary memory is saved to lowdata.syscall_data and the lowdata block is written with SbieDll_InjectLow_CopyData directly into the shell code memory. Finally the ntdll!LdrInitializeThunk in the target process gets overwritten using SbieDll_InjectLow_WriteJump with a jump instruction into the shell code's entry point. Now the process can be resumed and the injected code will do its thing. An important note to make here is that this function does the same for native 64 bit and wow64 emulated 32 bit processes, in fact, on a 64-bit system the injected shell code is always 64 bit. 
Only much later in the initialization of the process running under wow64 it switches to 32-bit.","title":"Remote Injection"},{"location":"Content/CodeInjection/#shell-code-lowleveldll-operation","text":"The LowLevel.dll is written partially in assembler and partially in C, its base address is set to 0 to gain position independence. The initial entry point _Start retrieves the current address and calculates the addresses of the data block data of type SBIELOW_DATA and those of a couple of helper functions written in assembler, with those values as parameter it calls the EntrypointC function handing off the operation to the C portion. The EntrypointC function ensures that it will be executed only once, using a spinlock, and then checks if the data->bHostInject field is set to 0 it first hooks all the ntdll sys call functions using InitSyscalls then it prepares the later loading of the SbieDll.dll using InitInject and, on 64 bit systems only, it calls InitConsole to modify the ConsoleHandle. If bHostInject != 0 the function only calls InitInject . Last the trampoline to the original function data->LdrInitializeThunk_tramp is called.","title":"Shell Code (LowLevel.dll) operation"},{"location":"Content/CodeInjection/#initinject","text":"The InitInject function checks if the process is running natively (i.e. 32-bit on a x86 system or 64-bit in a x64 system), or if it's running under wow64 (that is a 32-bit process on a 64-bit system) and selects either the native ntdll base address or the one of the wow64 ntdll. On Windows versions prior to 8, that address was located in KUSER_SHARED_DATA::Wow64SharedInformation structure, but not on later versions. Sandboxie used the driver to record the address of the wow64 ntdll during image loading and InitInject queried the driver for it. Since version 5.44, however, it's driver independent, the loader code uses NtQueryVirtualMemory to find the image base address and saves it into the ntdll_wow64_base field of the data block. 
At this point the top portion of the data->syscall_data before the SBIELOW_EXTRA_DATA region is no longer required and is repurposed to store temporary data of the type INJECT_DATA . The function then finds the addresses of LdrLoadDll , LdrGetProcedureAddress , NtRaiseHardError and RtlFindActivationContextSectionString using a custom FindDllExport lookup function by parsing through the previously selected ntdll image, these addresses are stored into the INJECT_DATA region, then a couple values from the SBIELOW_EXTRA_DATA are also copied into that region, containing paths to the SbieDll.dll (both 32 and 64 bit paths), as well as the name of kernel32.dll. On 64-bit systems the function distinguishes between the native and the wow64 execution, in the latter case branching off to InitInjectWow64 . In the native case it continues with hooking the RtlFindActivationContextSectionString function in the ntdll.dll. An original copy of the functions begin is first saved to the INJECT_DATA structure. The address of the structure is written into the detour function which is implemented in assembler. Then the RtlFindActivationContextSectionString begin is overwritten with a jump instruction to the detour function. Last a pointer to the SBIELOW_DATA region is saved into the very top of the INJECT_DATA region, and the function exits. In the wow64 case InitInjectWow64 sets up the RtlFindActivationContextSectionString hook on the 32-bit version of the function in the wow64 ntdll.dll in a similar way.","title":"InitInject"},{"location":"Content/CodeInjection/#rtlfindactivationcontextsectionstring-detour","text":"In contrary to the above operations which are always executed natively, the RtlFindActivationContextSectionString detour function is executed in the mode matching the bit-ness of the started process. The function first restores the original RtlFindActivationContextSectionString begin. 
Then it loads the kernel32.dll followed by loading the SbieDll.dll and retrieving the address of Ordinal 1. Then it saves value of the first argument to the INJECT_DATA structure and replaces it with a pointer to said structure. Finally, it jumps to address of Ordinal 1, it uses a jump rather than call to invoke it so that when it returns it will return directly to the current caller.","title":"RtlFindActivationContextSectionString Detour"},{"location":"Content/CodeInjection/#payload-sbiedlldll-operation","text":"The SbieDll.dll hook entry point Dll_Ordinal1 function starts of by obtaining a few required values from the INJECT_DATA structure that was passed as first argument, like the address of SBIELOW_DATA data block, and the original value of the first argument. Having copied the required values, it can free the no longer needed INJECT_DATA , formally syscall_data region. The function now checks if bHostInject is set to 0 in which case it Calls SbieDll!Dll_InitInjected this function hooks pretty much everything, ?, last but not least it calls SbieDll!Ldr_Init which sets up callbacks for dll loading and calls SbieDll!Ldr_Inject_Init . If bHostInject != 0 however SbieDll!Ldr_Inject_Init is called directly from Dll_Ordinal1 . Once the initialization is completed Dll_Ordinal1 runs the real RtlFindActivationContextSectionString with its original arguments and returns. As if all this hooking wouldn?t be enough SbieDll!Ldr_Inject_Init sets up yet an other hook, this time targeting the actual entry point of the starting process. The function saves the initial bytes of the entry point, and overwrites it with a jump to SbieDll!Ldr_Inject_Entry64 or to SbieDll!Ldr_Inject_Entry32 respectively. 
Those are implemented in assembler, they pass a pointer to the return address location as argument to SbieDll!Ldr_Inject_Entry and clean up the stack, then they return to the begin of the entry point.","title":"Payload (SbieDll.dll) operation"},{"location":"Content/CodeInjection/#ldr_inject_entry","text":"This function first restores the original entry point function from SbieDll!Ldr_Inject_SaveBytes and changes its caller?s return address to point to the begin of the entry point. This way once the caller returns the real entry point will be invoked. Then the function checks if bHostInject is set to 0 in which case it first calls SbieDll!Ldr_LoadInjectDlls and then SbieDll!Dll_InitExeEntry which performs the last initialization steps. If bHostInject != 0 it calls only SbieDll!Ldr_LoadInjectDlls this function checks the Sandboxie.ini for the InjectDll or the InjectDll64 respectively, and loads the additional dll?s if any are configured.","title":"Ldr_Inject_Entry"},{"location":"Content/ConfidentialBox/","text":"Confidential Box ConfidentialBox is a sandbox setting in Sandboxie Ini . . . . [DefaultBox] ConfidentialBox=y Use the 'ConfidentialBox=y' option to prevent the host process from reading access to the isolated process. Technical Details For more information, see Box Encryption and Box Preset Comparison .","title":"Confidential Box"},{"location":"Content/ConfidentialBox/#confidential-box","text":"ConfidentialBox is a sandbox setting in Sandboxie Ini . . . . [DefaultBox] ConfidentialBox=y Use the 'ConfidentialBox=y' option to prevent the host process from reading access to the isolated process. Technical Details For more information, see Box Encryption and Box Preset Comparison .","title":"Confidential Box"},{"location":"Content/ConfigLevel/","text":"Config Level Note: In Sandboxie versions before 3.xx, ConfigLevel was a global setting in the [GlobalSettings] section. 
The global ConfigLevel setting is no longer used, and is ignored if it exists in the configuration file. ConfigLevel is a sandbox setting in Sandboxie Ini . It is used by Sandboxie Control to manage default configuration for a sandbox. When ConfigLevel is missing, not a number, or a number below 9, Sandboxie Control will add the following configuration to the sandbox: . . . [DefaultBox] ConfigLevel=9 Template=OpenSmartCard Template=OpenBluetooth Note that ConfigLevel value was changed from 8 to 9 with the release of Sandboxie v0.7.5 / 5.49.8. In the future, new configuration levels may be added in later versions of Sandboxie.","title":"Config Level"},{"location":"Content/ConfigLevel/#config-level","text":"Note: In Sandboxie versions before 3.xx, ConfigLevel was a global setting in the [GlobalSettings] section. The global ConfigLevel setting is no longer used, and is ignored if it exists in the configuration file. ConfigLevel is a sandbox setting in Sandboxie Ini . It is used by Sandboxie Control to manage default configuration for a sandbox. When ConfigLevel is missing, not a number, or a number below 9, Sandboxie Control will add the following configuration to the sandbox: . . . [DefaultBox] ConfigLevel=9 Template=OpenSmartCard Template=OpenBluetooth Note that ConfigLevel value was changed from 8 to 9 with the release of Sandboxie v0.7.5 / 5.49.8. In the future, new configuration levels may be added in later versions of Sandboxie.","title":"Config Level"},{"location":"Content/ConfigurationProtection/","text":"Configuration Protection Initially, anyone using Sandboxie Control or the Sandman UI can change any aspect of the Sandboxie configuration, which is stored in the Sandboxie Ini configuration file. Additionally, anyone with access to the configuration text file can also manipulate the configuration and reload it into Sandboxie. It is possible to activate protection of Sandboxie Ini configuration file from unauthorized changes. 
Sandboxie offers four modes of protection: Only Administrator user accounts can make changes (See also: EditAdminOnly .) Password must be entered in order to make changes (See also: EditPassword .) Only Administrator user accounts can use Pause Forcing Programs command (See also: ForceDisableAdminOnly .) Clear password when main window becomes hidden (See also: ForgetPassword.) All modes can be active at the same time. The protection applies to the Global Settings , Sandbox Settings and Template Settings sections of the Sandboxie Ini configuration file. It does not apply to any User Settings sections, which store per-user preferences. To activate the protection in Sandboxie Control , use the Configure menu > Lock Configuration command. To activate the protection in Sandman , use the Options menu > Global Settings > Advanced Config > Sandboxie.ini Presets > Config Protection command. To prevent circumvention of the protection, please consider the following points: Placement of the configuration file: As discussed in the Sandboxie Ini page, Sandboxie looks for its configuration file in the Windows folder first, and in the Sandboxie installation folder second. The protection should be applied to a configuration file that is located in the Windows folder. If the protection is applied to the configuration file in the Sandboxie installation folder, an attacker might create an empty configuration file in the Windows folder. This will effectively deactivate the protection the next time Sandboxie reads its configuration. This would happen because Sandboxie would switch to using the new empty configuration file, for which protection is not activated. Access to the configuration file: Adjust the permissions on the Sandboxie Ini configuration file to allow write access only to the SYSTEM account. 
Any other user account must still be able to read the configuration, so read access should be allowed to the user group Authenticated Users or Everyone .","title":"Configuration Protection"},{"location":"Content/ConfigurationProtection/#configuration-protection","text":"Initially, anyone using Sandboxie Control or the Sandman UI can change any aspect of the Sandboxie configuration, which is stored in the Sandboxie Ini configuration file. Additionally, anyone with access to the configuration text file can also manipulate the configuration and reload it into Sandboxie. It is possible to activate protection of Sandboxie Ini configuration file from unauthorized changes. Sandboxie offers four modes of protection: Only Administrator user accounts can make changes (See also: EditAdminOnly .) Password must be entered in order to make changes (See also: EditPassword .) Only Administrator user accounts can use Pause Forcing Programs command (See also: ForceDisableAdminOnly .) Clear password when main window becomes hidden (See also: ForgetPassword.) All modes can be active at the same time. The protection applies to the Global Settings , Sandbox Settings and Template Settings sections of the Sandboxie Ini configuration file. It does not apply to any User Settings sections, which store per-user preferences. To activate the protection in Sandboxie Control , use the Configure menu > Lock Configuration command. To activate the protection in Sandman , use the Options menu > Global Settings > Advanced Config > Sandboxie.ini Presets > Config Protection command. To prevent circumvention of the protection, please consider the following points: Placement of the configuration file: As discussed in the Sandboxie Ini page, Sandboxie looks for its configuration file in the Windows folder first, and in the Sandboxie installation folder second. The protection should be applied to a configuration file that is located in the Windows folder. 
If the protection is applied to the configuration file in the Sandboxie installation folder, an attacker might create an empty configuration file in the Windows folder. This will effectively deactivate the protection the next time Sandboxie reads its configuration. This would happen because Sandboxie would switch to using the new empty configuration file, for which protection is not activated. Access to the configuration file: Adjust the permissions on the Sandboxie Ini configuration file to allow write access only to the SYSTEM account. Any other user account must still be able to read the configuration, so read access should be allowed to the user group Authenticated Users or Everyone .","title":"Configuration Protection"},{"location":"Content/ConfigureMenu/","text":"Configure Menu Sandboxie Control > Configure Menu Program Alerts The Program Alerts command opens the following window in which you can configure Sandboxie to issue message SBIE1301 whenever specific programs start outside any sandbox. Use the Add Program button to open the Program Groups window and select a program to add. For example, iexplore.exe for Internet Explorer, or firefox.exe for Firefox. Alternatively, Internet Explorer is typically found in the folder C:\\Program Files\\Internet Explorer . Mozilla Firefox is typically found in the folder C:\\Program Files\\Mozilla Firefox . If the desired program is already running sandboxed, you can also use Program Settings to specify that message SBIE1301 should be issued for the program. Related Sandboxie Ini setting: AlertProcess . Windows Shell Integration The Windows Shell Integration command opens a window which controls how Sandboxie Control integrates into and associates itself with your Windows desktop. It can also be used to create desktop shortcut icons to run your programs sandboxed. By default, all settings in the window are enabled. 
The top frame indicates when Sandboxie Control should start: When Windows starts will integrate Sandboxie Control into the startup sequence When a sandboxed program starts will start Sandboxie Control (if it is not already running) when a sandboxed program starts. This applies to programs that are started explicitly through Sandboxie, such as when using the Run Sandboxed commands, or shortcuts created using Add Shortcut Icons (see below). It also applies to forced programs and forced folders . The middle frame deals with shortcut icons: Add desktop shortcut for starting Web browser under Sandboxie creates (when checked) or removes (when cleared) the Sandboxed Web Browser shortcut icon on your desktop. Add Quick Launch shortcut for starting Web browser under Sandboxie creates (when checked) or removes (when cleared) the Sandboxed Web Browser shortcut icons on your Quick Launch bar. The Quick Launch bar is typically adjacent to the Windows Start menu button. Add Shortcut Icons creates a shortcut icon on your desktop to run a specific program under the supervision of Sandboxie. The program is selected from the Sandboxie Start menu. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation, and they can be used to create desktop shortcuts. To remove desktop shortcuts created using Add Shortcut Icons , simply delete them from your desktop. The bottom frame controls \"right-click\" shell integration: Add right-click action \"Run Sandboxed\" to files and folders enables (when checked) or removes (when cleared) the Run Sandboxed option which appears when you click the right mouse button on a file or folder on your desktop or in Windows Explorer. 
Add sandboxes as targets for \"Send To\" action enables (when checked) or removes (when cleared) the available sandboxes as an option in the Send To action that appears when you click the right mouse button on a file or folder on your desktop or in Windows Explorer. If this setting is enabled, Sandboxie Control will automatically update the list of Send To targets whenever sandboxes are created or removed. Software Compatibility The Software Compatibility command opens a window with a list of available compatibility templates. Forget Hidden Messages Whenever Sandboxie Control displays one or more SBIE Messages , you have the option to hide future instances of the message. This is accomplished by highlighting and clicking the Hide command: Note that messages are filtered by message code alone. For instance, the picture above shows message SBIE1304 with information detail osk.exe . Hiding that message will hide all future instances of message SBIE1304, regardless of the information detail. The Forget Hidden Messages command tells Sandboxie to stop filtering messages, and resume the display of all SBIExxxx messages that occurs. Tips When Sandboxie Control displays a warning or notification message box, it usually includes a checkbox labeled In the future, don't show this message. If you mark the checkbox, that particular message will not be displayed again. The Show All Tips command tells Sandboxie to disregard any such use of the checkboxes, and resume displaying of all warnings and notifications. The Hide All Tips command tells Sandboxie to consider all checkboxes as checked, and not display any warnings or notifications. Lock Configuration Please see Configuration Protection . Edit Configuration Opens the system text editor (typically, Windows Notepad ) to edit the Sandboxie Ini configuration file. The Reload Configuration command will be automatically invoked when the editor is closed. Note: Manual editing of Sandboxie.ini is not recommended. 
You are advised to use Sandbox Settings and other configuration windows in Sandboxie Control to make any changes to the configuration of Sandboxie. Note: The Sandboxie Ini configuration file is usually located in the Windows folder, and cannot be modified by non-privileged user accounts. If you use Windows with User Account Control (UAC), you may have to elevate to an Administrator account before you can modify Sandboxie.ini. Reload Configuration Forces Sandboxie to reload its configuration from the Sandboxie Ini configuration file. Go to Sandboxie Control , Help Topics .","title":"Configure Menu"},{"location":"Content/ConfigureMenu/#configure-menu","text":"Sandboxie Control > Configure Menu","title":"Configure Menu"},{"location":"Content/ConfigureMenu/#program-alerts","text":"The Program Alerts command opens the following window in which you can configure Sandboxie to issue message SBIE1301 whenever specific programs start outside any sandbox. Use the Add Program button to open the Program Groups window and select a program to add. For example, iexplore.exe for Internet Explorer, or firefox.exe for Firefox. Alternatively, Internet Explorer is typically found in the folder C:\\Program Files\\Internet Explorer . Mozilla Firefox is typically found in the folder C:\\Program Files\\Mozilla Firefox . If the desired program is already running sandboxed, you can also use Program Settings to specify that message SBIE1301 should be issued for the program. Related Sandboxie Ini setting: AlertProcess .","title":"Program Alerts"},{"location":"Content/ConfigureMenu/#windows-shell-integration","text":"The Windows Shell Integration command opens a window which controls how Sandboxie Control integrates into and associates itself with your Windows desktop. It can also be used to create desktop shortcut icons to run your programs sandboxed. By default, all settings in the window are enabled. 
The top frame indicates when Sandboxie Control should start: When Windows starts will integrate Sandboxie Control into the startup sequence When a sandboxed program starts will start Sandboxie Control (if it is not already running) when a sandboxed program starts. This applies to programs that are started explicitly through Sandboxie, such as when using the Run Sandboxed commands, or shortcuts created using Add Shortcut Icons (see below). It also applies to forced programs and forced folders . The middle frame deals with shortcut icons: Add desktop shortcut for starting Web browser under Sandboxie creates (when checked) or removes (when cleared) the Sandboxed Web Browser shortcut icon on your desktop. Add Quick Launch shortcut for starting Web browser under Sandboxie creates (when checked) or removes (when cleared) the Sandboxed Web Browser shortcut icons on your Quick Launch bar. The Quick Launch bar is typically adjacent to the Windows Start menu button. Add Shortcut Icons creates a shortcut icon on your desktop to run a specific program under the supervision of Sandboxie. The program is selected from the Sandboxie Start menu. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation, and they can be used to create desktop shortcuts. To remove desktop shortcuts created using Add Shortcut Icons , simply delete them from your desktop. The bottom frame controls \"right-click\" shell integration: Add right-click action \"Run Sandboxed\" to files and folders enables (when checked) or removes (when cleared) the Run Sandboxed option which appears when you click the right mouse button on a file or folder on your desktop or in Windows Explorer. 
Add sandboxes as targets for \"Send To\" action enables (when checked) or removes (when cleared) the available sandboxes as an option in the Send To action that appears when you click the right mouse button on a file or folder on your desktop or in Windows Explorer. If this setting is enabled, Sandboxie Control will automatically update the list of Send To targets whenever sandboxes are created or removed.","title":"Windows Shell Integration"},{"location":"Content/ConfigureMenu/#software-compatibility","text":"The Software Compatibility command opens a window with a list of available compatibility templates.","title":"Software Compatibility"},{"location":"Content/ConfigureMenu/#forget-hidden-messages","text":"Whenever Sandboxie Control displays one or more SBIE Messages , you have the option to hide future instances of the message. This is accomplished by highlighting and clicking the Hide command: Note that messages are filtered by message code alone. For instance, the picture above shows message SBIE1304 with information detail osk.exe . Hiding that message will hide all future instances of message SBIE1304, regardless of the information detail. The Forget Hidden Messages command tells Sandboxie to stop filtering messages, and resume the display of all SBIExxxx messages that occurs.","title":"Forget Hidden Messages"},{"location":"Content/ConfigureMenu/#tips","text":"When Sandboxie Control displays a warning or notification message box, it usually includes a checkbox labeled In the future, don't show this message. If you mark the checkbox, that particular message will not be displayed again. The Show All Tips command tells Sandboxie to disregard any such use of the checkboxes, and resume displaying of all warnings and notifications. 
The Hide All Tips command tells Sandboxie to consider all checkboxes as checked, and not display any warnings or notifications.","title":"Tips"},{"location":"Content/ConfigureMenu/#lock-configuration","text":"Please see Configuration Protection .","title":"Lock Configuration"},{"location":"Content/ConfigureMenu/#edit-configuration","text":"Opens the system text editor (typically, Windows Notepad ) to edit the Sandboxie Ini configuration file. The Reload Configuration command will be automatically invoked when the editor is closed. Note: Manual editing of Sandboxie.ini is not recommended. You are advised to use Sandbox Settings and other configuration windows in Sandboxie Control to make any changes to the configuration of Sandboxie. Note: The Sandboxie Ini configuration file is usually located in the Windows folder, and cannot be modified by non-privileged user accounts. If you use Windows with User Account Control (UAC), you may have to elevate to an Administrator account before you can modify Sandboxie.ini.","title":"Edit Configuration"},{"location":"Content/ConfigureMenu/#reload-configuration","text":"Forces Sandboxie to reload its configuration from the Sandboxie Ini configuration file. Go to Sandboxie Control , Help Topics .","title":"Reload Configuration"},{"location":"Content/CopyLimitKb/","text":"Copy Limit Kb CopyLimitKb is a sandbox setting in Sandboxie Ini . Existing files that are modified by sandboxed programs have to be copied into the sandbox first. This setting specifies the file size limit for this copy operation. Files larger than the limit will not be copied into the sandbox, and cannot be modified by sandboxd programs. The limit is specified in units of kilobytes (1 kilobyte = 1024 bytes). For more information, see SBIE2102 . Usage: . . . [DefaultBox] CopyLimitKb=128000 This example specifies that only files smaller than (approx.) 128MB will be copied into the sandbox DefaultBox , when needed. 
Files larger than this limit can only be read, not updated, by sandboxed programs. The default setting is 49152 kilobytes, or 48 megabytes. Setting CopyLimitKb to some value for one sandbox does not change the default value for other sandboxes. The size limit and alert message can be configured in SandboxSettings > File Migration . Related Sandboxie Ini setting: CopyLimitSilent","title":"Copy Limit Kb"},{"location":"Content/CopyLimitKb/#copy-limit-kb","text":"CopyLimitKb is a sandbox setting in Sandboxie Ini . Existing files that are modified by sandboxed programs have to be copied into the sandbox first. This setting specifies the file size limit for this copy operation. Files larger than the limit will not be copied into the sandbox, and cannot be modified by sandboxd programs. The limit is specified in units of kilobytes (1 kilobyte = 1024 bytes). For more information, see SBIE2102 . Usage: . . . [DefaultBox] CopyLimitKb=128000 This example specifies that only files smaller than (approx.) 128MB will be copied into the sandbox DefaultBox , when needed. Files larger than this limit can only be read, not updated, by sandboxed programs. The default setting is 49152 kilobytes, or 48 megabytes. Setting CopyLimitKb to some value for one sandbox does not change the default value for other sandboxes. The size limit and alert message can be configured in SandboxSettings > File Migration . Related Sandboxie Ini setting: CopyLimitSilent","title":"Copy Limit Kb"},{"location":"Content/CopyLimitSilent/","text":"Copy Limit Silent CopyLimitSilent is a sandbox setting in Sandboxie Ini . It is typically specified as CopyLimitSilent=y (see Yes Or No Settings ), and indicates that Sandboxie should not issue alert message SBIE2102 . Usage: . . . [DefaultBox] CopyLimitSilent=y Related Sandboxie Ini setting: CopyLimitKb .","title":"Copy Limit Silent"},{"location":"Content/CopyLimitSilent/#copy-limit-silent","text":"CopyLimitSilent is a sandbox setting in Sandboxie Ini . 
It is typically specified as CopyLimitSilent=y (see Yes Or No Settings ), and indicates that Sandboxie should not issue alert message SBIE2102 . Usage: . . . [DefaultBox] CopyLimitSilent=y Related Sandboxie Ini setting: CopyLimitKb .","title":"Copy Limit Silent"},{"location":"Content/CoverBoxedWindows/","text":"Cover Boxed Windows CoverBoxedWindows is a sandbox setting in Sandboxie Ini available since v1.13.6 / 5.68.6. If enabled, it will block host processes from taking screenshots of sandboxed processes. . . . [DefaultBox] CoverBoxedWindows=y A setting similar to CoverBoxedWindows is BlockScreenCapture . Related Sandboxie Plus setting: Sandbox Options > Security Options > Box Protection > Prevent processes from capturing window images from sandboxed windows","title":"Cover Boxed Windows"},{"location":"Content/CoverBoxedWindows/#cover-boxed-windows","text":"CoverBoxedWindows is a sandbox setting in Sandboxie Ini available since v1.13.6 / 5.68.6. If enabled, it will block host processes from taking screenshots of sandboxed processes. . . . [DefaultBox] CoverBoxedWindows=y A setting similar to CoverBoxedWindows is BlockScreenCapture . Related Sandboxie Plus setting: Sandbox Options > Security Options > Box Protection > Prevent processes from capturing window images from sandboxed windows","title":"Cover Boxed Windows"},{"location":"Content/Delete-V2/","text":"Sandboxie's new filesystem and registry virtualization scheme can be enabled by adding UseFileDeleteV2=y and UseRegDeleteV2=y to the Sandboxie.ini, which changes the mechanism of how host files/keys are marked within the sandbox as deleted. The old scheme worked by creating a dummy file/key with a specified invalid creation date and marking the file/key as deleted. This scheme did fail when a folder/key containing \u201cdeleted\u201d items was moved and a new folder of the same name created. 
Furthermore, for every path access it required the entire parent path to be scanned to see if one of the parents hasn\u2019t been marked deleted. The new Scheme saves this information in the FilePaths.dat/KeyPaths.dat files in the box root. Furthermore, when a folder/key is renamed within the sandbox, a redirection entry is created such that listing of the host content in the box under the new location is working.","title":"Delete V2"},{"location":"Content/DeleteCommand/","text":"Delete Command DeleteCommand is a sandbox setting in Sandboxie Ini . It specifies the command to issue to physically delete the contents of the sandbox. Its primary purpose is to make it possible to plug a third-party secure deletion utility into Sandboxie. See Secure Delete Sandbox . Usage: . . . [DefaultBox] DeleteCommand=%SystemRoot%\\System32\\cmd.exe /c RMDIR /s /q \"%SANDBOX%\" The example is the default setting used when DeleteCommand is not explicitly specified, and invokes the Windows RMDIR command to remove the sandbox folder. For more examples, see Secure Delete Sandbox . When specifying this setting, make sure to include \"%SANDBOX%\" (with quote marks) in the command. Note: Secure deletion is a privacy measure, not a security measure. Both regular deletion and secure deletion effectively remove undesired software that was collected into the sandbox. See Secure Delete Sandbox . Related Sandboxie Control setting: Sandbox Settings > Delete > Command","title":"Delete Command"},{"location":"Content/DeleteCommand/#delete-command","text":"DeleteCommand is a sandbox setting in Sandboxie Ini . It specifies the command to issue to physically delete the contents of the sandbox. Its primary purpose is to make it possible to plug a third-party secure deletion utility into Sandboxie. See Secure Delete Sandbox . Usage: . . . 
[DefaultBox] DeleteCommand=%SystemRoot%\\System32\\cmd.exe /c RMDIR /s /q \"%SANDBOX%\" The example is the default setting used when DeleteCommand is not explicitly specified, and invokes the Windows RMDIR command to remove the sandbox folder. For more examples, see Secure Delete Sandbox . When specifying this setting, make sure to include \"%SANDBOX%\" (with quote marks) in the command. Note: Secure deletion is a privacy measure, not a security measure. Both regular deletion and secure deletion effectively remove undesired software that was collected into the sandbox. See Secure Delete Sandbox . Related Sandboxie Control setting: Sandbox Settings > Delete > Command","title":"Delete Command"},{"location":"Content/DeleteSandbox/","text":"Delete Sandbox Sandboxie Control > Sandbox Menu > Delete Contents Sandboxie Control > Tray Icon Menu > Delete Contents The Delete Sandbox window appears when the sandbox is about to be deleted. The window is split into two areas: The upper part (about 3/4 of the window) shows the Quick Recovery display and controls, and operates in the same way as the Quick Recovery window. See Quick Recovery for more information. The lower part counts the size of the sandbox (in files, folders, and bytes of disk space) and contains the Delete Sandbox button which initiates delete processing for the sandbox. The window is displayed when the Sandbox Menu > Sandbox > Delete Contents command (or the corresponding command from the Tray Icon Menu ) is invoked. The window is also displayed if the sandbox is configured for automatic delete (see Sandbox Settings > Delete > Invocation ), and any files are eligible for Quick Recovery . Note that if no files are eligible, the sandbox is deleted silently, without displaying the Delete Sandbox window. Note that the Delete Sandbox command terminates any programs that are running in the sandbox and initiates the delete process. 
An empty sandbox will be immediately available to run programs as soon as you click the Delete Sandbox button. While the delete process is undergoing on the old sandbox, the Sandboxie tray icon changes to a red X icon to indicate that sandbox delete is in progress. In correct operation, the red X icon should not remain displayed for more than a few seconds. Go to Quick Recovery , Sandboxie Control , Help Topics .","title":"Delete Sandbox"},{"location":"Content/DeleteSandbox/#delete-sandbox","text":"Sandboxie Control > Sandbox Menu > Delete Contents Sandboxie Control > Tray Icon Menu > Delete Contents The Delete Sandbox window appears when the sandbox is about to be deleted. The window is split into two areas: The upper part (about 3/4 of the window) shows the Quick Recovery display and controls, and operates in the same way as the Quick Recovery window. See Quick Recovery for more information. The lower part counts the size of the sandbox (in files, folders, and bytes of disk space) and contains the Delete Sandbox button which initiates delete processing for the sandbox. The window is displayed when the Sandbox Menu > Sandbox > Delete Contents command (or the corresponding command from the Tray Icon Menu ) is invoked. The window is also displayed if the sandbox is configured for automatic delete (see Sandbox Settings > Delete > Invocation ), and any files are eligible for Quick Recovery . Note that if no files are eligible, the sandbox is deleted silently, without displaying the Delete Sandbox window. Note that the Delete Sandbox command terminates any programs that are running in the sandbox and initiates the delete process. An empty sandbox will be immediately available to run programs as soon as you click the Delete Sandbox button. While the delete process is undergoing on the old sandbox, the Sandboxie tray icon changes to a red X icon to indicate that sandbox delete is in progress. 
In correct operation, the red X icon should not remain displayed for more than a few seconds. Go to Quick Recovery , Sandboxie Control , Help Topics .","title":"Delete Sandbox"},{"location":"Content/DeleteSettings/","text":"Delete Settings \"Delete\" Settings Group Sandboxie Control > Sandbox Settings > Delete: Here you configure when and how Sandboxie deletes the sandbox. Invocation Sandboxie Control > Sandbox Settings > Delete > Invocation: Use this settings page to indicate when you want the sandbox deleted: Deleted only by explicit request: Keep both checkboxes cleared Deleted regularly and automatically: Mark the first checkbox Never deleted: Mark the second checkbox Note that while both checkboxes can be cleared, only one checkbox can be marked at any time. As long as the second checkbox is marked, Sandboxie will not initiate any delete operation on the sandbox, even if you explicitly ask for it. Important: This does not protect the sandbox from being deleted by other programs. Related Sandboxie Ini settings: AutoDelete , NeverDelete , DeleteCommand . Command Sandboxie Control > Sandbox Settings > Delete > Command: Use this settings page to specify the system command that will be used to delete the sandbox. By default this is a simple RMDIR (remove directory) command. People who are concerned with privacy issues may choose to use secure deletion instead, as described in more detail in Secure Delete Sandbox . You can use the buttons to select a preset command. The RMDIR button selects the simple RMDIR noted above. The SDelete button uses SDelete by SysInternals/Microsoft to delete the contents of sandbox. Note that you will need to adjust the path to the command. 
The Eraserl button uses Eraser by Heidi Computers to delete the contents of sandbox.","title":"Delete Settings"},{"location":"Content/DeleteSettings/#delete-settings","text":"","title":"Delete Settings"},{"location":"Content/DeleteSettings/#delete-settings-group","text":"Sandboxie Control > Sandbox Settings > Delete: Here you configure when and how Sandboxie deletes the sandbox.","title":"\"Delete\" Settings Group"},{"location":"Content/DeleteSettings/#invocation","text":"Sandboxie Control > Sandbox Settings > Delete > Invocation: Use this settings page to indicate when you want the sandbox deleted: Deleted only by explicit request: Keep both checkboxes cleared Deleted regularly and automatically: Mark the first checkbox Never deleted: Mark the second checkbox Note that while both checkboxes can be cleared, only one checkbox can be marked at any time. As long as the second checkbox is marked, Sandboxie will not initiate any delete operation on the sandbox, even if you explicitly ask for it. Important: This does not protect the sandbox from being deleted by other programs. Related Sandboxie Ini settings: AutoDelete , NeverDelete , DeleteCommand .","title":"Invocation"},{"location":"Content/DeleteSettings/#command","text":"Sandboxie Control > Sandbox Settings > Delete > Command: Use this settings page to specify the system command that will be used to delete the sandbox. By default this is a simple RMDIR (remove directory) command. People who are concerned with privacy issues may choose to use secure deletion instead, as described in more detail in Secure Delete Sandbox . You can use the buttons to select a preset command. The RMDIR button selects the simple RMDIR noted above. The SDelete button uses SDelete by SysInternals/Microsoft to delete the contents of sandbox. Note that you will need to adjust the path to the command. 
The Eraserl button uses Eraser by Heidi Computers to delete the contents of sandbox.","title":"Command"},{"location":"Content/DeprecatedSandboxieIniSettings/","text":"Deprecated/Obsolete/Removed Sandboxie Ini Settings The following settings are deprecated, obsolete or removed: BlockDrivers (removed before the open source release) BlockFakeInput (removed before the open source release) BlockPassword (obsolete) BlockPort (removed) BlockSysParam (removed before the open source release) BlockWinHooks (removed before the open source release) BoxRootFolder (deprecated) ByteOrderMark (removed) ProcessLimit1 (removed) ProcessLimit2 (removed)","title":"Deprecated/Obsolete/Removed Sandboxie Ini Settings"},{"location":"Content/DeprecatedSandboxieIniSettings/#deprecatedobsoleteremoved-sandboxie-ini-settings","text":"The following settings are deprecated, obsolete or removed: BlockDrivers (removed before the open source release) BlockFakeInput (removed before the open source release) BlockPassword (obsolete) BlockPort (removed) BlockSysParam (removed before the open source release) BlockWinHooks (removed before the open source release) BoxRootFolder (deprecated) ByteOrderMark (removed) ProcessLimit1 (removed) ProcessLimit2 (removed)","title":"Deprecated/Obsolete/Removed Sandboxie Ini Settings"},{"location":"Content/Description/","text":"Description Description is a sandbox settings in Sandboxie Ini . It specifies free text, which can explain, for example, the purpose of the sandbox. . . . [DefaultBox] Description=Example text. . . . [PrivateBox] Description=Access denied to sensitive file locations ClosedFilePath=%Personal% ClosedFilePath=D:\\MyDocs The sequence in the text is used to indicate a line break. The free text is displayed in a balloon pop-up in the Run Sandboxed sandbox selection dialog box.","title":"Description"},{"location":"Content/Description/#description","text":"Description is a sandbox settings in Sandboxie Ini . 
It specifies free text, which can explain, for example, the purpose of the sandbox. . . . [DefaultBox] Description=Example text. . . . [PrivateBox] Description=Access denied to sensitive file locations ClosedFilePath=%Personal% ClosedFilePath=D:\\MyDocs The sequence in the text is used to indicate a line break. The free text is displayed in a balloon pop-up in the Run Sandboxed sandbox selection dialog box.","title":"Description"},{"location":"Content/DetectingKeyLoggers/","text":"Detecting Key Loggers Go to Help Topics , Usage Tips . Overview It is very difficult to reliably detect all classes of key-loggers. This section first explains why this is so, and concludes by offering a possible defense against them. First, a distinction must be made between several classes of key-loggers: external key-loggers rootkit key-loggers windows hook key-loggers windows message key-loggers scripted key-loggers External Key-Loggers External (or hardware) key-loggers are devices that connect to your computer in some way. Two examples are a small device plugged between the keyboard and the computer, or a device that snoops on radio signals transmitted by a wireless keyboard. The common principle of key-loggers in this class is that they are external to the Windows system on which they are spying. Software running within Windows cannot detect, remove or protect against external key-loggers. The other classes of key-loggers described here are software key-loggers which do operate within Windows. Rootkit Key-Loggers Rootkit key-loggers record keystrokes at the lowest software level, typically by positioning themselves as a second keyboard hardware driver (a filter driver, in Windows terminology). Once installed, this class of key-loggers may provide the best logging facilities, and may be difficult to get rid of. But to be installed in the first place, this key-logger needs the explicit help of the operating system, and so is easily blocked by Sandboxie. 
If such a key-logger attempts to install, Sandboxie should report an informational message SBIE2103 , unless the BlockDrivers setting (see also Sandbox Settings > Restrictions > Low-Level Access ) was explicitly used to disable this protection. Windows Hook Key-Loggers These key-loggers don't masquerade as hardware drivers, but they still have to ask the operating system to load them (or hook them ) into every program executing on the desktop. It is not uncommon for applications to install such hooks as part of normal operation, and blocking all of them would prevent some programs from running successfully inside the sandbox. Removed From Sandboxie - Block Hooks Command The approach Sandboxie takes is to honor the hook request partially, by applying the hook only to applications in the same sandbox as the requesting application. The BlockWinHooks setting (see also Sandbox Settings > Restrictions > Low-Level Access ) may be used to explicitly disable this protection. Windows Message Key-Loggers This class of key-loggers doesn't need any assistance from the operating system, and can only reliably record activity within one program. However, from the point of view of a supervisory program like Sandboxie, they don't do anything suspicious, and so cannot be stopped. In order for a program running on the desktop to actually process the keyboard input, the operating system sends that program a message describing the input. The message key-logger, which is likely running in the same process space as the program being logged, can snoop on these messages in a variety of ways, which don't raise suspicion. Typically this key-logger will be a secret Web browser plugin (or a secret component of a plugin), so it can easily record keyboard activity related to the Web browser. Scripted Key-Loggers This class of key-loggers target and compromise the Web site you will be visiting. 
This is in contrast to the three other forms of key-loggers discussed here, which target and compromise your own computer. The JavaScript and VBScript languages offer facilities for a Web page to react to keystrokes. Legitimate uses of these facilities enable the creation of sophisticated Web pages. For example, consider how Google and Yahoo! searches react to the keys you type in order to suggest a possible search string. Exploiting security weaknesses in a Web site, a spy embeds a scripted key-logger into one of the pages in the site. These key-logger are practically indistinguishable from other scripts on the same site, and can use the same script facilities to react to your keystrokes, record them or transmit them to a third-party site. Defending Against Key-Logger Sandboxie is not designed to detect or disable key-loggers, but it is designed to make sure that sandboxed software stays in the sandbox, that such software can't integrate into Windows, and that it can be completely discarded when you delete the sandbox. This means that if you take care to carry out all untrusted activity in the sandbox, you can always delete the sandbox to undo the effects of that activity, and restore your computer to a trusted state. The first step is to make sure your system is not infected by malicious key-loggers, prior to using Sandboxie. A system scan by an anti-virus or anti-malware tool should help here. Then carry out all untrusted activity -- such as browsing the Web, reading email, and testing unknown programs -- only in the restricted area of the sandbox. This doesn't mean you won't be infected by key-loggers, but it does mean you can get rid of them: You can make sure you stop all of them, by telling Sandboxie to stop all activity in all sandboxes. See also the Terminate All Programs command in the File Menu and the Tray Icon Menu . Once stopped, you can discard the traces of their program code, by deleting the contents of the sandbox. See also Delete Sandbox . 
Once discarded, they can no longer record your keyboard activity, and you are safe to browse to trusted sites and enter your passwords. Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection. Another protection measure against a key-logger is to configure Sandboxie to deny access to the Internet for anything other than your Web browser, in an attempt to prevent the key-logger from sending out the recorded information. See the setting for \"the only program that can access the Internet\" in Program Settings . Note two caveats: The Internet access feature is neither a replacement for a proper firewall, nor was it designed as a mechanism to counter or hinder key-loggers. Some key-loggers could possibly circumvent the Internet access restriction by hijacking the Web browser to be used as a vehicle through which to send out the recorded information. Go to Help Topics , Usage Tips .","title":"Detecting Key Loggers"},{"location":"Content/DetectingKeyLoggers/#detecting-key-loggers","text":"Go to Help Topics , Usage Tips .","title":"Detecting Key Loggers"},{"location":"Content/DetectingKeyLoggers/#overview","text":"It is very difficult to reliably detect all classes of key-loggers. This section first explains why this is so, and concludes by offering a possible defense against them. First, a distinction must be made between several classes of key-loggers: external key-loggers rootkit key-loggers windows hook key-loggers windows message key-loggers scripted key-loggers","title":"Overview"},{"location":"Content/DetectingKeyLoggers/#external-key-loggers","text":"External (or hardware) key-loggers are devices that connect to your computer in some way. 
Two examples are a small device plugged between the keyboard and the computer, or a device that snoops on radio signals transmitted by a wireless keyboard. The common principle of key-loggers in this class is that they are external to the Windows system on which they are spying. Software running within Windows cannot detect, remove or protect against external key-loggers. The other classes of key-loggers described here are software key-loggers which do operate within Windows.","title":"External Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#rootkit-key-loggers","text":"Rootkit key-loggers record keystrokes at the lowest software level, typically by positioning themselves as a second keyboard hardware driver (a filter driver, in Windows terminology). Once installed, this class of key-loggers may provide the best logging facilities, and may be difficult to get rid of. But to be installed in the first place, this key-logger needs the explicit help of the operating system, and so is easily blocked by Sandboxie. If such a key-logger attempts to install, Sandboxie should report an informational message SBIE2103 , unless the BlockDrivers setting (see also Sandbox Settings > Restrictions > Low-Level Access ) was explicitly used to disable this protection.","title":"Rootkit Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#windows-hook-key-loggers","text":"These key-loggers don't masquerade as hardware drivers, but they still have to ask the operating system to load them (or hook them ) into every program executing on the desktop. It is not uncommon for applications to install such hooks as part of normal operation, and blocking all of them would prevent some programs from running successfully inside the sandbox. Removed From Sandboxie - Block Hooks Command The approach Sandboxie takes is to honor the hook request partially, by applying the hook only to applications in the same sandbox as the requesting application. 
The BlockWinHooks setting (see also Sandbox Settings > Restrictions > Low-Level Access ) may be used to explicitly disable this protection.","title":"Windows Hook Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#windows-message-key-loggers","text":"This class of key-loggers doesn't need any assistance from the operating system, and can only reliably record activity within one program. However, from the point of view of a supervisory program like Sandboxie, they don't do anything suspicious, and so cannot be stopped. In order for a program running on the desktop to actually process the keyboard input, the operating system sends that program a message describing the input. The message key-logger, which is likely running in the same process space as the program being logged, can snoop on these messages in a variety of ways, which don't raise suspicion. Typically this key-logger will be a secret Web browser plugin (or a secret component of a plugin), so it can easily record keyboard activity related to the Web browser.","title":"Windows Message Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#scripted-key-loggers","text":"This class of key-loggers target and compromise the Web site you will be visiting. This is in contrast to the three other forms of key-loggers discussed here, which target and compromise your own computer. The JavaScript and VBScript languages offer facilities for a Web page to react to keystrokes. Legitimate uses of these facilities enable the creation of sophisticated Web pages. For example, consider how Google and Yahoo! searches react to the keys you type in order to suggest a possible search string. Exploiting security weaknesses in a Web site, a spy embeds a scripted key-logger into one of the pages in the site. 
These key-logger are practically indistinguishable from other scripts on the same site, and can use the same script facilities to react to your keystrokes, record them or transmit them to a third-party site.","title":"Scripted Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#defending-against-key-logger","text":"Sandboxie is not designed to detect or disable key-loggers, but it is designed to make sure that sandboxed software stays in the sandbox, that such software can't integrate into Windows, and that it can be completely discarded when you delete the sandbox. This means that if you take care to carry out all untrusted activity in the sandbox, you can always delete the sandbox to undo the effects of that activity, and restore your computer to a trusted state. The first step is to make sure your system is not infected by malicious key-loggers, prior to using Sandboxie. A system scan by an anti-virus or anti-malware tool should help here. Then carry out all untrusted activity -- such as browsing the Web, reading email, and testing unknown programs -- only in the restricted area of the sandbox. This doesn't mean you won't be infected by key-loggers, but it does mean you can get rid of them: You can make sure you stop all of them, by telling Sandboxie to stop all activity in all sandboxes. See also the Terminate All Programs command in the File Menu and the Tray Icon Menu . Once stopped, you can discard the traces of their program code, by deleting the contents of the sandbox. See also Delete Sandbox . Once discarded, they can no longer record your keyboard activity, and you are safe to browse to trusted sites and enter your passwords. Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection. 
Another protection measure against a key-logger is to configure Sandboxie to deny access to the Internet for anything other than your Web browser, in an attempt to prevent the key-logger from sending out the recorded information. See the setting for \"the only program that can access the Internet\" in Program Settings . Note two caveats: The Internet access feature is neither a replacement for a proper firewall, nor was it designed as a mechanism to counter or hinder key-loggers. Some key-loggers could possibly circumvent the Internet access restriction by hijacking the Web browser to be used as a vehicle through which to send out the recorded information. Go to Help Topics , Usage Tips .","title":"Defending Against Key-Logger"},{"location":"Content/DisableRTBlacklist/","text":"Disable RT Blacklist DisableRTBlacklist is a sandbox setting in Sandboxie Ini available since v1.0.7 / 5.55.7. This setting allows you to disable the hardcoded runtime class blacklist. Usage: . . . [DefaultBox] DisableRTBlacklist=y","title":"Disable RT Blacklist"},{"location":"Content/DisableRTBlacklist/#disable-rt-blacklist","text":"DisableRTBlacklist is a sandbox setting in Sandboxie Ini available since v1.0.7 / 5.55.7. This setting allows you to disable the hardcoded runtime class blacklist. Usage: . . . [DefaultBox] DisableRTBlacklist=y","title":"Disable RT Blacklist"},{"location":"Content/DropAdminRights/","text":"Drop Admin Rights DropAdminRights is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will strip Administrator rights from programs running in this sandbox. Usage: . . . [DefaultBox] DropAdminRights=y The setting in this page causes Sandboxie to strip administrative rights from programs running in this sandbox. Specifically, the security credentials used to start the sandboxed program will not include membership in the Administrators and Power Users groups. Note that this has little effect if you are already running under a non-Administrator user account. 
Related Sandboxie Control setting: Sandbox Settings > Restrictions > Drop Rights","title":"Drop Admin Rights"},{"location":"Content/DropAdminRights/#drop-admin-rights","text":"DropAdminRights is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will strip Administrator rights from programs running in this sandbox. Usage: . . . [DefaultBox] DropAdminRights=y The setting in this page causes Sandboxie to strip administrative rights from programs running in this sandbox. Specifically, the security credentials used to start the sandboxed program will not include membership in the Administrators and Power Users groups. Note that this has little effect if you are already running under a non-Administrator user account. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Drop Rights","title":"Drop Admin Rights"},{"location":"Content/EditAdminOnly/","text":"Edit Admin Only EditAdminOnly is a global setting in Sandboxie Ini . If specified, Sandboxie Control or Sandman running under user accounts which are not members of the Administrators group will not be able to make any configuration changes in the global settings section or any sandbox section. However, even in that case, they will still be able to make changes in the user settings section. Usage: . . . [GlobalSettings] EditAdminOnly=y This setting is designed for use by network administrators.","title":"Edit Admin Only"},{"location":"Content/EditAdminOnly/#edit-admin-only","text":"EditAdminOnly is a global setting in Sandboxie Ini . If specified, Sandboxie Control or Sandman running under user accounts which are not members of the Administrators group will not be able to make any configuration changes in the global settings section or any sandbox section. However, even in that case, they will still be able to make changes in the user settings section. Usage: . . . 
[GlobalSettings] EditAdminOnly=y This setting is designed for use by network administrators.","title":"Edit Admin Only"},{"location":"Content/EditPassword/","text":"Edit Password EditPassword is a global setting in Sandboxie Ini . It is managed by the Sandboxie service and specifies a 160-bit SHA1 hash generated from the configuration password. Usage: . . . [GlobalSettings] EditPassword=0D03090004070E09050C0A010100000108010B03 When the Sandboxie Ini configuration file includes this setting, the Sandboxie service will keep the configuration file permanently locked, in order to prevent unauthorized modifications. See also: Configuration Protection .","title":"Edit Password"},{"location":"Content/EditPassword/#edit-password","text":"EditPassword is a global setting in Sandboxie Ini . It is managed by the Sandboxie service and specifies a 160-bit SHA1 hash generated from the configuration password. Usage: . . . [GlobalSettings] EditPassword=0D03090004070E09050C0A010100000108010B03 When the Sandboxie Ini configuration file includes this setting, the Sandboxie service will keep the configuration file permanently locked, in order to prevent unauthorized modifications. See also: Configuration Protection .","title":"Edit Password"},{"location":"Content/EmailProtection/","text":"Email Protection For a shorter version of this discussion, see FAQ Email . It is not uncommon to receive virus in an email message. Traditionally, your anti-virus and anti-spyware software works with your email software to identify malicious software as soon as it is received, or at least, as soon as it begins to execute in your computer. That works well for well-known viruses and spyware, but leaves you vulnerable to zero-day exploits , that is, vulnerable to malicious software that is not yet properly identified by the security software. Sandboxie offers another approach. 
If you run your email reader program sandboxed under the control of Sandboxie, this protection will also extend to any software spawned by the email reader, such as viruses and spyware, thus severely limiting the effects of the malicious software on your computer. For example, suppose you get an email message with the a virus that presents itself as an attachment called Click_Me_For_Best_Joke_Ever.exe . Suppose you don't know this is a virus, and further suppose that your anti-virus has not yet been updated to identify this particular virus. You click the attachment, and it delivers the best joke ever, but it also secretly installs malicious software. This example may not specifically name any known virus, but it is not at all farfetched. Quoting Wikipedia on Malware : \"Since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for illicit purposes ...\" See also: Construction (from Wikipedia) . If you run your email program sandboxed, then Click_Me_For_Best_Joke_Ever.exe also runs sandboxed, and any changes it makes to the computer, or software it installs, will be confined to the sandbox. These changes will be discarded in their entirety as soon as you delete the sandbox. Sandboxie is not an anti-virus, and will neither identify or warn about viruses. However, Sandboxie treats all software it runs as potentially malicious software which cannot be trusted, and will not let any program -- malicious or legitimate -- to break out of the sandbox and make permanent changes to your computer. Note that the virus itself, in its original form as an email attachment, will remain in your mailbox even after you delete the sandbox. However, a computer virus is a piece of software, not a living creature: It cannot cause any harm your computer by merely being stored in your mailbox. It must be invoked before it can cause harm. 
Thus if you always run your email program sandboxed, the worst that can happen is that you will rerun the virus inside the sandbox, and then delete the sandbox again. Eventually, your anti-virus will be updated to identify this attachment as malicious software. The following section is concerned with configuring the use of email software with Sandboxie. You may access your email online via a Web browser running under Sandboxie, as is the case with Hotmail, Yahoo! or Gmail, to name three of the many Web mail services. In that case, no special configuration is necessary, and the following section is not relevant. The Sandboxie protection comes at a small cost: You should always keep in mind that Sandboxie considers all content created within the sandbox as discardable content. This means for example, that a malicious program installed by a virus is placed in the sandbox and considered discardable. But it also means that if you save an email message to a file, then that file is also put in the sandbox and will be discarded when the sandbox is deleted. And most importantly, this means that Sandboxie will treat incoming new mail as discardable content. For this reason, you must configure Sandboxie to treat your mailbox data files as trusted content, or you stand to lose important information. To protect against accidental loss of data, Sandboxie will issue message SBIE2212 if you run your email program without first properly configuring Sandboxie. Sandboxie offers easy configuration for most popular email reader programs. See Sandbox Settings > Applications > Email Reader . You may also need to tell Sandboxie where your mailbox data files reside, in the following cases: If your mailbox resides in a non-default or non-standard location. If you use the Eudora or The-Bat! email software. To do that, open Sandbox Settings > Applications > Folders , select your email software from the drop-down list, and then select a folder location to be associated with it. 
After completing the email configuration, you may want to test it, to make sure that even when running under Sandboxie, new emails are not lost when you delete the sandbox. To do that, follow the steps outlined in Test Email Configuration .","title":"Email Protection"},{"location":"Content/EmailProtection/#email-protection","text":"For a shorter version of this discussion, see FAQ Email . It is not uncommon to receive virus in an email message. Traditionally, your anti-virus and anti-spyware software works with your email software to identify malicious software as soon as it is received, or at least, as soon as it begins to execute in your computer. That works well for well-known viruses and spyware, but leaves you vulnerable to zero-day exploits , that is, vulnerable to malicious software that is not yet properly identified by the security software. Sandboxie offers another approach. If you run your email reader program sandboxed under the control of Sandboxie, this protection will also extend to any software spawned by the email reader, such as viruses and spyware, thus severely limiting the effects of the malicious software on your computer. For example, suppose you get an email message with the a virus that presents itself as an attachment called Click_Me_For_Best_Joke_Ever.exe . Suppose you don't know this is a virus, and further suppose that your anti-virus has not yet been updated to identify this particular virus. You click the attachment, and it delivers the best joke ever, but it also secretly installs malicious software. This example may not specifically name any known virus, but it is not at all farfetched. Quoting Wikipedia on Malware : \"Since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for illicit purposes ...\" See also: Construction (from Wikipedia) . 
If you run your email program sandboxed, then Click_Me_For_Best_Joke_Ever.exe also runs sandboxed, and any changes it makes to the computer, or software it installs, will be confined to the sandbox. These changes will be discarded in their entirety as soon as you delete the sandbox.","title":"Email Protection"},{"location":"Content/EmailProtection/#sandboxie-is-not-an-anti-virus-and-will-neither-identify-or-warn-about-viruses-however-sandboxie-treats-all-software-it-runs-as-potentially-malicious-software-which-cannot-be-trusted-and-will-not-let-any-program-malicious-or-legitimate-to-break-out-of-the-sandbox-and-make-permanent-changes-to-your-computer","text":"Note that the virus itself, in its original form as an email attachment, will remain in your mailbox even after you delete the sandbox. However, a computer virus is a piece of software, not a living creature: It cannot cause any harm your computer by merely being stored in your mailbox. It must be invoked before it can cause harm. Thus if you always run your email program sandboxed, the worst that can happen is that you will rerun the virus inside the sandbox, and then delete the sandbox again. Eventually, your anti-virus will be updated to identify this attachment as malicious software. The following section is concerned with configuring the use of email software with Sandboxie. You may access your email online via a Web browser running under Sandboxie, as is the case with Hotmail, Yahoo! or Gmail, to name three of the many Web mail services. In that case, no special configuration is necessary, and the following section is not relevant. The Sandboxie protection comes at a small cost: You should always keep in mind that Sandboxie considers all content created within the sandbox as discardable content. This means for example, that a malicious program installed by a virus is placed in the sandbox and considered discardable. 
But it also means that if you save an email message to a file, then that file is also put in the sandbox and will be discarded when the sandbox is deleted. And most importantly, this means that Sandboxie will treat incoming new mail as discardable content. For this reason, you must configure Sandboxie to treat your mailbox data files as trusted content, or you stand to lose important information. To protect against accidental loss of data, Sandboxie will issue message SBIE2212 if you run your email program without first properly configuring Sandboxie. Sandboxie offers easy configuration for most popular email reader programs. See Sandbox Settings > Applications > Email Reader . You may also need to tell Sandboxie where your mailbox data files reside, in the following cases: If your mailbox resides in a non-default or non-standard location. If you use the Eudora or The-Bat! email software. To do that, open Sandbox Settings > Applications > Folders , select your email software from the drop-down list, and then select a folder location to be associated with it. After completing the email configuration, you may want to test it, to make sure that even when running under Sandboxie, new emails are not lost when you delete the sandbox. To do that, follow the steps outlined in Test Email Configuration .","title":"Sandboxie is not an anti-virus, and will neither identify or warn about viruses. However, Sandboxie treats all software it runs as potentially malicious software which cannot be trusted, and will not let any program -- malicious or legitimate -- to break out of the sandbox and make permanent changes to your computer."},{"location":"Content/Enabled/","text":"Enabled Enabled is a sandbox setting in Sandboxie Ini . It is typically specified as Enabled=y (see Yes Or No Settings ), and indicates that programs can be launched in that sandbox. For example: . . . 
[InstallBox] Enabled=y Enabled=y,Administrators The first example is the typical form of Enabled , a required part of any sandbox section in the configuration file. It indicates that the sandbox InstallBox can be used for sandboxing. The second example similarly defines the sandbox InstallBox while also restricting its use to the Administrators user accounts group. Any user account or group that is recognized by the local Windows system can be specified. Multiple Enabled lines may be specified if the list of user accounts does not fit in one line. A sandbox that has been restricted to specific users is considered hidden to all other user accounts. Those other user accounts will not see the sandbox listed in Sandboxie Control , and any Force Process or Force Folder settings will not apply to those user accounts. Attempts to explicitly start a program in a sandbox that does not have an associated Enabled=y setting will fail. Related Sandboxie Control setting: Sandbox Settings > User Accounts Related Sandboxie Control command: Sandbox Menu > Reveal Hidden Sandbox","title":"Enabled"},{"location":"Content/Enabled/#enabled","text":"Enabled is a sandbox setting in Sandboxie Ini . It is typically specified as Enabled=y (see Yes Or No Settings ), and indicates that programs can be launched in that sandbox. For example: . . . [InstallBox] Enabled=y Enabled=y,Administrators The first example is the typical form of Enabled , a required part of any sandbox section in the configuration file. It indicates that the sandbox InstallBox can be used for sandboxing. The second example similarly defines the sandbox InstallBox while also restricting its use to the Administrators user accounts group. Any user account or group that is recognized by the local Windows system can be specified. Multiple Enabled lines may be specified if the list of user accounts does not fit in one line. A sandbox that has been restricted to specific users is considered hidden to all other user accounts. 
Those other user accounts will not see the sandbox listed in Sandboxie Control , and any Force Process or Force Folder settings will not apply to those user accounts. Attempts to explicitly start a program in a sandbox that does not have an associated Enabled=y setting will fail. Related Sandboxie Control setting: Sandbox Settings > User Accounts Related Sandboxie Control command: Sandbox Menu > Reveal Hidden Sandbox","title":"Enabled"},{"location":"Content/ExpandableVariables/","text":"Expandable Variables Some Sandboxie settings may include variables . These are placeholder names which are expanded to (replaced by) text which may be specific to a particular computer and user account. For example, RecoverFolder=%Personal%\\Song_Lyrics In this simple example, Sandboxie expands the variable Personal by the actual folder for the Documents folder. RecoverFolder=C:\\Users\\joe\\Documents\\Song_Lyrics The following table lists the variables that Sandboxie recognizes. Variable Name Expands To SbieHome Root path of Sandboxie installation sandbox Name of sandbox in which the program is running. Example: DefaultBox user username User account in which the program is running. Example: joe sid SID string identifying the user account in which the program is running. Example: S-1-5-21-414-171-1981-1005 session The number of the logon session in which the program is running. Example: 1 ProgramFiles Location of program files folder. Example: C:\\Program Files SystemRoot Location of the Windows installation folder. Example: C:\\Windows SystemDrive First two characters of %SystemRoot%. Example: C: DefaultSpoolDirectory Location of the print spool folder. Example: C:\\Windows\\System32\\spool\\printers UserProfile Location of the user account root folder. Example: C:\\Users\\joe AllUsersProfile Location of the shared user account root folder. 
Example: C:\\ProgramData HomeDrive HomePath HomeShare Partial locations of the user account root folder, as defined in the registry key: HKEY_CURRENT_USER\\Volatile Environment temp tmp Location of the Windows temporary files folder as defined in the registry key: HKEY_CURRENT_USER\\Environment. Example: C:\\Windows\\Temp Personal AppData Local AppData Favorites And more Locations of user account and system folders as are known to Windows Explorer. For more information, see Shell Folders . Template Variables Global templates are part of the Sandboxie installation and located in the file Templates.ini in the Sandboxie installation folder. Additional local templates may be added to Sandboxie Ini . Any template may reference template variables in the form %Tmpl.SomeVariableName% . These variable names are not built into the core of Sandboxie. They must be defined in Templates.ini or Sandboxie.ini in a [TemplateSettings] section. Overriding Variables Any of the variables in the table above, including the Shell Folders and template variables, can be overridden by the Sandboxie Ini configuration file. To override a variable, add a parameter prefixed with Ovr. . For example: [GlobalSettings] Ovr.SystemRoot=X:\\WIN Ovr.Tmpl.Firefox=C:\\Firefox\\Profiles\\ [DefaultBox] Ovr.Personal=Z:\\MY_FILES RecoverFolder=%Personal% OpenFilePath=%SystemRoot%\\Temp When a variable is overridden in this way, its expanded value will always match the value specified in the configuration file. Registry Fallbacks Some of the variables in the table above are taken from the system registry. Those variables are ProgramFiles and any other variable that appears below ProgramFiles in the table above. For these variables, it is possible to specify \"fallback\" values in the Sandboxie Ini configuration file. To specify a fallback for a variable, add a parameter prefixed with Reg. . 
For example: [GlobalSettings] Reg.Desktop=%USERPROFILE%\\Desktop [DefaultBox] Reg.Cookies=%USERPROFILE%\\Cookies Note that \"Ovr.\" style overrides (described above) will cause Sandboxie to ignore the registry. On the other hand, Sandboxie only checks \"Reg.\" style fallbacks if the expanded variable cannot be found in the registry. This means that if both Ovr.X and Reg.X are specified for the same variable X, the Ovr.X form will always apply when X is expanded, and the Reg.X form will never apply. It is generally preferable to use \"Ovr.\" style overrides than \"Reg.\" style fallbacks.","title":"Expandable Variables"},{"location":"Content/ExpandableVariables/#expandable-variables","text":"Some Sandboxie settings may include variables . These are placeholder names which are expanded to (replaced by) text which may be specific to a particular computer and user account. For example, RecoverFolder=%Personal%\\Song_Lyrics In this simple example, Sandboxie expands the variable Personal by the actual folder for the Documents folder. RecoverFolder=C:\\Users\\joe\\Documents\\Song_Lyrics The following table lists the variables that Sandboxie recognizes. Variable Name Expands To SbieHome Root path of Sandboxie installation sandbox Name of sandbox in which the program is running. Example: DefaultBox user username User account in which the program is running. Example: joe sid SID string identifying the user account in which the program is running. Example: S-1-5-21-414-171-1981-1005 session The number of the logon session in which the program is running. Example: 1 ProgramFiles Location of program files folder. Example: C:\\Program Files SystemRoot Location of the Windows installation folder. Example: C:\\Windows SystemDrive First two characters of %SystemRoot%. Example: C: DefaultSpoolDirectory Location of the print spool folder. Example: C:\\Windows\\System32\\spool\\printers UserProfile Location of the user account root folder. 
Example: C:\\Users\\joe AllUsersProfile Location of the shared user account root folder. Example: C:\\ProgramData HomeDrive HomePath HomeShare Partial locations of the user account root folder, as defined in the registry key: HKEY_CURRENT_USER\\Volatile Environment temp tmp Location of the Windows temporary files folder as defined in the registry key: HKEY_CURRENT_USER\\Environment. Example: C:\\Windows\\Temp Personal AppData Local AppData Favorites And more Locations of user account and system folders as are known to Windows Explorer. For more information, see Shell Folders .","title":"Expandable Variables"},{"location":"Content/ExpandableVariables/#template-variables","text":"Global templates are part of the Sandboxie installation and located in the file Templates.ini in the Sandboxie installation folder. Additional local templates may be added to Sandboxie Ini . Any template may reference template variables in the form %Tmpl.SomeVariableName% . These variable names are not built into the core of Sandboxie. They must be defined in Templates.ini or Sandboxie.ini in a [TemplateSettings] section.","title":"Template Variables"},{"location":"Content/ExpandableVariables/#overriding-variables","text":"Any of the variables in the table above, including the Shell Folders and template variables, can be overridden by the Sandboxie Ini configuration file. To override a variable, add a parameter prefixed with Ovr. . For example: [GlobalSettings] Ovr.SystemRoot=X:\\WIN Ovr.Tmpl.Firefox=C:\\Firefox\\Profiles\\ [DefaultBox] Ovr.Personal=Z:\\MY_FILES RecoverFolder=%Personal% OpenFilePath=%SystemRoot%\\Temp When a variable is overridden in this way, its expanded value will always match the value specified in the configuration file.","title":"Overriding Variables"},{"location":"Content/ExpandableVariables/#registry-fallbacks","text":"Some of the variables in the table above are taken from the system registry. 
Those variables are ProgramFiles and any other variable that appears below ProgramFiles in the table above. For these variables, it is possible to specify \"fallback\" values in the Sandboxie Ini configuration file. To specify a fallback for a variable, add a parameter prefixed with Reg. . For example: [GlobalSettings] Reg.Desktop=%USERPROFILE%\\Desktop [DefaultBox] Reg.Cookies=%USERPROFILE%\\Cookies Note that \"Ovr.\" style overrides (described above) will cause Sandboxie to ignore the registry. On the other hand, Sandboxie only checks \"Reg.\" style fallbacks if the expanded variable cannot be found in the registry. This means that if both Ovr.X and Reg.X are specified for the same variable X, the Ovr.X form will always apply when X is expanded, and the Reg.X form will never apply. It is generally preferable to use \"Ovr.\" style overrides than \"Reg.\" style fallbacks.","title":"Registry Fallbacks"},{"location":"Content/ExternalTutorials/","text":"External Tutorials For the official Getting Started tutorial on this web site, please click: Getting Started Other web sites offer more tutorials: English An Introduction and a Quick Guide to Sandboxie (Tutorial) Using SANDBOXIE to Safely Browse the Internet (PDF) (PDF) Sandboxie Isolation Demonstration (Video) Sandboxie Plus is an open source fork of Sandboxie with a modern interface (Article) German First steps in Sandboxie (PDF) Back Go back to the official Getting Started tutorial.","title":"External Tutorials"},{"location":"Content/ExternalTutorials/#external-tutorials","text":"For the official Getting Started tutorial on this web site, please click: Getting Started Other web sites offer more tutorials: English An Introduction and a Quick Guide to Sandboxie (Tutorial) Using SANDBOXIE to Safely Browse the Internet (PDF) (PDF) Sandboxie Isolation Demonstration (Video) Sandboxie Plus is an open source fork of Sandboxie with a modern interface (Article) German First steps in Sandboxie (PDF) Back Go back to the 
official Getting Started tutorial.","title":"External Tutorials"},{"location":"Content/FAQEmail/","text":"FAQ Email Questions and answers regarding the use of Sandboxie with email software. For a longer discussion, see Email Protection . Q. Why should I use Sandboxie to run my email software? A. Email software, as any other Internet-facing application, processes data that cannot be completely trusted, as it was received from the Internet. That data -- which is your email -- might contain viruses, and small bits of software designed to exploit vulnerabilities in your email software. By launching your email software under the supervision of Sandboxie, you can confine it to its sandbox, along with any potential viruses and exploits. See Email Protection for more information. Q. Will Sandboxie identify and delete viruses in my email? A. No. Sandboxie leaves this task to your anti-virus and anti-malware software. The job of Sandboxie is to provide the first line of defense and prevent a virus from infecting your computer, and potentially even your anti-virus software. Q. Message SBIE2212 appears when I run my email software in Sandboxie, does this indicate an error? A. No. As a safety measure, Sandboxie refuses to launch your email software under its supervision, until it is properly configured. For more information, see the reference page for message SBIE2212 . To learn how to configure support for your email software, see the next question in this FAQ. Q. How do I configure Sandboxie for use with my email software? A. Open Sandbox Settings > Applications > Email Reader and select the email software that you use. If your mailbox data files are not in the default location, see Sandbox Settings > Applications > Folders . Then, you should also test the configuration; see Test Email Configuration . Q. How do I run my email software under Sandboxie? A. You can use the Run Email Reader command from the Sandbox Menu or Tray Icon Menu of Sandboxie Control . 
You can also right-click Run Sandboxed on the executable icon for your email software. Q. How can I force my email software to always run under Sandboxie? A. When the software is already running under Sandboxie, go to Program Settings , Page 1, and select the checkbox to Force program to run in this sandbox . You can also use Sandbox Settings > Program Start > Forced Programs to accomplish the same. Q. My email software is periodically updated (automatically or manually). Will the updates become permanent? A. No. The updates will be installed in the sandbox and will disappear when the sandbox is deleted . To properly update your software, launch it outside the supervision of Sandboxie, then initiate the update process. If it is already set as a forced program (see previous question), use the Disable Forced Programs command before starting your email software. Q. Should I create a separate, dedicated sandbox just for email, or can I use the same sandbox for email and web browsing? A. This depends primarily on your habits. If you want the convenience of opening your email software by clicking an email link ( mailto ) in your browser, then you have to use (and configure) the same sandbox for both web browsing and email reading. On the other hand, some people prefer to isolate the two unrelated activities into separate sandboxes. There is no strict answer, and both approaches work well. Q. I want to launch my web browser in a sandbox, but not my email software. When I click an email link ( mailto ), the web browser tries to launch my email software in the sandbox. What should I do? A. You can avoid this issue by right-clicking the email link instead of left (normal) clicking it. The right-click menu will let you copy the email address. Then switch to your email software and paste the email address. If the pasted email address begins with a mailto: prefix, then make sure to delete that prefix, including the colon (:). Q. 
I want to launch my email software in a different sandbox than my web browser. When I click an email link ( mailto ), the web browser tries to open my email software in the wrong sandbox. What should I do? A. See the answer to the previous question. Q. I have a web mail account and I read my email via my web browser, do I need to configure anything? A. No, because in this case, none of your emails are stored in your computer.","title":"FAQ Email"},{"location":"Content/FAQEmail/#faq-email","text":"Questions and answers regarding the use of Sandboxie with email software. For a longer discussion, see Email Protection .","title":"FAQ Email"},{"location":"Content/FAQEmail/#q-why-should-i-use-sandboxie-to-run-my-email-software","text":"A. Email software, as any other Internet-facing application, processes data that cannot be completely trusted, as it was received from the Internet. That data -- which is your email -- might contain viruses, and small bits of software designed to exploit vulnerabilities in your email software. By launching your email software under the supervision of Sandboxie, you can confine it to its sandbox, along with any potential viruses and exploits. See Email Protection for more information.","title":"Q. Why should I use Sandboxie to run my email software?"},{"location":"Content/FAQEmail/#q-will-sandboxie-identify-and-delete-viruses-in-my-email","text":"A. No. Sandboxie leaves this task to your anti-virus and anti-malware software. The job of Sandboxie is to provide the first line of defense and prevent a virus from infecting your computer, and potentially even your anti-virus software.","title":"Q. Will Sandboxie identify and delete viruses in my email?"},{"location":"Content/FAQEmail/#q-message-sbie2212-appears-when-i-run-my-email-software-in-sandboxie-does-this-indicate-an-error","text":"A. No. As a safety measure, Sandboxie refuses to launch your email software under its supervision, until it is properly configured. 
For more information, see the reference page for message SBIE2212 . To learn how to configure support for your email software, see the next question in this FAQ.","title":"Q. Message SBIE2212 appears when I run my email software in Sandboxie, does this indicate an error?"},{"location":"Content/FAQEmail/#q-how-do-i-configure-sandboxie-for-use-with-my-email-software","text":"A. Open Sandbox Settings > Applications > Email Reader and select the email software that you use. If your mailbox data files are not in the default location, see Sandbox Settings > Applications > Folders . Then, you should also test the configuration; see Test Email Configuration .","title":"Q. How do I configure Sandboxie for use with my email software?"},{"location":"Content/FAQEmail/#q-how-do-i-run-my-email-software-under-sandboxie","text":"A. You can use the Run Email Reader command from the Sandbox Menu or Tray Icon Menu of Sandboxie Control . You can also right-click Run Sandboxed on the executable icon for your email software.","title":"Q. How do I run my email software under Sandboxie?"},{"location":"Content/FAQEmail/#q-how-can-i-force-my-email-software-to-always-run-under-sandboxie","text":"A. When the software is already running under Sandboxie, go to Program Settings , Page 1, and select the checkbox to Force program to run in this sandbox . You can also use Sandbox Settings > Program Start > Forced Programs to accomplish the same.","title":"Q. How can I force my email software to always run under Sandboxie?"},{"location":"Content/FAQEmail/#q-my-email-software-is-periodically-updated-automatically-or-manually-will-the-updates-become-permanent","text":"A. No. The updates will be installed in the sandbox and will disappear when the sandbox is deleted . To properly update your software, launch it outside the supervision of Sandboxie, then initiate the update process. 
If it is already set as a forced program (see previous question), use the Disable Forced Programs command before starting your email software.","title":"Q. My email software is periodically updated (automatically or manually). Will the updates become permanent?"},{"location":"Content/FAQEmail/#q-should-i-create-a-separate-dedicated-sandbox-just-for-email-or-can-i-use-the-same-sandbox-for-email-and-web-browsing","text":"A. This depends primarily on your habits. If you want the convenience of opening your email software by clicking an email link ( mailto ) in your browser, then you have to use (and configure) the same sandbox for both web browsing and email reading. On the other hand, some people prefer to isolate the two unrelated activities into separate sandboxes. There is no strict answer, and both approaches work well.","title":"Q. Should I create a separate, dedicated sandbox just for email, or can I use the same sandbox for email and web browsing?"},{"location":"Content/FAQEmail/#q-i-want-to-launch-my-web-browser-in-a-sandbox-but-not-my-email-software-when-i-click-an-email-link-mailto-the-web-browser-tries-to-launch-my-email-software-in-the-sandbox-what-should-i-do","text":"A. You can avoid this issue by right-clicking the email link instead of left (normal) clicking it. The right-click menu will let you copy the email address. Then switch to your email software and paste the email address. If the pasted email address begins with a mailto: prefix, then make sure to delete that prefix, including the colon (:).","title":"Q. I want to launch my web browser in a sandbox, but not my email software. When I click an email link (mailto), the web browser tries to launch my email software in the sandbox. What should I do?"},{"location":"Content/FAQEmail/#q-i-want-to-launch-my-email-software-in-a-different-sandbox-than-my-web-browser-when-i-click-an-email-link-mailto-the-web-browser-tries-to-open-my-email-software-in-the-wrong-sandbox-what-should-i-do","text":"A. 
See the answer to the previous question.","title":"Q. I want to launch my email software in a different sandbox than my web browser. When I click an email link (mailto), the web browser tries to open my email software in the wrong sandbox. What should I do?"},{"location":"Content/FAQEmail/#q-i-have-a-web-mail-account-and-i-read-my-email-via-my-web-browser-do-i-need-to-configure-anything","text":"A. No, because in this case, none of your emails are stored in your computer.","title":"Q. I have a web mail account and I read my email via my web browser, do I need to configure anything?"},{"location":"Content/FAQVirus/","text":"FAQ Virus Questions and answers regarding Sandboxie and viruses and malware. For brevity, the text below mentions only viruses, but it equally applies to malware. Sandboxie protects your from viruses, malware, ransom-ware, zero day threats, etc. Sandboxie does not need to rely on virus database signature updates, heuristics, etc. If you get a virus in your sandbox, you simply delete the contents of that sandbox and move along. Your host machine, software and browser is not touched. Nothing on your host machine is harmed. Q. What does malicious software do? A. Malicious software is typically designed to infect your computer. This infection is accomplished by the integration with, or the taking over of, various aspects of your Windows operating system. Following this infection, different types of malicious software have different goals. For example, a virus program might spread to more computers, and a spyware program might record your keyboard activity. Q. How does Sandboxie protect against computer viruses? A. Sandboxie considers the program it supervises as potentially harmful, and keeps the programs bound within a sandbox , which is a kind of protective bubble. The program cannot escape the sandbox, and therefore cannot change, harm or infect your computer in any way. When you're done with the program, you delete the sandbox. Q. 
Does Sandboxie remove viruses? A. Yes, but not in the sense that Sandboxie discards just the viruses, and leaves everything else intact. What Sandboxie does is delete the entire sandbox, which deletes any viruses trapped within the sandbox, as well as any other changes (good or bad) that were attempted by the program running under the supervision of Sandboxie. Q. Is Sandboxie an anti-virus? A. No. While Sandboxie is a countermeasure against malicious software, it works differently from traditional anti-virus software. Unlike an anti-virus, Sandboxie does not attempt to identify or differentiate between \"good\" and \"bad\" (or harmful) programs. An anti-virus might not identify a new virus, and might let it slip by and infect your computer. Sandboxie, on the other hand, considers all programs as potentially harmful, and does not let any program modify your computer in any way. Q. Should I use Sandboxie instead of anti-virus software? A. No. Sandboxie can prevent a virus in the sandbox from escaping into your real computer. However, common sense dictates that it is preferable to prevent the virus from running in the first place. Therefore it is a good idea to use anti-virus software to prevent known threats, while relying on Sandboxie to be your first line of defense against threats that are not yet known to the anti-virus. Q. Is Sandboxie 100% fool-proof? A. No, but it tries to be as close as possible to 100%. At the same time, it is important to remember that Sandboxie is never the only software in your computer. Your other software, including your Windows operating system, might have security holes that could be abused by viruses in ways that no security software can prevent. Therefore it is always important to keep up with software updates. As the saying goes: \"The only truly secure computer is one buried in concrete, with the power turned off and the network cable cut.\" Q. Can the anti-virus detect a virus in the sandbox? A. Yes. 
Files contained in the sandbox are stored in the hard disk, typically in the folder SANDBOX in drive C. Programs under the supervision of Sandboxie can only operate within this folder, but there is nothing special about the folder itself. The anti-virus software may detect viruses as they arrive into this folder, or at any later time. Q. How should I respond to the anti-virus detecting a virus A. Your anti-virus should tell you where the virus was identified. If the virus was identified within the sandbox (typically, in the SANDBOX folder in drive C), there is little cause for alarm. You can immediately invoke the Delete Sandbox command, or you may direct the anti-virus to delete the virus file, or move it to quarantine. Q. When the anti-virus moves a virus file out of the sandbox and into quarantine, does it bypass Sandboxie? A. No. The anti-virus itself is not operating under the supervision of Sandboxie, even if the virus alert seems to indicate otherwise. Operating outside the sandbox, the anti-virus can reach into the sandbox folder, pull the virus file, and move it into quarantine. The process is similar to Sandboxie Quick Recovery , wherein Sandboxie Control reaches inside the sandbox to pull some file out of it. Q. Will viruses remain in the sandbox after I close all programs in the sandbox? A. Yes and no: 1. No, if your sandbox is set to automatically delete; 2. Yes, in the configuration, but only until you manually delete the contents of the sandbox. It is important to note that a virus file in the sandbox is just that -- a file , not much different from your average text file. Unless you move the file out of the sandbox and invoke it, there is little cause for alarm. Q. Do I have to securely wipe the contents of the sandbox to make sure the virus is gone? A. No. Although you can configure Sandboxie to use a third-party data wiping utility, the key point is to make the virus file itself inaccessible, and this is accomplished even with non-secure deletion. 
There is, however, an advantage to secure deletion, as discussed in the next answer. Q. Why does my anti-virus detect a virus in the System Volume Information folder? A. The System Restore component in Windows collects various files into the System Volume Information when they are deleted. While the intention is to protect your system, sometimes System Restore ends up making copies of virus files. These virus files are inactive, and even if restored, will be restored into the sandbox, so there is little cause for alarm. Nevertheless, it is a good idea to let your anti-virus get rid of any such virus files. Note that this will not occur if you securely wipe the contents of the sandbox (see previous question). Q. My computer is already infected with a virus, will Sandboxie protect against that virus? A. No. Sandboxie can only protect your computer from the programs that run under the supervision of Sandboxie. The virus which has already infected your computer is running unencumbered outside the supervision of Sandboxie. It might also serve as an infection channel and assist other viruses in the sandbox to break out of the sandbox and infect your computer. It is strongly recommended that you dis-infect your computer as soon as possible, then install Sandboxie to protect against future threats. Q. Does Sandboxie protect against the KillDisk virus? A. Yes. The KillDisk virus works by modifying the hard disk partition directly, bypassing any file systems. This kind of access has been blocked since Sandboxie version 2.33 (early 2006). Q. Can I install an anti-virus (or firewalls or other security software) into the sandbox? A. For most security software, the answer is no. This type of software wants to integrate with Windows in order to monitor access to files and network connections. Sandboxie is designed to isolate programs in the sandbox from the rest of the system, which means the security software will be unable to monitor the system correctly. 
Note that virus scanner software which does not include active (\"real time\") monitoring should be able to function correctly under Sandboxie. Please note: Not all Anti-virus \"suites\" will work. Sandboxie may not function with certain suites (Kaspersky.)","title":"FAQ Virus"},{"location":"Content/FAQVirus/#faq-virus","text":"Questions and answers regarding Sandboxie and viruses and malware. For brevity, the text below mentions only viruses, but it equally applies to malware. Sandboxie protects your from viruses, malware, ransom-ware, zero day threats, etc. Sandboxie does not need to rely on virus database signature updates, heuristics, etc. If you get a virus in your sandbox, you simply delete the contents of that sandbox and move along. Your host machine, software and browser is not touched. Nothing on your host machine is harmed.","title":"FAQ Virus"},{"location":"Content/FAQVirus/#q-what-does-malicious-software-do","text":"A. Malicious software is typically designed to infect your computer. This infection is accomplished by the integration with, or the taking over of, various aspects of your Windows operating system. Following this infection, different types of malicious software have different goals. For example, a virus program might spread to more computers, and a spyware program might record your keyboard activity.","title":"Q. What does malicious software do?"},{"location":"Content/FAQVirus/#q-how-does-sandboxie-protect-against-computer-viruses","text":"A. Sandboxie considers the program it supervises as potentially harmful, and keeps the programs bound within a sandbox , which is a kind of protective bubble. The program cannot escape the sandbox, and therefore cannot change, harm or infect your computer in any way. When you're done with the program, you delete the sandbox.","title":"Q. How does Sandboxie protect against computer viruses?"},{"location":"Content/FAQVirus/#q-does-sandboxie-remove-viruses","text":"A. 
Yes, but not in the sense that Sandboxie discards just the viruses, and leaves everything else intact. What Sandboxie does is delete the entire sandbox, which deletes any viruses trapped within the sandbox, as well as any other changes (good or bad) that were attempted by the program running under the supervision of Sandboxie.","title":"Q. Does Sandboxie remove viruses?"},{"location":"Content/FAQVirus/#q-is-sandboxie-an-anti-virus","text":"A. No. While Sandboxie is a countermeasure against malicious software, it works differently from traditional anti-virus software. Unlike an anti-virus, Sandboxie does not attempt to identify or differentiate between \"good\" and \"bad\" (or harmful) programs. An anti-virus might not identify a new virus, and might let it slip by and infect your computer. Sandboxie, on the other hand, considers all programs as potentially harmful, and does not let any program modify your computer in any way.","title":"Q. Is Sandboxie an anti-virus?"},{"location":"Content/FAQVirus/#q-should-i-use-sandboxie-instead-of-anti-virus-software","text":"A. No. Sandboxie can prevent a virus in the sandbox from escaping into your real computer. However, common sense dictates that it is preferable to prevent the virus from running in the first place. Therefore it is a good idea to use anti-virus software to prevent known threats, while relying on Sandboxie to be your first line of defense against threats that are not yet known to the anti-virus.","title":"Q. Should I use Sandboxie instead of anti-virus software?"},{"location":"Content/FAQVirus/#q-is-sandboxie-100-fool-proof","text":"A. No, but it tries to be as close as possible to 100%. At the same time, it is important to remember that Sandboxie is never the only software in your computer. Your other software, including your Windows operating system, might have security holes that could be abused by viruses in ways that no security software can prevent. 
Therefore it is always important to keep up with software updates. As the saying goes: \"The only truly secure computer is one buried in concrete, with the power turned off and the network cable cut.\"","title":"Q. Is Sandboxie 100% fool-proof?"},{"location":"Content/FAQVirus/#q-can-the-anti-virus-detect-a-virus-in-the-sandbox","text":"A. Yes. Files contained in the sandbox are stored in the hard disk, typically in the folder SANDBOX in drive C. Programs under the supervision of Sandboxie can only operate within this folder, but there is nothing special about the folder itself. The anti-virus software may detect viruses as they arrive into this folder, or at any later time.","title":"Q. Can the anti-virus detect a virus in the sandbox?"},{"location":"Content/FAQVirus/#q-how-should-i-respond-to-the-anti-virus-detecting-a-virus","text":"A. Your anti-virus should tell you where the virus was identified. If the virus was identified within the sandbox (typically, in the SANDBOX folder in drive C), there is little cause for alarm. You can immediately invoke the Delete Sandbox command, or you may direct the anti-virus to delete the virus file, or move it to quarantine.","title":"Q. How should I respond to the anti-virus detecting a virus"},{"location":"Content/FAQVirus/#q-when-the-anti-virus-moves-a-virus-file-out-of-the-sandbox-and-into-quarantine-does-it-bypass-sandboxie","text":"A. No. The anti-virus itself is not operating under the supervision of Sandboxie, even if the virus alert seems to indicate otherwise. Operating outside the sandbox, the anti-virus can reach into the sandbox folder, pull the virus file, and move it into quarantine. The process is similar to Sandboxie Quick Recovery , wherein Sandboxie Control reaches inside the sandbox to pull some file out of it.","title":"Q. 
When the anti-virus moves a virus file out of the sandbox and into quarantine, does it bypass Sandboxie?"},{"location":"Content/FAQVirus/#q-will-viruses-remain-in-the-sandbox-after-i-close-all-programs-in-the-sandbox","text":"A. Yes and no: 1. No, if your sandbox is set to automatically delete; 2. Yes, in the configuration, but only until you manually delete the contents of the sandbox. It is important to note that a virus file in the sandbox is just that -- a file , not much different from your average text file. Unless you move the file out of the sandbox and invoke it, there is little cause for alarm.","title":"Q. Will viruses remain in the sandbox after I close all programs in the sandbox?"},{"location":"Content/FAQVirus/#q-do-i-have-to-securely-wipe-the-contents-of-the-sandbox-to-make-sure-the-virus-is-gone","text":"A. No. Although you can configure Sandboxie to use a third-party data wiping utility, the key point is to make the virus file itself inaccessible, and this is accomplished even with non-secure deletion. There is, however, an advantage to secure deletion, as discussed in the next answer.","title":"Q. Do I have to securely wipe the contents of the sandbox to make sure the virus is gone?"},{"location":"Content/FAQVirus/#q-why-does-my-anti-virus-detect-a-virus-in-the-system-volume-information-folder","text":"A. The System Restore component in Windows collects various files into the System Volume Information when they are deleted. While the intention is to protect your system, sometimes System Restore ends up making copies of virus files. These virus files are inactive, and even if restored, will be restored into the sandbox, so there is little cause for alarm. Nevertheless, it is a good idea to let your anti-virus get rid of any such virus files. Note that this will not occur if you securely wipe the contents of the sandbox (see previous question).","title":"Q. 
Why does my anti-virus detect a virus in the System Volume Information folder?"},{"location":"Content/FAQVirus/#q-my-computer-is-already-infected-with-a-virus-will-sandboxie-protect-against-that-virus","text":"A. No. Sandboxie can only protect your computer from the programs that run under the supervision of Sandboxie. The virus which has already infected your computer is running unencumbered outside the supervision of Sandboxie. It might also serve as an infection channel and assist other viruses in the sandbox to break out of the sandbox and infect your computer. It is strongly recommended that you dis-infect your computer as soon as possible, then install Sandboxie to protect against future threats.","title":"Q. My computer is already infected with a virus, will Sandboxie protect against that virus?"},{"location":"Content/FAQVirus/#q-does-sandboxie-protect-against-the-killdisk-virus","text":"A. Yes. The KillDisk virus works by modifying the hard disk partition directly, bypassing any file systems. This kind of access has been blocked since Sandboxie version 2.33 (early 2006).","title":"Q. Does Sandboxie protect against the KillDisk virus?"},{"location":"Content/FAQVirus/#q-can-i-install-an-anti-virus-or-firewalls-or-other-security-software-into-the-sandbox","text":"A. For most security software, the answer is no. This type of software wants to integrate with Windows in order to monitor access to files and network connections. Sandboxie is designed to isolate programs in the sandbox from the rest of the system, which means the security software will be unable to monitor the system correctly. Note that virus scanner software which does not include active (\"real time\") monitoring should be able to function correctly under Sandboxie. Please note: Not all Anti-virus \"suites\" will work. Sandboxie may not function with certain suites (Kaspersky.)","title":"Q. 
Can I install an anti-virus (or firewalls or other security software) into the sandbox?"},{"location":"Content/FeatureComparison/","text":"Sandboxie Plus and Classic share the same core components, the main difference is that the Classic user interface is no longer under development. Hence, new core functionality is only available in the SandMan user interface of Sandboxie Plus. Likewise, various other new features are only implemented in the SandMan UI. Another difference is that Sandboxie Plus is provided under a custom license , while Sandboxie Classic is provided under a GPL-3.0+ license . Some exclusive functionality is only available to project supporters with a valid Supporter Certificate , see the table below. Starting with version 1.11.0, an Advanced Encryption Pack is also available, which must be obtained in addition to the supporter certificate in order to use sandbox encryption. Please note that a Business Certificate is required to use Sandboxie Plus in a commercial or educational setting! Plus vs. Classic Free Premium Free vs. 
Premium Free HOME PERSONAL FAMILY PACK BUSINESS ETERNAL Usage Personal Personal Personal Personal Commercial Personal Support reminder Yes No Yes No No No No No PCs per certificate As Certified Personal** Personal Personal and Family*** 1 Personal and Family Expiration As Certified 1 year of use 1 year of updates* 1 year of use 1 year of use No Old builds work after expiration As Certified No Yes No No Sandboxie-Live No No No 1 year of support 1 year of support 1 year of support 1 year of support Yes**** UI dark mode No No Yes Yes Yes Yes Yes Yes Start Menu integration No No Yes Yes Yes Yes Yes Yes Windows 11 context menu No No Yes Yes Yes Yes Yes Yes Box snapshots No No Yes Yes Yes Yes Yes Yes WFP support No Yes (no UI) Yes Yes Yes Yes Yes Yes Privacy enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Security enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Compatibility enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes ARM64 support No No Trial Yes Yes Yes Yes Yes RAM Disk integration No Yes (no UI) No Yes Yes Yes Yes Yes * A personal type certificate, once expired, does not unlock features in builds compiled after its expiration date. Builds compiled before that time retain their exclusive unlocked features state. ** Personal covers all devices you use yourself, so if you have a laptop and a desktop, one certificate covers both. *** A family pack can be used for the entire family, it is not required for the family to live in the same household, so the certificate can be used for children who have moved out or your grandparents. **** For as long as the service exists.","title":"FeatureComparison"},{"location":"Content/FeatureComparisonOld/","text":"Feature Comparison (obsolete) Sandboxie Plus and Classic share the same core components, the main difference is that the Classic UI is no longer under development. Hence, a UI for new core functionality is only available in the SandMan UI of the Sandboxie Plus. 
Likewise, various other new features are only implemented in the SandMan UI. Another difference is that Sandboxie Plus is provided under a custom license , while Sandboxie Classic is provided under a GPL-3.0+ license . Some exclusive functionality is only available to project supporters with a valid Supporter Certificate . Please note that a Business Certificate is required to use Sandboxie Plus in a commercial or educational setting! \u26a0\ufe0f Warning The following comparison is obsolete as of version 1.11.0 / 5.66.0 , please see the new page . CLASSIC VS. PLUS CLASSIC PLUS LICENSE FREE SUPPORTED FREE SMALL MEDIUM LARGE BUSINESS HUGE Usage - - Personal Personal Personal Personal Commercial Commercial Support reminder Yes No Yes No No No No No PCs per Certificate - As Certified - Personal Personal Personal and Family 1 Personal and Family Expiration - As Certified - 1 year 1 year 2 years 1 year No Old builds work after expiration - As Certified - No Yes Yes Yes Yes UI Dark mode No No Yes Yes Yes Yes Yes Yes Start Menu Integration No No Yes Yes Yes Yes Yes Yes Windows 11 Context menu No No Yes Yes Yes Yes Yes Yes Box Snapshots No No Yes Yes Yes Yes Yes Yes Object Filtering Yes Yes Yes Yes Yes Yes Yes Yes WFP support No Yes (no UI) Yes Yes Yes Yes Yes Yes Privacy enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Security enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Compatibility enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Process Breakout Yes (no UI) Yes (no UI) Yes Yes Yes Yes Yes Yes","title":"Feature Comparison (obsolete)"},{"location":"Content/FeatureComparisonOld/#feature-comparison-obsolete","text":"Sandboxie Plus and Classic share the same core components, the main difference is that the Classic UI is no longer under development. Hence, a UI for new core functionality is only available in the SandMan UI of the Sandboxie Plus. Likewise, various other new features are only implemented in the SandMan UI. 
Another difference is that Sandboxie Plus is provided under a custom license , while Sandboxie Classic is provided under a GPL-3.0+ license . Some exclusive functionality is only available to project supporters with a valid Supporter Certificate . Please note that a Business Certificate is required to use Sandboxie Plus in a commercial or educational setting! \u26a0\ufe0f Warning The following comparison is obsolete as of version 1.11.0 / 5.66.0 , please see the new page . CLASSIC VS. PLUS CLASSIC PLUS LICENSE FREE SUPPORTED FREE SMALL MEDIUM LARGE BUSINESS HUGE Usage - - Personal Personal Personal Personal Commercial Commercial Support reminder Yes No Yes No No No No No PCs per Certificate - As Certified - Personal Personal Personal and Family 1 Personal and Family Expiration - As Certified - 1 year 1 year 2 years 1 year No Old builds work after expiration - As Certified - No Yes Yes Yes Yes UI Dark mode No No Yes Yes Yes Yes Yes Yes Start Menu Integration No No Yes Yes Yes Yes Yes Yes Windows 11 Context menu No No Yes Yes Yes Yes Yes Yes Box Snapshots No No Yes Yes Yes Yes Yes Yes Object Filtering Yes Yes Yes Yes Yes Yes Yes Yes WFP support No Yes (no UI) Yes Yes Yes Yes Yes Yes Privacy enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Security enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Compatibility enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Process Breakout Yes (no UI) Yes (no UI) Yes Yes Yes Yes Yes Yes","title":"Feature Comparison (obsolete)"},{"location":"Content/FileMenu/","text":"File Menu Sandboxie Control > File Menu Terminate All Programs Sandboxie Control > File Menu > Terminate All Programs The Terminate All Programs command immediately stops all programs running in all sandboxes. There is no window associated with this command. 
However, you may be warned about the potential loss of any data processed by the programs which are about to be terminated: This warning refers to, for example, any open documents which will not be saved. This warning can be disabled by selecting the checkbox at the bottom: In the future, terminate processes without asking. See also: Terminate All Programs in Tray Icon Menu . Disable Forced Programs Sandboxie Control > File Menu > Disable Forced Programs The Disable Forced Programs toggle command temporarily disables or re-enables forced sandboxing. Normally, any forced programs (or programs in any forced folders ) will automatically start under the supervision of Sandboxie. Forced sandboxing is temporarily suspended when the Disable Forced Programs command is invoked. By default, forced sandboxing is suspended for 10 seconds. The number of seconds can be changed in the following dialog box, which appears when you select this command. Note that the associated command in the Tray Icon Menu does not show this dialog box, and uses the last duration specified, or the default of 10 seconds. For the duration that the Disable Forced Programs mode is in effect: The Sandboxie icon in the system tray area includes a small red X. The \"Disable Forced Programs\" command in the File Menu and Tray Icon Menu appears with a checkmark next to it. Message SBIE1301 will be issued if any forced programs are started. Selecting this command again will cancel the mode, restore the icon to its original appearance, and resume the normal operation of forced sandboxing. See also: Disable Forced Programs in Tray Icon Menu . Run As UAC Administrator Sandboxie Control > File Menu > Run As UAC Administrator The Run As UAC Administrator toggle command tells Sandboxie to ask for elevation to Administrative privileges before starting any programs. This command is only available on Windows when User Account Control (UAC) is in effect, and the user account is not already elevated. 
If this command is available in the menu, then it is typically necessary to enable it before installing programs into the sandbox, and it is recommended to disable it when that installation is complete. There is no window associated with this command. However, while the Run As UAC Administrator is in effect, the command appears in the File Menu and Tray Icon Menu with a checkmark next to it. See also: Run As UAC Administrator in Tray Icon Menu . Is Window Sandboxed? Sandboxie Control > File Menu > Is Window Sandboxed? The Is Window Sandboxed? command is used to select a window displayed on the screen, and if the window is owned by a sandboxed program, the command displays the name of the program and the sandbox it is running in. To use the command, click and hold the left mouse button on the Finder Tool , that is, the icon of a target within a window. Without releasing the left mouse button, drag the target over the desired window, and when the target is within the boundaries of the desired window, release the left mouse button. If the window is owned by a sandboxed program, Sandboxie will display the program name and sandbox name, will switch the view to Programs View , and highlight that program. Some programs display their windows using customized graphics, and this prevents Sandboxie from showing the [#] indicators in the title bar. In these cases, you can use the Is Window Sandboxed? command to make sure that the window and its related program are running sandboxed. Exit Sandboxie Control > File Menu > Exit The Exit command quits Sandboxie Control . Note that merely closing the window (or selecting the Hide Window command from the Tray Icon Menu ) does not quit Sandboxie Control. Sandboxie is still active and correctly supervise programs even when the front-end application, Sandboxie Control, is inactive. 
However, the following features are provided by the Sandboxie Control and will not be available when the front-end program is not running: Automatic Delete Sandbox Quick and Immediate Recovery Disable Forced Programs mode (when initiated from the Sandboxie Start program) If you do not wish to see Sandboxie Control in your system tray area, consider configuring the Windows task bar to always hide the icon, rather than exit Sandboxie Control. Go to Sandboxie Control , Tray Icon Menu , Help Topics .","title":"File Menu"},{"location":"Content/FileMenu/#file-menu","text":"Sandboxie Control > File Menu","title":"File Menu"},{"location":"Content/FileMenu/#terminate-all-programs","text":"Sandboxie Control > File Menu > Terminate All Programs The Terminate All Programs command immediately stops all programs running in all sandboxes. There is no window associated with this command. However, you may be warned about the potential loss of any data processed by the programs which are about to be terminated: This warning refers to, for example, any open documents which will not be saved. This warning can be disabled by selecting the checkbox at the bottom: In the future, terminate processes without asking. See also: Terminate All Programs in Tray Icon Menu .","title":"Terminate All Programs"},{"location":"Content/FileMenu/#disable-forced-programs","text":"Sandboxie Control > File Menu > Disable Forced Programs The Disable Forced Programs toggle command temporarily disables or re-enables forced sandboxing. Normally, any forced programs (or programs in any forced folders ) will automatically start under the supervision of Sandboxie. Forced sandboxing is temporarily suspended when the Disable Forced Programs command is invoked. By default, forced sandboxing is suspended for 10 seconds. The number of seconds can be changed in the following dialog box, which appears when you select this command. 
Note that the associated command in the Tray Icon Menu does not show this dialog box, and uses the last duration specified, or the default of 10 seconds. For the duration that the Disable Forced Programs mode is in effect: The Sandboxie icon in the system tray area includes a small red X. The \"Disable Forced Programs\" command in the File Menu and Tray Icon Menu appears with a checkmark next to it. Message SBIE1301 will be issued if any forced programs are started. Selecting this command again will cancel the mode, restore the icon to its original appearance, and resume the normal operation of forced sandboxing. See also: Disable Forced Programs in Tray Icon Menu .","title":"Disable Forced Programs"},{"location":"Content/FileMenu/#run-as-uac-administrator","text":"Sandboxie Control > File Menu > Run As UAC Administrator The Run As UAC Administrator toggle command tells Sandboxie to ask for elevation to Administrative privileges before starting any programs. This command is only available on Windows when User Account Control (UAC) is in effect, and the user account is not already elevated. If this command is available in the menu, then it is typically necessary to enable it before installing programs into the sandbox, and it is recommended to disable it when that installation is complete. There is no window associated with this command. However, while the Run As UAC Administrator is in effect, the command appears in the File Menu and Tray Icon Menu with a checkmark next to it. See also: Run As UAC Administrator in Tray Icon Menu .","title":"Run As UAC Administrator"},{"location":"Content/FileMenu/#is-window-sandboxed","text":"Sandboxie Control > File Menu > Is Window Sandboxed? The Is Window Sandboxed? command is used to select a window displayed on the screen, and if the window is owned by a sandboxed program, the command displays the name of the program and the sandbox it is running in. 
To use the command, click and hold the left mouse button on the Finder Tool , that is, the icon of a target within a window. Without releasing the left mouse button, drag the target over the desired window, and when the target is within the boundaries of the desired window, release the left mouse button. If the window is owned by a sandboxed program, Sandboxie will display the program name and sandbox name, will switch the view to Programs View , and highlight that program. Some programs display their windows using customized graphics, and this prevents Sandboxie from showing the [#] indicators in the title bar. In these cases, you can use the Is Window Sandboxed? command to make sure that the window and its related program are running sandboxed.","title":"Is Window Sandboxed?"},{"location":"Content/FileMenu/#exit","text":"Sandboxie Control > File Menu > Exit The Exit command quits Sandboxie Control . Note that merely closing the window (or selecting the Hide Window command from the Tray Icon Menu ) does not quit Sandboxie Control. Sandboxie is still active and correctly supervise programs even when the front-end application, Sandboxie Control, is inactive. However, the following features are provided by the Sandboxie Control and will not be available when the front-end program is not running: Automatic Delete Sandbox Quick and Immediate Recovery Disable Forced Programs mode (when initiated from the Sandboxie Start program) If you do not wish to see Sandboxie Control in your system tray area, consider configuring the Windows task bar to always hide the icon, rather than exit Sandboxie Control. Go to Sandboxie Control , Tray Icon Menu , Help Topics .","title":"Exit"},{"location":"Content/FileMigrationSettings/","text":"File Migration Settings Sandboxie Control > Sandbox Settings > File Migration: Before a sandboxed program can make changes to a file that already exists in your computer, Sandboxie first must make a copy of this file in the sandbox. 
However, making copies of very large files would be a long operation. For this reason, Sandboxie will only make copies of files that are below a certain maximum size. Files larger than this size will be considered read-only inside the sandbox, and any attempt to modify them will result in message SBIE2102 . Use this settings page to set the maximum size threshold, and whether or not you wish to see message SBIE2102 issued when an attempt is made to modify files larger than that maximum size. Related Sandboxie Ini settings: CopyLimitKb , CopyLimitSilent .","title":"File Migration Settings"},{"location":"Content/FileMigrationSettings/#file-migration-settings","text":"Sandboxie Control > Sandbox Settings > File Migration: Before a sandboxed program can make changes to a file that already exists in your computer, Sandboxie first must make a copy of this file in the sandbox. However, making copies of very large files would be a long operation. For this reason, Sandboxie will only make copies of files that are below a certain maximum size. Files larger than this size will be considered read-only inside the sandbox, and any attempt to modify them will result in message SBIE2102 . Use this settings page to set the maximum size threshold, and whether or not you wish to see message SBIE2102 issued when an attempt is made to modify files larger than that maximum size. Related Sandboxie Ini settings: CopyLimitKb , CopyLimitSilent .","title":"File Migration Settings"},{"location":"Content/FileRootPath/","text":"File Root Path FileRootPath is a sandbox setting in Sandboxie Ini . It specifies the root folder for a particular sandbox. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . 
[DefaultBox] FileRootPath=C:\\Sandbox\\MySandbox Related Sandboxie Control setting: Sandbox menu > Set Container Folder Related Sandboxie Plus setting: Options menu > Global Settings > Advanced Config > Sandboxie Config > Sandbox file system root Technical Details The following substitution variables may be useful in this path. Shell Folders variables such as %Personal% which expands to the user's Documents folder The variable %SBIEHOME% which expands to the root of the Sandboxie installation The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security ID (SID) The variable %SESSION% which expands to the Terminal Services session number If FileRootPath is not specified, its default value is constructed using the deprecated BoxRootFolder setting, thus: BoxRootFolder\\Sandbox\\%SANDBOX% If BoxRootFolder is also not specified, then the default setting is: C:\\Sandbox\\%USER%\\%SANDBOX%","title":"File Root Path"},{"location":"Content/FileRootPath/#file-root-path","text":"FileRootPath is a sandbox setting in Sandboxie Ini . It specifies the root folder for a particular sandbox. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] FileRootPath=C:\\Sandbox\\MySandbox Related Sandboxie Control setting: Sandbox menu > Set Container Folder Related Sandboxie Plus setting: Options menu > Global Settings > Advanced Config > Sandboxie Config > Sandbox file system root Technical Details The following substitution variables may be useful in this path. 
Shell Folders variables such as %Personal% which expands to the user's Documents folder The variable %SBIEHOME% which expands to the root of the Sandboxie installation The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security ID (SID) The variable %SESSION% which expands to the Terminal Services session number If FileRootPath is not specified, its default value is constructed using the deprecated BoxRootFolder setting, thus: BoxRootFolder\\Sandbox\\%SANDBOX% If BoxRootFolder is also not specified, then the default setting is: C:\\Sandbox\\%USER%\\%SANDBOX%","title":"File Root Path"},{"location":"Content/FilesAndFoldersView/","text":"Files And Folders View Sandboxie Control > View Menu > Files and Folders The Files and Folders View is a secondary view mode in Sandboxie Control . It displays the files and folders in each of the sandboxes, organized into a tree of folders, and grouped by sandbox name. Within each sandbox, there are two top-level folders: Quick Recover Folders shows the folders configured to Quick Recovery , and any folders or files contained within these folders. All Files and Folders contains the full contents of the sandbox (as described in Sandbox Hierarchy ) in a friendly way. This folder is itself organized into two folders: Drives shows the sandboxed contents that were created for drives in the system. User Files shows the sandboxed contents of user profile folders. A user profile folder contains folders such as My Documents , Desktop and Favorites . The All Files and Folders folder typically also contains RegHive files which represent the sandboxed copy of the Windows registry. Use the small + or - icon, located at the beginning of each sandbox row, to expand or collapse the display of files and folders in the sandbox. Context Menus The Files and Folders View provides context menus for sandboxes and programs. 
To display a context menu for the item (sandbox or file or folder) in some row, do one of the following: Click the right mouse button anywhere on the row. Select (highlight) the row using the mouse or keyboard, then press Shift+F10. Select (highlight) the row using the mouse or keyboard, then use the View Menu -> Context Menu command. For a sandbox row, the context menu displayed is the same as Sandbox Menu -> Sandbox Sub-Menu . See there for a full description. For a file or folder, the context menu offers these commands: The Run Sandboxed command opens the file or folder under the supervision of Sandboxie: Executable program files will be invoked directly. Document files will be opened in a sandboxed instance of the program associated with the document type. Folders will be opened in a sandboxed instance of Windows Explorer. The Recover to Same Folder and Recover to Any Folder commands move the file or folder out of the sandbox. See Quick Recovery for a full description. The Add Folder to Quick Recovery command is available in folders below the top-level All Files and Folders folder, and adds the folder to the list of Quick Recovery folders. The Remove Folder from Quick Recovery command is available in folders below the top-level Quick Recovery Folders folder, and removes the folder from the list of Quick Recovery folders. Go to Sandboxie Control , Programs View , Help Topics .","title":"Files And Folders View"},{"location":"Content/FilesAndFoldersView/#files-and-folders-view","text":"Sandboxie Control > View Menu > Files and Folders The Files and Folders View is a secondary view mode in Sandboxie Control . It displays the files and folders in each of the sandboxes, organized into a tree of folders, and grouped by sandbox name. Within each sandbox, there are two top-level folders: Quick Recover Folders shows the folders configured to Quick Recovery , and any folders or files contained within these folders. 
All Files and Folders contains the full contents of the sandbox (as described in Sandbox Hierarchy ) in a friendly way. This folder is itself organized into two folders: Drives shows the sandboxed contents that were created for drives in the system. User Files shows the sandboxed contents of user profile folders. A user profile folder contains folders such as My Documents , Desktop and Favorites . The All Files and Folders folder typically also contains RegHive files which represent the sandboxed copy of the Windows registry. Use the small + or - icon, located at the beginning of each sandbox row, to expand or collapse the display of files and folders in the sandbox. Context Menus The Files and Folders View provides context menus for sandboxes and programs. To display a context menu for the item (sandbox or file or folder) in some row, do one of the following: Click the right mouse button anywhere on the row. Select (highlight) the row using the mouse or keyboard, then press Shift+F10. Select (highlight) the row using the mouse or keyboard, then use the View Menu -> Context Menu command. For a sandbox row, the context menu displayed is the same as Sandbox Menu -> Sandbox Sub-Menu . See there for a full description. For a file or folder, the context menu offers these commands: The Run Sandboxed command opens the file or folder under the supervision of Sandboxie: Executable program files will be invoked directly. Document files will be opened in a sandboxed instance of the program associated with the document type. Folders will be opened in a sandboxed instance of Windows Explorer. The Recover to Same Folder and Recover to Any Folder commands move the file or folder out of the sandbox. See Quick Recovery for a full description. The Add Folder to Quick Recovery command is available in folders below the top-level All Files and Folders folder, and adds the folder to the list of Quick Recovery folders. 
The Remove Folder from Quick Recovery command is available in folders below the top-level Quick Recovery Folders folder, and removes the folder from the list of Quick Recovery folders. Go to Sandboxie Control , Programs View , Help Topics .","title":"Files And Folders View"},{"location":"Content/FirefoxTips/","text":"Firefox Tips Tips Specific to Firefox Sandboxie Control > Sandbox Settings > Applications > Web Browser > Firefox Always Run In Sandbox Setting: Force Firefox to run in this sandbox This setting tells Sandboxie to automatically supervise any instance of Firefox as it starts, even if it was not started directly through a Sandboxie facility or command. Updating Firefox and its Add-ons In the default configuration, any updates to Firefox or its add-ons will happen only within the sandbox. When the sandbox is deleted, all such updates will be deleted as well. To avoid this problem, you should run Firefox outside the sandbox when you recognize that any updates are available. Let the normal Firefox finish updating, including any necessary restarts of Firefox. Finally, exit Firefox and restart it under Sandboxie. If Firefox is forced to always run under Sandboxie (as discussed above), use the Disable Forced Programs command to disable forced sandboxing for a duration of several minutes. Then follow the procedure in the preceding paragraph. Finally, use the Disable Forced Programs command again to resume forced sandboxing. Bookmarks, History and Favorites Setting: Allow direct access to Firefox bookmarks and history database This setting allows Firefox running under Sandboxie to store bookmarks outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, bookmarks are stored only in the sandbox, and will be deleted when the sandbox is deleted. Please note that, starting with Firefox 3, the same file (called places.sqlite ) stores both bookmarks and the history of visited sites. 
Therefore this setting will cause Firefox to also store the history of visited outside the sandbox. One approach to this is to install the PlainOldFavorites add-on, which lets Firefox create and manage Internet Explorer-style Favorites in addition to Mozilla-style bookmarks. Then consult the discussion on favorites in Internet Explorer Tips . Bottom line: * If you don't mind the extra add-on, install PlainOldFavorites to enhance Firefox with Internet Explorer-style favorites, then read the recommendations for handling favorites in Internet Explorer Tips . * If you are happy with Firefox bookmarks, then select this setting. Cookies Setting: Allow direct access to Firefox cookies This setting allows Firefox running under Sandboxie to store cookies outside the sandbox (in a file called cookies.sqlite ), so they can persist even after the sandbox is deleted. When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. An alternative approach is to this setting is to visit your favorite sites once with a normal Firefox, to get these sites to remember you in their cookies. Then switch to a Firefox under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. Bottom line: If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. If you need web sites that you visit in a sandboxed Firefox to remember you, then select this setting. Phishing Database Setting: Allow direct access to Firefox phishing database This setting allows Firefox running under Sandboxie to update and maintain the database of phishing web sites (a file called urlclassifier*.sqlite ). When this option is not set, then whenever the sandbox is deleted, Firefox might have to spend time to copy the phishing database (potentially a very large file) into the sandbox, and then download updates to the database. 
The setting is enabled by default. Bottom line: Keep the setting selected. Full Profile Access Setting: Allow direct access to entire Firefox profile folder This setting allows Firefox running under Sandboxie to have access to any data file within the entire Firefox profile. This setting includes any other Firefox data file mentioned above, and overrides all other \"direct access\" setting discussed earlier. Bottom line: Do not select this setting. General Tips Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"Firefox Tips"},{"location":"Content/FirefoxTips/#firefox-tips","text":"","title":"Firefox Tips"},{"location":"Content/FirefoxTips/#tips-specific-to-firefox","text":"Sandboxie Control > Sandbox Settings > Applications > Web Browser > Firefox Always Run In Sandbox Setting: Force Firefox to run in this sandbox This setting tells Sandboxie to automatically supervise any instance of Firefox as it starts, even if it was not started directly through a Sandboxie facility or command. Updating Firefox and its Add-ons In the default configuration, any updates to Firefox or its add-ons will happen only within the sandbox. When the sandbox is deleted, all such updates will be deleted as well. 
To avoid this problem, you should run Firefox outside the sandbox when you recognize that any updates are available. Let the normal Firefox finish updating, including any necessary restarts of Firefox. Finally, exit Firefox and restart it under Sandboxie. If Firefox is forced to always run under Sandboxie (as discussed above), use the Disable Forced Programs command to disable forced sandboxing for a duration of several minutes. Then follow the procedure in the preceding paragraph. Finally, use the Disable Forced Programs command again to resume forced sandboxing. Bookmarks, History and Favorites Setting: Allow direct access to Firefox bookmarks and history database This setting allows Firefox running under Sandboxie to store bookmarks outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, bookmarks are stored only in the sandbox, and will be deleted when the sandbox is deleted. Please note that, starting with Firefox 3, the same file (called places.sqlite ) stores both bookmarks and the history of visited sites. Therefore this setting will cause Firefox to also store the history of visited outside the sandbox. One approach to this is to install the PlainOldFavorites add-on, which lets Firefox create and manage Internet Explorer-style Favorites in addition to Mozilla-style bookmarks. Then consult the discussion on favorites in Internet Explorer Tips . Bottom line: * If you don't mind the extra add-on, install PlainOldFavorites to enhance Firefox with Internet Explorer-style favorites, then read the recommendations for handling favorites in Internet Explorer Tips . * If you are happy with Firefox bookmarks, then select this setting. Cookies Setting: Allow direct access to Firefox cookies This setting allows Firefox running under Sandboxie to store cookies outside the sandbox (in a file called cookies.sqlite ), so they can persist even after the sandbox is deleted. 
When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. An alternative approach is to this setting is to visit your favorite sites once with a normal Firefox, to get these sites to remember you in their cookies. Then switch to a Firefox under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. Bottom line: If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. If you need web sites that you visit in a sandboxed Firefox to remember you, then select this setting. Phishing Database Setting: Allow direct access to Firefox phishing database This setting allows Firefox running under Sandboxie to update and maintain the database of phishing web sites (a file called urlclassifier*.sqlite ). When this option is not set, then whenever the sandbox is deleted, Firefox might have to spend time to copy the phishing database (potentially a very large file) into the sandbox, and then download updates to the database. The setting is enabled by default. Bottom line: Keep the setting selected. Full Profile Access Setting: Allow direct access to entire Firefox profile folder This setting allows Firefox running under Sandboxie to have access to any data file within the entire Firefox profile. This setting includes any other Firefox data file mentioned above, and overrides all other \"direct access\" setting discussed earlier. Bottom line: Do not select this setting.","title":"Tips Specific to Firefox"},{"location":"Content/FirefoxTips/#general-tips","text":"Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. 
Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"General Tips"},{"location":"Content/ForceDisableAdminOnly/","text":"Force Disable Admin Only ForceDisableAdminOnly is a global setting in Sandboxie Ini . If specified, the Disable Forced Programs mode will only be available to user accounts that are members of the Administrators group. Usage: . . . [GlobalSettings] ForceDisableAdminOnly=y This setting is designed for use by network administrators.","title":"Force Disable Admin Only"},{"location":"Content/ForceDisableAdminOnly/#force-disable-admin-only","text":"ForceDisableAdminOnly is a global setting in Sandboxie Ini . If specified, the Disable Forced Programs mode will only be available to user accounts that are members of the Administrators group. Usage: . . . [GlobalSettings] ForceDisableAdminOnly=y This setting is designed for use by network administrators.","title":"Force Disable Admin Only"},{"location":"Content/ForceDisableSeconds/","text":"Force Disable Seconds ForceDisableSeconds is a global setting in Sandboxie Ini . It specifies the time, in seconds, that the Disable Forced Programs mode will stay in effect. Usage: . . . [GlobalSettings] ForceDisableSeconds=25 ForceDisableSeconds=0 The default value for this setting is 10 seconds. Setting the value to zero effectively disables the Disable Forced Programs feature itself. See also: ForceDisableAdminOnly . 
The Disable Forced Programs mode is engaged through Sandboxie Control , which can also configure the number of seconds. Use the FileMenu > Disable Forced Programs command, or the same command from the Tray Icon Menu . When active, the Disable Forced Programs mode causes Sandboxie to issue message SBIE1301 whenever a forced program is started.","title":"Force Disable Seconds"},{"location":"Content/ForceDisableSeconds/#force-disable-seconds","text":"ForceDisableSeconds is a global setting in Sandboxie Ini . It specifies the time, in seconds, that the Disable Forced Programs mode will stay in effect. Usage: . . . [GlobalSettings] ForceDisableSeconds=25 ForceDisableSeconds=0 The default value for this setting is 10 seconds. Setting the value to zero effectively disables the Disable Forced Programs feature itself. See also: ForceDisableAdminOnly . The Disable Forced Programs mode is engaged through Sandboxie Control , which can also configure the number of seconds. Use the FileMenu > Disable Forced Programs command, or the same command from the Tray Icon Menu . When active, the Disable Forced Programs mode causes Sandboxie to issue message SBIE1301 whenever a forced program is started.","title":"Force Disable Seconds"},{"location":"Content/ForceFolder/","text":"Force Folder ForceFolder is a sandbox setting in Sandboxie.ini which allows to force folder contents to run inside a specific sandbox. If any files or programs in these folders* (or in a sub-folder of one of these folders) are started outside any sandbox, they will be automatically sandboxed into a particular sandbox. For example: . . . [DefaultBox] ForceFolder=C:\\Download ForceFolder=E:\\ The first example specifies that files/programs started from the C:\\Download folder (or any folders below contained in those folders) will be forced to run sandboxed in the sandbox DefaultBox . The second example specifies that any files/programs started from drive E will be forced to run sandboxed in the sandbox DefaultBox . 
For CDROM and DVD drives, this includes forcing the AutoRun programs that are automatically started by Windows. Please keep in mind that shortcuts located inside a ForceFolder, that are pointing to a path that is not a ForceFolder, will not start a Sandboxed application. For example: if you place a shortcut inside C:\\ForcedFolder and it points to C:\\SomeOtherPathThatIsNotForced, then the shortcut will trigger a non-sandboxed application. Another consideration is that Modern / Store Apps are not supported. If your default application for opening a specific file type is a Windows Modern app (such as the Photos app in Windows 10), the application will not launch at all. For more information, please see the Known Conflicts page. See also: ForceProcess . If both a ForceFolder and a ForceProcess are applicable to a program that is starting, the ForceFolder setting takes precedence. Related Sandboxie Control setting: Sandbox Settings > Program Start > Forced Folders","title":"Force Folder"},{"location":"Content/ForceFolder/#force-folder","text":"ForceFolder is a sandbox setting in Sandboxie.ini which allows to force folder contents to run inside a specific sandbox. If any files or programs in these folders* (or in a sub-folder of one of these folders) are started outside any sandbox, they will be automatically sandboxed into a particular sandbox. For example: . . . [DefaultBox] ForceFolder=C:\\Download ForceFolder=E:\\ The first example specifies that files/programs started from the C:\\Download folder (or any folders below contained in those folders) will be forced to run sandboxed in the sandbox DefaultBox . The second example specifies that any files/programs started from drive E will be forced to run sandboxed in the sandbox DefaultBox . For CDROM and DVD drives, this includes forcing the AutoRun programs that are automatically started by Windows. 
Please keep in mind that shortcuts located inside a ForceFolder, that are pointing to a path that is not a ForceFolder, will not start a Sandboxed application. For example: if you place a shortcut inside C:\\ForcedFolder and it points to C:\\SomeOtherPathThatIsNotForced, then the shortcut will trigger a non-sandboxed application. Another consideration is that Modern / Store Apps are not supported. If your default application for opening a specific file type is a Windows Modern app (such as the Photos app in Windows 10), the application will not launch at all. For more information, please see the Known Conflicts page. See also: ForceProcess . If both a ForceFolder and a ForceProcess are applicable to a program that is starting, the ForceFolder setting takes precedence. Related Sandboxie Control setting: Sandbox Settings > Program Start > Forced Folders","title":"Force Folder"},{"location":"Content/ForceProcess/","text":"Force Process ForceProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs. If any of these programs are started outside any sandbox, they will be automatically sandboxed in a particular sandbox. For example: . . . [DefaultBox] ForceProcess=iexplore.exe ForceProcess=firefox.exe ForceProcess=App*.exe ForceProcess=App?.exe [MailBox] ForceProcess=outlook.exe ForceProcess=cl?cke?.exe * defines any character. ? defines one character. The example specifies that Internet Explorer (iexplore.exe), Firefox (firefox.exe), App* (Appga, App03 and etc.). and App? (App1, Appg, Appa and etc.). will be forced to run sandboxed in the sandbox DefaultBox . Outlook.exe and cl?cke? (clicker, clicked and etc.). will be forced to run sandboxed in the sandbox MailBox . Note that the ForceProcess settings only apply to programs that start unsandboxed. If a program is specifically started in a sandbox, or started by a program that is already sandboxed, then ForceProcess settings are not applied. See also: ForceFolder . 
If both a ForceFolder and a ForceProcess are applicable to a program that is starting, the ForceFolder setting takes precedence. Related Sandboxie Control setting: Sandbox Settings > Program Start > Forced Programs See also: Program Settings .","title":"Force Process"},{"location":"Content/ForceProcess/#force-process","text":"ForceProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs. If any of these programs are started outside any sandbox, they will be automatically sandboxed in a particular sandbox. For example: . . . [DefaultBox] ForceProcess=iexplore.exe ForceProcess=firefox.exe ForceProcess=App*.exe ForceProcess=App?.exe [MailBox] ForceProcess=outlook.exe ForceProcess=cl?cke?.exe * defines any character. ? defines one character. The example specifies that Internet Explorer (iexplore.exe), Firefox (firefox.exe), App* (Appga, App03 and etc.). and App? (App1, Appg, Appa and etc.). will be forced to run sandboxed in the sandbox DefaultBox . Outlook.exe and cl?cke? (clicker, clicked and etc.). will be forced to run sandboxed in the sandbox MailBox . Note that the ForceProcess settings only apply to programs that start unsandboxed. If a program is specifically started in a sandbox, or started by a program that is already sandboxed, then ForceProcess settings are not applied. See also: ForceFolder . If both a ForceFolder and a ForceProcess are applicable to a program that is starting, the ForceFolder setting takes precedence. Related Sandboxie Control setting: Sandbox Settings > Program Start > Forced Programs See also: Program Settings .","title":"Force Process"},{"location":"Content/ForgetPassword/","text":"Forget Password ForgetPassword is a global setting in Sandboxie Ini . If set in Sandboxie Control or Sandman , the configuration password is cleared when the main window is hidden - and will need to be re-entered in order to modify configuration settings. Usage: . . . 
[GlobalSettings] ForgetPassword=y See also: Configuration Protection . Related Sandboxie Plus setting: Options menu > Global Settings > Advanced Config > Sandboxie.ini Presets > Clear password when main window becomes hidden","title":"Forget Password"},{"location":"Content/ForgetPassword/#forget-password","text":"ForgetPassword is a global setting in Sandboxie Ini . If set in Sandboxie Control or Sandman , the configuration password is cleared when the main window is hidden - and will need to be re-entered in order to modify configuration settings. Usage: . . . [GlobalSettings] ForgetPassword=y See also: Configuration Protection . Related Sandboxie Plus setting: Options menu > Global Settings > Advanced Config > Sandboxie.ini Presets > Clear password when main window becomes hidden","title":"Forget Password"},{"location":"Content/FrequentlyAskedQuestions/","text":"Frequently Asked Questions Overview What is Sandboxie and how is it different than other solutions? How safe would I be, by using Sandboxie? Do I need other solutions if I use Sandboxie? What kinds of programs can I run using Sandboxie? What are the technical requirements to run Sandboxie? Technical How does Sandboxie protect me, technically? Will Sandboxie protect me from malicious key-loggers? Some competing products require a reboot to initiate sandboxing, why? Why am I getting some Messages from Sandbox Driver? Why are so many files copied into the sandbox? What are SandboxieRpcSs and SandboxieDcomLaunch? How can I use Sandboxie to protect myself from viruses in email? How to configure Sandboxie for only an occasional use? Problems How do I make Quick Recovery show my saved favorites and downloads? I saved a downloaded file, a document or an email inside the sandbox, how do I get it out? Why does the wrong program start when I run my default Web browser sandboxed? Why does Sysinternals Process Monitor not work inside the sandbox? 
If you have a program that doesn't work properly sandboxed, please look it up on the Known Conflicts page before posting a problem report . Back to HelpTopics What is Sandboxie and how is it different than other solutions? Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper. Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely. On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. Thanks to esalkin for the paper metaphor. Thanks to warwagon for the graphics. Back to Table of Contents How safe would I be, by using Sandboxie? You would be quite safe using Sandboxie. It should be noted that, from time to time, people are able to find some vulnerability in Sandboxie, an open hole through which malicious software can still infiltrate the system. This is very rare and is quickly resolved by closing the hole that is the attack vector. Thus it's a good idea to have more traditional anti-malware software. This is is the subject of the following question. Back to Table of Contents Do I need other solutions if I use Sandboxie? Sandboxie may be your first line of defense, but it should certainly be complemented by the more traditional anti-virus and anti-malware solutions. These solutions can let you know if your system does become infected in any way. 
Typically, those other solutions employ various forms of pattern matching to discover malicious software and other threats. Sandboxie, on the other hand, quite simply does not trust any software code enough to let it out of the sandbox. The combination of the two approaches should keep malicious software -- which is serving the interest of other unknown parties -- out of your computer. Back to Table of Contents What kinds of programs can I run using Sandboxie? You should be able to run most applications sandboxed. Major Web browsers Mail and news readers instant messengers and chat clients peer-to-peer networking Office Suites (MS Office, LibreOffice, OpenOffice) Most games in particular, online games which download extension software code In all cases on this list, your client-side program is exposed to remote software code, which could use the program as a channel to infiltrate your system. By running the program sandboxed, you greatly increase the control you have over that channel. And in addition, you can even install some applications into the sandbox. Back to Table of Contents What are the requirements to run Sandboxie? Sandboxie works on Windows XP SP3 (Up until Sandboxie 5.22 and solely in v5.40 ) Windows Vista SP2 (Up until Sandboxie 5.22) Windows 7 32/64 Windows 8.1 32/64 Windows 10 32/64 ( Modern Apps not supported ) Windows 11 64 ( Modern Apps not supported ) See the download page . Supported Web Browsers (32 & 64 bit supported) Internet Explorer 8, 9, 10 & 11 Microsoft Edge (Chromium) Google Chrome Firefox Opera PaleMoon SeaMonkey Vivaldi Waterfox Brave Browser And many others! Sandboxie does not work on... Windows XP x64 bit Windows 95, 98 or ME Mac or Linux operating systems. Sandboxie should not be installed on Microsoft Server Operating Systems as it's not directly supported. However, we have many users that have deployed it successfully. You can run Sandboxie in a VM Environment (VMWare, VirtualBox, Apple BootCamp, etc.) 
There are no particular hardware requirements to run Sandboxie. However, we do no test on touchscreen devices (many users have successfully installed Sandboxie on Surface pro and similar devices). Sandboxie needs only a small amount of memory and should have a very small impact on performance. Back to Table of Contents How does Sandboxie protect me, technically? Sandboxie extends the operating system (OS) with sandboxing capabilities by blending into it. Applications can never access hardware such as disk storage directly, they have to ask the OS to do it for them. Since Sandboxie integrates into the OS, it can do what it does without risk of being circumvented. The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication: Named Pipes and Mailbox Objects, Events, Mutexes (Mutants in NT speak), Semaphores, Sections and LPC Ports. For some more information on this, see Sandbox Hierarchy . Sandboxie also takes measures to prevent programs executing inside the sandbox from hijacking non-sandboxed programs and using them as a vehicle to operate outside the sandbox. For the same reason, Sandboxie doesn't allow a sandboxed process from reading the memory of unsandboxed processes and it provides a feature to hide selected host processes from sandboxed processes. For more information about this, see #59 and 0.3 / 5.42 notes . Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program. 
It should be noted, however, that Sandboxie does not typically prevent the exfiltration of user data by processes running under its supervision without advanced configuration, as the default file and registry access scheme is Allow Read to anything except when the user specified a particular path to be closed. However, by careful configuration of the ClosedFilePath and ClosedKeyPath settings, you can achieve this goal as well. If you want to follow the future development on this, see New privacy enhanced File/Registry access scheme, White list/Template Mode, plans and discussion . Back to Table of Contents Will Sandboxie protect me from malicious key-loggers? Yes, to some extent. First of all, your system (outside the sandbox) must not have been already compromised by an installed key-logger. Sandboxie can not protect against key-loggers that are already running outside the sandbox. You may want to consider always browsing sandboxed, so you don't accidentally get any key-loggers into your system. It is very difficult to reliably detect a key-logger. For a lengthy explanation, see Detecting Key Loggers . So the most important tool Sandboxie offers you for protection against key-loggers, is to delete the sandbox. When you stop all sandboxed activity (in all sandboxes), then proceed to delete the sandbox you're about to use, you can be fairly certain that all key-loggers are dead. Back to Table of Contents Some competing products require a reboot to initiate sandboxing, why? Changes to the computing environment must eventually make their way to disk storage, if they are to be permanent. This obviously applies to files. But it also applies to things like settings and preferences saved in the system registry. Some competing products require a reboot before each use, because they sandbox disk storage as a whole. They provide the operating system and everything in it with a single virtual disk, which is used to trap those permanent changes. 
The operating system is not designed to use one disk for some tasks, and another disk for other tasks. Therefore a reboot is required to switch to and from the virtual disk. Sandboxie does not require a reboot because it sandboxes access to files, rather than to the disk as a whole. It also sandboxes access to registry keys. It also sandboxes access to many other classes of system components, in order to trick the sandboxed program into believing that it isn't being tricked. This low-level sandboxing in some competing products makes it possible to install a wider range of applications and system tools -- including system drivers -- into the sandbox. Sandboxie can install most applications into the sandbox, but not system software nor drivers. It becomes apparent that, like most other things, each tool has its advantages and disadvantages, and one must choose the best tool for the task at hand. Back to Table of Contents Why am I getting some Messages from Sandbox Driver? Not all messages are errors, some simply inform you of an event that has occurred. For more information, see SBIE Messages and Log Messages To A File . Back to Table of Contents Why are so many files copied into the sandbox? When a program accesses a file, it declares what operations it plans to do on the file: if it plans to read from the file, to write the file, to change its attributes, and so on. Whenever a program declares any kind of write access to a file, Sandboxie copies it into the sandbox. In some cases, programs declare they intend to write to the file when in fact they do not, but nevertheless Sandboxie must copy the file into the sandbox. Back to Table of Contents What are SandboxieRpcSs and SandboxieDcomLaunch? See Service Programs . Back to Table of Contents How can I use Sandboxie to protect myself from viruses in email? See full article: Email Protection . Back to Table of Contents How to configure Sandboxie for only an occasional use? 
By default Sandboxie is configured to load and start automatically. To have Sandboxie load only when you need it, make the following changes. In Sandboxie Control , open the Configure -> Shell Integration window, and clear the checkbox When Windows starts to stop Sandboxie Control from starting. In Sandboxie Plus, see the Sandboxie-Plus Migration Guide . Open the Windows Services configuration window: Start menu -> Control Panel -> Administrative Tools -> Services . Then locate the Sandboxie Service. Double click to bring up its properties window. Set its Startup type to Manual rather than automatic. The driver component of Sandboxie is started by the Sandboxie Service. Therefore, setting the service to start manually, indirectly also sets the driver to start manually. Starting Sandboxie Control will also start the service. (But note that Administrative rights are required to start a service.) Back to Table of Contents How do I make Quick Recovery show my saved favorites and downloads? You may not see all your folders in Quick Recovery, as only a few are configured by default in the initial installation. See also Quick Recovery . Back to Table of Contents I saved a downloaded file, a document or an email inside the sandbox, how do I get it out? If you read What is Sandboxie then you know Sandboxie is like a transparency layer placed over the paper. (The paper is your computer.) When you save files (downloads, documents, emails, or anything else) through a sandboxed program, these files go into the transparency layer that is the sandbox. You can use Quick Recovery to get these files out. Unless configured otherwise, Quick Recovery looks in your Documents , Favorites , Desktop and Downloads folders. If you save the files to either of these folders, then you can use Quick Recovery to easily get them out. Another approach is configuring one or more folders as an OpenFilePath . 
Saving files into such folders bypasses the sandbox mechanism, and goes directly to the real folders. Setting this is more complicated, but may also prove useful, in some cases. Back to Table of Contents Why does the wrong program start when I run my default Web browser sandboxed? This happens for some people. In Windows 7, open Control Panel in Icon view and select Default Programs > Set your default programs. You can then select the browser you want as default. In Windows 8/8.1, point to (but do not click) the lower-right or top-right corner of the screen, and then click the Settings icon. In the lower-right corner, click Change PC Settings > Search and apps > Defaults. You can then select the browser you want as default. If using Windows 10/11, ensure that your default Web Browser for Windows is set correctly (click on the Start menu, type \"default apps\" and Choose your default apps). Back to Table of Contents Why does Sysinternals Process Monitor not work inside the sandbox? While Process Monitor can't run sandboxed, it can monitor the activity inside the sandbox. Back to Table of Contents","title":"Frequently Asked Questions"},{"location":"Content/FrequentlyAskedQuestions/#frequently-asked-questions","text":"","title":"Frequently Asked Questions"},{"location":"Content/FrequentlyAskedQuestions/#overview","text":"What is Sandboxie and how is it different than other solutions? How safe would I be, by using Sandboxie? Do I need other solutions if I use Sandboxie? What kinds of programs can I run using Sandboxie? What are the technical requirements to run Sandboxie?","title":"Overview"},{"location":"Content/FrequentlyAskedQuestions/#technical","text":"How does Sandboxie protect me, technically? Will Sandboxie protect me from malicious key-loggers? Some competing products require a reboot to initiate sandboxing, why? Why am I getting some Messages from Sandbox Driver? Why are so many files copied into the sandbox? What are SandboxieRpcSs and SandboxieDcomLaunch? 
How can I use Sandboxie to protect myself from viruses in email? How to configure Sandboxie for only an occasional use?","title":"Technical"},{"location":"Content/FrequentlyAskedQuestions/#problems","text":"How do I make Quick Recovery show my saved favorites and downloads? I saved a downloaded file, a document or an email inside the sandbox, how do I get it out? Why does the wrong program start when I run my default Web browser sandboxed? Why does Sysinternals Process Monitor not work inside the sandbox? If you have a program that doesn't work properly sandboxed, please look it up on the Known Conflicts page before posting a problem report . Back to HelpTopics","title":"Problems"},{"location":"Content/FrequentlyAskedQuestions/#what-is-sandboxie-and-how-is-it-different-than-other-solutions","text":"Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper. Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely. On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. Thanks to esalkin for the paper metaphor. Thanks to warwagon for the graphics. Back to Table of Contents","title":"What is Sandboxie and how is it different than other solutions?"},{"location":"Content/FrequentlyAskedQuestions/#how-safe-would-i-be-by-using-sandboxie","text":"You would be quite safe using Sandboxie. 
It should be noted that, from time to time, people are able to find some vulnerability in Sandboxie, an open hole through which malicious software can still infiltrate the system. This is very rare and is quickly resolved by closing the hole that is the attack vector. Thus it's a good idea to have more traditional anti-malware software. This is is the subject of the following question. Back to Table of Contents","title":"How safe would I be, by using Sandboxie?"},{"location":"Content/FrequentlyAskedQuestions/#do-i-need-other-solutions-if-i-use-sandboxie","text":"Sandboxie may be your first line of defense, but it should certainly be complemented by the more traditional anti-virus and anti-malware solutions. These solutions can let you know if your system does become infected in any way. Typically, those other solutions employ various forms of pattern matching to discover malicious software and other threats. Sandboxie, on the other hand, quite simply does not trust any software code enough to let it out of the sandbox. The combination of the two approaches should keep malicious software -- which is serving the interest of other unknown parties -- out of your computer. Back to Table of Contents","title":"Do I need other solutions if I use Sandboxie?"},{"location":"Content/FrequentlyAskedQuestions/#what-kinds-of-programs-can-i-run-using-sandboxie","text":"You should be able to run most applications sandboxed. Major Web browsers Mail and news readers instant messengers and chat clients peer-to-peer networking Office Suites (MS Office, LibreOffice, OpenOffice) Most games in particular, online games which download extension software code In all cases on this list, your client-side program is exposed to remote software code, which could use the program as a channel to infiltrate your system. By running the program sandboxed, you greatly increase the control you have over that channel. And in addition, you can even install some applications into the sandbox. 
Back to Table of Contents","title":"What kinds of programs can I run using Sandboxie?"},{"location":"Content/FrequentlyAskedQuestions/#what-are-the-requirements-to-run-sandboxie","text":"Sandboxie works on Windows XP SP3 (Up until Sandboxie 5.22 and solely in v5.40 ) Windows Vista SP2 (Up until Sandboxie 5.22) Windows 7 32/64 Windows 8.1 32/64 Windows 10 32/64 ( Modern Apps not supported ) Windows 11 64 ( Modern Apps not supported ) See the download page . Supported Web Browsers (32 & 64 bit supported) Internet Explorer 8, 9, 10 & 11 Microsoft Edge (Chromium) Google Chrome Firefox Opera PaleMoon SeaMonkey Vivaldi Waterfox Brave Browser And many others! Sandboxie does not work on... Windows XP x64 bit Windows 95, 98 or ME Mac or Linux operating systems. Sandboxie should not be installed on Microsoft Server Operating Systems as it's not directly supported. However, we have many users that have deployed it successfully. You can run Sandboxie in a VM Environment (VMWare, VirtualBox, Apple BootCamp, etc.) There are no particular hardware requirements to run Sandboxie. However, we do no test on touchscreen devices (many users have successfully installed Sandboxie on Surface pro and similar devices). Sandboxie needs only a small amount of memory and should have a very small impact on performance. Back to Table of Contents","title":"What are the requirements to run Sandboxie?"},{"location":"Content/FrequentlyAskedQuestions/#how-does-sandboxie-protect-me-technically","text":"Sandboxie extends the operating system (OS) with sandboxing capabilities by blending into it. Applications can never access hardware such as disk storage directly, they have to ask the OS to do it for them. Since Sandboxie integrates into the OS, it can do what it does without risk of being circumvented. 
The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication: Named Pipes and Mailbox Objects, Events, Mutexes (Mutants in NT speak), Semaphores, Sections and LPC Ports. For some more information on this, see Sandbox Hierarchy . Sandboxie also takes measures to prevent programs executing inside the sandbox from hijacking non-sandboxed programs and using them as a vehicle to operate outside the sandbox. For the same reason, Sandboxie doesn't allow a sandboxed process from reading the memory of unsandboxed processes and it provides a feature to hide selected host processes from sandboxed processes. For more information about this, see #59 and 0.3 / 5.42 notes . Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program. It should be noted, however, that Sandboxie does not typically prevent the exfiltration of user data by processes running under its supervision without advanced configuration, as the default file and registry access scheme is Allow Read to anything except when the user specified a particular path to be closed. However, by careful configuration of the ClosedFilePath and ClosedKeyPath settings, you can achieve this goal as well. If you want to follow the future development on this, see New privacy enhanced File/Registry access scheme, White list/Template Mode, plans and discussion . Back to Table of Contents","title":"How does Sandboxie protect me, technically?"},{"location":"Content/FrequentlyAskedQuestions/#will-sandboxie-protect-me-from-malicious-key-loggers","text":"Yes, to some extent. 
First of all, your system (outside the sandbox) must not have been already compromised by an installed key-logger. Sandboxie can not protect against key-loggers that are already running outside the sandbox. You may want to consider always browsing sandboxed, so you don't accidentally get any key-loggers into your system. It is very difficult to reliably detect a key-logger. For a lengthy explanation, see Detecting Key Loggers . So the most important tool Sandboxie offers you for protection against key-loggers, is to delete the sandbox. When you stop all sandboxed activity (in all sandboxes), then proceed to delete the sandbox you're about to use, you can be fairly certain that all key-loggers are dead. Back to Table of Contents","title":"Will Sandboxie protect me from malicious key-loggers?"},{"location":"Content/FrequentlyAskedQuestions/#some-competing-products-require-a-reboot-to-initiate-sandboxing-why","text":"Changes to the computing environment must eventually make their way to disk storage, if they are to be permanent. This obviously applies to files. But it also applies to things like settings and preferences saved in the system registry. Some competing products require a reboot before each use, because they sandbox disk storage as a whole. They provide the operating system and everything in it with a single virtual disk, which is used to trap those permanent changes. The operating system is not designed to use one disk for some tasks, and another disk for other tasks. Therefore a reboot is required to switch to and from the virtual disk. Sandboxie does not require a reboot because it sandboxes access to files, rather than to the disk as a whole. It also sandboxes access to registry keys. It also sandboxes access to many other classes of system components, in order to trick the sandboxed program into believing that it isn't being tricked. 
This low-level sandboxing in some competing products makes it possible to install a wider range of applications and system tools -- including system drivers -- into the sandbox. Sandboxie can install most applications into the sandbox, but not system software nor drivers. It becomes apparent that, like most other things, each tool has its advantages and disadvantages, and one must choose the best tool for the task at hand. Back to Table of Contents","title":"Some competing products require a reboot to initiate sandboxing, why?"},{"location":"Content/FrequentlyAskedQuestions/#why-am-i-getting-some-messages-from-sandbox-driver","text":"Not all messages are errors, some simply inform you of an event that has occurred. For more information, see SBIE Messages and Log Messages To A File . Back to Table of Contents","title":"Why am I getting some Messages from Sandbox Driver?"},{"location":"Content/FrequentlyAskedQuestions/#why-are-so-many-files-copied-into-the-sandbox","text":"When a program accesses a file, it declares what operations it plans to do on the file: if it plans to read from the file, to write the file, to change its attributes, and so on. Whenever a program declares any kind of write access to a file, Sandboxie copies it into the sandbox. In some cases, programs declare they intend to write to the file when in fact they do not, but nevertheless Sandboxie must copy the file into the sandbox. Back to Table of Contents","title":"Why are so many files copied into the sandbox?"},{"location":"Content/FrequentlyAskedQuestions/#what-are-sandboxierpcss-and-sandboxiedcomlaunch","text":"See Service Programs . Back to Table of Contents","title":"What are SandboxieRpcSs and SandboxieDcomLaunch?"},{"location":"Content/FrequentlyAskedQuestions/#how-can-i-use-sandboxie-to-protect-myself-from-viruses-in-email","text":"See full article: Email Protection . 
Back to Table of Contents","title":"How can I use Sandboxie to protect myself from viruses in email?"},{"location":"Content/FrequentlyAskedQuestions/#how-to-configure-sandboxie-for-only-an-occasional-use","text":"By default Sandboxie is configured to load and start automatically. To have Sandboxie load only when you need it, make the following changes. In Sandboxie Control , open the Configure -> Shell Integration window, and clear the checkbox When Windows starts to stop Sandboxie Control from starting. In Sandboxie Plus, see the Sandboxie-Plus Migration Guide . Open the Windows Services configuration window: Start menu -> Control Panel -> Administrative Tools -> Services . Then locate the Sandboxie Service. Double click to bring up its properties window. Set its Startup type to Manual rather than automatic. The driver component of Sandboxie is started by the Sandboxie Service. Therefore, setting the service to start manually, indirectly also sets the driver to start manually. Starting Sandboxie Control will also start the service. (But note that Administrative rights are required to start a service.) Back to Table of Contents","title":"How to configure Sandboxie for only an occasional use?"},{"location":"Content/FrequentlyAskedQuestions/#how-do-i-make-quick-recovery-show-my-saved-favorites-and-downloads","text":"You may not see all your folders in Quick Recovery, as only a few are configured by default in the initial installation. See also Quick Recovery . Back to Table of Contents","title":"How do I make Quick Recovery show my saved favorites and downloads?"},{"location":"Content/FrequentlyAskedQuestions/#i-saved-a-downloaded-file-a-document-or-an-email-inside-the-sandbox-how-do-i-get-it-out","text":"If you read What is Sandboxie then you know Sandboxie is like a transparency layer placed over the paper. (The paper is your computer.) 
When you save files (downloads, documents, emails, or anything else) through a sandboxed program, these files go into the transparency layer that is the sandbox. You can use Quick Recovery to get these files out. Unless configured otherwise, Quick Recovery looks in your Documents , Favorites , Desktop and Downloads folders. If you save the files to either of these folders, then you can use Quick Recovery to easily get them out. Another approach is configuring one or more folders as an OpenFilePath . Saving files into such folders bypasses the sandbox mechanism, and goes directly to the real folders. Setting this is more complicated, but may also prove useful, in some cases. Back to Table of Contents","title":"I saved a downloaded file, a document or an email inside the sandbox, how do I get it out?"},{"location":"Content/FrequentlyAskedQuestions/#why-does-the-wrong-program-start-when-i-run-my-default-web-browser-sandboxed","text":"This happens for some people. In Windows 7, open Control Panel in Icon view and select Default Programs > Set your default programs. You can then select the browser you want as default. In Windows 8/8.1, point to (but do not click) the lower-right or top-right corner of the screen, and then click the Settings icon. In the lower-right corner, click Change PC Settings > Search and apps > Defaults. You can then select the browser you want as default. If using Windows 10/11, ensure that your default Web Browser for Windows is set correctly (click on the Start menu, type \"default apps\" and Choose your default apps). Back to Table of Contents","title":"Why does the wrong program start when I run my default Web browser sandboxed?"},{"location":"Content/FrequentlyAskedQuestions/#why-does-sysinternals-process-monitor-not-work-inside-the-sandbox","text":"While Process Monitor can't run sandboxed, it can monitor the activity inside the sandbox. 
Back to Table of Contents","title":"Why does Sysinternals Process Monitor not work inside the sandbox?"},{"location":"Content/FrontPageAnimation/","text":"","title":"FrontPageAnimation"},{"location":"Content/GeneralTips/","text":"General Tips Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"General Tips"},{"location":"Content/GeneralTips/#general-tips","text":"Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. 
Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"General Tips"},{"location":"Content/GettingStarted/","text":"Getting Started Part One: Introduction Sandboxie runs your applications in an isolated abstraction area called a sandbox. Under the supervision of Sandboxie, an application operates normally and at full speed, but can't effect permanent changes to your computer. Instead, the changes are effected only in the sandbox. This Getting Started tutorial will show you: How to to use Sandboxie to run your applications How the changes are trapped in the sandbox How to recover important files and documents out of the sandbox How to delete the sandbox Or skip ahead to Getting Started Part Six which discusses a few final points. You can also review the External Tutorials page for more links to tutorials about Sandboxie, some in languages other than English, others are in video form rather than text. Sandboxie Control interface Sandboxie Classic is operated through the Sandboxie Control program. This program adds the yellow Sandboxie icon to the system notification (\"tray\") area of your taskbar: If Sandboxie Control is not already active, you can find it and launch it from the Sandboxie program group in your Windows Start menu: When active, you can use the Sandboxie tray icon to hide and show the main window of Sandboxie Control , by double-clicking the icon. Or, you can right-click the icon and select the first command, which alternates between Hide Window and Show Window . For this tutorial, make sure the main window of Sandboxie Control is visible. You should view this tutorial in a sandboxed Web browser. 
To do that, use the Getting Started Tutorial (Web) command in the Help Menu of Sandboxie Control , and make sure you tell Sandboxie Control to run your browser sandboxed : The tutorial continues in Getting Started Part Two .","title":"Getting Started"},{"location":"Content/GettingStarted/#getting-started","text":"","title":"Getting Started"},{"location":"Content/GettingStarted/#part-one-introduction","text":"Sandboxie runs your applications in an isolated abstraction area called a sandbox. Under the supervision of Sandboxie, an application operates normally and at full speed, but can't effect permanent changes to your computer. Instead, the changes are effected only in the sandbox. This Getting Started tutorial will show you: How to to use Sandboxie to run your applications How the changes are trapped in the sandbox How to recover important files and documents out of the sandbox How to delete the sandbox Or skip ahead to Getting Started Part Six which discusses a few final points. You can also review the External Tutorials page for more links to tutorials about Sandboxie, some in languages other than English, others are in video form rather than text.","title":"Part One: Introduction"},{"location":"Content/GettingStarted/#sandboxie-control-interface","text":"Sandboxie Classic is operated through the Sandboxie Control program. This program adds the yellow Sandboxie icon to the system notification (\"tray\") area of your taskbar: If Sandboxie Control is not already active, you can find it and launch it from the Sandboxie program group in your Windows Start menu: When active, you can use the Sandboxie tray icon to hide and show the main window of Sandboxie Control , by double-clicking the icon. Or, you can right-click the icon and select the first command, which alternates between Hide Window and Show Window . For this tutorial, make sure the main window of Sandboxie Control is visible. You should view this tutorial in a sandboxed Web browser. 
To do that, use the Getting Started Tutorial (Web) command in the Help Menu of Sandboxie Control , and make sure you tell Sandboxie Control to run your browser sandboxed : The tutorial continues in Getting Started Part Two .","title":"Sandboxie Control interface"},{"location":"Content/GettingStartedPartFive/","text":"Getting Started Part Five Part Five: Delete Sandbox When you are finished using the application under Sandboxie, and you have recovered the downloaded files, documents and other desired work items, it is a good idea to delete the contents of the sandbox. Click the Delete Contents command in the Tray Icon Menu : You can also invoke the Delete Contents command from the Sandbox Menu in the main window of Sandboxie Control. The Delete Sandbox window appears, giving you one last chance to recover any files still remaining in the sandbox: The upper part of the window in the picture above was introduced in the last part as the Quick Recovery command. The lower part counts the accumulated size of the contents of the sandbox. Finally, when you are sure you have recovered everything you need, click Delete Sandbox to delete the sandbox. Note that regardless of the size of the sandbox, the delete process always takes only a few seconds. This should be considered normal and expected. During this time, the Sandboxie tray icon changes to a red X icon to indicate that sandbox delete is in progress. In the default configuration, the sandbox is not deleted automatically, so you will have to manually invoke the Delete Contents command whenever you want to delete the contents of the sandbox. This behavior can be changed by altering a setting. In the main window of Sandboxie Control , use the Sandbox Menu to open the Sandbox Settings window: The Sandbox Settings window appears. 
Click on Delete to expand the delete settings group, then on Invocation to show the Delete > Invocation settings page: Place a checkmark in the box Automatically delete contents of sandbox to have Sandboxie automatically invoke the Delete Sandbox command, as described in the settings page. The tutorial concludes in Getting Started Part Six .","title":"Getting Started Part Five"},{"location":"Content/GettingStartedPartFive/#getting-started-part-five","text":"","title":"Getting Started Part Five"},{"location":"Content/GettingStartedPartFive/#part-five-delete-sandbox","text":"When you are finished using the application under Sandboxie, and you have recovered the downloaded files, documents and other desired work items, it is a good idea to delete the contents of the sandbox. Click the Delete Contents command in the Tray Icon Menu : You can also invoke the Delete Contents command from the Sandbox Menu in the main window of Sandboxie Control. The Delete Sandbox window appears, giving you one last chance to recover any files still remaining in the sandbox: The upper part of the window in the picture above was introduced in the last part as the Quick Recovery command. The lower part counts the accumulated size of the contents of the sandbox. Finally, when you are sure you have recovered everything you need, click Delete Sandbox to delete the sandbox. Note that regardless of the size of the sandbox, the delete process always takes only a few seconds. This should be considered normal and expected. During this time, the Sandboxie tray icon changes to a red X icon to indicate that sandbox delete is in progress. In the default configuration, the sandbox is not deleted automatically, so you will have to manually invoke the Delete Contents command whenever you want to delete the contents of the sandbox. This behavior can be changed by altering a setting. 
In the main window of Sandboxie Control , use the Sandbox Menu to open the Sandbox Settings window: The Sandbox Settings window appears. Click on Delete to expand the delete settings group, then on Invocation to show the Delete > Invocation settings page: Place a checkmark in the box Automatically delete contents of sandbox to have Sandboxie automatically invoke the Delete Sandbox command, as described in the settings page. The tutorial concludes in Getting Started Part Six .","title":"Part Five: Delete Sandbox"},{"location":"Content/GettingStartedPartFour/","text":"Getting Started Part Four Part Four: Quick Recovery You may have noticed that when you saved the file favicon.ico to your desktop folder, earlier, Sandboxie offered Immediate Recovery for that file. However, no such offer was made when you saved test1.txt to the root folder of drive C. This is because the desktop folder is (by default) configured as a recoverable folder location, from which you will typically want to recover files. The root folder of drive C is not considered a recoverable location. The Quick Recovery command scans the recoverable folders and displays a summary of all recoverable files: You can invoke the Quick Recovery command: From the Sandbox Menu in the main window of Sandboxie Control. By right-clicking the Tray Icon Menu at the corner of the screen. The picture above shows favicon.ico as the only recoverable file, because it was the only file saved to a recoverable location -- the desktop folder in this case. Other folder locations that are set as recoverable folders by default are your Documents folder, the Windows Favorites folder. Where applicable, your Downloads folder is also considered a recoverable folder. Since these folders don't contain any files eligible for recovery, they are not listed at all in the picture above. You can use the Add Folder button to add more folders to Quick Recovery. 
You can switch Sandboxie Control to the Files And Folders View to view and recover any file that resides anywhere in the sandbox. When recovering a file (or a folder), you can choose to recover the file to the corresponding location outside the sandbox -- for example, from the sandboxed desktop folder, to the real desktop. The Recover to Same Folder command (shown as a button in the picture above) does that. Alternatively, you can use the Recover to Any Folder command, which can move the sandboxed file to any folder location in your computer system. Immediate Recovery The Immediate Recovery feature, which was mentioned briefly in the previous part of this guide, is an extension of Quick Recovery . Immediate Recovery keeps scanning the same set of recoverable folders, and will enable you to recover files as soon as they are created: As with Quick Recovery, you can Recover to Same Folder or Recover to Any Folder . Summary: Files must be created in recoverable folders if they are to be noticed by Quick Recovery and Immediate Recovery . You can customize the set of recoverable folders. You can use Files And Folders View to recover files that do not reside in any recoverable folder. The tutorial continues in Getting Started Part Five .","title":"Getting Started Part Four"},{"location":"Content/GettingStartedPartFour/#getting-started-part-four","text":"","title":"Getting Started Part Four"},{"location":"Content/GettingStartedPartFour/#part-four-quick-recovery","text":"You may have noticed that when you saved the file favicon.ico to your desktop folder, earlier, Sandboxie offered Immediate Recovery for that file. However, no such offer was made when you saved test1.txt to the root folder of drive C. This is because the desktop folder is (by default) configured as a recoverable folder location, from which you will typically want to recover files. The root folder of drive C is not considered a recoverable location. 
The Quick Recovery command scans the recoverable folders and displays a summary of all recoverable files: You can invoke the Quick Recovery command: From the Sandbox Menu in the main window of Sandboxie Control. By right-clicking the Tray Icon Menu at the corner of the screen. The picture above shows favicon.ico as the only recoverable file, because it was the only file saved to a recoverable location -- the desktop folder in this case. Other folder locations that are set as recoverable folders by default are your Documents folder, the Windows Favorites folder. Where applicable, your Downloads folder is also considered a recoverable folder. Since these folders don't contain any files eligible for recovery, they are not listed at all in the picture above. You can use the Add Folder button to add more folders to Quick Recovery. You can switch Sandboxie Control to the Files And Folders View to view and recover any file that resides anywhere in the sandbox. When recovering a file (or a folder), you can choose to recover the file to the corresponding location outside the sandbox -- for example, from the sandboxed desktop folder, to the real desktop. The Recover to Same Folder command (shown as a button in the picture above) does that. Alternatively, you can use the Recover to Any Folder command, which can move the sandboxed file to any folder location in your computer system.","title":"Part Four: Quick Recovery"},{"location":"Content/GettingStartedPartFour/#immediate-recovery","text":"The Immediate Recovery feature, which was mentioned briefly in the previous part of this guide, is an extension of Quick Recovery . Immediate Recovery keeps scanning the same set of recoverable folders, and will enable you to recover files as soon as they are created: As with Quick Recovery, you can Recover to Same Folder or Recover to Any Folder . Summary: Files must be created in recoverable folders if they are to be noticed by Quick Recovery and Immediate Recovery . 
You can customize the set of recoverable folders. You can use Files And Folders View to recover files that do not reside in any recoverable folder. The tutorial continues in Getting Started Part Five .","title":"Immediate Recovery"},{"location":"Content/GettingStartedPartSix/","text":"Getting Started Part Six Part Six: Conclusion This tutorial has walked you through the basic principles of using and understanding Sandboxie: * How to use Sandboxie to run your applications * How the changes are trapped in the sandbox * How to recover important files and documents out of the sandbox * How to delete the sandbox You can read more tips about using Sandboxie in the Usage Tips page, and in pages about specific web browsers: Internet Explorer Tips and Firefox Tips . An important point to keep in mind when using Sandboxie is that it is designed to isolate programs from each other. Therefore you should expect to lose a small measure of interoperability between programs. For example: Email: Clicking email ( mailto ) links typically causes your web browser to start your email software. This will not work correctly unless Sandboxie is configured to run your email software in that sandbox. See FAQ Email . You can avoid this problem by right-clicking the email link instead of left (normal) clicking it. The right-click menu will let you copy the email address. Then switch to your email software and paste the email address. If the pasted email address begins with a mailto: prefix, then make sure to delete that prefix, including the colon (:). Download manager: Clicking download links is intercepted and handled by software which is operating outside your web browser. When the web browser is running in a sandbox, this might cause it to start the download manager in the sandbox as well, which would probably not be the desired result. You can avoid this problem by right-clicking the download link instead of left (normal) clicking it. The right-click menu will let you copy the link. 
Then switch to your download manager program, and paste the link to start the download process. On the other hand, you should not expect to lose every measure of interoperability between programs. For example, you may use a dictionary software which should react to keystrokes or mouse-clicks to display information in a pop-up window. Sandboxie may or may not interfere with this, depending on how the dictionary software is designed. When things do not work as expected, please report it on the Sandboxie support and ask for a solution. Please also take some time now to review the many settings in the Sandbox Settings window. The settings are explained clearly, and you will find many settings that allow you to find the best balance between security and convenience. For example, one person may prefer greater security and control over web bookmarks and favorites, by letting them first save into the sandbox, and then recovering selected items through Quick Recovery or Immediate Recovery . (This is the default configuration in Sandboxie.) But another person may prefer to configure Sandboxie such that a sandboxed web browser can directly access the bookmarks or favorites, without an intermediate recovery step, thus sacrificing some security for greater convenience. Sandboxie allows you to find your personal balance of security and convenience. Enjoy! This is the end of the tutorial. 
Go back to Help Topics , where you can read more Usage Tips .","title":"Getting Started Part Six"},{"location":"Content/GettingStartedPartSix/#getting-started-part-six","text":"","title":"Getting Started Part Six"},{"location":"Content/GettingStartedPartSix/#part-six-conclusion","text":"This tutorial has walked you through the basic principles of using and understanding Sandboxie: * How to use Sandboxie to run your applications * How the changes are trapped in the sandbox * How to recover important files and documents out of the sandbox * How to delete the sandbox You can read more tips about using Sandboxie in the Usage Tips page, and in pages about specific web browsers: Internet Explorer Tips and Firefox Tips . An important point to keep in mind when using Sandboxie is that it is designed to isolate programs from each other. Therefore you should expect to lose a small measure of interoperability between programs. For example: Email: Clicking email ( mailto ) links typically causes your web browser to start your email software. This will not work correctly unless Sandboxie is configured to run your email software in that sandbox. See FAQ Email . You can avoid this problem by right-clicking the email link instead of left (normal) clicking it. The right-click menu will let you copy the email address. Then switch to your email software and paste the email address. If the pasted email address begins with a mailto: prefix, then make sure to delete that prefix, including the colon (:). Download manager: Clicking download links is intercepted and handled by software which is operating outside your web browser. When the web browser is running in a sandbox, this might cause it to start the download manager in the sandbox as well, which would probably not be the desired result. You can avoid this problem by right-clicking the download link instead of left (normal) clicking it. The right-click menu will let you copy the link. 
Then switch to your download manager program, and paste the link to start the download process. On the other hand, you should not expect to lose every measure of interoperability between programs. For example, you may use a dictionary software which should react to keystrokes or mouse-clicks to display information in a pop-up window. Sandboxie may or may not interfere with this, depending on how the dictionary software is designed. When things do not work as expected, please report it on the Sandboxie support and ask for a solution. Please also take some time now to review the many settings in the Sandbox Settings window. The settings are explained clearly, and you will find many settings that allow you to find the best balance between security and convenience. For example, one person may prefer greater security and control over web bookmarks and favorites, by letting them first save into the sandbox, and then recovering selected items through Quick Recovery or Immediate Recovery . (This is the default configuration in Sandboxie.) But another person may prefer to configure Sandboxie such that a sandboxed web browser can directly access the bookmarks or favorites, without an intermediate recovery step, thus sacrificing some security for greater convenience. Sandboxie allows you to find your personal balance of security and convenience. Enjoy! This is the end of the tutorial. Go back to Help Topics , where you can read more Usage Tips .","title":"Part Six: Conclusion"},{"location":"Content/GettingStartedPartThree/","text":"Getting Started Part Three Part Three: The Sandbox You should now have your Web browser running sandboxed . It can be Internet Explorer or any other browser. The browser program may make changes to your computer. These changes will all be trapped in the sandbox. Try it now. Right-click on the following link, and save the file to your desktop. If you're using Internet Explorer, this is the Save Target As command in the right-click menu. 
If you're using Firefox, this is the Save Link As command in the right-click menu: favicon.ico In the default and recommended configuration, Sandboxie will identify that a file was saved to an interesting location -- your desktop, in this case -- and will offer Immediate Recovery for the file: Because the point of this exercise is to show that files remain in the sandbox unless recovered, click the Close button on the window above, to tell Sandboxie to keep the file in the sandbox. The file you saved, favicon.ico would appear on your desktop as this icon: If you minimize all windows and examine your desktop, you should not be able to see the new icon, because the file was in fact saved in the sandbox , and not yet recovered. Sandboxie Control initially operates in Programs View where it lists the programs running in the sandbox, but you can use the View Menu to switch the view mode to Files And Folders View which shows the contents of the sandbox. Click Files and Folders in the View menu. Expand the branches (by clicking the + signs) to reveal the contents of the sandbox, arranged into folders. As you can see in the picture directly above, the file favicon.ico that you saved earlier has been placed in the sandboxed desktop folder. In the same way, any file created by any sandboxed program will be placed in a sandbox folder corresponding to the real folder where it should have been placed. Let's try this again, this time with a sandboxed Notepad. To do this, use the Run Any Program command: Sandboxie displays its Run... dialog box. Type notepad : Notepad should start sandboxed: Type a few letters into the new Notepad document, and save it as file test1.txt at the root folder of drive C. Then, look for this file in the root folder of drive C. You should not be able to find it. That's because the file was saved in the sandbox: Summary: Files created or modified by sandboxed programs are initially placed in the sandbox. 
Files in the sandbox are not visible to programs outside the sandbox. The tutorial continues in Getting Started Part Four .","title":"Getting Started Part Three"},{"location":"Content/GettingStartedPartThree/#getting-started-part-three","text":"","title":"Getting Started Part Three"},{"location":"Content/GettingStartedPartThree/#part-three-the-sandbox","text":"You should now have your Web browser running sandboxed . It can be Internet Explorer or any other browser. The browser program may make changes to your computer. These changes will all be trapped in the sandbox. Try it now. Right-click on the following link, and save the file to your desktop. If you're using Internet Explorer, this is the Save Target As command in the right-click menu. If you're using Firefox, this is the Save Link As command in the right-click menu: favicon.ico In the default and recommended configuration, Sandboxie will identify that a file was saved to an interesting location -- your desktop, in this case -- and will offer Immediate Recovery for the file: Because the point of this exercise is to show that files remain in the sandbox unless recovered, click the Close button on the window above, to tell Sandboxie to keep the file in the sandbox. The file you saved, favicon.ico would appear on your desktop as this icon: If you minimize all windows and examine your desktop, you should not be able to see the new icon, because the file was in fact saved in the sandbox , and not yet recovered. Sandboxie Control initially operates in Programs View where it lists the programs running in the sandbox, but you can use the View Menu to switch the view mode to Files And Folders View which shows the contents of the sandbox. Click Files and Folders in the View menu. Expand the branches (by clicking the + signs) to reveal the contents of the sandbox, arranged into folders. 
As you can see in the picture directly above, the file favicon.ico that you saved earlier has been placed in the sandboxed desktop folder. In the same way, any file created by any sandboxed program will be placed in a sandbox folder corresponding to the real folder where it should have been placed. Let's try this again, this time with a sandboxed Notepad. To do this, use the Run Any Program command: Sandboxie displays its Run... dialog box. Type notepad : Notepad should start sandboxed: Type a few letters into the new Notepad document, and save it as file test1.txt at the root folder of drive C. Then, look for this file in the root folder of drive C. You should not be able to find it. That's because the file was saved in the sandbox: Summary: Files created or modified by sandboxed programs are initially placed in the sandbox. Files in the sandbox are not visible to programs outside the sandbox. The tutorial continues in Getting Started Part Four .","title":"Part Three: The Sandbox"},{"location":"Content/GettingStartedPartTwo/","text":"Getting Started Part Two Part Two: Run Web Browser To launch your Web browser, find the desktop shortcut icon for Sandboxed Web Browser and click it: Alternatively, right-click the Sandboxie Control tray icon, and navigate the popup Tray Icon Menu to select the Run Web Browser action. A third option is via the Sandbox Menu in the main window of Sandboxie Control: Your Web browser should come up sandboxed . You can tell that a program is sandboxed because its window title bar contains additional Sandboxie [#] indicators: ((NOTE: Newer browsers may not show the # in the title bar, however if you hover your mouse along the edges of the window, it will turn yellow.) (Note: In some computer systems, Sandboxie starts the wrong program when you select Run Web Browser . If this is the case for you, see Frequently Asked Questions to fix this.) 
The sandboxed program should appear in the main window of Sandboxie Control : The window displays the list of programs that are currently running sandboxed under the supervision of Sandboxie. Initially there is just one sandbox, DefaultBox , however, more sandboxes can be created; see the Create New Sandbox command in the Sandbox Menu . The picture above shows Sandboxie is running three programs. The first, iexplore.exe , stands for Internet Explorer, as this tutorial assumes Internet Explorer is the Web browser in use. If the default Web browser in your system is Firefox, or Opera, then you would see firefox.exe or opera.exe , respectively, as the first program running in the sandbox. The screenshot shows two more programs are running, SandboxieRpcss.exe and SandboxieDcomLaunch.exe . These support programs are part of Sandboxie. If they are needed, they will be automatically started, without any explicit action on your part. See Service Programs . When Sandboxie is actively running programs in any of the sandboxes, the Sandboxie tray icon (at the corner of the screen) displays red dots: The tutorial continues in Getting Started Part Three .","title":"Getting Started Part Two"},{"location":"Content/GettingStartedPartTwo/#getting-started-part-two","text":"","title":"Getting Started Part Two"},{"location":"Content/GettingStartedPartTwo/#part-two-run-web-browser","text":"To launch your Web browser, find the desktop shortcut icon for Sandboxed Web Browser and click it: Alternatively, right-click the Sandboxie Control tray icon, and navigate the popup Tray Icon Menu to select the Run Web Browser action. A third option is via the Sandbox Menu in the main window of Sandboxie Control: Your Web browser should come up sandboxed . 
You can tell that a program is sandboxed because its window title bar contains additional Sandboxie [#] indicators: ((NOTE: Newer browsers may not show the # in the title bar, however if you hover your mouse along the edges of the window, it will turn yellow.) (Note: In some computer systems, Sandboxie starts the wrong program when you select Run Web Browser . If this is the case for you, see Frequently Asked Questions to fix this.) The sandboxed program should appear in the main window of Sandboxie Control : The window displays the list of programs that are currently running sandboxed under the supervision of Sandboxie. Initially there is just one sandbox, DefaultBox , however, more sandboxes can be created; see the Create New Sandbox command in the Sandbox Menu . The picture above shows Sandboxie is running three programs. The first, iexplore.exe , stands for Internet Explorer, as this tutorial assumes Internet Explorer is the Web browser in use. If the default Web browser in your system is Firefox, or Opera, then you would see firefox.exe or opera.exe , respectively, as the first program running in the sandbox. The screenshot shows two more programs are running, SandboxieRpcss.exe and SandboxieDcomLaunch.exe . These support programs are part of Sandboxie. If they are needed, they will be automatically started, without any explicit action on your part. See Service Programs . When Sandboxie is actively running programs in any of the sandboxes, the Sandboxie tray icon (at the corner of the screen) displays red dots: The tutorial continues in Getting Started Part Three .","title":"Part Two: Run Web Browser"},{"location":"Content/HelpMenu/","text":"Help Menu Sandboxie Control > Help Menu Help Topics (Web) Sandboxie Control > Help Menu > Help Topics (Web) Opens a web browser on the Help Topics page of this online documentation. A window will open to ask if the web browser should run under the supervision of Sandboxie (recommended) or not. 
See Getting Stated Tutorial (Web) below. Getting Started Tutorial (Web) Sandboxie Control > Help Menu > Getting Started Tutorial (Web) Opens a web browser on the Getting Started page of this online documentation. A window will open to ask if the web browser should run under the supervision of Sandboxie (recommended) or not: Check For Updates Sandboxie Control > Help Menu > Check For Updates This command checks if the Sandboxie web site reports a newer version of Sandboxie than the one installed on the computer. Click the Now button to initiate an immediate check. Click the Next Week button to postpone the check to a later time. Click the Never button to disable automatic check for updates. About Sandboxie Sandboxie Control > Help Menu > About Sandboxie Displays product and registration information for the Sandboxie program. Go to Sandboxie Control , Help Topics .","title":"Help Menu"},{"location":"Content/HelpMenu/#help-menu","text":"Sandboxie Control > Help Menu","title":"Help Menu"},{"location":"Content/HelpMenu/#help-topics-web","text":"Sandboxie Control > Help Menu > Help Topics (Web) Opens a web browser on the Help Topics page of this online documentation. A window will open to ask if the web browser should run under the supervision of Sandboxie (recommended) or not. See Getting Stated Tutorial (Web) below.","title":"Help Topics (Web)"},{"location":"Content/HelpMenu/#getting-started-tutorial-web","text":"Sandboxie Control > Help Menu > Getting Started Tutorial (Web) Opens a web browser on the Getting Started page of this online documentation. A window will open to ask if the web browser should run under the supervision of Sandboxie (recommended) or not:","title":"Getting Started Tutorial (Web)"},{"location":"Content/HelpMenu/#check-for-updates","text":"Sandboxie Control > Help Menu > Check For Updates This command checks if the Sandboxie web site reports a newer version of Sandboxie than the one installed on the computer. 
Click the Now button to initiate an immediate check. Click the Next Week button to postpone the check to a later time. Click the Never button to disable automatic check for updates.","title":"Check For Updates"},{"location":"Content/HelpMenu/#about-sandboxie","text":"Sandboxie Control > Help Menu > About Sandboxie Displays product and registration information for the Sandboxie program. Go to Sandboxie Control , Help Topics .","title":"About Sandboxie"},{"location":"Content/HelpTopics/","text":"Help Topics Tutorial: Getting Started with Sandboxie General Usage Tips for using Sandboxie Usage Manual for Sandboxie Control Known Conflicts with other programs Frequently Asked Questions Advanced Topics Technical Aspects Reference for error and informational SBIE Messages Sandboxie Start Command Line parameters Configuring Sandboxie through Sandboxie Ini Documentation Index","title":"Help Topics"},{"location":"Content/HelpTopics/#help-topics","text":"","title":"Help Topics"},{"location":"Content/HelpTopics/#tutorial-getting-started-with-sandboxie","text":"","title":"Tutorial: Getting Started with Sandboxie"},{"location":"Content/HelpTopics/#general-usage-tips-for-using-sandboxie","text":"","title":"General Usage Tips for using Sandboxie"},{"location":"Content/HelpTopics/#usage-manual-for-sandboxie-control","text":"","title":"Usage Manual for Sandboxie Control"},{"location":"Content/HelpTopics/#known-conflicts-with-other-programs","text":"","title":"Known Conflicts with other programs"},{"location":"Content/HelpTopics/#frequently-asked-questions","text":"","title":"Frequently Asked Questions"},{"location":"Content/HelpTopics/#advanced-topics","text":"","title":"Advanced Topics"},{"location":"Content/HelpTopics/#technical-aspects","text":"","title":"Technical Aspects"},{"location":"Content/HelpTopics/#reference-for-error-and-informational-sbie-messages","text":"","title":"Reference for error and informational SBIE 
Messages"},{"location":"Content/HelpTopics/#sandboxie-start-command-line-parameters","text":"","title":"Sandboxie Start Command Line parameters"},{"location":"Content/HelpTopics/#configuring-sandboxie-through-sandboxie-ini","text":"","title":"Configuring Sandboxie through Sandboxie Ini"},{"location":"Content/HelpTopics/#documentation-index","text":"","title":"Documentation Index"},{"location":"Content/HideHostProcess/","text":"Hide Host Process HideHostProcess is a sandbox setting in Sandboxie Ini available since v0.3 / 5.42. It is used to hide unsandboxed host processes. It can also be used to hide Sandboxie services. . . . [DefaultBox] HideHostProcess=program.exe Related Sandboxie Plus setting: Sandbox Options > Advanced Options > Hide Processes","title":"Hide Host Process"},{"location":"Content/HideHostProcess/#hide-host-process","text":"HideHostProcess is a sandbox setting in Sandboxie Ini available since v0.3 / 5.42. It is used to hide unsandboxed host processes. It can also be used to hide Sandboxie services. . . . [DefaultBox] HideHostProcess=program.exe Related Sandboxie Plus setting: Sandbox Options > Advanced Options > Hide Processes","title":"Hide Host Process"},{"location":"Content/HideOtherBoxes/","text":"Hide Other Boxes HideOtherBoxes is a sandbox setting in Sandboxie Ini available since v0.3 / 5.42. By default, Sandboxie enables this feature, which allows processes to be hidden from other boxes. Example of disabling this setting: . . . [DefaultBox] HideOtherBoxes=n Related Sandboxie Plus setting: Sandbox Options > Advanced Options > Hide Processes > Don't allow sandboxed processes to see processes running in other boxes","title":"Hide Other Boxes"},{"location":"Content/HideOtherBoxes/#hide-other-boxes","text":"HideOtherBoxes is a sandbox setting in Sandboxie Ini available since v0.3 / 5.42. By default, Sandboxie enables this feature, which allows processes to be hidden from other boxes. Example of disabling this setting: . . . 
[DefaultBox] HideOtherBoxes=n Related Sandboxie Plus setting: Sandbox Options > Advanced Options > Hide Processes > Don't allow sandboxed processes to see processes running in other boxes","title":"Hide Other Boxes"},{"location":"Content/HowToUseWinDbg/","text":"How To Use Win Dbg In some rare cases, programs running under the supervision of Sandboxie might not work correctly, without providing any hint to the cause of the malfunction. In these cases, Microsoft's free Debugging Tools for Windows can help to shed more light on the problem or even to identify the cause of the problem. Download and install the latest release of Windows SDK (both 32-bit and 64-bit). If you just need the Debugging Tools for Windows , you can install the debugging tools as a standalone component. The package installs into C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers by default. The package creates an application group called Windows Kits in the Windows Start menu. The application group contains the program WinDbg . You probably should use the 32-bit debugger, even on 64-bit Windows. You only need to use the 64-bit debugger to debug 64-bit programs. For more information, see Choosing the 32-Bit or 64-Bit Debugging Tools . Scenario 1: Start a program from the debugger Start the debugger under Sandboxie by using the Sandboxie Start menu. Sandboxie Control > Sandbox Menu > Run From Start Menu Sandboxie Plus window > right click on your sandbox > Run > Run From Start Menu Then navigate the Sandboxie Start menu to locate and invoke the WinDbg program within the Windows Kits group. The WinDbg debugger should start and open its main window. In the debugger, invoke the File menu > Open Executable command. Then navigate to and select the EXE file for the program that you want to run in the debugger. For example, navigate to and select C:\\Windows\\System32\\notepad.exe The debugger will open a command window, to control (or to debug) the new program. 
Use the Debug menu > Go command to begin the execution of the program. (You can also press F5.) At this time the debugger status line will change to say BUSY . Proceed to read the section below titled Final Step . Scenario 2: Attach the debugger to a running program In this scenario, you already used Sandboxie to start the program, and the program is already running. Start the debugger normally from the Windows Start menu: Locate and invoke the WinDbg program within the Windows Kits group. The WinDbg debugger should start and open its main window. In the debugger, invoke the File menu > Attach to a Process command. (You can also press F6.) Then identify the EXE file for the program to which you want to attach the debugger. The debugger will open a command window, to control (or to debug) the attached program. If you attached to the a program after it was already exhibiting the problem, then proceed to read the section below titled Final Step . Otherwise use the Debug menu > Go command to continue the execution of the program. (You can also press F5.) At this time the debugger status line will change to say BUSY . Proceed to read the section below titled Final Step . Final Step This section assumes the program in question has already exhibited the problem: If the program gets stuck in a loop, then it should already be stuck. If the program crashes, then it should already have crashed. If the problem condition has not yet occurred, you should now cause the program to malfunction. Once the program exhibits the problem, switch back to the WinDbg debugger command window. If the debugger status line still says BUSY , use the Debug menu > Break command to stop the program. (You can also press Ctrl+Break.) When the debugger status line no longer says BUSY , enter the following commands. Enter one command at a time, then press Enter. 
.sympath srv*C:\\Symbols*https://msdl.microsoft.com/download/symbols .reload ~* k 99 The third command will cause the debugger to produce some output. When the command completes, please copy the entire debug log. Use the Edit menu > Copy Window Text to Clipboard command to copy the entire debug log to your clipboard, then go back to the Sandboxie support and paste this debug log into your comment. Thank you in advance.","title":"How To Use Win Dbg"},{"location":"Content/HowToUseWinDbg/#how-to-use-win-dbg","text":"In some rare cases, programs running under the supervision of Sandboxie might not work correctly, without providing any hint to the cause of the malfunction. In these cases, Microsoft's free Debugging Tools for Windows can help to shed more light on the problem or even to identify the cause of the problem. Download and install the latest release of Windows SDK (both 32-bit and 64-bit). If you just need the Debugging Tools for Windows , you can install the debugging tools as a standalone component. The package installs into C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers by default. The package creates an application group called Windows Kits in the Windows Start menu. The application group contains the program WinDbg . You probably should use the 32-bit debugger, even on 64-bit Windows. You only need to use the 64-bit debugger to debug 64-bit programs. For more information, see Choosing the 32-Bit or 64-Bit Debugging Tools . Scenario 1: Start a program from the debugger Start the debugger under Sandboxie by using the Sandboxie Start menu. Sandboxie Control > Sandbox Menu > Run From Start Menu Sandboxie Plus window > right click on your sandbox > Run > Run From Start Menu Then navigate the Sandboxie Start menu to locate and invoke the WinDbg program within the Windows Kits group. The WinDbg debugger should start and open its main window. In the debugger, invoke the File menu > Open Executable command. 
Then navigate to and select the EXE file for the program that you want to run in the debugger. For example, navigate to and select C:\\Windows\\System32\\notepad.exe The debugger will open a command window, to control (or to debug) the new program. Use the Debug menu > Go command to begin the execution of the program. (You can also press F5.) At this time the debugger status line will change to say BUSY . Proceed to read the section below titled Final Step . Scenario 2: Attach the debugger to a running program In this scenario, you already used Sandboxie to start the program, and the program is already running. Start the debugger normally from the Windows Start menu: Locate and invoke the WinDbg program within the Windows Kits group. The WinDbg debugger should start and open its main window. In the debugger, invoke the File menu > Attach to a Process command. (You can also press F6.) Then identify the EXE file for the program to which you want to attach the debugger. The debugger will open a command window, to control (or to debug) the attached program. If you attached to the a program after it was already exhibiting the problem, then proceed to read the section below titled Final Step . Otherwise use the Debug menu > Go command to continue the execution of the program. (You can also press F5.) At this time the debugger status line will change to say BUSY . Proceed to read the section below titled Final Step . Final Step This section assumes the program in question has already exhibited the problem: If the program gets stuck in a loop, then it should already be stuck. If the program crashes, then it should already have crashed. If the problem condition has not yet occurred, you should now cause the program to malfunction. Once the program exhibits the problem, switch back to the WinDbg debugger command window. If the debugger status line still says BUSY , use the Debug menu > Break command to stop the program. (You can also press Ctrl+Break.) 
When the debugger status line no longer says BUSY , enter the following commands. Enter one command at a time, then press Enter. .sympath srv*C:\\Symbols*https://msdl.microsoft.com/download/symbols .reload ~* k 99 The third command will cause the debugger to produce some output. When the command completes, please copy the entire debug log. Use the Edit menu > Copy Window Text to Clipboard command to copy the entire debug log to your clipboard, then go back to the Sandboxie support and paste this debug log into your comment. Thank you in advance.","title":"How To Use Win Dbg"},{"location":"Content/HowitWorks/","text":"How it Works Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox , depicted as a yellow rectangle. It also illustrates that grouping the changes together makes it easy to delete all of them at once. Download Sandboxie now and give it a try!","title":"How it Works"},{"location":"Content/HowitWorks/#how-it-works","text":"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox , depicted as a yellow rectangle. 
It also illustrates that grouping the changes together makes it easy to delete all of them at once. Download Sandboxie now and give it a try!","title":"How it Works"},{"location":"Content/ImmediateRecovery/","text":"Immediate Recovery Immediate Recovery is an extension of Quick Recovery . Both Quick and Immediate Recovery scan the list of folders configured in Sandbox Settings > Recovery > Quick Recovery , and suggest an easy way to move any files (or folders) found out of the sandbox. Quick Recovery is invoked by explicit request, or just before the sandbox is deleted, that is, typically it is invoked after the sandboxed programs have finished running. By contrast, Immediate Recovery works within the sandboxed program, and identifies files as soon as they are created and eligible for recovery. As soon as a file is eligible for recovery, the Immediate Recovery window appears, and as long as the window stays open, any further files that become eligible for recovery will be collected into that window. The upper area (see picture above) shows the files eligible for recovery, while the lower area lists destination folders. To recover files, select one or more files in the upper area, then select a folder from the lower area, and click Recover . (Use the CTRL and SHIFT keys to select multiple files in the upper area). The lower area initially offers just the special destinations Recover to Same Folder and Recover to Any Folder . These work the same as described in Quick Recovery . As you use the Recover to Any Folder command, more destinations will be recorded in the lower area for later use. You can disable this feature by clearing the checkbox Store selected folders for later use in the Browse For Folder dialog box that appears when you invoke the Recover to Any Folder command. Immediate Recovery can be temporarily disabled until all sandboxed activity stops, by marking the checkbox Don't prompt again until all sandboxed programs stop at the bottom of the window. 
Go to Quick Recovery , Sandboxie Control , Help Topics .","title":"Immediate Recovery"},{"location":"Content/ImmediateRecovery/#immediate-recovery","text":"Immediate Recovery is an extension of Quick Recovery . Both Quick and Immediate Recovery scan the list of folders configured in Sandbox Settings > Recovery > Quick Recovery , and suggest an easy way to move any files (or folders) found out of the sandbox. Quick Recovery is invoked by explicit request, or just before the sandbox is deleted, that is, typically it is invoked after the sandboxed programs have finished running. By contrast, Immediate Recovery works within the sandboxed program, and identifies files as soon as they are created and eligible for recovery. As soon as a file is eligible for recovery, the Immediate Recovery window appears, and as long as the window stays open, any further files that become eligible for recovery will be collected into that window. The upper area (see picture above) shows the files eligible for recovery, while the lower area lists destination folders. To recover files, select one or more files in the upper area, then select a folder from the lower area, and click Recover . (Use the CTRL and SHIFT keys to select multiple files in the upper area). The lower area initially offers just the special destinations Recover to Same Folder and Recover to Any Folder . These work the same as described in Quick Recovery . As you use the Recover to Any Folder command, more destinations will be recorded in the lower area for later use. You can disable this feature by clearing the checkbox Store selected folders for later use in the Browse For Folder dialog box that appears when you invoke the Recover to Any Folder command. Immediate Recovery can be temporarily disabled until all sandboxed activity stops, by marking the checkbox Don't prompt again until all sandboxed programs stop at the bottom of the window. 
Go to Quick Recovery , Sandboxie Control , Help Topics .","title":"Immediate Recovery"},{"location":"Content/InjectDll/","text":"Inject Dll InjectDll is a sandbox setting in Sandboxie Ini . It tells Sandboxie to \"inject\" some DLL into every program in the sandbox. \"Inject\" means the DLL is . . . [DefaultBox] InjectDll=c:\\Program Files\\Sandboxie Utilities\\Sample.dll You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. Note: The InjectDll setting specifies 32-bit DLLs, and will be ignored in a 64-bit process on 64-bit Windows. Use the InjectDll64 setting to specify 64-bit DLLs. The order of DLLs loaded into the sandboxed program is thus: Ntdll.dll KernelBase.dll (on Windows 7 and later) Kernel32.dll SbieDll.dll (on 64-bit Windows, this can be either the 64-bit SbieDll or the 32-bit SbieDll) InjectDlls (loaded in the order specified in Sandboxie.ini) Optionally, ShimEng (or AppHelp on Windows 7 and later) and related DLLs All statically-linked DLLs The behavior described above applies to Sandboxie version 3.46 and later. Earlier versions of Sandboxie implemented a different behavior which is described below: The injected DLL is loaded into the sandboxed process (or program) after all the statically-linked DLLs are loaded and initialized, but before the program itself begins to execute at its entry point. If the DLL exports the symbol InjectDllMain or InjectDllMain@8 , Sandboxie will call this procedure after the DLL is loaded, and pass the address of the SbieDll module. Declare InjectDllMain in your code: __declspec(dllexport) void __stdcall InjectDllMain( HINSTANCE hSbieDll, ULONG_PTR UnusedParameter); It is recommended to use the hSbieDll parameter as the module instance handle for SbieDll.Dll, instead of relying on GetModuleHandle(\"SbieDll.dll\"). This makes it possible for the injected DLL to interact with SbieDll.dll regardless of the actual name used for SbieDll.dll. 
However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine. At this time, this setting cannot be manipulated from Sandboxie Control . You have to manually edit it into Sandboxie Ini . See also: InjectDll64 , SBIE DLL API , Start Command Line .","title":"Inject Dll"},{"location":"Content/InjectDll/#inject-dll","text":"InjectDll is a sandbox setting in Sandboxie Ini . It tells Sandboxie to \"inject\" some DLL into every program in the sandbox. \"Inject\" means the DLL is . . . [DefaultBox] InjectDll=c:\\Program Files\\Sandboxie Utilities\\Sample.dll You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. Note: The InjectDll setting specifies 32-bit DLLs, and will be ignored in a 64-bit process on 64-bit Windows. Use the InjectDll64 setting to specify 64-bit DLLs. The order of DLLs loaded into the sandboxed program is thus: Ntdll.dll KernelBase.dll (on Windows 7 and later) Kernel32.dll SbieDll.dll (on 64-bit Windows, this can be either the 64-bit SbieDll or the 32-bit SbieDll) InjectDlls (loaded in the order specified in Sandboxie.ini) Optionally, ShimEng (or AppHelp on Windows 7 and later) and related DLLs All statically-linked DLLs The behavior described above applies to Sandboxie version 3.46 and later. Earlier versions of Sandboxie implemented a different behavior which is described below: The injected DLL is loaded into the sandboxed process (or program) after all the statically-linked DLLs are loaded and initialized, but before the program itself begins to execute at its entry point. If the DLL exports the symbol InjectDllMain or InjectDllMain@8 , Sandboxie will call this procedure after the DLL is loaded, and pass the address of the SbieDll module. 
Declare InjectDllMain in your code: __declspec(dllexport) void __stdcall InjectDllMain( HINSTANCE hSbieDll, ULONG_PTR UnusedParameter); It is recommended to use the hSbieDll parameter as the module instance handle for SbieDll.Dll, instead of relying on GetModuleHandle(\"SbieDll.dll\"). This makes it possible for the injected DLL to interact with SbieDll.dll regardless of the actual name used for SbieDll.dll. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine. At this time, this setting cannot be manipulated from Sandboxie Control . You have to manually edit it into Sandboxie Ini . See also: InjectDll64 , SBIE DLL API , Start Command Line .","title":"Inject Dll"},{"location":"Content/InjectDll64/","text":"Inject Dll 64 InjectDll is a sandbox setting in Sandboxie Ini . It tells Sandboxie to \"inject\" some DLL into every program in the sandbox. \"Inject\" means the DLL is . . . [DefaultBox] InjectDll64=c:\\Program Files\\Sandboxie Utilities\\Sample64.dll You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. Note: The InjectDll64 setting specifies 64-bit DLLs, and will be ignored in a 32-bit process, even on 64-bit Windows. Use the InjectDll setting to specify 32-bit DLLs. See also: InjectDll for a comprehensive discussion.","title":"Inject Dll 64"},{"location":"Content/InjectDll64/#inject-dll-64","text":"InjectDll is a sandbox setting in Sandboxie Ini . It tells Sandboxie to \"inject\" some DLL into every program in the sandbox. \"Inject\" means the DLL is . . . [DefaultBox] InjectDll64=c:\\Program Files\\Sandboxie Utilities\\Sample64.dll You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. Note: The InjectDll64 setting specifies 64-bit DLLs, and will be ignored in a 32-bit process, even on 64-bit Windows. Use the InjectDll setting to specify 32-bit DLLs. 
See also: InjectDll for a comprehensive discussion.","title":"Inject Dll 64"},{"location":"Content/InternetExplorerTips/","text":"Internet Explorer Tips Tips Specific to Internet Explorer Sandboxie Control > Sandbox Settings > Applications > Web Browser > Internet Explorer Always Run In Sandbox Setting: Force Internet Explorer to run in this sandbox This setting tells Sandboxie to automatically supervise any instance of Internet Explorer as it starts, even if it was not started directly through a Sandboxie facility or command. Internet Explorer with UAC Enabled In Windows Vista/7/8/8.1 with UAC enabled, Internet Explorer maintains two sets of configurations: Normal configuration and administrator configuration. Each set contains its own cookies, home pages and some other settings. When you normally launch Internet Explorer, you get the normal configuration. When you right-click Internet Explorer and select the Run as administrator action, you get the administrator configuration. Under Sandboxie, Internet Explorer selects the Administrator configuration. (But Internet Explorer does not necessarily run as Administrator under Sandboxie.) To fine-tune the administrator configuration, use the Run as administrator right-click action when you run Internet Explorer outside the sandbox. Windows Update on Windows XP When you wish to visit the Windows Update web site, you should run Internet Explorer outside the sandbox. If Internet Explorer is forced to always run under Sandboxie (as discussed above), then use the Disable Forced Programs command to disable forced sandboxing before and after visiting the Windows Update web site. Note the Automatic Updates facility in Windows does not rely on Internet Explorer and should not be affected by any Sandboxie settings related to Internet Explorer. Similarly, the Windows Updates window in Windows Vista also does not rely on Internet Explorer and is also not affected by Sandboxie. 
Favorites Setting: Allow direct access to Internet Explorer favorites Setting: Add Internet Explorer favorites to Quick Recovery folders These settings allows Internet Explorer running under Sandboxie to store favorites outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, favorites are stored only in the sandbox, and will be deleted when the sandbox is deleted. The first setting (direct access) stores favorites directly outside the sandbox. The second setting ( Quick Recovery ) initially keeps the favorites in the sandbox but offers to recover (move out of the sandbox) any new favorites as they are added. The first setting is more flexible in that you can add, edit and delete favorites freely. The second setting is more secure, but at the cost of some measure of convenience. Bottom line: For greater convenience, select the setting \"Allow direct access to Internet Explorer favorites.\" Cookies Setting: Allow direct access to Internet Explorer cookies This setting allows Internet Explorer running under Sandboxie to store cookies outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. An alternative approach is to this setting is to visit your favorite sites once with a normal Internet Explorer, to get these sites to remember you in their cookies. Then switch to an Internet Explorer under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. Bottom line: If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. If you need web sites that you visit in a sandboxed Internet Explorer to remember you, then select this setting. 
Feeds Setting: Allow direct access to Internet Explorer feeds This setting allows Internet Explorer running under Sandboxie to store feed links outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, feed links are stored only in the sandbox, and will be deleted when the sandbox is deleted. Internet Explorer perdiocally checks its feeds from a component which is running outside the web browser. That component will not see (and will not check or refresh) feeds that are created in the sandbox when this setting is not in effect. (Technically, the component is a scheduled task. The task is created and altered whenever you use the Feed Settings tab in the Internet Options dialog.) Bottom line: If you work with Internet Explorer feeds, it is recommended that you select this setting. Save Outside Sandbox Setting: Save outside sandbox: History of search strings and invoked commands. Setting: Save outside sandbox: Account information for Hotmail and Messenger. (replaced with OpenCredentials since Sandboxie v0.8.0 / 5.50.0) The first setting allows Internet Explorer running under Sandboxie to store \"AutoComplete\" information, which is typically used for keeping history: History of search strings, or history of commands typed into an input box. The second setting allows Internet Explorer running under Sandboxie to store \"Credentials\" information, which is typically used by Microsoft web sites, such as Hotmail, to remember your Windows Live ID. It is also used by Windows (Live) Messenger. Bottom line: These settings are concerned with privacy more than security. Information that you enter into web sites can be kept permanently (as with a normal browser) or only until you delete the sandbox. To keep it permanently, select these settings. Otherwise, leave the settings unselected. 
General Tips Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"Internet Explorer Tips"},{"location":"Content/InternetExplorerTips/#internet-explorer-tips","text":"","title":"Internet Explorer Tips"},{"location":"Content/InternetExplorerTips/#tips-specific-to-internet-explorer","text":"Sandboxie Control > Sandbox Settings > Applications > Web Browser > Internet Explorer","title":"Tips Specific to Internet Explorer"},{"location":"Content/InternetExplorerTips/#always-run-in-sandbox","text":"Setting: Force Internet Explorer to run in this sandbox This setting tells Sandboxie to automatically supervise any instance of Internet Explorer as it starts, even if it was not started directly through a Sandboxie facility or command.","title":"Always Run In Sandbox"},{"location":"Content/InternetExplorerTips/#internet-explorer-with-uac-enabled","text":"In Windows Vista/7/8/8.1 with UAC enabled, Internet Explorer maintains two sets of configurations: Normal configuration and administrator configuration. Each set contains its own cookies, home pages and some other settings. When you normally launch Internet Explorer, you get the normal configuration. 
When you right-click Internet Explorer and select the Run as administrator action, you get the administrator configuration. Under Sandboxie, Internet Explorer selects the Administrator configuration. (But Internet Explorer does not necessarily run as Administrator under Sandboxie.) To fine-tune the administrator configuration, use the Run as administrator right-click action when you run Internet Explorer outside the sandbox.","title":"Internet Explorer with UAC Enabled"},{"location":"Content/InternetExplorerTips/#windows-update-on-windows-xp","text":"When you wish to visit the Windows Update web site, you should run Internet Explorer outside the sandbox. If Internet Explorer is forced to always run under Sandboxie (as discussed above), then use the Disable Forced Programs command to disable forced sandboxing before and after visiting the Windows Update web site. Note the Automatic Updates facility in Windows does not rely on Internet Explorer and should not be affected by any Sandboxie settings related to Internet Explorer. Similarly, the Windows Updates window in Windows Vista also does not rely on Internet Explorer and is also not affected by Sandboxie.","title":"Windows Update on Windows XP"},{"location":"Content/InternetExplorerTips/#favorites","text":"Setting: Allow direct access to Internet Explorer favorites Setting: Add Internet Explorer favorites to Quick Recovery folders These settings allows Internet Explorer running under Sandboxie to store favorites outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, favorites are stored only in the sandbox, and will be deleted when the sandbox is deleted. The first setting (direct access) stores favorites directly outside the sandbox. The second setting ( Quick Recovery ) initially keeps the favorites in the sandbox but offers to recover (move out of the sandbox) any new favorites as they are added. 
The first setting is more flexible in that you can add, edit and delete favorites freely. The second setting is more secure, but at the cost of some measure of convenience. Bottom line: For greater convenience, select the setting \"Allow direct access to Internet Explorer favorites.\"","title":"Favorites"},{"location":"Content/InternetExplorerTips/#cookies","text":"Setting: Allow direct access to Internet Explorer cookies This setting allows Internet Explorer running under Sandboxie to store cookies outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. An alternative approach is to this setting is to visit your favorite sites once with a normal Internet Explorer, to get these sites to remember you in their cookies. Then switch to an Internet Explorer under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. Bottom line: If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. If you need web sites that you visit in a sandboxed Internet Explorer to remember you, then select this setting.","title":"Cookies"},{"location":"Content/InternetExplorerTips/#feeds","text":"Setting: Allow direct access to Internet Explorer feeds This setting allows Internet Explorer running under Sandboxie to store feed links outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, feed links are stored only in the sandbox, and will be deleted when the sandbox is deleted. Internet Explorer perdiocally checks its feeds from a component which is running outside the web browser. That component will not see (and will not check or refresh) feeds that are created in the sandbox when this setting is not in effect. (Technically, the component is a scheduled task. 
The task is created and altered whenever you use the Feed Settings tab in the Internet Options dialog.) Bottom line: If you work with Internet Explorer feeds, it is recommended that you select this setting.","title":"Feeds"},{"location":"Content/InternetExplorerTips/#save-outside-sandbox","text":"Setting: Save outside sandbox: History of search strings and invoked commands. Setting: Save outside sandbox: Account information for Hotmail and Messenger. (replaced with OpenCredentials since Sandboxie v0.8.0 / 5.50.0) The first setting allows Internet Explorer running under Sandboxie to store \"AutoComplete\" information, which is typically used for keeping history: History of search strings, or history of commands typed into an input box. The second setting allows Internet Explorer running under Sandboxie to store \"Credentials\" information, which is typically used by Microsoft web sites, such as Hotmail, to remember your Windows Live ID. It is also used by Windows (Live) Messenger. Bottom line: These settings are concerned with privacy more than security. Information that you enter into web sites can be kept permanently (as with a normal browser) or only until you delete the sandbox. To keep it permanently, select these settings. 
Otherwise, leave the settings unselected.","title":"Save Outside Sandbox"},{"location":"Content/InternetExplorerTips/#general-tips","text":"","title":"General Tips"},{"location":"Content/InternetExplorerTips/#automatic-delete-sandbox","text":"Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running.","title":"Automatic Delete Sandbox"},{"location":"Content/InternetExplorerTips/#highlight-windows-of-programs-running-under-sandboxie","text":"Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"Highlight Windows of Programs Running Under Sandboxie"},{"location":"Content/IpcRootPath/","text":"Ipc Root Path IpcRootPath is a sandbox setting in Sandboxie Ini . It specifies the location within the NT object namespace where a particular sandbox is created. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] IpcRootPath=\\Sandbox\\%BOXNAME% The following substitution variables may be useful in this path. 
The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security-ID (SID) The variable %SESSION% which expands to the Terminal Services session number If IpcRootPath is not specified, its default value is: \\Sandbox\\%USER%\\%SANDBOX%\\Session %SESSION%_ There is probably no reason to change the default value for this setting, and doing so is not recommended.","title":"Ipc Root Path"},{"location":"Content/IpcRootPath/#ipc-root-path","text":"IpcRootPath is a sandbox setting in Sandboxie Ini . It specifies the location within the NT object namespace where a particular sandbox is created. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] IpcRootPath=\\Sandbox\\%BOXNAME% The following substitution variables may be useful in this path. The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security-ID (SID) The variable %SESSION% which expands to the Terminal Services session number If IpcRootPath is not specified, its default value is: \\Sandbox\\%USER%\\%SANDBOX%\\Session %SESSION%_ There is probably no reason to change the default value for this setting, and doing so is not recommended.","title":"Ipc Root Path"},{"location":"Content/IsolationMechanism/","text":"Isolation Mechanism Processes started under Sandboxie's supervision are created with a very restricted user token, such that they basically don't have the right to access almost anything. In this state, they would be pretty much useless and would crash right away. This token manipulation is done using half a dozen undocumented symbols in the Windows kernel. 
In a next step, Sandboxie tries to repair that by hooking most ntdll.dll syscalls and replacing them with a redirection to the own SbieDrv driver. The driver then evaluates the calls and enforces the sandboxing rules, for example, no write access outside the sandbox and no read access to closed resources. When a malicious application would unhook ntdll.dll, for example, by trying to use direct syscalls to the Windows kernel, the kernel would see the restricted user token and operations would fail with an access denied. Not all functionality can be restored this way, so Sandboxie also hooks a myriad of other functions in standard Windows DLLs, providing workarounds and redirects through the helper service SbieSvc, although sometimes it opts for disabling some functionality outright. The file system and registry virtualization is implemented on the user level in SbieDll, which is responsible for combining the data from the real system with the ones from the sandbox and for properly redirecting all access attempts. If that mechanism is improperly bypassed, it results in an access denied error.","title":"Isolation Mechanism"},{"location":"Content/IsolationMechanism/#isolation-mechanism","text":"Processes started under Sandboxie's supervision are created with a very restricted user token, such that they basically don't have the right to access almost anything. In this state, they would be pretty much useless and would crash right away. This token manipulation is done using half a dozen undocumented symbols in the Windows kernel. In a next step, Sandboxie tries to repair that by hooking most ntdll.dll syscalls and replacing them with a redirection to the own SbieDrv driver. The driver then evaluates the calls and enforces the sandboxing rules, for example, no write access outside the sandbox and no read access to closed resources. 
When a malicious application would unhook ntdll.dll, for example, by trying to use direct syscalls to the Windows kernel, the kernel would see the restricted user token and operations would fail with an access denied. Not all functionality can be restored this way, so Sandboxie also hooks a myriad of other functions in standard Windows DLLs, providing workarounds and redirects through the helper service SbieSvc, although sometimes it opts for disabling some functionality outright. The file system and registry virtualization is implemented on the user level in SbieDll, which is responsible for combining the data from the real system with the ones from the sandbox and for properly redirecting all access attempts. If that mechanism is improperly bypassed, it results in an access denied error.","title":"Isolation Mechanism"},{"location":"Content/KeyRootPath/","text":"Key Root Path KeyRootPath is a sandbox setting in Sandboxie Ini . It specifies the registry location where the registry hive for a particular sandbox is mounted. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] KeyRootPath=\\REGISTRY\\USER\\%BOXNAME% The following substitution variables may be useful in this path. The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security-ID (SID) The variable %SESSION% which expands to the Terminal Services session number If KeyRootPath is not specified, its default value is: \\REGISTRY\\USER\\Sandbox %USER% %SANDBOX% The value must begin with the prefix * \\REGISTRY\\USER* or Sandboxie will not be able to mount the registry hive. There is probably no reason to change the default value for this setting, and doing so is not recommended. 
If Sandboxie cannot successfully mount or un-mount the sandboxed registry hive, it will issue messages SBIE1241 and SBIE2208 , respectively.","title":"Key Root Path"},{"location":"Content/KeyRootPath/#key-root-path","text":"KeyRootPath is a sandbox setting in Sandboxie Ini . It specifies the registry location where the registry hive for a particular sandbox is mounted. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] KeyRootPath=\\REGISTRY\\USER\\%BOXNAME% The following substitution variables may be useful in this path. The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security-ID (SID) The variable %SESSION% which expands to the Terminal Services session number If KeyRootPath is not specified, its default value is: \\REGISTRY\\USER\\Sandbox %USER% %SANDBOX% The value must begin with the prefix * \\REGISTRY\\USER* or Sandboxie will not be able to mount the registry hive. There is probably no reason to change the default value for this setting, and doing so is not recommended. If Sandboxie cannot successfully mount or un-mount the sandboxed registry hive, it will issue messages SBIE1241 and SBIE2208 , respectively.","title":"Key Root Path"},{"location":"Content/KnownConflicts/","text":"Known Conflicts Known conflicts can be resolved by activating application configurations in Sandbox Settings > Applications or in Sandbox Options > App Templates (Plus edition). Not all programs can be installed or run inside Sandboxie Problem: Some applications that invoke services or drivers may not install/run inside Sandboxie. Solution #1: You may have a conflict with a third-party security software installed on your system (see issue #647 and #293 ). 
If you want to know more about which security suite could be involved, take a look at the archived forums . Solution #2: If you have already tried to install your application in a new empty sandbox, then install it on your host and run it sandboxed. If problems persist, especially with applications working on previous Sandboxie versions, please let us know the details by posting on the GitHub repository . Microsoft Store apps Problem: Microsoft store apps will not work in Sandboxie Classic and Sandboxie Plus. Solution: None at this time. See issue #19 to track any possible change about this. Office 2013/2016/2019 & Office 365 (C2R versions only) Problem: Click to Run versions of Microsoft Office 2013, 2016, 2019 and Office 365 will crash when sandboxed. This includes Outlook 2013 and up. Solution: A fix was included on v0.9.7 / 5.52.1 . Office 2021 Problem: Office 2021 cannot be installed inside a sandbox. Solution: None at this time. See issue #1675 or #1900 to track any possible change about this. Tor Browser Problem: Tor Browser is very slow in a sandbox, crashes or crashes after a certain time. Solution: A fix was included on v1.0.21 / 5.55.21 . HP Universal Print Driver Problem: The HP Universal Printer Status Monitor pop-up component is failing when printing from a sandboxed Web browser. Solution: Open Sandbox Settings > Resource Access > COM Access, click Add and enter this resource name: {D713F357-7920-4B91-9EB6-49054709EC7A} Autodelete feature on Microsoft Edge Problem: Autodelete feature no longer works on Microsoft Edge. Solution: Microsoft Edge was updated with a new setting (under System) called \"Startup boost\", which is enabled by default. It prevents Edge from fully shutting down, so we suggest to disable the option or install v1.1.2 / 5.56.2 or newer versions which include the fix. Steam games Problem: Not all Steam games will function while Sandboxed. Solution: Install the games on your computer, not in a sandbox. Most games can work. 
However, there are known reports that some simply may not. If you run into a problem with a Steam game, you should make sure Steam client is updated on your host machine. Run Steam not sandboxed, download and install the game on your host computer and then \"right click\" on the game shortcut and select \"Run Sandboxed\" as a workaround. If problems persist, please let us know the details by posting on the GitHub repository . GOG Games and Galaxy Beta Problem: Games from GOG Galaxy may not run while sandboxed. Solution: A partial workaround is available in #1246 . You can \"force\" GOG Program folder so that it works correctly within a sandbox. See also: ForceFolder . No access to microphone or camera on any sandbox in Windows 11 Problem: There is no access to microphone/camera on any sandbox in Windows 11 systems. Solution: A workaround is available in #1669 , but no permanent fix. Tabs sessions on Chromium browsers are sometimes not restored correctly in Sandboxie Problem: Tabs sessions are lost when a Chromium browser is running outside of the sandbox. Solution: No fix yet, but some workarounds are available in #558 . Windows Explorer takes a long time to open folders, drives or context menus Problem: Windows Explorer can take a long time to open while sandboxed on Windows 10 and 11. Solution: No fix yet, see #69 . \"Open With\" dialog does not work in a sandboxed File Explorer instance Problem: \"Open with\" functionality is not working with Sandboxie. Solution: A fix was included on v1.0.6 / 5.55.6 . Can't use the search box in File Explorer Problem: The search box in File Explorer doesn't get focused while sandboxed, and you can't input anything. Solution: A fix was included on v0.9.8c / 5.53.2 . 
\"Sandboxed service failed to start: BITS\" or \"Request to start service bits was denied\" can appear while a program is sandboxed Problem: BITS service seems to be broken since a few Windows 10 releases, as it's using some parts of WMI which is blocked in Sandboxie. Solution: A workaround was directly included on v1.0.1 / 5.55.1 . I can't find my issue in this list If you would like to search for further issues, please refer to the GitHub repository .","title":"Known Conflicts"},{"location":"Content/KnownConflicts/#known-conflicts","text":"Known conflicts can be resolved by activating application configurations in Sandbox Settings > Applications or in Sandbox Options > App Templates (Plus edition).","title":"Known Conflicts"},{"location":"Content/KnownConflicts/#not-all-programs-can-be-installed-or-run-inside-sandboxie","text":"Problem: Some applications that invoke services or drivers may not install/run inside Sandboxie. Solution #1: You may have a conflict with a third-party security software installed on your system (see issue #647 and #293 ). If you want to know more about which security suite could be involved, take a look at the archived forums . Solution #2: If you have already tried to install your application in a new empty sandbox, then install it on your host and run it sandboxed. If problems persist, especially with applications working on previous Sandboxie versions, please let us know the details by posting on the GitHub repository .","title":"Not all programs can be installed or run inside Sandboxie"},{"location":"Content/KnownConflicts/#microsoft-store-apps","text":"Problem: Microsoft store apps will not work in Sandboxie Classic and Sandboxie Plus. Solution: None at this time. 
See issue #19 to track any possible change about this.","title":"Microsoft Store apps"},{"location":"Content/KnownConflicts/#office-201320162019-office-365-c2r-versions-only","text":"Problem: Click to Run versions of Microsoft Office 2013, 2016, 2019 and Office 365 will crash when sandboxed. This includes Outlook 2013 and up. Solution: A fix was included on v0.9.7 / 5.52.1 .","title":"Office 2013/2016/2019 & Office 365 (C2R versions only)"},{"location":"Content/KnownConflicts/#office-2021","text":"Problem: Office 2021 cannot be installed inside a sandbox. Solution: None at this time. See issue #1675 or #1900 to track any possible change about this.","title":"Office 2021"},{"location":"Content/KnownConflicts/#tor-browser","text":"Problem: Tor Browser is very slow in a sandbox, crashes or crashes after a certain time. Solution: A fix was included on v1.0.21 / 5.55.21 .","title":"Tor Browser"},{"location":"Content/KnownConflicts/#hp-universal-print-driver","text":"Problem: The HP Universal Printer Status Monitor pop-up component is failing when printing from a sandboxed Web browser. Solution: Open Sandbox Settings > Resource Access > COM Access, click Add and enter this resource name: {D713F357-7920-4B91-9EB6-49054709EC7A}","title":"HP Universal Print Driver"},{"location":"Content/KnownConflicts/#autodelete-feature-on-microsoft-edge","text":"Problem: Autodelete feature no longer works on Microsoft Edge. Solution: Microsoft Edge was updated with a new setting (under System) called \"Startup boost\", which is enabled by default. It prevents Edge from fully shutting down, so we suggest to disable the option or install v1.1.2 / 5.56.2 or newer versions which include the fix.","title":"Autodelete feature on Microsoft Edge"},{"location":"Content/KnownConflicts/#steam-games","text":"Problem: Not all Steam games will function while Sandboxed. Solution: Install the games on your computer, not in a sandbox. Most games can work. 
However, there are known reports that some simply may not. If you run into a problem with a Steam game, you should make sure Steam client is updated on your host machine. Run Steam not sandboxed, download and install the game on your host computer and then \"right click\" on the game shortcut and select \"Run Sandboxed\" as a workaround. If problems persist, please let us know the details by posting on the GitHub repository .","title":"Steam games"},{"location":"Content/KnownConflicts/#gog-games-and-galaxy-beta","text":"Problem: Games from GOG Galaxy may not run while sandboxed. Solution: A partial workaround is available in #1246 . You can \"force\" GOG Program folder so that it works correctly within a sandbox. See also: ForceFolder .","title":"GOG Games and Galaxy Beta"},{"location":"Content/KnownConflicts/#no-access-to-microphone-or-camera-on-any-sandbox-in-windows-11","text":"Problem: There is no access to microphone/camera on any sandbox in Windows 11 systems. Solution: A workaround is available in #1669 , but no permanent fix.","title":"No access to microphone or camera on any sandbox in Windows 11"},{"location":"Content/KnownConflicts/#tabs-sessions-on-chromium-browsers-are-sometimes-not-restored-correctly-in-sandboxie","text":"Problem: Tabs sessions are lost when a Chromium browser is running outside of the sandbox. Solution: No fix yet, but some workarounds are available in #558 .","title":"Tabs sessions on Chromium browsers are sometimes not restored correctly in Sandboxie"},{"location":"Content/KnownConflicts/#windows-explorer-takes-a-long-time-to-open-folders-drives-or-context-menus","text":"Problem: Windows Explorer can take a long time to open while sandboxed on Windows 10 and 11. 
Solution: No fix yet, see #69 .","title":"Windows Explorer takes a long time to open folders, drives or context menus"},{"location":"Content/KnownConflicts/#open-with-dialog-does-not-work-in-a-sandboxed-file-explorer-instance","text":"Problem: \"Open with\" functionality is not working with Sandboxie. Solution: A fix was included on v1.0.6 / 5.55.6 .","title":"\"Open With\" dialog does not work in a sandboxed File Explorer instance"},{"location":"Content/KnownConflicts/#cant-use-the-search-box-in-file-explorer","text":"Problem: The search box in File Explorer doesn't get focused while sandboxed, and you can't input anything. Solution: A fix was included on v0.9.8c / 5.53.2 .","title":"Can't use the search box in File Explorer"},{"location":"Content/KnownConflicts/#sandboxed-service-failed-to-start-bits-or-request-to-start-service-bits-was-denied-can-appear-while-a-program-is-sandboxed","text":"Problem: BITS service seems to be broken since a few Windows 10 releases, as it's using some parts of WMI which is blocked in Sandboxie. Solution: A workaround was directly included on v1.0.1 / 5.55.1 .","title":"\"Sandboxed service failed to start: BITS\" or \"Request to start service bits was denied\" can appear while a program is sandboxed"},{"location":"Content/KnownConflicts/#i-cant-find-my-issue-in-this-list","text":"If you would like to search for further issues, please refer to the GitHub repository .","title":"I can't find my issue in this list"},{"location":"Content/LeaderProcess/","text":"Leader Process LeaderProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs that are considered primary in the sandbox, and when they stop running, all other programs in the sandbox are stopped as well. For example: . . . [DefaultBox] LeaderProcess=iexplore.exe iexplore.exe is Internet Explorer. 
Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Leader Programs See also: Program Settings .","title":"Leader Process"},{"location":"Content/LeaderProcess/#leader-process","text":"LeaderProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs that are considered primary in the sandbox, and when they stop running, all other programs in the sandbox are stopped as well. For example: . . . [DefaultBox] LeaderProcess=iexplore.exe iexplore.exe is Internet Explorer. Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Leader Programs See also: Program Settings .","title":"Leader Process"},{"location":"Content/LingerExemptWnds/","text":"Linger Exempt Wnds LingerExemptWnds is a sandbox setting in Sandboxie Ini available since v1.13.4 / 5.68.4. To make the lingering process monitor mechanism no longer exempt lingering processes with windows from termination. For example: . . . [DefaultBox] LingerExemptWnds=n Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Lingering Programs See also: Program Settings .","title":"Linger Exempt Wnds"},{"location":"Content/LingerExemptWnds/#linger-exempt-wnds","text":"LingerExemptWnds is a sandbox setting in Sandboxie Ini available since v1.13.4 / 5.68.4. To make the lingering process monitor mechanism no longer exempt lingering processes with windows from termination. For example: . . . [DefaultBox] LingerExemptWnds=n Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Lingering Programs See also: Program Settings .","title":"Linger Exempt Wnds"},{"location":"Content/LingerProcess/","text":"Linger Process LingerProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs that will be automatically terminated, when they are the last programs that remain in execution in a particular sandbox. 
This is useful as some programs occasionally launch helper programs to carry out a specific task, and the helper program remains in execution even after the original program has ended. For example: . . . [DefaultBox] LingerProcess=jusched.exe jusched.exe is part of the Sun Java framework. It is occasionally launched when Internet Explorer starts the Java framework. This LingerProcess example setting specifies that if jusched.exe remains the last program running in the sandbox DefaultBox, then it should be terminated. LingerProcess will not terminate a process, if that process was the first process launched in the sandbox. For example, the default configuration includes Adobe Acrobat Reader as a LingerProcess, because it is typically launched when viewing PDF files through the Web browser, and remains running even after the browser has closed. LingerProcess=acrord32.exe However, if you manually start Adobe Acrobat Reader sandboxed, for example by running it from the Sandboxie Start Menu, then the LingerProcess setting will not apply to that process. Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Lingering Programs See also: Program Settings .","title":"Linger Process"},{"location":"Content/LingerProcess/#linger-process","text":"LingerProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs that will be automatically terminated, when they are the last programs that remain in execution in a particular sandbox. This is useful as some programs occasionally launch helper programs to carry out a specific task, and the helper program remains in execution even after the original program has ended. For example: . . . [DefaultBox] LingerProcess=jusched.exe jusched.exe is part of the Sun Java framework. It is occasionally launched when Internet Explorer starts the Java framework. This LingerProcess example setting specifies that if jusched.exe remains the last program running in the sandbox DefaultBox, then it should be terminated. 
LingerProcess will not terminate a process, if that process was the first process launched in the sandbox. For example, the default configuration includes Adobe Acrobat Reader as a LingerProcess, because it is typically launched when viewing PDF files through the Web browser, and remains running even after the browser has closed. LingerProcess=acrord32.exe However, if you manually start Adobe Acrobat Reader sandboxed, for example by running it from the Sandboxie Start Menu, then the LingerProcess setting will not apply to that process. Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Lingering Programs See also: Program Settings .","title":"Linger Process"},{"location":"Content/MessagesFromSandboxie/","text":"Messages From Sandboxie The Messages From Sandboxie window is displayed automatically whenever Sandboxie logs at least one error or informational message. (For more information about Sandboxie messages, SBIE Messages .) The window displays one message per line, as in the example below. Clicking the Help button opens the Web browser and navigates to the documentation page for the highlighted message. Clicking the Hide button indicates that you don't wish to receive this message again. If the message contains an information detail, the Hide button hides the message only in combination with that particular detail. For example, the SBIE1304 message shown above has the detail osk.exe . In this case, the Hide button will hide future occurrences of SBIE1304 for osk.exe . If SBIE1304 is issued for some other program name, it will still be displayed. Clicking the Close button closes the window. Log Messages To A File It's possible to log Messages From Sandboxie to a file with a simple configuration inside the registry: reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v LogFile /d \"2;C:\\Windows\\System32\\LogFiles\\Sandboxie.log\" /f The LogFile value consists of two pieces of information: - 2 is the log level. 
Only two values are correct: 2 (classic log) or 3 (log with process SID) - C:\\Windows\\System32\\LogFiles\\Sandboxie.log is the full path of the log Example of output for a log level of 2: 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] Since version 1.3.3 / 5.58.3, it is possible to pass logs in verbose mode to have the SID of the account used by the target process. Example of output for a log level of 3: 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) Another registry key allows to filter and split logs on specific messages: reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v LogFile /d \"2;C:\\Windows\\System32\\LogFiles\\Sandboxie.log\" /f reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v MultiLog /d \"1308,1307\" /f This simple configuration will: - put all logs without filter inside C:\\Windows\\System32\\LogFiles\\Sandboxie.log - create one file per box (ie: C:\\Windows\\System32\\LogFiles\\Sandboxie_DefaultBox.log ) with only event 1308 and 1307","title":"Messages From Sandboxie"},{"location":"Content/MessagesFromSandboxie/#messages-from-sandboxie","text":"The Messages From Sandboxie window is displayed automatically whenever Sandboxie logs at least one error or informational message. (For more information about Sandboxie messages, SBIE Messages .) The window displays one message per line, as in the example below. 
Clicking the Help button opens the Web browser and navigates to the documentation page for the highlighted message. Clicking the Hide button indicates that you don't wish to receive this message again. If the message contains an information detail, the Hide button hides the message only in combination with that particular detail. For example, the SBIE1304 message shown above has the detail osk.exe . In this case, the Hide button will hide future occurrences of SBIE1304 for osk.exe . If SBIE1304 is issued for some other program name, it will still be displayed. Clicking the Close button closes the window.","title":"Messages From Sandboxie"},{"location":"Content/MessagesFromSandboxie/#log-messages-to-a-file","text":"It's possible to log Messages From Sandboxie to a file with a simple configuration inside the registry: reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v LogFile /d \"2;C:\\Windows\\System32\\LogFiles\\Sandboxie.log\" /f The LogFile value consists of two pieces of information: - 2 is the log level. Only two values are correct: 2 (classic log) or 3 (log with process SID) - C:\\Windows\\System32\\LogFiles\\Sandboxie.log is the full path of the log Example of output for a log level of 2: 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] Since version 1.3.3 / 5.58.3, it is possible to pass logs in verbose mode to have the SID of the account used by the target process. 
Example of output for a log level of 3: 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) Another registry key allows to filter and split logs on specific messages: reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v LogFile /d \"2;C:\\Windows\\System32\\LogFiles\\Sandboxie.log\" /f reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v MultiLog /d \"1308,1307\" /f This simple configuration will: - put all logs without filter inside C:\\Windows\\System32\\LogFiles\\Sandboxie.log - create one file per box (ie: C:\\Windows\\System32\\LogFiles\\Sandboxie_DefaultBox.log ) with only event 1308 and 1307","title":"Log Messages To A File"},{"location":"Content/MonitorAdminOnly/","text":"Monitor Admin Only MonitorAdminOnly is a global setting in Sandboxie Ini . If specified, Sandboxie Control running under user accounts which are not members of the Administrators group will not be able to invoke the Resource Access Monitor facility. The rationale is that Resource Access Monitor consumes 64K bytes of system memory for each user session in which it is invoked, so network administrators may wish to prevent their users from invoking that facility. Usage: . . . [GlobalSettings] MonitorAdminOnly=y This setting is designed for use by network administrators.","title":"Monitor Admin Only"},{"location":"Content/MonitorAdminOnly/#monitor-admin-only","text":"MonitorAdminOnly is a global setting in Sandboxie Ini . If specified, Sandboxie Control running under user accounts which are not members of the Administrators group will not be able to invoke the Resource Access Monitor facility. 
The rationale is that Resource Access Monitor consumes 64K bytes of system memory for each user session in which it is invoked, so network administrators may wish to prevent their users from invoking that facility. Usage: . . . [GlobalSettings] MonitorAdminOnly=y This setting is designed for use by network administrators.","title":"Monitor Admin Only"},{"location":"Content/MsiInstallerExemptions/","text":"Msi Installer Exemptions MsiInstallerExemptions is a sandbox setting in Sandboxie Ini available since v0.7.2 / 5.49.0. . . . [DefaultBox] MsiInstallerExemptions=y Use the 'MsiInstallerExemptions=y' option to allow MSIServer to run with a sandboxed system token and apply other exceptions. This option may help with installing an MSI package. Related Sandboxie Plus setting: Sandbox Options > Security Options > Security Hardening > Allow MSIServer to run with a sandboxed system token and apply other exceptions if required","title":"Msi Installer Exemptions"},{"location":"Content/MsiInstallerExemptions/#msi-installer-exemptions","text":"MsiInstallerExemptions is a sandbox setting in Sandboxie Ini available since v0.7.2 / 5.49.0. . . . [DefaultBox] MsiInstallerExemptions=y Use the 'MsiInstallerExemptions=y' option to allow MSIServer to run with a sandboxed system token and apply other exceptions. This option may help with installing an MSI package. Related Sandboxie Plus setting: Sandbox Options > Security Options > Security Hardening > Allow MSIServer to run with a sandboxed system token and apply other exceptions if required","title":"Msi Installer Exemptions"},{"location":"Content/NeverDelete/","text":"Never Delete NeverDelete is a sandbox setting in Sandboxie Ini . It is typically specified as NeverDelete=y , and indicates that the contents of the sandbox should never be deleted by Sandboxie. For example: . . . 
[DefaultBox] NeverDelete=y Related Sandboxie Control setting: Sandbox Settings > Delete > Invocation","title":"Never Delete"},{"location":"Content/NeverDelete/#never-delete","text":"NeverDelete is a sandbox setting in Sandboxie Ini . It is typically specified as NeverDelete=y , and indicates that the contents of the sandbox should never be deleted by Sandboxie. For example: . . . [DefaultBox] NeverDelete=y Related Sandboxie Control setting: Sandbox Settings > Delete > Invocation","title":"Never Delete"},{"location":"Content/NoRenameWinClass/","text":"No Rename Win Class NoRenameWinClass is a sandbox setting in Sandboxie Ini . It specifies the window class names that should not be translated by Sandboxie. Usage: . . . [DefaultBox] NoRenameWinClass=ExampleWinClass NoRenameWinClass=program.exe,* The first setting tells Sandboxie to not translate ExampleWinClass window class name by making it accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. The second setting tells Sandboxie to not translate window class names created by program.exe by making them accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. Related Sandboxie Plus setting: Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > No Rename","title":"No Rename Win Class"},{"location":"Content/NoRenameWinClass/#no-rename-win-class","text":"NoRenameWinClass is a sandbox setting in Sandboxie Ini . It specifies the window class names that should not be translated by Sandboxie. Usage: . . . 
[DefaultBox] NoRenameWinClass=ExampleWinClass NoRenameWinClass=program.exe,* The first setting tells Sandboxie to not translate ExampleWinClass window class name by making it accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. The second setting tells Sandboxie to not translate window class names created by program.exe by making them accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. Related Sandboxie Plus setting: Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > No Rename","title":"No Rename Win Class"},{"location":"Content/NormalFilePath/","text":"Normal File Path Normal File Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. Program Name Prefix may be specified. Example: . . . [DefaultBox] NormalFilePath=C:\\Downloads\\ NormalFilePath=*.eml NormalFilePath=iexplore.exe,%Favorites% NormalFilePath=msimn.exe,*.eml Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Normal","title":"Normal File Path"},{"location":"Content/NormalFilePath/#normal-file-path","text":"Normal File Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. 
Program Name Prefix may be specified. Example: . . . [DefaultBox] NormalFilePath=C:\\Downloads\\ NormalFilePath=*.eml NormalFilePath=iexplore.exe,%Favorites% NormalFilePath=msimn.exe,*.eml Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Normal","title":"Normal File Path"},{"location":"Content/NormalIpcPath/","text":"Normal Ipc Path Normal Ipc Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. Example: . . . [DefaultBox] NormalIpcPath=\\RPC Control\\AudioSrv Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Normal","title":"Normal Ipc Path"},{"location":"Content/NormalIpcPath/#normal-ipc-path","text":"Normal Ipc Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. Example: . . . [DefaultBox] NormalIpcPath=\\RPC Control\\AudioSrv Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Normal","title":"Normal Ipc Path"},{"location":"Content/NormalKeyPath/","text":"Normal Key Path Normal Key Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. 
Program Name Prefix may be specified. Example: . . . [DefaultBox] NormalIpcPath=*BaseNamedObjects*\\__ComCatalogCache__ NormalIpcPath=*BaseNamedObjects*\\ComPlusCOMRegTable NormalIpcPath=*BaseNamedObjects*\\RotHintTable NormalIpcPath=*BaseNamedObjects*\\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5} NormalIpcPath=*BaseNamedObjects*\\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9} NormalIpcPath=\\RPC Control\\actkernel NormalIpcPath=\\RPC Control\\epmapper NormalIpcPath=\\RPC Control\\OLE* NormalIpcPath=\\RPC Control\\LRPC* Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Normal","title":"Normal Key Path"},{"location":"Content/NormalKeyPath/#normal-key-path","text":"Normal Key Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. Program Name Prefix may be specified. Example: . . . [DefaultBox] NormalIpcPath=*BaseNamedObjects*\\__ComCatalogCache__ NormalIpcPath=*BaseNamedObjects*\\ComPlusCOMRegTable NormalIpcPath=*BaseNamedObjects*\\RotHintTable NormalIpcPath=*BaseNamedObjects*\\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5} NormalIpcPath=*BaseNamedObjects*\\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9} NormalIpcPath=\\RPC Control\\actkernel NormalIpcPath=\\RPC Control\\epmapper NormalIpcPath=\\RPC Control\\OLE* NormalIpcPath=\\RPC Control\\LRPC* Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Normal","title":"Normal Key Path"},{"location":"Content/NotifyDirectDiskAccess/","text":"Notify Direct Disk Access NotifyDirectDiskAccess is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyDirectDiskAccess=y . Usage: . . . 
[DefaultBox] NotifyDirectDiskAccess=y Note that the default behavior of Sandboxie is to deny all direct access requests, unless explicit direct access is given to the hard disk device through the OpenFilePath or OpenPipePath settings. Normally, a message is not issued when such access is denied. This setting can not be altered using Sandboxie Control and must be edited in Sandboxie Ini .","title":"Notify Direct Disk Access"},{"location":"Content/NotifyDirectDiskAccess/#notify-direct-disk-access","text":"NotifyDirectDiskAccess is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyDirectDiskAccess=y . Usage: . . . [DefaultBox] NotifyDirectDiskAccess=y Note that the default behavior of Sandboxie is to deny all direct access requests, unless explicit direct access is given to the hard disk device through the OpenFilePath or OpenPipePath settings. Normally, a message is not issued when such access is denied. This setting can not be altered using Sandboxie Control and must be edited in Sandboxie Ini .","title":"Notify Direct Disk Access"},{"location":"Content/NotifyInternetAccessDenied/","text":"Notify Internet Access Denied NotifyInternetAccessDenied is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyInternetAccessDenied=y , and indicates that Sandboxie should issue message SBIE1307 when programs are denied access to the Internet. Usage: . . . [DefaultBox] NotifyInternetAccessDenied=y Related Sandboxie Control setting: Sandbox Settings > Restrictions > Internet Access Related Sandboxie Control setting: Program Settings","title":"Notify Internet Access Denied"},{"location":"Content/NotifyInternetAccessDenied/#notify-internet-access-denied","text":"NotifyInternetAccessDenied is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyInternetAccessDenied=y , and indicates that Sandboxie should issue message SBIE1307 when programs are denied access to the Internet. Usage: . . . 
[DefaultBox] NotifyInternetAccessDenied=y Related Sandboxie Control setting: Sandbox Settings > Restrictions > Internet Access Related Sandboxie Control setting: Program Settings","title":"Notify Internet Access Denied"},{"location":"Content/NotifyProcessAccessDenied/","text":"Notify Process Access Denied NotifyProcessAccessDenied is a sandbox setting in Sandboxie Ini since v1.0.16 / 5.55.16. It is typically specified as NotifyProcessAccessDenied=y , and indicates that Sandboxie should issue message SBIE2111 when programs are denied reading from the address space of the process. Usage: . . . [DefaultBox] NotifyProcessAccessDenied=y Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Issue message 2111 when a process access is denied For more information, see SBIE2111 .","title":"Notify Process Access Denied"},{"location":"Content/NotifyProcessAccessDenied/#notify-process-access-denied","text":"NotifyProcessAccessDenied is a sandbox setting in Sandboxie Ini since v1.0.16 / 5.55.16. It is typically specified as NotifyProcessAccessDenied=y , and indicates that Sandboxie should issue message SBIE2111 when programs are denied reading from the address space of the process. Usage: . . . [DefaultBox] NotifyProcessAccessDenied=y Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Issue message 2111 when a process access is denied For more information, see SBIE2111 .","title":"Notify Process Access Denied"},{"location":"Content/NotifyStartRunAccessDenied/","text":"Notify Start Run Access Denied NotifyStartRunAccessDenied is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyStartRunAccessDenied=y , and indicates that Sandboxie should issue message SBIE1308 when programs are denied from starting or running. Usage: . . . 
[DefaultBox] NotifyStartRunAccessDenied=y Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Control setting: Program Settings","title":"Notify Start Run Access Denied"},{"location":"Content/NotifyStartRunAccessDenied/#notify-start-run-access-denied","text":"NotifyStartRunAccessDenied is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyStartRunAccessDenied=y , and indicates that Sandboxie should issue message SBIE1308 when programs are denied from starting or running. Usage: . . . [DefaultBox] NotifyStartRunAccessDenied=y Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Control setting: Program Settings","title":"Notify Start Run Access Denied"},{"location":"Content/NtNamespaceIsolation/","text":"Nt Namespace Isolation NtNamespaceIsolation is a sandbox setting in Sandboxie Ini available since v1.8.0 / 5.63.0. It can be used to disable virtualization for CreateDirectoryObject and OpenDirectoryObject - which will reduce security and remove measures to prevent name squatting. . . . [DefaultBox] NtNamespaceIsolation=n","title":"Nt Namespace Isolation"},{"location":"Content/NtNamespaceIsolation/#nt-namespace-isolation","text":"NtNamespaceIsolation is a sandbox setting in Sandboxie Ini available since v1.8.0 / 5.63.0. It can be used to disable virtualization for CreateDirectoryObject and OpenDirectoryObject - which will reduce security and remove measures to prevent name squatting. . . . [DefaultBox] NtNamespaceIsolation=n","title":"Nt Namespace Isolation"},{"location":"Content/NtStatusCodes/","text":"Nt Status Codes NT status codes may appear in some of the messages issued by Sandboxie. The table below lists common status codes which may help in understanding the specific cause of error. 
Standard Windows NT Kernel Status Codes for Error Conditions: C0000022 Access denied to an object C0000034 Object not found C000009A Insufficient system resources, typically indicates an out-of-memory condition","title":"Nt Status Codes"},{"location":"Content/NtStatusCodes/#nt-status-codes","text":"NT status codes may appear in some of the messages issued by Sandboxie. The table below lists common status codes which may help in understanding the specific cause of error. Standard Windows NT Kernel Status Codes for Error Conditions: C0000022 Access denied to an object C0000034 Object not found C000009A Insufficient system resources, typically indicates an out-of-memory condition","title":"Nt Status Codes"},{"location":"Content/OpenClipboard/","text":"Open Clipboard OpenClipboard is a sandbox setting in Sandboxie Ini available since v0.7.5 / 5.49.8. It allows to disable clipboard access for a sandbox. For example: . . . [DefaultBox] OpenClipboard=n Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Block read access to the clipboard","title":"Open Clipboard"},{"location":"Content/OpenClipboard/#open-clipboard","text":"OpenClipboard is a sandbox setting in Sandboxie Ini available since v0.7.5 / 5.49.8. It allows to disable clipboard access for a sandbox. For example: . . . [DefaultBox] OpenClipboard=n Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Block read access to the clipboard","title":"Open Clipboard"},{"location":"Content/OpenClsid/","text":"Open Clsid OpenClsid is a sandbox setting in Sandboxie Ini . It specifies the COM class identifiers for unsandboxed COM objects that should be accessible by a sandboxed program. Examples: . . . [DefaultBox] OpenClsid={D713F357-7920-4B91-9EB6-49054709EC7A} This example makes the HP Universal Printer Status Monitor pop-up component accessible to sandboxed programs. 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > COM Access Related Sandboxie Plus settings: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Open Sandbox Options > Resource Access > COM > Don't use virtualized COM, Open access to hosts COM infrastructure (not recommended)","title":"Open Clsid"},{"location":"Content/OpenClsid/#open-clsid","text":"OpenClsid is a sandbox setting in Sandboxie Ini . It specifies the COM class identifiers for unsandboxed COM objects that should be accessible by a sandboxed program. Examples: . . . [DefaultBox] OpenClsid={D713F357-7920-4B91-9EB6-49054709EC7A} This example makes the HP Universal Printer Status Monitor pop-up component accessible to sandboxed programs. Related Sandboxie Control setting: Sandbox Settings > Resource Access > COM Access Related Sandboxie Plus settings: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Open Sandbox Options > Resource Access > COM > Don't use virtualized COM, Open access to hosts COM infrastructure (not recommended)","title":"Open Clsid"},{"location":"Content/OpenConfPath/","text":"Open Conf Path OpenConfPath is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. It specifies a path pattern, for which Sandboxie will not apply sandboxing for registry keys. This lets sandboxed programs have direct access to update system settings outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular registry key location. It is the same as the OpenKeyPath setting, except that this setting is always applied, whereas OpenKeyPath is only applied if the application is running from a file or folder that is located outside the sandbox. Program Name Prefix may be specified. Example: . . . 
[DefaultBox] OpenConfPath=firefox.exe,HKEY_LOCAL_MACHINE\\Software\\Mozilla OpenConfPath=firefox.exe,HKEY_CURRENT_USER\\Software\\Mozilla These examples let the Firefox program, firefox.exe , have direct access to the Mozilla registry key trees (both system-wide and per-user registry trees). The value specified for OpenConfPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: This setting does apply even when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, can take advantage of this setting. Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Open for All","title":"Open Conf Path"},{"location":"Content/OpenConfPath/#open-conf-path","text":"OpenConfPath is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. It specifies a path pattern, for which Sandboxie will not apply sandboxing for registry keys. This lets sandboxed programs have direct access to update system settings outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular registry key location. It is the same as the OpenKeyPath setting, except that this setting is always applied, whereas OpenKeyPath is only applied if the application is running from a file or folder that is located outside the sandbox. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenConfPath=firefox.exe,HKEY_LOCAL_MACHINE\\Software\\Mozilla OpenConfPath=firefox.exe,HKEY_CURRENT_USER\\Software\\Mozilla These examples let the Firefox program, firefox.exe , have direct access to the Mozilla registry key trees (both system-wide and per-user registry trees). 
The value specified for OpenConfPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: This setting does apply even when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, can take advantage of this setting. Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Open for All","title":"Open Conf Path"},{"location":"Content/OpenCredentials/","text":"Open Credentials OpenCredentials is a sandbox setting in Sandboxie Ini . It is typically specified as OpenCredentials=y (see Yes Or No Settings ), and indicates that Sandboxie should not isolate Windows credentials in the sandbox. For example: . . . [DefaultBox] OpenCredentials=y Indicates that programs running in the DefaultBox sandbox will update the real credential store, rather than a sandboxed instance of it. Windows credentials are used primarily by Windows and Microsoft applications to store user name and password information for: Network shares Microsoft accounts To manage Windows credentials, start Control Panel > User Accounts, select an account, and the click on the Related Task labeled Manage my network passwords. Note: Sandboxie stores credentials in the sandboxed protected storage. Thus, if the setting Save outside sandbox: History of search strings and invoked commands in Sandbox Settings > Applications > Web Browser is enabled, credentials will not be stored in the sandbox, regardless of the OpenCredentials setting. 
Related Sandboxie Control setting: Save outside sandbox: Account information for Hotmail and Messenger in Sandbox Settings > Applications > Web Browser (no longer available since Sandboxie v0.8.0 / 5.50.0) Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Open System Protected Storage","title":"Open Credentials"},{"location":"Content/OpenCredentials/#open-credentials","text":"OpenCredentials is a sandbox setting in Sandboxie Ini . It is typically specified as OpenCredentials=y (see Yes Or No Settings ), and indicates that Sandboxie should not isolate Windows credentials in the sandbox. For example: . . . [DefaultBox] OpenCredentials=y Indicates that programs running in the DefaultBox sandbox will update the real credential store, rather than a sandboxed instance of it. Windows credentials are used primarily by Windows and Microsoft applications to store user name and password information for: Network shares Microsoft accounts To manage Windows credentials, start Control Panel > User Accounts, select an account, and the click on the Related Task labeled Manage my network passwords. Note: Sandboxie stores credentials in the sandboxed protected storage. Thus, if the setting Save outside sandbox: History of search strings and invoked commands in Sandbox Settings > Applications > Web Browser is enabled, credentials will not be stored in the sandbox, regardless of the OpenCredentials setting. Related Sandboxie Control setting: Save outside sandbox: Account information for Hotmail and Messenger in Sandbox Settings > Applications > Web Browser (no longer available since Sandboxie v0.8.0 / 5.50.0) Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Open System Protected Storage","title":"Open Credentials"},{"location":"Content/OpenFilePath/","text":"Open File Path OpenFilePath is a sandbox setting in Sandboxie Ini . 
It specifies path patterns for which Sandboxie will not apply sandboxing for files. This lets sandboxed programs have direct access to update files and folders outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular folder location. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . [DefaultBox] OpenFilePath=C:\\Downloads\\ OpenFilePath=*.eml OpenFilePath=iexplore.exe,%Favorites% OpenFilePath=msimn.exe,*.eml When reviewing these examples, keep in mind that Sandboxie places a wildcard star at the end of the value, unless a star already appears anywhere in the value . So for example, C:\\Downloads_ becomes _C:\\Downloads* , while *.eml remains unchanged. Wildcard stars are used to specify patterns with variable, unknown parts. For example, a.eml matches only that one file, whereas *.eml matches a.eml , test.eml , important message.eml and so on. But note that neither form matches a.txt . The first example setting specifies that any files (or folders) created in the folder C:\\Downloads (and in any folder below it) will not be sandboxed. Note that the final backslash character is important, because a star will be placed at the end of the string. The second example shows how wildcards can be used to exempt *.eml files from sandboxing, regardless of where they are created. .eml files are typically created by Outlook and Outlook Express, when a message is explicitly saved to disk. The third example setting specifies that the Favorites folder of the active user account should be exempted. This means that new Favorite shortcuts will added outside the sandbox. In this example, a ProgramNamePrefix is used, so the setting only applies to the Internet Explorer program, iexplore.exe The fourth example combines the previous two examples, by showing a path containing a wildcard, applied only to a specific program. 
Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting. A setting similar to OpenFilePath , which is always applied, is OpenPipePath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Open","title":"Open File Path"},{"location":"Content/OpenFilePath/#open-file-path","text":"OpenFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for files. This lets sandboxed programs have direct access to update files and folders outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular folder location. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . [DefaultBox] OpenFilePath=C:\\Downloads\\ OpenFilePath=*.eml OpenFilePath=iexplore.exe,%Favorites% OpenFilePath=msimn.exe,*.eml When reviewing these examples, keep in mind that Sandboxie places a wildcard star at the end of the value, unless a star already appears anywhere in the value . So for example, C:\\Downloads_ becomes _C:\\Downloads* , while *.eml remains unchanged. Wildcard stars are used to specify patterns with variable, unknown parts. For example, a.eml matches only that one file, whereas *.eml matches a.eml , test.eml , important message.eml and so on. But note that neither form matches a.txt . The first example setting specifies that any files (or folders) created in the folder C:\\Downloads (and in any folder below it) will not be sandboxed. Note that the final backslash character is important, because a star will be placed at the end of the string. 
The second example shows how wildcards can be used to exempt *.eml files from sandboxing, regardless of where they are created. .eml files are typically created by Outlook and Outlook Express, when a message is explicitly saved to disk. The third example setting specifies that the Favorites folder of the active user account should be exempted. This means that new Favorite shortcuts will added outside the sandbox. In this example, a ProgramNamePrefix is used, so the setting only applies to the Internet Explorer program, iexplore.exe The fourth example combines the previous two examples, by showing a path containing a wildcard, applied only to a specific program. Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting. A setting similar to OpenFilePath , which is always applied, is OpenPipePath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Open","title":"Open File Path"},{"location":"Content/OpenIpcPath/","text":"Open Ipc Path OpenIpcPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for inter-process objects. This lets sandboxed programs access resources and services provided by programs running outside the sandbox. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenIpcPath=\\RPC Control\\IcaApi OpenIpcPath=\\RPC Control\\seclogon OpenIpcPath=$:program.exe As described in Sandboxie Trace , some sandboxed programs may need access to system resources outside the sandbox, in order to function correctly. 
After using the Sandboxie trace facility to isolate the needed resources, this setting is used to expose the resources for use by a sandboxed program. OpenIpcPath=\\RPC Control\\IcaApi The first example exposes a resource provided by the Terminal Services subsystem. It can let a sandboxed program talk to that subsystem and discover other Terminal Server sessions active in the computer. But this resource can also be used to terminate programs outside the control of Sandboxie. OpenIpcPath=\\RPC Control\\seclogon The second example exposes the resource provided by the Windows Run As service. It can let a sandboxed program launch another program using the credentials of a different user. The launched program was executed outside of the control of Sandboxie until v0.7.3 / 5.49.5 , which runs it inside the sandbox. This setting accepts wildcards. For more information on the use of wildcards in the OpenXxxPath and ClosedXxxPath settings, see OpenFilePath . OpenIpcPath=$:program.exe The third example permits a program running inside the sandbox to have full access into the address space of a target process running outside the sandbox. The process name of the target process must match the name specified in the setting. When this setting is not specified, Sandboxie allows only read-access by a sandboxed process into a process outside the sandbox. This form of the OpenIpcPath setting does not support wildcards. Note: The examples in this page, if applied, will create vulnerabilities within the sandbox. They are meant only to show why some resources are blocked, and how they can be un-blocked and exposed for use, if necessary. Related Sandboxie Control setting: Sandbox Settings > Resource Access > IPC Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Open","title":"Open Ipc Path"},{"location":"Content/OpenIpcPath/#open-ipc-path","text":"OpenIpcPath is a sandbox setting in Sandboxie Ini . 
It specifies path patterns for which Sandboxie will not apply sandboxing for inter-process objects. This lets sandboxed programs access resources and services provided by programs running outside the sandbox. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenIpcPath=\\RPC Control\\IcaApi OpenIpcPath=\\RPC Control\\seclogon OpenIpcPath=$:program.exe As described in Sandboxie Trace , some sandboxed programs may need access to system resources outside the sandbox, in order to function correctly. After using the Sandboxie trace facility to isolate the needed resources, this setting is used to expose the resources for use by a sandboxed program. OpenIpcPath=\\RPC Control\\IcaApi The first example exposes a resource provided by the Terminal Services subsystem. It can let a sandboxed program talk to that subsystem and discover other Terminal Server sessions active in the computer. But this resource can also be used to terminate programs outside the control of Sandboxie. OpenIpcPath=\\RPC Control\\seclogon The second example exposes the resource provided by the Windows Run As service. It can let a sandboxed program launch another program using the credentials of a different user. The launched program was executed outside of the control of Sandboxie until v0.7.3 / 5.49.5 , which runs it inside the sandbox. This setting accepts wildcards. For more information on the use of wildcards in the OpenXxxPath and ClosedXxxPath settings, see OpenFilePath . OpenIpcPath=$:program.exe The third example permits a program running inside the sandbox to have full access into the address space of a target process running outside the sandbox. The process name of the target process must match the name specified in the setting. When this setting is not specified, Sandboxie allows only read-access by a sandboxed process into a process outside the sandbox. This form of the OpenIpcPath setting does not support wildcards. 
Note: The examples in this page, if applied, will create vulnerabilities within the sandbox. They are meant only to show why some resources are blocked, and how they can be un-blocked and exposed for use, if necessary. Related Sandboxie Control setting: Sandbox Settings > Resource Access > IPC Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Open","title":"Open Ipc Path"},{"location":"Content/OpenKeyPath/","text":"Open Key Path OpenKeyPath is a sandbox setting in Sandboxie Ini . It specifies a path patterns, for which Sandboxie will not apply sandboxing for registry keys. This lets sandboxed programs have direct access to update system settings outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular registry key location. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenKeyPath=firefox.exe,HKEY_LOCAL_MACHINE\\Software\\Mozilla OpenKeyPath=firefox.exe,HKEY_CURRENT_USER\\Software\\Mozilla These examples let the Firefox program, firefox.exe , have direct access to the Mozilla registry key trees (both system-wide and per-user registry trees). The value specified for OpenKeyPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting. 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Open","title":"Open Key Path"},{"location":"Content/OpenKeyPath/#open-key-path","text":"OpenKeyPath is a sandbox setting in Sandboxie Ini . It specifies a path patterns, for which Sandboxie will not apply sandboxing for registry keys. This lets sandboxed programs have direct access to update system settings outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular registry key location. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenKeyPath=firefox.exe,HKEY_LOCAL_MACHINE\\Software\\Mozilla OpenKeyPath=firefox.exe,HKEY_CURRENT_USER\\Software\\Mozilla These examples let the Firefox program, firefox.exe , have direct access to the Mozilla registry key trees (both system-wide and per-user registry trees). The value specified for OpenKeyPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting. Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Open","title":"Open Key Path"},{"location":"Content/OpenPipePath/","text":"Open Pipe Path OpenPipePath is a sandbox setting in Sandboxie Ini . 
It specifies path patterns for which Sandboxie will not apply sandboxing for files. It is the same as the OpenFilePath setting, except that this setting is always applied, whereas OpenFilePath is only applied if the application is running from a file or folder that is located outside the sandbox. See OpenFilePath for general usage instructions. The OpenPipePath setting is primarily intended to allow sandboxed programs access to file communication device resources, which can be identified using the Sandboxie Trace . However, it can also be used to define files and folders that should be exempt (in the way that OpenFilePath exempts files) even for programs that are running from within the sandbox itself. Example usage: . . . [DefaultBox] OpenPipePath=\\Device\\NamedPipe\\wkssvc OpenPipePath=\\Device\\NamedPipe\\srvsvc Will allow the sandboxed program to manage shares and user accounts on the computer, through the resources wkssvc and srvsvc . Note: This specific example is not recommended, as it weakens the protection of the sandbox. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Full Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Open for All","title":"Open Pipe Path"},{"location":"Content/OpenPipePath/#open-pipe-path","text":"OpenPipePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for files. It is the same as the OpenFilePath setting, except that this setting is always applied, whereas OpenFilePath is only applied if the application is running from a file or folder that is located outside the sandbox. See OpenFilePath for general usage instructions. The OpenPipePath setting is primarily intended to allow sandboxed programs access to file communication device resources, which can be identified using the Sandboxie Trace . 
However, it can also be used to define files and folders that should be exempt (in the way that OpenFilePath exempts files) even for programs that are running from within the sandbox itself. Example usage: . . . [DefaultBox] OpenPipePath=\\Device\\NamedPipe\\wkssvc OpenPipePath=\\Device\\NamedPipe\\srvsvc Will allow the sandboxed program to manage shares and user accounts on the computer, through the resources wkssvc and srvsvc . Note: This specific example is not recommended, as it weakens the protection of the sandbox. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Full Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Open for All","title":"Open Pipe Path"},{"location":"Content/OpenPrintSpooler/","text":"Open Print Spooler OpenPrintSpooler is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] OpenPrintSpooler=n This setting prevents sandboxed applications from setting up printers outside the sandbox. The filter can be disabled by setting OpenPrintSpooler=y . Added as part of 0.5.4 / 5.46.0 version. See also ClosePrintSpooler .","title":"Open Print Spooler"},{"location":"Content/OpenPrintSpooler/#open-print-spooler","text":"OpenPrintSpooler is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] OpenPrintSpooler=n This setting prevents sandboxed applications from setting up printers outside the sandbox. The filter can be disabled by setting OpenPrintSpooler=y . Added as part of 0.5.4 / 5.46.0 version. See also ClosePrintSpooler .","title":"Open Print Spooler"},{"location":"Content/OpenProtectedStorage/","text":"Open Protected Storage OpenProtectedStorage is a sandbox setting in Sandboxie Ini . 
It is typically specified as OpenProtectedStorage=y (see Yes Or No Settings ), and indicates that Sandboxie should not isolate Protected Storage in the sandbox. For example: . . . [DefaultBox] OpenProtectedStorage=y Indicates that programs running in the DefaultBox sandbox will update the global system Protected Storage , rather than a sandboxed instance of it. Related Sandboxie Plus setting: Sandbox Options > App Templates > Templates > Open Protected Storage Related Sandboxie Control setting: Save outside sandbox: History of search strings and invoked commands in Sandbox Settings > Applications > Web Browser","title":"Open Protected Storage"},{"location":"Content/OpenProtectedStorage/#open-protected-storage","text":"OpenProtectedStorage is a sandbox setting in Sandboxie Ini . It is typically specified as OpenProtectedStorage=y (see Yes Or No Settings ), and indicates that Sandboxie should not isolate Protected Storage in the sandbox. For example: . . . [DefaultBox] OpenProtectedStorage=y Indicates that programs running in the DefaultBox sandbox will update the global system Protected Storage , rather than a sandboxed instance of it. Related Sandboxie Plus setting: Sandbox Options > App Templates > Templates > Open Protected Storage Related Sandboxie Control setting: Save outside sandbox: History of search strings and invoked commands in Sandbox Settings > Applications > Web Browser","title":"Open Protected Storage"},{"location":"Content/OpenWinClass/","text":"Open Win Class OpenWinClass is a sandbox setting in Sandboxie Ini . It specifies the class names for unsandboxed windows that should be accessible by a sandboxed program. Examples: . . . [DefaultBox] OpenWinClass=ConsoleWindowClass OpenWinClass=$:program.exe/IgnoreUIPI OpenWinClass=# OpenWinClass=* The first example makes console windows created by the cmd.exe process accessible to sandboxed programs. 
Normally, Sandboxie will not permit a sandboxed program to access, communicate, close or destroy a window outside the sandbox. The OpenWinClass settings makes an exception to this rule, and allows specific unsandboxed windows to be accessible. Special Forms OpenWinClass=$:program.exe/IgnoreUIPI This permits a program running inside the sandbox to use the PostThreadMessage API to send a message directly to a thread in a target process running outside the sandbox. This form of the OpenWinClass setting does not support wildcards, so the process name of the target process must match the name specified in the setting. OpenWinClass=# This setting tells Sandboxie to not alter window class names created by sandboxed programs. Normally, Sandboxie translates class names such as IEFrame to Sandbox:DefaultBox::IEFrame in order to better separate windows that belong to sandboxed programs from the rest of the windows in the system. However, in some cases, a program outside the sandbox might expect window class names to have a specific name, and therefore might not recognize the windows created by a sandboxed program. Specifying OpenWinClass=# resolves this problem, at the cost of a lesser degree of separation. Note that OpenWinClass=# does not allow communication with any windows outside the sandbox, and may interfere with some drag-and-drop operations. OpenWinClass=* This setting tells Sandboxie to not translate window class names as described above, and also makes all windows in the system accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. Note that OpenWinClass=* allows full communication with all windows outside the sandbox, but may interfere with some drag-and-drop operations. 
Identifying Window Class Names The unsandboxed windows are identified by their window class name , which is an internal name given to the window by the application that created it. You can use a tool like WinSpy to identify window class names. The Resource Access Monitor tool in Sandboxie Classic and the Trace Logging tool in Sandboxie Plus also display window class names. Related Sandboxie Plus settings: Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > Open Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > Ignore UIPI Sandbox Options > Resource Access > Wnd > Don't alter window class names created by sandboxed programs See also: No Rename Win Class .","title":"Open Win Class"},{"location":"Content/OpenWinClass/#open-win-class","text":"OpenWinClass is a sandbox setting in Sandboxie Ini . It specifies the class names for unsandboxed windows that should be accessible by a sandboxed program. Examples: . . . [DefaultBox] OpenWinClass=ConsoleWindowClass OpenWinClass=$:program.exe/IgnoreUIPI OpenWinClass=# OpenWinClass=* The first example makes console windows created by the cmd.exe process accessible to sandboxed programs. Normally, Sandboxie will not permit a sandboxed program to access, communicate, close or destroy a window outside the sandbox. The OpenWinClass settings makes an exception to this rule, and allows specific unsandboxed windows to be accessible. Special Forms OpenWinClass=$:program.exe/IgnoreUIPI This permits a program running inside the sandbox to use the PostThreadMessage API to send a message directly to a thread in a target process running outside the sandbox. This form of the OpenWinClass setting does not support wildcards, so the process name of the target process must match the name specified in the setting. OpenWinClass=# This setting tells Sandboxie to not alter window class names created by sandboxed programs. 
Normally, Sandboxie translates class names such as IEFrame to Sandbox:DefaultBox::IEFrame in order to better separate windows that belong to sandboxed programs from the rest of the windows in the system. However, in some cases, a program outside the sandbox might expect window class names to have a specific name, and therefore might not recognize the windows created by a sandboxed program. Specifying OpenWinClass=# resolves this problem, at the cost of a lesser degree of separation. Note that OpenWinClass=# does not allow communication with any windows outside the sandbox, and may interfere with some drag-and-drop operations. OpenWinClass=* This setting tells Sandboxie to not translate window class names as described above, and also makes all windows in the system accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. Note that OpenWinClass=* allows full communication with all windows outside the sandbox, but may interfere with some drag-and-drop operations. Identifying Window Class Names The unsandboxed windows are identified by their window class name , which is an internal name given to the window by the application that created it. You can use a tool like WinSpy to identify window class names. The Resource Access Monitor tool in Sandboxie Classic and the Trace Logging tool in Sandboxie Plus also display window class names. Related Sandboxie Plus settings: Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > Open Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > Ignore UIPI Sandbox Options > Resource Access > Wnd > Don't alter window class names created by sandboxed programs See also: No Rename Win Class .","title":"Open Win Class"},{"location":"Content/PaperAnalogy/","text":"Paper Analogy Think of your PC as a piece of paper. Every program you run writes on the paper. 
When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper. Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely and remove any traces left. On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. (Note: The graphics depicts the Sandboxie Control application prior to version 3.20.) Thanks to esalkin for the paper metaphor. Thanks to warwagon for the graphics. See also the Sandboxie demonstration for a different illustration of the same concept.","title":"Paper Analogy"},{"location":"Content/PaperAnalogy/#paper-analogy","text":"Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper. Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely and remove any traces left. On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. 
(Note: The graphics depicts the Sandboxie Control application prior to version 3.20.) Thanks to esalkin for the paper metaphor. Thanks to warwagon for the graphics. See also the Sandboxie demonstration for a different illustration of the same concept.","title":"Paper Analogy"},{"location":"Content/PlusMigrationGuide/","text":"Sandboxie-Plus Migration Guide This guide shows where all the known Sandboxie functions can be found in the new UI. Main Window The overall layout of the main window of SandMan.exe is exactly the same as the old one in SbieCtrl.exe when the \"Simple View\" is chosen. If the \"Advanced View\" is chosen, there are three additional tabs on the bottom of the window (\"Sbie Messages\" etc.), so it corresponds with what can be seen in the right picture. File and Sandbox Menus All important menu commands can be found in similar locations, although some have been moved. Create New Box dialog The \"Create New Box\" command opens the new box dialog. Unlike in Classic, here a box type preset can be selected. The feature to copy an existing box can be found now on another place. (See the following unit.) Copying Sandbox Configuration To copy a existing box configuration, the \"Duplicate Sandbox\" menu command can be used. View Menu The \"View\" menu offers a few more functions, and the option to enable a simplified view mode. The recovery log is no longer a separate window but a tab at the bottom (visible when the \"Advanced View\" is chosen). View Menu - Files and Folders The modern Sandboxie UI has replaced the \"Files and Folders\" view with a separate window that can be opened from the box context menu. Files and Folders - view / window The window \"Files\" offers the same functionality as the old view, but enhances it by providing a full context menu. Global Settings The new Sandboxie Plus UI has a global settings window (Options --> Global Settings) where all options are located together on vertical tabs instead of having to open individual windows. 
File System Root In the modern UI, it is possible to change not only the file system root path, but also the registry root and the IPC root. Program Start monitoring Sandboxie Plus can not only warn when unboxed processes are started, but it can also prevent them from starting at all. Shell Integration On this tab, the shell integration can be configured. Most functions are available, although some deprecated features were dropped and other options were moved out. Create Sandbox shortcut To create a shortcut to a boxed program, now an option in the box context menu is to be used, which can be reached quicker. Software Compatibility Also the compatibility dialog is now integrated into the window with the global settings (tab \"Compatibility\"). Lock Configuration Starting with version 1.9.0 / 5.64.0, the Configuration Protection options are located in the sub tab \"Sandboxie.ini Presets\" of the tab \"Advanced Config\". Sandbox Context Menu The sandbox context menu is much more advanced, and contains all the options from the old menu. Double click on the sandbox name now opens the sandbox settings. Explore Contents In addition to being able to explore contents, the \"Box Content\" sub menu allows to mount and browse the sandboxed registry. Sandbox Settings All functionality from the old Sandbox Settings are now located in the Sandbox Options. Some areas are similar, but many have also been moved around. Quick and Immediate Recover The options for Quick Recovery and Immediate Recovery have been merged into one tab (\"File Recovery\"). Delete Options The Delete Options have been moved to the sub tab \"File Options\" of the tab \"General Options\". Delete Command The \"Delete Command\" option can now be found on the sub tab \"Triggers\" of the tab \"Advanced Options\". Program Groups The new UI supports groups just like the old one. Forced Programs and Folders Forced programs and folders are also merged into one tab (\"Program Control\", sub tab \"Force* Programs\"). 
Lingering Programs & Leader Programs Program stop behaviours are also merged into one tab. File Migration File Migration options have been integrated into the \"File Options\" sub tab of the \"General Options\" tab. Internet Access Sandboxie Plus can not only use the old method of blocking internet access but also the Windows Filtering Platform (WFP), which provides better compatibility. Network Access Additionally, using the WFP facility, a per sandbox firewall can be configured (tab \"Internet Restrictions\" --> sub tab \"Network Firewall Rules\"). Start/Run Access Start restriction options have been promoted to a top level tab. Drop Rights The \"Drop Admin Rights\" option is in the new UI located on the \"Security\" sub tab of the \"General Options\" tab, together with additional security enhancements. Network Files \"Block network files and folders access\" has been moved to the \"Access Restrictions\" sub tab of the \"General Options\" tab. Resource Access The \"Resource Access\" options have been integrated into a joined view which shows all presets in one list, the options can be edited as well as disabled without removing them. Application Compatibility Templates The compatibility Templates are now also presented as a joined view (tab \"App Templates\", sub tab \"Compatibility Templates\"). User Accounts Last but not least, the ability to restrict a box to selected users has been moved to the sub tab \"Users\" of the tab \"Advanced Options\". About Dialog And finally, we have the About dialog. 
As is apparent, Sandboxie Plus has much more additional options not shown here, as this guide is only meant to facilitate the migration from Sandboxie Classic to Sandboxie Plus.","title":"Sandboxie-Plus Migration Guide"},{"location":"Content/PlusMigrationGuide/#sandboxie-plus-migration-guide","text":"This guide shows where all the known Sandboxie functions can be found in the new UI.","title":"Sandboxie-Plus Migration Guide"},{"location":"Content/PlusMigrationGuide/#main-window","text":"The overall layout of the main window of SandMan.exe is exactly the same as the old one in SbieCtrl.exe when the \"Simple View\" is chosen. If the \"Advanced View\" is chosen, there are three additional tabs on the bottom of the window (\"Sbie Messages\" etc.), so it corresponds with what can be seen in the right picture.","title":"Main Window"},{"location":"Content/PlusMigrationGuide/#file-and-sandbox-menus","text":"All important menu commands can be found in similar locations, although some have been moved.","title":"File and Sandbox Menus"},{"location":"Content/PlusMigrationGuide/#create-new-box-dialog","text":"The \"Create New Box\" command opens the new box dialog. Unlike in Classic, here a box type preset can be selected. The feature to copy an existing box can be found now on another place. (See the following unit.)","title":"Create New Box dialog"},{"location":"Content/PlusMigrationGuide/#copying-sandbox-configuration","text":"To copy a existing box configuration, the \"Duplicate Sandbox\" menu command can be used.","title":"Copying Sandbox Configuration"},{"location":"Content/PlusMigrationGuide/#view-menu","text":"The \"View\" menu offers a few more functions, and the option to enable a simplified view mode. 
The recovery log is no longer a separate window but a tab at the bottom (visible when the \"Advanced View\" is chosen).","title":"View Menu"},{"location":"Content/PlusMigrationGuide/#view-menu-files-and-folders","text":"The modern Sandboxie UI has replaced the \"Files and Folders\" view with a separate window that can be opened from the box context menu.","title":"View Menu - Files and Folders"},{"location":"Content/PlusMigrationGuide/#files-and-folders-view-window","text":"The window \"Files\" offers the same functionality as the old view, but enhances it by providing a full context menu.","title":"Files and Folders - view / window"},{"location":"Content/PlusMigrationGuide/#global-settings","text":"The new Sandboxie Plus UI has a global settings window (Options --> Global Settings) where all options are located together on vertical tabs instead of having to open individual windows.","title":"Global Settings"},{"location":"Content/PlusMigrationGuide/#file-system-root","text":"In the modern UI, it is possible to change not only the file system root path, but also the registry root and the IPC root.","title":"File System Root"},{"location":"Content/PlusMigrationGuide/#program-start-monitoring","text":"Sandboxie Plus can not only warn when unboxed processes are started, but it can also prevent them from starting at all.","title":"Program Start monitoring"},{"location":"Content/PlusMigrationGuide/#shell-integration","text":"On this tab, the shell integration can be configured. 
Most functions are available, although some deprecated features were dropped and other options were moved out.","title":"Shell Integration"},{"location":"Content/PlusMigrationGuide/#create-sandbox-shortcut","text":"To create a shortcut to a boxed program, now an option in the box context menu is to be used, which can be reached quicker.","title":"Create Sandbox shortcut"},{"location":"Content/PlusMigrationGuide/#software-compatibility","text":"Also the compatibility dialog is now integrated into the window with the global settings (tab \"Compatibility\").","title":"Software Compatibility"},{"location":"Content/PlusMigrationGuide/#lock-configuration","text":"Starting with version 1.9.0 / 5.64.0, the Configuration Protection options are located in the sub tab \"Sandboxie.ini Presets\" of the tab \"Advanced Config\".","title":"Lock Configuration"},{"location":"Content/PlusMigrationGuide/#sandbox-context-menu","text":"The sandbox context menu is much more advanced, and contains all the options from the old menu. Double click on the sandbox name now opens the sandbox settings.","title":"Sandbox Context Menu"},{"location":"Content/PlusMigrationGuide/#explore-contents","text":"In addition to being able to explore contents, the \"Box Content\" sub menu allows to mount and browse the sandboxed registry.","title":"Explore Contents"},{"location":"Content/PlusMigrationGuide/#sandbox-settings","text":"All functionality from the old Sandbox Settings are now located in the Sandbox Options. 
Some areas are similar, but many have also been moved around.","title":"Sandbox Settings"},{"location":"Content/PlusMigrationGuide/#quick-and-immediate-recover","text":"The options for Quick Recovery and Immediate Recovery have been merged into one tab (\"File Recovery\").","title":"Quick and Immediate Recover"},{"location":"Content/PlusMigrationGuide/#delete-options","text":"The Delete Options have been moved to the sub tab \"File Options\" of the tab \"General Options\".","title":"Delete Options"},{"location":"Content/PlusMigrationGuide/#delete-command","text":"The \"Delete Command\" option can now be found on the sub tab \"Triggers\" of the tab \"Advanced Options\".","title":"Delete Command"},{"location":"Content/PlusMigrationGuide/#program-groups","text":"The new UI supports groups just like the old one.","title":"Program Groups"},{"location":"Content/PlusMigrationGuide/#forced-programs-and-folders","text":"Forced programs and folders are also merged into one tab (\"Program Control\", sub tab \"Force* Programs\").","title":"Forced Programs and Folders"},{"location":"Content/PlusMigrationGuide/#lingering-programs-leader-programs","text":"Program stop behaviours are also merged into one tab.","title":"Lingering Programs & Leader Programs"},{"location":"Content/PlusMigrationGuide/#file-migration","text":"File Migration options have been integrated into the \"File Options\" sub tab of the \"General Options\" tab.","title":"File Migration"},{"location":"Content/PlusMigrationGuide/#internet-access","text":"Sandboxie Plus can not only use the old method of blocking internet access but also the Windows Filtering Platform (WFP), which provides better compatibility.","title":"Internet Access"},{"location":"Content/PlusMigrationGuide/#network-access","text":"Additionally, using the WFP facility, a per sandbox firewall can be configured (tab \"Internet Restrictions\" --> sub tab \"Network Firewall Rules\").","title":"Network 
Access"},{"location":"Content/PlusMigrationGuide/#startrun-access","text":"Start restriction options have been promoted to a top level tab.","title":"Start/Run Access"},{"location":"Content/PlusMigrationGuide/#drop-rights","text":"The \"Drop Admin Rights\" option is in the new UI located on the \"Security\" sub tab of the \"General Options\" tab, together with additional security enhancements.","title":"Drop Rights"},{"location":"Content/PlusMigrationGuide/#network-files","text":"\"Block network files and folders access\" has been moved to the \"Access Restrictions\" sub tab of the \"General Options\" tab.","title":"Network Files"},{"location":"Content/PlusMigrationGuide/#resource-access","text":"The \"Resource Access\" options have been integrated into a joined view which shows all presets in one list, the options can be edited as well as disabled without removing them.","title":"Resource Access"},{"location":"Content/PlusMigrationGuide/#application-compatibility-templates","text":"The compatibility Templates are now also presented as a joined view (tab \"App Templates\", sub tab \"Compatibility Templates\").","title":"Application Compatibility Templates"},{"location":"Content/PlusMigrationGuide/#user-accounts","text":"Last but not least, the ability to restrict a box to selected users has been moved to the sub tab \"Users\" of the tab \"Advanced Options\".","title":"User Accounts"},{"location":"Content/PlusMigrationGuide/#about-dialog","text":"And finally, we have the About dialog. As is apparent, Sandboxie Plus has much more additional options not shown here, as this guide is only meant to facilitate the migration from Sandboxie Classic to Sandboxie Plus.","title":"About Dialog"},{"location":"Content/PopupMessageLog/","text":"Popup Message Log Sandboxie popup messages are displayed by Sandboxie Control in the Messages From Sandboxie pop-up window. 
Please see the documentation for the Messages From Sandboxie pop-up window for more information.","title":"Popup Message Log"},{"location":"Content/PopupMessageLog/#popup-message-log","text":"Sandboxie popup messages are displayed by Sandboxie Control in the Messages From Sandboxie pop-up window. Please see the documentation for the Messages From Sandboxie pop-up window for more information.","title":"Popup Message Log"},{"location":"Content/PortableSandbox/","text":"Portable Sandbox The revised layout of the sandbox that is introduced in version 2.80 allows for greater portability of the sandbox across computers. By redirecting programs to create sandboxed objects which have a nonspecific path, it is possible to populate a sandbox on one computer, then carry this sandbox to another computer and keep using it. For example, consider installing a game program to a portable device such as a USB memory stick which is mounted as drive P. The game may install its files to a folder on drive P, but any menu shortcuts it creates will be installed in the Windows Start menu of the local computer, outside drive P. And any registry keys it creates will also be created in the Windows registry, also outside the USB device. By contrast, if you set the container folder to drive P (for instance P:\\Sandbox ), then install the game into the (sandboxed) drive C, then all objects created by the installation will be redirected to drive P. You can then carry the USB drive to another computer where Sandboxie is installed, and set the container folder on that other computer to drive P. Through the Sandboxie Start menu, you will see the menu shortcuts installed by the game, and when you start it, the game will find its settings as they were recorded in the sandboxed registry. 
Note that Sandboxie itself is not portable software, but it facilitates the portability of a large number of applications.","title":"Portable Sandbox"},{"location":"Content/PortableSandbox/#portable-sandbox","text":"The revised layout of the sandbox that is introduced in version 2.80 allows for greater portability of the sandbox across computers. By redirecting programs to create sandboxed objects which have a nonspecific path, it is possible to populate a sandbox on one computer, then carry this sandbox to another computer and keep using it. For example, consider installing a game program to a portable device such as a USB memory stick which is mounted as drive P. The game may install its files to a folder on drive P, but any menu shortcuts it creates will be installed in the Windows Start menu of the local computer, outside drive P. And any registry keys it creates will also be created in the Windows registry, also outside the USB device. By contrast, if you set the container folder to drive P (for instance P:\\Sandbox ), then install the game into the (sandboxed) drive C, then all objects created by the installation will be redirected to drive P. You can then carry the USB drive to another computer where Sandboxie is installed, and set the container folder on that other computer to drive P. Through the Sandboxie Start menu, you will see the menu shortcuts installed by the game, and when you start it, the game will find its settings as they were recorded in the sandboxed registry. Note that Sandboxie itself is not portable software, but it facilitates the portability of a large number of applications.","title":"Portable Sandbox"},{"location":"Content/PrivacyConcerns/","text":"Privacy Concerns This is an advanced topic, which explains that even after running a program under Sandboxie, your computer may still record which programs were executed or what they did. 
It is important to emphasize that this is not a security breach as it will never allow sandboxed programs to infect or otherwise abuse your computer. However, this may be interesting reading for those concerned with the privacy aspects of using Sandboxie. Overview The guiding principle of Sandboxie is to isolate and contain any actions taken by programs that Sandboxie supervises, for the purpose of keeping your computer and operating system in a clean and healthy state. Most of the side effects of running a program under Sandboxie are in fact caused by the very program that is running under Sandboxie, and are gone when the sandbox is deleted. For example, a Web browser running under Sandboxie will record your browsing history in the sandbox, and this history will be completely erased when you delete the sandbox. Thus it is easy to make a small leap of logic from the guiding principle above, and assume that a principle of Sandboxie is to protect your privacy and clean any all traces caused directly or indirectly by any program running under its supervision. However, this assumption would not be correct. Sandboxie puts a great deal of effort into containing the actions taken by the program it supervises, however Sandboxie makes no effect at all to prevent your own Windows operating system from keeping records of what you do in your computer. One who makes the incorrect assumption of extreme concern for privacy on the part of Sandboxie might be surprised to find several kinds of traces and logs in Windows that record which programs have been running, even inside the sandbox. This page will explain the various known mechanisms that record information about the programs you run, either inside or outside the supervision of Sandboxie. Prefetch and SuperFetch Prefetch, introduced in Windows XP, and SuperFetch, introduced in Windows Vista, make up the prefetcher component in Windows. 
This component is designed to improve application start up time by keeping copies of program files in a location that can be quickly accessed. The copies are kept in a folder called Prefetch that resides within the main Windows folder; typically that is C:\\Windows\\Prefetch . Windows may store copies of programs files in this Prefetch folder even when the programs were executed under Sandboxie. Prefetch behavior can be reduced to caching only programs using during the boot sequence, or to not cache anything at all. Follow these links for more information: https://www.ghacks.net/2008/01/13/enableprefetcher-in-prefetchparameters https://www.howtogeek.com/998/change-superfetch-to-only-cache-system-boot-files-in-vista https://www.howtogeek.com/989/how-to-disable-superfetch-on-windows-vista MUI Cache Windows Explorer records in the registry the names of programs that are launched directly through it. This includes launching programs through the Start menu, the desktop, the quick launch area, or any folder views. It is true even if the right-click \"Run Sandboxed\" action is used to launch the program under Sandboxie. The recorded information is kept in this registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache If launch a program through a Sandboxie facility (such as the Sandboxie Start menu) or through a program which is already running under Sandboxie, then this information is kept in the registry inside the sandbox. There are various third-party registry cleaning tools that can erase this information. Windows Taskbar On Windows 7 and later, Windows Explorer stores information associated with icons on the taskbar. This information includes the icon for the program and the command used to launch it. 
The information is stored in files in the following folder, within the user profile folder: %Appdata%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts The Sandbox Settings > Applications > Miscellaneous settings page includes the setting \"Permit programs to update jump lists in the Windows 7 taskbar\". If this setting is enabled, additional files are created in the following folders, within the user profile folder: %Appdata%\\Microsoft\\Windows\\Recent\\CustomDestinations %Appdata%\\Microsoft\\Windows\\Recent\\AutomaticDestinations Windows Page File During its normal course of operation, Windows sometimes needs to put away the contents of memory used by one program in order to make room for another program. The memory contents are stored in the Windows page file . Programs that run under Sandboxie are still running in the same Windows operating system as any other program in the computer, so portions of sandboxed and normal programs may end up sitting side by side in the same page file. It is possible to configure Windows to clear the contents of the page file at shutdown. More information here and here . It is possible to configure Windows to encrypt the contents of the page file: Run secpol.msc to open the Local Security Policy editor Expand the group labeled Public Key Policies Right-click Properties on the item labeled Encrypting File System Select Allow to enable Encrypting File System (EFS) Click Apply and then OK Reboot to put the new setting into effect Windows Hibernate File Similar to the Windows Page File, the hibernate file stores a copy of the memory and state of the system before the computer is turned off as part of the hibernate process. Thus the hibernate file may contain bits of memory that were used by a sandboxed program. System Restore Restore points are snapshots of the state of the operating system at some points in time. 
The System Restore component in Windows XP and later versions records and restores these snapshots. Snapshots are recorded in the (typically inaccessible) folder called System Volume Information and may include many types of files found throughout the system, including within the folders of the sandbox. Thus it is possible that System Restore will create backup copies in its folders for files or programs that exist only in the sandbox. The System Restore component can be set to ignore files and folders in temporary folders, so moving the sandbox to %TEMP%\\SANDBOX (instead of the default C:\\SANDBOX ) and adding the path within the registry key FilesNotToSnapshot , System Restore should ignore the sandbox when creating a Shadow Copy snapshot. More information here . System, Audit and Other Event Logs Windows sometimes records bits of information about running programs in its various event logs . Typically, very little if any information is logged about a program. However, if security auditing has been enabled for some aspects of the system, Windows will have no trouble logging the details of any actions taken by a program running under Sandboxie. Windows has an Event Viewer program which can be used to view and delete the event logs. More information here . Windows System Tray Icons When a programs which is running under Sandboxie asks to place an icon in the system tray area , Sandboxie lets the program place the icon in the real system tray, which is typically located at the bottom right corner of the display. This has the advantage that interaction with the tray icon of the sandboxed program is as easy as interacting with any other tray icon. However, it also means that Windows will record this icon and its description in the history of all tray icons it has ever displayed. It is possible to manually clear this history in Windows . There may also be third-party registry cleaning tools that can erase this information. 
Disk Defragmentation Disk defragmenter software can be used to organize the contents of the hard disk at the level of data blocks, so that files may be accessed faster by the operating system. Although this is not a privacy concern, the issue of sandboxed programs being able to defragment the disk has been raised and should be addressed. Sandboxie isolation occurs at the higher file level rather than the lower level of data blocks. Moving data blocks around on the disk has no impact on the isolation of the sandbox, and cannot be used by a malicious program to somehow \"move\" its data out of the sandbox. IP Privacy Sandboxie isolation and protection occurs entirely within the local computer and is not visible to any other remote computer. Thus accessing the Internet using a sandboxed program looks the same as accessing the Internet using a program that is not running under Sandboxie. In both cases the remote computer identifies the accessing computer by its IP address. There are various third-party solutions for anonymous Web access. More information here . Windows DNS Host Cache Sandboxie does not prevent the logging and storage of the hosts file (DNS cache) on your Windows machine. This is written to C:\\Windows\\System32\\drivers\\etc .","title":"Privacy Concerns"},{"location":"Content/PrivacyConcerns/#privacy-concerns","text":"This is an advanced topic, which explains that even after running a program under Sandboxie, your computer may still record which programs were executed or what they did. It is important to emphasize that this is not a security breach as it will never allow sandboxed programs to infect or otherwise abuse your computer. However, this may be interesting reading for those concerned with the privacy aspects of using Sandboxie. Overview The guiding principle of Sandboxie is to isolate and contain any actions taken by programs that Sandboxie supervises, for the purpose of keeping your computer and operating system in a clean and healthy state. 
Most of the side effects of running a program under Sandboxie are in fact caused by the very program that is running under Sandboxie, and are gone when the sandbox is deleted. For example, a Web browser running under Sandboxie will record your browsing history in the sandbox, and this history will be completely erased when you delete the sandbox. Thus it is easy to make a small leap of logic from the guiding principle above, and assume that a principle of Sandboxie is to protect your privacy and clean any all traces caused directly or indirectly by any program running under its supervision. However, this assumption would not be correct. Sandboxie puts a great deal of effort into containing the actions taken by the program it supervises, however Sandboxie makes no effect at all to prevent your own Windows operating system from keeping records of what you do in your computer. One who makes the incorrect assumption of extreme concern for privacy on the part of Sandboxie might be surprised to find several kinds of traces and logs in Windows that record which programs have been running, even inside the sandbox. This page will explain the various known mechanisms that record information about the programs you run, either inside or outside the supervision of Sandboxie. Prefetch and SuperFetch Prefetch, introduced in Windows XP, and SuperFetch, introduced in Windows Vista, make up the prefetcher component in Windows. This component is designed to improve application start up time by keeping copies of program files in a location that can be quickly accessed. The copies are kept in a folder called Prefetch that resides within the main Windows folder; typically that is C:\\Windows\\Prefetch . Windows may store copies of programs files in this Prefetch folder even when the programs were executed under Sandboxie. Prefetch behavior can be reduced to caching only programs using during the boot sequence, or to not cache anything at all. 
Follow these links for more information: https://www.ghacks.net/2008/01/13/enableprefetcher-in-prefetchparameters https://www.howtogeek.com/998/change-superfetch-to-only-cache-system-boot-files-in-vista https://www.howtogeek.com/989/how-to-disable-superfetch-on-windows-vista MUI Cache Windows Explorer records in the registry the names of programs that are launched directly through it. This includes launching programs through the Start menu, the desktop, the quick launch area, or any folder views. It is true even if the right-click \"Run Sandboxed\" action is used to launch the program under Sandboxie. The recorded information is kept in this registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache If launch a program through a Sandboxie facility (such as the Sandboxie Start menu) or through a program which is already running under Sandboxie, then this information is kept in the registry inside the sandbox. There are various third-party registry cleaning tools that can erase this information. Windows Taskbar On Windows 7 and later, Windows Explorer stores information associated with icons on the taskbar. This information includes the icon for the program and the command used to launch it. The information is stored in files in the following folder, within the user profile folder: %Appdata%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts The Sandbox Settings > Applications > Miscellaneous settings page includes the setting \"Permit programs to update jump lists in the Windows 7 taskbar\". If this setting is enabled, additional files are created in the following folders, within the user profile folder: %Appdata%\\Microsoft\\Windows\\Recent\\CustomDestinations %Appdata%\\Microsoft\\Windows\\Recent\\AutomaticDestinations Windows Page File During its normal course of operation, Windows sometimes needs to put away the contents of memory used by one program in order to make room for another program. 
The memory contents are stored in the Windows page file . Programs that run under Sandboxie are still running in the same Windows operating system as any other program in the computer, so portions of sandboxed and normal programs may end up sitting side by side in the same page file. It is possible to configure Windows to clear the contents of the page file at shutdown. More information here and here . It is possible to configure Windows to encrypt the contents of the page file: Run secpol.msc to open the Local Security Policy editor Expand the group labeled Public Key Policies Right-click Properties on the item labeled Encrypting File System Select Allow to enable Encrypting File System (EFS) Click Apply and then OK Reboot to put the new setting into effect Windows Hibernate File Similar to the Windows Page File, the hibernate file stores a copy of the memory and state of the system before the computer is turned off as part of the hibernate process. Thus the hibernate file may contain bits of memory that were used by a sandboxed program. System Restore Restore points are snapshots of the state of the operating system at some points in time. The System Restore component in Windows XP and later versions records and restores these snapshots. Snapshots are recorded in the (typically inaccessible) folder called System Volume Information and may include many types of files found throughout the system, including within the folders of the sandbox. Thus it is possible that System Restore will create backup copies in its folders for files or programs that exist only in the sandbox. The System Restore component can be set to ignore files and folders in temporary folders, so moving the sandbox to %TEMP%\\SANDBOX (instead of the default C:\\SANDBOX ) and adding the path within the registry key FilesNotToSnapshot , System Restore should ignore the sandbox when creating a Shadow Copy snapshot. More information here . 
System, Audit and Other Event Logs Windows sometimes records bits of information about running programs in its various event logs . Typically, very little if any information is logged about a program. However, if security auditing has been enabled for some aspects of the system, Windows will have no trouble logging the details of any actions taken by a program running under Sandboxie. Windows has an Event Viewer program which can be used to view and delete the event logs. More information here . Windows System Tray Icons When a programs which is running under Sandboxie asks to place an icon in the system tray area , Sandboxie lets the program place the icon in the real system tray, which is typically located at the bottom right corner of the display. This has the advantage that interaction with the tray icon of the sandboxed program is as easy as interacting with any other tray icon. However, it also means that Windows will record this icon and its description in the history of all tray icons it has ever displayed. It is possible to manually clear this history in Windows . There may also be third-party registry cleaning tools that can erase this information. Disk Defragmentation Disk defragmenter software can be used to organize the contents of the hard disk at the level of data blocks, so that files may be accessed faster by the operating system. Although this is not a privacy concern, the issue of sandboxed programs being able to defragment the disk has been raised and should be addressed. Sandboxie isolation occurs at the higher file level rather than the lower level of data blocks. Moving data blocks around on the disk has no impact on the isolation of the sandbox, and cannot be used by a malicious program to somehow \"move\" its data out of the sandbox. IP Privacy Sandboxie isolation and protection occurs entirely within the local computer and is not visible to any other remote computer. 
Thus accessing the Internet using a sandboxed program looks the same as accessing the Internet using a program that is not running under Sandboxie. In both cases the remote computer identifies the accessing computer by its IP address. There are various third-party solutions for anonymous Web access. More information here . Windows DNS Host Cache Sandboxie does not prevent the logging and storage of the hosts file (DNS cache) on your Windows machine. This is written to C:\\Windows\\System32\\drivers\\etc .","title":"Privacy Concerns"},{"location":"Content/ProcessLimit/","text":"Process Limit ProcessLimit is a sandbox setting in Sandboxie Ini available since v0.9.7 / 5.52.1. This setting allows you to limit the maximum number of processes that Sandboxie will allow in the sandbox at the same time. Note: The start of new processes is delayed for 3 seconds when 80% of the set limit is reached. Once the limit is reached, no new process will be allowed to start (until another process is killed). . . . [DefaultBox] ProcessLimit=100","title":"Process Limit"},{"location":"Content/ProcessLimit/#process-limit","text":"ProcessLimit is a sandbox setting in Sandboxie Ini available since v0.9.7 / 5.52.1. This setting allows you to limit the maximum number of processes that Sandboxie will allow in the sandbox at the same time. Note: The start of new processes is delayed for 3 seconds when 80% of the set limit is reached. Once the limit is reached, no new process will be allowed to start (until another process is killed). . . . [DefaultBox] ProcessLimit=100","title":"Process Limit"},{"location":"Content/ProcessLimit1/","text":"Process Limit 1 ProcessLimit1 and ProcessLimit2 were removed since Sandboxie v0.7.1 / 5.48.5 in favour of ProcessLimit . ProcessLimit1 and ProcessLimit2 were sandbox settings in Sandboxie Ini . They limited the maximum number of processes that Sandboxie allowed in the sandbox at the same time. . . . 
[DefaultBox] ProcessLimit1=100 ProcessLimit2=200 ProcessLimit1: Once the sandbox has more than X programs at the same time, each new program will be delayed for ten seconds before it starts to run. X is the number specified in ProcessLimit1. The length of the delay, ten seconds, is not configurable. ProcessLimit2: Once the sandbox has more than Y programs at the same time, each new program will be immediately terminated. Y is the number specified in ProcessLimit2. The default numbers are 100 and 200 as mentioned above. ProcessLimit2 cannot be smaller than ProcessLimit1. Creative values can turn off one or both modes. For example, ProcessLimit2=999999 will effectively disable the termination feature. On the other hand, ProcessLimit1=50 ProcessLimit2=50 will effectively disable the delaying feature.","title":"Process Limit 1"},{"location":"Content/ProcessLimit1/#process-limit-1","text":"ProcessLimit1 and ProcessLimit2 were removed since Sandboxie v0.7.1 / 5.48.5 in favour of ProcessLimit . ProcessLimit1 and ProcessLimit2 were sandbox settings in Sandboxie Ini . They limited the maximum number of processes that Sandboxie allowed in the sandbox at the same time. . . . [DefaultBox] ProcessLimit1=100 ProcessLimit2=200 ProcessLimit1: Once the sandbox has more than X programs at the same time, each new program will be delayed for ten seconds before it starts to run. X is the number specified in ProcessLimit1. The length of the delay, ten seconds, is not configurable. ProcessLimit2: Once the sandbox has more than Y programs at the same time, each new program will be immediately terminated. Y is the number specified in ProcessLimit2. The default numbers are 100 and 200 as mentioned above. ProcessLimit2 cannot be smaller than ProcessLimit1. Creative values can turn off one or both modes. For example, ProcessLimit2=999999 will effectively disable the termination feature. 
On the other hand, ProcessLimit1=50 ProcessLimit2=50 will effectively disable the delaying feature.","title":"Process Limit 1"},{"location":"Content/ProcessLimit2/","text":"Process Limit 2 Please see Process Limit 1 .","title":"Process Limit 2"},{"location":"Content/ProcessLimit2/#process-limit-2","text":"Please see Process Limit 1 .","title":"Process Limit 2"},{"location":"Content/ProgramNamePrefix/","text":"Program Name Prefix In several settings in the Sandboxie Ini configuration file, a program name can be specified. This tells the setting to take effect only for sandboxed processes that match the program name criteria. The prefix is specified as the name of the executable, with an extension, but without a folder path: iexplore.exe - right C:\\Program Files\\Internet Explorer\\iexplore.exe - wrong The prefix may start with an exclamation point (!) to indicate negative criteria. A comma (,) separates the prefix from the rest of the setting specification. For example: . . . [DefaultBox] OpenFilePath=iexplore.exe,%Favorites% ClosedFilePath=!iexplore.exe,%Favorites% This combination means that Internet Explorer ( iexplore.exe ) has direct access to the Favorites folder and the shortcuts within it. On the other hand, any other program (NOT iexplore.exe , note the exclamation point) is denied any kind of access to that same folder.","title":"Program Name Prefix"},{"location":"Content/ProgramNamePrefix/#program-name-prefix","text":"In several settings in the Sandboxie Ini configuration file, a program name can be specified. This tells the setting to take effect only for sandboxed processes that match the program name criteria. The prefix is specified as the name of the executable, with an extension, but without a folder path: iexplore.exe - right C:\\Program Files\\Internet Explorer\\iexplore.exe - wrong The prefix may start with an exclamation point (!) to indicate negative criteria. A comma (,) separates the prefix from the rest of the setting specification. 
For example: . . . [DefaultBox] OpenFilePath=iexplore.exe,%Favorites% ClosedFilePath=!iexplore.exe,%Favorites% This combination means that Internet Explorer ( iexplore.exe ) has direct access to the Favorites folder and the shortcuts within it. On the other hand, any other program (NOT iexplore.exe , note the exclamation point) is denied any kind of access to that same folder.","title":"Program Name Prefix"},{"location":"Content/ProgramSettings/","text":"Program Settings Overview The Program Settings window is a quick way to configure some of the aspects of Sandboxie. To access the window, right-click on the name of a running sandboxed program to show the context menu, and select Program Settings : (You can also use Shift+F10 or the View menu to show the context menu.) The Program Settings window displays the sandbox where the program is running, the name of the program executable file, and checkboxes for the quick configurations settings. It is composed of two pages. Switch between the pages using the View Page 1 and View Page 2 radio buttons. Page 1 Program Start These settings control how Sandboxie handles programs that start outside any sandbox. Issue alert message SBIE1301 Sandboxie will issue message SBIE1301 whenever this program starts outside any sandbox. See also Configure Menu > Program Alerts . Force program to run in this sandbox Sandboxie will automatically force the program to run in this sandbox. See also Sandbox Settings > Program Start > Forced Programs . Program Stop These settings control how Sandboxie handles this program stopping in this sandbox. Stop this program if it lingers in the sandbox after other programs have ended Sandboxie will automatically terminate this program if it remains running when all other programs stopped. See also Sandbox Settings > Program Stop > Lingering Programs . Stop other programs after this leader program has ended Sandboxie will terminate every other program in the sandbox when this program stops. 
See also Sandbox Settings > Program Stop > Leader Programs . Page 2 These settings control which restrictions apply to this program. Internet Restrictions : Enable restrictions and allow this program to connect to the Internet Enable Internet restrictions in the sandbox, which means no program can connect to the Internet unless explicitly allowed. Additionally, explicitly allows this program to connect to the Internet from this sandbox. See also Sandbox Settings > Restrictions > Internet Access . Start/Run Restrictions : Enable restrictions and allow this program to start Enable Start/Run restrictions in the sandbox, which means no program can start unless explicitly allowed. Additionally, explicitly allows this program to start and run in this sandbox. See also Sandbox Settings > Restrictions > Start/Run Access .","title":"Program Settings"},{"location":"Content/ProgramSettings/#program-settings","text":"","title":"Program Settings"},{"location":"Content/ProgramSettings/#overview","text":"The Program Settings window is a quick way to configure some of the aspects of Sandboxie. To access the window, right-click on the name of a running sandboxed program to show the context menu, and select Program Settings : (You can also use Shift+F10 or the View menu to show the context menu.) The Program Settings window displays the sandbox where the program is running, the name of the program executable file, and checkboxes for the quick configurations settings. It is composed of two pages. Switch between the pages using the View Page 1 and View Page 2 radio buttons.","title":"Overview"},{"location":"Content/ProgramSettings/#page-1","text":"Program Start These settings control how Sandboxie handles programs that start outside any sandbox. Issue alert message SBIE1301 Sandboxie will issue message SBIE1301 whenever this program starts outside any sandbox. See also Configure Menu > Program Alerts . 
Force program to run in this sandbox Sandboxie will automatically force the program to run in this sandbox. See also Sandbox Settings > Program Start > Forced Programs . Program Stop These settings control how Sandboxie handles this program stopping in this sandbox. Stop this program if it lingers in the sandbox after other programs have ended Sandboxie will automatically terminate this program if it remains running when all other programs stopped. See also Sandbox Settings > Program Stop > Lingering Programs . Stop other programs after this leader program has ended Sandboxie will terminate every other program in the sandbox when this program stops. See also Sandbox Settings > Program Stop > Leader Programs .","title":"Page 1"},{"location":"Content/ProgramSettings/#page-2","text":"These settings control which restrictions apply to this program. Internet Restrictions : Enable restrictions and allow this program to connect to the Internet Enable Internet restrictions in the sandbox, which means no program can connect to the Internet unless explicitly allowed. Additionally, explicitly allows this program to connect to the Internet from this sandbox. See also Sandbox Settings > Restrictions > Internet Access . Start/Run Restrictions : Enable restrictions and allow this program to start Enable Start/Run restrictions in the sandbox, which means no program can start unless explicitly allowed. Additionally, explicitly allows this program to start and run in this sandbox. See also Sandbox Settings > Restrictions > Start/Run Access .","title":"Page 2"},{"location":"Content/ProgramStartSettings/","text":"Program Start Settings \"Program Start\" Settings Group Sandboxie Control > Sandbox Settings > Program Start: Settings in this section control which programs will be automatically sandboxed when started outside any sandbox. Put another way, here you select the program which Sandboxie will \"force\" to run sandboxed. 
Forced Folders Sandboxie Control > Sandbox Settings > Program Start > Forced Folders You may designate some folders for automatic, or forced, sandboxing. This means that if any program from that folder starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. Some examples where this is useful: On your \"download\" folder, where you typically download software from the Internet On your CDROM or DVD drive, so \"AutoRun\" programs on CDs and DVDs will start sandboxed. If you install several versions of the same program in separate folders, and wish to isolate each version to a separate sandbox. Use this settings page to select the folders (or drives) to which Forced Folders should apply. Notes: Forced Folders can be temporarily suspended using the Disable Forced Programs command. Forced Folders take precedence over Forced Programs . In other words, when a program matches both a Forced Folders and a Forced Programs setting, the Forced Folder setting will apply, and the Forced Programs setting will be ignored. Related Sandboxie Ini setting: ForceFolder . Forced Programs Sandboxie Control > Sandbox Settings > Program Start > Forced Programs You may designate some program names for automatic, or forced, sandboxing. This means that if that program starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. The most common use for the Forced Programs setting is to set the Web browser to automatically run sandboxed. Use this settings page to select the programs that will be forced to run in the sandbox. Use the Add By Name button to enter the program name, or the Add By File button to select the program file through folder navigation. You can also configure this setting in the Program Settings window. On your \"download\" folder, where you typically download software from the Internet On your CDROM or DVD drive, so \"AutoRun\" programs on the CD or DVD will start sandboxed. 
If you install several versions of the same program in separate folders, and wish to isolate each version to a separate sandbox. Notes: Forced Programs can be temporarily suspended using the Disable Forced Programs command. Forced Folders take precedence over Forced Programs. In other words, when a program matches both a Forced Folders and a Forced Programs setting, the Forced Folder setting will apply, and the Forced Programs setting will be ignored. Related Sandboxie Ini setting: ForceProcess .","title":"Program Start Settings"},{"location":"Content/ProgramStartSettings/#program-start-settings","text":"","title":"Program Start Settings"},{"location":"Content/ProgramStartSettings/#program-start-settings-group","text":"Sandboxie Control > Sandbox Settings > Program Start: Settings in this section control which programs will be automatically sandboxed when started outside any sandbox. Put another way, here you select the program which Sandboxie will \"force\" to run sandboxed.","title":"\"Program Start\" Settings Group"},{"location":"Content/ProgramStartSettings/#forced-folders","text":"Sandboxie Control > Sandbox Settings > Program Start > Forced Folders You may designate some folders for automatic, or forced, sandboxing. This means that if any program from that folder starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. Some examples where this is useful: On your \"download\" folder, where you typically download software from the Internet On your CDROM or DVD drive, so \"AutoRun\" programs on CDs and DVDs will start sandboxed. If you install several versions of the same program in separate folders, and wish to isolate each version to a separate sandbox. Use this settings page to select the folders (or drives) to which Forced Folders should apply. Notes: Forced Folders can be temporarily suspended using the Disable Forced Programs command. Forced Folders take precedence over Forced Programs . 
In other words, when a program matches both a Forced Folders and a Forced Programs setting, the Forced Folder setting will apply, and the Forced Programs setting will be ignored. Related Sandboxie Ini setting: ForceFolder .","title":"Forced Folders"},{"location":"Content/ProgramStartSettings/#forced-programs","text":"Sandboxie Control > Sandbox Settings > Program Start > Forced Programs You may designate some program names for automatic, or forced, sandboxing. This means that if that program starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. The most common use for the Forced Programs setting is to set the Web browser to automatically run sandboxed. Use this settings page to select the programs that will be forced to run in the sandbox. Use the Add By Name button to enter the program name, or the Add By File button to select the program file through folder navigation. You can also configure this setting in the Program Settings window. On your \"download\" folder, where you typically download software from the Internet On your CDROM or DVD drive, so \"AutoRun\" programs on the CD or DVD will start sandboxed. If you install several versions of the same program in separate folders, and wish to isolate each version to a separate sandbox. Notes: Forced Programs can be temporarily suspended using the Disable Forced Programs command. Forced Folders take precedence over Forced Programs. In other words, when a program matches both a Forced Folders and a Forced Programs setting, the Forced Folder setting will apply, and the Forced Programs setting will be ignored. Related Sandboxie Ini setting: ForceProcess .","title":"Forced Programs"},{"location":"Content/ProgramStopSettings/","text":"Program Stop Settings \"Program Stop\" Settings Group Sandboxie Control > Sandbox Settings > Program Stop: Settings in this section control when Sandboxie automatically ends programs that run in the sandbox. 
Lingering Programs Sandboxie Control > Sandbox Settings > Program Stop > Lingering Programs When one sandboxed program starts another program, that other program will be started in the same sandbox. However, the end of first program does not necessarily mean that the second program ends as well. This means that the sandbox can still be active after the primary program in the sandbox has been stopped. For example, viewing a PDF file in Internet Explorer may cause the Adobe Acrobat Reader program (acrord32.exe) to start in the sandbox. The Reader program will linger in the sandbox even after the Internet Explorer program has ended. This behavior is usually not desired. Use this settings page to identify the programs that Sandboxie should automatically stop, if they are lingering in the sandbox after all other (non-lingering) programs have ended. You can also configure this setting in the Program Settings window. (Note that acrord32.exe is already a default setting.) Note: When no program is running in the sandbox, and you explicitly start one of the lingering programs, then that program will not be considered a lingering program, and will not be stopped automatically. For example, if nothing is running in the sandbox, and you explicitly start Adobe Acrobat Reader sandboxed, then Sandboxie will not immediately stop this program. Related Sandboxie Ini setting: LingerProcess . Leader Programs Sandboxie Control > Sandbox Settings > Program Stop > Leader Programs When this sandboxed program ends, Sandboxie will stop all other programs in the sandbox. Use this settings page to identify those programs that should be considered primary programs in the sandbox, such that whenever they finish and stop, all other programs in the sandbox are stopped as well. 
For example, if you have a sandbox dedicated for Web browsing, then rather than listing all possible lingering programs (see Lingering Programs above for a discussion of a lingering program),you can list just the Web browser program as the leader program. You can also configure this setting in the Program Settings window. Related Sandboxie Ini setting: LeaderProcess .","title":"Program Stop Settings"},{"location":"Content/ProgramStopSettings/#program-stop-settings","text":"","title":"Program Stop Settings"},{"location":"Content/ProgramStopSettings/#program-stop-settings-group","text":"Sandboxie Control > Sandbox Settings > Program Stop: Settings in this section control when Sandboxie automatically ends programs that run in the sandbox.","title":"\"Program Stop\" Settings Group"},{"location":"Content/ProgramStopSettings/#lingering-programs","text":"Sandboxie Control > Sandbox Settings > Program Stop > Lingering Programs When one sandboxed program starts another program, that other program will be started in the same sandbox. However, the end of first program does not necessarily mean that the second program ends as well. This means that the sandbox can still be active after the primary program in the sandbox has been stopped. For example, viewing a PDF file in Internet Explorer may cause the Adobe Acrobat Reader program (acrord32.exe) to start in the sandbox. The Reader program will linger in the sandbox even after the Internet Explorer program has ended. This behavior is usually not desired. Use this settings page to identify the programs that Sandboxie should automatically stop, if they are lingering in the sandbox after all other (non-lingering) programs have ended. You can also configure this setting in the Program Settings window. (Note that acrord32.exe is already a default setting.) 
Note: When no program is running in the sandbox, and you explicitly start one of the lingering programs, then that program will not be considered a lingering program, and will not be stopped automatically. For example, if nothing is running in the sandbox, and you explicitly start Adobe Acrobat Reader sandboxed, then Sandboxie will not immediately stop this program. Related Sandboxie Ini setting: LingerProcess .","title":"Lingering Programs"},{"location":"Content/ProgramStopSettings/#leader-programs","text":"Sandboxie Control > Sandbox Settings > Program Stop > Leader Programs When this sandboxed program ends, Sandboxie will stop all other programs in the sandbox. Use this settings page to identify those programs that should be considered primary programs in the sandbox, such that whenever they finish and stop, all other programs in the sandbox are stopped as well. For example, if you have a sandbox dedicated for Web browsing, then rather than listing all possible lingering programs (see Lingering Programs above for a discussion of a lingering program),you can list just the Web browser program as the leader program. You can also configure this setting in the Program Settings window. Related Sandboxie Ini setting: LeaderProcess .","title":"Leader Programs"},{"location":"Content/ProgramsView/","text":"Programs View Sandboxie Control > View Menu > Programs The Programs View is the default view mode in Sandboxie Control . The programs running in each sandbox are displayed here, grouped by sandbox name. The list shows three columns: The Program Name column displays the name of the executable file of the program. For example, the picture shows iexplore.exe , which is the executable name for Internet Explorer. For a row describing a sandbox, this column displays the name of the sandbox. The PID column displays the process ID of the program. This is the same number that appears in the Processes tab of the Windows Task Manager. 
(The Windows Task Manager appears when you press the Ctrl+Shift+Esc keyboard shortcut or Ctrl+Alt+Del, which leads to the Windows logon screen.) For a row describing a sandbox, this column displays Active if any programs are running in the sandbox. The Window Title column displays the title associated with the main window of the program. Use the small + or - icon, located at the start of each Active sandbox row, to expand or collapse the display of programs in the sandbox. Context Menus The Programs View provides context menus for sandboxes and programs. To display a context menu for the item (sandbox or program) in some row, do one of the following: Click the right mouse button anywhere on the row. Select (highlight) the row using the mouse or keyboard, then press Shift+F10. Select (highlight) the row using the mouse or keyboard, then use the View Menu -> Context Menu command. For a sandbox row, the context menu displayed is the same as Sandbox Menu -> Sandbox Sub-Menu . See there for a full description. For a program row, the context menu offers the following commands: The Terminate Program command terminates the program. The Program Settings command displays the Program Settings window for the program. The Resource Access command displays the Sandbox Settings > Resource Access group of settings pages, where the program name is pre-selected in the program name filter ( The list above applies to filter). Go to Sandboxie Control , Files And Folders View , Help Topics .","title":"Programs View"},{"location":"Content/ProgramsView/#programs-view","text":"Sandboxie Control > View Menu > Programs The Programs View is the default view mode in Sandboxie Control . The programs running in each sandbox are displayed here, grouped by sandbox name. The list shows three columns: The Program Name column displays the name of the executable file of the program. For example, the picture shows iexplore.exe , which is the executable name for Internet Explorer. 
For a row describing a sandbox, this column displays the name of the sandbox. The PID column displays the process ID of the program. This is the same number that appears in the Processes tab of the Windows Task Manager. (The Windows Task Manager appears when you press the Ctrl+Shift+Esc keyboard shortcut or Ctrl+Alt+Del, which leads to the Windows logon screen.) For a row describing a sandbox, this column displays Active if any programs are running in the sandbox. The Window Title column displays the title associated with the main window of the program. Use the small + or - icon, located at the start of each Active sandbox row, to expand or collapse the display of programs in the sandbox. Context Menus The Programs View provides context menus for sandboxes and programs. To display a context menu for the item (sandbox or program) in some row, do one of the following: Click the right mouse button anywhere on the row. Select (highlight) the row using the mouse or keyboard, then press Shift+F10. Select (highlight) the row using the mouse or keyboard, then use the View Menu -> Context Menu command. For a sandbox row, the context menu displayed is the same as Sandbox Menu -> Sandbox Sub-Menu . See there for a full description. For a program row, the context menu offers the following commands: The Terminate Program command terminates the program. The Program Settings command displays the Program Settings window for the program. The Resource Access command displays the Sandbox Settings > Resource Access group of settings pages, where the program name is pre-selected in the program name filter ( The list above applies to filter). Go to Sandboxie Control , Files And Folders View , Help Topics .","title":"Programs View"},{"location":"Content/PromptForFileMigration/","text":"Prompt For File Migration PromptForFileMigration is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will prompt for large file migration. For more information, see SBIE2102 . . . . 
[DefaultBox] PromptForFileMigration=n Specifying n indicates sandbox will not prompt user for file migration (the access will be read-only). Related Sandboxie Plus setting: Sandbox Options > File Options > File Migration > Prompt user for large file migration Related Sandboxie Ini setting: CopyLimitKb , CopyLimitSilent","title":"Prompt For File Migration"},{"location":"Content/PromptForFileMigration/#prompt-for-file-migration","text":"PromptForFileMigration is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will prompt for large file migration. For more information, see SBIE2102 . . . . [DefaultBox] PromptForFileMigration=n Specifying n indicates sandbox will not prompt user for file migration (the access will be read-only). Related Sandboxie Plus setting: Sandbox Options > File Options > File Migration > Prompt user for large file migration Related Sandboxie Ini setting: CopyLimitKb , CopyLimitSilent","title":"Prompt For File Migration"},{"location":"Content/ProtectHostImages/","text":"Protect Host Images ProtectHostImages is a sandbox setting in Sandboxie Ini available since v1.9.0 / 5.64.0. This setting can be enabled to prevent processes located outside the sandbox from loading boxed DLLs. . . . [DefaultBox] ProtectHostImages=y Related Sandboxie Plus setting: Sandbox Options > Various Options > Dlls & Extensions > Prevent sandboxed programs installed on host from loading DLLs from the sandbox","title":"Protect Host Images"},{"location":"Content/ProtectHostImages/#protect-host-images","text":"ProtectHostImages is a sandbox setting in Sandboxie Ini available since v1.9.0 / 5.64.0. This setting can be enabled to prevent processes located outside the sandbox from loading boxed DLLs. . . . 
[DefaultBox] ProtectHostImages=y Related Sandboxie Plus setting: Sandbox Options > Various Options > Dlls & Extensions > Prevent sandboxed programs installed on host from loading DLLs from the sandbox","title":"Protect Host Images"},{"location":"Content/ProtectedStorage/","text":"Protected Storage Protected Storage (hereafter PStore) was a small memory space available until Windows 7, managed by the system security component, and usable by applications. Applications that needed to store sensitive information, such as passwords, could use PStore rather than implement means to encrypt and protect that information. Note that PStore memory of one user account is not accessible by another user account; but all programs running in the same user account can see and change information entered into the memory store by any other application. The best application example is Internet Explorer version 6, which uses PStore to store AutoComplete history (such as the Google search box) and passwords in Web forms. (Note that Internet Explorer version 7 still encrypts this information, but no longer uses PStore to do it. Presumably this is an effort to hide the sensitive information from other programs -- most likely spyware that may be running in the same user account.) Sandboxie can provide its own implementation of PStore, for sandboxed applications. This is the default setting, unless altered in Sandbox Settings > Applications > Web Browser . The Sandboxie PStore is stored in the file SbiePst.dat in the sandboxed Windows folder. The Sandboxie implementation of PStore encrypts data using a much weaker method than what the system security component would have done. 
However, information entered into the Sandboxie PStore will likely disappear quickly, as part of the process of deleting the sandbox.","title":"Protected Storage"},{"location":"Content/ProtectedStorage/#protected-storage","text":"Protected Storage (hereafter PStore) was a small memory space available until Windows 7, managed by the system security component, and usable by applications. Applications that needed to store sensitive information, such as passwords, could use PStore rather than implement means to encrypt and protect that information. Note that PStore memory of one user account is not accessible by another user account; but all programs running in the same user account can see and change information entered into the memory store by any other application. The best application example is Internet Explorer version 6, which uses PStore to store AutoComplete history (such as the Google search box) and passwords in Web forms. (Note that Internet Explorer version 7 still encrypts this information, but no longer uses PStore to do it. Presumably this is an effort to hide the sensitive information from other programs -- most likely spyware that may be running in the same user account.) Sandboxie can provide its own implementation of PStore, for sandboxed applications. This is the default setting, unless altered in Sandbox Settings > Applications > Web Browser . The Sandboxie PStore is stored in the file SbiePst.dat in the sandboxed Windows folder. The Sandboxie implementation of PStore encrypts data using a much weaker method than what the system security component would have done. However, information entered into the Sandboxie PStore will likely disappear quickly, as part of the process of deleting the sandbox.","title":"Protected Storage"},{"location":"Content/QuickRecovery/","text":"Quick Recovery Sandboxie Control > Sandbox Menu > Quick Recovery Sandboxie Control > Tray Icon Menu > Quick Recovery Sandboxed programs create files and folders inside the sandbox. 
It may be desirable to move some of these created files out of the sandbox. For instance, a document file downloaded by a sandboxed browser is saved into the sandbox, but that file should be extracted and placed in the Documents folder outside the sandbox. The rudimentary approach is to use the regular, non-sandboxed Windows Explorer to navigate inside the folders that make up the sandbox. By using the Sandbox Menu > Sandbox > Explore Contents command, you can open a folder window (unsandboxed) with a view into the sandbox. You can then navigate in the depth of the sandbox folder, and cut sandboxed files in order to paste them somewhere else. The Quick Recovery feature makes it easier to extract files (and even whole folders) that are created and saved by sandboxed programs. It scans a few sandboxed folders, which have to be selected in advance, and lists the files (and folders) it finds within them. These files (and folders) can be recovered into the corresponding location outside the sandbox, or to any location. To invoke the Quick Recovery window, use the Sandbox Menu > Sandbox > Quick Recovery command (or the corresponding command from the Tray Icon Menu ). Quick Recovery also appear as part of the Delete Sandbox window. The Quick Recovery Window The central area which extends to the lower right corner of the window shows the quick-recoverable files and folders in a particular sandbox. Select a file or folder, and then click one of the two Recover to buttons on the left: Recover to Same Folder moves the file (or folder) from the sandbox to a corresponding location outside the sandbox. For example, the picture above shows the file favicon.ico in the sandboxed Desktop folder. Clicking this command on the file will move it to the real desktop folder. Recover to Any Folder first displays a Browse For Folder dialog box, then moves the file (or folder) to the folder selected in the dialog box. 
These commands are also available if you invoke the context menu on a file or folder, typically by clicking the right mouse button on it. Adding Folders to Quick Recovery As noted, Quick Recovery only scans folders which are explicitly selected. By default, it scans the Desktop , Favorites and Documents folders. Where applicable, your Downloads folder is also considered a recoverable folder. You can add more folders using the Add Folder button. You can use Sandbox Settings > Recovery > Quick Recovery to add and remove folders. When Sandboxie Control is in Files And Folders View view, you can right-click a folder and select Add Folder to Quick Recovery . Go to Delete Sandbox , Immediate Recovery , Sandboxie Control , Help Topics .","title":"Quick Recovery"},{"location":"Content/QuickRecovery/#quick-recovery","text":"Sandboxie Control > Sandbox Menu > Quick Recovery Sandboxie Control > Tray Icon Menu > Quick Recovery Sandboxed programs create files and folders inside the sandbox. It may be desirable to move some of these created files out of the sandbox. For instance, a document file downloaded by a sandboxed browser is saved into the sandbox, but that file should be extracted and placed in the Documents folder outside the sandbox. The rudimentary approach is to use the regular, non-sandboxed Windows Explorer to navigate inside the folders that make up the sandbox. By using the Sandbox Menu > Sandbox > Explore Contents command, you can open a folder window (unsandboxed) with a view into the sandbox. You can then navigate in the depth of the sandbox folder, and cut sandboxed files in order to paste them somewhere else. The Quick Recovery feature makes it easier to extract files (and even whole folders) that are created and saved by sandboxed programs. It scans a few sandboxed folders, which have to be selected in advance, and lists the files (and folders) it finds within them. 
These files (and folders) can be recovered into the corresponding location outside the sandbox, or to any location. To invoke the Quick Recovery window, use the Sandbox Menu > Sandbox > Quick Recovery command (or the corresponding command from the Tray Icon Menu ). Quick Recovery also appear as part of the Delete Sandbox window. The Quick Recovery Window The central area which extends to the lower right corner of the window shows the quick-recoverable files and folders in a particular sandbox. Select a file or folder, and then click one of the two Recover to buttons on the left: Recover to Same Folder moves the file (or folder) from the sandbox to a corresponding location outside the sandbox. For example, the picture above shows the file favicon.ico in the sandboxed Desktop folder. Clicking this command on the file will move it to the real desktop folder. Recover to Any Folder first displays a Browse For Folder dialog box, then moves the file (or folder) to the folder selected in the dialog box. These commands are also available if you invoke the context menu on a file or folder, typically by clicking the right mouse button on it. Adding Folders to Quick Recovery As noted, Quick Recovery only scans folders which are explicitly selected. By default, it scans the Desktop , Favorites and Documents folders. Where applicable, your Downloads folder is also considered a recoverable folder. You can add more folders using the Add Folder button. You can use Sandbox Settings > Recovery > Quick Recovery to add and remove folders. When Sandboxie Control is in Files And Folders View view, you can right-click a folder and select Add Folder to Quick Recovery . Go to Delete Sandbox , Immediate Recovery , Sandboxie Control , Help Topics .","title":"Quick Recovery"},{"location":"Content/Ransomware/","text":"Ransomware Of all the classes of malware, ransomware may be the most destructive because often its not possible to recover from its negative effects. 
While most malware is disruptive in nature (including banking Trojans that steal financial data and credentials, malware that targets information like intellectual property, and those that turn your machines into bots to send out spam campaigns), an organization can eventually recover from their damage after significant cost, effort, and time. Not so with ransomware your important business data can be lost forever. Did you know that ransomware can hold your data hostage, and can't be stopped with anti-virus software alone? Sandboxie runs your programs in an isolated space which prevents malware - including ransomware - from making permanent changes to other programs and data in your computer.","title":"Ransomware"},{"location":"Content/Ransomware/#ransomware","text":"Of all the classes of malware, ransomware may be the most destructive because often its not possible to recover from its negative effects. While most malware is disruptive in nature (including banking Trojans that steal financial data and credentials, malware that targets information like intellectual property, and those that turn your machines into bots to send out spam campaigns), an organization can eventually recover from their damage after significant cost, effort, and time. Not so with ransomware your important business data can be lost forever. Did you know that ransomware can hold your data hostage, and can't be stopped with anti-virus software alone? Sandboxie runs your programs in an isolated space which prevents malware - including ransomware - from making permanent changes to other programs and data in your computer.","title":"Ransomware"},{"location":"Content/ReadFilePath/","text":"Read File Path ReadFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for files, and will not allow writing. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . 
[DefaultBox] ReadFilePath=C:\\WINDOWS This example forces the C:\\WINDOWS folder, and everything below it, to be readable, but not writable (or deletable) by sandboxed programs. Note: ReadFilePath is a restricted form of OpenFilePath . As with OpenFilePath , any already-existing sandboxed contents for the specified file or folder locations, are ignored. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Read-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Read Only","title":"Read File Path"},{"location":"Content/ReadFilePath/#read-file-path","text":"ReadFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for files, and will not allow writing. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . [DefaultBox] ReadFilePath=C:\\WINDOWS This example forces the C:\\WINDOWS folder, and everything below it, to be readable, but not writable (or deletable) by sandboxed programs. Note: ReadFilePath is a restricted form of OpenFilePath . As with OpenFilePath , any already-existing sandboxed contents for the specified file or folder locations, are ignored. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Read-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Read Only","title":"Read File Path"},{"location":"Content/ReadIpcPath/","text":"Read Ipc Path ReadIpcPath is a sandbox setting in Sandboxie Ini available since v1.0.16 / 5.55.16. It specifies path patterns for which Sandboxie will allow read access to unsandboxed processes or processes in other boxes. This lets sandboxed programs access resources and services provided by programs running outside the sandbox. Program Name Prefix may be specified. Usage: . . . 
[DefaultBox] ReadIpcPath=$:program.exe This example permits a program running inside the sandbox to have read access into the address space of a target process running outside the sandbox or processes in other boxes. The process name of the target process must match the name specified in the setting. It is also possible to restore the old behavior entirely by specifying: . . . [DefaultBox] ReadIpcPath=$:* By default, the only process whose memory can be read is explorer.exe . Many processes requires it and Windows File Explorer should not keep any secrets anyway. To block this, you can use: . . . [DefaultBox] ClosedIpcPath=$:explorer.exe Related Sandboxie Plus settings: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Read Only Sandbox Options > General Options > Restrictions > Other restrictions > Allow to read memory of unsandboxed processes (not recommended)","title":"Read Ipc Path"},{"location":"Content/ReadIpcPath/#read-ipc-path","text":"ReadIpcPath is a sandbox setting in Sandboxie Ini available since v1.0.16 / 5.55.16. It specifies path patterns for which Sandboxie will allow read access to unsandboxed processes or processes in other boxes. This lets sandboxed programs access resources and services provided by programs running outside the sandbox. Program Name Prefix may be specified. Usage: . . . [DefaultBox] ReadIpcPath=$:program.exe This example permits a program running inside the sandbox to have read access into the address space of a target process running outside the sandbox or processes in other boxes. The process name of the target process must match the name specified in the setting. It is also possible to restore the old behavior entirely by specifying: . . . [DefaultBox] ReadIpcPath=$:* By default, the only process whose memory can be read is explorer.exe . Many processes requires it and Windows File Explorer should not keep any secrets anyway. To block this, you can use: . . . 
[DefaultBox] ClosedIpcPath=$:explorer.exe Related Sandboxie Plus settings: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Read Only Sandbox Options > General Options > Restrictions > Other restrictions > Allow to read memory of unsandboxed processes (not recommended)","title":"Read Ipc Path"},{"location":"Content/ReadKeyPath/","text":"Read Key Path ReadKeyPath is a sandbox setting in Sandboxie Ini . It specifies a path patterns, for which Sandboxie will not apply sandboxing for registry keys, and will not allow writing. Program Name Prefix may be specified. Example: . . . [DefaultBox] ReadKeyPath=HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies This example forces the Policies key, and everything below it, to be readable, but not writable (or deletable) by sandboxed programs. Note: ReadKeyPath is a restricted form of OpenKeyPath . As with OpenKeyPath , any already-existing sandboxed contents for the specified file or folder locations, are ignored. Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Read-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Read Only","title":"Read Key Path"},{"location":"Content/ReadKeyPath/#read-key-path","text":"ReadKeyPath is a sandbox setting in Sandboxie Ini . It specifies a path patterns, for which Sandboxie will not apply sandboxing for registry keys, and will not allow writing. Program Name Prefix may be specified. Example: . . . [DefaultBox] ReadKeyPath=HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies This example forces the Policies key, and everything below it, to be readable, but not writable (or deletable) by sandboxed programs. Note: ReadKeyPath is a restricted form of OpenKeyPath . As with OpenKeyPath , any already-existing sandboxed contents for the specified file or folder locations, are ignored. 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Read-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Read Only","title":"Read Key Path"},{"location":"Content/RecoverFolder/","text":"Recover Folder RecoverFolder is a sandbox setting in Sandboxie Ini . It specifies the sandboxed folders that Quick Recovery should examine. Shell Folders may be specified. For example: . . . [DefaultBox] RecoverFolder=%Personal% RecoverFolder=C:\\Downloads [InstallBox] RecoverFolder=D:\\Program Files The first two example settings specify that Quick Recovery from the DefaultBox sandbox should look in the Documents and the Downloads folders in drive C. The third example setting specifies that QuickRecovery from the InstallBox sandbox should look in the Program Files folder in drive D. Note that when Quick Recovery looks in the specified folder, it also looks in any folders within that folder, and any folders within those folders, for as many levels of depth as are needed. Related Sandboxie Control setting: Sandbox Settings > Recovery > Quick Recovery","title":"Recover Folder"},{"location":"Content/RecoverFolder/#recover-folder","text":"RecoverFolder is a sandbox setting in Sandboxie Ini . It specifies the sandboxed folders that Quick Recovery should examine. Shell Folders may be specified. For example: . . . [DefaultBox] RecoverFolder=%Personal% RecoverFolder=C:\\Downloads [InstallBox] RecoverFolder=D:\\Program Files The first two example settings specify that Quick Recovery from the DefaultBox sandbox should look in the Documents and the Downloads folders in drive C. The third example setting specifies that QuickRecovery from the InstallBox sandbox should look in the Program Files folder in drive D. 
Note that when Quick Recovery looks in the specified folder, it also looks in any folders within that folder, and any folders within those folders, for as many levels of depth as are needed. Related Sandboxie Control setting: Sandbox Settings > Recovery > Quick Recovery","title":"Recover Folder"},{"location":"Content/RecoverySettings/","text":"Recovery Settings \"Recovery\" Settings Group Sandboxie Control > Sandbox Settings > Recovery: While you can manually explore the contents of the sandbox and extract the files you need, Sandboxie has a Quick Recovery tool that scans particular folders and informs you if any files are available for recovery out of the sandbox. The Recovery group configures this tool. Quick Recovery Sandboxie Control > Sandbox Settings > Recovery > Quick Recovery: Use this settings page to add and remove folders that should be scanned by Sandboxie. You can also influence this setting indirectly: In Files And Folders View , by right-clicking on folder items and invoking the actions Add Folder to Quick Recovery or Remove Folder from Quick Recovery . In the Delete Sandbox or Quick Recovery windows, by clicking the Add Folder button. Related Sandboxie Ini setting: RecoverFolder . Immediate Recovery Sandboxie Control > Sandbox Settings > Recovery > Immediate Recovery: The Quick Recovery tool scans folders only when invoked, which is either explicitly, or when the sandbox is about to be deleted. Immediate Recovery is an extension which notifies you about recoverable files as soon as they are created by a sandboxed program. This behavior is usually useful and is enabled by default, but it may be disabled if so desired. It may also be desirable to keep Immediate Recovery enabled, but exclude some file types from Immediate Recovery. 
For example: You may want to receive Immediate Recovery notifications about document files saved to the (sandboxed) desktop, but not about shortcuts ( .LNK ) files that may be created on the desktop during the installation of sandboxed programs. Use this settings page to enable or disable the Immediate Recovery extension, and configure exclusions to Immediate Recovery. Related Sandboxie Ini settings: AutoRecover , AutoRecoverIgnore .","title":"Recovery Settings"},{"location":"Content/RecoverySettings/#recovery-settings","text":"","title":"Recovery Settings"},{"location":"Content/RecoverySettings/#recovery-settings-group","text":"Sandboxie Control > Sandbox Settings > Recovery: While you can manually explore the contents of the sandbox and extract the files you need, Sandboxie has a Quick Recovery tool that scans particular folders and informs you if any files are available for recovery out of the sandbox. The Recovery group configures this tool.","title":"\"Recovery\" Settings Group"},{"location":"Content/RecoverySettings/#quick-recovery","text":"Sandboxie Control > Sandbox Settings > Recovery > Quick Recovery: Use this settings page to add and remove folders that should be scanned by Sandboxie. You can also influence this setting indirectly: In Files And Folders View , by right-clicking on folder items and invoking the actions Add Folder to Quick Recovery or Remove Folder from Quick Recovery . In the Delete Sandbox or Quick Recovery windows, by clicking the Add Folder button. Related Sandboxie Ini setting: RecoverFolder .","title":"Quick Recovery"},{"location":"Content/RecoverySettings/#immediate-recovery","text":"Sandboxie Control > Sandbox Settings > Recovery > Immediate Recovery: The Quick Recovery tool scans folders only when invoked, which is either explicitly, or when the sandbox is about to be deleted. Immediate Recovery is an extension which notifies you about recoverable files as soon as they are created by a sandboxed program. 
This behavior is usually useful and is enabled by default, but it may be disabled if so desired. It may also be desirable to keep Immediate Recovery enabled, but exclude some file types from Immediate Recovery. For example: You may want to receive Immediate Recovery notifications about document files saved to the (sandboxed) desktop, but not about shortcuts ( .LNK ) files that may be created on the desktop during the installation of sandboxed programs. Use this settings page to enable or disable the Immediate Recovery extension, and configure exclusions to Immediate Recovery. Related Sandboxie Ini settings: AutoRecover , AutoRecoverIgnore .","title":"Immediate Recovery"},{"location":"Content/ResourceAccess/","text":"Resource Access In Sandboxie, various Resource Access Settings apply only to programs installed outside of Sandboxie, as not to be bypassed by sandboxed programs changing their exe name. The following table shows which settings apply to what installation locations. Outside Inside ClosedFilePath Yes Yes ClosedIpcPath Yes Yes ClosedKeyPath Yes Yes ClosedRT Yes Yes OpenClsid Yes Yes ClosedClsid Yes Yes OpenConfPath Yes Yes OpenFilePath Yes No OpenIpcPath Yes Yes OpenKeyPath Yes No OpenPipePath Yes Yes OpenWinClass Yes Yes NoRenameWinClass Yes Yes NormalFilePath Read-only Yes NormalIpcPath Read-only Yes NormalKeyPath Read-only Yes ReadFilePath Read-only No ReadIpcPath Read-only No ReadKeyPath Read-only No WriteFilePath No Yes WriteKeyPath No Yes Note that all Close...=!,... excludes only programs from outside the sandbox.","title":"Resource Access"},{"location":"Content/ResourceAccess/#resource-access","text":"In Sandboxie, various Resource Access Settings apply only to programs installed outside of Sandboxie, as not to be bypassed by sandboxed programs changing their exe name. The following table shows which settings apply to what installation locations. 
Outside Inside ClosedFilePath Yes Yes ClosedIpcPath Yes Yes ClosedKeyPath Yes Yes ClosedRT Yes Yes OpenClsid Yes Yes ClosedClsid Yes Yes OpenConfPath Yes Yes OpenFilePath Yes No OpenIpcPath Yes Yes OpenKeyPath Yes No OpenPipePath Yes Yes OpenWinClass Yes Yes NoRenameWinClass Yes Yes NormalFilePath Read-only Yes NormalIpcPath Read-only Yes NormalKeyPath Read-only Yes ReadFilePath Read-only No ReadIpcPath Read-only No ReadKeyPath Read-only No WriteFilePath No Yes WriteKeyPath No Yes Note that all Close...=!,... excludes only programs from outside the sandbox.","title":"Resource Access"},{"location":"Content/ResourceAccessMonitor/","text":"Resource Access Monitor (for Sandboxie Classic) The Resource Access Monitor tool displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie. Designed to make it easy to identify those system resources which should be excluded from sandboxing, this tool can be used with the Sandboxie Trace options. Important: Please consider to use the Resource Access Monitor before opening a new issue. Using the Monitor 1. To activate the monitor, expand or open the Sandboxie Control window, then select the File Menu -> Resource Access Monitor command. 2. You should typically activate the monitor before any programs are running in any sandbox. Note that the Resource Access Monitor window blocks access to the Sandboxie Control main window, including its menu, so you will have to start sandboxed programs through the Tray Icon Menu . 3. When the monitor is activated and its window appears on the screen, it immediately starts to collect and display resource access information from all sandboxed programs that are running. 4. At this point, perform any specific tasks that fail when done under the supervision of Sandboxie. 5. Finally, click the button labeled Copy Contents to Clipboard and Close Window . This copies the collected data into the clipboard, and de-activates the monitor. 6. 
You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis. Performance Impact When inactive, the Resource Access Monitor does not use any system resources and does not have any performance impact on any running programs. When active, the Resource Access Monitor consumes 64K bytes of system memory and has a small performance penalty on sandboxed programs. Network Administrators may want to use the MonitorAdminOnly setting to restrict the use of this tool for user accounts which are not members of the Administrators group.","title":"Resource Access Monitor (for Sandboxie Classic)"},{"location":"Content/ResourceAccessMonitor/#resource-access-monitor-for-sandboxie-classic","text":"The Resource Access Monitor tool displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie. Designed to make it easy to identify those system resources which should be excluded from sandboxing, this tool can be used with the Sandboxie Trace options. Important: Please consider to use the Resource Access Monitor before opening a new issue.","title":"Resource Access Monitor (for Sandboxie Classic)"},{"location":"Content/ResourceAccessMonitor/#using-the-monitor","text":"1. To activate the monitor, expand or open the Sandboxie Control window, then select the File Menu -> Resource Access Monitor command. 2. You should typically activate the monitor before any programs are running in any sandbox. Note that the Resource Access Monitor window blocks access to the Sandboxie Control main window, including its menu, so you will have to start sandboxed programs through the Tray Icon Menu . 3. When the monitor is activated and its window appears on the screen, it immediately starts to collect and display resource access information from all sandboxed programs that are running. 4. At this point, perform any specific tasks that fail when done under the supervision of Sandboxie. 5. 
Finally, click the button labeled Copy Contents to Clipboard and Close Window . This copies the collected data into the clipboard, and de-activates the monitor. 6. You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis.","title":"Using the Monitor"},{"location":"Content/ResourceAccessMonitor/#performance-impact","text":"When inactive, the Resource Access Monitor does not use any system resources and does not have any performance impact on any running programs. When active, the Resource Access Monitor consumes 64K bytes of system memory and has a small performance penalty on sandboxed programs. Network Administrators may want to use the MonitorAdminOnly setting to restrict the use of this tool for user accounts which are not members of the Administrators group.","title":"Performance Impact"},{"location":"Content/ResourceAccessSettings/","text":"Resource Access Settings \"Resource Access\" Settings Group Sandboxie Control > Sandbox Settings > Resource Access Programs that run in a sandbox are generally not allowed to access system resources directly. In some cases, it may be desirable to make exceptions to this rule. The settings here display and change that set of exceptions. Examples where exceptions are convenient or necessary: Allow direct access to some specific folder. For example, let the Web browser place downloads directly in a Downloads folder. See the File Access category below. A program may need access to some resource for correct operation. If the program is known and trusted, it is reasonable to make such an exception. See Known Conflicts for some examples. Configuration changes do not apply to programs that are already running sandboxed at the time the configuration is changed. To keep things simple, you are advised to make configuration changes when no programs are running in the sandbox. 
General Information Each settings page within the Resource Access group generally has the following characteristics: There is a Title for the page, for example, Direct File Acccess or Read-Only Registry Access . There is a Short Explanation describing what the setting does. There is a List of Resources that shows the resources that get a special treatment. Depending on the particular setting, it may mean that those resources will be fully accessible to sandboxed programs. Or it may mean that these resources will not be accessible at all. The Short Explanation briefly describes the relationship between those resources and the programs which access them. You should also consult the documentation below for the particular setting, to fully understand what this means. The resources in the list may apply only to a particular program. Generally, however, they apply to All Programs . There is an Add button which adds a new resource entry to the list. There is an Edit/Add (sometimes just Edit ) which edits a resource entry in the list, or adds a new resource entry to the list. There is a Remove button which removes a resource entry from the list. There is a list-box labeled The list above applies to. This list-box associates the resources with a specific program. By default, resources apply to All Programs as shown in the example above. You can select to apply resources to a specific program, by selecting that program from the list-box. You can also type the name of the specific program directly into the list-box. You can also use the Add Pgm button to select a specific program by navigating to its folder. File Access Sandboxie Control > Sandbox Settings > Resource Access > File Access This category manages the following types of resources: Files, folders, drives, and other devices. See General Information above for more information about editing resources and associating resources with particular programs. 
File Access > Direct Access Allow direct access to some file or folder, bypassing the supervision of Sandboxie. For example, if you add a folder C:\\Downloads , then a program running under Sandboxie will be able to create or update files in that folder. Note that Direct Access exclusions do not apply when the program itself resides in the sandbox. For example, suppose that you allow direct access to a C:\\Downloads folder, and then you go on to install a new Web browser into the sandbox. This new sandboxed browser will not have direct access to the C:\\Downloads folder. Related Sandboxie Ini settings: OpenFilePath File Access > Full Access Similar to Direct Access , but always applies, even if the sandboxed program itself resides in the sandbox. For better protection, you are advised to use Direct Access rather than Full Access whenever possible. Related Sandboxie Ini settings: OpenPipePath File Access > Read-Only Access This access mode excludes the effects of sandboxing on a file (or folder) resource, while allowing a program to read, but not modify, the real resource. Related Sandboxie Ini settings: ReadFilePath File Access > Write-Only Access This access mode hides all files and folders which are located within the selected folder outside the sandbox. However, programs in the sandbox can create new files within the corresponding folder in the sandbox. This setting can only be used effectively on folders. If a file is selected, the effect is the same as the Blocked Access setting (see below). Related Sandboxie Ini settings: WriteFilePath File Access > Blocked Access Deny all access to the resource, for example to a folder containing sensitive data. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for C:\\Downloads appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the folder. 
Related Sandboxie Ini settings: ClosedFilePath Registry Access Sandboxie Control > Sandbox Settings > Resource Access > Registry Access This category manages registry key resources. The registry is a mechanism provided by Windows for programs to store configuration and settings. See General Information above for more information about editing resources and associating resources with particular programs. Registry Access > Direct Access Allow direct access to a registry key resource. Note that Direct Access exclusions do not apply when the program itself resides in the sandbox. This is described in more detail in the File Access category above. Note that unlike in the File Access category, there is no Full Access access mode for registry keys. Related Sandboxie Ini settings: OpenKeyPath Registry Access > Read-Only Access This access mode excludes the effects of sandboxing on a registry key resource, while allowing a program to read, but not modify, the real resource. Related Sandboxie Ini settings: ReadKeyPath Registry Access > Write-Only Access This access mode hides all registry data which is located within the selected registry key outside the sandbox. However, programs in the sandbox can create new registry data within the corresponding folder in the sandbox. Related Sandboxie Ini settings: WriteKeyPath Registry Access > Blocked Access Deny all access to a registry key resource, for example to a key containing Windows policy settings. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for a registry key appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the registry key. Related Sandboxie Ini settings: ClosedKeyPath IPC Access Sandboxie Control > Sandbox Settings > Resource Access > IPC Access This category manages exclusions for NT IPC objects. These resources are created by programs running the system as a way to coordinate operations or otherwise communicate. 
See General Information above for more information about editing resources and associating resources with particular programs. IPC Access > Direct Access Allow direct access to an IPC object resource. Note that unlike in the File Access and Registry Access categories, Direct Access exclusions for IPC objects always apply to all sandboxed programs. Related Sandboxie Ini settings: OpenIpcPath IPC Access > Blocked Access Deny all access to an IPC object resource. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for an IPC object appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the object. This setting can be used to override default IPC Access > Direct Access settings in Sandboxie, and block the access. For example, by default Sandboxie allows sandboxed programs to access the audio device. To override this and cut off audio output by sandboxed programs, add an exclusion for \\RPC Control\\AudioSrv . Related Sandboxie Ini settings: ClosedIpcPath Window Access Sandboxie Control > Sandbox Settings > Resource Access > Window Access This category manages exclusions for window classes. These resources are primarily related to windows displayed on the screen, but can also be used by programs as a way to coordinate operations or otherwise communicate. You can specify which window classes, that were created outside the sandbox, will be available for use by sandboxed programs. See General Information above for more information about editing resources and associating resources with particular programs. Related Sandboxie Ini settings: OpenWinClass COM Access Sandboxie Control > Sandbox Settings > Resource Access > COM Access This category manages exclusions for COM classes. These resources represent objects which are used as a way to coordinate operations or otherwise communicate. 
You can specify the COM class identifiers for those COM objects that exist outside the sandbox, and which should be accessible to sandboxed programs. See General Information above for more information about editing resources and associating resources with particular programs. Related Sandboxie Ini settings: OpenClsid","title":"Resource Access Settings"},{"location":"Content/ResourceAccessSettings/#resource-access-settings","text":"","title":"Resource Access Settings"},{"location":"Content/ResourceAccessSettings/#resource-access-settings-group","text":"Sandboxie Control > Sandbox Settings > Resource Access Programs that run in a sandbox are generally not allowed to access system resources directly. In some cases, it may be desirable to make exceptions to this rule. The settings here display and change that set of exceptions. Examples where exceptions are convenient or necessary: Allow direct access to some specific folder. For example, let the Web browser place downloads directly in a Downloads folder. See the File Access category below. A program may need access to some resource for correct operation. If the program is known and trusted, it is reasonable to make such an exception. See Known Conflicts for some examples. Configuration changes do not apply to programs that are already running sandboxed at the time the configuration is changed. To keep things simple, you are advised to make configuration changes when no programs are running in the sandbox.","title":"\"Resource Access\" Settings Group"},{"location":"Content/ResourceAccessSettings/#general-information","text":"Each settings page within the Resource Access group generally has the following characteristics: There is a Title for the page, for example, Direct File Acccess or Read-Only Registry Access . There is a Short Explanation describing what the setting does. There is a List of Resources that shows the resources that get a special treatment. 
Depending on the particular setting, it may mean that those resources will be fully accessible to sandboxed programs. Or it may mean that these resources will not be accessible at all. The Short Explanation briefly describes the relationship between those resources and the programs which access them. You should also consult the documentation below for the particular setting, to fully understand what this means. The resources in the list may apply only to a particular program. Generally, however, they apply to All Programs . There is an Add button which adds a new resource entry to the list. There is an Edit/Add (sometimes just Edit ) which edits a resource entry in the list, or adds a new resource entry to the list. There is a Remove button which removes a resource entry from the list. There is a list-box labeled The list above applies to. This list-box associates the resources with a specific program. By default, resources apply to All Programs as shown in the example above. You can select to apply resources to a specific program, by selecting that program from the list-box. You can also type the name of the specific program directly into the list-box. You can also use the Add Pgm button to select a specific program by navigating to its folder.","title":"General Information"},{"location":"Content/ResourceAccessSettings/#file-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > File Access This category manages the following types of resources: Files, folders, drives, and other devices. See General Information above for more information about editing resources and associating resources with particular programs.","title":"File Access"},{"location":"Content/ResourceAccessSettings/#file-access-direct-access","text":"Allow direct access to some file or folder, bypassing the supervision of Sandboxie. For example, if you add a folder C:\\Downloads , then a program running under Sandboxie will be able to create or update files in that folder. 
Note that Direct Access exclusions do not apply when the program itself resides in the sandbox. For example, suppose that you allow direct access to a C:\\Downloads folder, and then you go on to install a new Web browser into the sandbox. This new sandboxed browser will not have direct access to the C:\\Downloads folder. Related Sandboxie Ini settings: OpenFilePath","title":"File Access > Direct Access"},{"location":"Content/ResourceAccessSettings/#file-access-full-access","text":"Similar to Direct Access , but always applies, even if the sandboxed program itself resides in the sandbox. For better protection, you are advised to use Direct Access rather than Full Access whenever possible. Related Sandboxie Ini settings: OpenPipePath","title":"File Access > Full Access"},{"location":"Content/ResourceAccessSettings/#file-access-read-only-access","text":"This access mode excludes the effects of sandboxing on a file (or folder) resource, while allowing a program to read, but not modify, the real resource. Related Sandboxie Ini settings: ReadFilePath","title":"File Access > Read-Only Access"},{"location":"Content/ResourceAccessSettings/#file-access-write-only-access","text":"This access mode hides all files and folders which are located within the selected folder outside the sandbox. However, programs in the sandbox can create new files within the corresponding folder in the sandbox. This setting can only be used effectively on folders. If a file is selected, the effect is the same as the Blocked Access setting (see below). Related Sandboxie Ini settings: WriteFilePath","title":"File Access > Write-Only Access"},{"location":"Content/ResourceAccessSettings/#file-access-blocked-access","text":"Deny all access to the resource, for example to a folder containing sensitive data. Blocked Access settings take precedence over all other resource access rules. 
For example, if an exclusion for C:\\Downloads appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the folder. Related Sandboxie Ini settings: ClosedFilePath","title":"File Access > Blocked Access"},{"location":"Content/ResourceAccessSettings/#registry-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > Registry Access This category manages registry key resources. The registry is a mechanism provided by Windows for programs to store configuration and settings. See General Information above for more information about editing resources and associating resources with particular programs.","title":"Registry Access"},{"location":"Content/ResourceAccessSettings/#registry-access-direct-access","text":"Allow direct access to a registry key resource. Note that Direct Access exclusions do not apply when the program itself resides in the sandbox. This is described in more detail in the File Access category above. Note that unlike in the File Access category, there is no Full Access access mode for registry keys. Related Sandboxie Ini settings: OpenKeyPath","title":"Registry Access > Direct Access"},{"location":"Content/ResourceAccessSettings/#registry-access-read-only-access","text":"This access mode excludes the effects of sandboxing on a registry key resource, while allowing a program to read, but not modify, the real resource. Related Sandboxie Ini settings: ReadKeyPath","title":"Registry Access > Read-Only Access"},{"location":"Content/ResourceAccessSettings/#registry-access-write-only-access","text":"This access mode hides all registry data which is located within the selected registry key outside the sandbox. However, programs in the sandbox can create new registry data within the corresponding folder in the sandbox. 
Related Sandboxie Ini settings: WriteKeyPath","title":"Registry Access > Write-Only Access"},{"location":"Content/ResourceAccessSettings/#registry-access-blocked-access","text":"Deny all access to a registry key resource, for example to a key containing Windows policy settings. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for a registry key appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the registry key. Related Sandboxie Ini settings: ClosedKeyPath","title":"Registry Access > Blocked Access"},{"location":"Content/ResourceAccessSettings/#ipc-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > IPC Access This category manages exclusions for NT IPC objects. These resources are created by programs running the system as a way to coordinate operations or otherwise communicate. See General Information above for more information about editing resources and associating resources with particular programs.","title":"IPC Access"},{"location":"Content/ResourceAccessSettings/#ipc-access-direct-access","text":"Allow direct access to an IPC object resource. Note that unlike in the File Access and Registry Access categories, Direct Access exclusions for IPC objects always apply to all sandboxed programs. Related Sandboxie Ini settings: OpenIpcPath","title":"IPC Access > Direct Access"},{"location":"Content/ResourceAccessSettings/#ipc-access-blocked-access","text":"Deny all access to an IPC object resource. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for an IPC object appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the object. This setting can be used to override default IPC Access > Direct Access settings in Sandboxie, and block the access. For example, by default Sandboxie allows sandboxed programs to access the audio device. 
To override this and cut off audio output by sandboxed programs, add an exclusion for \\RPC Control\\AudioSrv . Related Sandboxie Ini settings: ClosedIpcPath","title":"IPC Access > Blocked Access"},{"location":"Content/ResourceAccessSettings/#window-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > Window Access This category manages exclusions for window classes. These resources are primarily related to windows displayed on the screen, but can also be used by programs as a way to coordinate operations or otherwise communicate. You can specify which window classes, that were created outside the sandbox, will be available for use by sandboxed programs. See General Information above for more information about editing resources and associating resources with particular programs. Related Sandboxie Ini settings: OpenWinClass","title":"Window Access"},{"location":"Content/ResourceAccessSettings/#com-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > COM Access This category manages exclusions for COM classes. These resources represent objects which are used as a way to coordinate operations or otherwise communicate. You can specify the COM class identifiers for those COM objects that exist outside the sandbox, and which should be accessible to sandboxed programs. See General Information above for more information about editing resources and associating resources with particular programs. Related Sandboxie Ini settings: OpenClsid","title":"COM Access"},{"location":"Content/RestrictionsSettings/","text":"Restrictions Settings \"Restrictions\" Settings Group Sandboxie Control > Sandbox Settings > Restrictions Settings in this section are intended to alter the default set of restrictions that Sandboxie places on programs running in the sandbox. You can place additional restrictions on programs, to tighten the security of the sandbox. 
You can relax some of the default restrictions, which is normally not recommended, but may enable some esoteric programs to work. Internet Access Sandboxie Control > Sandbox Settings > Restrictions > Internet Access Use these settings to select which programs, if any, will be allowed to access the Internet in the sandbox. Initially, all programs in the sandbox can access the Internet. Use the Add by Name button to add a program by typing its explicit executable name. Alternatively, use the Add by File button to navigate to the program folder and select its program executable. Blocking of SMB/CIFS which you can block as well by visiting BlockPort When any restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to access the Internet. Use the Remove button to remove some program previously added to the list. The button Block All Programs prevents all programs in the sandbox from accessing the Internet. When this mode is in effect, the button changes to Allow All Programs , and when clicked, will undo the effect of blocking all programs. Issue message SBIE1307 when access is denied : When a program is restricted due to this setting, Sandboxie can issue a notification message. Use this checkbox setting to indicate whether you would like to receive these notifications. See also message SBIE1307 . You can also configure this setting in the Program Settings window. Related Sandboxie Ini settings: ClosedFilePath , Notify Internet Access Denied . Start/Run Access Sandboxie Control > Sandbox Settings > Restrictions > Start/Run Access Use these settings to select which programs, if any, will be allowed to start and run in the sandbox. Initially, all programs in the sandbox can start and run in the sandbox. Use the Add by Name button to add a program by typing its explicit executable name. Alternatively, use the Add by File button to navigate to the program folder and select its program executable. 
When any Start/Run restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to start or run. Use the Remove button to remove some program previously added to the list. The Allow All Programs has the same effect as clicking Remove on each and every entry that appears in the list. Issue message SBIE1308 when access is denied : When a program is restricted due to this setting, Sandboxie can issue a notification message. Use this checkbox setting to indicate whether you would like to receive these notifications. See also message SBIE1308 . You can also configure this setting in the Program Settings window. Related Sandboxie Ini settings: ClosedIpcPath , Notify Start Run Access Denied . Drop Rights Sandboxie Control > Sandbox Settings > Restrictions > Drop Rights The setting in this page causes Sandboxie to strip administrative rights from programs running in this sandbox. Specifically, the security credentials used to start the sandboxed program will not include membership in the Administrators and Power Users groups. Note that this has little effect if you are already running under a non-Administrator user account. Related Sandboxie Ini settings: DropAdminRights . Low-Level Access -REMOVED Hardware Access has been removed from Sandboxie v4 and up. Previous versions of Sandboxie should not be used and they may not function. Sandboxie Control > Sandbox Settings > Restrictions > Low-Level Access This category manages restrictions for several types of global operations which are restricted in some way within the sandbox. Please see the associated Sandboxie Ini settings for more information. 
Permit programs in this sandbox to load kernel mode drivers into the operating system Related Sandboxie Ini settings: BlockDrivers Permit programs in this sandbox to load application (Win32) hooks into other programs Related Sandboxie Ini settings: BlockWinHooks Permit programs in this sandbox to change desktop wallpaper and other system parameters Related Sandboxie Ini settings: BlockSysParam Permit programs in this sandbox to change user account password Related Sandboxie Ini settings: BlockPassword See also message SBIE1309 . Hardware Access -REMOVED Hardware Access has been removed from Sandboxie v4 and up. Previous versions of Sandboxie should not be used and they may not function. Sandboxie Control > Sandbox Settings > Restrictions > Hardware Access This category manages restrictions for three types of global operations which are restricted in some way within the sandbox. Please see the associated Sandboxie Ini settings for more information. Permit programs in this sandbox to simulate keyboard and mouse input Related Sandboxie Ini settings: BlockFakeInput See also message SBIE1304 . Permit programs in this sandbox to manage hardware device configuration Related Sandboxie Ini settings: Template=PlugPlay This setting permits a program to update configuration and drivers for hardware devices. You are advised to keep the hardware access settings in their default, disabled state. However, when running games or other full screen applications in the sandbox, it may be useful to permit the simulation of keyboard and mouse input.","title":"Restrictions Settings"},{"location":"Content/RestrictionsSettings/#restrictions-settings","text":"","title":"Restrictions Settings"},{"location":"Content/RestrictionsSettings/#restrictions-settings-group","text":"Sandboxie Control > Sandbox Settings > Restrictions Settings in this section are intended to alter the default set of restrictions that Sandboxie places on programs running in the sandbox. 
You can place additional restrictions on programs, to tighten the security of the sandbox. You can relax some of the default restrictions, which is normally not recommended, but may enable some esoteric programs to work.","title":"\"Restrictions\" Settings Group"},{"location":"Content/RestrictionsSettings/#internet-access","text":"Sandboxie Control > Sandbox Settings > Restrictions > Internet Access Use these settings to select which programs, if any, will be allowed to access the Internet in the sandbox. Initially, all programs in the sandbox can access the Internet. Use the Add by Name button to add a program by typing its explicit executable name. Alternatively, use the Add by File button to navigate to the program folder and select its program executable. Blocking of SMB/CIFS which you can block as well by visiting BlockPort When any restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to access the Internet. Use the Remove button to remove some program previously added to the list. The button Block All Programs prevents all programs in the sandbox from accessing the Internet. When this mode is in effect, the button changes to Allow All Programs , and when clicked, will undo the effect of blocking all programs. Issue message SBIE1307 when access is denied : When a program is restricted due to this setting, Sandboxie can issue a notification message. Use this checkbox setting to indicate whether you would like to receive these notifications. See also message SBIE1307 . You can also configure this setting in the Program Settings window. Related Sandboxie Ini settings: ClosedFilePath , Notify Internet Access Denied .","title":"Internet Access"},{"location":"Content/RestrictionsSettings/#startrun-access","text":"Sandboxie Control > Sandbox Settings > Restrictions > Start/Run Access Use these settings to select which programs, if any, will be allowed to start and run in the sandbox. 
Initially, all programs in the sandbox can start and run in the sandbox. Use the Add by Name button to add a program by typing its explicit executable name. Alternatively, use the Add by File button to navigate to the program folder and select its program executable. When any Start/Run restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to start or run. Use the Remove button to remove some program previously added to the list. The Allow All Programs has the same effect as clicking Remove on each and every entry that appears in the list. Issue message SBIE1308 when access is denied : When a program is restricted due to this setting, Sandboxie can issue a notification message. Use this checkbox setting to indicate whether you would like to receive these notifications. See also message SBIE1308 . You can also configure this setting in the Program Settings window. Related Sandboxie Ini settings: ClosedIpcPath , Notify Start Run Access Denied .","title":"Start/Run Access"},{"location":"Content/RestrictionsSettings/#drop-rights","text":"Sandboxie Control > Sandbox Settings > Restrictions > Drop Rights The setting in this page causes Sandboxie to strip administrative rights from programs running in this sandbox. Specifically, the security credentials used to start the sandboxed program will not include membership in the Administrators and Power Users groups. Note that this has little effect if you are already running under a non-Administrator user account. 
Related Sandboxie Ini settings: DropAdminRights .","title":"Drop Rights"},{"location":"Content/RestrictionsSettings/#low-level-access-removed","text":"","title":"Low-Level Access -REMOVED"},{"location":"Content/RestrictionsSettings/#hardware-access-has-been-removed-from-sandboxie-v4-and-up","text":"","title":"Hardware Access has been removed from Sandboxie v4 and up."},{"location":"Content/RestrictionsSettings/#previous-versions-of-sandboxie-should-not-be-used-and-they-may-not-function","text":"Sandboxie Control > Sandbox Settings > Restrictions > Low-Level Access This category manages restrictions for several types of global operations which are restricted in some way within the sandbox. Please see the associated Sandboxie Ini settings for more information. Permit programs in this sandbox to load kernel mode drivers into the operating system Related Sandboxie Ini settings: BlockDrivers Permit programs in this sandbox to load application (Win32) hooks into other programs Related Sandboxie Ini settings: BlockWinHooks Permit programs in this sandbox to change desktop wallpaper and other system parameters Related Sandboxie Ini settings: BlockSysParam Permit programs in this sandbox to change user account password Related Sandboxie Ini settings: BlockPassword See also message SBIE1309 .","title":"Previous versions of Sandboxie should not be used and they may not function."},{"location":"Content/RestrictionsSettings/#hardware-access-removed","text":"","title":"Hardware Access -REMOVED"},{"location":"Content/RestrictionsSettings/#hardware-access-has-been-removed-from-sandboxie-v4-and-up_1","text":"","title":"Hardware Access has been removed from Sandboxie v4 and up."},{"location":"Content/RestrictionsSettings/#previous-versions-of-sandboxie-should-not-be-used-and-they-may-not-function_1","text":"Sandboxie Control > Sandbox Settings > Restrictions > Hardware Access This category manages restrictions for three types of global operations which are restricted in some way 
within the sandbox. Please see the associated Sandboxie Ini settings for more information. Permit programs in this sandbox to simulate keyboard and mouse input Related Sandboxie Ini settings: BlockFakeInput See also message SBIE1304 . Permit programs in this sandbox to manage hardware device configuration Related Sandboxie Ini settings: Template=PlugPlay This setting permits a program to update configuration and drivers for hardware devices. You are advised to keep the hardware access settings in their default, disabled state. However, when running games or other full screen applications in the sandbox, it may be useful to permit the simulation of keyboard and mouse input.","title":"Previous versions of Sandboxie should not be used and they may not function."},{"location":"Content/SBIE1101/","text":"SBIE1101 Message: SBIE1101 Sandboxie driver (SbieDrv) version x.yy initialized Logged To: System Event Log Explanation: The driver component of Sandboxie has been successfully initialized. This message is typically logged at some point during the system start-up sequence, once the driver component has started. The message will also be logged after a successful Sandboxie installation, which causes the driver to start or restart.","title":"SBIE1101"},{"location":"Content/SBIE1101/#sbie1101","text":"Message: SBIE1101 Sandboxie driver (SbieDrv) version x.yy initialized Logged To: System Event Log Explanation: The driver component of Sandboxie has been successfully initialized. This message is typically logged at some point during the system start-up sequence, once the driver component has started. The message will also be logged after a successful Sandboxie installation, which causes the driver to start or restart.","title":"SBIE1101"},{"location":"Content/SBIE1102/","text":"SBIE1102 Message: SBIE1102 Sandboxie driver (SbieDrv) unloading Logged To: System Event Log Explanation: The driver component of Sandboxie has stopped. 
This message is typically logged when Sandboxie is upgraded or uninstalled.","title":"SBIE1102"},{"location":"Content/SBIE1102/#sbie1102","text":"Message: SBIE1102 Sandboxie driver (SbieDrv) unloading Logged To: System Event Log Explanation: The driver component of Sandboxie has stopped. This message is typically logged when Sandboxie is upgraded or uninstalled.","title":"SBIE1102"},{"location":"Content/SBIE1103/","text":"SBIE1103 Message: SBIE1103 Sandboxie driver (SbieDrv) version x.yy failed to start Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization due to some error or incompatibility. This message does not specify the cause of the failure. To identify the cause of the failure, examine the Event Log for any other SBIExxxx messages that precede message SBIE1103.","title":"SBIE1103"},{"location":"Content/SBIE1103/#sbie1103","text":"Message: SBIE1103 Sandboxie driver (SbieDrv) version x.yy failed to start Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization due to some error or incompatibility. This message does not specify the cause of the failure. To identify the cause of the failure, examine the Event Log for any other SBIExxxx messages that precede message SBIE1103.","title":"SBIE1103"},{"location":"Content/SBIE1104/","text":"SBIE1104 Message: SBIE1104 Insufficient system resources to complete initialization Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. The cause of the failure is insufficient system resources, typically memory. This message is followed by message SBIE1103 .","title":"SBIE1104"},{"location":"Content/SBIE1104/#sbie1104","text":"Message: SBIE1104 Insufficient system resources to complete initialization Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. 
The cause of the failure is insufficient system resources, typically memory. This message is followed by message SBIE1103 .","title":"SBIE1104"},{"location":"Content/SBIE1105/","text":"SBIE1105 Message: SBIE1105 Unknown operating system version: x.yy Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. The driver component integrates into the core of the operating system (also called the kernel). For this integration to work seamlessly, the driver must recognize the operating system. This message indicates the driver did not recognize the operating system. This message is followed by message SBIE1103 .","title":"SBIE1105"},{"location":"Content/SBIE1105/#sbie1105","text":"Message: SBIE1105 Unknown operating system version: x.yy Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. The driver component integrates into the core of the operating system (also called the kernel). For this integration to work seamlessly, the driver must recognize the operating system. This message indicates the driver did not recognize the operating system. This message is followed by message SBIE1103 .","title":"SBIE1105"},{"location":"Content/SBIE1106/","text":"SBIE1106 Message: SBIE1106 error [ ntstatus / yy] , detail zzz Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This messages indicates the driver experienced an error while trying to determine the installation folder for Sandboxie. The particular problem depends on the yy value in the message. When yy = 11, there was a problem accessing the following registry key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SbieDrv When yy = 22 or 33, there was a problem querying the value ImagePath from the registry key noted above. When yy = 44, there was not enough memory to complete the operation. 
When yy = 55 or 66 or 77, there was some problem accessing the folder specified in the value of ImagePath from the registry key noted above. This message is followed by message SBIE1103 .","title":"SBIE1106"},{"location":"Content/SBIE1106/#sbie1106","text":"Message: SBIE1106 error [ ntstatus / yy] , detail zzz Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This messages indicates the driver experienced an error while trying to determine the installation folder for Sandboxie. The particular problem depends on the yy value in the message. When yy = 11, there was a problem accessing the following registry key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SbieDrv When yy = 22 or 33, there was a problem querying the value ImagePath from the registry key noted above. When yy = 44, there was not enough memory to complete the operation. When yy = 55 or 66 or 77, there was some problem accessing the folder specified in the value of ImagePath from the registry key noted above. This message is followed by message SBIE1103 .","title":"SBIE1106"},{"location":"Content/SBIE1108/","text":"SBIE1108 Message: SBIE1108 Procedure name could not be analyzed Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This messages indicates the driver was unable to locate the specified procedure in the operating system kernel. This message is followed by message SBIE1103 .","title":"SBIE1108"},{"location":"Content/SBIE1108/#sbie1108","text":"Message: SBIE1108 Procedure name could not be analyzed Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This messages indicates the driver was unable to locate the specified procedure in the operating system kernel. 
This message is followed by message SBIE1103 .","title":"SBIE1108"},{"location":"Content/SBIE1109/","text":"SBIE1109 Message: SBIE1109 Invalid license information: [ ntstatus / yy] Logged To: System Event Log Explanation: Sandboxie was unable to read or verify the license/registration information. Sandboxie will start in unregistered mode.","title":"SBIE1109"},{"location":"Content/SBIE1109/#sbie1109","text":"Message: SBIE1109 Invalid license information: [ ntstatus / yy] Logged To: System Event Log Explanation: Sandboxie was unable to read or verify the license/registration information. Sandboxie will start in unregistered mode.","title":"SBIE1109"},{"location":"Content/SBIE1110/","text":"SBIE1110 Message: SBIE1110 Cannot intercept type name , error [ ntstatus / yy] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to integrate into the operating system. This message is followed by message SBIE1103 .","title":"SBIE1110"},{"location":"Content/SBIE1110/#sbie1110","text":"Message: SBIE1110 Cannot intercept type name , error [ ntstatus / yy] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to integrate into the operating system. This message is followed by message SBIE1103 .","title":"SBIE1110"},{"location":"Content/SBIE1111/","text":"SBIE1111 Message: SBIE1111 System DLL name could not be loaded [ ntstatus / yy] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to load the specified system DLL. 
This message is followed by message SBIE1103 .","title":"SBIE1111"},{"location":"Content/SBIE1111/#sbie1111","text":"Message: SBIE1111 System DLL name could not be loaded [ ntstatus / yy] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to load the specified system DLL. This message is followed by message SBIE1103 .","title":"SBIE1111"},{"location":"Content/SBIE1112/","text":"SBIE1112 Message: SBIE1112 Procedure name could not be located Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find the specified procedure in one of the system DLLs. This message is followed by message SBIE1103 .","title":"SBIE1112"},{"location":"Content/SBIE1112/#sbie1112","text":"Message: SBIE1112 Procedure name could not be located Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find the specified procedure in one of the system DLLs. This message is followed by message SBIE1103 .","title":"SBIE1112"},{"location":"Content/SBIE1113/","text":"SBIE1113 Message: SBIE1113 Cannot find Nt system service, reason xx Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find some system procedure. This message is followed by message SBIE1108 , which specifies the related procedure name.","title":"SBIE1113"},{"location":"Content/SBIE1113/#sbie1113","text":"Message: SBIE1113 Cannot find Nt system service, reason xx Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find some system procedure. 
This message is followed by message SBIE1108 , which specifies the related procedure name.","title":"SBIE1113"},{"location":"Content/SBIE1114/","text":"SBIE1114 Message: SBIE1114 Cannot find Zw system service, reason xx Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find some system procedure. This message is followed by message SBIE1108 , which specifies the related procedure name. Note: Reason code 36 can appear on 64-bit Windows, when the Windows built-in Driver Verifier is enabled for the Sandboxie driver SbieDrv .","title":"SBIE1114"},{"location":"Content/SBIE1114/#sbie1114","text":"Message: SBIE1114 Cannot find Zw system service, reason xx Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find some system procedure. This message is followed by message SBIE1108 , which specifies the related procedure name. Note: Reason code 36 can appear on 64-bit Windows, when the Windows built-in Driver Verifier is enabled for the Sandboxie driver SbieDrv .","title":"SBIE1114"},{"location":"Content/SBIE1116/","text":"SBIE1116 Message: SBIE1116 Driver failed to register process notification routine [ ntstatus / yy ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie asked the system to provide notifications when processes (applications) start and stop, but the system was not able to accommodate this request. In technical terms, Sandboxie is asking to register a process notification routine, and this request has failed. Errors [C000000D / 11] and [C000009A / 22] Typically the message is issued with the error detail [C000000D / 11] or [C000009A / 22]. This indicates that a number of other security products have already registered such process notification routines. 
The system will only register a limited number of these routines. In this case, the problem may be resolved by uninstalling some other security product, to make room, so to speak, for Sandboxie. Please see Microsoft's hotfix for this issue: https://support.microsoft.com/kb/2922790 This message is followed by message SBIE1103 .","title":"SBIE1116"},{"location":"Content/SBIE1116/#sbie1116","text":"Message: SBIE1116 Driver failed to register process notification routine [ ntstatus / yy ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie asked the system to provide notifications when processes (applications) start and stop, but the system was not able to accommodate this request. In technical terms, Sandboxie is asking to register a process notification routine, and this request has failed. Errors [C000000D / 11] and [C000009A / 22] Typically the message is issued with the error detail [C000000D / 11] or [C000009A / 22]. This indicates that a number of other security products have already registered such process notification routines. The system will only register a limited number of these routines. In this case, the problem may be resolved by uninstalling some other security product, to make room, so to speak, for Sandboxie. Please see Microsoft's hotfix for this issue: https://support.microsoft.com/kb/2922790 This message is followed by message SBIE1103 .","title":"SBIE1116"},{"location":"Content/SBIE1119/","text":"SBIE1119 Message: SBIE1119 Cannot create API device [ ntstatus ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message is issued when the internal logical device object which is used to control Sandboxie could not be created. 
This message is followed by message SBIE1103 .","title":"SBIE1119"},{"location":"Content/SBIE1119/#sbie1119","text":"Message: SBIE1119 Cannot create API device [ ntstatus ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message is issued when the internal logical device object which is used to control Sandboxie could not be created. This message is followed by message SBIE1103 .","title":"SBIE1119"},{"location":"Content/SBIE1120/","text":"SBIE1120 Message: SBIE1120 Mismatch in service name Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not identify the system service specified by name . This message is followed by message SBIE1103 .","title":"SBIE1120"},{"location":"Content/SBIE1120/#sbie1120","text":"Message: SBIE1120 Mismatch in service name Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not identify the system service specified by name . This message is followed by message SBIE1103 .","title":"SBIE1120"},{"location":"Content/SBIE1121/","text":"SBIE1121 Message: SBIE1121 Hook failed for service name Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not intercept and extend the system service specified by name . This message is followed by message SBIE1103 .","title":"SBIE1121"},{"location":"Content/SBIE1121/#sbie1121","text":"Message: SBIE1121 Hook failed for service name Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not intercept and extend the system service specified by name . 
This message is followed by message SBIE1103 .","title":"SBIE1121"},{"location":"Content/SBIE1122/","text":"SBIE1122 Message: SBIE1122 Error: [ ntstatus ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not intercept and extend some system service. This message is followed by message SBIE1121 , which specifies the name of the system service for which the error occurred.","title":"SBIE1122"},{"location":"Content/SBIE1122/#sbie1122","text":"Message: SBIE1122 Error: [ ntstatus ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not intercept and extend some system service. This message is followed by message SBIE1121 , which specifies the name of the system service for which the error occurred.","title":"SBIE1122"},{"location":"Content/SBIE1151/","text":"SBIE1151 Message: SBIE1151 Cannot handle instruction [ detail ] Logged To: System Event Log and Popup Message Log . Explanation: Sandboxie attempted to analyze instructions of executable code, and detected an unknown sequence. No further information is available.","title":"SBIE1151"},{"location":"Content/SBIE1151/#sbie1151","text":"Message: SBIE1151 Cannot handle instruction [ detail ] Logged To: System Event Log and Popup Message Log . Explanation: Sandboxie attempted to analyze instructions of executable code, and detected an unknown sequence. No further information is available.","title":"SBIE1151"},{"location":"Content/SBIE1152/","text":"SBIE1152 Message: SBIE1152 Trampoline allocation failed [ ntstatus / yy] Logged To: System Event Log and Popup Message Log . Explanation: Sandboxie could not allocate some memory.","title":"SBIE1152"},{"location":"Content/SBIE1152/#sbie1152","text":"Message: SBIE1152 Trampoline allocation failed [ ntstatus / yy] Logged To: System Event Log and Popup Message Log . 
Explanation: Sandboxie could not allocate some memory.","title":"SBIE1152"},{"location":"Content/SBIE1153/","text":"SBIE1153 Message: SBIE1153 Sandboxie initialization failed. Close all programs and then re-install Sandboxie OR restart your computer. Logged To: System Event Log and Popup Message Log . Explanation: The driver component of Sandboxie completed its first phase of initialization, but failed during the second phase of initialization. The driver remains loaded in the system, but is disabled. You may try to resolve the problem by re-installing Sandboxie, which stops the driver and starts a new instance of the driver. Alternatively, you may restart your computer. In some cases this problem occurs due to some conflict with third-party security software.","title":"SBIE1153"},{"location":"Content/SBIE1153/#sbie1153","text":"Message: SBIE1153 Sandboxie initialization failed. Close all programs and then re-install Sandboxie OR restart your computer. Logged To: System Event Log and Popup Message Log . Explanation: The driver component of Sandboxie completed its first phase of initialization, but failed during the second phase of initialization. The driver remains loaded in the system, but is disabled. You may try to resolve the problem by re-installing Sandboxie, which stops the driver and starts a new instance of the driver. Alternatively, you may restart your computer. In some cases this problem occurs due to some conflict with third-party security software.","title":"SBIE1153"},{"location":"Content/SBIE1201/","text":"SBIE1201 Message: SBIE1201 Not enough memory Logged To: Popup Message Log . Explanation: There was insufficient memory to complete some requested operation. The operation fails.","title":"SBIE1201"},{"location":"Content/SBIE1201/#sbie1201","text":"Message: SBIE1201 Not enough memory Logged To: Popup Message Log . Explanation: There was insufficient memory to complete some requested operation. 
The operation fails.","title":"SBIE1201"},{"location":"Content/SBIE1202/","text":"SBIE1202 Message: SBIE1202 Cannot update license information: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while recording your license/registration information.","title":"SBIE1202"},{"location":"Content/SBIE1202/#sbie1202","text":"Message: SBIE1202 Cannot update license information: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while recording your license/registration information.","title":"SBIE1202"},{"location":"Content/SBIE1203/","text":"SBIE1203 Message: SBIE1203 Cannot build path list (error in name ) Logged To: Popup Message Log . Explanation: Whenever a program starts in the sandbox, Sandboxie applies configuration settings from the Sandboxie Ini file to that program. This error message indicates a problem has occurred while preparing the configuration settings for name . name can be OpenFilePath , OpenPipePath , ClosedFilePath , ReadFilePath , OpenKeyPath , ClosedKeyPath , ReadKeyPath , OpenIpcPath , ClosedIpcPath , or OpenWinClass . This message is similar to message SBIE2317 .","title":"SBIE1203"},{"location":"Content/SBIE1203/#sbie1203","text":"Message: SBIE1203 Cannot build path list (error in name ) Logged To: Popup Message Log . Explanation: Whenever a program starts in the sandbox, Sandboxie applies configuration settings from the Sandboxie Ini file to that program. This error message indicates a problem has occurred while preparing the configuration settings for name . name can be OpenFilePath , OpenPipePath , ClosedFilePath , ReadFilePath , OpenKeyPath , ClosedKeyPath , ReadKeyPath , OpenIpcPath , ClosedIpcPath , or OpenWinClass . This message is similar to message SBIE2317 .","title":"SBIE1203"},{"location":"Content/SBIE1204/","text":"SBIE1204 Message: SBIE1204 Sandbox creation failed for name__[xxxxxxxx / yy] Logged To: Popup Message Log . 
Explanation: Whenever a program starts in a sandbox, Sandboxie should initialize this program with some data and information related to the sandbox in which the program runs. This message indicates that some error has occurred during this initialization.","title":"SBIE1204"},{"location":"Content/SBIE1204/#sbie1204","text":"Message: SBIE1204 Sandbox creation failed for name__[xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Whenever a program starts in a sandbox, Sandboxie should initialize this program with some data and information related to the sandbox in which the program runs. This message indicates that some error has occurred during this initialization.","title":"SBIE1204"},{"location":"Content/SBIE1211/","text":"SBIE1211 Message: SBIE1211 Could not initiate sandboxing for process name Logged To: Popup Message Log . Explanation: Whenever a program starts in a sandbox, Sandboxie has to complete a series of initialization steps which prepare the program to run successfully in the sandbox. This message indicates that one or more of these steps have failed. This is a summary message, and it follows one or more other error messages which indicate the precise cause of the error.","title":"SBIE1211"},{"location":"Content/SBIE1211/#sbie1211","text":"Message: SBIE1211 Could not initiate sandboxing for process name Logged To: Popup Message Log . Explanation: Whenever a program starts in a sandbox, Sandboxie has to complete a series of initialization steps which prepare the program to run successfully in the sandbox. This message indicates that one or more of these steps have failed. This is a summary message, and it follows one or more other error messages which indicate the precise cause of the error.","title":"SBIE1211"},{"location":"Content/SBIE1212/","text":"SBIE1212 Message: SBIE1212 Cannot create directory path__[xxxxxxxx] Logged To: Popup Message Log . 
Explanation: Sandboxie experienced an error while trying to create the sandbox folder identified by path . To change the location of the sandbox folder, use Sandbox Menu -> Set Container Folder or manually edit the FileRootPath configuration setting.","title":"SBIE1212"},{"location":"Content/SBIE1212/#sbie1212","text":"Message: SBIE1212 Cannot create directory path__[xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie experienced an error while trying to create the sandbox folder identified by path . To change the location of the sandbox folder, use Sandbox Menu -> Set Container Folder or manually edit the FileRootPath configuration setting.","title":"SBIE1212"},{"location":"Content/SBIE1213/","text":"SBIE1213 Message: SBIE1213 Cannot create object directory path__[xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie experienced an error while trying to create the sandbox object directory identified by path .","title":"SBIE1213"},{"location":"Content/SBIE1213/#sbie1213","text":"Message: SBIE1213 Cannot create object directory path__[xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie experienced an error while trying to create the sandbox object directory identified by path .","title":"SBIE1213"},{"location":"Content/SBIE1214/","text":"SBIE1214 OBSOLETE Message: SBIE1214 Cannot inject SbieDll [xxxxxxxx] Logged To: Popup Message Log . Explanation: The Sandboxie driver component was not able to inject (load) the Sandboxie DLL component into a sandboxed program that was started in the sandbox. This error rarely occurs, but when it does, it is typically for very small programs or for very large and complicated programs. In either case, it may be possible to work around this error by compressing the program executable file using UPX .","title":"SBIE1214"},{"location":"Content/SBIE1214/#sbie1214","text":"OBSOLETE Message: SBIE1214 Cannot inject SbieDll [xxxxxxxx] Logged To: Popup Message Log . 
Explanation: The Sandboxie driver component was not able to inject (load) the Sandboxie DLL component into a sandboxed program that was started in the sandbox. This error rarely occurs, but when it does, it is typically for very small programs or for very large and complicated programs. In either case, it may be possible to work around this error by compressing the program executable file using UPX .","title":"SBIE1214"},{"location":"Content/SBIE1215/","text":"SBIE1215 OBSOLETE Message: SBIE1215 Cannot resolve path to process image [xxxxxxxx] Logged To: Popup Message Log . Explanation: Some error has prohibited Sandboxie from identifying the full path to a program that was started in the sandbox. Sandboxie requires the full path in order to identify if the program is installed inside or outside the sandbox. This distinction has an effect on settings such as OpenFilePath (compare with OpenPipePath ), ClosedFilePath , ClosedKeyPath and ClosedIpcPath .","title":"SBIE1215"},{"location":"Content/SBIE1215/#sbie1215","text":"OBSOLETE Message: SBIE1215 Cannot resolve path to process image [xxxxxxxx] Logged To: Popup Message Log . Explanation: Some error has prohibited Sandboxie from identifying the full path to a program that was started in the sandbox. Sandboxie requires the full path in order to identify if the program is installed inside or outside the sandbox. This distinction has an effect on settings such as OpenFilePath (compare with OpenPipePath ), ClosedFilePath , ClosedKeyPath and ClosedIpcPath .","title":"SBIE1215"},{"location":"Content/SBIE1216/","text":"SBIE1216 OBSOLETE Message: SBIE1216 Could not query security ID [xxxxxxxx] Logged To: Popup Message Log . Explanation: Some error has prohibited Sandboxie from identifying the security ID (the SID) for a program that was started in the sandbox.","title":"SBIE1216"},{"location":"Content/SBIE1216/#sbie1216","text":"OBSOLETE Message: SBIE1216 Could not query security ID [xxxxxxxx] Logged To: Popup Message Log . 
Explanation: Some error has prohibited Sandboxie from identifying the security ID (the SID) for a program that was started in the sandbox.","title":"SBIE1216"},{"location":"Content/SBIE1222/","text":"SBIE1222 Message: SBIE1222 Cannot restrict token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while removing some privileges from a security token.","title":"SBIE1222"},{"location":"Content/SBIE1222/#sbie1222","text":"Message: SBIE1222 Cannot restrict token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while removing some privileges from a security token.","title":"SBIE1222"},{"location":"Content/SBIE1223/","text":"SBIE1223 Message: SBIE1223 Cannot replace token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while replacing the original security token of a program with a security token that has less privileges.","title":"SBIE1223"},{"location":"Content/SBIE1223/#sbie1223","text":"Message: SBIE1223 Cannot replace token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while replacing the original security token of a program with a security token that has less privileges.","title":"SBIE1223"},{"location":"Content/SBIE1224/","text":"SBIE1224 Message: SBIE1224 Cannot query token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while querying information from a security token.","title":"SBIE1224"},{"location":"Content/SBIE1224/#sbie1224","text":"Message: SBIE1224 Cannot query token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while querying information from a security token.","title":"SBIE1224"},{"location":"Content/SBIE1241/","text":"SBIE1241 Message: SBIE1241 Cannot mount registry hive: [xxxxxxxx / yy] Logged To: Popup Message Log . 
Explanation: When a sandboxed program starts, Sandboxie may need to prepare the sandboxed registry for that sandbox. Sandboxie will load the registry hive file into the system. This error message indicates a problem has occurred and the registry hive file was not loaded. If yy is 11, the KeyRootPath setting may be improperly set, causing more than one sandbox to use the same registry location (or registry key). If yy is 22, the registry hive file may be corrupt, or the drive containing the registry hive file (and its associated sandbox) may be full. If yy is 33, the FileRootPath setting may be improperly set, causing more than one sandbox to use the same registry hive file.","title":"SBIE1241"},{"location":"Content/SBIE1241/#sbie1241","text":"Message: SBIE1241 Cannot mount registry hive: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: When a sandboxed program starts, Sandboxie may need to prepare the sandboxed registry for that sandbox. Sandboxie will load the registry hive file into the system. This error message indicates a problem has occurred and the registry hive file was not loaded. If yy is 11, the KeyRootPath setting may be improperly set, causing more than one sandbox to use the same registry location (or registry key). If yy is 22, the registry hive file may be corrupt, or the drive containing the registry hive file (and its associated sandbox) may be full. If yy is 33, the FileRootPath setting may be improperly set, causing more than one sandbox to use the same registry hive file.","title":"SBIE1241"},{"location":"Content/SBIE1242/","text":"SBIE1242 OBSOLETE SINCE 0.9.0 / 5.51.0 Message: SBIE1242 Monitor buffer overflow Logged To: Popup Message Log . Explanation: When enabled, the Resource Access Monitor component of Sandboxie records every access attempt by a sandboxed program to some system resource. The name and type of the resource are stored in a \"monitor buffer\". The monitor buffer uses only 64KB of memory. 
Because of the small size of the monitor buffer, it can keep only a limited number of access attempts at the same time. This error indicates the Resource Access Monitor detected more attempts to access resources than the monitor buffer can handle. Effectively, this means that some resource accesses will not be displayed by the Resource Access Monitor. This may or may not be important. A possible solution is to lower the priority level of the sandboxed program, or, in the case of a multiple-processor system, restrict it to just one processor. This would ideally reduce the number of resource accesses that the program can carry out at once.","title":"SBIE1242"},{"location":"Content/SBIE1242/#sbie1242","text":"OBSOLETE SINCE 0.9.0 / 5.51.0 Message: SBIE1242 Monitor buffer overflow Logged To: Popup Message Log . Explanation: When enabled, the Resource Access Monitor component of Sandboxie records every access attempt by a sandboxed program to some system resource. The name and type of the resource are stored in a \"monitor buffer\". The monitor buffer uses only 64KB of memory. Because of the small size of the monitor buffer, it can keep only a limited number of access attempts at the same time. This error indicates the Resource Access Monitor detected more attempts to access resources than the monitor buffer can handle. Effectively, this means that some resource accesses will not be displayed by the Resource Access Monitor. This may or may not be important. A possible solution is to lower the priority level of the sandboxed program, or, in the case of a multiple-processor system, restrict it to just one processor. This would ideally reduce the number of resource accesses that the program can carry out at once.","title":"SBIE1242"},{"location":"Content/SBIE1301/","text":"SBIE1301 Message: SBIE1301 Program program.exe was launched outside of the sandbox Logged To: Popup Message Log . Explanation: This is an informational/warning message. 
This message appears when a Program Alert has been started outside the supervision of Sandboxie. This message also appears when a Forced Program (or a program from a Forced Folder ) has been started, while the Disable Forced Programs mode is in effect. For configuration of Program Alerts , see: Configure Menu -> Program Alerts Program Settings For configuration of Forced Programs , see: SandboxSettings > Forced Programs SandboxSettings > Forced Folders Program Settings","title":"SBIE1301"},{"location":"Content/SBIE1301/#sbie1301","text":"Message: SBIE1301 Program program.exe was launched outside of the sandbox Logged To: Popup Message Log . Explanation: This is an informational/warning message. This message appears when a Program Alert has been started outside the supervision of Sandboxie. This message also appears when a Forced Program (or a program from a Forced Folder ) has been started, while the Disable Forced Programs mode is in effect. For configuration of Program Alerts , see: Configure Menu -> Program Alerts Program Settings For configuration of Forced Programs , see: SandboxSettings > Forced Programs SandboxSettings > Forced Folders Program Settings","title":"SBIE1301"},{"location":"Content/SBIE1303/","text":"SBIE1303 OBSOLETE Message: SBIE1303 Only one sandbox can be active at a time Logged To: Popup Message Log . Explanation: This error message appeared in the unregistered version of Sandboxie when programs were started in more than one sandbox at the same time. The unregistered version was limited in that it can only run programs in one sandbox at a time. This limitation is no longer present since Sandboxie 5.31.4.","title":"SBIE1303"},{"location":"Content/SBIE1303/#sbie1303","text":"OBSOLETE Message: SBIE1303 Only one sandbox can be active at a time Logged To: Popup Message Log . Explanation: This error message appeared in the unregistered version of Sandboxie when programs were started in more than one sandbox at the same time. 
The unregistered version was limited in that it can only run programs in one sandbox at a time. This limitation is no longer present since Sandboxie 5.31.4.","title":"SBIE1303"},{"location":"Content/SBIE1304/","text":"SBIE1304 OBSOLETE Message: SBIE1304 Blocked simulated keyboard or mouse input by process program.exe Logged To: Popup Message Log . Explanation: This warning message appeared when a sandboxed program had simulated keyboard or mouse action which would have been received by a window running in another sandbox or outside any sandboxes. As a result, the keyboard or mouse action was discarded. The point of this protection was to block a scenario where a malicious program running in a sandbox managed to circumvent Sandboxie by communicating with programs outside Sandboxie, such as the Windows Explorer. The malicious program could simulate keyboard actions that would instruct Windows Explorer to navigate into the sandbox and launch a malicious program. Games and Full Screen Applications: Sometimes this message was issued while launching a game or an application. In that case the message was not an indication of malicious activity, and it was safe to hide message SBIE1304, or to disable this protection. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access Related Sandboxie Ini setting: BlockFakeInput .","title":"SBIE1304"},{"location":"Content/SBIE1304/#sbie1304","text":"OBSOLETE Message: SBIE1304 Blocked simulated keyboard or mouse input by process program.exe Logged To: Popup Message Log . Explanation: This warning message appeared when a sandboxed program had simulated keyboard or mouse action which would have been received by a window running in another sandbox or outside any sandboxes. As a result, the keyboard or mouse action was discarded. 
The point of this protection was to block a scenario where a malicious program running in a sandbox managed to circumvent Sandboxie by communicating with programs outside Sandboxie, such as the Windows Explorer. The malicious program could simulate keyboard actions that would instruct Windows Explorer to navigate into the sandbox and launch a malicious program. Games and Full Screen Applications: Sometimes this message was issued while launching a game or an application. In that case the message was not an indication of malicious activity, and it was safe to hide message SBIE1304, or to disable this protection. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access Related Sandboxie Ini setting: BlockFakeInput .","title":"SBIE1304"},{"location":"Content/SBIE1306/","text":"SBIE1306 Message: SBIE1306 Sandboxie driver (SbieDrv) cannot be unloaded now Logged To: Popup Message Log . Explanation: The Sandboxie driver component is in use and cannot be unloaded at this time. Note that the Sandboxie driver component does not respond to the standard, generic \"Stop Service\" request, until a Sandboxie-specific \"Prepare to Stop\" request has been issued. The Sandboxie-specific request may fail if the driver is in use by any other program at the time the request is issued. If the Sandboxie-specific request succeeds, the driver component disables itself, and waits for the generic \"Stop Service\" request before it is unloaded from memory. Note also that the driver component does not honor stop requests from a program that is running under the supervision of Sandboxie.","title":"SBIE1306"},{"location":"Content/SBIE1306/#sbie1306","text":"Message: SBIE1306 Sandboxie driver (SbieDrv) cannot be unloaded now Logged To: Popup Message Log . Explanation: The Sandboxie driver component is in use and cannot be unloaded at this time. 
Note that the Sandboxie driver component does not respond to the standard, generic \"Stop Service\" request, until a Sandboxie-specific \"Prepare to Stop\" request has been issued. The Sandboxie-specific request may fail if the driver is in use by any other program at the time the request is issued. If the Sandboxie-specific request succeeds, the driver component disables itself, and waits for the generic \"Stop Service\" request before it is unloaded from memory. Note also that the driver component does not honor stop requests from a program that is running under the supervision of Sandboxie.","title":"SBIE1306"},{"location":"Content/SBIE1307/","text":"SBIE1307 Message: SBIE1307 Program cannot access the Internet due to restrictions - program.exe Logged To: Popup Message Log . Explanation: Internet Access restrictions are in effect for the sandbox in which the program is running. The program is prohibited from accessing the Internet. This message is issued just once for any running sandboxed program. Related Sandboxie Control setting: Sandbox Settings > Restrictions Settings > Internet Access Related Sandboxie Ini settings: ClosedFilePath , NotifyInternetAccessDenied .","title":"SBIE1307"},{"location":"Content/SBIE1307/#sbie1307","text":"Message: SBIE1307 Program cannot access the Internet due to restrictions - program.exe Logged To: Popup Message Log . Explanation: Internet Access restrictions are in effect for the sandbox in which the program is running. The program is prohibited from accessing the Internet. This message is issued just once for any running sandboxed program. Related Sandboxie Control setting: Sandbox Settings > Restrictions Settings > Internet Access Related Sandboxie Ini settings: ClosedFilePath , NotifyInternetAccessDenied .","title":"SBIE1307"},{"location":"Content/SBIE1308/","text":"SBIE1308 Message: SBIE1308 Program cannot start due to restrictions - program.exe Logged To: Popup Message Log . 
Explanation: Start/Run restrictions are in effect for the sandbox in which the program is running. The program is prohibited from starting or running. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Ini settings: ClosedIpcPath , NotifyStartRunAccessDenied .","title":"SBIE1308"},{"location":"Content/SBIE1308/#sbie1308","text":"Message: SBIE1308 Program cannot start due to restrictions - program.exe Logged To: Popup Message Log . Explanation: Start/Run restrictions are in effect for the sandbox in which the program is running. The program is prohibited from starting or running. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Ini settings: ClosedIpcPath , NotifyStartRunAccessDenied .","title":"SBIE1308"},{"location":"Content/SBIE1309/","text":"SBIE1309 OBSOLETE Message: SBIE1311 Blocked request to change desktop wallpaper by process program.exe Logged To: Popup Message Log . Explanation: Sandboxie detected that a program issued a request to change the desktop wallpaper, and blocked the request. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini settings: BlockSysParam .","title":"SBIE1309"},{"location":"Content/SBIE1309/#sbie1309","text":"OBSOLETE Message: SBIE1311 Blocked request to change desktop wallpaper by process program.exe Logged To: Popup Message Log . Explanation: Sandboxie detected that a program issued a request to change the desktop wallpaper, and blocked the request. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini settings: BlockSysParam .","title":"SBIE1309"},{"location":"Content/SBIE1310/","text":"SBIE1310 OBSOLETE Message: SBIE1310 Extended features are disabled until the license is reactivated Logged To: Popup Message Log . 
Explanation: This message indicated that the license had expired before Sandboxie became a free software in version 5.31.4. The FAQ Licensing page listed those extra features that were available only in the registered versions of Sandboxie. To renew your license, invoke the Sandboxie License Manager: Open Sandboxie Control . You can find it in your Windows Start menu, under the Sandboxie program group. Then, select the Help Menu and invoke the Register Sandboxie command. Please see Sandboxie is now an open source tool for more information.","title":"SBIE1310"},{"location":"Content/SBIE1310/#sbie1310","text":"OBSOLETE Message: SBIE1310 Extended features are disabled until the license is reactivated Logged To: Popup Message Log . Explanation: This message indicated that the license had expired before Sandboxie became a free software in version 5.31.4. The FAQ Licensing page listed those extra features that were available only in the registered versions of Sandboxie. To renew your license, invoke the Sandboxie License Manager: Open Sandboxie Control . You can find it in your Windows Start menu, under the Sandboxie program group. Then, select the Help Menu and invoke the Register Sandboxie command. Please see Sandboxie is now an open source tool for more information.","title":"SBIE1310"},{"location":"Content/SBIE1311/","text":"SBIE1311 OBSOLETE Message: SBIE1311 Blocked request to change desktop wallpaper by process program.exe Logged To: Popup Message Log . Explanation: Sandboxie detected that a program issued a request to change the desktop wallpaper, and blocked the request. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini settings: BlockSysParam .","title":"SBIE1311"},{"location":"Content/SBIE1311/#sbie1311","text":"OBSOLETE Message: SBIE1311 Blocked request to change desktop wallpaper by process program.exe Logged To: Popup Message Log . 
Explanation: Sandboxie detected that a program issued a request to change the desktop wallpaper, and blocked the request. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini settings: BlockSysParam .","title":"SBIE1311"},{"location":"Content/SBIE1312/","text":"SBIE1312 Message: SBIE1312 Blocked request to start a 16-bit DOS program in the sandbox Logged To: Popup Message Log . Explanation: Sandboxie blocks the execution of 16-bit DOS programs in the sandbox, because Sandboxie cannot guarantee sandbox isolation for such programs. Note that this message only appears in the 32-bit edition of Sandboxie on 32-bit Windows, as 64-bit Windows does not run 16-bit DOS programs. One possible workaround is to install the DOS emulation software DOSBox into a sandbox, and use that to run the 16-bit DOS program.","title":"SBIE1312"},{"location":"Content/SBIE1312/#sbie1312","text":"Message: SBIE1312 Blocked request to start a 16-bit DOS program in the sandbox Logged To: Popup Message Log . Explanation: Sandboxie blocks the execution of 16-bit DOS programs in the sandbox, because Sandboxie cannot guarantee sandbox isolation for such programs. Note that this message only appears in the 32-bit edition of Sandboxie on 32-bit Windows, as 64-bit Windows does not run 16-bit DOS programs. One possible workaround is to install the DOS emulation software DOSBox into a sandbox, and use that to run the 16-bit DOS program.","title":"SBIE1312"},{"location":"Content/SBIE1313/","text":"SBIE1313 OBSOLETE Message: SBIE1313 Blocked direct disk access by process program.exe Logged To: Popup Message Log . Explanation: This message indicated that a program requested direct access to a hard disk device and Sandboxie denied this access. Note that the default behavior of Sandboxie is to deny all direct access requests without issuing this message. The message was issued only when the NotifyDirectDiskAccess setting was already enabled. 
Please see NotifyDirectDiskAccess for more information.","title":"SBIE1313"},{"location":"Content/SBIE1313/#sbie1313","text":"OBSOLETE Message: SBIE1313 Blocked direct disk access by process program.exe Logged To: Popup Message Log . Explanation: This message indicated that a program requested direct access to a hard disk device and Sandboxie denied this access. Note that the default behavior of Sandboxie is to deny all direct access requests without issuing this message. The message was issued only when the NotifyDirectDiskAccess setting was already enabled. Please see NotifyDirectDiskAccess for more information.","title":"SBIE1313"},{"location":"Content/SBIE1314/","text":"SBIE1314 Message: SBIE1314 Blocked request to alter network/firewall settings by process program.exe Logged To: Popup Message Log . Explanation: This message indicates that a program attempted to change TCP/IP network configuration, and the request was blocked. Sandboxie may issue this message when it blocks a program from attempting to change the IP address or routing tables for the local computer, or other networking parameters. Note that at this time, the message is not actually issued when a program attempts to change firewall parameters, but the program will not be able to modify the parameters of the firewall. To permit a program to alter network and firewall parameters, please see the following settings: Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access Related Sandboxie Ini settings: BlockNetParam .","title":"SBIE1314"},{"location":"Content/SBIE1314/#sbie1314","text":"Message: SBIE1314 Blocked request to alter network/firewall settings by process program.exe Logged To: Popup Message Log . Explanation: This message indicates that a program attempted to change TCP/IP network configuration, and the request was blocked. 
Sandboxie may issue this message when it blocks a program from attempting to change the IP address or routing tables for the local computer, or other networking parameters. Note that at this time, the message is not actually issued when a program attempts to change firewall parameters, but the program will not be able to modify the parameters of the firewall. To permit a program to alter network and firewall parameters, please see the following settings: Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access Related Sandboxie Ini settings: BlockNetParam .","title":"SBIE1314"},{"location":"Content/SBIE1401/","text":"SBIE1401 Message: SBIE1401 Configuration file not found, using defaults Logged To: System Event Log and Popup Message Log . Explanation: This is a notification message which indicates that Sandboxie did not find the Sandboxie Ini configuration file, and will be using default settings. Sandboxie looks for the Sandboxie Ini file first in the Windows directory (typically C:\\Windows), and if not found there, in the Sandboxie installation folder.","title":"SBIE1401"},{"location":"Content/SBIE1401/#sbie1401","text":"Message: SBIE1401 Configuration file not found, using defaults Logged To: System Event Log and Popup Message Log . Explanation: This is a notification message which indicates that Sandboxie did not find the Sandboxie Ini configuration file, and will be using default settings. Sandboxie looks for the Sandboxie Ini file first in the Windows directory (typically C:\\Windows), and if not found there, in the Sandboxie installation folder.","title":"SBIE1401"},{"location":"Content/SBIE1402/","text":"SBIE1402 Message: SBIE1402 Configuration file error in line number : [xxxxxxxx] Logged To: System Event Log and Popup Message Log . Explanation: There was some error reading the Sandboxie Ini configuration file. 
Note that messages SBIE1403 , SBIE1404 and SBIE1405 are concerned with specific error conditions, while this message indicates some other, unspecified condition.","title":"SBIE1402"},{"location":"Content/SBIE1402/#sbie1402","text":"Message: SBIE1402 Configuration file error in line number : [xxxxxxxx] Logged To: System Event Log and Popup Message Log . Explanation: There was some error reading the Sandboxie Ini configuration file. Note that messages SBIE1403 , SBIE1404 and SBIE1405 are concerned with specific error conditions, while this message indicates some other, unspecified condition.","title":"SBIE1402"},{"location":"Content/SBIE1403/","text":"SBIE1403 Message: SBIE1403 Configuration file error in line number : line too long Logged To: System Event Log and Popup Message Log . Explanation: The maximum length of a line in the Sandboxie Ini configuration file is 1000 characters. This message indicates that a particular line in the file was longer than this limit.","title":"SBIE1403"},{"location":"Content/SBIE1403/#sbie1403","text":"Message: SBIE1403 Configuration file error in line number : line too long Logged To: System Event Log and Popup Message Log . Explanation: The maximum length of a line in the Sandboxie Ini configuration file is 1000 characters. This message indicates that a particular line in the file was longer than this limit.","title":"SBIE1403"},{"location":"Content/SBIE1404/","text":"SBIE1404 Message: SBIE1404 Configuration file error in line number : too many lines Logged To: System Event Log and Popup Message Log . Explanation: The maximum number of a lines in the Sandboxie Ini configuration file is 30000. This message indicates that the configuration file has more lines than this limiting number.","title":"SBIE1404"},{"location":"Content/SBIE1404/#sbie1404","text":"Message: SBIE1404 Configuration file error in line number : too many lines Logged To: System Event Log and Popup Message Log . 
Explanation: The maximum number of a lines in the Sandboxie Ini configuration file is 30000. This message indicates that the configuration file has more lines than this limiting number.","title":"SBIE1404"},{"location":"Content/SBIE1405/","text":"SBIE1405 Message: SBIE1405 Configuration file error in line number : syntax error Logged To: System Event Log and Popup Message Log . Explanation: The Sandboxie Ini configuration file is structured as a set of sections. Each section begins with a section name between brackets, for example: [GlobalSettings]. Within each section, each line must be formatted as name=value . Alternatively, a line in the configuration file may be blank, or may begin with the hash character (#), in which case the line is considered a comment and is ignored. This message indicates that some text in the configuration file could not be parsed according to the syntax described above.","title":"SBIE1405"},{"location":"Content/SBIE1405/#sbie1405","text":"Message: SBIE1405 Configuration file error in line number : syntax error Logged To: System Event Log and Popup Message Log . Explanation: The Sandboxie Ini configuration file is structured as a set of sections. Each section begins with a section name between brackets, for example: [GlobalSettings]. Within each section, each line must be formatted as name=value . Alternatively, a line in the configuration file may be blank, or may begin with the hash character (#), in which case the line is considered a comment and is ignored. This message indicates that some text in the configuration file could not be parsed according to the syntax described above.","title":"SBIE1405"},{"location":"Content/SBIE1406/","text":"SBIE1406 Message: SBIE1406 Missing or invalid expansion for variable : [xxxxxxxx] Logged To: System Event Log and Popup Message Log . 
Explanation: This messages indicates that the variable referenced in the configuration file, whose name is noted in the message, cannot be replaced by textual content. For example, the variables %USERNAME% are expanded to (or replaced by) the user account name. If Sandboxie cannot determine the user account name (see messages SBIE1408 and SBIE2209 ), then message SBIE1406 will be issued, naming the variable USERNAME. For a list of expandable variables, see Expandable Variables . Template Variables If the variable name in the message begins with Tmpl , then you should go to Sandbox Settings > Applications > Folders and select a folder location to be associated with the missing variable. For example, if you see this error message for Tmpl.Eudora , go to the Folders settings page, and select a folder for Eudora.","title":"SBIE1406"},{"location":"Content/SBIE1406/#sbie1406","text":"Message: SBIE1406 Missing or invalid expansion for variable : [xxxxxxxx] Logged To: System Event Log and Popup Message Log . Explanation: This messages indicates that the variable referenced in the configuration file, whose name is noted in the message, cannot be replaced by textual content. For example, the variables %USERNAME% are expanded to (or replaced by) the user account name. If Sandboxie cannot determine the user account name (see messages SBIE1408 and SBIE2209 ), then message SBIE1406 will be issued, naming the variable USERNAME. For a list of expandable variables, see Expandable Variables . Template Variables If the variable name in the message begins with Tmpl , then you should go to Sandbox Settings > Applications > Folders and select a folder location to be associated with the missing variable. For example, if you see this error message for Tmpl.Eudora , go to the Folders settings page, and select a folder for Eudora.","title":"SBIE1406"},{"location":"Content/SBIE1408/","text":"SBIE1408 Message: SBIE1408 Unknown user name for SID: S-1-5-x-y-z Logged To: Popup Message Log . 
Explanation: Sandboxie needs to translate security S-1-5-x-y-z to a user account name. This message indicates that an error has occurred and revented this translation. If this message is not accompanied by message SBIE2209 , then it may be an indication that the Sandboxie service is not running.","title":"SBIE1408"},{"location":"Content/SBIE1408/#sbie1408","text":"Message: SBIE1408 Unknown user name for SID: S-1-5-x-y-z Logged To: Popup Message Log . Explanation: Sandboxie needs to translate security S-1-5-x-y-z to a user account name. This message indicates that an error has occurred and revented this translation. If this message is not accompanied by message SBIE2209 , then it may be an indication that the Sandboxie service is not running.","title":"SBIE1408"},{"location":"Content/SBIE1409/","text":"SBIE1409 Message: SBIE1409 The Templates.ini file cannot be opened [xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie expects to find the global configuration file Templates.ini in its installation folder. This file should be considered a stock part of the installation and should not be edited or removed. See also: Nt Status Codes .","title":"SBIE1409"},{"location":"Content/SBIE1409/#sbie1409","text":"Message: SBIE1409 The Templates.ini file cannot be opened [xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie expects to find the global configuration file Templates.ini in its installation folder. This file should be considered a stock part of the installation and should not be edited or removed. See also: Nt Status Codes .","title":"SBIE1409"},{"location":"Content/SBIE1410/","text":"SBIE1410 Message: SBIE1410 The following message indicates an error in the Templates.ini file Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the global configuration file Templates.ini . This message precedes one of the other SBIE14xx messages: SBIE1402 , SBIE1403 , SBIE1404 , SBIE1405 , SBIE1406 . 
The message indicates the follow-up SBIE14xx message refers to the Templates.ini file rather than the Sandboxie.ini configuration file.","title":"SBIE1410"},{"location":"Content/SBIE1410/#sbie1410","text":"Message: SBIE1410 The following message indicates an error in the Templates.ini file Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the global configuration file Templates.ini . This message precedes one of the other SBIE14xx messages: SBIE1402 , SBIE1403 , SBIE1404 , SBIE1405 , SBIE1406 . The message indicates the follow-up SBIE14xx message refers to the Templates.ini file rather than the Sandboxie.ini configuration file.","title":"SBIE1410"},{"location":"Content/SBIE1411/","text":"SBIE1411 Message: SBIE1411 Sandbox %2 specifies unknown template %3 Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the Sandboxie.ini file. One of the sandboxes configured in the file references a global template section which does not appear in the global configuration file Templates.ini . Note that local templates should be defined in the Sandboxie.ini file while stock global templates are delivered as part of the installation of Sandboxie in the Templates.ini file.","title":"SBIE1411"},{"location":"Content/SBIE1411/#sbie1411","text":"Message: SBIE1411 Sandbox %2 specifies unknown template %3 Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the Sandboxie.ini file. One of the sandboxes configured in the file references a global template section which does not appear in the global configuration file Templates.ini . Note that local templates should be defined in the Sandboxie.ini file while stock global templates are delivered as part of the installation of Sandboxie in the Templates.ini file.","title":"SBIE1411"},{"location":"Content/SBIE1412/","text":"SBIE1412 Message: SBIE1412 In text: %2 Logged To: Popup Message Log . 
Explanation: Sandboxie encountered an error while processing the configuration file. In addition to other messages which explain and identify the error, such as message SBIE1405 , this SBIE1412 message quotes the text line in which the error occurred.","title":"SBIE1412"},{"location":"Content/SBIE1412/#sbie1412","text":"Message: SBIE1412 In text: %2 Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the configuration file. In addition to other messages which explain and identify the error, such as message SBIE1405 , this SBIE1412 message quotes the text line in which the error occurred.","title":"SBIE1412"},{"location":"Content/SBIE2102/","text":"SBIE2102 Message: SBIE2102 File is too large to copy into sandbox - path Logged To: Popup Message Log . Explanation: This is an informational message. Before a sandboxed program can make changes to a file that already exists in your computer, Sandboxie first must make a copy of this file in the sandbox. This works very well for small files (up to a few megabytes in size), as the copy operation completes very quickly. But for larger files, the copy operation may take a noticeable length of time. For example, suppose you created a backup for a DVD, in the form of a 4GB file. If a sandboxed program tries to access the file, Sandboxie would have to make a sandboxed copy of the 4 GB file. This would take several minutes to complete, and would cost 4 GB of disk space. For this reason, Sandboxie will only make copies of files that are below a certain size threshold. Files larger than this size will be considered read-only inside the sandbox, and any attempt to modify them will result in message SBIE2102. The size threshold and alert message can be configured in Sandbox Settings > File Migration . 
Related Sandboxie Ini setting: CopyLimitKb , CopyLimitSilent","title":"SBIE2102"},{"location":"Content/SBIE2102/#sbie2102","text":"Message: SBIE2102 File is too large to copy into sandbox - path Logged To: Popup Message Log . Explanation: This is an informational message. Before a sandboxed program can make changes to a file that already exists in your computer, Sandboxie first must make a copy of this file in the sandbox. This works very well for small files (up to a few megabytes in size), as the copy operation completes very quickly. But for larger files, the copy operation may take a noticeable length of time. For example, suppose you created a backup for a DVD, in the form of a 4GB file. If a sandboxed program tries to access the file, Sandboxie would have to make a sandboxed copy of the 4 GB file. This would take several minutes to complete, and would cost 4 GB of disk space. For this reason, Sandboxie will only make copies of files that are below a certain size threshold. Files larger than this size will be considered read-only inside the sandbox, and any attempt to modify them will result in message SBIE2102. The size threshold and alert message can be configured in Sandbox Settings > File Migration . Related Sandboxie Ini setting: CopyLimitKb , CopyLimitSilent","title":"SBIE2102"},{"location":"Content/SBIE2103/","text":"SBIE2103 Message: SBIE2103 Denied attempt to load system driver driver Logged To: Popup Message Log . Explanation: This is an informational message. Programs running under the supervision of Sandboxie are stripped of privileges required to start drivers. (Unless this is explicitly allowed through the Block Drivers settings.) This message indicates that a sandboxed program has requested to start a driver, and that the request was denied. Note, depending on the circumstances, this message may indicate that an attempt to install a malicious rootkit into the system, has been subverted by Sandboxie. 
On the other hand, if this message appears during the sandboxed installation of a program that is known to install and activate drivers, then the previous statement does not apply. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini setting: BlockDrivers","title":"SBIE2103"},{"location":"Content/SBIE2103/#sbie2103","text":"Message: SBIE2103 Denied attempt to load system driver driver Logged To: Popup Message Log . Explanation: This is an informational message. Programs running under the supervision of Sandboxie are stripped of privileges required to start drivers. (Unless this is explicitly allowed through the Block Drivers settings.) This message indicates that a sandboxed program has requested to start a driver, and that the request was denied. Note, depending on the circumstances, this message may indicate that an attempt to install a malicious rootkit into the system, has been subverted by Sandboxie. On the other hand, if this message appears during the sandboxed installation of a program that is known to install and activate drivers, then the previous statement does not apply. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini setting: BlockDrivers","title":"SBIE2103"},{"location":"Content/SBIE2104/","text":"SBIE2104 Message: SBIE2104 Denied attempt to end this Windows session Logged To: Popup Message Log . Explanation: This is an informational message. Programs running under the supervision of Sandboxie are stripped of privileges required to logoff the active user or shut down or restart the system. This message indicates that a sandboxed program has requested to end the Windows session through logoff, shutdown or restart, and that the request was denied.","title":"SBIE2104"},{"location":"Content/SBIE2104/#sbie2104","text":"Message: SBIE2104 Denied attempt to end this Windows session Logged To: Popup Message Log . 
Explanation: This is an informational message. Programs running under the supervision of Sandboxie are stripped of privileges required to logoff the active user or shut down or restart the system. This message indicates that a sandboxed program has requested to end the Windows session through logoff, shutdown or restart, and that the request was denied.","title":"SBIE2104"},{"location":"Content/SBIE2108/","text":"SBIE2108 Message: SBIE2108 Faking successful completion for program program.exe Logged To: Popup Message Log . Explanation: This is an informational message. In some specific cases, installation of particular software into the sandbox fails due to an error condition occurring in some minor component of the entire process. This message indicates that Sandboxie has hidden this error condition in the minor component, in order to allow the installation to succeed.","title":"SBIE2108"},{"location":"Content/SBIE2108/#sbie2108","text":"Message: SBIE2108 Faking successful completion for program program.exe Logged To: Popup Message Log . Explanation: This is an informational message. In some specific cases, installation of particular software into the sandbox fails due to an error condition occurring in some minor component of the entire process. This message indicates that Sandboxie has hidden this error condition in the minor component, in order to allow the installation to succeed.","title":"SBIE2108"},{"location":"Content/SBIE2111/","text":"SBIE2111 Message: SBIE2111 Process is not accessible: program , call call Logged To: Popup Message Log . Explanation: This is an informational message. Before v1.0.16 / 5.55.16, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user, this is obviously a bad idea if your goals is not only infection prevention but also data protection. 
Hence, from v1.0.16 / 5.55.16 onwards Sandboxie will not allow for PROCESS_VM_READ on unsandboxed processes or processes belonging to other sandboxes. To facilitate compatibility, this build introduces a ReadIpcPath sandbox setting. Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Issue message 2111 when a process access is denied See also: Notify Process Access Denied .","title":"SBIE2111"},{"location":"Content/SBIE2111/#sbie2111","text":"Message: SBIE2111 Process is not accessible: program , call call Logged To: Popup Message Log . Explanation: This is an informational message. Before v1.0.16 / 5.55.16, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user, this is obviously a bad idea if your goals is not only infection prevention but also data protection. Hence, from v1.0.16 / 5.55.16 onwards Sandboxie will not allow for PROCESS_VM_READ on unsandboxed processes or processes belonging to other sandboxes. To facilitate compatibility, this build introduces a ReadIpcPath sandbox setting. Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Issue message 2111 when a process access is denied See also: Notify Process Access Denied .","title":"SBIE2111"},{"location":"Content/SBIE2191/","text":"SBIE2191 Message: SBIE2191 browser should not be updated while running under Sandboxie. Logged To: Popup Message Log . Explanation: This is an informational message. This message is always followed by SBIE2192 and SBIE2193 : SBIE2191 browser should not be updated while running under Sandboxie. SBIE2192 To update the program, run it outside of the supervision of Sandboxie. SBIE2193 Make sure to delete the sandbox after completing the update process. 
(unavailable since Sandboxie 1.0.14 / 5.55.14) The browser in the message is Mozilla Firefox or Google Chrome.","title":"SBIE2191"},{"location":"Content/SBIE2191/#sbie2191","text":"Message: SBIE2191 browser should not be updated while running under Sandboxie. Logged To: Popup Message Log . Explanation: This is an informational message. This message is always followed by SBIE2192 and SBIE2193 : SBIE2191 browser should not be updated while running under Sandboxie. SBIE2192 To update the program, run it outside of the supervision of Sandboxie. SBIE2193 Make sure to delete the sandbox after completing the update process. (unavailable since Sandboxie 1.0.14 / 5.55.14) The browser in the message is Mozilla Firefox or Google Chrome.","title":"SBIE2191"},{"location":"Content/SBIE2192/","text":"SBIE2192 Message: SBIE2192 To update the program, run it outside of the supervision of Sandboxie. Logged To: Popup Message Log . Explanation: See message SBIE2191 .","title":"SBIE2192"},{"location":"Content/SBIE2192/#sbie2192","text":"Message: SBIE2192 To update the program, run it outside of the supervision of Sandboxie. Logged To: Popup Message Log . Explanation: See message SBIE2191 .","title":"SBIE2192"},{"location":"Content/SBIE2193/","text":"SBIE2193 OBSOLETE SINCE 1.0.14 / 5.55.14 Message: SBIE2193 Make sure to delete the sandbox after completing the update process. Logged To: Popup Message Log . Explanation: See message SBIE2191 .","title":"SBIE2193"},{"location":"Content/SBIE2193/#sbie2193","text":"OBSOLETE SINCE 1.0.14 / 5.55.14 Message: SBIE2193 Make sure to delete the sandbox after completing the update process. Logged To: Popup Message Log . Explanation: See message SBIE2191 .","title":"SBIE2193"},{"location":"Content/SBIE2202/","text":"SBIE2202 Message: SBIE2202 Missing list of installed hardware devices Logged To: Popup Message Log . 
Explanation: The Sandboxie DLL component executing within the sandboxed program needs to access information prepared, in advance, by the Sandboxie service component (SbieSvc). This message indicates that information was not available. Typically, the reason is that the Sandboxie service is not running.","title":"SBIE2202"},{"location":"Content/SBIE2202/#sbie2202","text":"Message: SBIE2202 Missing list of installed hardware devices Logged To: Popup Message Log . Explanation: The Sandboxie DLL component executing within the sandboxed program needs to access information prepared, in advance, by the Sandboxie service component (SbieSvc). This message indicates that information was not available. Typically, the reason is that the Sandboxie service is not running.","title":"SBIE2202"},{"location":"Content/SBIE2203/","text":"SBIE2203 Message: SBIE2203 Failed to communicate with Sandboxie Service: detail Logged To: Popup Message Log . Explanation: The Sandboxie DLL component executing within the sandboxed program needs to communicate with the Sandboxie service component (SbieSvc). This message indicates that some communication failure has occurred. When detail is connect , the likely reason is that the Sandboxie service is not running. Any other value of detail indicates that communication has been established, but could not be completed, due to some error.","title":"SBIE2203"},{"location":"Content/SBIE2203/#sbie2203","text":"Message: SBIE2203 Failed to communicate with Sandboxie Service: detail Logged To: Popup Message Log . Explanation: The Sandboxie DLL component executing within the sandboxed program needs to communicate with the Sandboxie service component (SbieSvc). This message indicates that some communication failure has occurred. When detail is connect , the likely reason is that the Sandboxie service is not running. 
Any other value of detail indicates that communication has been established, but could not be completed, due to some error.","title":"SBIE2203"},{"location":"Content/SBIE2204/","text":"SBIE2204 Message: SBIE2204 Cannot start sandboxed service name__(xxxxxxxx) Logged To: Popup Message Log . Explanation: The message indicates that Sandboxie was unable to start one of the helper programs SandboxieRpcSs or SandboxieDcomLaunch . The name noted in the message can be rpcss or dcomlaunch . For more information about these programs, see Service Programs .","title":"SBIE2204"},{"location":"Content/SBIE2204/#sbie2204","text":"Message: SBIE2204 Cannot start sandboxed service name__(xxxxxxxx) Logged To: Popup Message Log . Explanation: The message indicates that Sandboxie was unable to start one of the helper programs SandboxieRpcSs or SandboxieDcomLaunch . The name noted in the message can be rpcss or dcomlaunch . For more information about these programs, see Service Programs .","title":"SBIE2204"},{"location":"Content/SBIE2205/","text":"SBIE2205 Message: SBIE2205 Service not implemented: name Logged To: Popup Message Log . Explanation: Some little-used system service, which is identified by name , is not implemented by Sandboxie. This is a warning/notification message from Sandboxie. The sandboxed program may or may not fail. Missing functionality related to Protected Storage and Windows Credentials The explanation below applies to these missing services: CredReadA IPStore::GetTypeInfo Protected Storage is a facility that some Windows programs use to collect history of typed text. Windows credentials is a facility that some Windows programs (like Windows Messenger), and some Microsoft web sites (like Hotmail) use to remember user/password information. Sandboxie provides its own implementation for these facilities, which store any collected information in the sandbox rather than in the real Protected Storage. 
This is part of the overall approach of Sandboxie which aims to contain any effects by a programs into the sandbox. This Sandboxie implementation is complete enough that it enables most programs to work as expected. However, it is not 100% compatible with the real implementation of the facilities in Windows. Few programs use services which are not implemented. In this cases, Sandboxie issues message SBIE2205 to report that a program tried to do something which was not supported, and that the operation failed. The message does not imply that any information was stored outside the sandbox. More information: Protected Storage , Open Protected Storage , Open Credentials , and Save Outside Sandbox in Internet Explorer Tips .","title":"SBIE2205"},{"location":"Content/SBIE2205/#sbie2205","text":"Message: SBIE2205 Service not implemented: name Logged To: Popup Message Log . Explanation: Some little-used system service, which is identified by name , is not implemented by Sandboxie. This is a warning/notification message from Sandboxie. The sandboxed program may or may not fail. Missing functionality related to Protected Storage and Windows Credentials The explanation below applies to these missing services: CredReadA IPStore::GetTypeInfo Protected Storage is a facility that some Windows programs use to collect history of typed text. Windows credentials is a facility that some Windows programs (like Windows Messenger), and some Microsoft web sites (like Hotmail) use to remember user/password information. Sandboxie provides its own implementation for these facilities, which store any collected information in the sandbox rather than in the real Protected Storage. This is part of the overall approach of Sandboxie which aims to contain any effects by a programs into the sandbox. This Sandboxie implementation is complete enough that it enables most programs to work as expected. However, it is not 100% compatible with the real implementation of the facilities in Windows. 
Few programs use services which are not implemented. In this cases, Sandboxie issues message SBIE2205 to report that a program tried to do something which was not supported, and that the operation failed. The message does not imply that any information was stored outside the sandbox. More information: Protected Storage , Open Protected Storage , Open Credentials , and Save Outside Sandbox in Internet Explorer Tips .","title":"SBIE2205"},{"location":"Content/SBIE2206/","text":"SBIE2206 Message: SBIE2206 Failed processing AutoExec setting yy__[ ntstatus ] Logged To: Popup Message Log . Explanation: There was an error in the processing one of the AutoExec settings from the Sandboxie Ini configuration file. Note that this message is specifically not concerned with errors that occur as the result of running the program or command specified by the AutoExec setting. This message indicates that it is the bookkeeping , which is related to AutoExec settings, that has failed in some way.","title":"SBIE2206"},{"location":"Content/SBIE2206/#sbie2206","text":"Message: SBIE2206 Failed processing AutoExec setting yy__[ ntstatus ] Logged To: Popup Message Log . Explanation: There was an error in the processing one of the AutoExec settings from the Sandboxie Ini configuration file. Note that this message is specifically not concerned with errors that occur as the result of running the program or command specified by the AutoExec setting. This message indicates that it is the bookkeeping , which is related to AutoExec settings, that has failed in some way.","title":"SBIE2206"},{"location":"Content/SBIE2207/","text":"SBIE2207 Message: SBIE2207 Invalid value for setting name , using default Logged To: Popup Message Log . Explanation: The Sandboxie Ini configuration setting identified by name has an invalid value. 
Consult the documentation for the relevant setting.","title":"SBIE2207"},{"location":"Content/SBIE2207/#sbie2207","text":"Message: SBIE2207 Invalid value for setting name , using default Logged To: Popup Message Log . Explanation: The Sandboxie Ini configuration setting identified by name has an invalid value. Consult the documentation for the relevant setting.","title":"SBIE2207"},{"location":"Content/SBIE2208/","text":"SBIE2208 Message: SBIE2208 Cannot remove registry hive: [ ntstatus ] Logged To: Popup Message Log . Explanation: When all sandboxed programs end, Sandboxie removes the sandboxed registry from the system. This error message indicates the removal was unsuccessful. Typically the ntstatus code is C0000121, and indicates that some other program is using the sandboxed registry, from outside the sandbox. Note, as long as the registry remains loaded into the system, the sandbox cannot be deleted. Logging-off the current user account may resolve the problem.","title":"SBIE2208"},{"location":"Content/SBIE2208/#sbie2208","text":"Message: SBIE2208 Cannot remove registry hive: [ ntstatus ] Logged To: Popup Message Log . Explanation: When all sandboxed programs end, Sandboxie removes the sandboxed registry from the system. This error message indicates the removal was unsuccessful. Typically the ntstatus code is C0000121, and indicates that some other program is using the sandboxed registry, from outside the sandbox. Note, as long as the registry remains loaded into the system, the sandbox cannot be deleted. Logging-off the current user account may resolve the problem.","title":"SBIE2208"},{"location":"Content/SBIE2209/","text":"SBIE2209 Message: SBIE2209 Cannot translate SID to user name: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie needs to translate security S-1-5-x-y-z to a user account name. 
This message indicates that an error has occurred and prevented this translation.","title":"SBIE2209"},{"location":"Content/SBIE2209/#sbie2209","text":"Message: SBIE2209 Cannot translate SID to user name: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie needs to translate security S-1-5-x-y-z to a user account name. This message indicates that an error has occurred and prevented this translation.","title":"SBIE2209"},{"location":"Content/SBIE2210/","text":"SBIE2210 Message: SBIE2210 Cannot start Windows Explorer for: folder__(xxxx) Logged To: Popup Message Log . Explanation: Sandboxie tries to launch Windows Explorer (the program explorer.exe ) when a sandboxed program requests to 'explore' a folder. This message indicates that the Windows Explorer program could not be started to explore the folder noted in the message.","title":"SBIE2210"},{"location":"Content/SBIE2210/#sbie2210","text":"Message: SBIE2210 Cannot start Windows Explorer for: folder__(xxxx) Logged To: Popup Message Log . Explanation: Sandboxie tries to launch Windows Explorer (the program explorer.exe ) when a sandboxed program requests to 'explore' a folder. This message indicates that the Windows Explorer program could not be started to explore the folder noted in the message.","title":"SBIE2210"},{"location":"Content/SBIE2211/","text":"SBIE2211 Message: SBIE2211 Sandboxed service failed to start: name Logged To: Popup Message Log . Explanation: Windows Services that are installed into the sandbox are managed by Sandboxie. This management includes starting and stopping the service. This message reports that the sandboxed service name has failed to start. User Account Control In Windows Vista and later, software may not correctly install into the sandbox unless you enable the option Run As UAC Administrator prior to running the installation. Particularly, Windows Installer packages, which are installed through the Windows Installer service, require enabling this option. 
This is not a security issue: The \"Run As UAC Administrator\" option does not diminish the protection of Sandboxie in any way.","title":"SBIE2211"},{"location":"Content/SBIE2211/#sbie2211","text":"Message: SBIE2211 Sandboxed service failed to start: name Logged To: Popup Message Log . Explanation: Windows Services that are installed into the sandbox are managed by Sandboxie. This management includes starting and stopping the service. This message reports that the sandboxed service name has failed to start. User Account Control In Windows Vista and later, software may not correctly install into the sandbox unless you enable the option Run As UAC Administrator prior to running the installation. Particularly, Windows Installer packages, which are installed through the Windows Installer service, require enabling this option. This is not a security issue: The \"Run As UAC Administrator\" option does not diminish the protection of Sandboxie in any way.","title":"SBIE2211"},{"location":"Content/SBIE2212/","text":"SBIE2212 Message: SBIE2212 Email reader program.exe is not configured to run sandboxed Logged To: Popup Message Log . Explanation: This message is displayed when you run your mail reader program sandboxed, but have not yet enabled proper support for that program in Sandboxie. Sandboxie offers quick configuration for most email programs. Please see Sandbox Settings > Applications > Email Reader , and then Test Email Configuration . By default, Sandboxie traps all changes in the sandbox, including changes to mailbox files, such as the addition of new mail. These changes will be deleted when the sandbox is deleted. To properly run your mail program sandboxed, you should configure Sandboxie to exclude your mailbox data files from sandboxing. For more information, see Email Protection .","title":"SBIE2212"},{"location":"Content/SBIE2212/#sbie2212","text":"Message: SBIE2212 Email reader program.exe is not configured to run sandboxed Logged To: Popup Message Log . 
Explanation: This message is displayed when you run your mail reader program sandboxed, but have not yet enabled proper support for that program in Sandboxie. Sandboxie offers quick configuration for most email programs. Please see Sandbox Settings > Applications > Email Reader , and then Test Email Configuration . By default, Sandboxie traps all changes in the sandbox, including changes to mailbox files, such as the addition of new mail. These changes will be deleted when the sandbox is deleted. To properly run your mail program sandboxed, you should configure Sandboxie to exclude your mailbox data files from sandboxing. For more information, see Email Protection .","title":"SBIE2212"},{"location":"Content/SBIE2213/","text":"SBIE2213 Message: SBIE2213 Windows Credentials cannot be stored in the sandbox Logged To: Popup Message Log . Explanation: Windows Credentials are username and password information stored in Windows by some Microsoft applications. For example, Windows Messenger stores email addresses and passwords as Windows Credentials. Sandboxie provides its own implementation of Windows Credentials which stores the information in the sandbox in order to keep them isolated from the rest of the system. To disable this implementation of isolated credentials, specify the OpenCredentials =y setting. This message is an indication that the Sandboxie implementation of Windows Credentials was asked to store Windows Credentials but failed to do so. The credentials in question are discarded.","title":"SBIE2213"},{"location":"Content/SBIE2213/#sbie2213","text":"Message: SBIE2213 Windows Credentials cannot be stored in the sandbox Logged To: Popup Message Log . Explanation: Windows Credentials are username and password information stored in Windows by some Microsoft applications. For example, Windows Messenger stores email addresses and passwords as Windows Credentials. 
Sandboxie provides its own implementation of Windows Credentials which stores the information in the sandbox in order to keep them isolated from the rest of the system. To disable this implementation of isolated credentials, specify the OpenCredentials =y setting. This message is an indication that the Sandboxie implementation of Windows Credentials was asked to store Windows Credentials but failed to do so. The credentials in question are discarded.","title":"SBIE2213"},{"location":"Content/SBIE2214/","text":"SBIE2214 Message: SBIE2214 Request to start service name was denied due to dropped rights Logged To: Popup Message Log . Explanation: The Drop Rights setting is enabled in the sandbox, and this prevents the service program from starting with full (LocalSystem) privileges. Note that the 64-bit edition of Sandboxie enables the Drop Rights setting by default. This message is followed by message SBIE2219 . Resolution: Turn off the Drop Rights setting.","title":"SBIE2214"},{"location":"Content/SBIE2214/#sbie2214","text":"Message: SBIE2214 Request to start service name was denied due to dropped rights Logged To: Popup Message Log . Explanation: The Drop Rights setting is enabled in the sandbox, and this prevents the service program from starting with full (LocalSystem) privileges. Note that the 64-bit edition of Sandboxie enables the Drop Rights setting by default. This message is followed by message SBIE2219 . Resolution: Turn off the Drop Rights setting.","title":"SBIE2214"},{"location":"Content/SBIE2217/","text":"SBIE2217 Message: SBIE2217 Request to run as Administrator was denied due to dropped rights Logged To: Popup Message Log . Explanation: The Drop Rights setting is enabled in the sandbox, and this prevents the program from starting with Administrator account privileges. This message is followed by message SBIE2219 . 
Resolution: Turn off the Drop Rights setting: Sandbox Settings > Restrictions > Drop Rights .","title":"SBIE2217"},{"location":"Content/SBIE2217/#sbie2217","text":"Message: SBIE2217 Request to run as Administrator was denied due to dropped rights Logged To: Popup Message Log . Explanation: The Drop Rights setting is enabled in the sandbox, and this prevents the program from starting with Administrator account privileges. This message is followed by message SBIE2219 . Resolution: Turn off the Drop Rights setting: Sandbox Settings > Restrictions > Drop Rights .","title":"SBIE2217"},{"location":"Content/SBIE2218/","text":"SBIE2218 Message: SBIE2218 Failed to get elevated privileges: [xx / yyyyyyyy] Logged To: Popup Message Log . Explanation: Some error has occurred which prevents Sandboxie from successfully completing a privilege elevation operation which was issued by a program running in the sandbox. A privilege elevation operation can be: a request to start some service in the sandbox, or on Windows Vista and later, a request to use User Account Control (UAC) to elevate to Administrator privileges. This message is followed by message SBIE2219 . Resolution: This error might occur during program installation. A possible workaround is to run the installation with Administrator privileges: Use the right-click command Run Sandboxed to launch the installation setup program under Sandboxie, and make sure to select the Run as UAC Administrator option in the Run Sandboxed dialog box.","title":"SBIE2218"},{"location":"Content/SBIE2218/#sbie2218","text":"Message: SBIE2218 Failed to get elevated privileges: [xx / yyyyyyyy] Logged To: Popup Message Log . Explanation: Some error has occurred which prevents Sandboxie from successfully completing a privilege elevation operation which was issued by a program running in the sandbox. 
A privilege elevation operation can be: a request to start some service in the sandbox, or on Windows Vista and later, a request to use User Account Control (UAC) to elevate to Administrator privileges. This message is followed by message SBIE2219 . Resolution: This error might occur during program installation. A possible workaround is to run the installation with Administrator privileges: Use the right-click command Run Sandboxed to launch the installation setup program under Sandboxie, and make sure to select the Run as UAC Administrator option in the Run Sandboxed dialog box.","title":"SBIE2218"},{"location":"Content/SBIE2219/","text":"SBIE2219 Message: SBIE2219 Request was issued by program ' name ' Logged To: Popup Message Log . Explanation: This message names a program (identified as ' name ') that has issued an operation that could not be completed. More information about the request, including the reason of failure, is given by one of the messages SBIE2214 , SBIE2217 , or SBIE2218 , which precede message SBIE2219.","title":"SBIE2219"},{"location":"Content/SBIE2219/#sbie2219","text":"Message: SBIE2219 Request was issued by program ' name ' Logged To: Popup Message Log . Explanation: This message names a program (identified as ' name ') that has issued an operation that could not be completed. More information about the request, including the reason of failure, is given by one of the messages SBIE2214 , SBIE2217 , or SBIE2218 , which precede message SBIE2219.","title":"SBIE2219"},{"location":"Content/SBIE2220/","text":"SBIE2220 Message: SBIE2220 To permit use of Administrator privileges, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE2217 and offers a quick way to enable the Drop Rights setting in the sandbox. 
Related Sandboxie Control setting: Sandbox Settings > Restrictions > Drop Rights Related Sandboxie Ini setting: DropAdminRights","title":"SBIE2220"},{"location":"Content/SBIE2220/#sbie2220","text":"Message: SBIE2220 To permit use of Administrator privileges, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE2217 and offers a quick way to enable the Drop Rights setting in the sandbox. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Drop Rights Related Sandboxie Ini setting: DropAdminRights","title":"SBIE2220"},{"location":"Content/SBIE2221/","text":"SBIE2221 Message: SBIE2221 To add the program to Internet Access Restrictions, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE1307 and offers a quick way to add a program to Internet Access restrictions. Related Sandboxie Control setting: Sandbox Settings > Restrictions Settings > Internet Access . Related Sandboxie Ini settings: ClosedFilePath , NotifyInternetAccessDenied .","title":"SBIE2221"},{"location":"Content/SBIE2221/#sbie2221","text":"Message: SBIE2221 To add the program to Internet Access Restrictions, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE1307 and offers a quick way to add a program to Internet Access restrictions. Related Sandboxie Control setting: Sandbox Settings > Restrictions Settings > Internet Access . Related Sandboxie Ini settings: ClosedFilePath , NotifyInternetAccessDenied .","title":"SBIE2221"},{"location":"Content/SBIE2222/","text":"SBIE2222 Message: SBIE2222 To add the program to Start/Run Access Restrictions, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE1308 and offers a quick way to add a program to Start/Run Access restrictions. 
Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Ini settings: ClosedIpcPath , NotifyStartRunAccessDenied .","title":"SBIE2222"},{"location":"Content/SBIE2222/#sbie2222","text":"Message: SBIE2222 To add the program to Start/Run Access Restrictions, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE1308 and offers a quick way to add a program to Start/Run Access restrictions. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Ini settings: ClosedIpcPath , NotifyStartRunAccessDenied .","title":"SBIE2222"},{"location":"Content/SBIE2223/","text":"SBIE2223 Message: SBIE2223 To increase the file size limit for copying files, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE2102 and offers a quick way to adjust the File Migration size limit. Related Sandboxie Control setting: Sandbox Settings > File Migration Related Sandboxie Ini setting: CopyLimitKb","title":"SBIE2223"},{"location":"Content/SBIE2223/#sbie2223","text":"Message: SBIE2223 To increase the file size limit for copying files, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE2102 and offers a quick way to adjust the File Migration size limit. Related Sandboxie Control setting: Sandbox Settings > File Migration Related Sandboxie Ini setting: CopyLimitKb","title":"SBIE2223"},{"location":"Content/SBIE2303/","text":"SBIE2303 Message: SBIE2303 Could not hook name__(reason) Logged To: Popup Message Log . Explanation: This message indicates that the Sandboxie DLL component, which is running within the sandboxed program, has failed to intercept and replace the system function identified by name . 
This message is typically an indication of incompatibility with some third party software.","title":"SBIE2303"},{"location":"Content/SBIE2303/#sbie2303","text":"Message: SBIE2303 Could not hook name__(reason) Logged To: Popup Message Log . Explanation: This message indicates that the Sandboxie DLL component, which is running within the sandboxed program, has failed to intercept and replace the system function identified by name . This message is typically an indication of incompatibility with some third party software.","title":"SBIE2303"},{"location":"Content/SBIE2304/","text":"SBIE2304 Message: SBIE2304 Initialization failed for process program.exe Logged To: Popup Message Log . Explanation: This message indicates that the Sandboxie DLL component, which is running within the sandboxed program, has failed to initialize.","title":"SBIE2304"},{"location":"Content/SBIE2304/#sbie2304","text":"Message: SBIE2304 Initialization failed for process program.exe Logged To: Popup Message Log . Explanation: This message indicates that the Sandboxie DLL component, which is running within the sandboxed program, has failed to initialize.","title":"SBIE2304"},{"location":"Content/SBIE2305/","text":"SBIE2305 Message: SBIE2305 Out of memory Logged To: Popup Message Log . Explanation: There was not enough memory. This message does not necessarily mean that the computer has run out of memory. However, there is no more memory available for use within the region of memory that was allocated to the sandboxed program.","title":"SBIE2305"},{"location":"Content/SBIE2305/#sbie2305","text":"Message: SBIE2305 Out of memory Logged To: Popup Message Log . Explanation: There was not enough memory. This message does not necessarily mean that the computer has run out of memory. 
However, there is no more memory available for use within the region of memory that was allocated to the sandboxed program.","title":"SBIE2305"},{"location":"Content/SBIE2306/","text":"SBIE2306 Message: SBIE2306 Could not locate user directory: [ ntstatus / yy] Logged To: Popup Message Log . Explanation: Sandboxie attempts to enhance the portability of the sandbox by storing personal (also known as \"user profile\") files in a folder that has a generic name rather than a specific one. For example, instead of storing files in \\sandbox\\drive\\c\\Users\\joe\\Documents Sandboxie prefers to store files in \\sandbox\\drive\\c\\user\\current\\Documents This means you can use the same sandbox with some other user account or even some other computer. This message indicates that Sandboxie failed to find the user profile folder, and does not know which folder to associate with the sandbox folder user\\current .","title":"SBIE2306"},{"location":"Content/SBIE2306/#sbie2306","text":"Message: SBIE2306 Could not locate user directory: [ ntstatus / yy] Logged To: Popup Message Log . Explanation: Sandboxie attempts to enhance the portability of the sandbox by storing personal (also known as \"user profile\") files in a folder that has a generic name rather than a specific one. For example, instead of storing files in \\sandbox\\drive\\c\\Users\\joe\\Documents Sandboxie prefers to store files in \\sandbox\\drive\\c\\user\\current\\Documents This means you can use the same sandbox with some other user account or even some other computer. This message indicates that Sandboxie failed to find the user profile folder, and does not know which folder to associate with the sandbox folder user\\current .","title":"SBIE2306"},{"location":"Content/SBIE2307/","text":"SBIE2307 Message: SBIE2307 Could not map drive x__[ ntstatus ] Logged To: Popup Message Log . 
Explanation: Internally, Windows does not recognize drive letters such as A: or C: and instead uses a naming scheme that identifies devices. For example \\Device\\Floppy0 \\Device\\HarddiskVolume1 May be the internal name for drives A: and C: respectively. Sandboxie works in this lower level of Windows and uses the internal names. But for convenience, when files are stored in the sandbox folder, they are stored as \\sandbox\\drive\\a and \\sandbox\\drive\\c . Therefore for every drive, Sandboxie needs to know its associated internal name, so it can map, for example, between C: and \\Device\\HarddiskVolume1 . This message indicates that Sandboxie failed to find the internal name for the drive x noted in the message.","title":"SBIE2307"},{"location":"Content/SBIE2307/#sbie2307","text":"Message: SBIE2307 Could not map drive x__[ ntstatus ] Logged To: Popup Message Log . Explanation: Internally, Windows does not recognize drive letters such as A: or C: and instead uses a naming scheme that identifies devices. For example \\Device\\Floppy0 \\Device\\HarddiskVolume1 May be the internal name for drives A: and C: respectively. Sandboxie works in this lower level of Windows and uses the internal names. But for convenience, when files are stored in the sandbox folder, they are stored as \\sandbox\\drive\\a and \\sandbox\\drive\\c . Therefore for every drive, Sandboxie needs to know its associated internal name, so it can map, for example, between C: and \\Device\\HarddiskVolume1 . This message indicates that Sandboxie failed to find the internal name for the drive x noted in the message.","title":"SBIE2307"},{"location":"Content/SBIE2308/","text":"SBIE2308 Message: SBIE2308 Could not create object directory: [yy / xxxx] Logged To: Popup Message Log . Explanation: Inter-process communication (IPC) objects are logical objects which are used for various forms of communication between programs. 
The IPC objects have identifying names and are organized into a hierarchial structure of directories. Sandboxie redirects all IPC objects created by sandboxed programs to an isolated directory in the hierarchial structure, in order to guarantee separation of communications between programs inside and outside the sandbox. This message indicates that Sandboxie failed to create the isolated directory. Guest or Limited Account If you are running Sandboxie under a guest or limited user account, make sure the user account is allowed to create IPC objects: Open Control Panel > Administrative Tools > Local Security Policy Expand Security Settings > Local Policies > User Rights Assignment Find the entry named \"Create global objects\" Make sure the guest or limited user account is listed for that entry Find the entry named \"Create permanent shared objects\" Make sure the guest or limited user account is listed for that entry","title":"SBIE2308"},{"location":"Content/SBIE2308/#sbie2308","text":"Message: SBIE2308 Could not create object directory: [yy / xxxx] Logged To: Popup Message Log . Explanation: Inter-process communication (IPC) objects are logical objects which are used for various forms of communication between programs. The IPC objects have identifying names and are organized into a hierarchial structure of directories. Sandboxie redirects all IPC objects created by sandboxed programs to an isolated directory in the hierarchial structure, in order to guarantee separation of communications between programs inside and outside the sandbox. This message indicates that Sandboxie failed to create the isolated directory. 
Guest or Limited Account If you are running Sandboxie under a guest or limited user account, make sure the user account is allowed to create IPC objects: Open Control Panel > Administrative Tools > Local Security Policy Expand Security Settings > Local Policies > User Rights Assignment Find the entry named \"Create global objects\" Make sure the guest or limited user account is listed for that entry Find the entry named \"Create permanent shared objects\" Make sure the guest or limited user account is listed for that entry","title":"SBIE2308"},{"location":"Content/SBIE2309/","text":"SBIE2309 Message: SBIE2309 Could not disable COM+/DCOM: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to disable cross-computer COM connectivity (DCOM) from within the sandbox. The customization prevents the COM framework in the sandbox (see SandboxieRpcSs and SandboxieDcomLaunch ) from providing this cross-computer connectivity. This message indicates the customization has failed due to an error.","title":"SBIE2309"},{"location":"Content/SBIE2309/#sbie2309","text":"Message: SBIE2309 Could not disable COM+/DCOM: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to disable cross-computer COM connectivity (DCOM) from within the sandbox. The customization prevents the COM framework in the sandbox (see SandboxieRpcSs and SandboxieDcomLaunch ) from providing this cross-computer connectivity. This message indicates the customization has failed due to an error.","title":"SBIE2309"},{"location":"Content/SBIE2310/","text":"SBIE2310 Message: SBIE2310 Name buffer is approaching overflow ( n ) Logged To: Popup Message Log . 
Explanation: This message identifies a problem condition in Sandboxie, which is the result of an internal error, or more commonly, an incompatibility with some third-party software has occurred Known Conflict This message is usually an indication of a conflict with PC-Tools Spyware Doctor V7 . See the Known Conflicts page.","title":"SBIE2310"},{"location":"Content/SBIE2310/#sbie2310","text":"Message: SBIE2310 Name buffer is approaching overflow ( n ) Logged To: Popup Message Log . Explanation: This message identifies a problem condition in Sandboxie, which is the result of an internal error, or more commonly, an incompatibility with some third-party software has occurred Known Conflict This message is usually an indication of a conflict with PC-Tools Spyware Doctor V7 . See the Known Conflicts page.","title":"SBIE2310"},{"location":"Content/SBIE2311/","text":"SBIE2311 Message: SBIE2311 Could not disable recycle bin (BitBucket): [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to disable the Recycle Bin for sandboxed programs. Instead, sandboxed programs should delete files and folders directly, without using the Recycle Bin. This message indicates the customization has failed due to an error.","title":"SBIE2311"},{"location":"Content/SBIE2311/#sbie2311","text":"Message: SBIE2311 Could not disable recycle bin (BitBucket): [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to disable the Recycle Bin for sandboxed programs. Instead, sandboxed programs should delete files and folders directly, without using the Recycle Bin. This message indicates the customization has failed due to an error.","title":"SBIE2311"},{"location":"Content/SBIE2312/","text":"SBIE2312 Message: SBIE2312 Could not enable BrowseNewProcess setting: [yy / ntstatus ] Logged To: Popup Message Log . 
Explanation: Sandboxie attempted to customize the sandbox in such a way as to prevent multiple instances of the Internet Explorer program from coalescing into a single instance. This message indicates the customization has failed due to an error.","title":"SBIE2312"},{"location":"Content/SBIE2312/#sbie2312","text":"Message: SBIE2312 Could not enable BrowseNewProcess setting: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to prevent multiple instances of the Internet Explorer program from coalescing into a single instance. This message indicates the customization has failed due to an error.","title":"SBIE2312"},{"location":"Content/SBIE2313/","text":"SBIE2313 Message: SBIE2313 Could not execute program.exe Logged To: Popup Message Log . Explanation: Sandboxie was not able to execute one of its own programs. Check access permissions to the Sandboxie installation folder and/or reinstall Sandboxie. Possible Causes Sandboxie was configured to block access to the folder containing its program files. See Sandbox Settings > Resource Access > File Access > Blocked Access . A third-party (HIPS) security software was configured to block the execution of the program mentioned in the message. Known Conflicts The message: SBIE2313 Could not execute SandboxieDcomLaunch.exe May be caused by the combination of Sandboxie and versions of PC Tools Firewall Plus prior to 5.0.0.38, if the Enhanced Security Verification (ESV) feature was enabled in the firewall software. To resolve this conflict, please upgrade to the version 5.0.0.38 or later of PC Tools Firewall Plus.","title":"SBIE2313"},{"location":"Content/SBIE2313/#sbie2313","text":"Message: SBIE2313 Could not execute program.exe Logged To: Popup Message Log . Explanation: Sandboxie was not able to execute one of its own programs. Check access permissions to the Sandboxie installation folder and/or reinstall Sandboxie. 
Possible Causes Sandboxie was configured to block access to the folder containing its program files. See Sandbox Settings > Resource Access > File Access > Blocked Access . A third-party (HIPS) security software was configured to block the execution of the program mentioned in the message. Known Conflicts The message: SBIE2313 Could not execute SandboxieDcomLaunch.exe May be caused by the combination of Sandboxie and versions of PC Tools Firewall Plus prior to 5.0.0.38, if the Enhanced Security Verification (ESV) feature was enabled in the firewall software. To resolve this conflict, please upgrade to the version 5.0.0.38 or later of PC Tools Firewall Plus.","title":"SBIE2313"},{"location":"Content/SBIE2314/","text":"SBIE2314 Message: SBIE2314 Canceling process program.exe Logged To: Popup Message Log . Explanation: An update to Windows may cause Sandboxie to issue this message on Windows 7. COM Servers In some specific cases, Sandboxie might need to launch an instance of Internet Explorer, Window Media Player or other media players, to receive the file name that should be opened in the sandbox, when the requester is outside the sandbox. For instance, when Window Media Player is forced to run in the sandbox, and a request is made through Windows Explorer (running outside the sandbox) to open a media file, then Sandboxie needs to launch an instance of Windows Media Player to receive the file name for the media file, so it can then open a properly sandboxed instance of Window Media Player and play the file. This message indicates that a program that was launched in this way to receive the file name experienced some error, and had to be closed. For Internet Explorer and Media Players: As of version 3.32 this message can only be issued for the Internet Explorer program, iexplore.exe , and only when Internet Explorer has been configured as a forced program . 
The message indicates that a special instance of a Internet Explorer, which has been started in order to accept an Internet address (a URL) from a program running outside the sandbox, has encountered an error. You should be able to work around this problem by invoking the Disable Forced Programs command and retrying the operation that opens an Internet address.","title":"SBIE2314"},{"location":"Content/SBIE2314/#sbie2314","text":"Message: SBIE2314 Canceling process program.exe Logged To: Popup Message Log . Explanation: An update to Windows may cause Sandboxie to issue this message on Windows 7. COM Servers In some specific cases, Sandboxie might need to launch an instance of Internet Explorer, Window Media Player or other media players, to receive the file name that should be opened in the sandbox, when the requester is outside the sandbox. For instance, when Window Media Player is forced to run in the sandbox, and a request is made through Windows Explorer (running outside the sandbox) to open a media file, then Sandboxie needs to launch an instance of Windows Media Player to receive the file name for the media file, so it can then open a properly sandboxed instance of Window Media Player and play the file. This message indicates that a program that was launched in this way to receive the file name experienced some error, and had to be closed. For Internet Explorer and Media Players: As of version 3.32 this message can only be issued for the Internet Explorer program, iexplore.exe , and only when Internet Explorer has been configured as a forced program . The message indicates that a special instance of a Internet Explorer, which has been started in order to accept an Internet address (a URL) from a program running outside the sandbox, has encountered an error. 
You should be able to work around this problem by invoking the Disable Forced Programs command and retrying the operation that opens an Internet address.","title":"SBIE2314"},{"location":"Content/SBIE2315/","text":"SBIE2315 Message: SBIE2315 Could not fix executable image Logged To: Popup Message Log . Explanation: As explained in message SBIE1214 , the Sandboxie driver injects the Sandboxie DLL component into a sandboxed program that was started in the sandbox. When the DLL component starts executing within the sandboxed program, it first needs to \"clean up\" the side-effects of the injection. This message indicates an error has occurred and the clean-up is not possible.","title":"SBIE2315"},{"location":"Content/SBIE2315/#sbie2315","text":"Message: SBIE2315 Could not fix executable image Logged To: Popup Message Log . Explanation: As explained in message SBIE1214 , the Sandboxie driver injects the Sandboxie DLL component into a sandboxed program that was started in the sandbox. When the DLL component starts executing within the sandboxed program, it first needs to \"clean up\" the side-effects of the injection. This message indicates an error has occurred and the clean-up is not possible.","title":"SBIE2315"},{"location":"Content/SBIE2316/","text":"SBIE2316 Message: SBIE2316 Memory corrupted Logged To: Popup Message Log . Explanation: The memory areas that Sandboxie maintains within the sandboxed programs have been corrupted. This could be due to an error in Sandboxie which causes it to corrupt its own memory, or due to an error in the sandboxed program which causes it to corrupt the memory areas that are owned by Sandboxie. The sandboxed program immediately aborts. Note that a sandboxed program cannot corrupt these memory areas in an attempt to circumvent Sandboxie. 
Sandboxie effects its restrictions through its driver component, which cannot be damaged or altered in any way by a sandboxed program.","title":"SBIE2316"},{"location":"Content/SBIE2316/#sbie2316","text":"Message: SBIE2316 Memory corrupted Logged To: Popup Message Log . Explanation: The memory areas that Sandboxie maintains within the sandboxed programs have been corrupted. This could be due to an error in Sandboxie which causes it to corrupt its own memory, or due to an error in the sandboxed program which causes it to corrupt the memory areas that are owned by Sandboxie. The sandboxed program immediately aborts. Note that a sandboxed program cannot corrupt these memory areas in an attempt to circumvent Sandboxie. Sandboxie effects its restrictions through its driver component, which cannot be damaged or altered in any way by a sandboxed program.","title":"SBIE2316"},{"location":"Content/SBIE2317/","text":"SBIE2317 Message: SBIE2317 Cannot initialize path list '%2' Logged To: Popup Message Log . Explanation: Whenever a program starts in the sandbox, Sandboxie applies configuration settings from the Sandboxie Ini file to that program. This error message indicates a problem has occurred while preparing the configuration settings for name . name can be OpenFilePath , OpenPipePath , ClosedFilePath , ReadFilePath , OpenKeyPath , ClosedKeyPath , ReadKeyPath , OpenIpcPath , ClosedIpcPath , or OpenWinClass . This message is similar to message SBIE1203 .","title":"SBIE2317"},{"location":"Content/SBIE2317/#sbie2317","text":"Message: SBIE2317 Cannot initialize path list '%2' Logged To: Popup Message Log . Explanation: Whenever a program starts in the sandbox, Sandboxie applies configuration settings from the Sandboxie Ini file to that program. This error message indicates a problem has occurred while preparing the configuration settings for name . 
name can be OpenFilePath , OpenPipePath , ClosedFilePath , ReadFilePath , OpenKeyPath , ClosedKeyPath , ReadKeyPath , OpenIpcPath , ClosedIpcPath , or OpenWinClass . This message is similar to message SBIE1203 .","title":"SBIE2317"},{"location":"Content/SBIE2318/","text":"SBIE2318 Message: SBIE2318 DLL initialization failed for library.dll Logged To: Popup Message Log . Explanation: The sandboxed program issued a request to load the system DLL named in the message. Some functionality in some system DLLs does not work \"out of the box\" when running sandboxed, due to the restrictions placed on the sandboxed program. In these cases, Sandboxie has to alter the DLL in order to assist it in accomplishing its tasks. The message indicates Sandboxie could not \"fix\" the system DLL.","title":"SBIE2318"},{"location":"Content/SBIE2318/#sbie2318","text":"Message: SBIE2318 DLL initialization failed for library.dll Logged To: Popup Message Log . Explanation: The sandboxed program issued a request to load the system DLL named in the message. Some functionality in some system DLLs does not work \"out of the box\" when running sandboxed, due to the restrictions placed on the sandboxed program. In these cases, Sandboxie has to alter the DLL in order to assist it in accomplishing its tasks. The message indicates Sandboxie could not \"fix\" the system DLL.","title":"SBIE2318"},{"location":"Content/SBIE2321/","text":"SBIE2321 Message: SBIE2321 Cannot manage device map: [ ntstatus / yy] Logged To: Popup Message Log . Explanation: The device map is the set of drive letters in the Windows sessions and their corresponding devices. Normally, a program (whether it is running sandboxed or not) automatically inherits the device map of the session in which it is running. However, in some cases, Sandboxie starts programs in a way that disassociates them from the device map. In these cases, Sandboxie also makes an attempt to restore the correct device map. 
This message indicates that the device map could not be applied to the sandboxed program because some error has occurred.","title":"SBIE2321"},{"location":"Content/SBIE2321/#sbie2321","text":"Message: SBIE2321 Cannot manage device map: [ ntstatus / yy] Logged To: Popup Message Log . Explanation: The device map is the set of drive letters in the Windows sessions and their corresponding devices. Normally, a program (whether it is running sandboxed or not) automatically inherits the device map of the session in which it is running. However, in some cases, Sandboxie starts programs in a way that disassociates them from the device map. In these cases, Sandboxie also makes an attempt to restore the correct device map. This message indicates that the device map could not be applied to the sandboxed program because some error has occurred.","title":"SBIE2321"},{"location":"Content/SBIE2322/","text":"SBIE2322 Message: SBIE2322 Cannot rewrite Sandboxie.ini: [yy / xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie was unable to rewrite the contents of the Sandboxie Ini configuration file. During its operation, Sandboxie Control occasionally has to update the contents of the configuration file to reflect changes to sandbox settings and other information. This error indicates that a problem has occurred while updating the configuration file.","title":"SBIE2322"},{"location":"Content/SBIE2322/#sbie2322","text":"Message: SBIE2322 Cannot rewrite Sandboxie.ini: [yy / xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie was unable to rewrite the contents of the Sandboxie Ini configuration file. During its operation, Sandboxie Control occasionally has to update the contents of the configuration file to reflect changes to sandbox settings and other information. 
This error indicates that a problem has occurred while updating the configuration file.","title":"SBIE2322"},{"location":"Content/SBIE2323/","text":"SBIE2323 Message: SBIE2323 Cryptography error: [yy / xxxxxxxx] Logged To: Popup Message Log . Explanation: Password protection is enabled for the Sandboxie Ini configuration file, and Sandboxie encountered some error when trying to apply the password to the file. For more information about protecting the configuration file, please see Configuration Protection .","title":"SBIE2323"},{"location":"Content/SBIE2323/#sbie2323","text":"Message: SBIE2323 Cryptography error: [yy / xxxxxxxx] Logged To: Popup Message Log . Explanation: Password protection is enabled for the Sandboxie Ini configuration file, and Sandboxie encountered some error when trying to apply the password to the file. For more information about protecting the configuration file, please see Configuration Protection .","title":"SBIE2323"},{"location":"Content/SBIE2326/","text":"SBIE2326 Message: SBIE2326 Cannot prepare registry: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: This message indicates than an error has occurred while customizing the registry in the sandbox. This customization creates and links together some registry keys in order to mimic the behavior of the real registry.","title":"SBIE2326"},{"location":"Content/SBIE2326/#sbie2326","text":"Message: SBIE2326 Cannot prepare registry: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: This message indicates than an error has occurred while customizing the registry in the sandbox. This customization creates and links together some registry keys in order to mimic the behavior of the real registry.","title":"SBIE2326"},{"location":"Content/SBIE2327/","text":"SBIE2327 Message: SBIE2327 Error in COM server: [yy / xxxx] Logged To: Popup Message Log . 
Explanation: In some specific cases, Sandboxie acts as a communication channel on behalf of a sandboxed program, and forwards specific requests to a COM object which is executing outside the sandbox. The communication channel is implemented as SbieSvc.exe programs which are started by the Sandboxie service component (which is also called SbieSvc.exe ). This message reports that an error has occurred in one of those SbieSvc.exe programs that serve as a communnication channel. This communication channel is used when a sandboxed program tries to contact a COM object using a CLSID identifier which matches the OpenClsid setting. Related Sandboxie Control setting: Sandbox Settings > Resource Access > COM Access Related Sandboxie Ini setting: OpenClsid .","title":"SBIE2327"},{"location":"Content/SBIE2327/#sbie2327","text":"Message: SBIE2327 Error in COM server: [yy / xxxx] Logged To: Popup Message Log . Explanation: In some specific cases, Sandboxie acts as a communication channel on behalf of a sandboxed program, and forwards specific requests to a COM object which is executing outside the sandbox. The communication channel is implemented as SbieSvc.exe programs which are started by the Sandboxie service component (which is also called SbieSvc.exe ). This message reports that an error has occurred in one of those SbieSvc.exe programs that serve as a communnication channel. This communication channel is used when a sandboxed program tries to contact a COM object using a CLSID identifier which matches the OpenClsid setting. Related Sandboxie Control setting: Sandbox Settings > Resource Access > COM Access Related Sandboxie Ini setting: OpenClsid .","title":"SBIE2327"},{"location":"Content/SBIE2331/","text":"SBIE2331 Message: SBIE2331 Service start failed: [yy / xxxx] text Logged To: Popup Message Log . Explanation: Sandboxie Control has detected that the Sandboxie service component (SbieSvc) is not running. 
Sandboxie Control then tried to start the service, but failed to do so. This message specifies the error code that prevents the service from starting. For example, if the detail is [22 / 5] Access is denied , it indicates that the service SbieSvc is not running, and that Sandboxie Control is running in a user account which does not have the authority to start the service.","title":"SBIE2331"},{"location":"Content/SBIE2331/#sbie2331","text":"Message: SBIE2331 Service start failed: [yy / xxxx] text Logged To: Popup Message Log . Explanation: Sandboxie Control has detected that the Sandboxie service component (SbieSvc) is not running. Sandboxie Control then tried to start the service, but failed to do so. This message specifies the error code that prevents the service from starting. For example, if the detail is [22 / 5] Access is denied , it indicates that the service SbieSvc is not running, and that Sandboxie Control is running in a user account which does not have the authority to start the service.","title":"SBIE2331"},{"location":"Content/SBIE2332/","text":"SBIE2332 Message: SBIE2332 Cannot access file SbiePst.dat Logged To: Popup Message Log . Explanation: The SbiePst.dat file is created in the sandbox and is used by Sandboxie to implement the Protected Storage facility. This error message indicates that Sandboxie experienced a problem either creating or accessing the SbiePst.dat file. For more information, please see Protected Storage .","title":"SBIE2332"},{"location":"Content/SBIE2332/#sbie2332","text":"Message: SBIE2332 Cannot access file SbiePst.dat Logged To: Popup Message Log . Explanation: The SbiePst.dat file is created in the sandbox and is used by Sandboxie to implement the Protected Storage facility. This error message indicates that Sandboxie experienced a problem either creating or accessing the SbiePst.dat file. 
For more information, please see Protected Storage .","title":"SBIE2332"},{"location":"Content/SBIE2334/","text":"SBIE2334 Message: SBIE2334 Cannot load DLL file: dllname.dll Logged To: Popup Message Log . Explanation: When trying to initialize a new process in the sandbox, Sandboxie was unable to load or initialize one of the DLLs used by the main EXE file.","title":"SBIE2334"},{"location":"Content/SBIE2334/#sbie2334","text":"Message: SBIE2334 Cannot load DLL file: dllname.dll Logged To: Popup Message Log . Explanation: When trying to initialize a new process in the sandbox, Sandboxie was unable to load or initialize one of the DLLs used by the main EXE file.","title":"SBIE2334"},{"location":"Content/SBIE3207/","text":"SBIE3207 Message: SBIE3207 Cannot find the Internet Explorer executable Logged To: Popup Message Log . Explanation: The Sandboxie Start.exe program attempts to identify the location for Internet Explorer executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\Applications\\iexplore.exe Typically, the information is contained in the default value of this registry key: HKEY_CLASSES_ROOT\\Applications\\iexplore.exe\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: Consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to Internet Explorer.","title":"SBIE3207"},{"location":"Content/SBIE3207/#sbie3207","text":"Message: SBIE3207 Cannot find the Internet Explorer executable Logged To: Popup Message Log . 
Explanation: The Sandboxie Start.exe program attempts to identify the location for Internet Explorer executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\Applications\\iexplore.exe Typically, the information is contained in the default value of this registry key: HKEY_CLASSES_ROOT\\Applications\\iexplore.exe\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: Consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to Internet Explorer.","title":"SBIE3207"},{"location":"Content/SBIE3208/","text":"SBIE3208 Message: SBIE3208 Cannot find the executable for the default Web browser Logged To: Popup Message Log . Explanation: The Sandboxie Start.exe program attempts to identify the location for the Web browser executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\.html Typically, that registry key points to further information to be found in the following registry key: HKEY_CLASSES_ROOT\\htmlfile And the actual information comes from either of these registry keys: HKEY_CLASSES_ROOT\\htmlfile\\shell\\opennew\\command HKEY_CLASSES_ROOT\\htmlfile\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: It may be possible to fix this problem by forcing your web browser to reset itself as the default web browser for the system. Different browsers provide this feature in different ways, so please consult the documentation for your particular web browser. 
Alternatively, consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to the web browser program.","title":"SBIE3208"},{"location":"Content/SBIE3208/#sbie3208","text":"Message: SBIE3208 Cannot find the executable for the default Web browser Logged To: Popup Message Log . Explanation: The Sandboxie Start.exe program attempts to identify the location for the Web browser executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\.html Typically, that registry key points to further information to be found in the following registry key: HKEY_CLASSES_ROOT\\htmlfile And the actual information comes from either of these registry keys: HKEY_CLASSES_ROOT\\htmlfile\\shell\\opennew\\command HKEY_CLASSES_ROOT\\htmlfile\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: It may be possible to fix this problem by forcing your web browser to reset itself as the default web browser for the system. Different browsers provide this feature in different ways, so please consult the documentation for your particular web browser. Alternatively, consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to the web browser program.","title":"SBIE3208"},{"location":"Content/SBIE3209/","text":"SBIE3209 Message: SBIE3209 Cannot find the executable for the default mail agent Logged To: Popup Message Log . 
Explanation: The Sandboxie Start.exe program attempts to identify the location for the Web browser executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\mailto And the actual information comes from either of these registry keys: HKEY_CLASSES_ROOT\\mailto\\shell\\opennew\\command HKEY_CLASSES_ROOT\\mailto\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: It may be possible to fix this problem by forcing your mail program to reset itself as the default mail program for the system. Different programs provide this feature in different ways, so please consult the documentation for your particular mail program. Alternatively, consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to the web browser program.","title":"SBIE3209"},{"location":"Content/SBIE3209/#sbie3209","text":"Message: SBIE3209 Cannot find the executable for the default mail agent Logged To: Popup Message Log . Explanation: The Sandboxie Start.exe program attempts to identify the location for the Web browser executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\mailto And the actual information comes from either of these registry keys: HKEY_CLASSES_ROOT\\mailto\\shell\\opennew\\command HKEY_CLASSES_ROOT\\mailto\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: It may be possible to fix this problem by forcing your mail program to reset itself as the default mail program for the system. Different programs provide this feature in different ways, so please consult the documentation for your particular mail program. 
Alternatively, consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to the web browser program.","title":"SBIE3209"},{"location":"Content/SBIE9101/","text":"SBIE9101 Message: SBIE9101 Insufficient system resources Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) was not able to complete some operation. The cause of the failure is insufficient system resources, typically memory.","title":"SBIE9101"},{"location":"Content/SBIE9101/#sbie9101","text":"Message: SBIE9101 Insufficient system resources Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) was not able to complete some operation. The cause of the failure is insufficient system resources, typically memory.","title":"SBIE9101"},{"location":"Content/SBIE9153/","text":"SBIE9153 Message: SBIE9153 Cannot start driver (SbieDrv) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) was not able to start the driver component of Sandboxie (SbieDrv). The message does not specify the cause of the error, because that information is not known. Some possible causes for the error: The driver component SbieDrv is not installed correctly. Try to re-install Sandboxie over itself (an update/upgrade installation). If that does not resolve the problem, try to uninstall Sandboxie and re-install a fresh copy. The driver is blocked by Windows. Examine the System Event Log for any related messages from Windows. The driver is blocked by third-party security software. Consult the documentation for your third-party security software.","title":"SBIE9153"},{"location":"Content/SBIE9153/#sbie9153","text":"Message: SBIE9153 Cannot start driver (SbieDrv) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) was not able to start the driver component of Sandboxie (SbieDrv). 
The message does not specify the cause of the error, because that information is not known. Some possible causes for the error: The driver component SbieDrv is not installed correctly. Try to re-install Sandboxie over itself (an update/upgrade installation). If that does not resolve the problem, try to uninstall Sandboxie and re-install a fresh copy. The driver is blocked by Windows. Examine the System Event Log for any related messages from Windows. The driver is blocked by third-party security software. Consult the documentation for your third-party security software.","title":"SBIE9153"},{"location":"Content/SBIE9154/","text":"SBIE9154 Message: SBIE9154 Driver (SbieDrv) and service (SbieSvc) have different version numbers Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has a different version number than the driver component (SbieDrv). To resolve this problem, try to re-install Sandboxie over itself (an update/upgrade installation). If that does not resolve the problem, try to uninstall Sandboxie and re-install a fresh copy.","title":"SBIE9154"},{"location":"Content/SBIE9154/#sbie9154","text":"Message: SBIE9154 Driver (SbieDrv) and service (SbieSvc) have different version numbers Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has a different version number than the driver component (SbieDrv). To resolve this problem, try to re-install Sandboxie over itself (an update/upgrade installation). If that does not resolve the problem, try to uninstall Sandboxie and re-install a fresh copy.","title":"SBIE9154"},{"location":"Content/SBIE9156/","text":"SBIE9156 Message: SBIE9156 Driver initialization not completed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has detected that the driver component (SbieDrv) failed to start. 
Search the System Event Log for any SBIExxxx messages in order to determine the cause of the failure in the driver.","title":"SBIE9156"},{"location":"Content/SBIE9156/#sbie9156","text":"Message: SBIE9156 Driver initialization not completed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has detected that the driver component (SbieDrv) failed to start. Search the System Event Log for any SBIExxxx messages in order to determine the cause of the failure in the driver.","title":"SBIE9156"},{"location":"Content/SBIE9201/","text":"SBIE9201 Message: SBIE9201 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9201"},{"location":"Content/SBIE9201/#sbie9201","text":"Message: SBIE9201 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9201"},{"location":"Content/SBIE9202/","text":"SBIE9202 Message: SBIE9202 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9202"},{"location":"Content/SBIE9202/#sbie9202","text":"Message: SBIE9202 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9202"},{"location":"Content/SBIE9203/","text":"SBIE9203 Message: SBIE9203 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. 
No further information is available.","title":"SBIE9203"},{"location":"Content/SBIE9203/#sbie9203","text":"Message: SBIE9203 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9203"},{"location":"Content/SBIE9204/","text":"SBIE9204 Message: SBIE9204 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9204"},{"location":"Content/SBIE9204/#sbie9204","text":"Message: SBIE9204 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9204"},{"location":"Content/SBIE9205/","text":"SBIE9205 Message: SBIE9205 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9205"},{"location":"Content/SBIE9205/#sbie9205","text":"Message: SBIE9205 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9205"},{"location":"Content/SBIE9206/","text":"SBIE9206 Message: SBIE9206 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9206"},{"location":"Content/SBIE9206/#sbie9206","text":"Message: SBIE9206 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. 
No further information is available.","title":"SBIE9206"},{"location":"Content/SBIE9207/","text":"SBIE9207 Message: SBIE9207 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9207"},{"location":"Content/SBIE9207/#sbie9207","text":"Message: SBIE9207 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9207"},{"location":"Content/SBIE9208/","text":"SBIE9208 Message: SBIE9208 Cannot enable SeRestorePrivilege Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9208"},{"location":"Content/SBIE9208/#sbie9208","text":"Message: SBIE9208 Cannot enable SeRestorePrivilege Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. 
No further information is available.","title":"SBIE9208"},{"location":"Content/SBIE9251/","text":"SBIE9251 Message: SBIE9251 Port event creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9251"},{"location":"Content/SBIE9251/#sbie9251","text":"Message: SBIE9251 Port event creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9251"},{"location":"Content/SBIE9252/","text":"SBIE9252 Message: SBIE9252 Port creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9252"},{"location":"Content/SBIE9252/#sbie9252","text":"Message: SBIE9252 Port creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9252"},{"location":"Content/SBIE9253/","text":"SBIE9253 Message: SBIE9253 Port thread creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9253"},{"location":"Content/SBIE9253/#sbie9253","text":"Message: SBIE9253 Port thread creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9253"},{"location":"Content/SBIE9302/","text":"SBIE9302 Message: SBIE9302 Section creation failed (device setup classes) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to 
inter-process shared memory sections. This message typically occurs when the Sandboxie service is restarted while one or more programs are running sandboxed. This message is followed by message SBIE9305 .","title":"SBIE9302"},{"location":"Content/SBIE9302/#sbie9302","text":"Message: SBIE9302 Section creation failed (device setup classes) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. This message typically occurs when the Sandboxie service is restarted while one or more programs are running sandboxed. This message is followed by message SBIE9305 .","title":"SBIE9302"},{"location":"Content/SBIE9304/","text":"SBIE9304 Message: SBIE9304 Section creation failed (device id list) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. This message typically occurs when the Sandboxie service is restarted while one or more programs are running sandboxed. This message is followed by message SBIE9305 .","title":"SBIE9304"},{"location":"Content/SBIE9304/#sbie9304","text":"Message: SBIE9304 Section creation failed (device id list) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. This message typically occurs when the Sandboxie service is restarted while one or more programs are running sandboxed. This message is followed by message SBIE9305 .","title":"SBIE9304"},{"location":"Content/SBIE9305/","text":"SBIE9305 Message: SBIE9305 Terminate sandboxed programs, if any are running Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. 
The message follows messages SBIE9302 and SBIE9304 and indicates an error condition that typically occurs when the Sandboxie service is restarted while one or more program is running sandboxed.","title":"SBIE9305"},{"location":"Content/SBIE9305/#sbie9305","text":"Message: SBIE9305 Terminate sandboxed programs, if any are running Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. The message follows messages SBIE9302 and SBIE9304 and indicates an error condition that typically occurs when the Sandboxie service is restarted while one or more program is running sandboxed.","title":"SBIE9305"},{"location":"Content/SBIEDLLAPI/","text":"SBIE DLL API This page describes the callable entrypoints in the SbieDll.dll dynamically-linked library (DLL). These entrypoints expose some functionality of Sandboxie that can be accessed programmatically, that is, through other programs rather than through a person interacting with Sandboxie. There are three aspects to using Sandboxie programmatically: Driving some functionality using the Start.exe program. See Start Command Line . Injecting custom DLLs into sandboxed programs. See InjectDll . Calling Sandboxie entrypoints from programs running (sandboxed or not). Described here. The entrypoints described here are all exported by SbieDll.dll . To access an entrypoint, you should dynamically load this DLL into your program, and get the address of the desired entrypoint. 
For example, __declspec(dllexport) void __stdcall InjectDllMain(HINSTANCE hSbieDll, ULONG_PTR UnusedParameter) { // // locate the address of SbieDll_Hook in SbieDll.dll // typedef void *(__stdcall *P_SbieDll_Hook)( const char *ApiName, void *ApiFunc, void *NewFunc); P_SbieDll_Hook p_SbieDll_Hook = GetProcAddress(hSbieDll, \"SbieDll_Hook\"); // // invoke SbieDll_Hook through the function pointer // p_SbieDll_Hook(...); } Note the use of InjectDllMain (see Inject Dll ) to get a handle to the loaded instance of SbieDll. That is the recommended approach. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine. Enumerate Sandbox Names Prototype: typedef LONG (__stdcall *P_SbieApi_EnumBoxes)( LONG index, // initialize to -1 WCHAR *box_name); // pointer to WCHAR [34] Export Name: SbieApi_EnumBoxes Parameters: index [in] specifies which sandbox to return. Initialize to -1. Sandboxes are enumerated in the order they appear in Sandboxie.ini. box_name [out] receives the sandbox name. Note: this function cannot be used by a sandboxed program. Return Value: Returns the next value to use for the index parameter. Returns -1 when there is nothing left to enumerate. Sample Code: WCHAR name[34]; int index = -1; while (1) { index = SbieApi_EnumBoxes(index, name); if (index == -1) break; SandboxNames_StringArray.add(name); } Query Sandbox Paths by Sandbox Name Prototype: typedef LONG (__stdcall *P_SbieApi_QueryBoxPath)( const WCHAR *box_name, // pointer to WCHAR [34] WCHAR *file_path, WCHAR *key_path, WCHAR *ipc_path, ULONG *file_path_len, ULONG *key_path_len, ULONG *ipc_path_len); Export Name: SbieApi_QueryBoxPath Parameters: box_name [in] specifies the name of the sandbox for which to return path information. file_path [out] receives the path to the root directory of the sandbox, as set by the FileRootPath setting. The buffer receives at most the number of bytes specified by the file_path_len parameter. Pass NULL to ignore this parameter. 
key_path [out] receives the path to the root key of the sandbox registry, as set by the KeyRootPath setting. The buffer receives at most the number of bytes specified by the key_path_len parameter. Pass NULL to ignore this parameter. ipc_path [out] receives the path to the root object directory of the sandbox, as set by the IpcRootPath setting. The buffer receives at most the number of bytes specified by the ipc_path_len parameter. Pass NULL to ignore this parameter. file_path_len [in/out] specifies the length in bytes of the file_path buffer. On return, receives the length in bytes needed to receive a complete buffer. key_path_len [in/out] specifies the length in bytes of the key_path buffer. On return, receives the length in bytes needed to receive a complete buffer. ipc_path_len [in/out] specifies the length in bytes of the ipc_path buffer. On return, receives the length in bytes needed to receive a complete buffer. Return Value: Returns zero on success, a non-zero value on error. Sample Code: ULONG FileLen = 0; ULONG KeyLen = 0; ULONG IpcLen = 0; SbieApi_QueryBoxPath( NULL, NULL, NULL, NULL, &FileLen, &KeyLen, &IpcLen); // note that lengths are returned as the number of bytes, // rather than number of WCHAR characters WCHAR *FileBuf = malloc(FileLen); WCHAR *KeyBuf = malloc(KeyLen); WCHAR *IpcBuf = malloc(IpcLen); SbieApi_QueryBoxPath( FileBuf, KeyBuf, IpcBuf, &FileLen, &KeyLen, &IpcLen); // now use wcslen to count the number of characters FileLen = wcslen(FileBuf); KeyLen = wcslen(KeyBuf); IpcLen = wcslen(IpcBuf); Query Sandbox Paths by Process ID Prototype: typedef LONG (__stdcall *P_SbieApi_QueryProcessPath)( HANDLE process_id, WCHAR *file_path, WCHAR *key_path, WCHAR *ipc_path, ULONG *file_path_len, ULONG *key_path_len, ULONG *ipc_path_len); Export Name: SbieApi_QueryProcessPath Parameters: process_id [in] specifies the ID of the sandboxed process to query. 
file_path [out] key_path [out] ipc_path [out] file_path_len [in/out] key_path_len [in/out] ipc_path_len [in/out] The last six parameters are similar to the last six parameters for the QueryBoxPath function, discussed above. However, QueryProcessPath (this function) returns the sandbox paths that are in use by a running program, whereas QueryBoxPath returns the paths as they are recorded in the Sandboxie configuration. Or put another way: Suppose a sandboxed program starts with PID 124, and then some sandbox path (for instance FileRootPath) is set to a new value. At this point, QueryBoxPath will return the new value, but QueryProcessPath for PID 124 will return the old value. Return Value: Returns zero on success, a non-zero value on error. Enumerate Running Processes Prototype: typedef LONG (__stdcall *P_SbieApi_EnumProcessEx)( const WCHAR *box_name, // pointer to WCHAR [34] BOOLEAN all_sessions, ULONG which_session, ULONG *boxed_pids, // pointer to ULONG [] ULONG *boxed_count); Export Name: SbieApi_EnumProcessEx Parameters: box_name [in] specifies the name of the sandbox in which processes will be enumerated. all_sessions [in] specifies TRUE to enumerate processes in all logon sessions or only in a particular logon session which_session [in] specifies the logon session number in which processes will be enumerated. Ignored if all_sessions if TRUE. Pass the value -1 to specify the current logon session. boxed_pids [out] receives the process ID (PID) numbers. The first ULONG receives the number of processes enumerated. The second ULONG receives the first PID, the third ULONG receives the second PID, and so on. Return Value: Returns zero on success, a non-zero value on error. 
Query Process Information Prototype: typedef LONG (__stdcall *P_SbieApi_QueryProcess)( HANDLE process_id, WCHAR *box_name, // pointer to WCHAR [34] WCHAR *image_name, // pointer to WCHAR [96] WCHAR *sid_string, // pointer to WCHAR [96] ULONG *session_id); Export Name: SbieApi_QueryProcess Parameters: process_id [in] specifies the ID of the sandboxed process to query. box_name [out] receives the name of the sandbox in which the process is running. Pass NULL to ignore this parameter. image_name [out] receives the process name. Pass NULL to ignore this parameter. sid_string [out] receives the SID string for the process. Pass NULL to ignore this parameter. session_id [out] receives the logon session number in which the process is running. Pass NULL to ignore this parameter. Return Value: Returns zero on success, a non-zero value on error. Terminate a Single Sandboxed Process Prototype: typedef BOOLEAN (__stdcall *P_SbieDll_KillOne)( HANDLE process_id); Export Name: SbieDll_KillOne Parameters: process_id [in] specifies the process ID for the sandboxed process that should be terminated. Return Value: Returns TRUE on success, FALSE on failure. The target process is terminated by the Sandboxie service (SbieSvc) with exit code 1 through a call to the Windows API TerminateProcess (ProcessId, 1). Terminate All Sandboxed Processes Prototype: typedef BOOLEAN (__stdcall *P_SbieDll_KillAll)( ULONG session_id, const WCHAR *box_name); Export Name: SbieDll_KillAll Parameters: session_id [in] specifies the logon session number in which sandboxed programs should be terminated. box_name [in] specifies the sandbox name in which sandboxed programs should be terminated. Specify -1 to indicate the current logon session. Return Value: Returns TRUE on success, FALSE on failure. The target processes are terminated in the fashion described above; see SbieDll_KillOne. 
Query Configuration from Sandboxie.ini Prototype: typedef LONG (__stdcall *P_SbieApi_QueryConf)( const WCHAR *section_name, // pointer to WCHAR [34] const WCHAR *setting_name, // pointer to WCHAR [66] ULONG setting_index, WCHAR *value, ULONG value_len) Export Name: SbieApi_QueryConf Parameters: section_name [in] specifies the section name that contains the setting to query. setting_name [in] specifies the setting name to query. setting_index [in] specifies the zero-based index number for a setting that may appear multiple times. The index number can be logically OR'ed with these special values: 0x40000000 - do not scan the [GlobalSettings] section if the specified setting name does appear in the specified section. 0x20000000 - do not expand any variables in the result. 0x10000000 - ignore any settings that originate from a template (typically defined in the Templates.ini file). only query those settings that appear explicitly in the Sandboxie.ini file. value [out] receives the value of the specified setting. value_len [in] specifies the maximum length in bytes of the buffer pointed to by the value parameter. Return Value: Returns zero on success. Returns 0xC000008B if the setting was not found. Any other return value indicates some other error. 
Update Configuration in Sandboxie.ini Prototype: typedef LONG (__stdcall *P_SbieDll_UpdateConf)( WCHAR operation_code, const WCHAR *password, // limited to 64 chars const WCHAR *section_name, // limited to 32 chars const WCHAR *setting_name, // limited to 64 chars const WCHAR *value) // limited to 2000 chars Export Name: SbieDll_UpdateConf Parameters: operation_code [in] specifies how to update the request setting: 's' to set (overwrite), replacing any existing values 'a' to append the new value at the bottom of a list of values (or simply set the new value if there isn't one already) 'i' to insert the new value at the top of a list of values (or simply set the new value if there isn't one already) 'd' to delete an existing value in a list of values password [in] specifies the password to use if one is required, or NULL or an empty string otherwise. section_name [in] is a required parameter which specifies the section name that contains the setting to set. setting_name [in] is a required parameter which specifies the setting name to set. value [ini] is an optional parameter specifies the new value. If operation_code is 's' and value is omitted, the corresponding setting in the specified section will be deleted. If operation_code is 's' and setting_name is \"*\" (wildcard star) and value is omitted, this function deletes a complete section from the configuration file. Return Value: Returns zero on success. Reload Configuration from Sandboxie.ini Prototype: typedef LONG (__stdcall *P_SbieApi_ReloadConf)( ULONG session_id); Export Name: SbieApi_ReloadConf Parameters: session_id [in] specifies the logon session number to which Sandboxie will log any error messages. Pass -1 for the current logon session. Return Value: Returns zero on success, a non-zero value on error. 
Hook a User-Mode Entrypoint Prototype: typedef void *(__stdcall *P_SbieDll_Hook)( const char *name, void *source_func, void *detour_func); Export Name: SbieDll_Hook Parameters: name [in] specifies an ASCII-string naming the entrypoint to be hooked. In case of error, SbieDll_Hook logs a Sandboxie error message which includes this descriptive name. source_func [in] pointer to the function to hook. detour_func [in] pointer to the hook code. This function will cause the source function to invoke the detour function. In other words, the detour function will intercept all calls to the source function. Return Value: Returns a function pointer which can be used by the detour function to invoke the source function. Sample Code: typedef BOOL (__stdcall *P_DeleteFileW)(const WCHAR *Path); P_DeleteFileW pDeleteFileW = NULL; BOOL __stdcall MyDeleteFileW(const WCHAR *Path) { if (Path[0] == L'C') { // silently ignore requests to delete any file on drive C SetLastError(0); return TRUE; } else { // otherwise invoke the original DeleteFileW function return pDeleteFileW(Path); } } main() { pDeleteFileW = GetProcAddress(kernel32dll, \"DeleteFileW\"); pDeleteFileW = SbieDll_Hook(\"DeleteFile\", pDeleteFileW, MyDeleteFileW); } Register for DLL Load/Unload Callbacks Prototype: typedef void (__stdcall *P_DllCallback)(const WCHAR *ImageName, HMODULE ImageBase); typedef BOOLEAN *(__stdcall *P_SbieDll_RegisterDllCallback)( P_DllCallback pCallback); Export Name: SbieDll_RegisterDllCallback This API is available starting with version 3.46 of Sandboxie. Parameters: pCallback specifies a callback function to be invoked whenever any DLL is loaded or unloaded in the process. The callback function cannot be unregistered. The ImageName (first) parameter to the callback function specifies the UNICODE name string for the DLL that was loaded or unloaded. The name string does not include a path. 
The ImageBase (second) parameter to the callback function specifies the load base address for the DLL, when the callback function is invoked to notify of a DLL load. When the callback function is invoked to notify of a DLL unload, this parameter is set to zero. Return Value: Returns TRUE on success, FALSE if the callback cannot be registered. As of version 3.46, Sandboxie supports up to 8 registrations within a single process. Get Sandboxie Home Folder Prototype: typedef LONG *(__stdcall *P_SbieApi_GetHomePath)( WCHAR *NtPath, ULONG NtPathMaxLen, WCHAR *DosPath, ULONG DosPathMaxLen); Export Name: SbieApi_GetHomePath This API is available starting with version 3.52 of Sandboxie. Parameters: NtPath specifies a pointer to a buffer which will receive the full path of the Sandboxie installation folder in NT-path syntax. NtPathMaxLen specifies the size of the NtPath buffer. Specify NULL for NtPath and zero for NtPathMaxLen to not receive the NT path. DosPath specifies a pointer to a buffer which will receive the full path of the Sandboxie installation folder in DOS-path syntax. DosPathMaxLen specifies the size of the DosPath buffer. Specify NULL for DosPath and zero for DosPathMaxLen to not receive the NT path. Return Value: Returns zero on success, a non-zero value on error. STATUS_BUFFER_TOO_SMALL (0xC0000023) indicates either NtPathMaxLen or DosPathMaxLen specifies a buffer that is too small. Increase the size of the input buffer and retry the call.","title":"SBIE DLL API"},{"location":"Content/SBIEDLLAPI/#sbie-dll-api","text":"This page describes the callable entrypoints in the SbieDll.dll dynamically-linked library (DLL). These entrypoints expose some functionality of Sandboxie that can be accessed programmatically, that is, through other programs rather than through a person interacting with Sandboxie. There are three aspects to using Sandboxie programmatically: Driving some functionality using the Start.exe program. See Start Command Line . 
Injecting custom DLLs into sandboxed programs. See InjectDll . Calling Sandboxie entrypoints from programs running (sandboxed or not). Described here. The entrypoints described here are all exported by SbieDll.dll . To access an entrypoint, you should dynamically load this DLL into your program, and get the address of the desired entrypoint. For example, __declspec(dllexport) void __stdcall InjectDllMain(HINSTANCE hSbieDll, ULONG_PTR UnusedParameter) { // // locate the address of SbieDll_Hook in SbieDll.dll // typedef void *(__stdcall *P_SbieDll_Hook)( const char *ApiName, void *ApiFunc, void *NewFunc); P_SbieDll_Hook p_SbieDll_Hook = GetProcAddress(hSbieDll, \"SbieDll_Hook\"); // // invoke SbieDll_Hook through the function pointer // p_SbieDll_Hook(...); } Note the use of InjectDllMain (see Inject Dll ) to get a handle to the loaded instance of SbieDll. That is the recommended approach. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine.","title":"SBIE DLL API"},{"location":"Content/SBIEDLLAPI/#enumerate-sandbox-names","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_EnumBoxes)( LONG index, // initialize to -1 WCHAR *box_name); // pointer to WCHAR [34] Export Name: SbieApi_EnumBoxes Parameters: index [in] specifies which sandbox to return. Initialize to -1. Sandboxes are enumerated in the order they appear in Sandboxie.ini. box_name [out] receives the sandbox name. Note: this function cannot be used by a sandboxed program. Return Value: Returns the next value to use for the index parameter. Returns -1 when there is nothing left to enumerate. 
Sample Code: WCHAR name[34]; int index = -1; while (1) { index = SbieApi_EnumBoxes(index, name); if (index == -1) break; SandboxNames_StringArray.add(name); }","title":"Enumerate Sandbox Names"},{"location":"Content/SBIEDLLAPI/#query-sandbox-paths-by-sandbox-name","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_QueryBoxPath)( const WCHAR *box_name, // pointer to WCHAR [34] WCHAR *file_path, WCHAR *key_path, WCHAR *ipc_path, ULONG *file_path_len, ULONG *key_path_len, ULONG *ipc_path_len); Export Name: SbieApi_QueryBoxPath Parameters: box_name [in] specifies the name of the sandbox for which to return path information. file_path [out] receives the path to the root directory of the sandbox, as set by the FileRootPath setting. The buffer receives at most the number of bytes specified by the file_path_len parameter. Pass NULL to ignore this parameter. key_path [out] receives the path to the root key of the sandbox registry, as set by the KeyRootPath setting. The buffer receives at most the number of bytes specified by the key_path_len parameter. Pass NULL to ignore this parameter. ipc_path [out] receives the path to the root object directory of the sandbox, as set by the IpcRootPath setting. The buffer receives at most the number of bytes specified by the ipc_path_len parameter. Pass NULL to ignore this parameter. file_path_len [in/out] specifies the length in bytes of the file_path buffer. On return, receives the length in bytes needed to receive a complete buffer. key_path_len [in/out] specifies the length in bytes of the key_path buffer. On return, receives the length in bytes needed to receive a complete buffer. ipc_path_len [in/out] specifies the length in bytes of the ipc_path buffer. On return, receives the length in bytes needed to receive a complete buffer. Return Value: Returns zero on success, a non-zero value on error. 
Sample Code: ULONG FileLen = 0; ULONG KeyLen = 0; ULONG IpcLen = 0; SbieApi_QueryBoxPath( NULL, NULL, NULL, NULL, &FileLen, &KeyLen, &IpcLen); // note that lengths are returned as the number of bytes, // rather than number of WCHAR characters WCHAR *FileBuf = malloc(FileLen); WCHAR *KeyBuf = malloc(KeyLen); WCHAR *IpcBuf = malloc(IpcLen); SbieApi_QueryBoxPath( FileBuf, KeyBuf, IpcBuf, &FileLen, &KeyLen, &IpcLen); // now use wcslen to count the number of characters FileLen = wcslen(FileBuf); KeyLen = wcslen(KeyBuf); IpcLen = wcslen(IpcBuf);","title":"Query Sandbox Paths by Sandbox Name"},{"location":"Content/SBIEDLLAPI/#query-sandbox-paths-by-process-id","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_QueryProcessPath)( HANDLE process_id, WCHAR *file_path, WCHAR *key_path, WCHAR *ipc_path, ULONG *file_path_len, ULONG *key_path_len, ULONG *ipc_path_len); Export Name: SbieApi_QueryProcessPath Parameters: process_id [in] specifies the ID of the sandboxed process to query. file_path [out] key_path [out] ipc_path [out] file_path_len [in/out] key_path_len [in/out] ipc_path_len [in/out] The last six parameters are similar to the last six parameters for the QueryBoxPath function, discussed above. However, QueryProcessPath (this function) returns the sandbox paths that are in use by a running program, whereas QueryBoxPath returns the paths as they are recorded in the Sandboxie configuration. Or put another way: Suppose a sandboxed program starts with PID 124, and then some sandbox path (for instance FileRootPath) is set to a new value. At this point, QueryBoxPath will return the new value, but QueryProcessPath for PID 124 will return the old value. 
Return Value: Returns zero on success, a non-zero value on error.","title":"Query Sandbox Paths by Process ID"},{"location":"Content/SBIEDLLAPI/#enumerate-running-processes","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_EnumProcessEx)( const WCHAR *box_name, // pointer to WCHAR [34] BOOLEAN all_sessions, ULONG which_session, ULONG *boxed_pids, // pointer to ULONG [] ULONG *boxed_count); Export Name: SbieApi_EnumProcessEx Parameters: box_name [in] specifies the name of the sandbox in which processes will be enumerated. all_sessions [in] specifies TRUE to enumerate processes in all logon sessions or only in a particular logon session which_session [in] specifies the logon session number in which processes will be enumerated. Ignored if all_sessions if TRUE. Pass the value -1 to specify the current logon session. boxed_pids [out] receives the process ID (PID) numbers. The first ULONG receives the number of processes enumerated. The second ULONG receives the first PID, the third ULONG receives the second PID, and so on. Return Value: Returns zero on success, a non-zero value on error.","title":"Enumerate Running Processes"},{"location":"Content/SBIEDLLAPI/#query-process-information","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_QueryProcess)( HANDLE process_id, WCHAR *box_name, // pointer to WCHAR [34] WCHAR *image_name, // pointer to WCHAR [96] WCHAR *sid_string, // pointer to WCHAR [96] ULONG *session_id); Export Name: SbieApi_QueryProcess Parameters: process_id [in] specifies the ID of the sandboxed process to query. box_name [out] receives the name of the sandbox in which the process is running. Pass NULL to ignore this parameter. image_name [out] receives the process name. Pass NULL to ignore this parameter. sid_string [out] receives the SID string for the process. Pass NULL to ignore this parameter. session_id [out] receives the logon session number in which the process is running. Pass NULL to ignore this parameter. 
Return Value: Returns zero on success, a non-zero value on error.","title":"Query Process Information"},{"location":"Content/SBIEDLLAPI/#terminate-a-single-sandboxed-process","text":"Prototype: typedef BOOLEAN (__stdcall *P_SbieDll_KillOne)( HANDLE process_id); Export Name: SbieDll_KillOne Parameters: process_id [in] specifies the process ID for the sandboxed process that should be terminated. Return Value: Returns TRUE on success, FALSE on failure. The target process is terminated by the Sandboxie service (SbieSvc) with exit code 1 through a call to the Windows API TerminateProcess (ProcessId, 1).","title":"Terminate a Single Sandboxed Process"},{"location":"Content/SBIEDLLAPI/#terminate-all-sandboxed-processes","text":"Prototype: typedef BOOLEAN (__stdcall *P_SbieDll_KillAll)( ULONG session_id, const WCHAR *box_name); Export Name: SbieDll_KillAll Parameters: session_id [in] specifies the logon session number in which sandboxed programs should be terminated. box_name [in] specifies the sandbox name in which sandboxed programs should be terminated. Specify -1 to indicate the current logon session. Return Value: Returns TRUE on success, FALSE on failure. The target processes are terminated in the fashion described above; see SbieDll_KillOne.","title":"Terminate All Sandboxed Processes"},{"location":"Content/SBIEDLLAPI/#query-configuration-from-sandboxieini","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_QueryConf)( const WCHAR *section_name, // pointer to WCHAR [34] const WCHAR *setting_name, // pointer to WCHAR [66] ULONG setting_index, WCHAR *value, ULONG value_len) Export Name: SbieApi_QueryConf Parameters: section_name [in] specifies the section name that contains the setting to query. setting_name [in] specifies the setting name to query. setting_index [in] specifies the zero-based index number for a setting that may appear multiple times. 
The index number can be logically OR'ed with these special values: 0x40000000 - do not scan the [GlobalSettings] section if the specified setting name does appear in the specified section. 0x20000000 - do not expand any variables in the result. 0x10000000 - ignore any settings that originate from a template (typically defined in the Templates.ini file). only query those settings that appear explicitly in the Sandboxie.ini file. value [out] receives the value of the specified setting. value_len [in] specifies the maximum length in bytes of the buffer pointed to by the value parameter. Return Value: Returns zero on success. Returns 0xC000008B if the setting was not found. Any other return value indicates some other error.","title":"Query Configuration from Sandboxie.ini"},{"location":"Content/SBIEDLLAPI/#update-configuration-in-sandboxieini","text":"Prototype: typedef LONG (__stdcall *P_SbieDll_UpdateConf)( WCHAR operation_code, const WCHAR *password, // limited to 64 chars const WCHAR *section_name, // limited to 32 chars const WCHAR *setting_name, // limited to 64 chars const WCHAR *value) // limited to 2000 chars Export Name: SbieDll_UpdateConf Parameters: operation_code [in] specifies how to update the request setting: 's' to set (overwrite), replacing any existing values 'a' to append the new value at the bottom of a list of values (or simply set the new value if there isn't one already) 'i' to insert the new value at the top of a list of values (or simply set the new value if there isn't one already) 'd' to delete an existing value in a list of values password [in] specifies the password to use if one is required, or NULL or an empty string otherwise. section_name [in] is a required parameter which specifies the section name that contains the setting to set. setting_name [in] is a required parameter which specifies the setting name to set. value [ini] is an optional parameter specifies the new value. 
If operation_code is 's' and value is omitted, the corresponding setting in the specified section will be deleted. If operation_code is 's' and setting_name is \"*\" (wildcard star) and value is omitted, this function deletes a complete section from the configuration file. Return Value: Returns zero on success.","title":"Update Configuration in Sandboxie.ini"},{"location":"Content/SBIEDLLAPI/#reload-configuration-from-sandboxieini","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_ReloadConf)( ULONG session_id); Export Name: SbieApi_ReloadConf Parameters: session_id [in] specifies the logon session number to which Sandboxie will log any error messages. Pass -1 for the current logon session. Return Value: Returns zero on success, a non-zero value on error.","title":"Reload Configuration from Sandboxie.ini"},{"location":"Content/SBIEDLLAPI/#hook-a-user-mode-entrypoint","text":"Prototype: typedef void *(__stdcall *P_SbieDll_Hook)( const char *name, void *source_func, void *detour_func); Export Name: SbieDll_Hook Parameters: name [in] specifies an ASCII-string naming the entrypoint to be hooked. In case of error, SbieDll_Hook logs a Sandboxie error message which includes this descriptive name. source_func [in] pointer to the function to hook. detour_func [in] pointer to the hook code. This function will cause the source function to invoke the detour function. In other words, the detour function will intercept all calls to the source function. Return Value: Returns a function pointer which can be used by the detour function to invoke the source function. 
Sample Code: typedef BOOL (__stdcall *P_DeleteFileW)(const WCHAR *Path); P_DeleteFileW pDeleteFileW = NULL; BOOL __stdcall MyDeleteFileW(const WCHAR *Path) { if (Path[0] == L'C') { // silently ignore requests to delete any file on drive C SetLastError(0); return TRUE; } else { // otherwise invoke the original DeleteFileW function return pDeleteFileW(Path); } } main() { pDeleteFileW = GetProcAddress(kernel32dll, \"DeleteFileW\"); pDeleteFileW = SbieDll_Hook(\"DeleteFile\", pDeleteFileW, MyDeleteFileW); }","title":"Hook a User-Mode Entrypoint"},{"location":"Content/SBIEDLLAPI/#register-for-dll-loadunload-callbacks","text":"Prototype: typedef void (__stdcall *P_DllCallback)(const WCHAR *ImageName, HMODULE ImageBase); typedef BOOLEAN *(__stdcall *P_SbieDll_RegisterDllCallback)( P_DllCallback pCallback); Export Name: SbieDll_RegisterDllCallback This API is available starting with version 3.46 of Sandboxie. Parameters: pCallback specifies a callback function to be invoked whenever any DLL is loaded or unloaded in the process. The callback function cannot be unregistered. The ImageName (first) parameter to the callback function specifies the UNICODE name string for the DLL that was loaded or unloaded. The name string does not include a path. The ImageBase (second) parameter to the callback function specifies the load base address for the DLL, when the callback function is invoked to notify of a DLL load. When the callback function is invoked to notify of a DLL unload, this parameter is set to zero. Return Value: Returns TRUE on success, FALSE if the callback cannot be registered. 
As of version 3.46, Sandboxie supports up to 8 registrations within a single process.","title":"Register for DLL Load/Unload Callbacks"},{"location":"Content/SBIEDLLAPI/#get-sandboxie-home-folder","text":"Prototype: typedef LONG *(__stdcall *P_SbieApi_GetHomePath)( WCHAR *NtPath, ULONG NtPathMaxLen, WCHAR *DosPath, ULONG DosPathMaxLen); Export Name: SbieApi_GetHomePath This API is available starting with version 3.52 of Sandboxie. Parameters: NtPath specifies a pointer to a buffer which will receive the full path of the Sandboxie installation folder in NT-path syntax. NtPathMaxLen specifies the size of the NtPath buffer. Specify NULL for NtPath and zero for NtPathMaxLen to not receive the NT path. DosPath specifies a pointer to a buffer which will receive the full path of the Sandboxie installation folder in DOS-path syntax. DosPathMaxLen specifies the size of the DosPath buffer. Specify NULL for DosPath and zero for DosPathMaxLen to not receive the NT path. Return Value: Returns zero on success, a non-zero value on error. STATUS_BUFFER_TOO_SMALL (0xC0000023) indicates either NtPathMaxLen or DosPathMaxLen specifies a buffer that is too small. Increase the size of the input buffer and retry the call.","title":"Get Sandboxie Home Folder"},{"location":"Content/SBIEMessages/","text":"SBIE Messages Sandboxie messages may be issued to the System Event Log or the Popup Message Log . This is not an exhaustive list. For more information, please look in our GitHub repository . Some messages are informational and notify of a common, or in some cases special, event that has occurred. Other messages indicate an error condition. To consult the documentation for a particular message, please use the navigation frame on the right. Some messages display details which include NT status codes, denoted in the help pages as ntstatus . For a list of common NT status codes, please consult Nt Status Codes . 
All documented Messages SBIE1101 SBIE1102 SBIE1103 SBIE1104 SBIE1105 SBIE1106 SBIE1108 SBIE1109 SBIE1110 SBIE1111 SBIE1112 SBIE1113 SBIE1114 SBIE1116 SBIE1119 SBIE1120 SBIE1121 SBIE1122 SBIE1151 SBIE1152 SBIE1153 SBIE1201 SBIE1202 SBIE1203 SBIE1204 SBIE1211 SBIE1212 SBIE1213 SBIE1214 SBIE1215 SBIE1216 SBIE1222 SBIE1223 SBIE1224 SBIE1241 SBIE1242 SBIE1301 SBIE1303 SBIE1304 SBIE1306 SBIE1307 SBIE1308 SBIE1309 SBIE1310 SBIE1311 SBIE1312 SBIE1313 SBIE1314 SBIE1401 SBIE1402 SBIE1403 SBIE1404 SBIE1405 SBIE1406 SBIE1408 SBIE1409 SBIE1410 SBIE1411 SBIE1412 SBIE2102 SBIE2103 SBIE2104 SBIE2108 SBIE2191 SBIE2192 SBIE2193 SBIE2202 SBIE2203 SBIE2204 SBIE2205 SBIE2206 SBIE2207 SBIE2208 SBIE2209 SBIE2210 SBIE2211 SBIE2212 SBIE2213 SBIE2214 SBIE2217 SBIE2218 SBIE2219 SBIE2220 SBIE2221 SBIE2222 SBIE2223 SBIE2303 SBIE2304 SBIE2305 SBIE2306 SBIE2307 SBIE2308 SBIE2309 SBIE2310 SBIE2311 SBIE2312 SBIE2313 SBIE2314 SBIE2315 SBIE2316 SBIE2317 SBIE2318 SBIE2321 SBIE2322 SBIE2323 SBIE2326 SBIE2327 SBIE2331 SBIE2332 SBIE2334 SBIE3207 SBIE3208 SBIE3209 SBIE9101 SBIE9153 SBIE9154 SBIE9156 SBIE9201 SBIE9202 SBIE9203 SBIE9204 SBIE9205 SBIE9206 SBIE9207 SBIE9208 SBIE9251 SBIE9252 SBIE9253 SBIE9302 SBIE9304 SBIE9305","title":"SBIE Messages"},{"location":"Content/SBIEMessages/#sbie-messages","text":"Sandboxie messages may be issued to the System Event Log or the Popup Message Log . This is not an exhaustive list. For more information, please look in our GitHub repository . Some messages are informational and notify of a common, or in some cases special, event that has occurred. Other messages indicate an error condition. To consult the documentation for a particular message, please use the navigation frame on the right. Some messages display details which include NT status codes, denoted in the help pages as ntstatus . 
For a list of common NT status codes, please consult Nt Status Codes .","title":"SBIE Messages"},{"location":"Content/SBIEMessages/#all-documented-messages","text":"SBIE1101 SBIE1102 SBIE1103 SBIE1104 SBIE1105 SBIE1106 SBIE1108 SBIE1109 SBIE1110 SBIE1111 SBIE1112 SBIE1113 SBIE1114 SBIE1116 SBIE1119 SBIE1120 SBIE1121 SBIE1122 SBIE1151 SBIE1152 SBIE1153 SBIE1201 SBIE1202 SBIE1203 SBIE1204 SBIE1211 SBIE1212 SBIE1213 SBIE1214 SBIE1215 SBIE1216 SBIE1222 SBIE1223 SBIE1224 SBIE1241 SBIE1242 SBIE1301 SBIE1303 SBIE1304 SBIE1306 SBIE1307 SBIE1308 SBIE1309 SBIE1310 SBIE1311 SBIE1312 SBIE1313 SBIE1314 SBIE1401 SBIE1402 SBIE1403 SBIE1404 SBIE1405 SBIE1406 SBIE1408 SBIE1409 SBIE1410 SBIE1411 SBIE1412 SBIE2102 SBIE2103 SBIE2104 SBIE2108 SBIE2191 SBIE2192 SBIE2193 SBIE2202 SBIE2203 SBIE2204 SBIE2205 SBIE2206 SBIE2207 SBIE2208 SBIE2209 SBIE2210 SBIE2211 SBIE2212 SBIE2213 SBIE2214 SBIE2217 SBIE2218 SBIE2219 SBIE2220 SBIE2221 SBIE2222 SBIE2223 SBIE2303 SBIE2304 SBIE2305 SBIE2306 SBIE2307 SBIE2308 SBIE2309 SBIE2310 SBIE2311 SBIE2312 SBIE2313 SBIE2314 SBIE2315 SBIE2316 SBIE2317 SBIE2318 SBIE2321 SBIE2322 SBIE2323 SBIE2326 SBIE2327 SBIE2331 SBIE2332 SBIE2334 SBIE3207 SBIE3208 SBIE3209 SBIE9101 SBIE9153 SBIE9154 SBIE9156 SBIE9201 SBIE9202 SBIE9203 SBIE9204 SBIE9205 SBIE9206 SBIE9207 SBIE9208 SBIE9251 SBIE9252 SBIE9253 SBIE9302 SBIE9304 SBIE9305","title":"All documented Messages"},{"location":"Content/SandboxHierarchy/","text":"Sandbox Hierarchy Overview When sandboxed programs create (or modify) objects, such as files, in fact, some kind of data should be created. Sandboxie creates these objects out of the way, to protect the system from harmful changes. But these objects must reside somewhere in the system. This page describes where various types of sandboxed objects are placed. Beginning with version 2.80 of Sandboxie, the layout of the sandbox is not tied to computer-specific device names and account names. See Portable Sandbox for more information. 
Files Files are created in the Sandbox folder according to the following hierarchy: . FileRootPath . . drive . . . C . . . D . . . Q . . user . . . all . . . current The FileRootPath setting specifies a path to the root of a particular sandbox. In other words, if FileRootPath specifies the folder C:\\MySandbox , then the sub-folders drive and user are created as C:\\MySandbox\\drive and C:\\MySandbox\\user, respectively. If the FileRootPath setting is omitted, the BoxRootFolder setting is used instead. The Box Root Folder setting specifies a path to a group of sandboxes. In other words, if Box Root Folder specifies the folder C:\\MySandbox , then the sub-folders drive and user are created as C:\\MySandbox\\Sandbox\\DefaultBox\\drive and C:\\MySandbox\\Sandbox\\DefaultBox\\user, respectively, and assuming the sandbox is called DefaultBox. Please note that BoxRootFolder is a deprecated setting. As sandboxed programs create new files or modify existing files, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the file C:\\NEW.TXT , it will be redirected to create instead ( FileRootPath )\\drive\\C\\NEW.TXT . If the sandboxed program was trying to create the file C:\\Users\\joe\\Documents\\NEW.TXT , it will be redirected to create ( FileRootPath )\\user\\current\\Documents\\NEW.TXT . Files that are created or modified in or below profile (or home ) folders, such as C:\\Users\\joe (on Windows Vista and later) are redirected into the sandboxed user\\current folder. Files that are created or modified in or below the generic (or All Users ) profile, are redirected into the sandboxed user\\all folder. Other files that don't match either of the above paths are redirected to the sandboxed drive\\X folder, where X would be the drive in which the files were supposed to have been written. 
Files that are created or modified on a remote network share are redirected into the sandboxed share\\servername\\sharename folder. When a program tries to open a file for which a copy already exists in the sandbox, Sandboxie will redirect the program to the copy of the file that was previously stored in the sandbox. On the other hand, if a copy for the file does not exist in the sandbox, and if the program does not try to modify the file, then Sandboxie will permit read-only access on the original file outside the sandbox. This behavior can be affected with the file-related settings OpenFilePath , ReadFilePath , and ClosedFilePath . Note that the Sandbox folder itself resides on one particular drive, so even as sandboxed programs may create and modify files in multiple drives, all these files will end up residing physically in the same drive -- the drive where the Sandbox folder resides. Apart from the two sub-folders, drive and user , the Sandbox folder itself contains the file RegHive , and typically also RegHive.LOG . These hold the sandboxed registry. See below. Registry Registry keys are created in a sandboxed registry hive. A registry hive is the Microsoft Windows term for a group of related registry keys that are stored in a single hive file . Sandboxie creates the hive file in the Sandbox folder, as the files RegHive and RegHive.LOG . This hive is mounted (or in other words, loaded into the registry) when a sandboxed program starts. The hive is unmounted when all sandboxed programs end. The sandboxed hive has the following position and structure within the global structure of the Windows registry. . HKEY_USERS . . KeyRootPath . . . machine . . . user . . . . current The KeyRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to HKEY_USERS\\Sandbox (user name) (sandbox name) . For example, if the user joe is using the sandbox DefaultBox, the default KeyRootPath is HKEY_USERS\\Sandbox_joe_DefaultBox . 
As sandboxed programs create new registry keys or modify existing keys, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the key HKEY_LOCAL_MACHINE\\Software\\NewKey , it will be redirected to create instead ( KeyRootPath )\\machine\\Software\\NewKey . If the sandboxed program was trying to create the key HKEY_CURRENT_USER\\Software\\NewKey , it will be redirected to create ( KeyRootPath )\\user\\current\\Software\\NewKey . With the sandboxed registry, the rules for redirection are simpler than for sandboxed files: A registry key created or modified below the HKEY_LOCAL_MACHINE tree will be redirected below the sandboxed machine key. A registry key created or modified below the HKEY_CURRENT_USER tree will be redirected below the sandboxed user\\current key. A registry key created or modified below the HKEY_CLASSES_ROOT tree will be redirected below the sandboxed user\\current_classes key. Note that the sandboxed user\\current\\software\\classes key is a symbolic link to the user\\current_classes key which means and the keys are effectively synonyms and share the same content in the sandboxed Windows registry. As with files, access to a key which has a copy in the sandboxed registry will be redirected to use the copy in the sandbox. Read-only access to a key which does not have a copy in the sandboxed registry will be permitted to access the key outside the sandbox. This behavior can be affected with the registry-related settings OpenKeyPath , ReadKeyPath , and ClosedKeyPath . Inter-Process Objects These objects are used by programs to share information, synchronize processing, and provide services. These objects are never written to disk and they disappear when the system shuts down. Sandboxie isolates these objects in order to make it possible to run the same program sandboxed and un-sandboxed side-by-side. It also keeps sandboxed programs from interfering with un-sandboxed ones. 
These objects are created in the NT object namespace. Their position and structure within that namespace are as follows. . IpcRootPath . . BaseNamedObjects . . . Global . . . Local . . . Session . . RPC Control The IpcRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to \\Sandbox(user name)(sandbox name)\\Session (session number) . For example, if the user joe is running in session zero, and using the sandbox DefaultBox, the default IpcRootPath is \\Sandbox\\joe\\DefaultBox\\Session_0_. Below the IpcRootPath , there are object directories which comprise the NT namespace, and match the layout of existing object directories outside the sandbox area. The directories are created with a persistent attribute, which means they will only disappear at system shutdown. Objects created by sandboxed programs are created within the sandbox object directories. If the program is running outside the supervision of Sandboxie, it would typically create such objects in the \\BaseNamedObjects object directory. Note that objects may be created without a name, in which case the object is effectively isolated to the particular program which created it. However, a program can access the internals of another program in order to locate and use such nameless objects. To mitigate this, Sandboxie prevents a program in the sandbox from accessing a program outside the sandbox in this way. The free utility WinObj by Sysinternals (now a part of Microsoft) can be used to display the NT object namespace. Unlike the case with files or registry keys, sandboxed programs are never permitted to access IPC objects outside the sandbox namespace, not even for read-only access. This behavior can be affected with the registry-related settings OpenIpcPath and ClosedIpcPath . 
Note that Sandboxie includes a number of built-in OpenIpcPath settings to allow programs to function correctly, and in a typical system, more OpenIpcPath settings are applied through compatibility settings for third-party software.","title":"Sandbox Hierarchy"},{"location":"Content/SandboxHierarchy/#sandbox-hierarchy","text":"","title":"Sandbox Hierarchy"},{"location":"Content/SandboxHierarchy/#overview","text":"When sandboxed programs create (or modify) objects, such as files, in fact, some kind of data should be created. Sandboxie creates these objects out of the way, to protect the system from harmful changes. But these objects must reside somewhere in the system. This page describes where various types of sandboxed objects are placed. Beginning with version 2.80 of Sandboxie, the layout of the sandbox is not tied to computer-specific device names and account names. See Portable Sandbox for more information.","title":"Overview"},{"location":"Content/SandboxHierarchy/#files","text":"Files are created in the Sandbox folder according to the following hierarchy: . FileRootPath . . drive . . . C . . . D . . . Q . . user . . . all . . . current The FileRootPath setting specifies a path to the root of a particular sandbox. In other words, if FileRootPath specifies the folder C:\\MySandbox , then the sub-folders drive and user are created as C:\\MySandbox\\drive and C:\\MySandbox\\user, respectively. If the FileRootPath setting is omitted, the BoxRootFolder setting is used instead. The Box Root Folder setting specifies a path to a group of sandboxes. In other words, if Box Root Folder specifies the folder C:\\MySandbox , then the sub-folders drive and user are created as C:\\MySandbox\\Sandbox\\DefaultBox\\drive and C:\\MySandbox\\Sandbox\\DefaultBox\\user, respectively, and assuming the sandbox is called DefaultBox. Please note that BoxRootFolder is a deprecated setting. 
As sandboxed programs create new files or modify existing files, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the file C:\\NEW.TXT , it will be redirected to create instead ( FileRootPath )\\drive\\C\\NEW.TXT . If the sandboxed program was trying to create the file C:\\Users\\joe\\Documents\\NEW.TXT , it will be redirected to create ( FileRootPath )\\user\\current\\Documents\\NEW.TXT . Files that are created or modified in or below profile (or home ) folders, such as C:\\Users\\joe (on Windows Vista and later) are redirected into the sandboxed user\\current folder. Files that are created or modified in or below the generic (or All Users ) profile, are redirected into the sandboxed user\\all folder. Other files that don't match either of the above paths are redirected to the sandboxed drive\\X folder, where X would be the drive in which the files were supposed to have been written. Files that are created or modified on a remote network share are redirected into the sandboxed share\\servername\\sharename folder. When a program tries to open a file for which a copy already exists in the sandbox, Sandboxie will redirect the program to the copy of the file that was previously stored in the sandbox. On the other hand, if a copy for the file does not exist in the sandbox, and if the program does not try to modify the file, then Sandboxie will permit read-only access on the original file outside the sandbox. This behavior can be affected with the file-related settings OpenFilePath , ReadFilePath , and ClosedFilePath . Note that the Sandbox folder itself resides on one particular drive, so even as sandboxed programs may create and modify files in multiple drives, all these files will end up residing physically in the same drive -- the drive where the Sandbox folder resides. 
Apart from the two sub-folders, drive and user , the Sandbox folder itself contains the file RegHive , and typically also RegHive.LOG . These hold the sandboxed registry. See below.","title":"Files"},{"location":"Content/SandboxHierarchy/#registry","text":"Registry keys are created in a sandboxed registry hive. A registry hive is the Microsoft Windows term for a group of related registry keys that are stored in a single hive file . Sandboxie creates the hive file in the Sandbox folder, as the files RegHive and RegHive.LOG . This hive is mounted (or in other words, loaded into the registry) when a sandboxed program starts. The hive is unmounted when all sandboxed programs end. The sandboxed hive has the following position and structure within the global structure of the Windows registry. . HKEY_USERS . . KeyRootPath . . . machine . . . user . . . . current The KeyRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to HKEY_USERS\\Sandbox (user name) (sandbox name) . For example, if the user joe is using the sandbox DefaultBox, the default KeyRootPath is HKEY_USERS\\Sandbox_joe_DefaultBox . As sandboxed programs create new registry keys or modify existing keys, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the key HKEY_LOCAL_MACHINE\\Software\\NewKey , it will be redirected to create instead ( KeyRootPath )\\machine\\Software\\NewKey . If the sandboxed program was trying to create the key HKEY_CURRENT_USER\\Software\\NewKey , it will be redirected to create ( KeyRootPath )\\user\\current\\Software\\NewKey . With the sandboxed registry, the rules for redirection are simpler than for sandboxed files: A registry key created or modified below the HKEY_LOCAL_MACHINE tree will be redirected below the sandboxed machine key. A registry key created or modified below the HKEY_CURRENT_USER tree will be redirected below the sandboxed user\\current key. 
A registry key created or modified below the HKEY_CLASSES_ROOT tree will be redirected below the sandboxed user\\current_classes key. Note that the sandboxed user\\current\\software\\classes key is a symbolic link to the user\\current_classes key which means and the keys are effectively synonyms and share the same content in the sandboxed Windows registry. As with files, access to a key which has a copy in the sandboxed registry will be redirected to use the copy in the sandbox. Read-only access to a key which does not have a copy in the sandboxed registry will be permitted to access the key outside the sandbox. This behavior can be affected with the registry-related settings OpenKeyPath , ReadKeyPath , and ClosedKeyPath .","title":"Registry"},{"location":"Content/SandboxHierarchy/#inter-process-objects","text":"These objects are used by programs to share information, synchronize processing, and provide services. These objects are never written to disk and they disappear when the system shuts down. Sandboxie isolates these objects in order to make it possible to run the same program sandboxed and un-sandboxed side-by-side. It also keeps sandboxed programs from interfering with un-sandboxed ones. These objects are created in the NT object namespace. Their position and structure within that namespace are as follows. . IpcRootPath . . BaseNamedObjects . . . Global . . . Local . . . Session . . RPC Control The IpcRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to \\Sandbox(user name)(sandbox name)\\Session (session number) . For example, if the user joe is running in session zero, and using the sandbox DefaultBox, the default IpcRootPath is \\Sandbox\\joe\\DefaultBox\\Session_0_. Below the IpcRootPath , there are object directories which comprise the NT namespace, and match the layout of existing object directories outside the sandbox area. 
The directories are created with a persistent attribute, which means they will only disappear at system shutdown. Objects created by sandboxed programs are created within the sandbox object directories. If the program is running outside the supervision of Sandboxie, it would typically create such objects in the \\BaseNamedObjects object directory. Note that objects may be created without a name, in which case the object is effectively isolated to the particular program which created it. However, a program can access the internals of another program in order to locate and use such nameless objects. To mitigate this, Sandboxie prevents a program in the sandbox from accessing a program outside the sandbox in this way. The free utility WinObj by Sysinternals (now a part of Microsoft) can be used to display the NT object namespace. Unlike the case with files or registry keys, sandboxed programs are never permitted to access IPC objects outside the sandbox namespace, not even for read-only access. This behavior can be affected with the registry-related settings OpenIpcPath and ClosedIpcPath . Note that Sandboxie includes a number of built-in OpenIpcPath settings to allow programs to function correctly, and in a typical system, more OpenIpcPath settings are applied through compatibility settings for third-party software.","title":"Inter-Process Objects"},{"location":"Content/SandboxMenu/","text":"Sandbox Menu Sandboxie Control > Sandbox Menu Sandbox Sub-Menu One or more sub-menus appear for each sandbox defined. The default configuration includes only one sandbox named DefaultBox , but more can be added using the Create New Sandbox command. Each sub-menu contains the following commands: The Run Sandboxed sub-sub-menu is used to start programs under the supervision of Sandboxie: The Web Browser command starts the system (default) Web browser. (Note: If the wrong program starts, see Frequently Asked Questions to fix this.) 
The Email Reader command starts the system (default) email reader The Any Program command displays the Run Any Program dialog box which is similar to the standard Windows Run... dialog box. It can be used to start programs, open documents, and browse folders, all under the supervision of Sandboxie. The From Start Menu command displays the Sandboxie Start menu, similar to the standard Windows Start menu. It can be used to start programs and other shortcuts that appear in the start menu and on the desktop. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation. The Windows Explorer command starts a sandboxed instance of the Windows Explorer. It can be used to navigate folders and start programs, all under the supervision of Sandboxie. The Terminate Running Programs command stops all programs running in the sandbox. The Quick Recovery command shows the Quick Recovery window. The Delete Contents command shows the Delete Sandbox window. The Explore Contents command opens an unsandboxed folder view for the contents of the sandbox outside the supervision of Sandboxie . If possible, use the Files And Folders View to browse the contents of the sandbox. The Sandbox Settings command opens the Sandbox Settings window. The Rename Sandbox command changes the name of the sandbox. The Remove Sandbox command removes a sandboxed created using the Create New Sandbox command. These commands, except for Rename Sandbox and Remove Sandbox, are also available in the Tray Icon Menu . Create New Sandbox The Create New Sandbox command defines a new sandbox in Sandboxie. A dialog box window will be displayed asking for the name of the new sandbox. The name can be any combination of digits and letters, and its maximum length is 32 characters. A combo box button can specify some existing sandbox, from which settings will be copied into the new sandbox. 
If such an existing sandbox has not been selected, the new sandbox will initially have a default set of settings. Once the sandbox is created, the Sandbox Settings window can be used to alter sandbox settings. Set Container Folder The Set Container Folder command selects the container (or master, or parent) folder which will contain all other sandboxes. The default location is X:\\Sandbox\\%USER%\\%SANDBOX% , where X: stands for the drive where Windows is installed, typically C: . The special variable %SANDBOX% is replaced by the name of the sandbox. The special variable %USER% is replaced by the name of whichever user account (or logon) is using that sandbox. Note that a sandbox created in one user account is visible and can be used by other accounts in the system. However, if the container folder includes the %USER% special variable, then the user accounts don't actually share the same sandbox. Each account has a separate instance of the sandbox. Related Sandboxie Ini setting: FileRootPath . Set Layout and Groups The Set Layout and Groups command permits ordering sandboxes within a hierarchy of groups, when displayed in menus and lists. This does not have any effect on how programs behave within a sandbox. This feature is useful when more than a few sandboxes are defined, as it permits easier menu access to a specific sandbox. Once any groups have been defined, the main Programs View in Sandboxie Control will include a combo box button which can be used to restrict the list of sandboxes that are displayed. Related Sandboxie Ini setting: BoxDisplayOrder. Reveal Hidden Sandbox The Reveal Hidden Sandbox command appears in the menu only if some sandboxes are not visible to or usable by the current user account. A sandbox can be restricted to specific user accounts using the User Accounts Settings settings page in the Sandbox Settings window. The Reveal Hidden Sandbox command can restore visibility of a sandbox that has been made unavailable the current user account. 
Go to Sandboxie Control , Help Topics .","title":"Sandbox Menu"},{"location":"Content/SandboxMenu/#sandbox-menu","text":"Sandboxie Control > Sandbox Menu","title":"Sandbox Menu"},{"location":"Content/SandboxMenu/#sandbox-sub-menu","text":"One or more sub-menus appear for each sandbox defined. The default configuration includes only one sandbox named DefaultBox , but more can be added using the Create New Sandbox command. Each sub-menu contains the following commands: The Run Sandboxed sub-sub-menu is used to start programs under the supervision of Sandboxie: The Web Browser command starts the system (default) Web browser. (Note: If the wrong program starts, see Frequently Asked Questions to fix this.) The Email Reader command starts the system (default) email reader The Any Program command displays the Run Any Program dialog box which is similar to the standard Windows Run... dialog box. It can be used to start programs, open documents, and browse folders, all under the supervision of Sandboxie. The From Start Menu command displays the Sandboxie Start menu, similar to the standard Windows Start menu. It can be used to start programs and other shortcuts that appear in the start menu and on the desktop. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation. The Windows Explorer command starts a sandboxed instance of the Windows Explorer. It can be used to navigate folders and start programs, all under the supervision of Sandboxie. The Terminate Running Programs command stops all programs running in the sandbox. The Quick Recovery command shows the Quick Recovery window. The Delete Contents command shows the Delete Sandbox window. The Explore Contents command opens an unsandboxed folder view for the contents of the sandbox outside the supervision of Sandboxie . If possible, use the Files And Folders View to browse the contents of the sandbox. 
The Sandbox Settings command opens the Sandbox Settings window. The Rename Sandbox command changes the name of the sandbox. The Remove Sandbox command removes a sandboxed created using the Create New Sandbox command. These commands, except for Rename Sandbox and Remove Sandbox, are also available in the Tray Icon Menu .","title":"Sandbox Sub-Menu"},{"location":"Content/SandboxMenu/#create-new-sandbox","text":"The Create New Sandbox command defines a new sandbox in Sandboxie. A dialog box window will be displayed asking for the name of the new sandbox. The name can be any combination of digits and letters, and its maximum length is 32 characters. A combo box button can specify some existing sandbox, from which settings will be copied into the new sandbox. If such an existing sandbox has not been selected, the new sandbox will initially have a default set of settings. Once the sandbox is created, the Sandbox Settings window can be used to alter sandbox settings.","title":"Create New Sandbox"},{"location":"Content/SandboxMenu/#set-container-folder","text":"The Set Container Folder command selects the container (or master, or parent) folder which will contain all other sandboxes. The default location is X:\\Sandbox\\%USER%\\%SANDBOX% , where X: stands for the drive where Windows is installed, typically C: . The special variable %SANDBOX% is replaced by the name of the sandbox. The special variable %USER% is replaced by the name of whichever user account (or logon) is using that sandbox. Note that a sandbox created in one user account is visible and can be used by other accounts in the system. However, if the container folder includes the %USER% special variable, then the user accounts don't actually share the same sandbox. Each account has a separate instance of the sandbox. 
Related Sandboxie Ini setting: FileRootPath .","title":"Set Container Folder"},{"location":"Content/SandboxMenu/#set-layout-and-groups","text":"The Set Layout and Groups command permits ordering sandboxes within a hierarchy of groups, when displayed in menus and lists. This does not have any effect on how programs behave within a sandbox. This feature is useful when more than a few sandboxes are defined, as it permits easier menu access to a specific sandbox. Once any groups have been defined, the main Programs View in Sandboxie Control will include a combo box button which can be used to restrict the list of sandboxes that are displayed. Related Sandboxie Ini setting: BoxDisplayOrder.","title":"Set Layout and Groups"},{"location":"Content/SandboxMenu/#reveal-hidden-sandbox","text":"The Reveal Hidden Sandbox command appears in the menu only if some sandboxes are not visible to or usable by the current user account. A sandbox can be restricted to specific user accounts using the User Accounts Settings settings page in the Sandbox Settings window. The Reveal Hidden Sandbox command can restore visibility of a sandbox that has been made unavailable the current user account. Go to Sandboxie Control , Help Topics .","title":"Reveal Hidden Sandbox"},{"location":"Content/SandboxSettings/","text":"Sandbox Settings The Sandbox Settings window in Sandboxie Control displays and changes the configuration and options associated with a single sandbox. The Sandbox Settings window can be accessed in two ways: From the menu bar: Access the Sandbox Menu , select one of the sandboxes listed, then select the Sandbox Settings command: From the context menu: In the main window area, right-click (or press Shift+F10) on the name of a sandbox, then select the Sandbox Settings command. (See the discussion about Context Menus in Programs View or Files And Folders View for more information.) Note that unless new sandboxes are added, Sandboxie lists only one sandbox: DefaultBox. 
In the Sandbox Settings window, the individual settings are organized into settings pages, and some pages are organized into groups, as shown below. The left part of the window contains the pages and groups. When a settings page is selected (clicked) in the left part of the window, the right part of the window shows the related settings. When a change has been made in a particular page, the change must be applied to Sandboxie before moving to any other settings page. This can be done manually using the Apply button, or automatically by marking the checkbox at the bottom of the window (\"Apply changes when switching to another page\"). The sections below describe each settings page. Configuration changes do not apply to programs that are already running sandboxed at the time the configuration is changed. To keep things simple, you are advised to make configuration changes when no programs are running in the sandbox. For information about the settings, see these pages: Appearance Settings Recovery Settings Delete Settings Program Start Settings Program Stop Settings File Migration Settings Restrictions Settings Resource Access Settings Applications Settings User Accounts Settings","title":"Sandbox Settings"},{"location":"Content/SandboxSettings/#sandbox-settings","text":"The Sandbox Settings window in Sandboxie Control displays and changes the configuration and options associated with a single sandbox. The Sandbox Settings window can be accessed in two ways: From the menu bar: Access the Sandbox Menu , select one of the sandboxes listed, then select the Sandbox Settings command: From the context menu: In the main window area, right-click (or press Shift+F10) on the name of a sandbox, then select the Sandbox Settings command. (See the discussion about Context Menus in Programs View or Files And Folders View for more information.) Note that unless new sandboxes are added, Sandboxie lists only one sandbox: DefaultBox. 
In the Sandbox Settings window, the individual settings are organized into settings pages, and some pages are organized into groups, as shown below. The left part of the window contains the pages and groups. When a settings page is selected (clicked) in the left part of the window, the right part of the window shows the related settings. When a change has been made in a particular page, the change must be applied to Sandboxie before moving to any other settings page. This can be done manually using the Apply button, or automatically by marking the checkbox at the bottom of the window (\"Apply changes when switching to another page\"). The sections below describe each settings page. Configuration changes do not apply to programs that are already running sandboxed at the time the configuration is changed. To keep things simple, you are advised to make configuration changes when no programs are running in the sandbox. For information about the settings, see these pages: Appearance Settings Recovery Settings Delete Settings Program Start Settings Program Stop Settings File Migration Settings Restrictions Settings Resource Access Settings Applications Settings User Accounts Settings","title":"Sandbox Settings"},{"location":"Content/Sandboxie/","text":"Sandboxie Tired of dealing with rogue software, spyware and malware? Spent too many hours removing unsolicited software? Worried about clicking unfamiliar Web links? Introducing Sandboxie Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. 
The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox , depicted as a yellow rectangle. It also illustrates that grouping the changes together makes it easy to delete all of them at once. Benefits of the Isolated Sandbox Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially. Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows. Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system. Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox. Download Sandboxie now and give it a try! Check out the Help Topics for Sandboxie, or visit the Support Page Index .","title":"Sandboxie"},{"location":"Content/Sandboxie/#sandboxie","text":"Tired of dealing with rogue software, spyware and malware? Spent too many hours removing unsolicited software? Worried about clicking unfamiliar Web links?","title":"Sandboxie"},{"location":"Content/Sandboxie/#introducing-sandboxie","text":"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox , depicted as a yellow rectangle. 
It also illustrates that grouping the changes together makes it easy to delete all of them at once.","title":"Introducing Sandboxie"},{"location":"Content/Sandboxie/#benefits-of-the-isolated-sandbox","text":"Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially. Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows. Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system. Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox. Download Sandboxie now and give it a try! Check out the Help Topics for Sandboxie, or visit the Support Page Index .","title":"Benefits of the Isolated Sandbox"},{"location":"Content/SandboxieControl/","text":"Sandboxie Control Overview Sandboxie Control is the graphical front end to Sandboxie Classic, and can control most aspects of Sandboxie. These are some of the things that you can do with it: Start and stop programs under the supervision of Sandboxie View files inside the sandbox Recover desired files out of the sandbox Delete the contents of sandboxes, purging all undesired files Create, remove and configure sandboxes Menus Main Menu: File Menu View Menu Sandbox Menu Configure Menu Help Menu See Also: Tray Icon Menu Visibility Sandboxie is primarily a mechanism to run other programs, not an interactive tool. You will typically hide the main window of Sandboxie Control, and the program will only be visible as a tray icon in your system notification area, typically at the lower-right corner of the screen: (Note the yellow Sandboxie Control icon near the clock.) 
To toggle the hidden state, double-click the tray icon, or right-click it and select the Show Window or Hide Window commands. (See Tray Icon Menu .) Additionally, you can hide the window by clicking the close button (X) at the upper-right corner of the window. To quit Sandboxie Control and remove its tray icon from the system notification area, right-click the tray icon and select Exit . Views Programs View Files And Folders View Quick Links to More Topics Quick Recovery , Immediate Recovery and Delete Sandbox Sandbox Settings Disable Forced Programs Shell Integration Is Window Sandboxed? Go to Help Topics .","title":"Sandboxie Control"},{"location":"Content/SandboxieControl/#sandboxie-control","text":"","title":"Sandboxie Control"},{"location":"Content/SandboxieControl/#overview","text":"Sandboxie Control is the graphical front end to Sandboxie Classic, and can control most aspects of Sandboxie. These are some of the things that you can do with it: Start and stop programs under the supervision of Sandboxie View files inside the sandbox Recover desired files out of the sandbox Delete the contents of sandboxes, purging all undesired files Create, remove and configure sandboxes","title":"Overview"},{"location":"Content/SandboxieControl/#menus","text":"Main Menu: File Menu View Menu Sandbox Menu Configure Menu Help Menu See Also: Tray Icon Menu","title":"Menus"},{"location":"Content/SandboxieControl/#visibility","text":"Sandboxie is primarily a mechanism to run other programs, not an interactive tool. You will typically hide the main window of Sandboxie Control, and the program will only be visible as a tray icon in your system notification area, typically at the lower-right corner of the screen: (Note the yellow Sandboxie Control icon near the clock.) To toggle the hidden state, double-click the tray icon, or right-click it and select the Show Window or Hide Window commands. (See Tray Icon Menu .) 
Additionally, you can hide the window by clicking the close button (X) at the upper-right corner of the window. To quit Sandboxie Control and remove its tray icon from the system notification area, right-click the tray icon and select Exit .","title":"Visibility"},{"location":"Content/SandboxieControl/#views","text":"Programs View Files And Folders View","title":"Views"},{"location":"Content/SandboxieControl/#quick-links-to-more-topics","text":"Quick Recovery , Immediate Recovery and Delete Sandbox Sandbox Settings Disable Forced Programs Shell Integration Is Window Sandboxed? Go to Help Topics .","title":"Quick Links to More Topics"},{"location":"Content/SandboxieIni/","text":"Sandboxie Ini Some aspects of the operation of Sandboxie can be altered or fine-tuned through the use of a human-readable textual configuration file called Sandboxie.ini. This section describes the structure and contents of the file. As a general rule, manual editing of the configuration file is discouraged. You are advised to use Sandboxie Control to make configuration changes. See Sandbox Settings . Location Sandboxie looks for the file Sandboxie.ini in the following folders, in this order: * In the Windows folder: C:\\Windows on most Windows installations * In the Sandboxie installation folder: typically C:\\Program Files\\Sandboxie or C:\\Program Files\\Sandboxie-Plus The search for Sandboxie.ini ends when an instance of the file is found, and all other instances are ignored. When Sandboxie Control updates the configuration, it rewrites the file Sandboxie.ini file in the folder from which the configuration was last read. Thus, if the file is manually moved, Sandboxie configuration must be manually reloaded . (Restarting the computer would have the same effect.) Note: Sandboxie does not support any other custom location for the Sandboxie.ini file. Structure Configuration settings in the file are split into groups, or sections. 
A section begins with a line that specifies its name enclosed within square brackets. For example: [SomeSectionName]. The section continues to the end of the file, or until another section begins. There are three types of sections: The Global Settings section contains settings global to Sandboxie. These apply in one way or another to all sandboxes and all user accounts. There can be only one Global Settings section, typically at the top of the configuration file. One Sandbox Settings section for each sandbox known to Sandboxie. A valid sandbox name is a string of letters and digits, and has a maximum length of 32 characters. The Sandbox Settings section should contain the setting Enabled =y. One User Settings section for each user account. These settings record the state of Sandboxie Control for a particular user account, and include such information as the size of the window. These settings are not documented here, but see a brief discussion below. A simple Sandboxie.ini file may look like this. # Sample Sandboxie Configuration File [GlobalSettings] FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX% # Settings for sandbox DefaultBox [DefaultBox] Enabled=y # Settings for sandbox InstallBox [InstallBox] Enabled=y FileRootPath=D:\\Sandbox\\Install # Sandboxie Control settings for some user [UserSettings_054A02CE] SbieCtrl_UserName=tzuk The example shows four sections: The global section (GlobalSettings), two sandbox sections (DefaultBox and InstallBox), and one user account section (UserSettings_054A02CE). Lines that begin with a hash sign (#) are comments. These lines are skipped. Note: During its operation, Sandboxie Control regularly rewrites the Sandboxie.ini file, and this rewrite loses all comments. However, unrecognized settings are not lost during the rewrite, so one workaround is to write comments in the form Comment=text. The configuration file can contain up to 30,000 lines of text. Each line can be up to 1000 characters long. 
The file is UNICODE-encoded, which means each character is composed of two bytes. Many text file editors, including the system Notepad, handle this encoding properly. Settings Global Settings: Listed in the navigation bar on the right under the heading Global Settings. Settings apply to the general operation of Sandboxie, not to any particular sandbox. Global settings must be placed in the GlobalSettings section, and cannot be overridden by also including them in a sandbox section. Sandbox settings may appear in the GlobalSettings section, and can be overridden by also including them in a sandbox section. Sandbox Settings: Listed in the navigation bar on the right under the heading Sandbox Settings. Settings apply to a particular sandbox when specified in the associated sandbox section. Settings apply to all sandboxes when specified in the [GlobalSettings] section. Settings in the sandbox section override corresponding settings from [GlobalSettings]. In the example above, the sandbox setting FileRootPath appears in [GlobalSettings] and applies to all sandboxes, but note that it is overridden in section [InstallBox]. Sandbox settings can be applied to a specific program. See Program Name Prefix . Some sandbox settings are Yes Or No Settings . Sandbox settings may specify Expandable Variables that Sandboxie recognizes. User Settings Settings record the state of Sandboxie Control , for instance the position of the window. Each user account is directed to a different [UserSettings_XXXXXXXX] section. When a new [UserSettings_XXXXXXXX] is created, default values are taken from the [UserSettings_Default] section, if it exists. If the section [UserSettings_Portable] exists, all user accounts are directed to use this section. Automation Sandboxie includes a command-line utility to query or update the Sandboxie.ini configuration file. The utility is suitable for direct command-line interaction as well as invocation from a script or a program. 
The utility can be found as SbieIni.exe in the Sandboxie installation directory. For further details, see Create a sandbox by command line and SbieIni.exe usage section.","title":"Sandboxie Ini"},{"location":"Content/SandboxieIni/#sandboxie-ini","text":"Some aspects of the operation of Sandboxie can be altered or fine-tuned through the use of a human-readable textual configuration file called Sandboxie.ini. This section describes the structure and contents of the file. As a general rule, manual editing of the configuration file is discouraged. You are advised to use Sandboxie Control to make configuration changes. See Sandbox Settings .","title":"Sandboxie Ini"},{"location":"Content/SandboxieIni/#location","text":"Sandboxie looks for the file Sandboxie.ini in the following folders, in this order: * In the Windows folder: C:\\Windows on most Windows installations * In the Sandboxie installation folder: typically C:\\Program Files\\Sandboxie or C:\\Program Files\\Sandboxie-Plus The search for Sandboxie.ini ends when an instance of the file is found, and all other instances are ignored. When Sandboxie Control updates the configuration, it rewrites the file Sandboxie.ini file in the folder from which the configuration was last read. Thus, if the file is manually moved, Sandboxie configuration must be manually reloaded . (Restarting the computer would have the same effect.) Note: Sandboxie does not support any other custom location for the Sandboxie.ini file.","title":"Location"},{"location":"Content/SandboxieIni/#structure","text":"Configuration settings in the file are split into groups, or sections. A section begins with a line that specifies its name enclosed within square brackets. For example: [SomeSectionName]. The section continues to the end of the file, or until another section begins. There are three types of sections: The Global Settings section contains settings global to Sandboxie. These apply in one way or another to all sandboxes and all user accounts. 
There can be only one Global Settings section, typically at the top of the configuration file. One Sandbox Settings section for each sandbox known to Sandboxie. A valid sandbox name is a string of letters and digits, and has a maximum length of 32 characters. The Sandbox Settings section should contain the setting Enabled =y. One User Settings section for each user account. These settings record the state of Sandboxie Control for a particular user account, and include such information as the size of the window. These settings are not documented here, but see a brief discussion below. A simple Sandboxie.ini file may look like this. # Sample Sandboxie Configuration File [GlobalSettings] FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX% # Settings for sandbox DefaultBox [DefaultBox] Enabled=y # Settings for sandbox InstallBox [InstallBox] Enabled=y FileRootPath=D:\\Sandbox\\Install # Sandboxie Control settings for some user [UserSettings_054A02CE] SbieCtrl_UserName=tzuk The example shows four sections: The global section (GlobalSettings), two sandbox sections (DefaultBox and InstallBox), and one user account section (UserSettings_054A02CE). Lines that begin with a hash sign (#) are comments. These lines are skipped. Note: During its operation, Sandboxie Control regularly rewrites the Sandboxie.ini file, and this rewrite loses all comments. However, unrecognized settings are not lost during the rewrite, so one workaround is to write comments in the form Comment=text. The configuration file can contain up to 30,000 lines of text. Each line can be up to 1000 characters long. The file is UNICODE-encoded, which means each character is composed of two bytes. Many text file editors, including the system Notepad, handle this encoding properly.","title":"Structure"},{"location":"Content/SandboxieIni/#settings","text":"","title":"Settings"},{"location":"Content/SandboxieIni/#global-settings","text":"Listed in the navigation bar on the right under the heading Global Settings. 
Settings apply to the general operation of Sandboxie, not to any particular sandbox. Global settings must be placed in the GlobalSettings section, and cannot be overridden by also including them in a sandbox section. Sandbox settings may appear in the GlobalSettings section, and can be overridden by also including them in a sandbox section.","title":"Global Settings:"},{"location":"Content/SandboxieIni/#sandbox-settings","text":"Listed in the navigation bar on the right under the heading Sandbox Settings. Settings apply to a particular sandbox when specified in the associated sandbox section. Settings apply to all sandboxes when specified in the [GlobalSettings] section. Settings in the sandbox section override corresponding settings from [GlobalSettings]. In the example above, the sandbox setting FileRootPath appears in [GlobalSettings] and applies to all sandboxes, but note that it is overridden in section [InstallBox]. Sandbox settings can be applied to a specific program. See Program Name Prefix . Some sandbox settings are Yes Or No Settings . Sandbox settings may specify Expandable Variables that Sandboxie recognizes.","title":"Sandbox Settings:"},{"location":"Content/SandboxieIni/#user-settings","text":"Settings record the state of Sandboxie Control , for instance the position of the window. Each user account is directed to a different [UserSettings_XXXXXXXX] section. When a new [UserSettings_XXXXXXXX] is created, default values are taken from the [UserSettings_Default] section, if it exists. If the section [UserSettings_Portable] exists, all user accounts are directed to use this section.","title":"User Settings"},{"location":"Content/SandboxieIni/#automation","text":"Sandboxie includes a command-line utility to query or update the Sandboxie.ini configuration file. The utility is suitable for direct command-line interaction as well as invocation from a script or a program. The utility can be found as SbieIni.exe in the Sandboxie installation directory. 
For further details, see Create a sandbox by command line and SbieIni.exe usage section.","title":"Automation"},{"location":"Content/SandboxieLogon/","text":"Sandbox SID","title":"Sandbox SID"},{"location":"Content/SandboxieLogon/#sandbox-sid","text":"","title":"Sandbox SID"},{"location":"Content/SandboxieTrace/","text":"Sandboxie Trace Please see Resource Access Monitor for Sandboxie Classic. Please see Trace Logging for Sandboxie Plus. Overview In some cases, a program may not function correctly within the sandbox, because it needs access to a system resource which is, by default, protected by Sandboxie, and access to that resource is denied. Note that in this case, the sandboxed program is not creating the resource itself; rather, it expects the resource to already be available for access and use. The trace displays access attempts and makes it possible to somewhat easily identify which resources that are needed for correct operation, have been blocked. Enable the Trace The trace can be activated through different Sandboxie Ini settings: FileTrace logs access to files, folders, and filesystem volumes; KeyTrace logs access to registry keys (but not values within keys); PipeTrace logs access to named pipes and mail slot objects which are used for inter-process communication; IpcTrace logs access to other objects used for inter-process communication, and also logs access attempts by one process to another process; GuiTrace logs window-to-window communications; ClsidTrace logs COM communications; NetFwTrace traces the actions of the firewall components (since version 0.9.0 / 5.51.0); LogAPI library to get additional trace output (see this thread for more information). Each setting accepts a sequence of characters which specifies what to log. The character a logs requests which were allowed; the character d logs requests which were denied. 
For the FileTrace and PipeTrace settings, the character i logs requests which were allowed because they access a device which is ignored by Sandboxie, such as a CD-ROM. The settings PipeTrace , IpcTrace and GuiTrace are more relevant to the discussion in this page. FileTrace and KeyTrace will usually not be able to provide insight as to why a sandboxed program is malfunctioning. Thus, typically you enable the trace by making this change in Sandboxie Ini : [GlobalSettings] IpcTrace=ad PipeTrace=ad GuiTrace=ad Then use Sandboxie to reload the configuration: * Configure menu -> Reload Configuration on Sandboxie Classic * Options menu -> Reload ini file on Sandboxie Plus Trace options can be set on a per box basis such that only the boxes you need will generate trace logs. You can also adjust the buffer size by adding TraceBufferPages=2560 that will increase it tenfold. Review the Trace for NetFwTrace , IpcTrace and PipeTrace Since version 0.9.0 / 5.51.0, a new option NetFwTrace=* was added to trace the actions of the firewall components. Please note that the driver only logs to the kernel debug output, which you can view with DbgView.exe . On Windows Vista and later, output from the system debugger log is disabled by default. This blog post and this thread explain how to enable it. The following trace will display output in the following format. (Assuming IpcTrace , and PipeTrace enabled.) ... (001404) SBIE (FA) 00120116.01.00000000 \\Device\\NamedPipe\\ShimViewer ... (001404) SBIE (IA) 001F0001 \\ThemeApiPort ... (001404) SBIE (PD) 00000040 001136 (001404) SBIE (PA) 00020400 001136 ... (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd\\Endpoint (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd ... (001404) SBIE (ID) 001F0001 \\RPC Control\\protected_storage ... 
The format is this: (pid) SBIE (ca) (access) (resource) pid identifies the process attempting the access; c indicates the Sandboxie class for the resource -- more on this later; a indicates if the access was allowed (A) or denied (D); access indicates the access requested to the object, and is typically not interesting or important; resource identifies the resource to which access is desired; in the case of process-to-process access, where ca is (PA) or (PD), the resource name is the process id of the process being accessed. Some examples: (001404) SBIE (IA) 001F0001 \\ThemeApiPort Here the process making the request is process id 1404, and was allowed to access the resource named ThemeApiPort . The resource class is I, so this is an inter-process object. The access was allowed because by default, Sandboxie allows this specific access. (001404) SBIE (ID) 001F0001 \\RPC Control\\protected_storage Here the access to the resource protected_storage was denied. By default Sandboxie does not allow this access; however the OpenProtectedStorage setting changes this behavior. (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd\\Endpoint Here the access is allowed to the resource Endpoint . The resource class is F, so this is a named pipe or a mail slot resource. The access is allowed by default, because the \\Device\\Afd prefix names resources needed for Internet access. Review GuiTrace Entries When GuiTrace is enabled, the trace also produces entries like the following: ... (001404) SBIE (GA) WinHook 0002 on tid=001484 pid=001960 (001404) SBIE (GA) AccHook on tid=000000 pid=000000 ... (001404) SBIE (GD) PostMessage 01224 (04C8) to hwnd=00050060 pid=001324 DDEMLMom (001404) SBIE (GD) SendMessage 49376 (C0E0) to hwnd=00010014 pid=000804 #32769 ... (001404) SBIE (GD) SendInput (001404) SBIE (GA) SendInput These entries have a few formats. The first word after (GA) or (GD) identifies the type of the entry. 
When the first word is WinHook or AccHook , the entry indicates installation of a hook. Its installation is permitted for (GA) entries, and denied for (GD) entries. WinHook is a standard Windows hook, followed by the type of the hook (see SetWidowsHookEx in MSDN ). AccHook is an accessibility hook (see SetWinEventHook in MSDN ). Both entries identify the thread number (tid) process number (pid) into which the hook was to be installed. When the first word is PostMessage , SendMessage or ThrdMessage , the entry shows denied window communication. The following two numbers indicate the window message number, in decimal and hexadecimal. The entry also indicates the window handle (hwnd) of the target window, the process number (pid) which owns this window, and finally, the internal window class name for the window. Analyze the Trace The point of using the trace is usually to identify the resource that is keeping the sandboxed program from functioning correctly. Consider for example the following trace record: (001404) SBIE (ID) 001F0001 \\BaseNamedObjects\\Xyzzy This shows that access to some Xyzzy resource was denied. Sandboxie does not know this resource, and by default, it denies access to unknown resources. If a sandboxed program begins to malfunction (it may lock up, or it may end abruptly, or just complain about something) soon after this record appears in the trace, it stands to reason that the program was expecting the resource to be accessible. The next step is to add an OpenIpcPath setting for this resource: OpenIpcPath=\\BaseNamedObjects\\Xyzzy This setting tells Sandboxie that access to the Xyzzy resource should not be blocked. Then reload the Sandboxie configuration, clear the old contents of the trace display, and restart the sandboxed program. If the program now performs better, Xyzzy was indeed the problematic resource. But if the program still fails, the trace log can be inspected again for later (or possibly earlier) failed access attempts. 
Resource Class The trace record shows the Sandboxie resource class of the object. This indicates which OpenXxxPath setting is needed to allow access to the object. When resource class is F, as in (FA) or (FD), the relevant settings are OpenFilePath and ClosedFilePath . When resource class is K, as in (KA) or (KD), the relevant settings are OpenKeyPath and ClosedKeyPath . When resource class is I, as in (IA) or (ID), the relevant settings are OpenIpcPath and ClosedIpcPath . When resource class is G, as in (GA) or (GD), the relevant setting is OpenWinClass . For COM objects displayed by ClsidTrace, the relevant setting is OpenClsid .","title":"Sandboxie Trace"},{"location":"Content/SandboxieTrace/#sandboxie-trace","text":"","title":"Sandboxie Trace"},{"location":"Content/SandboxieTrace/#please-see-resource-access-monitor-for-sandboxie-classic","text":"","title":"Please see Resource Access Monitor for Sandboxie Classic."},{"location":"Content/SandboxieTrace/#please-see-trace-logging-for-sandboxie-plus","text":"","title":"Please see Trace Logging for Sandboxie Plus."},{"location":"Content/SandboxieTrace/#overview","text":"In some cases, a program may not function correctly within the sandbox, because it needs access to a system resource which is, by default, protected by Sandboxie, and access to that resource is denied. Note that in this case, the sandboxed program is not creating the resource itself; rather, it expects the resource to already be available for access and use. 
The trace displays access attempts and makes it possible to somewhat easily identify which resources that are needed for correct operation, have been blocked.","title":"Overview"},{"location":"Content/SandboxieTrace/#enable-the-trace","text":"The trace can be activated through different Sandboxie Ini settings: FileTrace logs access to files, folders, and filesystem volumes; KeyTrace logs access to registry keys (but not values within keys); PipeTrace logs access to named pipes and mail slot objects which are used for inter-process communication; IpcTrace logs access to other objects used for inter-process communication, and also logs access attempts by one process to another process; GuiTrace logs window-to-window communications; ClsidTrace logs COM communications; NetFwTrace traces the actions of the firewall components (since version 0.9.0 / 5.51.0); LogAPI library to get additional trace output (see this thread for more information). Each setting accepts a sequence of characters which specifies what to log. The character a logs requests which were allowed; the character d logs requests which were denied. For the FileTrace and PipeTrace settings, the character i logs requests which were allowed because they access a device which is ignored by Sandboxie, such as a CD-ROM. The settings PipeTrace , IpcTrace and GuiTrace are more relevant to the discussion in this page. FileTrace and KeyTrace will usually not be able to provide insight as to why a sandboxed program is malfunctioning. Thus, typically you enable the trace by making this change in Sandboxie Ini : [GlobalSettings] IpcTrace=ad PipeTrace=ad GuiTrace=ad Then use Sandboxie to reload the configuration: * Configure menu -> Reload Configuration on Sandboxie Classic * Options menu -> Reload ini file on Sandboxie Plus Trace options can be set on a per box basis such that only the boxes you need will generate trace logs. 
You can also adjust the buffer size by adding TraceBufferPages=2560 that will increase it tenfold.","title":"Enable the Trace"},{"location":"Content/SandboxieTrace/#review-the-trace-for-netfwtrace-ipctrace-and-pipetrace","text":"Since version 0.9.0 / 5.51.0, a new option NetFwTrace=* was added to trace the actions of the firewall components. Please note that the driver only logs to the kernel debug output, which you can view with DbgView.exe . On Windows Vista and later, output from the system debugger log is disabled by default. This blog post and this thread explain how to enable it. The following trace will display output in the following format. (Assuming IpcTrace , and PipeTrace enabled.) ... (001404) SBIE (FA) 00120116.01.00000000 \\Device\\NamedPipe\\ShimViewer ... (001404) SBIE (IA) 001F0001 \\ThemeApiPort ... (001404) SBIE (PD) 00000040 001136 (001404) SBIE (PA) 00020400 001136 ... (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd\\Endpoint (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd ... (001404) SBIE (ID) 001F0001 \\RPC Control\\protected_storage ... The format is this: (pid) SBIE (ca) (access) (resource) pid identifies the process attempting the access; c indicates the Sandboxie class for the resource -- more on this later; a indicates if the access was allowed (A) or denied (D); access indicates the access requested to the object, and is typically not interesting or important; resource identifies the resource to which access is desired; in the case of process-to-process access, where ca is (PA) or (PD), the resource name is the process id of the process being accessed. Some examples: (001404) SBIE (IA) 001F0001 \\ThemeApiPort Here the process making the request is process id 1404, and was allowed to access the resource named ThemeApiPort . The resource class is I, so this is an inter-process object. The access was allowed because by default, Sandboxie allows this specific access. 
(001404) SBIE (ID) 001F0001 \\RPC Control\\protected_storage Here the access to the resource protected_storage was denied. By default Sandboxie does not allow this access; however the OpenProtectedStorage setting changes this behavior. (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd\\Endpoint Here the access is allowed to the resource Endpoint . The resource class is F, so this is a named pipe or a mail slot resource. The access is allowed by default, because the \\Device\\Afd prefix names resources needed for Internet access.","title":"Review the Trace for NetFwTrace, IpcTrace and PipeTrace"},{"location":"Content/SandboxieTrace/#review-guitrace-entries","text":"When GuiTrace is enabled, the trace also produces entries like the following: ... (001404) SBIE (GA) WinHook 0002 on tid=001484 pid=001960 (001404) SBIE (GA) AccHook on tid=000000 pid=000000 ... (001404) SBIE (GD) PostMessage 01224 (04C8) to hwnd=00050060 pid=001324 DDEMLMom (001404) SBIE (GD) SendMessage 49376 (C0E0) to hwnd=00010014 pid=000804 #32769 ... (001404) SBIE (GD) SendInput (001404) SBIE (GA) SendInput These entries have a few formats. The first word after (GA) or (GD) identifies the type of the entry. When the first word is WinHook or AccHook , the entry indicates installation of a hook. Its installation is permitted for (GA) entries, and denied for (GD) entries. WinHook is a standard Windows hook, followed by the type of the hook (see SetWidowsHookEx in MSDN ). AccHook is an accessibility hook (see SetWinEventHook in MSDN ). Both entries identify the thread number (tid) process number (pid) into which the hook was to be installed. When the first word is PostMessage , SendMessage or ThrdMessage , the entry shows denied window communication. The following two numbers indicate the window message number, in decimal and hexadecimal. 
The entry also indicates the window handle (hwnd) of the target window, the process number (pid) which owns this window, and finally, the internal window class name for the window.","title":"Review GuiTrace Entries"},{"location":"Content/SandboxieTrace/#analyze-the-trace","text":"The point of using the trace is usually to identify the resource that is keeping the sandboxed program from functioning correctly. Consider for example the following trace record: (001404) SBIE (ID) 001F0001 \\BaseNamedObjects\\Xyzzy This shows that access to some Xyzzy resource was denied. Sandboxie does not know this resource, and by default, it denies access to unknown resources. If a sandboxed program begins to malfunction (it may lock up, or it may end abruptly, or just complain about something) soon after this record appears in the trace, it stands to reason that the program was expecting the resource to be accessible. The next step is to add an OpenIpcPath setting for this resource: OpenIpcPath=\\BaseNamedObjects\\Xyzzy This setting tells Sandboxie that access to the Xyzzy resource should not be blocked. Then reload the Sandboxie configuration, clear the old contents of the trace display, and restart the sandboxed program. If the program now performs better, Xyzzy was indeed the problematic resource. But if the program still fails, the trace log can be inspected again for later (or possibly earlier) failed access attempts.","title":"Analyze the Trace"},{"location":"Content/SandboxieTrace/#resource-class","text":"The trace record shows the Sandboxie resource class of the object. This indicates which OpenXxxPath setting is needed to allow access to the object. When resource class is F, as in (FA) or (FD), the relevant settings are OpenFilePath and ClosedFilePath . When resource class is K, as in (KA) or (KD), the relevant settings are OpenKeyPath and ClosedKeyPath . When resource class is I, as in (IA) or (ID), the relevant settings are OpenIpcPath and ClosedIpcPath . 
When resource class is G, as in (GA) or (GD), the relevant setting is OpenWinClass . For COM objects displayed by ClsidTrace, the relevant setting is OpenClsid .","title":"Resource Class"},{"location":"Content/SbieCtrl_HideMessage/","text":"SbieCtrl_HideMessage SbieCtrl_HideMessage is a user setting in Sandboxie Ini . It specifies which of the SBIE Messages should be hidden from popping up. . . . [UserSettings_054A02CE] SbieCtrl_HideMessage=1101 SbieCtrl_HideMessage=1102,Example Message The first parameter is mandatory and specifies the ID number of the SBIE Messages to be hidden. The second parameter is optional. If specified in Sandboxie Plus, only messages that match the text will be hidden, otherwise all occurrences of the message will be hidden. Related Sandboxie Plus setting: Global Settings > General Config > Notifications > SBIE Messages Related Sandboxie Control setting: Messages From Sandboxie pop-up window","title":"SbieCtrl_HideMessage"},{"location":"Content/SbieCtrl_HideMessage/#sbiectrl_hidemessage","text":"SbieCtrl_HideMessage is a user setting in Sandboxie Ini . It specifies which of the SBIE Messages should be hidden from popping up. . . . [UserSettings_054A02CE] SbieCtrl_HideMessage=1101 SbieCtrl_HideMessage=1102,Example Message The first parameter is mandatory and specifies the ID number of the SBIE Messages to be hidden. The second parameter is optional. If specified in Sandboxie Plus, only messages that match the text will be hidden, otherwise all occurrences of the message will be hidden. 
Related Sandboxie Plus setting: Global Settings > General Config > Notifications > SBIE Messages Related Sandboxie Control setting: Messages From Sandboxie pop-up window","title":"SbieCtrl_HideMessage"},{"location":"Content/SecureDeleteSandbox/","text":"Secure Delete Sandbox Typical file deletion makes data inaccessible to the operating system and programs, but the data is not physically wiped from the hard drive storage medium, and may be recovered by by a data recovery technician. To make this recovery more difficult, third-party software exists that can perform a secure deletion. This is typically accomplished by overwriting the data multiple times before deleting it. For more information, see Data remanence in Wikipedia . By default, Sandboxie deletes the sandbox using a standard Windows command to delete folders -- RMDIR . This makes sure the contents of the sandbox (including malicious software) are properly removed from the operating system. But as mentioned above, it leaves the data vulnerable to inspection and recovery by forensics experts. People who are concerned about the privacy of their sensitive data can plug a third-party secure deletion utility into Sandboxie, to be used instead of the standard command. You can configure a custom delete command through Sandboxie Control or by manually editing the Sandboxie Ini configuration file. In Sandboxie Control Use Sandbox Settings > Delete > Command . A couple of examples for the Delete Command: Invoke Eraser by Heidi Computers to delete the contents securely: %SystemRoot%\\System32\\eraserl.exe -folder \"%SANDBOX%\" -subfolders -method DoD_E -resultsonerror -queue Invoke SDelete by SysInternals/Microsoft to delete the contents securely. \"C:\\Program Files\\Sysinternals\\SDelete\\sdelete.exe\" -p 3 -s -q \"%SANDBOX%\" In the Sandboxie.ini Configuration File To configure a custom delete command for a particular sandbox, edit or insert the DeleteCommand setting in the sandbox section of Sandboxie Ini . 
To configure a global custom delete command, edit or insert the DeleteCommand setting in the [GlobalSettings] section of Sandboxie Ini . When specifying this setting, make sure to include \"%SANDBOX%\" (with quote marks) in the command. Before launching the delete command, Sandboxie scans the sandbox to make sure all files can be properly deleted, as described in Delete Contents of Sandbox . Go to Help Topics .","title":"Secure Delete Sandbox"},{"location":"Content/SecureDeleteSandbox/#secure-delete-sandbox","text":"Typical file deletion makes data inaccessible to the operating system and programs, but the data is not physically wiped from the hard drive storage medium, and may be recovered by by a data recovery technician. To make this recovery more difficult, third-party software exists that can perform a secure deletion. This is typically accomplished by overwriting the data multiple times before deleting it. For more information, see Data remanence in Wikipedia . By default, Sandboxie deletes the sandbox using a standard Windows command to delete folders -- RMDIR . This makes sure the contents of the sandbox (including malicious software) are properly removed from the operating system. But as mentioned above, it leaves the data vulnerable to inspection and recovery by forensics experts. People who are concerned about the privacy of their sensitive data can plug a third-party secure deletion utility into Sandboxie, to be used instead of the standard command. You can configure a custom delete command through Sandboxie Control or by manually editing the Sandboxie Ini configuration file. In Sandboxie Control Use Sandbox Settings > Delete > Command . A couple of examples for the Delete Command: Invoke Eraser by Heidi Computers to delete the contents securely: %SystemRoot%\\System32\\eraserl.exe -folder \"%SANDBOX%\" -subfolders -method DoD_E -resultsonerror -queue Invoke SDelete by SysInternals/Microsoft to delete the contents securely. 
\"C:\\Program Files\\Sysinternals\\SDelete\\sdelete.exe\" -p 3 -s -q \"%SANDBOX%\" In the Sandboxie.ini Configuration File To configure a custom delete command for a particular sandbox, edit or insert the DeleteCommand setting in the sandbox section of Sandboxie Ini . To configure a global custom delete command, edit or insert the DeleteCommand setting in the [GlobalSettings] section of Sandboxie Ini . When specifying this setting, make sure to include \"%SANDBOX%\" (with quote marks) in the command. Before launching the delete command, Sandboxie scans the sandbox to make sure all files can be properly deleted, as described in Delete Contents of Sandbox . Go to Help Topics .","title":"Secure Delete Sandbox"},{"location":"Content/SeparateUserFolders/","text":"Separate User Folders SeparateUserFolders is a sandbox setting in Sandboxie Ini available since v0.2.2 / 5.41.2. It specifies whether user profile files will be stored separately in the sandbox. . . . [DefaultBox] SeparateUserFolders=n The setting in the example will result in user profile files no longer being stored separately in the sandbox. Related Sandboxie Plus setting: Sandbox Options > File Options > Separate user folders","title":"Separate User Folders"},{"location":"Content/SeparateUserFolders/#separate-user-folders","text":"SeparateUserFolders is a sandbox setting in Sandboxie Ini available since v0.2.2 / 5.41.2. It specifies whether user profile files will be stored separately in the sandbox. . . . [DefaultBox] SeparateUserFolders=n The setting in the example will result in user profile files no longer being stored separately in the sandbox. Related Sandboxie Plus setting: Sandbox Options > File Options > Separate user folders","title":"Separate User Folders"},{"location":"Content/ServicePrograms/","text":"Service Programs Overview A Windows computers includes several service programs which are designed to accept requests from application programs. 
Many service programs run inside special svchost.exe processes (programs), although some others run as standalone processes. Programs running under Sandboxie are not allowed to reach those system service programs, due to the isolation of the sandbox. Instead, Sandboxie provides its own service programs, which run in the same sandbox as the program requesting the service. The Sandboxie service programs are started on demand. It is not an error or a problem if any of the service programs listed below are not running at any given moment. Remote Procedure Call (RPC) Program Name: SandboxieRpcSs.exe Service Name: rpcss The Component Object Model (COM) main service. This service provides a wide range of services to applications in the sandbox, including mechanisms for one application to start another application. Depending on the programs you run sandboxed, the service may or may not need to start. This service, along with the DCOM Server Process Launcher (see below) makes it possible for other service programs to start in the sandbox. DCOM Server Process Launcher Program Name: SandboxieDcomLaunch.exe Service Name: dcomlaunch This service, along with the Remote Procedure Call (RPC) (see above) makes it possible for other service programs to start in the sandbox. Note that this service is available on Windows XP Service Pack 2 and later operating systems. Cryptographic Services Program Name: SandboxieCrypto.exe Service Name: cryptsvc Manages software signing, security certificates and software catalogs.. This service manages and stores in the sandbox any digital certificates or catalog information that was installed by other programs running in the same sandbox. This service occasionally connects to the Internet address mscrl.microsoft.com . This connection is initiated by Microsoft code running within SandboxieCrypto.exe and it is part of the procedure which verifies or revokes digital certificates for Web sites and programs. 
This connection is not unique to SandboxieCrypto.exe and is initiated also by the \"real\" service program running under one of the svchost.exe processes. It is possible to block this connection through Restrictions > Internet Access or through a firewall. However, this is not recommended. Please see Certificate revocation list on Wikipedia for more information about certificate revocation. Background Intelligent Transfer Service Program Name: SandboxieBITS.exe Service Name: bits Downloads files in the background on behalf of a requesting applications. Some installation programs (most commonly for Microsoft and Google products) ask this service to download additional resource files on their behalf. The service downloads these files into the sandbox. Automatic Updates Program Name: SandboxieWUAU.exe Service Name: wuauserv Checks for Windows updates and downloads them using the Background Intelligent Transfer Service (see above). Once the updates are downloaded into the sandbox, this service will try to install them into the sandbox. Note that in some cases, updates to Windows involve the modification of core system files. Such modification might fail or have no effect, when carried out under the supervision of Sandboxie. Windows Installer Program Name: msiexec.exe Service Name: msiserver Installs software packages that were prepared using Windows Installer technology. The software will be installed into the sandbox. It is typical to see several instances of msiexec.exe start and stop during software installation.","title":"Service Programs"},{"location":"Content/ServicePrograms/#service-programs","text":"","title":"Service Programs"},{"location":"Content/ServicePrograms/#overview","text":"A Windows computers includes several service programs which are designed to accept requests from application programs. Many service programs run inside special svchost.exe processes (programs), although some others run as standalone processes. 
Programs running under Sandboxie are not allowed to reach those system service programs, due to the isolation of the sandbox. Instead, Sandboxie provides its own service programs, which run in the same sandbox as the program requesting the service. The Sandboxie service programs are started on demand. It is not an error or a problem if any of the service programs listed below are not running at any given moment.","title":"Overview"},{"location":"Content/ServicePrograms/#remote-procedure-call-rpc","text":"Program Name: SandboxieRpcSs.exe Service Name: rpcss The Component Object Model (COM) main service. This service provides a wide range of services to applications in the sandbox, including mechanisms for one application to start another application. Depending on the programs you run sandboxed, the service may or may not need to start. This service, along with the DCOM Server Process Launcher (see below) makes it possible for other service programs to start in the sandbox.","title":"Remote Procedure Call (RPC)"},{"location":"Content/ServicePrograms/#dcom-server-process-launcher","text":"Program Name: SandboxieDcomLaunch.exe Service Name: dcomlaunch This service, along with the Remote Procedure Call (RPC) (see above) makes it possible for other service programs to start in the sandbox. Note that this service is available on Windows XP Service Pack 2 and later operating systems.","title":"DCOM Server Process Launcher"},{"location":"Content/ServicePrograms/#cryptographic-services","text":"Program Name: SandboxieCrypto.exe Service Name: cryptsvc Manages software signing, security certificates and software catalogs.. This service manages and stores in the sandbox any digital certificates or catalog information that was installed by other programs running in the same sandbox. This service occasionally connects to the Internet address mscrl.microsoft.com . 
This connection is initiated by Microsoft code running within SandboxieCrypto.exe and it is part of the procedure which verifies or revokes digital certificates for Web sites and programs. This connection is not unique to SandboxieCrypto.exe and is initiated also by the \"real\" service program running under one of the svchost.exe processes. It is possible to block this connection through Restrictions > Internet Access or through a firewall. However, this is not recommended. Please see Certificate revocation list on Wikipedia for more information about certificate revocation.","title":"Cryptographic Services"},{"location":"Content/ServicePrograms/#background-intelligent-transfer-service","text":"Program Name: SandboxieBITS.exe Service Name: bits Downloads files in the background on behalf of a requesting applications. Some installation programs (most commonly for Microsoft and Google products) ask this service to download additional resource files on their behalf. The service downloads these files into the sandbox.","title":"Background Intelligent Transfer Service"},{"location":"Content/ServicePrograms/#automatic-updates","text":"Program Name: SandboxieWUAU.exe Service Name: wuauserv Checks for Windows updates and downloads them using the Background Intelligent Transfer Service (see above). Once the updates are downloaded into the sandbox, this service will try to install them into the sandbox. Note that in some cases, updates to Windows involve the modification of core system files. Such modification might fail or have no effect, when carried out under the supervision of Sandboxie.","title":"Automatic Updates"},{"location":"Content/ServicePrograms/#windows-installer","text":"Program Name: msiexec.exe Service Name: msiserver Installs software packages that were prepared using Windows Installer technology. The software will be installed into the sandbox. 
It is typical to see several instances of msiexec.exe start and stop during software installation.","title":"Windows Installer"},{"location":"Content/ShellFolders/","text":"Shell Folders In Windows, each user account has associated personal folders, typically known as Documents , Music and so on. The Windows shell records each user's personal folders, in the following registry keys. HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ . . . User Shell Folders . . . Shell Folders This key contains several registry values , each identifies a specific personal folder, and contains its absolute folder path. Most registry values in this key are named the same as the \"friendly\" name of the folder: Desktop , Favorites , Music , and so on. However, in some cases, the registry value differs: Personal stands for the Documents folder. AppData stands for the primary Application Data folder. Local AppData stands for the secondary Application Data folder, located below the Local Settings folder. Please see the registry key noted above for a complete list of possible folder names. For example, for the user joe, the registry value Personal (which identifies the Documents folder), may specify: C:\\Users\\joe\\Documents Configuration settings in Sandboxie that specify folder paths generally accept references to registry values in the Shell Folders key. This is more useful than specifying explicit folder locations. For example: [DefaultBox] RecoverFolder=%Desktop% Indicates that Quick Recovery should look for sandboxed items in the desktop folder of whichever user is making the request.","title":"Shell Folders"},{"location":"Content/ShellFolders/#shell-folders","text":"In Windows, each user account has associated personal folders, typically known as Documents , Music and so on. The Windows shell records each user's personal folders, in the following registry keys. HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ . . . 
User Shell Folders . . . Shell Folders This key contains several registry values , each identifies a specific personal folder, and contains its absolute folder path. Most registry values in this key are named the same as the \"friendly\" name of the folder: Desktop , Favorites , Music , and so on. However, in some cases, the registry value differs: Personal stands for the Documents folder. AppData stands for the primary Application Data folder. Local AppData stands for the secondary Application Data folder, located below the Local Settings folder. Please see the registry key noted above for a complete list of possible folder names. For example, for the user joe, the registry value Personal (which identifies the Documents folder), may specify: C:\\Users\\joe\\Documents Configuration settings in Sandboxie that specify folder paths generally accept references to registry values in the Shell Folders key. This is more useful than specifying explicit folder locations. For example: [DefaultBox] RecoverFolder=%Desktop% Indicates that Quick Recovery should look for sandboxed items in the desktop folder of whichever user is making the request.","title":"Shell Folders"},{"location":"Content/ShowForRunIn/","text":"Show For Run in ShowForRunIn is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will show this box in \"run in box\" selection prompt. . . . [DefaultBox] ShowForRunIn=n Specifying n indicates that this sandbox will not be shown as a candidate in \"run in sandbox\" selection window. Related Sandboxie Plus setting: Sandbox Options > General Options > Box Options > Show this box in the 'run in box' selection prompt","title":"Show For Run in"},{"location":"Content/ShowForRunIn/#show-for-run-in","text":"ShowForRunIn is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will show this box in \"run in box\" selection prompt. . . . 
[DefaultBox] ShowForRunIn=n Specifying n indicates that this sandbox will not be shown as a candidate in \"run in sandbox\" selection window. Related Sandboxie Plus setting: Sandbox Options > General Options > Box Options > Show this box in the 'run in box' selection prompt","title":"Show For Run in"},{"location":"Content/StartCommandLine/","text":"Start Command Line The Sandboxie Start program can do any of the following, depending on command line parameters specified to it. Start programs under the supervision of Sandboxie Stop sandboxed programs List sandboxed programs Delete the contents of a sandbox Reload Sandboxie configuration Initiate the Disable Forced Programs mode Related reading material Start Programs This is the default behavior. By specifying a full or partial path to a program's executable file, Sandboxie Start will launch that program under the supervision of Sandboxie: \"C:\\Program Files\\Sandboxie\\Start.exe\" c:\\windows\\system32\\notepad.exe \"C:\\Program Files\\Sandboxie\\Start.exe\" notepad.exe Two special program names are allowed: \"C:\\Program Files\\Sandboxie\\Start.exe\" default_browser \"C:\\Program Files\\Sandboxie\\Start.exe\" mail_agent Sandboxie Start can also display the Run Any Program dialog window, or the Sandboxie Start Menu, depending on parameters specified: \"C:\\Program Files\\Sandboxie\\Start.exe\" run_dialog \"C:\\Program Files\\Sandboxie\\Start.exe\" start_menu In all forms, the parameter /box:SandboxName is applicable, and may be specified between Start.exe and the parameter, to indicate a sandbox name other than the default of DefaultBox . For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox run_dialog A special form of the /box parameter is /box:__ask__ and causes Start.exe to display the sandbox selection dialog box. The parameter /silent can be used to eliminate some pop-up error messages. 
For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /silent no_such_program.exe In both silent and normal operation, Start.exe exits with a zero exit code on success, or non-zero on failure. In batch files, the exit code can be examined using the IF ERRORLEVEL condition. The parameter /elevate can be used to run a program with Administrator privileges on a system where User Account Control (UAC) is enabled. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /elevate cmd.exe The parameter /env can be used to pass an environment variable: \"C:\\Program Files\\Sandboxie\\Start.exe\" /env:VariableName=VariableValueWithoutSpace \"C:\\Program Files\\Sandboxie\\Start.exe\" /env:VariableName=\"Variable Value With Spaces\" The parameter /hide_window can be used to signal that the starting program should not display its window: \"C:\\Program Files\\Sandboxie\\Start.exe\" /hide_window cmd.exe /c automated_script.bat The parameter /wait can be used to run a program, wait for it to finish, and return the exit status from the program: \"C:\\Program Files\\Sandboxie\\Start.exe\" /wait cmd.exe Note that Start.exe is a Win32 application and not a console application, so the system \"start\" command is useful here to force the system to wait for Start.exe to finish: start /wait \"C:\\Program Files\\Sandboxie\\Start.exe\" /wait cmd /c exit 9 echo %ERRORLEVEL% 9 The system waits for Start.exe to finish, which in turn waits for \"cmd /c exit 9\" to finish, and then the exit status 9 is returned all the way back. Parameters can be combined in any order. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:CustomBox /silent MyProgram.exe Stop Programs Terminate all programs running in a particular sandbox. Note that the request is transmitted to the Sandboxie service SbieSvc, which actually carries out the termination. 
\"C:\\Program Files\\Sandboxie\\Start.exe\" /terminate \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox /terminate \"C:\\Program Files\\Sandboxie\\Start.exe\" /terminate_all If the parameter /box:SandboxName is omitted, programs running in the default sandbox, DefaultBox , will be stopped. The form /terminate_all terminates all programs in all sandboxes. Unmount Box Images These commands unmount encrypted box images or RAM disks created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /unmount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /unmount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /unmount_all If the parameter /box:SandboxName is omitted, default sandbox, DefaultBox image, will be unmounted. The form /unmount_all terminates all programs in all encrypted sandboxes and unmounts all encrypted box images, including RAM disks created by Sandboxie Plus. Mount Box Images These commands mount encrypted box images created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /key:[box image password] /mount_protected \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /key:[box image password] /mount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /key:[box image password] /mount_protected \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /key:[box image password] /mount If the parameter /box:SandboxName is omitted, default sandbox, DefaultBox image, will be mounted. The form /mount_protected mounts encrypted box images with the Box Root Protection . Box Root Protection prevents processes running outside the sandbox from accessing the root folder of the encrypted box. List Programs List the system process ID numbers for all programs running in a particular sandbox. 
\"C:\\Program Files\\Sandboxie\\Start.exe\" /listpids \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox /listpids If the parameter /box:SandboxName is omitted, programs running in the default sandbox, DefaultBox , will be listed. The output is formatted as one number per line. The first line contains the number of programs, followed by one process ID per line. Example output: \"C:\\Program Files\\Sandboxie\\Start.exe\" /listpids | more 3 3036 2136 384 Note that Start.exe is not a console applications, so the output does not appear in a command prompt window unless you pipe the output using a construct such as | more . Delete Contents of Sandbox \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent The /box:SandboxName parameter may be specified between Start.exe and the delete command. The __silent_ suffix on the delete command, indicates Sandboxie Start should silently ignore any errors and not display any error messages. The delete operation occurs in two phases: Phase 1 scans the contents of the sandbox and processes files which could pose a problem during the second phase: Junctions (also known as reparse points) are removed. Read-only files and directories are made fully accessible. Files and directories that have very long names are renamed to shorter names. Renames the sandbox to the format __Delete_(sandbox name)_(some random number) . For example, if the sandbox is DefaultBox, it could be renamed to __Delete_DefaultBox_01C4012345678912 . Phase 2 deletes any sandboxes that were processed in phase 1. Sandboxes that were processed in phase 1 are those that have been renamed as described above. More than one sandbox may be deleted in phase 2. By default, the standard system command RMDIR is used to delete the renamed sandbox folder. Alternatively, a third-party delete utility may used. See Secure Delete Sandbox . 
Issuing the delete_sandbox command causes Start.exe to invoke phase 1 followed by phase 2. Start.exe also accepts these commands to invoke a specific phase: \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_phase1 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_phase2 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent_phase1 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent_phase2 Reload Configuration This command reloads the Sandboxie configuration in SandboxieIni into the active Sandboxie driver. Typically useful after manually editing the Sandboxie.ini file. \"C:\\Program Files\\Sandboxie\\Start.exe\" /reload Note that reloading the configuration does not take effect on sandboxed programs that are already running when this command is issued. Disable Forced Programs The following command runs a program outside the sandbox, even if the program is forced. It is similar to using the Run Outside Sandbox option from the sandbox selection window of the Run Sandboxed command. \"C:\\Program Files\\Sandboxie\\Start.exe\" /dfp c:\\path\\to\\program.exe \"C:\\Program Files\\Sandboxie\\Start.exe\" /disable_force c:\\path\\to\\program.exe Note that /dfp and /disable_force are identical. You can also select this option by holding the Ctrl and Shift keys down when you click the Run Sandboxed command. An older form of this command can temporarily disable the forced programs mode, for all programs. It is similar in function to using the Disable Forced Programs command from the Tray Icon Menu in Sandboxie Control (and not the File Menu ). \"C:\\Program Files\\Sandboxie\\Start.exe\" disable_force Note the missing slash in this command syntax. Note also that this command is not a toggle. It always puts the Disable Forced Programs mode into effect and always restarts the countdown timer. At this time, Start.exe does not offer a way to request the cancellation of this mode. 
Related Reading Material See also: InjectDll and SBIE DLL API Go to Help Topics .","title":"Command Line Usage"},{"location":"Content/StartCommandLine/#start-command-line","text":"The Sandboxie Start program can do any of the following, depending on command line parameters specified to it. Start programs under the supervision of Sandboxie Stop sandboxed programs List sandboxed programs Delete the contents of a sandbox Reload Sandboxie configuration Initiate the Disable Forced Programs mode Related reading material","title":"Start Command Line"},{"location":"Content/StartCommandLine/#start-programs","text":"This is the default behavior. By specifying a full or partial path to a program's executable file, Sandboxie Start will launch that program under the supervision of Sandboxie: \"C:\\Program Files\\Sandboxie\\Start.exe\" c:\\windows\\system32\\notepad.exe \"C:\\Program Files\\Sandboxie\\Start.exe\" notepad.exe Two special program names are allowed: \"C:\\Program Files\\Sandboxie\\Start.exe\" default_browser \"C:\\Program Files\\Sandboxie\\Start.exe\" mail_agent Sandboxie Start can also display the Run Any Program dialog window, or the Sandboxie Start Menu, depending on parameters specified: \"C:\\Program Files\\Sandboxie\\Start.exe\" run_dialog \"C:\\Program Files\\Sandboxie\\Start.exe\" start_menu In all forms, the parameter /box:SandboxName is applicable, and may be specified between Start.exe and the parameter, to indicate a sandbox name other than the default of DefaultBox . For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox run_dialog A special form of the /box parameter is /box:__ask__ and causes Start.exe to display the sandbox selection dialog box. The parameter /silent can be used to eliminate some pop-up error messages. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /silent no_such_program.exe In both silent and normal operation, Start.exe exits with a zero exit code on success, or non-zero on failure. 
In batch files, the exit code can be examined using the IF ERRORLEVEL condition. The parameter /elevate can be used to run a program with Administrator privileges on a system where User Account Control (UAC) is enabled. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /elevate cmd.exe The parameter /env can be used to pass an environment variable: \"C:\\Program Files\\Sandboxie\\Start.exe\" /env:VariableName=VariableValueWithoutSpace \"C:\\Program Files\\Sandboxie\\Start.exe\" /env:VariableName=\"Variable Value With Spaces\" The parameter /hide_window can be used to signal that the starting program should not display its window: \"C:\\Program Files\\Sandboxie\\Start.exe\" /hide_window cmd.exe /c automated_script.bat The parameter /wait can be used to run a program, wait for it to finish, and return the exit status from the program: \"C:\\Program Files\\Sandboxie\\Start.exe\" /wait cmd.exe Note that Start.exe is a Win32 application and not a console application, so the system \"start\" command is useful here to force the system to wait for Start.exe to finish: start /wait \"C:\\Program Files\\Sandboxie\\Start.exe\" /wait cmd /c exit 9 echo %ERRORLEVEL% 9 The system waits for Start.exe to finish, which in turn waits for \"cmd /c exit 9\" to finish, and then the exit status 9 is returned all the way back. Parameters can be combined in any order. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:CustomBox /silent MyProgram.exe","title":"Start Programs"},{"location":"Content/StartCommandLine/#stop-programs","text":"Terminate all programs running in a particular sandbox. Note that the request is transmitted to the Sandboxie service SbieSvc, which actually carries out the termination. 
\"C:\\Program Files\\Sandboxie\\Start.exe\" /terminate \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox /terminate \"C:\\Program Files\\Sandboxie\\Start.exe\" /terminate_all If the parameter /box:SandboxName is omitted, programs running in the default sandbox, DefaultBox , will be stopped. The form /terminate_all terminates all programs in all sandboxes.","title":"Stop Programs"},{"location":"Content/StartCommandLine/#unmount-box-images","text":"These commands unmount encrypted box images or RAM disks created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /unmount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /unmount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /unmount_all If the parameter /box:SandboxName is omitted, default sandbox, DefaultBox image, will be unmounted. The form /unmount_all terminates all programs in all encrypted sandboxes and unmounts all encrypted box images, including RAM disks created by Sandboxie Plus.","title":"Unmount Box Images"},{"location":"Content/StartCommandLine/#mount-box-images","text":"These commands mount encrypted box images created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /key:[box image password] /mount_protected \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /key:[box image password] /mount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /key:[box image password] /mount_protected \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /key:[box image password] /mount If the parameter /box:SandboxName is omitted, default sandbox, DefaultBox image, will be mounted. The form /mount_protected mounts encrypted box images with the Box Root Protection . 
Box Root Protection prevents processes running outside the sandbox from accessing the root folder of the encrypted box.","title":"Mount Box Images"},{"location":"Content/StartCommandLine/#list-programs","text":"List the system process ID numbers for all programs running in a particular sandbox. \"C:\\Program Files\\Sandboxie\\Start.exe\" /listpids \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox /listpids If the parameter /box:SandboxName is omitted, programs running in the default sandbox, DefaultBox , will be listed. The output is formatted as one number per line. The first line contains the number of programs, followed by one process ID per line. Example output: \"C:\\Program Files\\Sandboxie\\Start.exe\" /listpids | more 3 3036 2136 384 Note that Start.exe is not a console applications, so the output does not appear in a command prompt window unless you pipe the output using a construct such as | more .","title":"List Programs"},{"location":"Content/StartCommandLine/#delete-contents-of-sandbox","text":"\"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent The /box:SandboxName parameter may be specified between Start.exe and the delete command. The __silent_ suffix on the delete command, indicates Sandboxie Start should silently ignore any errors and not display any error messages. The delete operation occurs in two phases: Phase 1 scans the contents of the sandbox and processes files which could pose a problem during the second phase: Junctions (also known as reparse points) are removed. Read-only files and directories are made fully accessible. Files and directories that have very long names are renamed to shorter names. Renames the sandbox to the format __Delete_(sandbox name)_(some random number) . For example, if the sandbox is DefaultBox, it could be renamed to __Delete_DefaultBox_01C4012345678912 . Phase 2 deletes any sandboxes that were processed in phase 1. 
Sandboxes that were processed in phase 1 are those that have been renamed as described above. More than one sandbox may be deleted in phase 2. By default, the standard system command RMDIR is used to delete the renamed sandbox folder. Alternatively, a third-party delete utility may used. See Secure Delete Sandbox . Issuing the delete_sandbox command causes Start.exe to invoke phase 1 followed by phase 2. Start.exe also accepts these commands to invoke a specific phase: \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_phase1 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_phase2 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent_phase1 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent_phase2","title":"Delete Contents of Sandbox"},{"location":"Content/StartCommandLine/#reload-configuration","text":"This command reloads the Sandboxie configuration in SandboxieIni into the active Sandboxie driver. Typically useful after manually editing the Sandboxie.ini file. \"C:\\Program Files\\Sandboxie\\Start.exe\" /reload Note that reloading the configuration does not take effect on sandboxed programs that are already running when this command is issued.","title":"Reload Configuration"},{"location":"Content/StartCommandLine/#disable-forced-programs","text":"The following command runs a program outside the sandbox, even if the program is forced. It is similar to using the Run Outside Sandbox option from the sandbox selection window of the Run Sandboxed command. \"C:\\Program Files\\Sandboxie\\Start.exe\" /dfp c:\\path\\to\\program.exe \"C:\\Program Files\\Sandboxie\\Start.exe\" /disable_force c:\\path\\to\\program.exe Note that /dfp and /disable_force are identical. You can also select this option by holding the Ctrl and Shift keys down when you click the Run Sandboxed command. An older form of this command can temporarily disable the forced programs mode, for all programs. 
It is similar in function to using the Disable Forced Programs command from the Tray Icon Menu in Sandboxie Control (and not the File Menu ). \"C:\\Program Files\\Sandboxie\\Start.exe\" disable_force Note the missing slash in this command syntax. Note also that this command is not a toggle. It always puts the Disable Forced Programs mode into effect and always restarts the countdown timer. At this time, Start.exe does not offer a way to request the cancellation of this mode.","title":"Disable Forced Programs"},{"location":"Content/StartCommandLine/#related-reading-material","text":"See also: InjectDll and SBIE DLL API Go to Help Topics .","title":"Related Reading Material"},{"location":"Content/StartProgram/","text":"Start Program StartProgram is a sandbox setting in Sandboxie Ini . It provides an automatic start for the specified program. For example: . . . [DefaultBox] StartProgram=%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe The example specifies that Google Chrome (chrome.exe) will be forced to run sandboxed in the sandbox DefaultBox . Technical Details StartProgram is processed by SandboxieRpcSs , which runs just once in every sandbox. Like the AutoExec setting, it is processed when the first program begins to run in a sandbox. Note that StartProgram launches the specified application in hidden mode, if supported. For services, see StartService .","title":"Start Program"},{"location":"Content/StartProgram/#start-program","text":"StartProgram is a sandbox setting in Sandboxie Ini . It provides an automatic start for the specified program. For example: . . . [DefaultBox] StartProgram=%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe The example specifies that Google Chrome (chrome.exe) will be forced to run sandboxed in the sandbox DefaultBox . Technical Details StartProgram is processed by SandboxieRpcSs , which runs just once in every sandbox. Like the AutoExec setting, it is processed when the first program begins to run in a sandbox. 
Note that StartProgram launches the specified application in hidden mode, if supported. For services, see StartService .","title":"Start Program"},{"location":"Content/StartService/","text":"Start Service StartService is a sandbox setting in Sandboxie Ini . It allows to run a service program in the sandbox. This setting expects a service name (identifier), which is defined outside the sandbox. For example: . . . [DefaultBox] StartService=Adguard Service The example specifies that the service name Adguard Service will be forced to run sandboxed in the sandbox DefaultBox . Technical Details StartService is processed by SandboxieRpcSs , which runs just once in every sandbox. Like the AutoExec setting, it is processed when the first program begins to run in a sandbox. For applications, see StartProgram .","title":"Start Service"},{"location":"Content/StartService/#start-service","text":"StartService is a sandbox setting in Sandboxie Ini . It allows to run a service program in the sandbox. This setting expects a service name (identifier), which is defined outside the sandbox. For example: . . . [DefaultBox] StartService=Adguard Service The example specifies that the service name Adguard Service will be forced to run sandboxed in the sandbox DefaultBox . Technical Details StartService is processed by SandboxieRpcSs , which runs just once in every sandbox. Like the AutoExec setting, it is processed when the first program begins to run in a sandbox. For applications, see StartProgram .","title":"Start Service"},{"location":"Content/SystemEventLog/","text":"System Event Log The System Event Log is a Windows component that collects informational and error messages issued by Windows itself and other third-party software. Sandboxie issues some messages to the System Event Log. The messages are listed with a Source value of SbieDrv. 
To access the log and view messages, use the Event Viewer tool: Windows Start Menu > Control Panel > Administrative Tools > Event Viewer For more information about the System Event Log, see Event Viewer in Wikipedia . If any Sandboxie messages are issued due to an error which prevents successful initialization, Sandboxie Control will display a flashing exclamation mark icon. Right-click the flashing icon and select Show Errors to view any related messages. Messages From Sandboxie are not stored in the Windows Event Log , a workaround is available to store the logs in a flat file . See also: SBIE Messages .","title":"System Event Log"},{"location":"Content/SystemEventLog/#system-event-log","text":"The System Event Log is a Windows component that collects informational and error messages issued by Windows itself and other third-party software. Sandboxie issues some messages to the System Event Log. The messages are listed with a Source value of SbieDrv. To access the log and view messages, use the Event Viewer tool: Windows Start Menu > Control Panel > Administrative Tools > Event Viewer For more information about the System Event Log, see Event Viewer in Wikipedia . If any Sandboxie messages are issued due to an error which prevents successful initialization, Sandboxie Control will display a flashing exclamation mark icon. Right-click the flashing icon and select Show Errors to view any related messages. Messages From Sandboxie are not stored in the Windows Event Log , a workaround is available to store the logs in a flat file . See also: SBIE Messages .","title":"System Event Log"},{"location":"Content/TechnicalAspects/","text":"Technical Aspects Sandboxie is now open source, hence no more secrets. To help interested developers to get an insight into Sandboxie's inner workings, this page provides various in-depth discussions of the employed mechanisms and security guaranties utilized. 
Topics Isolation Mechanism Code Injection","title":"Technical Aspects"},{"location":"Content/TechnicalAspects/#technical-aspects","text":"Sandboxie is now open source, hence no more secrets. To help interested developers to get an insight into Sandboxie's inner workings, this page provides various in-depth discussions of the employed mechanisms and security guaranties utilized.","title":"Technical Aspects"},{"location":"Content/TechnicalAspects/#topics","text":"Isolation Mechanism Code Injection","title":"Topics"},{"location":"Content/TestEmailConfiguration/","text":"Test Email Configuration Test and Confirm Configuration Sandboxie offers quick configuration for most email programs. Please see Sandbox Settings > Applications > Email Reader for more information. After completing the email configuration, you may want to test it to make sure that new emails will not be lost when you delete the sandbox. To do that, follow these steps: Disable Internet access in the sandbox. This is a precaution measure, to make sure that your sandboxed email program cannot retrieve new mail messages before you confirm the configuration is correct: Open Sandbox Settings > Restrictions > Internet Access , then click Block All Programs , and finally click OK . Run your email program sandboxed under Sandboxie. (You can use the Run Email Reader command from the Tray Icon Menu of Sandboxie Control .) Compose a test draft message to yourself. Don't send it. Quit your email program. If your email program suggests to send the test message, disregard the suggestion. Delete the sandbox. (See Delete Sandbox .) Run your email program normally, that is, outside the supervision of Sandboxie. Confirm that you can use the normal (unsandboxed) instance of the mail program to see and edit the test message you created. 
If the email message that you created in a sandboxed instance of your email program is also accessible in the normal (unsandboxed) instance, even after the sandbox has been deleted, then the configuration is correct. When done, re-enable Internet access in the sandbox: Open Sandbox Settings > Restrictions > Internet Access , then click Remove (to remove the restriction), and finally click OK . For more information, see Email Protection and FAQ Email .","title":"Test Email Configuration"},{"location":"Content/TestEmailConfiguration/#test-email-configuration","text":"","title":"Test Email Configuration"},{"location":"Content/TestEmailConfiguration/#test-and-confirm-configuration","text":"Sandboxie offers quick configuration for most email programs. Please see Sandbox Settings > Applications > Email Reader for more information. After completing the email configuration, you may want to test it to make sure that new emails will not be lost when you delete the sandbox. To do that, follow these steps: Disable Internet access in the sandbox. This is a precaution measure, to make sure that your sandboxed email program cannot retrieve new mail messages before you confirm the configuration is correct: Open Sandbox Settings > Restrictions > Internet Access , then click Block All Programs , and finally click OK . Run your email program sandboxed under Sandboxie. (You can use the Run Email Reader command from the Tray Icon Menu of Sandboxie Control .) Compose a test draft message to yourself. Don't send it. Quit your email program. If your email program suggests to send the test message, disregard the suggestion. Delete the sandbox. (See Delete Sandbox .) Run your email program normally, that is, outside the supervision of Sandboxie. Confirm that you can use the normal (unsandboxed) instance of the mail program to see and edit the test message you created. 
If the email message that you created in a sandboxed instance of your email program is also accessible in the normal (unsandboxed) instance, even after the sandbox has been deleted, then the configuration is correct. When done, re-enable Internet access in the sandbox: Open Sandbox Settings > Restrictions > Internet Access , then click Remove (to remove the restriction), and finally click OK . For more information, see Email Protection and FAQ Email .","title":"Test and Confirm Configuration"},{"location":"Content/TokenMagic/","text":"SandboxieDrv use of undocumented kernel exports to do its token magic Sandboxie implements isolation by running sandboxed processes with a heavily restricted primary token. As most applications cannot function this way, it hooks all NTDLL.dll calls redirecting them through an interface in the SbieDrv. The driver then can inspect the call arguments, makes the calling thread impersonate the original unrestricted token, execute the system call, and de-impersonate the thread before returning control to user mode. This way, a process running under the supervision of Sandboxie cannot issue syscalls with the original token, even if it would undo the ntdll.dll hooks. For this mechanism to work, Sandboxie utilizes a couple of undocumented operations: To create the restricted token, it uses currently the unexported function SepFilterToken as well as a couple of offsets (RestrictedSidCount, RestrictedSids, UserAndGroups, UserAndGroupCount). This mechanism could be replaced by calling CreateToken or CreateTokenEx, however these functions are not exported in the kernel either. To eliminate the dependencies on unexported symbols, for this part of the process ZwCreateTokenEx should be exported and utilized. To be able to invoke any syscall on the behalf of the sandboxed process, the driver must know the function address and argument count for each syscall index. 
Sandboxie currently obtains those by finding the address of the unexported syscall table by analyzing the KeAddSystemServiceTable function. To eliminate the dependencies on unexported symbols, it is required to export KeServiceDescriptorTableShadow. Due to limitations in PsImpersonateClient (starting with Windows XP SP2), it is required to call it with impersonation level SecurityIdentification and then change that in the opaque thread object to SecurityImpersonation. To eliminate the dependencies on unexported symbols, it would be required to provide a documented mechanism for a driver to achieve any desired impersonation level. To replace a sandboxed processes primary token, it is required to clear the PrimaryTokenFrozen bit in the EPROCESS structure, this operation is triggered from a callback registered with PsSetLoadImageNotifyRoutine. I have not investigated if it would be feasible to do the token replacement before it gets officially frozen. Other than the above essential dependencies, Sandboxie gets the Clipboard object from the window station object in order to adjust the integrity level for the stored items such that they can be accessed by the sandboxed applications.","title":"SandboxieDrv use of undocumented kernel exports to do its token magic"},{"location":"Content/TokenMagic/#sandboxiedrv-use-of-undocumented-kernel-exports-to-do-its-token-magic","text":"Sandboxie implements isolation by running sandboxed processes with a heavily restricted primary token. As most applications cannot function this way, it hooks all NTDLL.dll calls redirecting them through an interface in the SbieDrv. The driver then can inspect the call arguments, makes the calling thread impersonate the original unrestricted token, execute the system call, and de-impersonate the thread before returning control to user mode. This way, a process running under the supervision of Sandboxie cannot issue syscalls with the original token, even if it would undo the ntdll.dll hooks. 
For this mechanism to work, Sandboxie utilizes a couple of undocumented operations: To create the restricted token, it uses currently the unexported function SepFilterToken as well as a couple of offsets (RestrictedSidCount, RestrictedSids, UserAndGroups, UserAndGroupCount). This mechanism could be replaced by calling CreateToken or CreateTokenEx, however these functions are not exported in the kernel either. To eliminate the dependencies on unexported symbols, for this part of the process ZwCreateTokenEx should be exported and utilized. To be able to invoke any syscall on the behalf of the sandboxed process, the driver must know the function address and argument count for each syscall index. Sandboxie currently obtains those by finding the address of the unexported syscall table by analyzing the KeAddSystemServiceTable function. To eliminate the dependencies on unexported symbols, it is required to export KeServiceDescriptorTableShadow. Due to limitations in PsImpersonateClient (starting with Windows XP SP2), it is required to call it with impersonation level SecurityIdentification and then change that in the opaque thread object to SecurityImpersonation. To eliminate the dependencies on unexported symbols, it would be required to provide a documented mechanism for a driver to achieve any desired impersonation level. To replace a sandboxed processes primary token, it is required to clear the PrimaryTokenFrozen bit in the EPROCESS structure, this operation is triggered from a callback registered with PsSetLoadImageNotifyRoutine. I have not investigated if it would be feasible to do the token replacement before it gets officially frozen. 
Other than the above essential dependencies, Sandboxie gets the Clipboard object from the window station object in order to adjust the integrity level for the stored items such that they can be accessed by the sandboxed applications.","title":"SandboxieDrv use of undocumented kernel exports to do its token magic"},{"location":"Content/TrayIconMenu/","text":"Tray Icon Menu To invoke commands from the tray icon menu, right-click the Sandboxie tray icon that appears in your system notification area, typically at the lower-right corner of the screen. Hide Window / Show Window The first command is Hide Window when the main window of Sandboxie Control is visible. It changes to Show Window when the main window is hidden. This command shows or hides the main window of Sandboxie Control. Sandbox Sub-Menu One or more sub-menus appear for each sandbox defined. The default configuration includes only one sandbox named DefaultBox , but more can be added using the Sandbox Menu . Each sub-menu contains the following commands: The Run Web Browser command starts the system (default) Web browser. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Web Browser. (Note: If the wrong program starts, see Frequently Asked Questions to fix this.) The Run Email Reader command starts the system (default) email reader. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Email Reader. The Run Any Program command displays the Run Any Program dialog box which is similar to the standard Windows Run... dialog box. It can be used to start programs, open documents, and browse folders, all under the supervision of Sandboxie. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Any Program. The Run From Start Menu command displays the Sandboxie Start menu, similar to the standard Windows Start menu. It can be used to start programs and other shortcuts that appear in the start menu and on the desktop. 
Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> From Start Menu. The Run Windows Explorer command starts a sandboxed instance of the Windows Explorer. It can be used to navigate folders and start programs, all under the supervision of Sandboxie. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Windows Explorer. The Terminate Programs command stops all programs running in the sandbox. Same as Sandbox Menu -> (sandbox) -> Terminate Running Programs. The Quick Recovery command shows the Quick Recovery window. Same as Sandbox Menu -> (sandbox) -> Quick Recovery. The Delete Contents command shows the Delete Sandbox window. Same as Sandbox Menu -> (sandbox) -> Delete Contents. The Explore Contents command opens an unsandboxed folder view for the contents of the sandbox outside the supervision of Sandboxie . If possible, use the Files And Folders View to browse the contents of the sandbox. Same as Sandbox Menu -> (sandbox) -> Explore Contents. Terminate All Programs The Terminate All Programs command stops all programs running in all sandboxes. Same as File Menu -> Terminate All Programs. See also: Terminate All Programs in File Menu . Disable Forced Programs The Disable Forced Programs toggle command temporarily disables and re-enables forced sandboxing. See the associated command in the File Menu . Note that unlike the File Menu command, the tray icon command does not show a dialog box to alter the duration of the command. Instead, forced sandboxing will be suspended for the last duration specified, or the default of 10 seconds. Same as File Menu -> Disable Forced Programs. See also: Disable Forced Programs in File Menu . 
Run As UAC Administrator The Run As UAC Administrator (not shown in the picture; see File Menu ) toggle command tells Sandboxie to ask for elevation to Administrative privileges before starting any programs. This command is only available on Windows when User Account Control (UAC) is in effect, and the user account is not already elevated. If this command is available in the menu, then it is typically necessary to enable it before installing programs into the sandbox, and it is recommended to disable it when that installation is complete. Same as File Menu -> Run As UAC Administrator. See also: Run As UAC Administrator in File Menu . Exit The Exit command quits Sandboxie Control . Note that merely closing the window (or selecting the Hide Window command) does not quit Sandboxie Control. Same as File Menu -> Exit. Go to Sandboxie Control , Help Topics .","title":"Tray Icon Menu"},{"location":"Content/TrayIconMenu/#tray-icon-menu","text":"To invoke commands from the tray icon menu, right-click the Sandboxie tray icon that appears in your system notification area, typically at the lower-right corner of the screen.","title":"Tray Icon Menu"},{"location":"Content/TrayIconMenu/#hide-window-show-window","text":"The first command is Hide Window when the main window of Sandboxie Control is visible. It changes to Show Window when the main window is hidden. This command shows or hides the main window of Sandboxie Control.","title":"Hide Window / Show Window"},{"location":"Content/TrayIconMenu/#sandbox-sub-menu","text":"One or more sub-menus appear for each sandbox defined. The default configuration includes only one sandbox named DefaultBox , but more can be added using the Sandbox Menu . Each sub-menu contains the following commands: The Run Web Browser command starts the system (default) Web browser. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Web Browser. (Note: If the wrong program starts, see Frequently Asked Questions to fix this.) 
The Run Email Reader command starts the system (default) email reader. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Email Reader. The Run Any Program command displays the Run Any Program dialog box which is similar to the standard Windows Run... dialog box. It can be used to start programs, open documents, and browse folders, all under the supervision of Sandboxie. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Any Program. The Run From Start Menu command displays the Sandboxie Start menu, similar to the standard Windows Start menu. It can be used to start programs and other shortcuts that appear in the start menu and on the desktop. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> From Start Menu. The Run Windows Explorer command starts a sandboxed instance of the Windows Explorer. It can be used to navigate folders and start programs, all under the supervision of Sandboxie. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Windows Explorer. The Terminate Programs command stops all programs running in the sandbox. Same as Sandbox Menu -> (sandbox) -> Terminate Running Programs. The Quick Recovery command shows the Quick Recovery window. Same as Sandbox Menu -> (sandbox) -> Quick Recovery. The Delete Contents command shows the Delete Sandbox window. Same as Sandbox Menu -> (sandbox) -> Delete Contents. The Explore Contents command opens an unsandboxed folder view for the contents of the sandbox outside the supervision of Sandboxie . If possible, use the Files And Folders View to browse the contents of the sandbox. Same as Sandbox Menu -> (sandbox) -> Explore Contents.","title":"Sandbox Sub-Menu"},{"location":"Content/TrayIconMenu/#terminate-all-programs","text":"The Terminate All Programs command stops all programs running in all sandboxes. Same as File Menu -> Terminate All Programs. 
See also: Terminate All Programs in File Menu .","title":"Terminate All Programs"},{"location":"Content/TrayIconMenu/#disable-forced-programs","text":"The Disable Forced Programs toggle command temporarily disables and re-enables forced sandboxing. See the associated command in the File Menu . Note that unlike the File Menu command, the tray icon command does not show a dialog box to alter the duration of the command. Instead, forced sandboxing will be suspended for the last duration specified, or the default of 10 seconds. Same as File Menu -> Disable Forced Programs. See also: Disable Forced Programs in File Menu .","title":"Disable Forced Programs"},{"location":"Content/TrayIconMenu/#run-as-uac-administrator","text":"The Run As UAC Administrator (not shown in the picture; see File Menu ) toggle command tells Sandboxie to ask for elevation to Administrative privileges before starting any programs. This command is only available on Windows when User Account Control (UAC) is in effect, and the user account is not already elevated. If this command is available in the menu, then it is typically necessary to enable it before installing programs into the sandbox, and it is recommended to disable it when that installation is complete. Same as File Menu -> Run As UAC Administrator. See also: Run As UAC Administrator in File Menu .","title":"Run As UAC Administrator"},{"location":"Content/TrayIconMenu/#exit","text":"The Exit command quits Sandboxie Control . Note that merely closing the window (or selecting the Hide Window command) does not quit Sandboxie Control. Same as File Menu -> Exit. Go to Sandboxie Control , Help Topics .","title":"Exit"},{"location":"Content/UsageTips/","text":"Usage Tips Learn more about Quick Recovery and Immediate Recovery . Tips specific to a browser: Internet Explorer Tips and Firefox Tips . Run your email program sandboxed, for better Email Protection . See also FAQ Email . Learn how to use Sandboxie to defend against keyloggers . 
Use the Add Shortcut Icons button to create shortcuts to run your programs sandboxed. Identify sandboxed windows and programs using the File Menu -> Is Window Sandboxed? command. Force Programs , such as your Web browser, to always run sandboxed. Disable Forced Programs when you need to run a \"forced\" program not under the supervision of Sandboxie. Use Sandbox Settings > Forced Folders to protect CDROM and DVD drives. Create more sandboxes for better isolation of separate programs. Note: To run a program sandboxed means to invoke it under the supervision of Sandboxie.","title":"Usage Tips"},{"location":"Content/UsageTips/#usage-tips","text":"Learn more about Quick Recovery and Immediate Recovery . Tips specific to a browser: Internet Explorer Tips and Firefox Tips . Run your email program sandboxed, for better Email Protection . See also FAQ Email . Learn how to use Sandboxie to defend against keyloggers . Use the Add Shortcut Icons button to create shortcuts to run your programs sandboxed. Identify sandboxed windows and programs using the File Menu -> Is Window Sandboxed? command. Force Programs , such as your Web browser, to always run sandboxed. Disable Forced Programs when you need to run a \"forced\" program not under the supervision of Sandboxie. Use Sandbox Settings > Forced Folders to protect CDROM and DVD drives. Create more sandboxes for better isolation of separate programs. Note: To run a program sandboxed means to invoke it under the supervision of Sandboxie.","title":"Usage Tips"},{"location":"Content/UsePrivacyMode/","text":"Privacy Mode UsePrivacyMode is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. Usage: . . . [DefaultBox] UsePrivacyMode=y See Privacy Mode for more information.","title":"Privacy Mode"},{"location":"Content/UsePrivacyMode/#privacy-mode","text":"UsePrivacyMode is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. Usage: . . . 
[DefaultBox] UsePrivacyMode=y See Privacy Mode for more information.","title":"Privacy Mode"},{"location":"Content/UseRuleSpecificity/","text":"Use Rule Specificity UseRuleSpecificity is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. Usage: . . . [DefaultBox] UseRuleSpecificity=y See Rule Specificity for more information.","title":"Use Rule Specificity"},{"location":"Content/UseRuleSpecificity/#use-rule-specificity","text":"UseRuleSpecificity is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. Usage: . . . [DefaultBox] UseRuleSpecificity=y See Rule Specificity for more information.","title":"Use Rule Specificity"},{"location":"Content/UseSbieDeskHack/","text":"Use SbieDesk Hack UseSbieDeskHack is a sandbox setting in Sandboxie Ini . . . . [DefaultBox] UseSbieDeskHack=y A desktop object solution that is now enabled by default for all processes. Technical Details This is a desktop object solution that is used for all processes. It was initially implemented to address the issue of infinite callback problems caused by delayed loading (the infinite recursion problem has been resolved in version 0.4.0 / 5.43). It is now enabled by default. This allows Electron applications to run without the need to set the 'SpecialImage=chrome,program.exe' option. Related Sandboxie Plus setting: Sandbox Options > Various Options > Compatibility > Use desktop object workaround for all processes","title":"Use SbieDesk Hack"},{"location":"Content/UseSbieDeskHack/#use-sbiedesk-hack","text":"UseSbieDeskHack is a sandbox setting in Sandboxie Ini . . . . [DefaultBox] UseSbieDeskHack=y A desktop object solution that is now enabled by default for all processes. Technical Details This is a desktop object solution that is used for all processes. It was initially implemented to address the issue of infinite callback problems caused by delayed loading (the infinite recursion problem has been resolved in version 0.4.0 / 5.43). It is now enabled by default. 
This allows Electron applications to run without the need to set the 'SpecialImage=chrome,program.exe' option. Related Sandboxie Plus setting: Sandbox Options > Various Options > Compatibility > Use desktop object workaround for all processes","title":"Use SbieDesk Hack"},{"location":"Content/UseSecurityMode/","text":"Use Security Mode UseSecurityMode is a sandbox setting in Sandboxie Ini available since v1.3.0 / 5.58.0. Usage: . . . [DefaultBox] UseSecurityMode=y See Security Mode for more information.","title":"Use Security Mode"},{"location":"Content/UseSecurityMode/#use-security-mode","text":"UseSecurityMode is a sandbox setting in Sandboxie Ini available since v1.3.0 / 5.58.0. Usage: . . . [DefaultBox] UseSecurityMode=y See Security Mode for more information.","title":"Use Security Mode"},{"location":"Content/UserAccountsSettings/","text":"User Accounts Settings Sandboxie Control > Sandbox Settings > User Accounts: This settings page can restrict use of this sandbox to specific user accounts. The Add User button opens a standard Windows user account selection dialog box which can be used to find and select specific user accounts. User account groups may also be specified. A sandbox that has been restricted to specific users is considered hidden to all other user accounts. Those other user accounts will not see the sandbox listed in Sandboxie Control , and Forced Programs and Forced Folders settings will not apply to those user accounts. A user account to which any sandboxes are hidden will have the Reveal Hidden Sandbox command appear in the Sandbox Menu in Sandboxie Control . Related Sandboxie Ini setting: Enabled","title":"User Accounts Settings"},{"location":"Content/UserAccountsSettings/#user-accounts-settings","text":"Sandboxie Control > Sandbox Settings > User Accounts: This settings page can restrict use of this sandbox to specific user accounts. 
The Add User button opens a standard Windows user account selection dialog box which can be used to find and select specific user accounts. User account groups may also be specified. A sandbox that has been restricted to specific users is considered hidden to all other user accounts. Those other user accounts will not see the sandbox listed in Sandboxie Control , and Forced Programs and Forced Folders settings will not apply to those user accounts. A user account to which any sandboxes are hidden will have the Reveal Hidden Sandbox command appear in the Sandbox Menu in Sandboxie Control . Related Sandboxie Ini setting: Enabled","title":"User Accounts Settings"},{"location":"Content/ViewMenu/","text":"View Menu Programs The Programs command selects Programs View , which displays the programs running in each sandbox. This is the default view. Files and Folders The Files and Folders selects Files And Folders View , which displays the files and folders in each sandbox. Context Menu The Context Menu commands displays the context menu associated with the item that is highlighted (selected). The context menu can also be displayed by clicking the right mouse button on an item. An item is a sandbox, a program, a file or a folder. Not all items appear in all views.","title":"View Menu"},{"location":"Content/ViewMenu/#view-menu","text":"","title":"View Menu"},{"location":"Content/ViewMenu/#programs","text":"The Programs command selects Programs View , which displays the programs running in each sandbox. This is the default view.","title":"Programs"},{"location":"Content/ViewMenu/#files-and-folders","text":"The Files and Folders selects Files And Folders View , which displays the files and folders in each sandbox.","title":"Files and Folders"},{"location":"Content/ViewMenu/#context-menu","text":"The Context Menu commands displays the context menu associated with the item that is highlighted (selected). 
The context menu can also be displayed by clicking the right mouse button on an item. An item is a sandbox, a program, a file or a folder. Not all items appear in all views.","title":"Context Menu"},{"location":"Content/Windows8/","text":"Windows 8 Starting with version 4.02, Sandboxie fully supports Windows 8 without qualifications on both 32-bit and 64-bit editions. Please visit the Download Sandboxie web page. With version 3.76 and earlier, Windows warns that Sandboxie v3 is not compatible with Windows 8. This warning applies to versions of Sandboxie before 3.72. When using Sandboxie version 3.74 or later, you can safely disregard the warning message from Windows 8.","title":"Windows 8"},{"location":"Content/Windows8/#windows-8","text":"Starting with version 4.02, Sandboxie fully supports Windows 8 without qualifications on both 32-bit and 64-bit editions. Please visit the Download Sandboxie web page. With version 3.76 and earlier, Windows warns that Sandboxie v3 is not compatible with Windows 8. This warning applies to versions of Sandboxie before 3.72. When using Sandboxie version 3.74 or later, you can safely disregard the warning message from Windows 8.","title":"Windows 8"},{"location":"Content/WindowsXPMode/","text":"Windows XP Mode With Windows 7, Microsoft offers Windows XP Mode , which is a virtualized installation of 32-bit Windows XP Service Pack 3 running side-by-side with the primary Windows 7 operating system. Windows XP Mode is only available on the Professional, Enterprise, and Ultimate editions of Windows 7. The 32-bit edition of Sandboxie can be installed into the 32-bit Windows XP running within the 64-bit Windows 7. Thanks to the seamless integration of Windows XP Mode into the Windows 7 environment, 32-bit Sandboxie can function reasonably well within a 64-bit Windows 7. Windows XP Mode is easier to use than a stand-alone virtual machine running Windows XP, as it is better integrated into Windows 7. 
It also includes a licensed copy of Windows XP. However, this improved integration also exposes your Windows 7 system and documents to malicious changes originating in the Windows XP Mode operating system. With Sandboxie, you can have a web browser which is isolated within its own sandbox, making it more secure than your web browser running directly on Windows 7. Windows XP Mode - Install and Setup Once Windows XP Mode is installed into your Windows 7, here are step-by-step instructions to install Sandboxie and Firefox: Open the Windows XP Mode operating system. Optionally, download and install Firefox. Make sure to let Firefox designate itself as the default web browser during its installation process. Optionally, also tweak Firefox preferences, and install any add-ons you wish to use. Download and install Sandboxie. Optionally download and install an anti-virus for your Windows XP Mode operating system. Log out of the Windows XP Mode operating system. In your Windows 7 Start Menu, you should now find the Sandboxie program group: Windows 7 Start Menu > All Programs > Windows Virtual PC > Windows XP Mode Applications > Sandboxie Select Run Web browser sandboxed to run Firefox within Sandboxie.","title":"Windows XP Mode"},{"location":"Content/WindowsXPMode/#windows-xp-mode","text":"With Windows 7, Microsoft offers Windows XP Mode , which is a virtualized installation of 32-bit Windows XP Service Pack 3 running side-by-side with the primary Windows 7 operating system.","title":"Windows XP Mode"},{"location":"Content/WindowsXPMode/#windows-xp-mode-is-only-available-on-the-professional-enterprise-and-ultimate-editions-of-windows-7","text":"The 32-bit edition of Sandboxie can be installed into the 32-bit Windows XP running within the 64-bit Windows 7. Thanks to the seamless integration of Windows XP Mode into the Windows 7 environment, 32-bit Sandboxie can function reasonably well within a 64-bit Windows 7. 
Windows XP Mode is easier to use than a stand-alone virtual machine running Windows XP, as it is better integrated into Windows 7. It also includes a licensed copy of Windows XP. However, this improved integration also exposes your Windows 7 system and documents to malicious changes originating in the Windows XP Mode operating system. With Sandboxie, you can have a web browser which is isolated within its own sandbox, making it more secure than your web browser running directly on Windows 7. Windows XP Mode - Install and Setup Once Windows XP Mode is installed into your Windows 7, here are step-by-step instructions to install Sandboxie and Firefox: Open the Windows XP Mode operating system. Optionally, download and install Firefox. Make sure to let Firefox designate itself as the default web browser during its installation process. Optionally, also tweak Firefox preferences, and install any add-ons you wish to use. Download and install Sandboxie. Optionally download and install an anti-virus for your Windows XP Mode operating system. Log out of the Windows XP Mode operating system. In your Windows 7 Start Menu, you should now find the Sandboxie program group: Windows 7 Start Menu > All Programs > Windows Virtual PC > Windows XP Mode Applications > Sandboxie Select Run Web browser sandboxed to run Firefox within Sandboxie.","title":"Windows XP Mode is only available on the Professional, Enterprise, and Ultimate editions of Windows 7."},{"location":"Content/WriteFilePath/","text":"Write File Path WriteFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will hide any files or folders outside the sandbox, while allowing new files and folders to be created in the sandbox. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . 
[DefaultBox] WriteFilePath=%Cookies% This example means that program in the sandbox will not be able to see any files within the Internet Explorer cookies folder outside the sandbox, but may create files in the corresponding folder in the sandbox. In other words, existing cookies outside the sandbox will not be visible, but the program may create new cookies as if the cookie folder was empty. This setting is not applicable to files. If the path specified in the setting matches a file, the file will be treated as if it matches a ClosedFilePath setting. Note: WriteFilePath is implemented internally as an enhanced form of ClosedFilePath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Write-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Box Only (Write Only)","title":"Write File Path"},{"location":"Content/WriteFilePath/#write-file-path","text":"WriteFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will hide any files or folders outside the sandbox, while allowing new files and folders to be created in the sandbox. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . [DefaultBox] WriteFilePath=%Cookies% This example means that program in the sandbox will not be able to see any files within the Internet Explorer cookies folder outside the sandbox, but may create files in the corresponding folder in the sandbox. In other words, existing cookies outside the sandbox will not be visible, but the program may create new cookies as if the cookie folder was empty. This setting is not applicable to files. If the path specified in the setting matches a file, the file will be treated as if it matches a ClosedFilePath setting. Note: WriteFilePath is implemented internally as an enhanced form of ClosedFilePath . 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Write-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Box Only (Write Only)","title":"Write File Path"},{"location":"Content/WriteKeyPath/","text":"Write Key Path WriteKeyPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will hide any registry keys outside the sandbox, while allowing new registry keys and registry values to be created in the sandbox. Program Name Prefix may be specified. Example: . . . [DefaultBox] WriteKeyPath=HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths This example hides any data which exists outside the sandbox within the TypedPaths registry key, while allowing a program to create new keys and values within the corresponding TypedPaths registry key in the sandbox. This means that Windows Explorer running in the sandbox will not be able to display the history of paths that were typed into Windows Explorer outside the sandbox. But the Windows Explorer running in the sandbox will be able to record and store new paths as they are typed. Note: WriteKeyPath is implemented internally as an enhanced form of ClosedKeyPath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Write-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Box Only (Write Only)","title":"Write Key Path"},{"location":"Content/WriteKeyPath/#write-key-path","text":"WriteKeyPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will hide any registry keys outside the sandbox, while allowing new registry keys and registry values to be created in the sandbox. Program Name Prefix may be specified. Example: . . . 
[DefaultBox] WriteKeyPath=HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths This example hides any data which exists outside the sandbox within the TypedPaths registry key, while allowing a program to create new keys and values within the corresponding TypedPaths registry key in the sandbox. This means that Windows Explorer running in the sandbox will not be able to display the history of paths that were typed into Windows Explorer outside the sandbox. But the Windows Explorer running in the sandbox will be able to record and store new paths as they are typed. Note: WriteKeyPath is implemented internally as an enhanced form of ClosedKeyPath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Write-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Box Only (Write Only)","title":"Write Key Path"},{"location":"Content/YesOrNoSettings/","text":"Yes Or No Settings Some settings Sandboxie Ini are boolean settings. That is, they indicate whether something is or isn't; they answer a Yes/No question. To indicate the setting is enabled (or selected, or yes), specify Y. To indicate the setting is disabled (or unselected, or no), specify N. A boolean setting which not specified, or specifies some other value other than Y or N will silently revert to a default value which depends on the particular setting. For example, the default value for the OpenProtectedStorage setting is N.","title":"Yes Or No Settings"},{"location":"Content/YesOrNoSettings/#yes-or-no-settings","text":"Some settings Sandboxie Ini are boolean settings. That is, they indicate whether something is or isn't; they answer a Yes/No question. To indicate the setting is enabled (or selected, or yes), specify Y. To indicate the setting is disabled (or unselected, or no), specify N. 
A boolean setting which not specified, or specifies some other value other than Y or N will silently revert to a default value which depends on the particular setting. For example, the default value for the OpenProtectedStorage setting is N.","title":"Yes Or No Settings"},{"location":"PlusContent/BoxEncryption/","text":"Encrypted Sandboxes Encrypted Box Image support The Encrypted Box Image support empowers you to establish safeguarded sandboxed environments, fostering a level of protection that goes above and beyond to shield your confidential data. In the pursuit of unassailable data security, the integration of Encrypted Box Image support represents a monumental leap forward. This technology grants you the capacity to construct sandboxed environments fortified by AES-XTS encrypted box images. This advanced methodology leverages the well-established cryptography implementation used in DiskCryptor , to create an impervious barrier around your sensitive data. Sandboxie Driver for Uncompromised Security: A vital cornerstone in the security architecture is the SbieDrv driver. This guardian sentinel stands guard over the mounted encrypted box root folder, thwarting any unauthorized attempts by unsanctioned applications to access it. By ensuring that no data can escape the confines of the sandbox and preventing any exfiltration attempts by host applications, the sbiedrv driver establishes a watertight barrier. Secure Data Exchange and Inherent Confidentiality: Root protection being activated mandates the definition of OpenFilePath paths for seamless data exchange between the host system and the encrypted sandbox. This method guarantees that file transfers occur within controlled parameters, maintaining the integrity of your data. 
Furthermore, the default setting of ConfidentialBox=y within an encrypted sandbox preserves the sanctity of your data by inhibiting host processes from accessing the memory of processes operating within the confines of the sandbox.","title":"Encrypted Sandboxes"},{"location":"PlusContent/BoxEncryption/#encrypted-sandboxes","text":"","title":"Encrypted Sandboxes"},{"location":"PlusContent/BoxEncryption/#encrypted-box-image-support","text":"The Encrypted Box Image support empowers you to establish safeguarded sandboxed environments, fostering a level of protection that goes above and beyond to shield your confidential data. In the pursuit of unassailable data security, the integration of Encrypted Box Image support represents a monumental leap forward. This technology grants you the capacity to construct sandboxed environments fortified by AES-XTS encrypted box images. This advanced methodology leverages the well-established cryptography implementation used in DiskCryptor , to create an impervious barrier around your sensitive data.","title":"Encrypted Box Image support"},{"location":"PlusContent/BoxEncryption/#sandboxie-driver-for-uncompromised-security","text":"A vital cornerstone in the security architecture is the SbieDrv driver. This guardian sentinel stands guard over the mounted encrypted box root folder, thwarting any unauthorized attempts by unsanctioned applications to access it. By ensuring that no data can escape the confines of the sandbox and preventing any exfiltration attempts by host applications, the sbiedrv driver establishes a watertight barrier.","title":"Sandboxie Driver for Uncompromised Security:"},{"location":"PlusContent/BoxEncryption/#secure-data-exchange-and-inherent-confidentiality","text":"Root protection being activated mandates the definition of OpenFilePath paths for seamless data exchange between the host system and the encrypted sandbox. 
This method guarantees that file transfers occur within controlled parameters, maintaining the integrity of your data. Furthermore, the default setting of ConfidentialBox=y within an encrypted sandbox preserves the sanctity of your data by inhibiting host processes from accessing the memory of processes operating within the confines of the sandbox.","title":"Secure Data Exchange and Inherent Confidentiality:"},{"location":"PlusContent/BoxSnapshots/","text":"Box Snapshots (for Sandboxie Plus) A snapshot saves the current state of a sandbox. You can create multiple snapshots of a box at different times and make one of the snapshots the default. To get started, open the Sandman GUI, right-click on the desired sandbox and click 'Snapshots Manager' from the drop-down list. See image below. Note that you cannot create a snapshot if the box is empty (an error message is displayed). Note that you cannot create a snapshot if there are running processes in the box. Caveat: Snapshots must be created with box AutoDelete disabled. To do so, open the Sandman GUI and double-click on the desired box to bring up the box options window. Then, click on 'File Options' and, under 'Box Delete Options', uncheck the option to AutoDelete content, and press OK (bottom right) to apply any changes. See image below. Installing Software to a Box and Creating a Snapshot: - Select a box, disable AutoDelete, install the software to this box, set it up just the way you like. - Then, close the box, create a snapshot and enable box AutoDelete. - Now, this box will revert to the snapshot you created whenever it is closed. Updating Software Installed to a Box: - Create a pre-update snapshot (for a baseline you can revert to, if need be). - Disable box AutoDelete, update the software and test. - If all is well, create a post-update snapshot, enable box AutoDelete. - This automatically makes the last (post-update) snapshot the default. - If there are problems, you can revert to the pre-update snapshot. 
- You can always revert to any of the snapshots that you create for a box! You have the ability to create a snapshot, remove a snapshot, revert to a snapshot or (starting with Sandboxie Plus v1.0.9 ) revert to an empty box while retaining all snapshots. Caveat: It is wise to use the snapshot features only for boxes whose location is on a real disk (and not on a ramdisk). Additional Details: - Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label. - All snapshot folders for a given box are inside the box folder. - The snapshot layout and information on the current (default) snapshot are saved in the file snapshot.ini in the box folder. - The File-System snapshots are incremental. Files are duplicated only when changed (just as with real files on the host). - The Registry snapshots are NOT incremental. Each snapshot has a full copy and only the most recent reg hive file is used.","title":"Box Snapshots (for Sandboxie Plus)"},{"location":"PlusContent/BoxSnapshots/#box-snapshots-for-sandboxie-plus","text":"A snapshot saves the current state of a sandbox. You can create multiple snapshots of a box at different times and make one of the snapshots the default. To get started, open the Sandman GUI, right-click on the desired sandbox and click 'Snapshots Manager' from the drop-down list. See image below. Note that you cannot create a snapshot if the box is empty (an error message is displayed). Note that you cannot create a snapshot if there are running processes in the box. Caveat: Snapshots must be created with box AutoDelete disabled. To do so, open the Sandman GUI and double-click on the desired box to bring up the box options window. Then, click on 'File Options' and, under 'Box Delete Options', uncheck the option to AutoDelete content, and press OK (bottom right) to apply any changes. See image below. 
Installing Software to a Box and Creating a Snapshot: - Select a box, disable AutoDelete, install the software to this box, set it up just the way you like. - Then, close the box, create a snapshot and enable box AutoDelete. - Now, this box will revert to the snapshot you created whenever it is closed. Updating Software Installed to a Box: - Create a pre-update snapshot (for a baseline you can revert to, if need be). - Disable box AutoDelete, update the software and test. - If all is well, create a post-update snapshot, enable box AutoDelete. - This automatically makes the last (post-update) snapshot the default. - If there are problems, you can revert to the pre-update snapshot. - You can always revert to any of the snapshots that you create for a box! You have the ability to create a snapshot, remove a snapshot, revert to a snapshot or (starting with Sandboxie Plus v1.0.9 ) revert to an empty box while retaining all snapshots. Caveat: It is wise to use the snapshot features only for boxes whose location is on a real disk (and not on a ramdisk). Additional Details: - Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label. - All snapshot folders for a given box are inside the box folder. - The snapshot layout and information on the current (default) snapshot are saved in the file snapshot.ini in the box folder. - The File-System snapshots are incremental. Files are duplicated only when changed (just as with real files on the host). - The Registry snapshots are NOT incremental. Each snapshot has a full copy and only the most recent reg hive file is used.","title":"Box Snapshots (for Sandboxie Plus)"},{"location":"PlusContent/DNSFilter/","text":"DNS Filter In the dynamic landscape of digital security and network management, Sandboxie-Plus strides forward with a groundbreaking addition to its repertoire \u2013 DNS Query Logging, Filtering, and Redirection. 
This feature emerges as a pivotal enhancement within the realm of sandboxing, offering users an unparalleled level of control over network interactions. Empowering users with the ability to monitor, filter, and redirect DNS queries initiated by sandboxed programs for specific domains, this innovation revolutionizes the way network activities are managed within sandboxed environments. A Deeper Look into DNS Query Control The introduction of DNS Query Logging, Filtering, and Redirection signifies a remarkable advancement in the capabilities of Sandboxie-Plus. This feature is the embodiment of precision control, allowing users to influence how sandboxed applications interact with the Domain Name System (DNS). By delving into DNS activities, users can effectively manage and tailor network access, resulting in heightened security, granular oversight, and enhanced privacy. The Power of Control DNS Query Control shifts the balance of power towards users, granting them unprecedented control over how sandboxed programs interact with DNS servers. This control manifests in a multitude of benefits: 1. Security Reinforcement: With the ability to filter and block DNS queries for specific domains, users can mitigate potential security risks. Malicious domains or known threat vectors can be preemptively blocked, shielding the system from potential hazards. 2. Privacy Enhancement: By redirecting certain DNS queries, users can ensure that sensitive information remains confidential. This redirection curtails instances where sandboxed applications inadvertently reveal confidential data through DNS queries. 3. Content Control: DNS Query Control allows users to manage content access. Unwanted domains or inappropriate content can be blocked, ensuring that sandboxed applications are limited to approved and safe online resources. 4. Network Analysis: The logging component of this feature offers users the opportunity to monitor DNS activities. 
This data can provide insights into the behavior of sandboxed applications, potentially revealing any anomalous or suspicious network activity. How DNS Query Control Works The mechanics of DNS Query Control are elegantly intricate. Users can selectively block or redirect DNS queries made by sandboxed programs for specific domains. This process involves defining rules within the sandbox configuration, dictating how DNS queries to certain domains should be handled. This level of granularity empowers users to tailor the DNS experience within the sandboxed environment according to their security and privacy preferences. Embrace the Future of Network Control DNS Query Logging, Filtering, and Redirection transcends traditional sandboxing capabilities. It introduces an unprecedented level of network oversight, effectively placing users at the helm of their sandboxed network interactions. In an age where data security, privacy, and control are paramount, this feature stands as a beacon of innovation. Join us in embracing the dawn of network control with DNS Query Logging, Filtering, and Redirection \u2013 where every DNS interaction is precisely managed to align with your security vision.","title":"DNS Filter"},{"location":"PlusContent/DNSFilter/#dns-filter","text":"In the dynamic landscape of digital security and network management, Sandboxie-Plus strides forward with a groundbreaking addition to its repertoire \u2013 DNS Query Logging, Filtering, and Redirection. This feature emerges as a pivotal enhancement within the realm of sandboxing, offering users an unparalleled level of control over network interactions. 
Empowering users with the ability to monitor, filter, and redirect DNS queries initiated by sandboxed programs for specific domains, this innovation revolutionizes the way network activities are managed within sandboxed environments.","title":"DNS Filter"},{"location":"PlusContent/DNSFilter/#a-deeper-look-into-dns-query-control","text":"The introduction of DNS Query Logging, Filtering, and Redirection signifies a remarkable advancement in the capabilities of Sandboxie-Plus. This feature is the embodiment of precision control, allowing users to influence how sandboxed applications interact with the Domain Name System (DNS). By delving into DNS activities, users can effectively manage and tailor network access, resulting in heightened security, granular oversight, and enhanced privacy.","title":"A Deeper Look into DNS Query Control"},{"location":"PlusContent/DNSFilter/#the-power-of-control","text":"DNS Query Control shifts the balance of power towards users, granting them unprecedented control over how sandboxed programs interact with DNS servers. This control manifests in a multitude of benefits:","title":"The Power of Control"},{"location":"PlusContent/DNSFilter/#1-security-reinforcement","text":"With the ability to filter and block DNS queries for specific domains, users can mitigate potential security risks. Malicious domains or known threat vectors can be preemptively blocked, shielding the system from potential hazards.","title":"1. Security Reinforcement:"},{"location":"PlusContent/DNSFilter/#2-privacy-enhancement","text":"By redirecting certain DNS queries, users can ensure that sensitive information remains confidential. This redirection curtails instances where sandboxed applications inadvertently reveal confidential data through DNS queries.","title":"2. Privacy Enhancement:"},{"location":"PlusContent/DNSFilter/#3-content-control","text":"DNS Query Control allows users to manage content access. 
Unwanted domains or inappropriate content can be blocked, ensuring that sandboxed applications are limited to approved and safe online resources.","title":"3. Content Control:"},{"location":"PlusContent/DNSFilter/#4-network-analysis","text":"The logging component of this feature offers users the opportunity to monitor DNS activities. This data can provide insights into the behavior of sandboxed applications, potentially revealing any anomalous or suspicious network activity.","title":"4. Network Analysis:"},{"location":"PlusContent/DNSFilter/#how-dns-query-control-works","text":"The mechanics of DNS Query Control are elegantly intricate. Users can selectively block or redirect DNS queries made by sandboxed programs for specific domains. This process involves defining rules within the sandbox configuration, dictating how DNS queries to certain domains should be handled. This level of granularity empowers users to tailor the DNS experience within the sandboxed environment according to their security and privacy preferences.","title":"How DNS Query Control Works"},{"location":"PlusContent/DNSFilter/#embrace-the-future-of-network-control","text":"DNS Query Logging, Filtering, and Redirection transcends traditional sandboxing capabilities. It introduces an unprecedented level of network oversight, effectively placing users at the helm of their sandboxed network interactions. In an age where data security, privacy, and control are paramount, this feature stands as a beacon of innovation. Join us in embracing the dawn of network control with DNS Query Logging, Filtering, and Redirection \u2013 where every DNS interaction is precisely managed to align with your security vision.","title":"Embrace the Future of Network Control"},{"location":"PlusContent/Plus-Features/","text":"Sandboxie Plus user interface offers a multitude of new functionality which improves security, compatibility and the overall sandboxing experience. 
Some of these features (*) are however only available to users with a Support Certificate which can be obtained by contributing to the Sandboxie project or purchased in our online shop . Some more features (**) are available to participants of the Sandboxie-Insider program. Rule Specificity * With this option rules are prioritized based on their specificity (see changelog/docs for details) this way sub paths can be readable/writeable while parent parts are still protected. Security enhanced sandboxes * Restrict syscall elevation to approved known safe / filtered syscalls Limit access to device endpoints to known safe / filtered endpoints Privacy enhanced sandboxes * With this feature, by applying a preset rule collection, all locations potentially containing personal data can be protected. Applications running in boxes with personal data protection will see an empty PC with no user data on it. Compartment Mode * This mode is intended to optimize compatibility at the cost of security, here Sandboxie\u2019s token-based isolation scheme is not used. Isolation is limited to the FS minifilter as well as registry and object callbacks. This has the potential to greatly improve compatibility with various applications. Virtual Disk Integration ** RamDisk support , available since the latest insider build, allows you to create a virtual disk in your system's memory, using the ImDisk driver, which can speed up file access and increase confidentiality as all box contents will be discarded when the disk is unmounted (manually or automatically on reboot). Encrypted Box Image support is currently in development and allows you to create encrypted sandboxed environments for an even greater protection of your confidential data. With this feature the box file root is being mounted from an AES-XTS encrypted box image, other ciphers are available as well. 
Upcoming additions to this root functionality will contain secure box passphrase handling and a driver extension to prevent applications not running in the encrypted sandbox from accessing the sandboxed files. Enhanced network filtering and redirection ** Proxy injection is yet another feature which has been added in the insider builds, it allows to force any application to use a Socks 5 proxy instead of a direct connection. DNS query logging, filtering and redirection feature allows you to block, or redirect DNS queries made by sandboxed programs for selected domains. WFP (Windows Filtering Platform) support With this feature, Sandboxie can be like an application firewall which applies the rules on a per-sandbox basis, allowing the same application access to Internet in one box while blocking it in another. Windows 11 context menu integration Process/Thread handle filtering (obCallbacks) Using this mechanism greatly improves on isolation of processes and provides enhanced security. Win32 syscall hooking With this feature, Win32 syscalls can get the same treatment as NT syscalls, which helps with graphics and HW acceleration. New UI with dark mode and much more Sandboxie-Plus bring an entirely new Qt based UI sandman.exe Customizable per box run menu Global hotkey to terminate all boxes INI section editor for easy configuration of advanced options Box event triggers/scripts Ability to stop selected applications from running globally, regardless of box presets Snapshots Sandboxie-Plus can create box snapshots, with them it is possible to easily revert a box to a defined previous state. 
Box set to auto delete will auto-revert when available to the last snapshot allowing to benefit from a fresh clean box each time but with some preset configuration Enhanced debug/trace monitor Fake admin privileges Allows to make all processes in a box think they have admin permissions and act accordingly, without the potential drawbacks of granting them admin permissions Box size monitor Monitor and list box size in an own column Start Menu integration Integrate start menu entries from sandboxes into the host start menu Sandbox SID isolation Instead of using anonymous login SID, it uses custom SIDs per-sandbox like Sandboxie/DefaultBox. This way, processes from separate sandboxes won\u2019t be able accessing each other\u2019s resources. Breakout Process Allows to specify which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. Document Breakout is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandboxed instance of the associated application. ** USB drive sandboxing ** This feature allows you to automatically sandbox any USB drive that you plug into your computer, which adds an extra layer of protection to your system. EFS Support ** Support for EFS (Encrypted File System) protected files. 
ARM64 support for Windows 11 * Support ARM64 natively Support emulated x86 Support emulated x64 (ARM64EC)","title":"Plus Features"},{"location":"PlusContent/Plus-Features/#rule-specificity","text":"With this option rules are prioritized based on their specificity (see changelog/docs for details) this way sub paths can be readable/writeable while parent parts are still protected.","title":"Rule Specificity *"},{"location":"PlusContent/Plus-Features/#security-enhanced-sandboxes","text":"Restrict syscall elevation to approved known safe / filtered syscalls Limit access to device endpoints to known safe / filtered endpoints","title":"Security enhanced sandboxes *"},{"location":"PlusContent/Plus-Features/#privacy-enhanced-sandboxes","text":"With this feature, by applying a preset rule collection, all locations potentially containing personal data can be protected. Applications running in boxes with personal data protection will see an empty PC with no user data on it.","title":"Privacy enhanced sandboxes *"},{"location":"PlusContent/Plus-Features/#compartment-mode","text":"This mode is intended to optimize compatibility at the cost of security, here Sandboxie\u2019s token-based isolation scheme is not used. Isolation is limited to the FS minifilter as well as registry and object callbacks. This has the potential to greatly improve compatibility with various applications.","title":"Compartment Mode *"},{"location":"PlusContent/Plus-Features/#virtual-disk-integration","text":"RamDisk support , available since the latest insider build, allows you to create a virtual disk in your system's memory, using the ImDisk driver, which can speed up file access and increase confidentiality as all box contents will be discarded when the disk is unmounted (manually or automatically on reboot). Encrypted Box Image support is currently in development and allows you to create encrypted sandboxed environments for an even greater protection of your confidential data. 
With this feature the box file root is being mounted from an AES-XTS encrypted box image, other ciphers are available as well. Upcoming additions to this root functionality will contain secure box passphrase handling and a driver extension to prevent applications not running in the encrypted sandbox from accessing the sandboxed files.","title":"Virtual Disk Integration **"},{"location":"PlusContent/Plus-Features/#enhanced-network-filtering-and-redirection","text":"Proxy injection is yet another feature which has been added in the insider builds, it allows to force any application to use a Socks 5 proxy instead of a direct connection. DNS query logging, filtering and redirection feature allows you to block, or redirect DNS queries made by sandboxed programs for selected domains.","title":"Enhanced network filtering and redirection **"},{"location":"PlusContent/Plus-Features/#wfp-windows-filtering-platform-support","text":"With this feature, Sandboxie can be like an application firewall which applies the rules on a per-sandbox basis, allowing the same application access to Internet in one box while blocking it in another.","title":"WFP (Windows Filtering Platform) support"},{"location":"PlusContent/Plus-Features/#windows-11-context-menu-integration","text":"","title":"Windows 11 context menu integration"},{"location":"PlusContent/Plus-Features/#processthread-handle-filtering-obcallbacks","text":"Using this mechanism greatly improves on isolation of processes and provides enhanced security.","title":"Process/Thread handle filtering (obCallbacks)"},{"location":"PlusContent/Plus-Features/#win32-syscall-hooking","text":"With this feature, Win32 syscalls can get the same treatment as NT syscalls, which helps with graphics and HW acceleration.","title":"Win32 syscall hooking"},{"location":"PlusContent/Plus-Features/#new-ui-with-dark-mode-and-much-more","text":"Sandboxie-Plus bring an entirely new Qt based UI sandman.exe Customizable per box run menu Global hotkey to 
terminate all boxes INI section editor for easy configuration of advanced options Box event triggers/scripts Ability to stop selected applications from running globally, regardless of box presets","title":"New UI with dark mode and much more"},{"location":"PlusContent/Plus-Features/#snapshots","text":"Sandboxie-Plus can create box snapshots, with them it is possible to easily revert a box to a defined previous state. Box set to auto delete will auto-revert when available to the last snapshot allowing to benefit from a fresh clean box each time but with some preset configuration","title":"Snapshots"},{"location":"PlusContent/Plus-Features/#enhanced-debugtrace-monitor","text":"","title":"Enhanced debug/trace monitor"},{"location":"PlusContent/Plus-Features/#fake-admin-privileges","text":"Allows to make all processes in a box think they have admin permissions and act accordingly, without the potential drawbacks of granting them admin permissions","title":"Fake admin privileges"},{"location":"PlusContent/Plus-Features/#box-size-monitor","text":"Monitor and list box size in an own column","title":"Box size monitor"},{"location":"PlusContent/Plus-Features/#start-menu-integration","text":"Integrate start menu entries from sandboxes into the host start menu","title":"Start Menu integration"},{"location":"PlusContent/Plus-Features/#sandbox-sid-isolation","text":"Instead of using anonymous login SID, it uses custom SIDs per-sandbox like Sandboxie/DefaultBox. This way, processes from separate sandboxes won\u2019t be able accessing each other\u2019s resources.","title":"Sandbox SID isolation"},{"location":"PlusContent/Plus-Features/#breakout-process","text":"Allows to specify which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. 
Document Breakout is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandboxed instance of the associated application. **","title":"Breakout Process"},{"location":"PlusContent/Plus-Features/#usb-drive-sandboxing","text":"This feature allows you to automatically sandbox any USB drive that you plug into your computer, which adds an extra layer of protection to your system.","title":"USB drive sandboxing **"},{"location":"PlusContent/Plus-Features/#efs-support","text":"Support for EFS (Encrypted File System) protected files.","title":"EFS Support **"},{"location":"PlusContent/Plus-Features/#arm64-support-for-windows-11","text":"Support ARM64 natively Support emulated x86 Support emulated x64 (ARM64EC)","title":"ARM64 support for Windows 11 *"},{"location":"PlusContent/ProxySupport/","text":"Proxy Support In the ever-evolving landscape of network security and control, Sandboxie-Plus brings forth a powerful addition to its arsenal of features \u2013 Proxy Injection. As a testament to our commitment to providing advanced sandboxing solutions, Proxy Injection emerges as a game-changing capability within the new builds of Sandboxie-Plus. This cutting-edge feature empowers users with an unprecedented level of control over network connectivity, enabling the forceful redirection of application traffic through a Socks 5 proxy instead of relying on direct connections. A Glimpse into Proxy Injection Proxy Injection stands as a pioneering addition to the Sandboxie-Plus suite, designed to elevate the security and manageability of application interactions within sandboxed environments. This feature redefines how users can influence network behavior by seamlessly injecting a Socks 5 proxy mechanism into applications, ensuring that all network-bound activities are routed through a designated proxy server. 
The Power of Control At its core, Proxy Injection embodies the concept of control. With this feature, users wield a newfound ability to enforce the use of a Socks 5 proxy for any application, regardless of its inherent network settings. This degree of control translates into numerous tangible advantages: 1. Enhanced Privacy: By channeling application traffic through a Socks 5 proxy, users can obscure their IP addresses and enhance their online privacy. This becomes particularly crucial in scenarios where applications might inadvertently expose sensitive information. 2. Network Segmentation: Proxy Injection enables the isolation of application traffic, ensuring that interactions are confined to the proxy server. This isolation adds an extra layer of security by minimizing direct communication between applications and external servers. 3. Bypassing Geo-Restrictions: Users can strategically utilize Proxy Injection to bypass geo-restricted content or access region-specific services by routing their traffic through proxies located in desired regions. 4. Network Monitoring and Control: For security-conscious users, Proxy Injection becomes a vital tool for observing and regulating application network activity. By centralizing network traffic through a proxy server, users can closely monitor data exchanges and potentially thwart malicious activity. How Proxy Injection Works The mechanics of Proxy Injection are elegantly simple, yet profoundly effective. Users can designate specific applications (or entire boxes) to undergo proxy injection, effectively compelling these applications to establish their network connections through the selected Socks 5 proxy. The result is a controlled network environment that aligns with security and privacy preferences, effectively mitigating potential vulnerabilities that might arise from direct connections. 
Embrace the Future of Network Control Proxy Injection emerges as a visionary feature that redefines network interaction paradigms within sandboxed environments. It transforms the sandboxing experience by offering users granular control over how applications access external resources. As we forge ahead in an era where digital security is paramount, Proxy Injection emerges as a powerful tool that empowers users to safeguard their interactions, maintain privacy, and proactively manage application behavior. Join us in embracing the future of network control with Proxy Injection \u2013 where every connection is made on your terms.","title":"Proxy Support"},{"location":"PlusContent/ProxySupport/#proxy-support","text":"In the ever-evolving landscape of network security and control, Sandboxie-Plus brings forth a powerful addition to its arsenal of features \u2013 Proxy Injection. As a testament to our commitment to providing advanced sandboxing solutions, Proxy Injection emerges as a game-changing capability within the new builds of Sandboxie-Plus. This cutting-edge feature empowers users with an unprecedented level of control over network connectivity, enabling the forceful redirection of application traffic through a Socks 5 proxy instead of relying on direct connections.","title":"Proxy Support"},{"location":"PlusContent/ProxySupport/#a-glimpse-into-proxy-injection","text":"Proxy Injection stands as a pioneering addition to the Sandboxie-Plus suite, designed to elevate the security and manageability of application interactions within sandboxed environments. This feature redefines how users can influence network behavior by seamlessly injecting a Socks 5 proxy mechanism into applications, ensuring that all network-bound activities are routed through a designated proxy server.","title":"A Glimpse into Proxy Injection"},{"location":"PlusContent/ProxySupport/#the-power-of-control","text":"At its core, Proxy Injection embodies the concept of control. 
With this feature, users wield a newfound ability to enforce the use of a Socks 5 proxy for any application, regardless of its inherent network settings. This degree of control translates into numerous tangible advantages:","title":"The Power of Control"},{"location":"PlusContent/ProxySupport/#1-enhanced-privacy","text":"By channeling application traffic through a Socks 5 proxy, users can obscure their IP addresses and enhance their online privacy. This becomes particularly crucial in scenarios where applications might inadvertently expose sensitive information.","title":"1. Enhanced Privacy:"},{"location":"PlusContent/ProxySupport/#2-network-segmentation","text":"Proxy Injection enables the isolation of application traffic, ensuring that interactions are confined to the proxy server. This isolation adds an extra layer of security by minimizing direct communication between applications and external servers.","title":"2. Network Segmentation:"},{"location":"PlusContent/ProxySupport/#3-bypassing-geo-restrictions","text":"Users can strategically utilize Proxy Injection to bypass geo-restricted content or access region-specific services by routing their traffic through proxies located in desired regions.","title":"3. Bypassing Geo-Restrictions:"},{"location":"PlusContent/ProxySupport/#4-network-monitoring-and-control","text":"For security-conscious users, Proxy Injection becomes a vital tool for observing and regulating application network activity. By centralizing network traffic through a proxy server, users can closely monitor data exchanges and potentially thwart malicious activity.","title":"4. Network Monitoring and Control:"},{"location":"PlusContent/ProxySupport/#how-proxy-injection-works","text":"The mechanics of Proxy Injection are elegantly simple, yet profoundly effective. 
Users can designate specific applications (or entire boxes) to undergo proxy injection, effectively compelling these applications to establish their network connections through the selected Socks 5 proxy. The result is a controlled network environment that aligns with security and privacy preferences, effectively mitigating potential vulnerabilities that might arise from direct connections.","title":"How Proxy Injection Works"},{"location":"PlusContent/ProxySupport/#embrace-the-future-of-network-control","text":"Proxy Injection emerges as a visionary feature that redefines network interaction paradigms within sandboxed environments. It transforms the sandboxing experience by offering users granular control over how applications access external resources. As we forge ahead in an era where digital security is paramount, Proxy Injection emerges as a powerful tool that empowers users to safeguard their interactions, maintain privacy, and proactively manage application behavior. Join us in embracing the future of network control with Proxy Injection \u2013 where every connection is made on your terms.","title":"Embrace the Future of Network Control"},{"location":"PlusContent/RamDiskSupport/","text":"RamDiskSandboxes RAM Disk Support By seamlessly interfacing with the ImDisk Driver , Sandboxie Plus introduces a transformative way to allocate a portion of your system RAM for dynamic RAM Disks. This mechanism revolutionizes the speed and efficiency of your sandboxes, while also conferring distinct privacy advantages. Performance Amplification The hallmark benefit of RAM Disk Support is the remarkable performance boost it offers. Sandboxes configured with a RAM Disk can harness the lightning-fast data access and processing capabilities of your system's RAM. This means that operations within the sandbox occur at unprecedented speeds, without the constraints of traditional storage mediums. 
Privacy Enhancement Beyond the performance gains, RAM Disk Support lends an added layer of privacy to your sandboxing endeavors. Data stored in a RAM Disk is inherently volatile \u2013 once the system is powered off or the sandbox is closed, the data vanishes. This ephemeral nature of a RAM Disk significantly reduces the potential for data leaks, as there's no persistent storage where sensitive information could inadvertently reside. Integrating RAM Disk Support: Step by Step To fully embrace the potential of RAM Disk Support, follow these straightforward steps: Updating Sandbox Configuration: Open the Sandboxie Ini configuration file for the sandbox you wish to enhance. To enable the RAM Disk for this sandbox, include the following line within the respective sandbox's section: UseRamDisk=y Configuring Global Settings: To enable RAM Disk Support across all your sandboxes, navigate to the [GlobalSettings] section within the Sandboxie Ini file. Allocate the appropriate memory for the RAM Disk by adding this line: RamDiskSizeKb=2097152 This value designates the maximum size of the RAM Disk in Kilobytes. For optimal results, allocate at least 1GB of RAM to the RAM Disk. A key point to remember is the dynamic allocation of memory by RAM Disk Support. Unlike conventional storage, memory is utilized on-demand, ensuring optimal resource management. This intelligent allocation means you can allocate up to half of your system's physical RAM without encountering issues.","title":"RamDiskSandboxes"},{"location":"PlusContent/RamDiskSupport/#ramdisksandboxes","text":"","title":"RamDiskSandboxes"},{"location":"PlusContent/RamDiskSupport/#ram-disk-support","text":"By seamlessly interfacing with the ImDisk Driver , Sandboxie Plus introduces a transformative way to allocate a portion of your system RAM for dynamic RAM Disks. 
This mechanism revolutionizes the speed and efficiency of your sandboxes, while also conferring distinct privacy advantages.","title":"RAM Disk Support"},{"location":"PlusContent/RamDiskSupport/#performance-amplification","text":"The hallmark benefit of RAM Disk Support is the remarkable performance boost it offers. Sandboxes configured with a RAM Disk can harness the lightning-fast data access and processing capabilities of your system's RAM. This means that operations within the sandbox occur at unprecedented speeds, without the constraints of traditional storage mediums.","title":"Performance Amplification"},{"location":"PlusContent/RamDiskSupport/#privacy-enhancement","text":"Beyond the performance gains, RAM Disk Support lends an added layer of privacy to your sandboxing endeavors. Data stored in a RAM Disk is inherently volatile \u2013 once the system is powered off or the sandbox is closed, the data vanishes. This ephemeral nature of a RAM Disk significantly reduces the potential for data leaks, as there's no persistent storage where sensitive information could inadvertently reside.","title":"Privacy Enhancement"},{"location":"PlusContent/RamDiskSupport/#integrating-ram-disk-support-step-by-step","text":"To fully embrace the potential of RAM Disk Support, follow these straightforward steps:","title":"Integrating RAM Disk Support: Step by Step"},{"location":"PlusContent/RamDiskSupport/#updating-sandbox-configuration","text":"Open the Sandboxie Ini configuration file for the sandbox you wish to enhance. To enable the RAM Disk for this sandbox, include the following line within the respective sandbox's section: UseRamDisk=y","title":"Updating Sandbox Configuration:"},{"location":"PlusContent/RamDiskSupport/#configuring-global-settings","text":"To enable RAM Disk Support across all your sandboxes, navigate to the [GlobalSettings] section within the Sandboxie Ini file. 
Allocate the appropriate memory for the RAM Disk by adding this line: RamDiskSizeKb=2097152 This value designates the maximum size of the RAM Disk in Kilobytes. For optimal results, allocate at least 1GB of RAM to the RAM Disk. A key point to remember is the dynamic allocation of memory by RAM Disk Support. Unlike conventional storage, memory is utilized on-demand, ensuring optimal resource management. This intelligent allocation means you can allocate up to half of your system's physical RAM without encountering issues.","title":"Configuring Global Settings:"},{"location":"PlusContent/RuleSpecificity/","text":"Rule Specificity Sandboxie prior to build 5.55.0 handled rules exclusively in a very simple way, a path may be Closed , Read Only , Write Only , or Open and the priority of rule application was the same, when a closed rule matched a particular path it overruled all other rules. Starting with build 1.0.0, Sandboxie-Plus has introduced a new mechanism to evaluate and apply rules, based on how specific they are and which match level they have. The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like \"*.tmp\" would have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. 
For this feature, a new type of path directive has been introduced Normal , which allows to restore default sandboxing behaviour for a path whose parent have been set to one of the prior 4 types.","title":"Rule Specificity"},{"location":"PlusContent/RuleSpecificity/#rule-specificity","text":"Sandboxie prior to build 5.55.0 handled rules exclusively in a very simple way, a path may be Closed , Read Only , Write Only , or Open and the priority of rule application was the same, when a closed rule matched a particular path it overruled all other rules. Starting with build 1.0.0, Sandboxie-Plus has introduced a new mechanism to evaluate and apply rules, based on how specific they are and which match level they have. The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like \"*.tmp\" would have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. For this feature, a new type of path directive has been introduced Normal , which allows to restore default sandboxing behaviour for a path whose parent have been set to one of the prior 4 types.","title":"Rule Specificity"},{"location":"PlusContent/Sandboxie-Insider/","text":"The Sandboxie Plus Insider Program provides early access to new features and functionality that are not yet available to the public. 
To become a participant in the Insider Program and gain access to the private GitHub repository with new releases, you must contribute to the project in a meaningful way, such as by helping with documentation, development, providing translations, or by submitting exceptional bug reports. Alternatively, you can support the project on Patreon at the GREAT tier or above. All users with CONTRIBUTOR or HUGE certificates are automatically eligible. The insider builds introduce several new features that are designed to improve the Sandboxie experience and enhance the security of your system: RamDisk support , available since the latest insider build, allows you to create a virtual disk in your system's memory, using the ImDisk driver, which can speed up file access and increase confidentiality as all box contents will be discarded when the disk is unmounted (manually or automatically on reboot). Encrypted Box Image support is currently in development and allows you to create encrypted sandboxed environments for an even greater protection of your confidential data. With this feature the box file root is being mounted from an AES-XTS encrypted box image, other ciphers are available as well. Upcoming additions to this core functionality will contain secure box passphrase handling and a driver extension to prevent applications not running in the encrypted sandbox from accessing the sandboxed files. Proxy injection is yet another feature which has been added in the insider builds, it allows to force any application to use a Socks 5 proxy instead of a direct connection. DNS query logging, filtering and redirection feature allows you to block, or redirect DNS queries made by sandboxed programs for selected domains. USB drive sandboxing is yet another new feature that has been added to the Insider builds. This feature allows you to automatically sandbox any USB drive that you plug into your computer, which adds an extra layer of protection to your system. 
Insider builds include support for EFS, which is a feature in Windows that allows you to encrypt files and folders to protect them from unauthorized access. Document Breakout is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandbox instance of the associated application. Please note that: - The Sandboxie Plus insider builds are not like the Windows insider builds which are buggy and rushed. - The new things in the insider builds are limited to new functionality and new features. - Experimental things that may impact compatibility are tested in the public GitHub preview channel. - The Sandboxie Plus insider builds are based on stable final releases, with new functionality added on top. - The insider builds are compiled with Qt6 and provided as a unified x64/ARM64 installer.","title":"Sandboxie Insider"},{"location":"PlusContent/Sandboxie-Live/","text":"Sandboxie-Live is a fast update service (stable channel) for project supporters (users with a supporter certificate) and/or adventurous people (preview channel) wanting to try out the latest fixes and discover the newest bugs. In the \"Support & Updates\" tab in the \"Global Options\", the user can now choose from the following release channels: Stable - GitHub Releases Preview - GitHub Pre-Releases There the user can also select how to behave when a \"New Version\" (where an installer is available) or a \"Version Update\" (where only individual files of the existing installation will be updated) is found. For a \"New Version\", the following options are available: - Notify - Download & Notify - Download & Install For a \"Version Update\", the following options are available: - Ignore - Notify - Download & Notify - Download & Install There is no \"Ignore\" option for \"New Version\", as that is covered by disabling the update check. 
In the \"Stable\" channel, a check for \"Version Update\" is only available to supporters with a valid certificate. In this channel, all updates are signed and consist of the latest compatibility templates and urgent bug-fixes and translations. In the \"Preview\" channel, the \"Version Update\" consists of unsigned test builds (except the signed driver) released every few days (like 1.6.0, 1.6.1a and 1.6.1b), as here the updates contain not only half-tested fixes but also new functionality which may not yet be free of bugs.","title":"Sandboxie Live"},{"location":"PlusContent/TraceLog/","text":"Trace logging (for Sandboxie Plus) The Trace Log tool displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie Plus. Designed to make it easy to identify those system resources which should be excluded from sandboxing, this tool can be used with the Sandboxie Trace options. Important: Please consider to use the Trace Log before opening a new issue. Using the Trace Log 1. Enable Trace Log tab by opening View menu -> Trace Logging . 2. When the Trace Log tab is activated, it immediately starts to collect and display resource access information from all sandboxed programs that are running. 3. At this point, perform any specific tasks that fail when done under the supervision of Sandboxie Plus. 4. Finally, right click on the collected data and select the entry named Copy Panel . This copies the collected data into the clipboard. 5. You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis. 6. Optionally, the keyboard shortcut CTRL+F can be used to search for specific entries within the Trace Log tab. Performance Impact When inactive, the Trace Log does not use any system resources and does not have any performance impact on any running programs. When active, the Trace Log has a small performance penalty on sandboxed programs. 
Additional Improvements Sandboxie Plus v0.7.0 adds the ability to adjust the buffer size with TraceBufferPages=2560 . Sandboxie Plus v0.8.0 adds the ability to disable resource access monitor for selected sandboxes with DisableResourceMonitor=y . Sandboxie Plus v0.9.8b adds the ability to save the trace log output into a new .log file (via the floppy disk icon). Sandboxie Plus v0.9.8d adds the ability to select multiple access types at once. Sandboxie Plus v1.0.16 adds a monitor mode to the resource access trace. Sandboxie Plus v1.9.6 adds a full stack trace to all trace messages. Note that activating the Trace Log also turns on the Keep Terminated feature. This is not a bug, but a new intended behaviour. Without it, the stack trace in the Trace Log would not work properly, as it uses the process objects to cache the symbols. Sandboxie Plus v1.10.1 adds an auto scroll functionality (enabled by default in the monitor mode).","title":"Trace logging (for Sandboxie Plus)"},{"location":"PlusContent/TraceLog/#trace-logging-for-sandboxie-plus","text":"The Trace Log tool displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie Plus. Designed to make it easy to identify those system resources which should be excluded from sandboxing, this tool can be used with the Sandboxie Trace options. Important: Please consider to use the Trace Log before opening a new issue.","title":"Trace logging (for Sandboxie Plus)"},{"location":"PlusContent/TraceLog/#using-the-trace-log","text":"1. Enable Trace Log tab by opening View menu -> Trace Logging . 2. When the Trace Log tab is activated, it immediately starts to collect and display resource access information from all sandboxed programs that are running. 3. At this point, perform any specific tasks that fail when done under the supervision of Sandboxie Plus. 4. Finally, right click on the collected data and select the entry named Copy Panel . 
This copies the collected data into the clipboard. 5. You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis. 6. Optionally, the keyboard shortcut CTRL+F can be used to search for specific entries within the Trace Log tab.","title":"Using the Trace Log"},{"location":"PlusContent/TraceLog/#performance-impact","text":"When inactive, the Trace Log does not use any system resources and does not have any performance impact on any running programs. When active, the Trace Log has a small performance penalty on sandboxed programs.","title":"Performance Impact"},{"location":"PlusContent/TraceLog/#additional-improvements","text":"Sandboxie Plus v0.7.0 adds the ability to adjust the buffer size with TraceBufferPages=2560 . Sandboxie Plus v0.8.0 adds the ability to disable resource access monitor for selected sandboxes with DisableResourceMonitor=y . Sandboxie Plus v0.9.8b adds the ability to save the trace log output into a new .log file (via the floppy disk icon). Sandboxie Plus v0.9.8d adds the ability to select multiple access types at once. Sandboxie Plus v1.0.16 adds a monitor mode to the resource access trace. Sandboxie Plus v1.9.6 adds a full stack trace to all trace messages. Note that activating the Trace Log also turns on the Keep Terminated feature. This is not a bug, but a new intended behaviour. Without it, the stack trace in the Trace Log would not work properly, as it uses the process objects to cache the symbols. Sandboxie Plus v1.10.1 adds an auto scroll functionality (enabled by default in the monitor mode).","title":"Additional Improvements"},{"location":"PlusContent/USBSandboxing/","text":"USB Sandboxing Sandboxie-Plus introduces USB Drive Sandboxing, a new and impactful feature within our Insider builds. This innovative addition enhances your system's defense by automatically sandboxing any connected USB drive. 
This proactive layer of security isolates potential threats, safeguarding your system from malware and unauthorized access. Key Benefits: Instant Isolation: When you plug in a USB drive, Sandboxie-Plus automatically forces all applications on the volume to be confined to a preset sandbox. Malware Defense: USB Drive Sandboxing guards against malicious content, ensuring that harmful elements remain contained within the sandbox. Effortless Protection: With automated sandboxing, there's no need for manual intervention. Your workflow remains uninterrupted while your system's security is bolstered. Data Integrity: Even in the presence of a potentially unsafe USB drive, your data remains intact while the malicious process is confined to the sandboxed environment. Embrace a more secure future with USB Drive Sandboxing \u2013 a feature that revolutionizes your approach to external storage security, mitigating risks and reinforcing your system's defense mechanisms.","title":"USB Sandboxing"},{"location":"PlusContent/USBSandboxing/#usb-sandboxing","text":"Sandboxie-Plus introduces USB Drive Sandboxing, a new and impactful feature within our Insider builds. This innovative addition enhances your system's defense by automatically sandboxing any connected USB drive. This proactive layer of security isolates potential threats, safeguarding your system from malware and unauthorized access.","title":"USB Sandboxing"},{"location":"PlusContent/USBSandboxing/#key-benefits","text":"Instant Isolation: When you plug in a USB drive, Sandboxie-Plus automatically forces all applications on the volume to be confined to a preset sandbox. Malware Defense: USB Drive Sandboxing guards against malicious content, ensuring that harmful elements remain contained within the sandbox. Effortless Protection: With automated sandboxing, there's no need for manual intervention. Your workflow remains uninterrupted while your system's security is bolstered. 
Data Integrity: Even in the presence of a potentially unsafe USB drive, your data remains intact while the malicious process is confined to the sandboxed environment. Embrace a more secure future with USB Drive Sandboxing \u2013 a feature that revolutionizes your approach to external storage security, mitigating risks and reinforcing your system's defense mechanisms.","title":"Key Benefits:"},{"location":"PlusContent/WFPSupport/","text":"WFP (Windows Filtering Platform) support Sandboxie Plus v0.9.3 introduced a unique approach to manage network connectivity by implementing not only a kernel mode (using a driver) \"per box\" firewall built on Windows Filtering Platform (WFP) but also a user mode , outbound rule-based packet filter. WFP implementation To enable WFP functionality, add NetworkEnableWFP=y to the [GlobalSettings] section of the configuration file Sandboxie Ini and reboot the machine or reload the driver for it to take effect. WFP filtering works for both inbound and outbound traffic. To enable blocking globally, add AllowNetworkAccess=n to the [GlobalSettings] section. To enable WFP blocking for a box, such as DefaultBox, add AllowNetworkAccess=n to the [DefaultBox] section. To exempt blocking for a box, such as DefaultBox, add AllowNetworkAccess=y to the [DefaultBox] section. To allow a selected program in a box, such as DefaultBox, add AllowNetworkAccess=program.exe,y to the [DefaultBox] section. To block a selected program in a box, such as DefaultBox, add AllowNetworkAccess=program.exe,n to the [DefaultBox] section. Limitations of the WFP implementation: WFP will filter only TCP/UDP protocols. The WFP filter rules can be implemented by restricting communication only to specified IP addresses or selected port numbers by using a rule based hierarchy based on \"NetworkAccess=...\" (as described later). 
Restricted boxed processes will still be able to resolve domain names using the system service but will not be able to send or receive data packets directly. User Mode Packet Filter implementation Sandboxie Plus v0.9.3 also added a fully functional rule-based packet filter in user mode for the case when NetworkEnableWFP=y is not set. This mechanism also replaces the primitive \"BlockPort=...\" functionality of older versions. Limitations of the user mode filter: If WFP support is not enabled, the same rules can still be set and used, but they will be applied only by means of user mode hooks. Unlike the WFP implementation, they will apply only to outgoing connections and there are no enforcement guarantees as user mode hooks can be bypassed or disabled by a malicious application. Caveat: For reliable isolation, the use of kernel mode WFP-based filtering is strongly recommended . The rationale for two filtering modes: The rationale for implementing network functionality in both user mode and kernel mode (driver) is twofold. First, it allows for easier debugging of the rule processing code (simpler to debug in user mode) as both modes use the same code to make decisions based on the preset rules. Second, the WFP callouts are global i.e. they are triggered for any process on the system whether sandboxed or not. In the latter case they don't do anything and the use of a hash map to identify sandboxed programs that require action can provide optimal performance. Combining WFP with user mode filtering: If you set \"block internet access\" for a given process and have the driver (for WFP) enabled, you can select for that box which method to apply: using WFP or blocking network devices. Even though the approach of blocking the network device endpoints is more absolute, it has been known to cause some applications to crash. WFP and multiple firewalls Commercially available firewalls implement the Windows Filtering Platform (WFP) by installing a provider of filter rules. 
Some use the standard Windows Firewall's provider, while others create their own. Some use WFP at the user mode level (no drivers), while others use WFP in kernel mode (based on their own driver). If several firewalls are installed and active at the same time, each driver installs its own callout functions at the positions in the network stack it wants to control and all those functions are then called by the kernel for ALL the drivers (providers). This results in an amalgamation of rules set by each firewall. An inbuilt arbitration mechanism in WFP then decides which rules take precedence. Some firewalls recommend turning off the native Windows firewall in order to work effectively, while others can work even with the Windows firewall active. Users who have found a firewall they like are typically very reluctant to switch. Does Sandboxie Plus conflict with other firewalls? Another firewall installed on a system (including the Windows firewall) does not conflict with Sandboxie Plus and can be used to block programs (sandboxed or not), but its rules are typically global and based on absolute program paths. The WFP implementation in Sandboxie Plus, on the other hand, offers the added advantage of \"per box\" rules which affect only processes within a given sandbox (without specifying program paths). For example, Box1 may allow network access for Program1, while in Box2 the same Program1 may be blocked or even allowed but with a different set of rules for network access. Implementing network access rules in Sandboxie Plus The Sandman UI provides us with a method for editing and testing network rules. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Then click on Network Options in the left panel and select the Network Firewall tab. The Test Rules row appears at the bottom, below the rule list (which may or may not be already populated). 
One can enter program name, port number, IP address and protocol to see which rules are in play and which rule will be applied in the end. The choice of blocking (using WFP or by denying access to network devices) is selected in the Process Restrictions tab. The attributes at our disposal (with some examples of syntax) are: Action = Allow | Block (selected from the Network Restrictions tab) Program = program.exe Port = 80,443,1000-2000 Address = 111.222.333.444,0.0.0.0-255.255.255.255 Protocol = TCP | UDP The following rules precedence scheme determines rule hierarchy: A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs. A rule with a Port number or IP address trumps a rule without: 2a. A rule with an IP address and Port number trumps a rule with an IP address only or Port number only. 2b. A rule with one IP address trumps a rule with an IP address range that is besides that on the same level. Block rules trump Allow rules. A rule without a Protocol means all protocols. 4a. A rule with a Protocol trumps a rule without, if it is the only difference. 
Some examples: NetworkAccess=*,Block;Port=80,443 - block rule for selected port numbers NetworkAccess=*,Block;Port=80,443;Protocol=TCP - block rule for all TCP connections NetworkAccess=*,Block;Port=80,443;Address=0.0.0.0-255.255.255.255 - block rule to deny network access NetworkAccess=*,Allow;Port=80,443;Address=111.222.333.444 - allow any program to access this IP address NetworkAccess=chrome.exe,Allow;Port=80,443 - allow chrome.exe to access any IP address NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444 - allow chrome.exe to access one IP address BlockPorts template: - NetworkAccess=*,Block;Port=137,138,139,445 - enabled by default since version 1.3.4 / 5.58.4","title":"WFP (Windows Filtering Platform) support"},{"location":"PlusContent/WFPSupport/#wfp-windows-filtering-platform-support","text":"Sandboxie Plus v0.9.3 introduced a unique approach to manage network connectivity by implementing not only a kernel mode (using a driver) \"per box\" firewall built on Windows Filtering Platform (WFP) but also a user mode , outbound rule-based packet filter.","title":"WFP (Windows Filtering Platform) support"},{"location":"PlusContent/WFPSupport/#wfp-implementation","text":"To enable WFP functionality, add NetworkEnableWFP=y to the [GlobalSettings] section of the configuration file Sandboxie Ini and reboot the machine or reload the driver for it to take effect. WFP filtering works for both inbound and outbound traffic. To enable blocking globally, add AllowNetworkAccess=n to the [GlobalSettings] section. To enable WFP blocking for a box, such as DefaultBox, add AllowNetworkAccess=n to the [DefaultBox] section. To exempt blocking for a box, such as DefaultBox, add AllowNetworkAccess=y to the [DefaultBox] section. To allow a selected program in a box, such as DefaultBox, add AllowNetworkAccess=program.exe,y to the [DefaultBox] section. 
To block a selected program in a box, such as DefaultBox, add AllowNetworkAccess=program.exe,n to the [DefaultBox] section. Limitations of the WFP implementation: WFP will filter only TCP/UDP protocols. The WFP filter rules can be implemented by restricting communication only to specified IP addresses or selected port numbers by using a rule based hierarchy based on \"NetworkAccess=...\" (as described later). Restricted boxed processes will still be able to resolve domain names using the system service but will not be able to send or receive data packets directly.","title":"WFP implementation"},{"location":"PlusContent/WFPSupport/#user-mode-packet-filter-implementation","text":"Sandboxie Plus v0.9.3 also added a fully functional rule-based packet filter in user mode for the case when NetworkEnableWFP=y is not set. This mechanism also replaces the primitive \"BlockPort=...\" functionality of older versions. Limitations of the user mode filter: If WFP support is not enabled, the same rules can still be set and used, but they will be applied only by means of user mode hooks. Unlike the WFP implementation, they will apply only to outgoing connections and there are no enforcement guarantees as user mode hooks can be bypassed or disabled by a malicious application. Caveat: For reliable isolation, the use of kernel mode WFP-based filtering is strongly recommended . The rationale for two filtering modes: The rationale for implementing network functionality in both user mode and kernel mode (driver) is twofold. First, it allows for easier debugging of the rule processing code (simpler to debug in user mode) as both modes use the same code to make decisions based on the preset rules. Second, the WFP callouts are global i.e. they are triggered for any process on the system whether sandboxed or not. In the latter case they don't do anything and the use of a hash map to identify sandboxed programs that require action can provide optimal performance. 
Combining WFP with user mode filtering: If you set \"block internet access\" for a given process and have the driver (for WFP) enabled, you can select for that box which method to apply: using WFP or blocking network devices. Even though the approach of blocking the network device endpoints is more absolute, it has been known to cause some applications to crash.","title":"User Mode Packet Filter implementation"},{"location":"PlusContent/WFPSupport/#wfp-and-multiple-firewalls","text":"Commercially available firewalls implement the Windows Filtering Platform (WFP) by installing a provider of filter rules. Some use the standard Windows Firewall's provider, while others create their own. Some use WFP at the user mode level (no drivers), while others use WFP in kernel mode (based on their own driver). If several firewalls are installed and active at the same time, each driver installs its own callout functions at the positions in the network stack it wants to control and all those functions are then called by the kernel for ALL the drivers (providers). This results in an amalgamation of rules set by each firewall. An inbuilt arbitration mechanism in WFP then decides which rules take precedence. Some firewalls recommend turning off the native Windows firewall in order to work effectively, while others can work even with the Windows firewall active. Users who have found a firewall they like are typically very reluctant to switch. Does Sandboxie Plus conflict with other firewalls? Another firewall installed on a system (including the Windows firewall) does not conflict with Sandboxie Plus and can be used to block programs (sandboxed or not), but its rules are typically global and based on absolute program paths. The WFP implementation in Sandboxie Plus, on the other hand, offers the added advantage of \"per box\" rules which affect only processes within a given sandbox (without specifying program paths). 
For example, Box1 may allow network access for Program1, while in Box2 the same Program1 may be blocked or even allowed but with a different set of rules for network access.","title":"WFP and multiple firewalls"},{"location":"PlusContent/WFPSupport/#implementing-network-access-rules-in-sandboxie-plus","text":"The Sandman UI provides us with a method for editing and testing network rules. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Then click on Network Options in the left panel and select the Network Firewall tab. The Test Rules row appears at the bottom, below the rule list (which may or may not be already populated). One can enter program name, port number, IP address and protocol to see which rules are in play and which rule will be applied in the end. The choice of blocking (using WFP or by denying access to network devices) is selected in the Process Restrictions tab. The attributes at our disposal (with some examples of syntax) are: Action = Allow | Block (selected from the Network Restrictions tab) Program = program.exe Port = 80,443,1000-2000 Address = 111.222.333.444,0.0.0.0-255.255.255.255 Protocol = TCP | UDP The following rules precedence scheme determines rule hierarchy: A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs. A rule with a Port number or IP address trumps a rule without: 2a. A rule with an IP address and Port number trumps a rule with an IP address only or Port number only. 2b. A rule with one IP address trumps a rule with an IP address range that is besides that on the same level. Block rules trump Allow rules. A rule without a Protocol means all protocols. 4a. A rule with a Protocol trumps a rule without, if it is the only difference. 
Some examples: NetworkAccess=*,Block;Port=80,443 - block rule for selected port numbers NetworkAccess=*,Block;Port=80,443;Protocol=TCP - block rule for all TCP connections NetworkAccess=*,Block;Port=80,443;Address=0.0.0.0-255.255.255.255 - block rule to deny network access NetworkAccess=*,Allow;Port=80,443;Address=111.222.333.444 - allow any program to access this IP address NetworkAccess=chrome.exe,Allow;Port=80,443 - allow chrome.exe to access any IP address NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444 - allow chrome.exe to access one IP address BlockPorts template: - NetworkAccess=*,Block;Port=137,138,139,445 - enabled by default since version 1.3.4 / 5.58.4","title":"Implementing network access rules in Sandboxie Plus"},{"location":"PlusContent/applying-supporter-certificate/","text":"Applying a Supporter Certificate using the Modern SandMan UI To apply a supporter certificate, please start Sandboxie Plus and open the global settings: In the global options, please go to the \"Support & Updates\" page: Enter your entire certificate starting with NAME: up to and including the last two equal signs == , then press Apply (or OK): Then you will be prompted to grant administrative privileges, you will need to allow them for the certificate to be installed: Depending on your OS preset, you may also need to confirm an UAC prompt: Once the certificate is accepted, the entry field should become green: And a notification popup window should appear.","title":"Applying a Supporter Certificate using the Modern SandMan UI"},{"location":"PlusContent/applying-supporter-certificate/#applying-a-supporter-certificate-using-the-modern-sandman-ui","text":"To apply a supporter certificate, please start Sandboxie Plus and open the global settings: In the global options, please go to the \"Support & Updates\" page: Enter your entire certificate starting with NAME: up to and including the last two equal signs == , then press Apply (or OK): Then you will be prompted 
to grant administrative privileges, you will need to allow them for the certificate to be installed: Depending on your OS preset, you may also need to confirm an UAC prompt: Once the certificate is accepted, the entry field should become green: And a notification popup window should appear.","title":"Applying a Supporter Certificate using the Modern SandMan UI"},{"location":"PlusContent/black-box/","text":"Black Box TODO","title":"Black Box"},{"location":"PlusContent/black-box/#black-box","text":"TODO","title":"Black Box"},{"location":"PlusContent/box-preset-comparison/","text":"Sandboxie Plus offers a bunch of different box configuration presets. A sandbox typically isolates your host system from processes running within the box, it prevents them from making permanent changes to other programs and data in your computer. The level of isolation impacts your security as well as the compatibility with applications. Sandboxie Plus can protect your personal data from being accessed by processes running under its supervision. Sandboxie Plus can also be used to protect confidential data by creating an encrypted sandbox and restricting access to the root folder for processes running within the sandbox. Box Preset Security Hardened Data Protection Compatibility Encrypted Confidential Red Box YES YES NO NO NO Orange Box YES NO NO NO NO Blue Box NO YES NO NO NO Yellow Box NO NO NO NO NO Cyan Box NO YES YES NO NO Green Box NO NO YES NO NO Black Box NO NO YES YES YES","title":"Box preset comparison"},{"location":"PlusContent/compartment-mode/","text":"Compartment Mode NOTE: This feature requires a supporter certificate . The concept of an \"Application Compartment\" mode was introduced in Sandboxie Plus v1.0.0 . This mode disables the normally used token-based security isolation in order to significantly improve compatibility while still retaining a level of security comparable to that of other available sandboxing products. 
It avoids many of the typical Sandboxie issues caused by processes running with a heavily restricted token. The setting for a compartment box can be enabled by adding NoSecurityIsolation=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Application Compartment (NO Isolation)\" (with a green box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Application Compartment . In compartment mode, file system and registry filtering are still in place to enforce any access rules. So, processes do run without administrative privileges. This filtering can be disabled by adding NoSecurityFiltering=y to the box settings section of Sandboxie Ini in order to provide a greater degree of compatibility. A new object access filter, enabled by default for new installations since Sandboxie Plus v1.0.16 , replaces the Sandboxie's old process/thread handle filter to facilitate process isolation. For previous versions starting with Sandboxie Plus v1.0.0 , it can be enabled by adding EnableObjectFiltering=y to the [GlobalSettings] section of Sandboxie Ini . Caveat: Even though an application compartment virtualizes the file system and registry, it does not change the process token or apply other more limiting restrictions. As a result, a process could potentially escape the virtualization. Because of this reduced security (even though it is only a slight reduction), this mode should be avoided for untrusted applications . Recent Changes: Token based workarounds were added in subsequent Sandboxie Plus versions to facilitate even greater compatibility with the more commonly used programs. They used DropAppContainerToken=y for such workarounds and FakeAppContainerToken=program.exe,n to disable their use for a specific program. 
In Sandboxie Plus v1.8.2a and above, such workarounds are disabled when in compartment mode. In case of issues with some programs (primarily browsers), they can be re-enabled by using DeprecatedTokenHacks=y . Sandboxie Plus v1.8.0 moved the built-in access rules for an application compartment box to a dedicated template (included in the file Templates.ini under the [TemplateAppCPaths] section) for easier management. Sandboxie Plus v1.10.1 addressed and fixed various long-standing bugs affecting application compartment boxes. Fun Fact (for any box type): If you add OpenFilePath=* to the box settings section of Sandboxie Ini (or disable the isolation in some other way), the status column in the Sandman UI displays OPEN Root Access as a warning that this box is no longer really a \"sandbox\"! Starting with Sandboxie Plus v1.3.2 , the box icon also changes its default color.","title":"Compartment Mode"},{"location":"PlusContent/compartment-mode/#compartment-mode","text":"NOTE: This feature requires a supporter certificate . The concept of an \"Application Compartment\" mode was introduced in Sandboxie Plus v1.0.0 . This mode disables the normally used token-based security isolation in order to significantly improve compatibility while still retaining a level of security comparable to that of other available sandboxing products. It avoids many of the typical Sandboxie issues caused by processes running with a heavily restricted token. The setting for a compartment box can be enabled by adding NoSecurityIsolation=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Application Compartment (NO Isolation)\" (with a green box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Application Compartment . 
In compartment mode, file system and registry filtering are still in place to enforce any access rules. So, processes do run without administrative privileges. This filtering can be disabled by adding NoSecurityFiltering=y to the box settings section of Sandboxie Ini in order to provide a greater degree of compatibility. A new object access filter, enabled by default for new installations since Sandboxie Plus v1.0.16 , replaces the Sandboxie's old process/thread handle filter to facilitate process isolation. For previous versions starting with Sandboxie Plus v1.0.0 , it can be enabled by adding EnableObjectFiltering=y to the [GlobalSettings] section of Sandboxie Ini . Caveat: Even though an application compartment virtualizes the file system and registry, it does not change the process token or apply other more limiting restrictions. As a result, a process could potentially escape the virtualization. Because of this reduced security (even though it is only a slight reduction), this mode should be avoided for untrusted applications . Recent Changes: Token based workarounds were added in subsequent Sandboxie Plus versions to facilitate even greater compatibility with the more commonly used programs. They used DropAppContainerToken=y for such workarounds and FakeAppContainerToken=program.exe,n to disable their use for a specific program. In Sandboxie Plus v1.8.2a and above, such workarounds are disabled when in compartment mode. In case of issues with some programs (primarily browsers), they can be re-enabled by using DeprecatedTokenHacks=y . Sandboxie Plus v1.8.0 moved the built-in access rules for an application compartment box to a dedicated template (included in the file Templates.ini under the [TemplateAppCPaths] section) for easier management. Sandboxie Plus v1.10.1 addressed and fixed various long-standing bugs affecting application compartment boxes. 
Fun Fact (for any box type): If you add OpenFilePath=* to the box settings section of Sandboxie Ini (or disable the isolation in some other way), the status column in the Sandman UI displays OPEN Root Access as a warning that this box is no longer really a \"sandbox\"! Starting with Sandboxie Plus v1.3.2 , the box icon also changes its default color.","title":"Compartment Mode"},{"location":"PlusContent/imdisk/","text":"ImDisk TODO","title":"ImDisk"},{"location":"PlusContent/imdisk/#imdisk","text":"TODO","title":"ImDisk"},{"location":"PlusContent/privacy-mode/","text":"Privacy Mode NOTE: This feature requires a supporter certificate . The concept of privacy mode and privacy enhanced (or Data Protection) boxes was introduced in Sandboxie Plus v1.0.0 . In this mode, most of the locations on a PC are set to be treated like a Write[File/Key]Path, which means the sandboxed locations are writable, but the unsandboxed locations are not readable. In addition, the registry does not allow reading of user root keys. In other words, even though sandboxed processes can continue to work, they cannot access private user data. The setting for a privacy enhanced box can be enabled by adding UsePrivacyMode=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Sandbox with Data Protection\" (with a blue box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Privacy Enhanced . What is User Space? AppGuard refers to user space as \"computer storage space that is typically accessible by non-admin Windows users. 
It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives.\" Think of \"user space\" as everything outside the system (where the core operating system and programs live), in other words, outside the C:\\Windows , C:\\Program Files , and C:\\Program Files (x86) folders! Internally, a privacy enhanced box is based on three defaults: 1. Allow read access to system resources: - C:\\Windows - C:\\Program Files - C:\\Program Files (x86) - C:\\ProgramData\\Microsoft (since Sandboxie Plus v1.12.7 ) - Registry resources under HKLM (but not HKCU) are readable and can be sandboxed. - Note: The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using Write[File/Key]Path ) if desired. Hide (and block access to) user space: In user space, a privacy box works in default block mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking Rule Specificity . Enable Rule Specificity: Internally, rule specificity is always enabled in privacy mode. It uses the Normal path directive ( Normal[File/Ipc/Key]Path ) to open selected locations to be readable and sandboxed . Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for blue boxes (based on privacy mode) but also for red boxes (with both privacy mode and security mode enabled). 
Recent Changes: Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with Sandboxie Plus v1.8.0 , all built-in access rules have been moved to a set of default templates (included in the file Templates.ini under the [TemplatePModPaths] section) for easier management.","title":"Privacy Mode"},{"location":"PlusContent/privacy-mode/#privacy-mode","text":"NOTE: This feature requires a supporter certificate . The concept of privacy mode and privacy enhanced (or Data Protection) boxes was introduced in Sandboxie Plus v1.0.0 . In this mode, most of the locations on a PC are set to be treated like a Write[File/Key]Path, which means the sandboxed locations are writable, but the unsandboxed locations are not readable. In addition, the registry does not allow reading of user root keys. In other words, even though sandboxed processes can continue to work, they cannot access private user data. The setting for a privacy enhanced box can be enabled by adding UsePrivacyMode=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Sandbox with Data Protection\" (with a blue box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Privacy Enhanced . What is User Space? AppGuard refers to user space as \"computer storage space that is typically accessible by non-admin Windows users. 
It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives.\" Think of \"user space\" as everything outside the system (where the core operating system and programs live), in other words, outside the C:\\Windows , C:\\Program Files , and C:\\Program Files (x86) folders! Internally, a privacy enhanced box is based on three defaults: 1. Allow read access to system resources: - C:\\Windows - C:\\Program Files - C:\\Program Files (x86) - C:\\ProgramData\\Microsoft (since Sandboxie Plus v1.12.7 ) - Registry resources under HKLM (but not HKCU) are readable and can be sandboxed. - Note: The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using Write[File/Key]Path ) if desired. Hide (and block access to) user space: In user space, a privacy box works in default block mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking Rule Specificity . Enable Rule Specificity: Internally, rule specificity is always enabled in privacy mode. It uses the Normal path directive ( Normal[File/Ipc/Key]Path ) to open selected locations to be readable and sandboxed . Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for blue boxes (based on privacy mode) but also for red boxes (with both privacy mode and security mode enabled). 
Recent Changes: Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with Sandboxie Plus v1.8.0 , all built-in access rules have been moved to a set of default templates (included in the file Templates.ini under the [TemplatePModPaths] section) for easier management.","title":"Privacy Mode"},{"location":"PlusContent/sandboxie-plus/","text":"Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. It is being developed by David Xanatos since it became open source, before that it was developed by Sophos (which acquired it from Invincea, which acquired it earlier from the original author Ronen Tzur). It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying the local or mapped drive. An isolated virtual environment allows controlled testing of untrusted programs and web surfing. Since the open sourcing, Sandboxie is being released in two flavors: the Classic build with a MFC -based UI and a Plus build that incorporates new features with an entirely new Qt -based UI. All newly added features target the Plus branch, but can often be utilized in the Classic edition by manually editing the Sandboxie Ini file. The full Sandboxie documentation can be found through the Support Page Index , or you can start directly with the Help Topics overview.","title":"Sandboxie plus"},{"location":"PlusContent/sandboxie-portable/","text":"Sandboxie-Portable TODO","title":"Sandboxie-Portable"},{"location":"PlusContent/sandboxie-portable/#sandboxie-portable","text":"TODO","title":"Sandboxie-Portable"},{"location":"PlusContent/security-mode/","text":"Security Hardened Mode NOTE: This feature requires a supporter certificate . The security hardened box and the concept of security hardened mode was introduced in Sandboxie Plus v1.3.0 . 
It restricts NT syscall elevation to approved known safe/filtered syscalls. It also provides device security by restricting device access to known safe/filtered endpoints. The setting for a security hardened box can be enabled by adding UseSecurityMode=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Security Hardened Sandbox\" (with an orange box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Enhanced Isolation . Internally, the security hardened mode is based on four settings: DropAdminRights=y RestrictDevices=y SysCallLockDown=y UseRuleSpecificity=y DropAdminRights : Prior to Sandboxie Plus v1.3.0 , any box with DropAdminRights=y was considered hardened and labeled \"Enhanced Isolation\" in the Sandman UI status column. Starting with Sandboxie Plus v1.3.0 , only boxes with UseSecurityMode=y have their status listed as \"Enhanced Isolation\". SysCallLockDown: The setting SysCallLockDown=y limits the use of NT system calls. Only those calls that are included as defaults in the file Templates.ini or calls configured in the [GlobalSettings] section of Sandboxie Ini as ApproveWinNtSysCall=... or ApproveWin32SysCall=... are executed with the original token. Any NT syscalls that are not approved are executed with the sandboxed token and may break compatibility in certain scenarios. To find which syscalls may be needed to make a particular program work is tedious and involves trial and error. But once these syscalls are found, they can be added to the [GlobalSettings] section of Sandboxie Ini . Note that the configuration must be reloaded using \"Options -> Reload configuration\" for these settings to take effect . 
RestrictDevices: An earlier \"DeviceSecurity\" template was replaced by a dedicated setting RestrictDevices=y in Sandboxie Plus v1.3.0 to harden box security even further. A security enhanced sandbox does not have access to drivers installed on the host. However, the use of appropriate Normal path directives can allow one to open specific devices as needed. Rule Specificity : The setting UseRuleSpecificity=y allows rules to be prioritized based on their \"specificity\". When rule specificity is combined with Normal[File/Key/Ipc]Path entries, selected subpaths can be made readable/writeable while parent paths are still protected. A security hardened box works in a default allow mode: every path is a Normal[File/Key/Ipc]Path (which allows read/write changes to a sandbox) unless specifically blocked by an overriding rule. Comparison with Other Box Types: RuleSpecificity along with Normal[File/Key/Ipc]Path entries is also used in blue ( privacy enhanced ) boxes and in red boxes (that combine enhanced privacy and enhanced security). These two box types work in a default block mode: all drive paths are set to WriteFilePath . This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Recent Changes: Starting with Sandboxie Plus v1.8.0 , all built-in access rules for a security hardened box have been moved to a dedicated template (included in the file Templates.ini under the [TemplateSModPaths] section) for easier management.","title":"Security Hardened Mode"},{"location":"PlusContent/security-mode/#security-hardened-mode","text":"NOTE: This feature requires a supporter certificate . The security hardened box and the concept of security hardened mode was introduced in Sandboxie Plus v1.3.0 . It restricts NT syscall elevation to approved known safe/filtered syscalls. It also provides device security by restricting device access to known safe/filtered endpoints. 
The setting for a security hardened box can be enabled by adding UseSecurityMode=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Security Hardened Sandbox\" (with an orange box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Enhanced Isolation . Internally, the security hardened mode is based on four settings: DropAdminRights=y RestrictDevices=y SysCallLockDown=y UseRuleSpecificity=y DropAdminRights : Prior to Sandboxie Plus v1.3.0 , any box with DropAdminRights=y was considered hardened and labeled \"Enhanced Isolation\" in the Sandman UI status column. Starting with Sandboxie Plus v1.3.0 , only boxes with UseSecurityMode=y have their status listed as \"Enhanced Isolation\". SysCallLockDown: The setting SysCallLockDown=y limits the use of NT system calls. Only those calls that are included as defaults in the file Templates.ini or calls configured in the [GlobalSettings] section of Sandboxie Ini as ApproveWinNtSysCall=... or ApproveWin32SysCall=... are executed with the original token. Any NT syscalls that are not approved are executed with the sandboxed token and may break compatibility in certain scenarios. To find which syscalls may be needed to make a particular program work is tedious and involves trial and error. But once these syscalls are found, they can be added to the [GlobalSettings] section of Sandboxie Ini . Note that the configuration must be reloaded using \"Options -> Reload configuration\" for these settings to take effect . RestrictDevices: An earlier \"DeviceSecurity\" template was replaced by a dedicated setting RestrictDevices=y in Sandboxie Plus v1.3.0 to harden box security even further. A security enhanced sandbox does not have access to drivers installed on the host. 
However, the use of appropriate Normal path directives can allow one to open specific devices as needed. Rule Specificity : The setting UseRuleSpecificity=y allows rules to be prioritized based on their \"specificity\". When rule specificity is combined with Normal[File/Key/Ipc]Path entries, selected subpaths can be made readable/writeable while parent paths are still protected. A security hardened box works in a default allow mode: every path is a Normal[File/Key/Ipc]Path (which allows read/write changes to a sandbox) unless specifically blocked by an overriding rule. Comparison with Other Box Types: RuleSpecificity along with Normal[File/Key/Ipc]Path entries is also used in blue ( privacy enhanced ) boxes and in red boxes (that combine enhanced privacy and enhanced security). These two box types work in a default block mode: all drive paths are set to WriteFilePath . This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Recent Changes: Starting with Sandboxie Plus v1.8.0 , all built-in access rules for a security hardened box have been moved to a dedicated template (included in the file Templates.ini under the [TemplateSModPaths] section) for easier management.","title":"Security Hardened Mode"},{"location":"PlusContent/supporter-certificate/","text":"A supporter certificate is like a license key, but for awesome people using and supporting open source software. :-) Keeping Sandboxie up to date with the rolling releases of Windows and compatible with all web browsers is a never-ending endeavor. Please consider supporting this work with a PayPal donation or by purchasing a Sandboxie Plus Supporter Certificate , you can also provide continuous support with a Patreon subscription . 
A support certificate enables the use of new supporter exclusive features, like Privacy Mode or App Compartment Boxes , see the Feature Comparison Table for more details and certificate options. Please note that a Business Certificate is required to use Sandboxie Plus in a business or educational setting! Patreon certificates are valid for as long as the subscription is active and unlock all features. Patreons who have ended their subscription are entitled to a residual certificate corresponding to the total amount of their support. Contributor certificates are available to all people that help by contributing to the project, these certificates do not expire. If you are a contributor, please get in touch by email or alike to get your certificate.","title":"Supporter certificate"},{"location":"PlusContent/translations/","text":"Language Classic Plus Albanian Yes Arabic Yes Bulgarian Yes Croatian Yes Czech Yes Danish Yes Dutch Yes Yes English Yes Yes Estonian Yes Farsi Yes Finnish Yes French Yes Yes German Yes Yes Greek Yes Hebrew Yes Hungarian Yes Yes Indonesian Yes Italian Yes Yes Japanese Yes Korean Yes Yes Macedonian Yes Polish Yes Yes Portuguese Yes Yes PortugueseBr Yes Yes Russian Yes Yes SimpChinese Yes Yes Slovak Yes Spanish Yes Yes Swedish Yes Yes TradChinese Yes Yes Turkish Yes Yes Ukrainian Yes Yes Vietnamese Yes","title":"Translations"}]}
\ No newline at end of file
+{"config":{"indexing":"full","lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"Sandboxie documentation Introduction Sandboxie is a sandbox-based isolation software for Windows that lets you try and run untrusted applications without worrying about unwanted changes to your files or registry. After Sandboxie became open source , it was decided to release the documentation, so that it would be accessible and easily updated by the community, as opposed to the dated documentation available at sandboxie-plus.com and other archived sources. Get Sandboxie Feature/Edition comparison | System requirements | Download the latest release Contribute If you have development, testing or translation skills, then feel free to check out our Contribution guidelines .","title":"Sandboxie documentation"},{"location":"#sandboxie-documentation","text":"","title":"Sandboxie documentation"},{"location":"#introduction","text":"Sandboxie is a sandbox-based isolation software for Windows that lets you try and run untrusted applications without worrying about unwanted changes to your files or registry. After Sandboxie became open source , it was decided to release the documentation, so that it would be accessible and easily updated by the community, as opposed to the dated documentation available at sandboxie-plus.com and other archived sources.","title":"Introduction"},{"location":"#get-sandboxie","text":"Feature/Edition comparison | System requirements | Download the latest release","title":"Get Sandboxie"},{"location":"#contribute","text":"If you have development, testing or translation skills, then feel free to check out our Contribution guidelines .","title":"Contribute"},{"location":"Content/AdvancedTopics/","text":"Advanced Topics Sandbox Hierarchy discusses how Sandboxie isolates programs. Privacy Concerns for programs running under Sandboxie. Information about the Sandboxie Service Programs . 
Instructions for use of Resource Access Monitor with Sandboxie Classic. Instructions for use of Trace Logging with Sandboxie Plus. Read How To Use Win Dbg to identify problems with Sandboxie. Go to Help Topics .","title":"Advanced Topics"},{"location":"Content/AdvancedTopics/#advanced-topics","text":"Sandbox Hierarchy discusses how Sandboxie isolates programs. Privacy Concerns for programs running under Sandboxie. Information about the Sandboxie Service Programs . Instructions for use of Resource Access Monitor with Sandboxie Classic. Instructions for use of Trace Logging with Sandboxie Plus. Read How To Use Win Dbg to identify problems with Sandboxie. Go to Help Topics .","title":"Advanced Topics"},{"location":"Content/AlertFolder/","text":"Alert Folder AlertFolder is a global setting in Sandboxie Ini available since v0.5.0 / 5.45.0. It specifies path patterns that, if started outside the sandbox, will cause Sandboxie to issue message SBIE1301 . Usage: . . . [GlobalSettings] AlertFolder=%ProgramFiles%\\Mozilla Firefox Related Sandboxie Plus setting: Options menu > Global Settings > Program Control > Program Alerts See also: Alert Process .","title":"Alert Folder"},{"location":"Content/AlertFolder/#alert-folder","text":"AlertFolder is a global setting in Sandboxie Ini available since v0.5.0 / 5.45.0. It specifies path patterns that, if started outside the sandbox, will cause Sandboxie to issue message SBIE1301 . Usage: . . . [GlobalSettings] AlertFolder=%ProgramFiles%\\Mozilla Firefox Related Sandboxie Plus setting: Options menu > Global Settings > Program Control > Program Alerts See also: Alert Process .","title":"Alert Folder"},{"location":"Content/AlertProcess/","text":"Alert Process AlertProcess is a global setting in Sandboxie Ini . It specifies names of programs that, if started outside the sandbox, will cause Sandboxie to issue message SBIE1301 . Usage: . . . 
[GlobalSettings] AlertProcess=iexplore.exe AlertProcess=firefox.exe Related Sandboxie Control settings: * Program Settings * Configure Menu > Alert Programs Related Sandboxie Plus setting: * Options menu > Global Settings > Program Control > Program Alerts See also: Alert Folder .","title":"Alert Process"},{"location":"Content/AlertProcess/#alert-process","text":"AlertProcess is a global setting in Sandboxie Ini . It specifies names of programs that, if started outside the sandbox, will cause Sandboxie to issue message SBIE1301 . Usage: . . . [GlobalSettings] AlertProcess=iexplore.exe AlertProcess=firefox.exe Related Sandboxie Control settings: * Program Settings * Configure Menu > Alert Programs Related Sandboxie Plus setting: * Options menu > Global Settings > Program Control > Program Alerts See also: Alert Folder .","title":"Alert Process"},{"location":"Content/AllPages/","text":"All Pages A Advanced Topics Alert Folder Alert Process Allow Raw Disk Read Allow Spooler Print To File Appearance Settings Applications Settings Applying a Supporter Certificate Auto Delete Auto Exec Auto Recover Auto Recover Ignore B Block Drivers (removed since Sandboxie v4.xx) Block Fake Input (removed since Sandboxie v4.xx) Block Net Param Block Network Files Block Password (obsolete) Block Port (removed since Sandboxie v0.9.0 / 5.51.0) Block Screen Capture Block Sys Param (removed since Sandboxie v4.xx) Block Win Hooks (removed since Sandboxie v4.xx) Border Color Box Encryption Box Name Title Box Preset Comparison Box Root Folder (deprecated since Sandboxie v3.xx) Box Snapshots Breakout Document Breakout Folder Breakout Process Byte Order Mark (removed since Sandboxie v0.6.5 / 5.47.0) C Close Print Spooler Closed Clsid Path Closed File Path Closed Ipc Path Closed Key Path Closed RT Code Injection Compartment Mode Confidential Box Config Level Configuration Protection Configure Menu Copy Limit Kb Copy Limit Silent Cover Boxed Windows D Delete Command Delete Sandbox Delete Settings 
Delete V2 Deprecated/Obsolete/Removed Sandboxie Ini Settings Description Detecting Key Loggers Disable RT Blacklist DNS Filter Drop Admin Rights E Edit Admin Only Edit Password Email Protection Enabled Expandable Variables External Tutorials F FAQ Email FAQ Virus Feature Comparison File Menu File Migration Settings File Root Path Files And Folders View Firefox Tips Force Disable Admin Only Force Disable Seconds Force Folder Force Process Forget Password Frequently Asked Questions G General Tips Getting Started Getting Started Part Five Getting Started Part Four Getting Started Part Six Getting Started Part Three Getting Started Part Two H Help Menu Help Topics Hide Host Process Hide Message Hide Other Boxes How It Works How To Use Win Dbg I ImDisk Integration Immediate Recovery Inject Dll Inject Dll 64 Internet Explorer Tips Ipc Root Path Isolation Mechanism J K Key Root Path Known Conflicts L Leader Process Linger Exempt Wnds Linger Process M Messages From Sandboxie Monitor Admin Only Msi Installer Exemptions N Never Delete No Rename Win Class Normal File Path Normal Ipc Path Normal Key Path Notify Direct Disk Access Notify Internet Access Denied Notify Process Access Denied Notify Start Run Access Denied Nt Namespace Isolation Nt Status Codes O Open Clipboard Open Clsid Open Conf Path Open Credentials Open File Path Open Ipc Path Open Key Path Open Pipe Path Open Print Spooler Open Protected Storage Open Win Class P Paper Analogy Popup Message Log Portable Sandbox Privacy Concerns Privacy Mode Process Limit Process Limit 1 (removed since Sandboxie v0.7.1 / 5.48.5) Process Limit 2 (removed since Sandboxie v0.7.1 / 5.48.5) Program Name Prefix Program Settings Program Start Settings Program Stop Settings Programs View Prompt For File Migration Protect Host Images Protected Storage Proxy Support Q Quick Recovery R RAM Disk Support Ransomware Read File Path Read Ipc Path Read Key Path Recover Folder Recovery Settings Resource Access Resource Access Monitor for 
Sandboxie Classic Resource Access Settings Restrictions Settings Rule Specificity S Sandbox Hierarchy Sandbox Menu Sandbox Settings Sandboxie Sandboxie Control Sandboxie Ini Sandboxie Insider Sandboxie Live Sandboxie Plus Sandboxie Plus Migration Guide Sandboxie Plus UI Features Sandboxie Portable Sandboxie Trace SandboxieDrv use of undocumented kernel exports SBIE DLL API SBIE Messages SBIE1101 SBIE1102 SBIE1103 SBIE1104 SBIE1105 SBIE1106 SBIE1108 SBIE1109 SBIE1110 SBIE1111 SBIE1112 SBIE1113 SBIE1114 SBIE1116 SBIE1119 SBIE1120 SBIE1121 SBIE1122 SBIE1151 SBIE1152 SBIE1153 SBIE1201 SBIE1202 SBIE1203 SBIE1204 SBIE1211 SBIE1212 SBIE1213 SBIE1214 (obsolete) SBIE1215 (obsolete) SBIE1216 (obsolete) SBIE1222 SBIE1223 SBIE1224 SBIE1241 SBIE1242 (obsolete since Sandboxie 0.9.0 / 5.51.0) SBIE1301 SBIE1303 (obsolete since Sandboxie 5.31.4) SBIE1304 (obsolete) SBIE1306 SBIE1307 SBIE1308 SBIE1309 (obsolete) SBIE1310 (obsolete since Sandboxie 5.31.4) SBIE1311 (obsolete) SBIE1312 SBIE1313 SBIE1314 SBIE1401 SBIE1402 SBIE1403 SBIE1404 SBIE1405 SBIE1406 SBIE1408 SBIE1409 SBIE1410 SBIE1411 SBIE1412 SBIE2102 SBIE2103 SBIE2104 SBIE2108 SBIE2111 SBIE2191 SBIE2192 SBIE2193 (obsolete since Sandboxie 1.0.14 / 5.55.14) SBIE2202 SBIE2203 SBIE2204 SBIE2205 SBIE2206 SBIE2207 SBIE2208 SBIE2209 SBIE2210 SBIE2211 SBIE2212 SBIE2213 SBIE2214 SBIE2217 SBIE2218 SBIE2219 SBIE2220 SBIE2221 SBIE2222 SBIE2223 SBIE2303 SBIE2304 SBIE2305 SBIE2306 SBIE2307 SBIE2308 SBIE2309 SBIE2310 SBIE2311 SBIE2312 SBIE2313 SBIE2314 SBIE2315 SBIE2316 SBIE2317 SBIE2318 SBIE2321 SBIE2322 SBIE2323 SBIE2326 SBIE2327 SBIE2331 SBIE2332 SBIE2334 SBIE3207 SBIE3208 SBIE3209 SBIE9101 SBIE9153 SBIE9154 SBIE9156 SBIE9201 SBIE9202 SBIE9203 SBIE9204 SBIE9205 SBIE9206 SBIE9207 SBIE9208 SBIE9251 SBIE9252 SBIE9253 SBIE9302 SBIE9304 SBIE9305 Secure Delete Sandbox Security Mode Separate User Folders Service Programs Shell Folders Show For Run In Start Command Line Start Program Start Service Supporter Certificate System Event Log T 
Technical Aspects Test Email Configuration Trace logging Translations Tray Icon Menu U Usage Tips USB Sandboxing Use Privacy Mode Use Rule Specificity Use SbieDesk Hack Use Security Mode User Accounts Settings V View Menu W WFP Support Windows 8 Windows XP Mode Write File Path Write Key Path X Y Yes Or No Settings Z","title":"All Pages"},{"location":"Content/AllPages/#all-pages","text":"","title":"All Pages"},{"location":"Content/AllPages/#a","text":"Advanced Topics Alert Folder Alert Process Allow Raw Disk Read Allow Spooler Print To File Appearance Settings Applications Settings Applying a Supporter Certificate Auto Delete Auto Exec Auto Recover Auto Recover Ignore","title":"A"},{"location":"Content/AllPages/#b","text":"Block Drivers (removed since Sandboxie v4.xx) Block Fake Input (removed since Sandboxie v4.xx) Block Net Param Block Network Files Block Password (obsolete) Block Port (removed since Sandboxie v0.9.0 / 5.51.0) Block Screen Capture Block Sys Param (removed since Sandboxie v4.xx) Block Win Hooks (removed since Sandboxie v4.xx) Border Color Box Encryption Box Name Title Box Preset Comparison Box Root Folder (deprecated since Sandboxie v3.xx) Box Snapshots Breakout Document Breakout Folder Breakout Process Byte Order Mark (removed since Sandboxie v0.6.5 / 5.47.0)","title":"B"},{"location":"Content/AllPages/#c","text":"Close Print Spooler Closed Clsid Path Closed File Path Closed Ipc Path Closed Key Path Closed RT Code Injection Compartment Mode Confidential Box Config Level Configuration Protection Configure Menu Copy Limit Kb Copy Limit Silent Cover Boxed Windows","title":"C"},{"location":"Content/AllPages/#d","text":"Delete Command Delete Sandbox Delete Settings Delete V2 Deprecated/Obsolete/Removed Sandboxie Ini Settings Description Detecting Key Loggers Disable RT Blacklist DNS Filter Drop Admin Rights","title":"D"},{"location":"Content/AllPages/#e","text":"Edit Admin Only Edit Password Email Protection Enabled Expandable Variables External 
Tutorials","title":"E"},{"location":"Content/AllPages/#f","text":"FAQ Email FAQ Virus Feature Comparison File Menu File Migration Settings File Root Path Files And Folders View Firefox Tips Force Disable Admin Only Force Disable Seconds Force Folder Force Process Forget Password Frequently Asked Questions","title":"F"},{"location":"Content/AllPages/#g","text":"General Tips Getting Started Getting Started Part Five Getting Started Part Four Getting Started Part Six Getting Started Part Three Getting Started Part Two","title":"G"},{"location":"Content/AllPages/#h","text":"Help Menu Help Topics Hide Host Process Hide Message Hide Other Boxes How It Works How To Use Win Dbg","title":"H"},{"location":"Content/AllPages/#i","text":"ImDisk Integration Immediate Recovery Inject Dll Inject Dll 64 Internet Explorer Tips Ipc Root Path Isolation Mechanism","title":"I"},{"location":"Content/AllPages/#j","text":"","title":"J"},{"location":"Content/AllPages/#k","text":"Key Root Path Known Conflicts","title":"K"},{"location":"Content/AllPages/#l","text":"Leader Process Linger Exempt Wnds Linger Process","title":"L"},{"location":"Content/AllPages/#m","text":"Messages From Sandboxie Monitor Admin Only Msi Installer Exemptions","title":"M"},{"location":"Content/AllPages/#n","text":"Never Delete No Rename Win Class Normal File Path Normal Ipc Path Normal Key Path Notify Direct Disk Access Notify Internet Access Denied Notify Process Access Denied Notify Start Run Access Denied Nt Namespace Isolation Nt Status Codes","title":"N"},{"location":"Content/AllPages/#o","text":"Open Clipboard Open Clsid Open Conf Path Open Credentials Open File Path Open Ipc Path Open Key Path Open Pipe Path Open Print Spooler Open Protected Storage Open Win Class","title":"O"},{"location":"Content/AllPages/#p","text":"Paper Analogy Popup Message Log Portable Sandbox Privacy Concerns Privacy Mode Process Limit Process Limit 1 (removed since Sandboxie v0.7.1 / 5.48.5) Process Limit 2 (removed since Sandboxie 
v0.7.1 / 5.48.5) Program Name Prefix Program Settings Program Start Settings Program Stop Settings Programs View Prompt For File Migration Protect Host Images Protected Storage Proxy Support","title":"P"},{"location":"Content/AllPages/#q","text":"Quick Recovery","title":"Q"},{"location":"Content/AllPages/#r","text":"RAM Disk Support Ransomware Read File Path Read Ipc Path Read Key Path Recover Folder Recovery Settings Resource Access Resource Access Monitor for Sandboxie Classic Resource Access Settings Restrictions Settings Rule Specificity","title":"R"},{"location":"Content/AllPages/#s","text":"Sandbox Hierarchy Sandbox Menu Sandbox Settings Sandboxie Sandboxie Control Sandboxie Ini Sandboxie Insider Sandboxie Live Sandboxie Plus Sandboxie Plus Migration Guide Sandboxie Plus UI Features Sandboxie Portable Sandboxie Trace SandboxieDrv use of undocumented kernel exports SBIE DLL API SBIE Messages SBIE1101 SBIE1102 SBIE1103 SBIE1104 SBIE1105 SBIE1106 SBIE1108 SBIE1109 SBIE1110 SBIE1111 SBIE1112 SBIE1113 SBIE1114 SBIE1116 SBIE1119 SBIE1120 SBIE1121 SBIE1122 SBIE1151 SBIE1152 SBIE1153 SBIE1201 SBIE1202 SBIE1203 SBIE1204 SBIE1211 SBIE1212 SBIE1213 SBIE1214 (obsolete) SBIE1215 (obsolete) SBIE1216 (obsolete) SBIE1222 SBIE1223 SBIE1224 SBIE1241 SBIE1242 (obsolete since Sandboxie 0.9.0 / 5.51.0) SBIE1301 SBIE1303 (obsolete since Sandboxie 5.31.4) SBIE1304 (obsolete) SBIE1306 SBIE1307 SBIE1308 SBIE1309 (obsolete) SBIE1310 (obsolete since Sandboxie 5.31.4) SBIE1311 (obsolete) SBIE1312 SBIE1313 SBIE1314 SBIE1401 SBIE1402 SBIE1403 SBIE1404 SBIE1405 SBIE1406 SBIE1408 SBIE1409 SBIE1410 SBIE1411 SBIE1412 SBIE2102 SBIE2103 SBIE2104 SBIE2108 SBIE2111 SBIE2191 SBIE2192 SBIE2193 (obsolete since Sandboxie 1.0.14 / 5.55.14) SBIE2202 SBIE2203 SBIE2204 SBIE2205 SBIE2206 SBIE2207 SBIE2208 SBIE2209 SBIE2210 SBIE2211 SBIE2212 SBIE2213 SBIE2214 SBIE2217 SBIE2218 SBIE2219 SBIE2220 SBIE2221 SBIE2222 SBIE2223 SBIE2303 SBIE2304 SBIE2305 SBIE2306 SBIE2307 SBIE2308 SBIE2309 SBIE2310 SBIE2311 
SBIE2312 SBIE2313 SBIE2314 SBIE2315 SBIE2316 SBIE2317 SBIE2318 SBIE2321 SBIE2322 SBIE2323 SBIE2326 SBIE2327 SBIE2331 SBIE2332 SBIE2334 SBIE3207 SBIE3208 SBIE3209 SBIE9101 SBIE9153 SBIE9154 SBIE9156 SBIE9201 SBIE9202 SBIE9203 SBIE9204 SBIE9205 SBIE9206 SBIE9207 SBIE9208 SBIE9251 SBIE9252 SBIE9253 SBIE9302 SBIE9304 SBIE9305 Secure Delete Sandbox Security Mode Separate User Folders Service Programs Shell Folders Show For Run In Start Command Line Start Program Start Service Supporter Certificate System Event Log","title":"S"},{"location":"Content/AllPages/#t","text":"Technical Aspects Test Email Configuration Trace logging Translations Tray Icon Menu","title":"T"},{"location":"Content/AllPages/#u","text":"Usage Tips USB Sandboxing Use Privacy Mode Use Rule Specificity Use SbieDesk Hack Use Security Mode User Accounts Settings","title":"U"},{"location":"Content/AllPages/#v","text":"View Menu","title":"V"},{"location":"Content/AllPages/#w","text":"WFP Support Windows 8 Windows XP Mode Write File Path Write Key Path","title":"W"},{"location":"Content/AllPages/#x","text":"","title":"X"},{"location":"Content/AllPages/#y","text":"Yes Or No Settings","title":"Y"},{"location":"Content/AllPages/#z","text":"","title":"Z"},{"location":"Content/AllowRawDiskRead/","text":"Allow Raw Disk Read AllowRawDiskRead is a sandbox setting in Sandboxie Ini available since v0.7.0 / 5.48.0. This setting can be used to disable protection which prevents elevated sandboxed processes from accessing volumes/disks for reading. . . . [DefaultBox] AllowRawDiskRead=y Related Sandboxie Plus setting: Sandbox Options > File Options > Allow elevated sandboxed applications to read the harddrive","title":"Allow Raw Disk Read"},{"location":"Content/AllowRawDiskRead/#allow-raw-disk-read","text":"AllowRawDiskRead is a sandbox setting in Sandboxie Ini available since v0.7.0 / 5.48.0. 
This setting can be used to disable protection which prevents elevated sandboxed processes from accessing volumes/disks for reading. . . . [DefaultBox] AllowRawDiskRead=y Related Sandboxie Plus setting: Sandbox Options > File Options > Allow elevated sandboxed applications to read the harddrive","title":"Allow Raw Disk Read"},{"location":"Content/AllowSpoolerPrintToFile/","text":"Allow Spooler Print To File AllowSpoolerPrintToFile is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] AllowSpoolerPrintToFile=n This setting can be used to prevent sandboxed applications from printing to file. By default, Sandboxie blocks all CreateFile calls that ask for write access for a sandboxed spoolsv.exe .","title":"Allow Spooler Print To File"},{"location":"Content/AllowSpoolerPrintToFile/#allow-spooler-print-to-file","text":"AllowSpoolerPrintToFile is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] AllowSpoolerPrintToFile=n This setting can be used to prevent sandboxed applications from printing to file. By default, Sandboxie blocks all CreateFile calls that ask for write access for a sandboxed spoolsv.exe .","title":"Allow Spooler Print To File"},{"location":"Content/AppearanceSettings/","text":"Appearance Settings Sandboxie Control > Sandbox Settings > Appearance: Normally, Sandboxie inserts the Sandboxie marks [#] in the title bar of windows associated with sandboxed programs. You can use the first checkbox to override this default behavior and prevent the Sandboxie marks from appearing. You can use the second checkbox to extend this default behavior to also insert the name of the sandbox between the [#] marks. This is useful when you frequently use the same programs in more than one sandbox. Note: It is not possible to enable both checkboxes at the same time. 
Sandboxie can also draw a colored border around the active (foreground) window, if that windows belongs to a sandboxed program. Use the third checkbox to enable this behavior and choose the border color for programs in this sandbox. Related Sandboxie Ini setting: BoxNameTitle , BorderColor .","title":"Appearance Settings"},{"location":"Content/AppearanceSettings/#appearance-settings","text":"Sandboxie Control > Sandbox Settings > Appearance: Normally, Sandboxie inserts the Sandboxie marks [#] in the title bar of windows associated with sandboxed programs. You can use the first checkbox to override this default behavior and prevent the Sandboxie marks from appearing. You can use the second checkbox to extend this default behavior to also insert the name of the sandbox between the [#] marks. This is useful when you frequently use the same programs in more than one sandbox. Note: It is not possible to enable both checkboxes at the same time. Sandboxie can also draw a colored border around the active (foreground) window, if that windows belongs to a sandboxed program. Use the third checkbox to enable this behavior and choose the border color for programs in this sandbox. Related Sandboxie Ini setting: BoxNameTitle , BorderColor .","title":"Appearance Settings"},{"location":"Content/ApplicationsSettings/","text":"Applications Settings Applications\" Settings Group Sandboxie Control > Sandbox Settings > Applications. This group of settings pages offers quick configuration of Sandboxie for use with other applications, particularly the various well-known Web browsers and email programs, but also some third-party applications that are known to require special configuration in Sandboxie. 
Web Browser Sandboxie Control > Sandbox Settings > Applications > Web Browser This settings sub-group is itself divided into three sub-groups: Internet Explorer See also: Internet Explorer Tips Firefox See also: Firefox Tips Other Browsers This settings page offers quick configuration for the following browsers: Internet Explorer, Mozilla Firefox and SeaMonkey, the Opera Web browser, Maxthon 2, and Google Chrome. Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. If you use non-default locations for the data (profile) folders used by your Web browsers, make sure to also visit the Applications > Folders settings page to specify the alternate locations. Two special settings on the Internet Explorer settings page: Save outside sandbox: History of search strings and invoked commands. For detailed information, see Sandboxie Ini setting: OpenProtectedStorage . Save outside sandbox: Account information for Hotmail and Messenger. (no longer available since Sandboxie v0.8.0 / 5.50.0). For detailed information, see Sandboxie Ini setting: OpenCredentials . See also Save Outside Sandbox in Internet Explorer Tips for more information and recommendations. Email Reader Sandboxie Control > Sandbox Settings > Applications > Email Reader This settings page offers quick configuration for the following email programs: Outlook Express Office Outlook Windows Vista Mail Windows Live Mail Mozilla Thunderbird Mozilla SeaMonkey Opera Mail IncrediMail Eudora The Bat! Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. You may also need to tell Sandboxie where your mailbox data files reside, in the following cases: If your mailbox resides in a non-default or non-standard location. If you use the Eudora or The-Bat! email software. 
To do that, open Sandbox Settings > Applications > Folders , select your email software from the drop-down list, and then select a folder location to be associated with it. After completing the email configuration, you may want to test it, to make sure that even when running under Sandboxie, new emails are not lost when you delete the sandbox. To do that, follow the steps outlined in Test Email Configuration . If your email program is not known to Sandboxie, you can use Sandbox Settings > Resource Access > File Access > Direct Access to explicitly add direct access to the folder containing your mailbox data files. See also message SBIE2212 , Email Protection , and FAQ Email . Miscellaneous The following settings pages are used to enable configurations for third-party software, categorized by subject. There are settings pages for PDF and printing software, for password and security software, for desktop utilities and other miscellaneous programs and settings. Select (highlight) the desired configuration and click the Open Web Site button to visit the vendor Web site for a particular program recognized by Sandboxie. Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. In some cases, you also specify the locations of the data files used by the third-party software. Use Applications > Folders settings page to specify the alternate locations. Local Sandboxie Control > Sandbox Settings > Applications > Local Use this settings page to enter your own custom settings as an application configuration package that can be easily enabled or disabled for a particular sandbox. For more information about designing your own application configuration packages, or templates, consult the Templates.ini file in the Sandboxie installation folder. 
Folders Sandboxie Control > Sandbox Settings > Applications > Folders Use this settings page to specify any alternate (non-default) folder locations for the data files used by applications for which you have enabled in (or add to) the sandbox. First, select (highlight) the desired application, then click the Add button to specify the alternate location. Accessibility Settings Sandboxie Control > Sandbox Settings > Applications > Accessibility This settings page offers quick configuration for the following screen reading programs: JAWS NVDA Windows-Eyes System Access Accessibility support in Windows allows any program to provide hints and information about the content it is displaying. Screen reader software typically uses these hints to offer more detail about the content of the screen. Normally, the isolation of Sandboxie prevents the screen reader from accessing the accessibility hints provided by the sandboxed program. Enabling the setting will weaken the protection of the Sandboxie in order to permit two-way communication between the screen reader program and the sandboxed program. You may wish to enable Sandbox Settings > Restrictions > Drop Rights to compensate for the lost protection.","title":"Applications Settings"},{"location":"Content/ApplicationsSettings/#applications-settings","text":"","title":"Applications Settings"},{"location":"Content/ApplicationsSettings/#applications-settings-group","text":"Sandboxie Control > Sandbox Settings > Applications. 
This group of settings pages offers quick configuration of Sandboxie for use with other applications, particularly the various well-known Web browsers and email programs, but also some third-party applications that are known to require special configuration in Sandboxie.","title":"Applications\" Settings Group"},{"location":"Content/ApplicationsSettings/#web-browser","text":"Sandboxie Control > Sandbox Settings > Applications > Web Browser This settings sub-group is itself divided into three sub-groups:","title":"Web Browser"},{"location":"Content/ApplicationsSettings/#internet-explorer","text":"See also: Internet Explorer Tips","title":"Internet Explorer"},{"location":"Content/ApplicationsSettings/#firefox","text":"See also: Firefox Tips","title":"Firefox"},{"location":"Content/ApplicationsSettings/#other-browsers","text":"This settings page offers quick configuration for the following browsers: Internet Explorer, Mozilla Firefox and SeaMonkey, the Opera Web browser, Maxthon 2, and Google Chrome. Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. If you use non-default locations for the data (profile) folders used by your Web browsers, make sure to also visit the Applications > Folders settings page to specify the alternate locations. Two special settings on the Internet Explorer settings page: Save outside sandbox: History of search strings and invoked commands. For detailed information, see Sandboxie Ini setting: OpenProtectedStorage . Save outside sandbox: Account information for Hotmail and Messenger. (no longer available since Sandboxie v0.8.0 / 5.50.0). For detailed information, see Sandboxie Ini setting: OpenCredentials . 
See also Save Outside Sandbox in Internet Explorer Tips for more information and recommendations.","title":"Other Browsers"},{"location":"Content/ApplicationsSettings/#email-reader","text":"Sandboxie Control > Sandbox Settings > Applications > Email Reader This settings page offers quick configuration for the following email programs: Outlook Express Office Outlook Windows Vista Mail Windows Live Mail Mozilla Thunderbird Mozilla SeaMonkey Opera Mail IncrediMail Eudora The Bat! Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. You may also need to tell Sandboxie where your mailbox data files reside, in the following cases: If your mailbox resides in a non-default or non-standard location. If you use the Eudora or The-Bat! email software. To do that, open Sandbox Settings > Applications > Folders , select your email software from the drop-down list, and then select a folder location to be associated with it. After completing the email configuration, you may want to test it, to make sure that even when running under Sandboxie, new emails are not lost when you delete the sandbox. To do that, follow the steps outlined in Test Email Configuration . If your email program is not known to Sandboxie, you can use Sandbox Settings > Resource Access > File Access > Direct Access to explicitly add direct access to the folder containing your mailbox data files. See also message SBIE2212 , Email Protection , and FAQ Email .","title":"Email Reader"},{"location":"Content/ApplicationsSettings/#miscellaneous","text":"The following settings pages are used to enable configurations for third-party software, categorized by subject. There are settings pages for PDF and printing software, for password and security software, for desktop utilities and other miscellaneous programs and settings. 
Select (highlight) the desired configuration and click the Open Web Site button to visit the vendor Web site for a particular program recognized by Sandboxie. Select (highlight) the desired configuration and click the Add button to enable it for this sandbox. In some cases, you also specify the locations of the data files used by the third-party software. Use Applications > Folders settings page to specify the alternate locations.","title":"Miscellaneous"},{"location":"Content/ApplicationsSettings/#local","text":"Sandboxie Control > Sandbox Settings > Applications > Local Use this settings page to enter your own custom settings as an application configuration package that can be easily enabled or disabled for a particular sandbox. For more information about designing your own application configuration packages, or templates, consult the Templates.ini file in the Sandboxie installation folder.","title":"Local"},{"location":"Content/ApplicationsSettings/#folders","text":"Sandboxie Control > Sandbox Settings > Applications > Folders Use this settings page to specify any alternate (non-default) folder locations for the data files used by applications for which you have enabled in (or add to) the sandbox. First, select (highlight) the desired application, then click the Add button to specify the alternate location.","title":"Folders"},{"location":"Content/ApplicationsSettings/#accessibility-settings","text":"Sandboxie Control > Sandbox Settings > Applications > Accessibility This settings page offers quick configuration for the following screen reading programs: JAWS NVDA Windows-Eyes System Access Accessibility support in Windows allows any program to provide hints and information about the content it is displaying. Screen reader software typically uses these hints to offer more detail about the content of the screen. Normally, the isolation of Sandboxie prevents the screen reader from accessing the accessibility hints provided by the sandboxed program. 
Enabling the setting will weaken the protection of the Sandboxie in order to permit two-way communication between the screen reader program and the sandboxed program. You may wish to enable Sandbox Settings > Restrictions > Drop Rights to compensate for the lost protection.","title":"Accessibility Settings"},{"location":"Content/AutoDelete/","text":"Auto Delete AutoDelete is a sandbox setting in Sandboxie Ini . It is typically specified as AutoDelete=y, and indicates that the contents of the sandbox should be automatically deleted as soon as the last sandboxed process is terminated. For example: . . . [DefaultBox] AutoDelete=y Related Sandboxie Control setting: Sandbox Settings > Delete > Invocation Related Sandboxie Plus setting: Sandbox Options > File Options > Box Delete options > Auto delete content when last sandboxed process terminates","title":"Auto Delete"},{"location":"Content/AutoDelete/#auto-delete","text":"AutoDelete is a sandbox setting in Sandboxie Ini . It is typically specified as AutoDelete=y, and indicates that the contents of the sandbox should be automatically deleted as soon as the last sandboxed process is terminated. For example: . . . [DefaultBox] AutoDelete=y Related Sandboxie Control setting: Sandbox Settings > Delete > Invocation Related Sandboxie Plus setting: Sandbox Options > File Options > Box Delete options > Auto delete content when last sandboxed process terminates","title":"Auto Delete"},{"location":"Content/AutoExec/","text":"Auto Exec AutoExec is a sandbox setting in Sandboxie Ini . It specifies a list of commands that are executed every time the sandbox is initially populated. Examples: . . . [DefaultBox] AutoExec=regedit /s c:\\defaultbox.reg AutoExec=cmd /c del /f \"%windir%\\system32\\someExploitableDLL.dll\" The first example shows using AutoExec to populate the sandboxed registry in some way. The second example shows using AutoExec to delete an undesirable DLL file. 
In both cases the customization takes place only within the sandbox. Multiple AutoExec settings may be specified for a single sandbox. The commands listed are executed one by one. The commands (whether one or any number of them) are executed once in the life-time of a particular sandbox. To get Sandboxie to execute these commands again, the sandbox must be deleted. This is true even if the command execution fails -- it will not be executed again, unless the sandbox is deleted. At this time, there is no corresponding Sandboxie Control configuration for this setting. Technical Details Each AutoExec command, as it is executed by Sandboxie, is recorded in the registry of that sandbox, in the key HKEY_CURRENT_USER\\Software\\SandboxieAutoExec . The command will not be executed if it was already recorded in the sandboxed registry. Thus, deleting the sandbox clears all recorded AutoExec commands, so they are executed again the next time any sandboxed program starts in that sandbox. But it is also possible to get them to execute again, by manually deleting the command from that sandboxed registry key.","title":"Auto Exec"},{"location":"Content/AutoExec/#auto-exec","text":"AutoExec is a sandbox setting in Sandboxie Ini . It specifies a list of commands that are executed every time the sandbox is initially populated. Examples: . . . [DefaultBox] AutoExec=regedit /s c:\\defaultbox.reg AutoExec=cmd /c del /f \"%windir%\\system32\\someExploitableDLL.dll\" The first example shows using AutoExec to populate the sandboxed registry in some way. The second example shows using AutoExec to delete an undesirable DLL file. In both cases the customization takes place only within the sandbox. Multiple AutoExec settings may be specified for a single sandbox. The commands listed are executed one by one. The commands (whether one or any number of them) are executed once in the life-time of a particular sandbox. To get Sandboxie to execute these commands again, the sandbox must be deleted. 
This is true even if the command execution fails -- it will not be executed again, unless the sandbox is deleted. At this time, there is no corresponding Sandboxie Control configuration for this setting. Technical Details Each AutoExec command, as it is executed by Sandboxie, is recorded in the registry of that sandbox, in the key HKEY_CURRENT_USER\\Software\\SandboxieAutoExec . The command will not be executed if it was already recorded in the sandboxed registry. Thus, deleting the sandbox clears all recorded AutoExec commands, so they are executed again the next time any sandboxed program starts in that sandbox. But it is also possible to get them to execute again, by manually deleting the command from that sandboxed registry key.","title":"Auto Exec"},{"location":"Content/AutoRecover/","text":"Auto Recover AutoRecover is a sandbox setting in Sandboxie Ini . It is typically specified as AutoRecover=y , and enables the Immediate Recovery extension of Quick Recovery . Usage: . . . [DefaultBox] AutoRecover=y Related Sandboxie Control setting: Sandbox Settings > Recovery > Immediate Recovery","title":"Auto Recover"},{"location":"Content/AutoRecover/#auto-recover","text":"AutoRecover is a sandbox setting in Sandboxie Ini . It is typically specified as AutoRecover=y , and enables the Immediate Recovery extension of Quick Recovery . Usage: . . . [DefaultBox] AutoRecover=y Related Sandboxie Control setting: Sandbox Settings > Recovery > Immediate Recovery","title":"Auto Recover"},{"location":"Content/AutoRecoverIgnore/","text":"Auto Recover Ignore AutoRecoverIgnore is a sandbox setting in Sandboxie Ini . It specifies folders or file types that should be ignored by the Immediate Recovery extension of Quick Recovery . For example: . . . [DefaultBox] AutoRecoverIgnore=.part AutoRecoverIgnore=%Desktop% AutoRecoverIgnore=C:\\Folder The first example excludes from Immediate Recovery any files ending in .part . 
These files are created by the download manager of the Mozilla browsers, and represent incomplete downloads. When the download completes, the .part extension is removed from the file, thus making it eligible for Immediate Recovery. Note that .part is a default setting. The second and third examples exclude the specified folders from Immediate Recovery. Related Sandboxie Control setting: Sandbox Settings > Recovery > Immediate Recovery","title":"Auto Recover Ignore"},{"location":"Content/AutoRecoverIgnore/#auto-recover-ignore","text":"AutoRecoverIgnore is a sandbox setting in Sandboxie Ini . It specifies folders or file types that should be ignored by the Immediate Recovery extension of Quick Recovery . For example: . . . [DefaultBox] AutoRecoverIgnore=.part AutoRecoverIgnore=%Desktop% AutoRecoverIgnore=C:\\Folder The first example excludes from Immediate Recovery any files ending in .part . These files are created by the download manager of the Mozilla browsers, and represent incomplete downloads. When the download completes, the .part extension is removed from the file, thus making it eligible for Immediate Recovery. Note that .part is a default setting. The second and third examples exclude the specified folders from Immediate Recovery. Related Sandboxie Control setting: Sandbox Settings > Recovery > Immediate Recovery","title":"Auto Recover Ignore"},{"location":"Content/BlockDrivers/","text":"Block Drivers This feature was removed in SBIE version 4.+ and up. It is no longer available. BlockDrivers was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to load drivers into the operating system. However, this setting did not govern the installation of new drivers -- see more below. Usage: . . . [DefaultBox] BlockDrivers=n Specifying n indicates that a sandboxed program may load drivers into the operating system. If this is not done, Sandboxie will deny the driver load attempt, and instead issue message SBIE2103 . 
Note: Disabling the protection afforded by BlockDrivers is not recommended. Driver Installation Before a driver can be loaded, it must first be installed. Driver installation is not affected by the BlockDrivers setting. To allow driver installation, you should add the following OpenKeyPath setting: OpenKeyPath=HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services And you should additionally open the driver file, using OpenFilePath. This is needed because the driver path that will be set in the registry (in a key created below CurrentControlSet\\Services) will typically not point inside the sandbox. OpenFilePath=c:\\program files\\MyNewSoftware\\SoftwareDriver.sys Note: Allowing sandboxed programs to install drivers is not recommended. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Drivers"},{"location":"Content/BlockDrivers/#block-drivers","text":"This feature was removed in SBIE version 4.+ and up. It is no longer available. BlockDrivers was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to load drivers into the operating system. However, this setting did not govern the installation of new drivers -- see more below. Usage: . . . [DefaultBox] BlockDrivers=n Specifying n indicates that a sandboxed program may load drivers into the operating system. If this is not done, Sandboxie will deny the driver load attempt, and instead issue message SBIE2103 . Note: Disabling the protection afforded by BlockDrivers is not recommended. Driver Installation Before a driver can be loaded, it must first be installed. Driver installation is not affected by the BlockDrivers setting. To allow driver installation, you should add the following OpenKeyPath setting: OpenKeyPath=HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services And you should additionally open the driver file, using OpenFilePath. 
This is needed because the driver path that will be set in the registry (in a key created below CurrentControlSet\\Services) will typically not point inside the sandbox. OpenFilePath=c:\\program files\\MyNewSoftware\\SoftwareDriver.sys Note: Allowing sandboxed programs to install drivers is not recommended. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Drivers"},{"location":"Content/BlockFakeInput/","text":"Block Fake Input This feature was removed in SBIE version 4 and up. It is no longer available. BlockFakeInput was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to manufacture fake keyboard input and send it to windows of applications running outside that sandbox. Usage: . . . [DefaultBox] BlockFakeInput=n Keyboard input is received by the active, highlighted window. This is true whether the keyboard input was manufactured by a program (fake input), or coming from the keyboard (real input). By default, Sandboxie will allow a program running in a sandbox to manufacture fake input, provided the recipient window belongs to an application which is running in the same sandbox. If the fake input will end up in a window outside that sandbox, Sandboxie will discard the input and issue message SBIE1304 . Specifying BlockFakeInput=n indicates that a sandboxed program should be allowed to manufacture fake keyboard input, regardless of the recipient of that input. To experiment with this setting, you can run a sandboxed instance of osk.exe , the Windows on-screen keyboard. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access","title":"Block Fake Input"},{"location":"Content/BlockFakeInput/#block-fake-input","text":"This feature was removed in SBIE version 4 and up. It is no longer available. BlockFakeInput was a sandbox setting in Sandboxie Ini . 
It specified whether Sandboxie should allow sandboxed programs to manufacture fake keyboard input and send it to windows of applications running outside that sandbox. Usage: . . . [DefaultBox] BlockFakeInput=n Keyboard input is received by the active, highlighted window. This is true whether the keyboard input was manufactured by a program (fake input), or coming from the keyboard (real input). By default, Sandboxie will allow a program running in a sandbox to manufacture fake input, provided the recipient window belongs to an application which is running in the same sandbox. If the fake input will end up in a window outside that sandbox, Sandboxie will discard the input and issue message SBIE1304 . Specifying BlockFakeInput=n indicates that a sandboxed program should be allowed to manufacture fake keyboard input, regardless of the recipient of that input. To experiment with this setting, you can run a sandboxed instance of osk.exe , the Windows on-screen keyboard. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access","title":"Block Fake Input"},{"location":"Content/BlockNetParam/","text":"Block Net Param BlockNetParam is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will allow sandboxed programs to change network and firewall parameters. Usage: . . . [DefaultBox] BlockNetParam=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change network and firewall parameters.","title":"Block Net Param"},{"location":"Content/BlockNetParam/#block-net-param","text":"BlockNetParam is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will allow sandboxed programs to change network and firewall parameters. Usage: . . . 
[DefaultBox] BlockNetParam=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change network and firewall parameters.","title":"Block Net Param"},{"location":"Content/BlockNetworkFiles/","text":"Block Network Files BlockNetworkFiles is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will block sandboxed programs from accessing network files and folders without specifically opened. . . . [DefaultBox] BlockNetworkFiles=n Specifying n indicates that a sandboxed program may access network files without specifically opened, in this case \"Net Share\" will appear in sandbox status. Related Sandboxie Plus setting: Sandbox Options > Network Options > Other Options > Block network files and folders, unless specifically opened Related Sandboxie Plus setting when creating a new sandbox with \"Configure advanced options\" selected: Sandbox Isolation options > Network Access > Allow access to network files and folders","title":"Block Network Files"},{"location":"Content/BlockNetworkFiles/#block-network-files","text":"BlockNetworkFiles is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will block sandboxed programs from accessing network files and folders without specifically opened. . . . [DefaultBox] BlockNetworkFiles=n Specifying n indicates that a sandboxed program may access network files without specifically opened, in this case \"Net Share\" will appear in sandbox status. Related Sandboxie Plus setting: Sandbox Options > Network Options > Other Options > Block network files and folders, unless specifically opened Related Sandboxie Plus setting when creating a new sandbox with \"Configure advanced options\" selected: Sandbox Isolation options > Network Access > Allow access to network files and folders","title":"Block Network Files"},{"location":"Content/BlockPassword/","text":"Block Password This feature is obsolete. 
If you use Windows 10 or later, we recommend OpenSamEndpoint since version 0.7.0 / 5.48.0: #938 BlockPassword is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will allow sandboxed programs to change the password of user accounts. Usage: . . . [DefaultBox] BlockPassword=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change the user account password. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Password"},{"location":"Content/BlockPassword/#block-password","text":"This feature is obsolete. If you use Windows 10 or later, we recommend OpenSamEndpoint since version 0.7.0 / 5.48.0: #938 BlockPassword is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will allow sandboxed programs to change the password of user accounts. Usage: . . . [DefaultBox] BlockPassword=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change the user account password. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Password"},{"location":"Content/BlockPort/","text":"Block Port This feature was removed since v0.9.0 / 5.51.0. If you have custom BlockPort entries in your Sandboxie Ini , they will need to be updated by hand to the new format, so for example BlockPort=137,138,139,445 becomes NetworkAccess=*,Block;Port=137,138,139,445 (currently included in the Templates.ini file under the [Template_BlockPorts] section). BlockPort was a sandbox setting in Sandboxie Ini . It specified IP port numbers to block for outgoing communications. Usage: . . . [DefaultBox] BlockPort=137-139,445 BlockPort=*,80,8080 The port numbers listed above are associated with the SMB/CIFS network file sharing subsystem. 
The primary purpose of this setting is to block outgoing communications on SMB/CIFS ports, in order to prevent a rogue sandboxed program from accessing files through the SMB/CIFS subsystem, rather than by issuing direct requests to the local system. The setting can be specified repeatedly over multiple lines and the effects will accumulate. Port ranges may be specified as shown in the first example. The second example shows negated use: Block all ports except those specified following the asterisk (star) character. This setting is not configurable through Sandboxie Control, except to enable or disable a pre-defined list of default blocked ports: Sandbox Settings > Applications > Miscellaneous > Default list of blocked TCP/IP ports Note that this setting will prevent programs such as smbclient from properly running under Sandboxie. In case this is required, the setting can be turned off.","title":"Block Port"},{"location":"Content/BlockPort/#block-port","text":"This feature was removed since v0.9.0 / 5.51.0. If you have custom BlockPort entries in your Sandboxie Ini , they will need to be updated by hand to the new format, so for example BlockPort=137,138,139,445 becomes NetworkAccess=*,Block;Port=137,138,139,445 (currently included in the Templates.ini file under the [Template_BlockPorts] section). BlockPort was a sandbox setting in Sandboxie Ini . It specified IP port numbers to block for outgoing communications. Usage: . . . [DefaultBox] BlockPort=137-139,445 BlockPort=*,80,8080 The port numbers listed above are associated with the SMB/CIFS network file sharing subsystem. The primary purpose of this setting is to block outgoing communications on SMB/CIFS ports, in order to prevent a rogue sandboxed program from accessing files through the SMB/CIFS subsystem, rather than by issuing direct requests to the local system. The setting can be specified repeatedly over multiple lines and the effects will accumulate. 
Port ranges may be specified as shown in the first example. The second example shows negated use: Block all ports except those specified following the asterisk (star) character. This setting is not configurable through Sandboxie Control, except to enable or disable a pre-defined list of default blocked ports: Sandbox Settings > Applications > Miscellaneous > Default list of blocked TCP/IP ports Note that this setting will prevent programs such as smbclient from properly running under Sandboxie. In case this is required, the setting can be turned off.","title":"Block Port"},{"location":"Content/BlockScreenCapture/","text":"Block Screen Capture BlockScreenCapture is a sandbox setting in Sandboxie Ini available since v1.13.6 / 5.68.6. If enabled, it will prevent sandboxed processes from accessing the images of the window outside the sandbox. For example: . . . [DefaultBox] BlockScreenCapture=y A setting similar to BlockScreenCapture is CoverBoxedWindows . Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Prevent sandboxed processes from capturing window images","title":"Block Screen Capture"},{"location":"Content/BlockScreenCapture/#block-screen-capture","text":"BlockScreenCapture is a sandbox setting in Sandboxie Ini available since v1.13.6 / 5.68.6. If enabled, it will prevent sandboxed processes from accessing the images of the window outside the sandbox. For example: . . . [DefaultBox] BlockScreenCapture=y A setting similar to BlockScreenCapture is CoverBoxedWindows . Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Prevent sandboxed processes from capturing window images","title":"Block Screen Capture"},{"location":"Content/BlockSysParam/","text":"Block Sys Param BlockSysParam feature was removed in SBIE version 4.+ and up. It is no longer available. BlockSysParam was a sandbox setting in Sandboxie Ini . 
It specified whether Sandboxie should allow sandboxed programs to change various system parameters. Usage: . . . [DefaultBox] BlockSysParam=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change various system parameters, such as the desktop wallpaper. For an extensive discussion about the system parameters that can be changed, please consult the discussion on the SystemParametersInfo API on the Microsoft MSDN web site. Technical Note: When Sandboxie blocks a request to change a system parameter, this is logged in the Resource Access Monitor as operation (SystemParametersInfo:nnnnnnnn) where nnnnnnnn is a hexadecimal value corresponding to the uiAction parameter passed to the SystemParametersInfo API. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Sys Param"},{"location":"Content/BlockSysParam/#block-sys-param","text":"BlockSysParam feature was removed in SBIE version 4.+ and up. It is no longer available. BlockSysParam was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to change various system parameters. Usage: . . . [DefaultBox] BlockSysParam=n Specifying n indicates that a sandboxed program should be permitted to issue requests to change various system parameters, such as the desktop wallpaper. For an extensive discussion about the system parameters that can be changed, please consult the discussion on the SystemParametersInfo API on the Microsoft MSDN web site. Technical Note: When Sandboxie blocks a request to change a system parameter, this is logged in the Resource Access Monitor as operation (SystemParametersInfo:nnnnnnnn) where nnnnnnnn is a hexadecimal value corresponding to the uiAction parameter passed to the SystemParametersInfo API. 
Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Sys Param"},{"location":"Content/BlockWinHooks/","text":"Block Win Hooks BlockWinHooks feature was removed in SBIE version 4.+ and up. It is no longer available. BlockWinHooks was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to install system-global hooks. Usage: . . . [DefaultBox] BlockWinHooks=n One application may attach to other applications in the system by employing a mechanism called windows hooks. This mechanism associates a component of the requesting application (called a DLL file) with all other applications. By default, Sandboxie denies a request to install a global hook, and will instead convert the hook into an application-specific hook, and install this converted hook only into applications running in the same sandbox as the requesting application. In effect, this restricts the effect of global hooks to a specific sandbox, and increases the protection provided by Sandboxie while still allowing applications that rely on global hooks to execute correctly. Specifying BlockWinHooks=n disables this protection, and allows a sandboxed application to install global hooks into all running applications, both inside and outside the sandbox. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Win Hooks"},{"location":"Content/BlockWinHooks/#block-win-hooks","text":"BlockWinHooks feature was removed in SBIE version 4.+ and up. It is no longer available. BlockWinHooks was a sandbox setting in Sandboxie Ini . It specified whether Sandboxie should allow sandboxed programs to install system-global hooks. Usage: . . . [DefaultBox] BlockWinHooks=n One application may attach to other applications in the system by employing a mechanism called windows hooks. 
This mechanism associates a component of the requesting application (called a DLL file) with all other applications. By default, Sandboxie denies a request to install a global hook, and will instead convert the hook into an application-specific hook, and install this converted hook only into applications running in the same sandbox as the requesting application. In effect, this restricts the effect of global hooks to a specific sandbox, and increases the protection provided by Sandboxie while still allowing applications that rely on global hooks to execute correctly. Specifying BlockWinHooks=n disables this protection, and allows a sandboxed application to install global hooks into all running applications, both inside and outside the sandbox. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access","title":"Block Win Hooks"},{"location":"Content/BorderColor/","text":"Border Color BorderColor is a sandbox setting in Sandboxie Ini . It controls whether Sandboxie displays a colored border around the active foreground window, if that windows belongs to a sandboxed application. Usage: . . . [DefaultBox] BorderColor=#00FFFF,ttl,6 BorderColor=#00FFFF,off,6 BorderColor=#00FFFF,on,6 Its default value is \"#00FFFF,ttl,6\" . The number represents the default pixel width of the drawn border and can be omitted. Sandboxie doesn't draw the border if BorderColor ends with \",off,6\" , while in previous versions it was \",n\" . The color is specified in HTML-like RGB color notation: The hash mark prefixes a hexadecimal (base-16) number that is exactly 6-digits long. The first two hex digits denote the red component of the color. The next two hex digits denote the green component of the color. The last two hex digits denote the blue component of the color. The border will not be drawn when Sandboxie Control is not running. 
Related Sandboxie Control setting: Sandbox Settings > Appearance","title":"Border Color"},{"location":"Content/BorderColor/#border-color","text":"BorderColor is a sandbox setting in Sandboxie Ini . It controls whether Sandboxie displays a colored border around the active foreground window, if that windows belongs to a sandboxed application. Usage: . . . [DefaultBox] BorderColor=#00FFFF,ttl,6 BorderColor=#00FFFF,off,6 BorderColor=#00FFFF,on,6 Its default value is \"#00FFFF,ttl,6\" . The number represents the default pixel width of the drawn border and can be omitted. Sandboxie doesn't draw the border if BorderColor ends with \",off,6\" , while in previous versions it was \",n\" . The color is specified in HTML-like RGB color notation: The hash mark prefixes a hexadecimal (base-16) number that is exactly 6-digits long. The first two hex digits denote the red component of the color. The next two hex digits denote the green component of the color. The last two hex digits denote the blue component of the color. The border will not be drawn when Sandboxie Control is not running. Related Sandboxie Control setting: Sandbox Settings > Appearance","title":"Border Color"},{"location":"Content/BoxNameTitle/","text":"Box Name Title BoxNameTitle is a sandbox setting in Sandboxie Ini . It controls whether Sandboxie displays the name of the sandbox in the title bar of a window that belongs to a sandboxed application. Usage: . . . [DefaultBox] BoxNameTitle=y By default, Sandboxie only displays the sandboxed [#] indicator in the title bar of a window that belongs to a sandboxed application. 
For example: [#] Sandboxie - Front Page - Windows Internet Explorer [#] Specifying BoxNameTitle=y places the sandbox name in the title bar: [#] [DefaultBox] Sandboxie - Front Page - Windows Internet Explorer [#] Related Sandboxie Control setting: Sandbox Settings > Appearance","title":"Box Name Title"},{"location":"Content/BoxNameTitle/#box-name-title","text":"BoxNameTitle is a sandbox setting in Sandboxie Ini . It controls whether Sandboxie displays the name of the sandbox in the title bar of a window that belongs to a sandboxed application. Usage: . . . [DefaultBox] BoxNameTitle=y By default, Sandboxie only displays the sandboxed [#] indicator in the title bar of a window that belongs to a sandboxed application. For example: [#] Sandboxie - Front Page - Windows Internet Explorer [#] Specifying BoxNameTitle=y places the sandbox name in the title bar: [#] [DefaultBox] Sandboxie - Front Page - Windows Internet Explorer [#] Related Sandboxie Control setting: Sandbox Settings > Appearance","title":"Box Name Title"},{"location":"Content/BoxRootFolder/","text":"Box Root Folder This setting is deprecated. Please use FileRootPath instead. BoxRootFolder is a global setting in Sandboxie Ini . It specifies the folder containing all sandboxes. One sub-folder is created within the container folder for each sandbox in active use. In Sandboxie version 3 and later, the FileRootPath setting is the preferred way to specify the location of sandboxes, and takes precedence over BoxRootFolder in case both settings exist. Note that as any other sandbox setting, the FileRootPath may appear in the GlobalSettings section, and in that case, it applies to all sandboxes. See Sandbox Hierarchy for more information. Usage: . . . [GlobalSettings] BoxRootFolder=C:\\Sandbox Related Sandboxie Control setting: Sandbox menu > Set Container Folder","title":"Box Root Folder"},{"location":"Content/BoxRootFolder/#box-root-folder","text":"This setting is deprecated. Please use FileRootPath instead. 
BoxRootFolder is a global setting in Sandboxie Ini . It specifies the folder containing all sandboxes. One sub-folder is created within the container folder for each sandbox in active use. In Sandboxie version 3 and later, the FileRootPath setting is the preferred way to specify the location of sandboxes, and takes precedence over BoxRootFolder in case both settings exist. Note that as any other sandbox setting, the FileRootPath may appear in the GlobalSettings section, and in that case, it applies to all sandboxes. See Sandbox Hierarchy for more information. Usage: . . . [GlobalSettings] BoxRootFolder=C:\\Sandbox Related Sandboxie Control setting: Sandbox menu > Set Container Folder","title":"Box Root Folder"},{"location":"Content/BreakoutDocument/","text":"Breakout Document BreakoutDocument is a sandbox setting in Sandboxie Ini available since v1.8.5 / 5.63.5. It specifies which documents shall be opened unsandboxed when opened from within the sandbox. Usage: . . . [DefaultBox] BreakoutDocument=C:\\path\\*.txt BreakoutDocument=C:\\path\\*.jpg","title":"Breakout Document"},{"location":"Content/BreakoutDocument/#breakout-document","text":"BreakoutDocument is a sandbox setting in Sandboxie Ini available since v1.8.5 / 5.63.5. It specifies which documents shall be opened unsandboxed when opened from within the sandbox. Usage: . . . [DefaultBox] BreakoutDocument=C:\\path\\*.txt BreakoutDocument=C:\\path\\*.jpg","title":"Breakout Document"},{"location":"Content/BreakoutFolder/","text":"Breakout Folder BreakoutFolder is a sandbox setting in Sandboxie Ini available since v1.0.8 / 5.55.8. It forces a folder's content to run unsandboxed even if started from inside the sandbox. Usage: . . . [DefaultBox] BreakoutFolder=C:\\Downloads BreakoutFolder=E:\\ BreakoutFolder=C:\\App\\* BreakoutFolder=C:\\App? BreakoutFolder=C:\\?pp\\* The first example specifies that any content inside the folder \"C:\\Downloads\" will be launched unsandboxed. 
Entire drives can also be specified as shown in the second example. The third and fourth lines show basic characters from wildcards. * defines any subfolder beyond App folder (App\\1, App\\1\\1 and etc.). ? defines a single character from folder (Appa, App8 and etc.) but not subfolders. Also, you can combine several wildcards to match the specified folder name and subfolders. NOTE: * Shortcuts that link to a program outside the specified folders will be launched sandboxed. For example: if you place a shortcut inside a broken out folder and it links to some program in a non broken out folder, then the shortcut will launch sandboxed. Check BreakoutProcess for information on breaking out programs. Also check ForceFolder , the counterpart of this setting, which forces a folder's content to launch sandboxed.","title":"Breakout Folder"},{"location":"Content/BreakoutFolder/#breakout-folder","text":"BreakoutFolder is a sandbox setting in Sandboxie Ini available since v1.0.8 / 5.55.8. It forces a folder's content to run unsandboxed even if started from inside the sandbox. Usage: . . . [DefaultBox] BreakoutFolder=C:\\Downloads BreakoutFolder=E:\\ BreakoutFolder=C:\\App\\* BreakoutFolder=C:\\App? BreakoutFolder=C:\\?pp\\* The first example specifies that any content inside the folder \"C:\\Downloads\" will be launched unsandboxed. Entire drives can also be specified as shown in the second example. The third and fourth lines show basic characters from wildcards. * defines any subfolder beyond App folder (App\\1, App\\1\\1 and etc.). ? defines a single character from folder (Appa, App8 and etc.) but not subfolders. Also, you can combine several wildcards to match the specified folder name and subfolders. NOTE: * Shortcuts that link to a program outside the specified folders will be launched sandboxed. For example: if you place a shortcut inside a broken out folder and it links to some program in a non broken out folder, then the shortcut will launch sandboxed. 
Check BreakoutProcess for information on breaking out programs. Also check ForceFolder , the counterpart of this setting, which forces a folder's content to launch sandboxed.","title":"Breakout Folder"},{"location":"Content/BreakoutProcess/","text":"Breakout Process BreakoutProcess is a sandbox setting in Sandboxie Ini available since v1.0.8 / 5.55.8. It specifies which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. Usage: . . . [DefaultBox] BreakoutProcess=ProgramName.exe BreakoutProcess=Program*.exe BreakoutProcess=Program?.exe BreakoutProcess=Pro?ram*.exe * defines any name after Program (Program0Test1.exe, Program5Test92G.exe and etc.). ? defines one character from name (Program1.exe, Programg.exe and etc.). Also, you can combine several wildcards to match the specified name. Specifying ProgramName indicates the application that should be launched unsandboxed. Alternatively, the program's path can be specified. Priority System: If you set a program to breakout from a sandbox and force it to be sandboxed in another, this acts as a useful priority system. Example: Let's say you happen to use your browser as a PDF viewer and have 2 sandboxes \"Browser\" and \"Email\". Assume you received a PDF through an email and would rather have the PDF launch a browser tab in the respective \"Browser\" sandbox rather than the current (\"Email\") sandbox. You can break out your browser exe in the \"Email\" sandbox and force it in the \"Browser\" sandbox. Check ForceProcess for more information.","title":"Breakout Process"},{"location":"Content/BreakoutProcess/#breakout-process","text":"BreakoutProcess is a sandbox setting in Sandboxie Ini available since v1.0.8 / 5.55.8. It specifies which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. Usage: . . . 
[DefaultBox] BreakoutProcess=ProgramName.exe BreakoutProcess=Program*.exe BreakoutProcess=Program?.exe BreakoutProcess=Pro?ram*.exe * defines any name after Program (Program0Test1.exe, Program5Test92G.exe and etc.). ? defines one character from name (Program1.exe, Programg.exe and etc.). Also, you can combine several wildcards to match the specified name. Specifying ProgramName indicates the application that should be launched unsandboxed. Alternatively, the program's path can be specified. Priority System: If you set a program to breakout from a sandbox and force it to be sandboxed in another, this acts as a useful priority system. Example: Let's say you happen to use your browser as a PDF viewer and have 2 sandboxes \"Browser\" and \"Email\". Assume you received a PDF through an email and would rather have the PDF launch a browser tab in the respective \"Browser\" sandbox rather than the current (\"Email\") sandbox. You can break out your browser exe in the \"Email\" sandbox and force it in the \"Browser\" sandbox. Check ForceProcess for more information.","title":"Breakout Process"},{"location":"Content/ByteOrderMark/","text":"Byte Order Mark This feature was removed since v0.6.5 / 5.47.0. ByteOrderMark was a global setting in Sandboxie Ini . It was typically specified as ByteOrderMark=y (see Yes Or No Settings ), and indicated that Sandboxie Control should insert a UTF-16 UNICODE Byte Order Mark (BOM) character at the top of the configuration file. Usage: . . . [GlobalSettings] ByteOrderMark=y This setting must be edited into Sandboxie Ini , then Sandboxie configuration must be manually reloaded . Following this, the next time Sandboxie Control rewrites the configuration, it will insert the UNICODE BOM character into the very first two bytes in the Sandboxie Ini configuration file, thus: (hex.) FF FE. 
You need only bother with this setting if both these statements are true: You plan to edit the Sandboxie Ini file manually; Your text editor cannot recognize that Sandboxie Ini file is a UNICODE text file.","title":"Byte Order Mark"},{"location":"Content/ByteOrderMark/#byte-order-mark","text":"This feature was removed since v0.6.5 / 5.47.0. ByteOrderMark was a global setting in Sandboxie Ini . It was typically specified as ByteOrderMark=y (see Yes Or No Settings ), and indicated that Sandboxie Control should insert a UTF-16 UNICODE Byte Order Mark (BOM) character at the top of the configuration file. Usage: . . . [GlobalSettings] ByteOrderMark=y This setting must be edited into Sandboxie Ini , then Sandboxie configuration must be manually reloaded . Following this, the next time Sandboxie Control rewrites the configuration, it will insert the UNICODE BOM character into the very first two bytes in the Sandboxie Ini configuration file, thus: (hex.) FF FE. You need only bother with this setting if both these statements are true: You plan to edit the Sandboxie Ini file manually; Your text editor cannot recognize that Sandboxie Ini file is a UNICODE text file.","title":"Byte Order Mark"},{"location":"Content/ClosePrintSpooler/","text":"Close Print Spooler ClosePrintSpooler is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] ClosePrintSpooler=n This setting can be used to prevent sandboxed applications from interacting with the print spooler service. When set to y , sandboxed applications will be unable to interact with the print spooler service - for example, print. Added as part of 0.5.4 / 5.46.0 version. Interaction with OpenPrintSpooler . . . [DefaultBox] ClosePrintSpooler=n OpenPrintSpooler=n When both settings are configured as shown above, requests from sandboxed applications to the print spooler are selectively filtered. 
This means that certain actions related to the print spooler are permitted (\"open\") while others are restricted (\"closed\"). Specifically, this configuration allows for printing operations but restricts activities that would modify printer configurations or the installation/removal of printers on the system.","title":"Close Print Spooler"},{"location":"Content/ClosePrintSpooler/#close-print-spooler","text":"ClosePrintSpooler is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] ClosePrintSpooler=n This setting can be used to prevent sandboxed applications from interacting with the print spooler service. When set to y , sandboxed applications will be unable to interact with the print spooler service - for example, print. Added as part of 0.5.4 / 5.46.0 version.","title":"Close Print Spooler"},{"location":"Content/ClosePrintSpooler/#interaction-with-openprintspooler","text":". . . [DefaultBox] ClosePrintSpooler=n OpenPrintSpooler=n When both settings are configured as shown above, requests from sandboxed applications to the print spooler are selectively filtered. This means that certain actions related to the print spooler are permitted (\"open\") while others are restricted (\"closed\"). Specifically, this configuration allows for printing operations but restricts activities that would modify printer configurations or the installation/removal of printers on the system.","title":"Interaction with OpenPrintSpooler"},{"location":"Content/ClosedClsid/","text":"Closed Clsid ClosedClsid is a sandbox setting in Sandboxie Ini available since v0.5.3a / 5.45.2. It specifies the COM class identifiers for unsandboxed COM objects that should not be accessible by a sandboxed program. Usage: . . . [DefaultBox] ClosedClsid={8BC3F05E-D86B-11D0-A075-00C04FB68820} This example makes the Windows Management and Instrumentation not accessible to sandboxed programs. 
Related Sandboxie Plus setting: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Closed","title":"Closed Clsid"},{"location":"Content/ClosedClsid/#closed-clsid","text":"ClosedClsid is a sandbox setting in Sandboxie Ini available since v0.5.3a / 5.45.2. It specifies the COM class identifiers for unsandboxed COM objects that should not be accessible by a sandboxed program. Usage: . . . [DefaultBox] ClosedClsid={8BC3F05E-D86B-11D0-A075-00C04FB68820} This example makes the Windows Management and Instrumentation not accessible to sandboxed programs. Related Sandboxie Plus setting: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Closed","title":"Closed Clsid"},{"location":"Content/ClosedFilePath/","text":"Closed File Path ClosedFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks files and folders from being accessed by sandboxed programs. Shell Folders may be specified. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedFilePath=!iexplore.exe,%Cookies% ClosedFilePath=%Personal% ClosedFilePath=!iexplore.exe,\\Device\\RawIp ClosedFilePath=!iexplore.exe,\\Device\\Ip* ClosedFilePath=!iexplore.exe,\\Device\\Tcp* ClosedFilePath=!iexplore.exe,\\Device\\Afd* The example blocks any program other than Internet Explorer ( iexplore.exe ) from accessing the folder containing downloaded Internet cookies for the active user account. This would block any downloaded malicious software from spying on cookies. (Note that this does not stop browser extensions, like add-on toolbars, from looking into the Cookies folder, because these extensions execute inside the Internet Explorer program process.) The second example shows how to configure Sandboxie to block sandboxed programs from accessing the Documents folder. The value specified for ClosedFilePath can include wildcards. 
For more information on this, including examples that show the use of wildcards, see OpenFilePath . The third example (spanning four lines) disables Internet access within a sandbox except for Internet Explorer ( iexplore.exe ). See also Sandbox Settings > Restrictions > Internet Access . Note: Unlike the corresponding OpenFilePath setting, the ClosedFilePath settings always applies to sandboxed programs, whether the program executable file resides within the sandbox, or out of it. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Closed","title":"Closed File Path"},{"location":"Content/ClosedFilePath/#closed-file-path","text":"ClosedFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks files and folders from being accessed by sandboxed programs. Shell Folders may be specified. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedFilePath=!iexplore.exe,%Cookies% ClosedFilePath=%Personal% ClosedFilePath=!iexplore.exe,\\Device\\RawIp ClosedFilePath=!iexplore.exe,\\Device\\Ip* ClosedFilePath=!iexplore.exe,\\Device\\Tcp* ClosedFilePath=!iexplore.exe,\\Device\\Afd* The example blocks any program other than Internet Explorer ( iexplore.exe ) from accessing the folder containing downloaded Internet cookies for the active user account. This would block any downloaded malicious software from spying on cookies. (Note that this does not stop browser extensions, like add-on toolbars, from looking into the Cookies folder, because these extensions execute inside the Internet Explorer program process.) The second example shows how to configure Sandboxie to block sandboxed programs from accessing the Documents folder. 
The value specified for ClosedFilePath can include wildcards. For more information on this, including examples that show the use of wildcards, see OpenFilePath . The third example (spanning four lines) disables Internet access within a sandbox except for Internet Explorer ( iexplore.exe ). See also Sandbox Settings > Restrictions > Internet Access . Note: Unlike the corresponding OpenFilePath setting, the ClosedFilePath settings always applies to sandboxed programs, whether the program executable file resides within the sandbox, or out of it. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Closed","title":"Closed File Path"},{"location":"Content/ClosedIpcPath/","text":"Closed Ipc Path ClosedIpcPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks resources from being accessed by sandboxed programs. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedIpcPath=\\RPC Control\\AudioSrv Unlike sandboxed files, folders and registry keys, Sandboxie will generally not allow a sandboxed program to access a non-sandboxed resource. The exceptions to this rule are if the resource was specified in an OpenIpcPath setting, or if Sandboxie by default recognizes the resource and exposes it for use inside the sandbox. The ClosedIpcPath setting is typically useful to block those resources that Sandboxie recognizes by default. In the example above, the AudioSrv resource is blocked. This resource provides access to audio hardware, in other words, it enables sandboxed programs to generate sound. By blocking it, the sandboxed program is essentially muted. This setting accepts wildcards. 
For more information on the use of wildcards in the OpenXxxPath and ClosedXxxPath settings, see OpenFilePath . Note: Unlike the corresponding OpenIpcPath setting, the ClosedKeyPath settings always applies to sandboxed programs, whether the program executable file resides within the sandbox, or out of it. Related Sandboxie Control setting: Sandbox Settings > Resource Access > IPC Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Closed","title":"Closed Ipc Path"},{"location":"Content/ClosedIpcPath/#closed-ipc-path","text":"ClosedIpcPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks resources from being accessed by sandboxed programs. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedIpcPath=\\RPC Control\\AudioSrv Unlike sandboxed files, folders and registry keys, Sandboxie will generally not allow a sandboxed program to access a non-sandboxed resource. The exceptions to this rule are if the resource was specified in an OpenIpcPath setting, or if Sandboxie by default recognizes the resource and exposes it for use inside the sandbox. The ClosedIpcPath setting is typically useful to block those resources that Sandboxie recognizes by default. In the example above, the AudioSrv resource is blocked. This resource provides access to audio hardware, in other words, it enables sandboxed programs to generate sound. By blocking it, the sandboxed program is essentially muted. This setting accepts wildcards. For more information on the use of wildcards in the OpenXxxPath and ClosedXxxPath settings, see OpenFilePath . Note: Unlike the corresponding OpenIpcPath setting, the ClosedKeyPath settings always applies to sandboxed programs, whether the program executable file resides within the sandbox, or out of it. 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > IPC Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Closed","title":"Closed Ipc Path"},{"location":"Content/ClosedKeyPath/","text":"Closed Key Path ClosedKeyPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks registry keys from being accessed by sandboxed programs. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedKeyPath=!msimn.exe,HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager The example blocks any program other than Outlook Express ( msimn.exe ) from accessing the registry key containing configured email accounts for the active user account. The value specified for ClosedKeyPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: ClosedKeyPath only blocks access to registry keys outside the sandbox, which have not yet been copied (or created) in the sandbox. Note: Unlike the corresponding OpenKeyPath setting, the ClosedKeyPath settings are always applied to programs in the sandbox, regardless of whether the program's executable file is inside or outside the sandbox. Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Closed","title":"Closed Key Path"},{"location":"Content/ClosedKeyPath/#closed-key-path","text":"ClosedKeyPath is a sandbox setting in Sandboxie Ini . 
It specifies path patterns for which Sandboxie will deny all access by sandboxed programs, including read access. This setting essentially blocks registry keys from being accessed by sandboxed programs. Program Name Prefix may be specified. Example: . . . [DefaultBox] ClosedKeyPath=!msimn.exe,HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager The example blocks any program other than Outlook Express ( msimn.exe ) from accessing the registry key containing configured email accounts for the active user account. The value specified for ClosedKeyPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: ClosedKeyPath only blocks access to registry keys outside the sandbox, which have not yet been copied (or created) in the sandbox. Note: Unlike the corresponding OpenKeyPath setting, the ClosedKeyPath settings are always applied to programs in the sandbox, regardless of whether the program's executable file is inside or outside the sandbox. Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Blocked Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Closed","title":"Closed Key Path"},{"location":"Content/ClosedRT/","text":"Closed RT ClosedRT is a sandbox setting in Sandboxie Ini available since v0.5.3a / 5.45.2. It specifies the problematic Windows RT interfaces that should not be accessible by a sandboxed program. Usage: . . . [DefaultBox] ClosedRT=ExampleRT This example makes the ExampleRT interface not accessible to sandboxed programs. 
Related Sandboxie Plus setting: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Closed RT","title":"Closed RT"},{"location":"Content/ClosedRT/#closed-rt","text":"ClosedRT is a sandbox setting in Sandboxie Ini available since v0.5.3a / 5.45.2. It specifies the problematic Windows RT interfaces that should not be accessible by a sandboxed program. Usage: . . . [DefaultBox] ClosedRT=ExampleRT This example makes the ExampleRT interface not accessible to sandboxed programs. Related Sandboxie Plus setting: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Closed RT","title":"Closed RT"},{"location":"Content/CodeInjection/","text":"Code Injection Sandboxie employs a particularly low level approach of injecting its code into processes during creation. Trigger The driver registers a PsSetCreateProcessNotifyRoutine callback and when this is triggered inspects if the process should be sandboxed, when it decides so it blocks and requests the SbieSvc service to inject a loader into the process image. Alternatively a suspended process can be created and the driver triggered to put it into a sandbox by using API_START_PROCESS and resuming the process once the driver has finished. The injection mechanism itself can be adapted to be utilized without the driver. As of version 5.44 the loader code has been moved from the SbieSvc.exe to SbieDll.dll. Overview The Code Injection mechanism is made up of 3 components, the injector itself, a low-level shell code (LowLevel.dll), and the to be injected payload (SbieDll.dll). Note that the LowLevel.dll is embedded into the loader as a resource. Remote Injection The injection is done calling _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle) and providing the required arguments, the function then: Starts with preparing a data block lowdata of type SBIELOW_DATA , and filling in various values like is_wow64, bHostInject and others... 
Then it uses SbieDll_InjectLow_CopyCode to allocate sizeof(shell_code) + sizeof(SBIELOW_J_TABLE) + 0x400 bytes of Memory in the target process and write the shell code to it. This function also, in an unrelated last step, copies 48 bytes from the begin of ntdll!LdrInitializeThunk into lowdata.LdrInitializeThunk_tramp . Then if dup_drv_handle was set SbieDll_InjectLow_SendHandle is used to open a handle to the driver and duplicate it into the process, saving its value to lowdata.api_device_handle . Then duplicates of a couple of required NTDLL functions are saved to the lowdata data block, and the address of the SBIELOW_J_TABLE section is stored to lowdata.Sbie64bitJumpTable . Then the actual trampoline is build by SbieDll_InjectLow_BuildTramp in lowdata.LdrInitializeThunk_tramp . Now the function uses SbieDll_InjectLow_CopySyscalls to allocate and fill in another memory segment syscall_data . This block is made up of 2 sections one containing information from the driver that are used to hook all system calls, this is optionally done by the shell code when bHostInject == 0 , that is followed by the SBIELOW_EXTRA_DATA that points to values stored behind it in the memory block. The data stored there a couple of offsets, as well as the full paths to the SbieDll.dll that is to be injected later on. The address of that auxiliary memory is saved to lowdata.syscall_data and the lowdata block is written with SbieDll_InjectLow_CopyData directly into the shell code memory. Finally the ntdll!LdrInitializeThunk in the target process gets overwritten using SbieDll_InjectLow_WriteJump with a jump instruction into the shell code's entry point. Now the process can be resumed and the injected code will do its thing. An important note to make here is that this function does the same for native 64 bit and wow64 emulated 32 bit processes, in fact, on a 64-bit system the injected shell code is always 64 bit. 
Only much later in the initialization of the process running under wow64 it switches to 32-bit. Shell Code (LowLevel.dll) operation The LowLevel.dll is written partially in assembler and partially in C, its base address is set to 0 to gain position independence. The initial entry point _Start retrieves the current address and calculates the addresses of the data block data of type SBIELOW_DATA and those of a couple of helper functions written in assembler, with those values as parameter it calls the EntrypointC function handing off the operation to the C portion. The EntrypointC function ensures that it will be executed only once, using a spinlock, and then checks if the data->bHostInject field is set to 0 it first hooks all the ntdll sys call functions using InitSyscalls then it prepares the later loading of the SbieDll.dll using InitInject and, on 64 bit systems only, it calls InitConsole to modify the ConsoleHandle. If bHostInject != 0 the function only calls InitInject . Last the trampoline to the original function data->LdrInitializeThunk_tramp is called. InitInject The InitInject function checks if the process is running natively (i.e. 32-bit on a x86 system or 64-bit in a x64 system), or if it's running under wow64 (that is a 32-bit process on a 64-bit system) and selects either the native ntdll base address or the one of the wow64 ntdll. On Windows versions prior to 8, that address was located in KUSER_SHARED_DATA::Wow64SharedInformation structure, but not on later versions. Sandboxie used the driver to record the address of the wow64 ntdll during image loading and InitInject queried the driver for it. Since version 5.44, however, it's driver independent, the loader code uses NtQueryVirtualMemory to find the image base address and saves it into the ntdll_wow64_base field of the data block. 
At this point the top portion of the data->syscall_data before the SBIELOW_EXTRA_DATA region is no longer required and is repurposed to store temporary data of the type INJECT_DATA . The function then finds the addresses of LdrLoadDll , LdrGetProcedureAddress , NtRaiseHardError and RtlFindActivationContextSectionString using a custom FindDllExport lookup function by parsing through the previously selected ntdll image, these addresses are stored into the INJECT_DATA region, then a couple values from the SBIELOW_EXTRA_DATA are also copied into that region, containing paths to the SbieDll.dll (both 32 and 64 bit paths), as well as the name of kernel32.dll. On 64-bit systems the function distinguishes between the native and the wow64 execution, in the latter case branching off to InitInjectWow64 . In the native case it continues with hooking the RtlFindActivationContextSectionString function in the ntdll.dll. An original copy of the functions begin is first saved to the INJECT_DATA structure. The address of the structure is written into the detour function which is implemented in assembler. Then the RtlFindActivationContextSectionString begin is overwritten with a jump instruction to the detour function. Last a pointer to the SBIELOW_DATA region is saved into the very top of the INJECT_DATA region, and the function exits. In the wow64 case InitInjectWow64 sets up the RtlFindActivationContextSectionString hook on the 32-bit version of the function in the wow64 ntdll.dll in a similar way. RtlFindActivationContextSectionString Detour In contrary to the above operations which are always executed natively, the RtlFindActivationContextSectionString detour function is executed in the mode matching the bit-ness of the started process. The function first restores the original RtlFindActivationContextSectionString begin. Then it loads the kernel32.dll followed by loading the SbieDll.dll and retrieving the address of Ordinal 1. 
Then it saves value of the first argument to the INJECT_DATA structure and replaces it with a pointer to said structure. Finally, it jumps to address of Ordinal 1, it uses a jump rather than call to invoke it so that when it returns it will return directly to the current caller. Payload (SbieDll.dll) operation The SbieDll.dll hook entry point Dll_Ordinal1 function starts of by obtaining a few required values from the INJECT_DATA structure that was passed as first argument, like the address of SBIELOW_DATA data block, and the original value of the first argument. Having copied the required values, it can free the no longer needed INJECT_DATA , formally syscall_data region. The function now checks if bHostInject is set to 0 in which case it Calls SbieDll!Dll_InitInjected this function hooks pretty much everything, ?, last but not least it calls SbieDll!Ldr_Init which sets up callbacks for dll loading and calls SbieDll!Ldr_Inject_Init . If bHostInject != 0 however SbieDll!Ldr_Inject_Init is called directly from Dll_Ordinal1 . Once the initialization is completed Dll_Ordinal1 runs the real RtlFindActivationContextSectionString with its original arguments and returns. As if all this hooking wouldn?t be enough SbieDll!Ldr_Inject_Init sets up yet an other hook, this time targeting the actual entry point of the starting process. The function saves the initial bytes of the entry point, and overwrites it with a jump to SbieDll!Ldr_Inject_Entry64 or to SbieDll!Ldr_Inject_Entry32 respectively. Those are implemented in assembler, they pass a pointer to the return address location as argument to SbieDll!Ldr_Inject_Entry and clean up the stack, then they return to the begin of the entry point. Ldr_Inject_Entry This function first restores the original entry point function from SbieDll!Ldr_Inject_SaveBytes and changes its caller?s return address to point to the begin of the entry point. This way once the caller returns the real entry point will be invoked. 
Then the function checks if bHostInject is set to 0 in which case it first calls SbieDll!Ldr_LoadInjectDlls and then SbieDll!Dll_InitExeEntry which performs the last initialization steps. If bHostInject != 0 it calls only SbieDll!Ldr_LoadInjectDlls this function checks the Sandboxie.ini for the InjectDll or the InjectDll64 respectively, and loads the additional dll?s if any are configured.","title":"Code Injection"},{"location":"Content/CodeInjection/#code-injection","text":"Sandboxie employs a particularly low level approach of injecting its code into processes during creation.","title":"Code Injection"},{"location":"Content/CodeInjection/#trigger","text":"The driver registers a PsSetCreateProcessNotifyRoutine callback and when this is triggered inspects if the process should be sandboxed, when it decides so it blocks and requests the SbieSvc service to inject a loader into the process image. Alternatively a suspended process can be created and the driver triggered to put it into a sandbox by using API_START_PROCESS and resuming the process once the driver has finished. The injection mechanism itself can be adapted to be utilized without the driver. As of version 5.44 the loader code has been moved from the SbieSvc.exe to SbieDll.dll.","title":"Trigger"},{"location":"Content/CodeInjection/#overview","text":"The Code Injection mechanism is made up of 3 components, the injector itself, a low-level shell code (LowLevel.dll), and the to be injected payload (SbieDll.dll). Note that the LowLevel.dll is embedded into the loader as a resource.","title":"Overview"},{"location":"Content/CodeInjection/#remote-injection","text":"The injection is done calling _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle) and providing the required arguments, the function then: Starts with preparing a data block lowdata of type SBIELOW_DATA , and filling in various values like is_wow64, bHostInject and others... 
Then it uses SbieDll_InjectLow_CopyCode to allocate sizeof(shell_code) + sizeof(SBIELOW_J_TABLE) + 0x400 bytes of Memory in the target process and write the shell code to it. This function also, in an unrelated last step, copies 48 bytes from the begin of ntdll!LdrInitializeThunk into lowdata.LdrInitializeThunk_tramp . Then if dup_drv_handle was set SbieDll_InjectLow_SendHandle is used to open a handle to the driver and duplicate it into the process, saving its value to lowdata.api_device_handle . Then duplicates of a couple of required NTDLL functions are saved to the lowdata data block, and the address of the SBIELOW_J_TABLE section is stored to lowdata.Sbie64bitJumpTable . Then the actual trampoline is build by SbieDll_InjectLow_BuildTramp in lowdata.LdrInitializeThunk_tramp . Now the function uses SbieDll_InjectLow_CopySyscalls to allocate and fill in another memory segment syscall_data . This block is made up of 2 sections one containing information from the driver that are used to hook all system calls, this is optionally done by the shell code when bHostInject == 0 , that is followed by the SBIELOW_EXTRA_DATA that points to values stored behind it in the memory block. The data stored there a couple of offsets, as well as the full paths to the SbieDll.dll that is to be injected later on. The address of that auxiliary memory is saved to lowdata.syscall_data and the lowdata block is written with SbieDll_InjectLow_CopyData directly into the shell code memory. Finally the ntdll!LdrInitializeThunk in the target process gets overwritten using SbieDll_InjectLow_WriteJump with a jump instruction into the shell code's entry point. Now the process can be resumed and the injected code will do its thing. An important note to make here is that this function does the same for native 64 bit and wow64 emulated 32 bit processes, in fact, on a 64-bit system the injected shell code is always 64 bit. 
Only much later in the initialization of the process running under wow64 it switches to 32-bit.","title":"Remote Injection"},{"location":"Content/CodeInjection/#shell-code-lowleveldll-operation","text":"The LowLevel.dll is written partially in assembler and partially in C, its base address is set to 0 to gain position independence. The initial entry point _Start retrieves the current address and calculates the addresses of the data block data of type SBIELOW_DATA and those of a couple of helper functions written in assembler, with those values as parameter it calls the EntrypointC function handing off the operation to the C portion. The EntrypointC function ensures that it will be executed only once, using a spinlock, and then checks if the data->bHostInject field is set to 0 it first hooks all the ntdll sys call functions using InitSyscalls then it prepares the later loading of the SbieDll.dll using InitInject and, on 64 bit systems only, it calls InitConsole to modify the ConsoleHandle. If bHostInject != 0 the function only calls InitInject . Last the trampoline to the original function data->LdrInitializeThunk_tramp is called.","title":"Shell Code (LowLevel.dll) operation"},{"location":"Content/CodeInjection/#initinject","text":"The InitInject function checks if the process is running natively (i.e. 32-bit on a x86 system or 64-bit in a x64 system), or if it's running under wow64 (that is a 32-bit process on a 64-bit system) and selects either the native ntdll base address or the one of the wow64 ntdll. On Windows versions prior to 8, that address was located in KUSER_SHARED_DATA::Wow64SharedInformation structure, but not on later versions. Sandboxie used the driver to record the address of the wow64 ntdll during image loading and InitInject queried the driver for it. Since version 5.44, however, it's driver independent, the loader code uses NtQueryVirtualMemory to find the image base address and saves it into the ntdll_wow64_base field of the data block. 
At this point the top portion of the data->syscall_data before the SBIELOW_EXTRA_DATA region is no longer required and is repurposed to store temporary data of the type INJECT_DATA . The function then finds the addresses of LdrLoadDll , LdrGetProcedureAddress , NtRaiseHardError and RtlFindActivationContextSectionString using a custom FindDllExport lookup function by parsing through the previously selected ntdll image, these addresses are stored into the INJECT_DATA region, then a couple values from the SBIELOW_EXTRA_DATA are also copied into that region, containing paths to the SbieDll.dll (both 32 and 64 bit paths), as well as the name of kernel32.dll. On 64-bit systems the function distinguishes between the native and the wow64 execution, in the latter case branching off to InitInjectWow64 . In the native case it continues with hooking the RtlFindActivationContextSectionString function in the ntdll.dll. An original copy of the functions begin is first saved to the INJECT_DATA structure. The address of the structure is written into the detour function which is implemented in assembler. Then the RtlFindActivationContextSectionString begin is overwritten with a jump instruction to the detour function. Last a pointer to the SBIELOW_DATA region is saved into the very top of the INJECT_DATA region, and the function exits. In the wow64 case InitInjectWow64 sets up the RtlFindActivationContextSectionString hook on the 32-bit version of the function in the wow64 ntdll.dll in a similar way.","title":"InitInject"},{"location":"Content/CodeInjection/#rtlfindactivationcontextsectionstring-detour","text":"In contrary to the above operations which are always executed natively, the RtlFindActivationContextSectionString detour function is executed in the mode matching the bit-ness of the started process. The function first restores the original RtlFindActivationContextSectionString begin. 
Then it loads the kernel32.dll followed by loading the SbieDll.dll and retrieving the address of Ordinal 1. Then it saves value of the first argument to the INJECT_DATA structure and replaces it with a pointer to said structure. Finally, it jumps to address of Ordinal 1, it uses a jump rather than call to invoke it so that when it returns it will return directly to the current caller.","title":"RtlFindActivationContextSectionString Detour"},{"location":"Content/CodeInjection/#payload-sbiedlldll-operation","text":"The SbieDll.dll hook entry point Dll_Ordinal1 function starts of by obtaining a few required values from the INJECT_DATA structure that was passed as first argument, like the address of SBIELOW_DATA data block, and the original value of the first argument. Having copied the required values, it can free the no longer needed INJECT_DATA , formally syscall_data region. The function now checks if bHostInject is set to 0 in which case it Calls SbieDll!Dll_InitInjected this function hooks pretty much everything, ?, last but not least it calls SbieDll!Ldr_Init which sets up callbacks for dll loading and calls SbieDll!Ldr_Inject_Init . If bHostInject != 0 however SbieDll!Ldr_Inject_Init is called directly from Dll_Ordinal1 . Once the initialization is completed Dll_Ordinal1 runs the real RtlFindActivationContextSectionString with its original arguments and returns. As if all this hooking wouldn?t be enough SbieDll!Ldr_Inject_Init sets up yet an other hook, this time targeting the actual entry point of the starting process. The function saves the initial bytes of the entry point, and overwrites it with a jump to SbieDll!Ldr_Inject_Entry64 or to SbieDll!Ldr_Inject_Entry32 respectively. 
Those are implemented in assembler, they pass a pointer to the return address location as argument to SbieDll!Ldr_Inject_Entry and clean up the stack, then they return to the begin of the entry point.","title":"Payload (SbieDll.dll) operation"},{"location":"Content/CodeInjection/#ldr_inject_entry","text":"This function first restores the original entry point function from SbieDll!Ldr_Inject_SaveBytes and changes its caller?s return address to point to the begin of the entry point. This way once the caller returns the real entry point will be invoked. Then the function checks if bHostInject is set to 0 in which case it first calls SbieDll!Ldr_LoadInjectDlls and then SbieDll!Dll_InitExeEntry which performs the last initialization steps. If bHostInject != 0 it calls only SbieDll!Ldr_LoadInjectDlls this function checks the Sandboxie.ini for the InjectDll or the InjectDll64 respectively, and loads the additional dll?s if any are configured.","title":"Ldr_Inject_Entry"},{"location":"Content/ConfidentialBox/","text":"Confidential Box ConfidentialBox is a sandbox setting in Sandboxie Ini . . . . [DefaultBox] ConfidentialBox=y Use the 'ConfidentialBox=y' option to prevent the host process from reading access to the isolated process. Technical Details For more information, see Box Encryption and Box Preset Comparison .","title":"Confidential Box"},{"location":"Content/ConfidentialBox/#confidential-box","text":"ConfidentialBox is a sandbox setting in Sandboxie Ini . . . . [DefaultBox] ConfidentialBox=y Use the 'ConfidentialBox=y' option to prevent the host process from reading access to the isolated process. Technical Details For more information, see Box Encryption and Box Preset Comparison .","title":"Confidential Box"},{"location":"Content/ConfigLevel/","text":"Config Level Note: In Sandboxie versions before 3.xx, ConfigLevel was a global setting in the [GlobalSettings] section. 
The global ConfigLevel setting is no longer used, and is ignored if it exists in the configuration file. ConfigLevel is a sandbox setting in Sandboxie Ini . It is used by Sandboxie Control to manage default configuration for a sandbox. When ConfigLevel is missing, not a number, or a number below 9, Sandboxie Control will add the following configuration to the sandbox: . . . [DefaultBox] ConfigLevel=9 Template=OpenSmartCard Template=OpenBluetooth Note that ConfigLevel value was changed from 8 to 9 with the release of Sandboxie v0.7.5 / 5.49.8. In the future, new configuration levels may be added in later versions of Sandboxie.","title":"Config Level"},{"location":"Content/ConfigLevel/#config-level","text":"Note: In Sandboxie versions before 3.xx, ConfigLevel was a global setting in the [GlobalSettings] section. The global ConfigLevel setting is no longer used, and is ignored if it exists in the configuration file. ConfigLevel is a sandbox setting in Sandboxie Ini . It is used by Sandboxie Control to manage default configuration for a sandbox. When ConfigLevel is missing, not a number, or a number below 9, Sandboxie Control will add the following configuration to the sandbox: . . . [DefaultBox] ConfigLevel=9 Template=OpenSmartCard Template=OpenBluetooth Note that ConfigLevel value was changed from 8 to 9 with the release of Sandboxie v0.7.5 / 5.49.8. In the future, new configuration levels may be added in later versions of Sandboxie.","title":"Config Level"},{"location":"Content/ConfigurationProtection/","text":"Configuration Protection Initially, anyone using Sandboxie Control or the Sandman UI can change any aspect of the Sandboxie configuration, which is stored in the Sandboxie Ini configuration file. Additionally, anyone with access to the configuration text file can also manipulate the configuration and reload it into Sandboxie. It is possible to activate protection of Sandboxie Ini configuration file from unauthorized changes. 
Sandboxie offers four modes of protection: Only Administrator user accounts can make changes (See also: EditAdminOnly .) Password must be entered in order to make changes (See also: EditPassword .) Only Administrator user accounts can use Pause Forcing Programs command (See also: ForceDisableAdminOnly .) Clear password when main window becomes hidden (See also: ForgetPassword.) All modes can be active at the same time. The protection applies to the Global Settings , Sandbox Settings and Template Settings sections of the Sandboxie Ini configuration file. It does not apply to any User Settings sections, which store per-user preferences. To activate the protection in Sandboxie Control , use the Configure menu > Lock Configuration command. To activate the protection in Sandman , use the Options menu > Global Settings > Advanced Config > Sandboxie.ini Presets > Config Protection command. To prevent circumvention of the protection, please consider the following points: Placement of the configuration file: As discussed in the Sandboxie Ini page, Sandboxie looks for its configuration file in the Windows folder first, and in the Sandboxie installation folder second. The protection should be applied to a configuration file that is located in the Windows folder. If the protection is applied to the configuration file in the Sandboxie installation folder, an attacker might create an empty configuration file in the Windows folder. This will effectively deactivate the protection the next time Sandboxie reads its configuration. This would happen because Sandboxie would switch to using the new empty configuration file, for which protection is not activated. Access to the configuration file: Adjust the permissions on the Sandboxie Ini configuration file to allow write access only to the SYSTEM account. 
Any other user account must still be able to read the configuration, so read access should be allowed to the user group Authenticated Users or Everyone .","title":"Configuration Protection"},{"location":"Content/ConfigurationProtection/#configuration-protection","text":"Initially, anyone using Sandboxie Control or the Sandman UI can change any aspect of the Sandboxie configuration, which is stored in the Sandboxie Ini configuration file. Additionally, anyone with access to the configuration text file can also manipulate the configuration and reload it into Sandboxie. It is possible to activate protection of Sandboxie Ini configuration file from unauthorized changes. Sandboxie offers four modes of protection: Only Administrator user accounts can make changes (See also: EditAdminOnly .) Password must be entered in order to make changes (See also: EditPassword .) Only Administrator user accounts can use Pause Forcing Programs command (See also: ForceDisableAdminOnly .) Clear password when main window becomes hidden (See also: ForgetPassword.) All modes can be active at the same time. The protection applies to the Global Settings , Sandbox Settings and Template Settings sections of the Sandboxie Ini configuration file. It does not apply to any User Settings sections, which store per-user preferences. To activate the protection in Sandboxie Control , use the Configure menu > Lock Configuration command. To activate the protection in Sandman , use the Options menu > Global Settings > Advanced Config > Sandboxie.ini Presets > Config Protection command. To prevent circumvention of the protection, please consider the following points: Placement of the configuration file: As discussed in the Sandboxie Ini page, Sandboxie looks for its configuration file in the Windows folder first, and in the Sandboxie installation folder second. The protection should be applied to a configuration file that is located in the Windows folder. 
If the protection is applied to the configuration file in the Sandboxie installation folder, an attacker might create an empty configuration file in the Windows folder. This will effectively deactivate the protection the next time Sandboxie reads its configuration. This would happen because Sandboxie would switch to using the new empty configuration file, for which protection is not activated. Access to the configuration file: Adjust the permissions on the Sandboxie Ini configuration file to allow write access only to the SYSTEM account. Any other user account must still be able to read the configuration, so read access should be allowed to the user group Authenticated Users or Everyone .","title":"Configuration Protection"},{"location":"Content/ConfigureMenu/","text":"Configure Menu Sandboxie Control > Configure Menu Program Alerts The Program Alerts command opens the following window in which you can configure Sandboxie to issue message SBIE1301 whenever specific programs start outside any sandbox. Use the Add Program button to open the Program Groups window and select a program to add. For example, iexplore.exe for Internet Explorer, or firefox.exe for Firefox. Alternatively, Internet Explorer is typically found in the folder C:\\Program Files\\Internet Explorer . Mozilla Firefox is typically found in the folder C:\\Program Files\\Mozilla Firefox . If the desired program is already running sandboxed, you can also use Program Settings to specify that message SBIE1301 should be issued for the program. Related Sandboxie Ini setting: AlertProcess . Windows Shell Integration The Windows Shell Integration command opens a window which controls how Sandboxie Control integrates into and associates itself with your Windows desktop. It can also be used to create desktop shortcut icons to run your programs sandboxed. By default, all settings in the window are enabled. 
The top frame indicates when Sandboxie Control should start: When Windows starts will integrate Sandboxie Control into the startup sequence When a sandboxed program starts will start Sandboxie Control (if it is not already running) when a sandboxed program starts. This applies to programs that are started explicitly through Sandboxie, such as when using the Run Sandboxed commands, or shortcuts created using Add Shortcut Icons (see below). It also applies to forced programs and forced folders . The middle frame deals with shortcut icons: Add desktop shortcut for starting Web browser under Sandboxie creates (when checked) or removes (when cleared) the Sandboxed Web Browser shortcut icon on your desktop. Add Quick Launch shortcut for starting Web browser under Sandboxie creates (when checked) or removes (when cleared) the Sandboxed Web Browser shortcut icons on your Quick Launch bar. The Quick Launch bar is typically adjacent to the Windows Start menu button. Add Shortcut Icons creates a shortcut icon on your desktop to run a specific program under the supervision of Sandboxie. The program is selected from the Sandboxie Start menu. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation, and they can be used to create desktop shortcuts. To remove desktop shortcuts created using Add Shortcut Icons , simply delete them from your desktop. The bottom frame controls \"right-click\" shell integration: Add right-click action \"Run Sandboxed\" to files and folders enables (when checked) or removes (when cleared) the Run Sandboxed option which appears when you click the right mouse button on a file or folder on your desktop or in Windows Explorer. 
Add sandboxes as targets for \"Send To\" action enables (when checked) or removes (when cleared) the available sandboxes as an option in the Send To action that appears when you click the right mouse button on a file or folder on your desktop or in Windows Explorer. If this setting is enabled, Sandboxie Control will automatically update the list of Send To targets whenever sandboxes are created or removed. Software Compatibility The Software Compatibility command opens a window with a list of available compatibility templates. Forget Hidden Messages Whenever Sandboxie Control displays one or more SBIE Messages , you have the option to hide future instances of the message. This is accomplished by highlighting and clicking the Hide command: Note that messages are filtered by message code alone. For instance, the picture above shows message SBIE1304 with information detail osk.exe . Hiding that message will hide all future instances of message SBIE1304, regardless of the information detail. The Forget Hidden Messages command tells Sandboxie to stop filtering messages, and resume the display of all SBIExxxx messages that occurs. Tips When Sandboxie Control displays a warning or notification message box, it usually includes a checkbox labeled In the future, don't show this message. If you mark the checkbox, that particular message will not be displayed again. The Show All Tips command tells Sandboxie to disregard any such use of the checkboxes, and resume displaying of all warnings and notifications. The Hide All Tips command tells Sandboxie to consider all checkboxes as checked, and not display any warnings or notifications. Lock Configuration Please see Configuration Protection . Edit Configuration Opens the system text editor (typically, Windows Notepad ) to edit the Sandboxie Ini configuration file. The Reload Configuration command will be automatically invoked when the editor is closed. Note: Manual editing of Sandboxie.ini is not recommended. 
You are advised to use Sandbox Settings and other configuration windows in Sandboxie Control to make any changes to the configuration of Sandboxie. Note: The Sandboxie Ini configuration file is usually located in the Windows folder, and cannot be modified by non-privileged user accounts. If you use Windows with User Account Control (UAC), you may have to elevate to an Administrator account before you can modify Sandboxie.ini. Reload Configuration Forces Sandboxie to reload its configuration from the Sandboxie Ini configuration file. Go to Sandboxie Control , Help Topics .","title":"Configure Menu"},{"location":"Content/ConfigureMenu/#configure-menu","text":"Sandboxie Control > Configure Menu","title":"Configure Menu"},{"location":"Content/ConfigureMenu/#program-alerts","text":"The Program Alerts command opens the following window in which you can configure Sandboxie to issue message SBIE1301 whenever specific programs start outside any sandbox. Use the Add Program button to open the Program Groups window and select a program to add. For example, iexplore.exe for Internet Explorer, or firefox.exe for Firefox. Alternatively, Internet Explorer is typically found in the folder C:\\Program Files\\Internet Explorer . Mozilla Firefox is typically found in the folder C:\\Program Files\\Mozilla Firefox . If the desired program is already running sandboxed, you can also use Program Settings to specify that message SBIE1301 should be issued for the program. Related Sandboxie Ini setting: AlertProcess .","title":"Program Alerts"},{"location":"Content/ConfigureMenu/#windows-shell-integration","text":"The Windows Shell Integration command opens a window which controls how Sandboxie Control integrates into and associates itself with your Windows desktop. It can also be used to create desktop shortcut icons to run your programs sandboxed. By default, all settings in the window are enabled. 
The top frame indicates when Sandboxie Control should start: When Windows starts will integrate Sandboxie Control into the startup sequence When a sandboxed program starts will start Sandboxie Control (if it is not already running) when a sandboxed program starts. This applies to programs that are started explicitly through Sandboxie, such as when using the Run Sandboxed commands, or shortcuts created using Add Shortcut Icons (see below). It also applies to forced programs and forced folders . The middle frame deals with shortcut icons: Add desktop shortcut for starting Web browser under Sandboxie creates (when checked) or removes (when cleared) the Sandboxed Web Browser shortcut icon on your desktop. Add Quick Launch shortcut for starting Web browser under Sandboxie creates (when checked) or removes (when cleared) the Sandboxed Web Browser shortcut icons on your Quick Launch bar. The Quick Launch bar is typically adjacent to the Windows Start menu button. Add Shortcut Icons creates a shortcut icon on your desktop to run a specific program under the supervision of Sandboxie. The program is selected from the Sandboxie Start menu. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation, and they can be used to create desktop shortcuts. To remove desktop shortcuts created using Add Shortcut Icons , simply delete them from your desktop. The bottom frame controls \"right-click\" shell integration: Add right-click action \"Run Sandboxed\" to files and folders enables (when checked) or removes (when cleared) the Run Sandboxed option which appears when you click the right mouse button on a file or folder on your desktop or in Windows Explorer. 
Add sandboxes as targets for \"Send To\" action enables (when checked) or removes (when cleared) the available sandboxes as an option in the Send To action that appears when you click the right mouse button on a file or folder on your desktop or in Windows Explorer. If this setting is enabled, Sandboxie Control will automatically update the list of Send To targets whenever sandboxes are created or removed.","title":"Windows Shell Integration"},{"location":"Content/ConfigureMenu/#software-compatibility","text":"The Software Compatibility command opens a window with a list of available compatibility templates.","title":"Software Compatibility"},{"location":"Content/ConfigureMenu/#forget-hidden-messages","text":"Whenever Sandboxie Control displays one or more SBIE Messages , you have the option to hide future instances of the message. This is accomplished by highlighting and clicking the Hide command: Note that messages are filtered by message code alone. For instance, the picture above shows message SBIE1304 with information detail osk.exe . Hiding that message will hide all future instances of message SBIE1304, regardless of the information detail. The Forget Hidden Messages command tells Sandboxie to stop filtering messages, and resume the display of all SBIExxxx messages that occurs.","title":"Forget Hidden Messages"},{"location":"Content/ConfigureMenu/#tips","text":"When Sandboxie Control displays a warning or notification message box, it usually includes a checkbox labeled In the future, don't show this message. If you mark the checkbox, that particular message will not be displayed again. The Show All Tips command tells Sandboxie to disregard any such use of the checkboxes, and resume displaying of all warnings and notifications. 
The Hide All Tips command tells Sandboxie to consider all checkboxes as checked, and not display any warnings or notifications.","title":"Tips"},{"location":"Content/ConfigureMenu/#lock-configuration","text":"Please see Configuration Protection .","title":"Lock Configuration"},{"location":"Content/ConfigureMenu/#edit-configuration","text":"Opens the system text editor (typically, Windows Notepad ) to edit the Sandboxie Ini configuration file. The Reload Configuration command will be automatically invoked when the editor is closed. Note: Manual editing of Sandboxie.ini is not recommended. You are advised to use Sandbox Settings and other configuration windows in Sandboxie Control to make any changes to the configuration of Sandboxie. Note: The Sandboxie Ini configuration file is usually located in the Windows folder, and cannot be modified by non-privileged user accounts. If you use Windows with User Account Control (UAC), you may have to elevate to an Administrator account before you can modify Sandboxie.ini.","title":"Edit Configuration"},{"location":"Content/ConfigureMenu/#reload-configuration","text":"Forces Sandboxie to reload its configuration from the Sandboxie Ini configuration file. Go to Sandboxie Control , Help Topics .","title":"Reload Configuration"},{"location":"Content/CopyLimitKb/","text":"Copy Limit Kb CopyLimitKb is a sandbox setting in Sandboxie Ini . Existing files that are modified by sandboxed programs have to be copied into the sandbox first. This setting specifies the file size limit for this copy operation. Files larger than the limit will not be copied into the sandbox, and cannot be modified by sandboxd programs. The limit is specified in units of kilobytes (1 kilobyte = 1024 bytes). For more information, see SBIE2102 . Usage: . . . [DefaultBox] CopyLimitKb=128000 This example specifies that only files smaller than (approx.) 128MB will be copied into the sandbox DefaultBox , when needed. 
Files larger than this limit can only be read, not updated, by sandboxed programs. The default setting is 49152 kilobytes, or 48 megabytes. Setting CopyLimitKb to some value for one sandbox does not change the default value for other sandboxes. The size limit and alert message can be configured in SandboxSettings > File Migration . Related Sandboxie Ini setting: CopyLimitSilent","title":"Copy Limit Kb"},{"location":"Content/CopyLimitKb/#copy-limit-kb","text":"CopyLimitKb is a sandbox setting in Sandboxie Ini . Existing files that are modified by sandboxed programs have to be copied into the sandbox first. This setting specifies the file size limit for this copy operation. Files larger than the limit will not be copied into the sandbox, and cannot be modified by sandboxd programs. The limit is specified in units of kilobytes (1 kilobyte = 1024 bytes). For more information, see SBIE2102 . Usage: . . . [DefaultBox] CopyLimitKb=128000 This example specifies that only files smaller than (approx.) 128MB will be copied into the sandbox DefaultBox , when needed. Files larger than this limit can only be read, not updated, by sandboxed programs. The default setting is 49152 kilobytes, or 48 megabytes. Setting CopyLimitKb to some value for one sandbox does not change the default value for other sandboxes. The size limit and alert message can be configured in SandboxSettings > File Migration . Related Sandboxie Ini setting: CopyLimitSilent","title":"Copy Limit Kb"},{"location":"Content/CopyLimitSilent/","text":"Copy Limit Silent CopyLimitSilent is a sandbox setting in Sandboxie Ini . It is typically specified as CopyLimitSilent=y (see Yes Or No Settings ), and indicates that Sandboxie should not issue alert message SBIE2102 . Usage: . . . [DefaultBox] CopyLimitSilent=y Related Sandboxie Ini setting: CopyLimitKb .","title":"Copy Limit Silent"},{"location":"Content/CopyLimitSilent/#copy-limit-silent","text":"CopyLimitSilent is a sandbox setting in Sandboxie Ini . 
It is typically specified as CopyLimitSilent=y (see Yes Or No Settings ), and indicates that Sandboxie should not issue alert message SBIE2102 . Usage: . . . [DefaultBox] CopyLimitSilent=y Related Sandboxie Ini setting: CopyLimitKb .","title":"Copy Limit Silent"},{"location":"Content/CoverBoxedWindows/","text":"Cover Boxed Windows CoverBoxedWindows is a sandbox setting in Sandboxie Ini available since v1.13.6 / 5.68.6. If enabled, it will block host processes from taking screenshots of sandboxed processes. . . . [DefaultBox] CoverBoxedWindows=y A setting similar to CoverBoxedWindows is BlockScreenCapture . Related Sandboxie Plus setting: Sandbox Options > Security Options > Box Protection > Prevent processes from capturing window images from sandboxed windows","title":"Cover Boxed Windows"},{"location":"Content/CoverBoxedWindows/#cover-boxed-windows","text":"CoverBoxedWindows is a sandbox setting in Sandboxie Ini available since v1.13.6 / 5.68.6. If enabled, it will block host processes from taking screenshots of sandboxed processes. . . . [DefaultBox] CoverBoxedWindows=y A setting similar to CoverBoxedWindows is BlockScreenCapture . Related Sandboxie Plus setting: Sandbox Options > Security Options > Box Protection > Prevent processes from capturing window images from sandboxed windows","title":"Cover Boxed Windows"},{"location":"Content/Delete-V2/","text":"Sandboxie's new filesystem and registry virtualization scheme can be enabled by adding UseFileDeleteV2=y and UseRegDeleteV2=y to the Sandboxie.ini, which changes the mechanism of how host files/keys are marked within the sandbox as deleted. The old scheme worked by creating a dummy file/key with a specified invalid creation date and marking the file/key as deleted. This scheme did fail when a folder/key containing \u201cdeleted\u201d items was moved and a new folder of the same name created. 
Furthermore, for every path access it required the entire parent path to be scanned to see if one of the parents hasn\u2019t been marked deleted. The new Scheme saves this information in the FilePaths.dat/KeyPaths.dat files in the box root. Furthermore, when a folder/key is renamed within the sandbox, a redirection entry is created such that listing of the host content in the box under the new location is working.","title":"Delete V2"},{"location":"Content/DeleteCommand/","text":"Delete Command DeleteCommand is a sandbox setting in Sandboxie Ini . It specifies the command to issue to physically delete the contents of the sandbox. Its primary purpose is to make it possible to plug a third-party secure deletion utility into Sandboxie. See Secure Delete Sandbox . Usage: . . . [DefaultBox] DeleteCommand=%SystemRoot%\\System32\\cmd.exe /c RMDIR /s /q \"%SANDBOX%\" The example is the default setting used when DeleteCommand is not explicitly specified, and invokes the Windows RMDIR command to remove the sandbox folder. For more examples, see Secure Delete Sandbox . When specifying this setting, make sure to include \"%SANDBOX%\" (with quote marks) in the command. Note: Secure deletion is a privacy measure, not a security measure. Both regular deletion and secure deletion effectively remove undesired software that was collected into the sandbox. See Secure Delete Sandbox . Related Sandboxie Control setting: Sandbox Settings > Delete > Command","title":"Delete Command"},{"location":"Content/DeleteCommand/#delete-command","text":"DeleteCommand is a sandbox setting in Sandboxie Ini . It specifies the command to issue to physically delete the contents of the sandbox. Its primary purpose is to make it possible to plug a third-party secure deletion utility into Sandboxie. See Secure Delete Sandbox . Usage: . . . 
[DefaultBox] DeleteCommand=%SystemRoot%\\System32\\cmd.exe /c RMDIR /s /q \"%SANDBOX%\" The example is the default setting used when DeleteCommand is not explicitly specified, and invokes the Windows RMDIR command to remove the sandbox folder. For more examples, see Secure Delete Sandbox . When specifying this setting, make sure to include \"%SANDBOX%\" (with quote marks) in the command. Note: Secure deletion is a privacy measure, not a security measure. Both regular deletion and secure deletion effectively remove undesired software that was collected into the sandbox. See Secure Delete Sandbox . Related Sandboxie Control setting: Sandbox Settings > Delete > Command","title":"Delete Command"},{"location":"Content/DeleteSandbox/","text":"Delete Sandbox Sandboxie Control > Sandbox Menu > Delete Contents Sandboxie Control > Tray Icon Menu > Delete Contents The Delete Sandbox window appears when the sandbox is about to be deleted. The window is split into two areas: The upper part (about 3/4 of the window) shows the Quick Recovery display and controls, and operates in the same way as the Quick Recovery window. See Quick Recovery for more information. The lower part counts the size of the sandbox (in files, folders, and bytes of disk space) and contains the Delete Sandbox button which initiates delete processing for the sandbox. The window is displayed when the Sandbox Menu > Sandbox > Delete Contents command (or the corresponding command from the Tray Icon Menu ) is invoked. The window is also displayed if the sandbox is configured for automatic delete (see Sandbox Settings > Delete > Invocation ), and any files are eligible for Quick Recovery . Note that if no files are eligible, the sandbox is deleted silently, without displaying the Delete Sandbox window. Note that the Delete Sandbox command terminates any programs that are running in the sandbox and initiates the delete process. 
An empty sandbox will be immediately available to run programs as soon as you click the Delete Sandbox button. While the delete process is undergoing on the old sandbox, the Sandboxie tray icon changes to a red X icon to indicate that sandbox delete is in progress. In correct operation, the red X icon should not remain displayed for more than a few seconds. Go to Quick Recovery , Sandboxie Control , Help Topics .","title":"Delete Sandbox"},{"location":"Content/DeleteSandbox/#delete-sandbox","text":"Sandboxie Control > Sandbox Menu > Delete Contents Sandboxie Control > Tray Icon Menu > Delete Contents The Delete Sandbox window appears when the sandbox is about to be deleted. The window is split into two areas: The upper part (about 3/4 of the window) shows the Quick Recovery display and controls, and operates in the same way as the Quick Recovery window. See Quick Recovery for more information. The lower part counts the size of the sandbox (in files, folders, and bytes of disk space) and contains the Delete Sandbox button which initiates delete processing for the sandbox. The window is displayed when the Sandbox Menu > Sandbox > Delete Contents command (or the corresponding command from the Tray Icon Menu ) is invoked. The window is also displayed if the sandbox is configured for automatic delete (see Sandbox Settings > Delete > Invocation ), and any files are eligible for Quick Recovery . Note that if no files are eligible, the sandbox is deleted silently, without displaying the Delete Sandbox window. Note that the Delete Sandbox command terminates any programs that are running in the sandbox and initiates the delete process. An empty sandbox will be immediately available to run programs as soon as you click the Delete Sandbox button. While the delete process is undergoing on the old sandbox, the Sandboxie tray icon changes to a red X icon to indicate that sandbox delete is in progress. 
In correct operation, the red X icon should not remain displayed for more than a few seconds. Go to Quick Recovery , Sandboxie Control , Help Topics .","title":"Delete Sandbox"},{"location":"Content/DeleteSettings/","text":"Delete Settings \"Delete\" Settings Group Sandboxie Control > Sandbox Settings > Delete: Here you configure when and how Sandboxie deletes the sandbox. Invocation Sandboxie Control > Sandbox Settings > Delete > Invocation: Use this settings page to indicate when you want the sandbox deleted: Deleted only by explicit request: Keep both checkboxes cleared Deleted regularly and automatically: Mark the first checkbox Never deleted: Mark the second checkbox Note that while both checkboxes can be cleared, only one checkbox can be marked at any time. As long as the second checkbox is marked, Sandboxie will not initiate any delete operation on the sandbox, even if you explicitly ask for it. Important: This does not protect the sandbox from being deleted by other programs. Related Sandboxie Ini settings: AutoDelete , NeverDelete , DeleteCommand . Command Sandboxie Control > Sandbox Settings > Delete > Command: Use this settings page to specify the system command that will be used to delete the sandbox. By default this is a simple RMDIR (remove directory) command. People who are concerned with privacy issues may choose to use secure deletion instead, as described in more detail in Secure Delete Sandbox . You can use the buttons to select a preset command. The RMDIR button selects the simple RMDIR noted above. The SDelete button uses SDelete by SysInternals/Microsoft to delete the contents of sandbox. Note that you will need to adjust the path to the command. 
The Eraserl button uses Eraser by Heidi Computers to delete the contents of sandbox.","title":"Delete Settings"},{"location":"Content/DeleteSettings/#delete-settings","text":"","title":"Delete Settings"},{"location":"Content/DeleteSettings/#delete-settings-group","text":"Sandboxie Control > Sandbox Settings > Delete: Here you configure when and how Sandboxie deletes the sandbox.","title":"\"Delete\" Settings Group"},{"location":"Content/DeleteSettings/#invocation","text":"Sandboxie Control > Sandbox Settings > Delete > Invocation: Use this settings page to indicate when you want the sandbox deleted: Deleted only by explicit request: Keep both checkboxes cleared Deleted regularly and automatically: Mark the first checkbox Never deleted: Mark the second checkbox Note that while both checkboxes can be cleared, only one checkbox can be marked at any time. As long as the second checkbox is marked, Sandboxie will not initiate any delete operation on the sandbox, even if you explicitly ask for it. Important: This does not protect the sandbox from being deleted by other programs. Related Sandboxie Ini settings: AutoDelete , NeverDelete , DeleteCommand .","title":"Invocation"},{"location":"Content/DeleteSettings/#command","text":"Sandboxie Control > Sandbox Settings > Delete > Command: Use this settings page to specify the system command that will be used to delete the sandbox. By default this is a simple RMDIR (remove directory) command. People who are concerned with privacy issues may choose to use secure deletion instead, as described in more detail in Secure Delete Sandbox . You can use the buttons to select a preset command. The RMDIR button selects the simple RMDIR noted above. The SDelete button uses SDelete by SysInternals/Microsoft to delete the contents of sandbox. Note that you will need to adjust the path to the command. 
The Eraserl button uses Eraser by Heidi Computers to delete the contents of sandbox.","title":"Command"},{"location":"Content/DeprecatedSandboxieIniSettings/","text":"Deprecated/Obsolete/Removed Sandboxie Ini Settings The following settings are deprecated, obsolete or removed: BlockDrivers (removed before the open source release) BlockFakeInput (removed before the open source release) BlockPassword (obsolete) BlockPort (removed) BlockSysParam (removed before the open source release) BlockWinHooks (removed before the open source release) BoxRootFolder (deprecated) ByteOrderMark (removed) ProcessLimit1 (removed) ProcessLimit2 (removed)","title":"Deprecated/Obsolete/Removed Sandboxie Ini Settings"},{"location":"Content/DeprecatedSandboxieIniSettings/#deprecatedobsoleteremoved-sandboxie-ini-settings","text":"The following settings are deprecated, obsolete or removed: BlockDrivers (removed before the open source release) BlockFakeInput (removed before the open source release) BlockPassword (obsolete) BlockPort (removed) BlockSysParam (removed before the open source release) BlockWinHooks (removed before the open source release) BoxRootFolder (deprecated) ByteOrderMark (removed) ProcessLimit1 (removed) ProcessLimit2 (removed)","title":"Deprecated/Obsolete/Removed Sandboxie Ini Settings"},{"location":"Content/Description/","text":"Description Description is a sandbox settings in Sandboxie Ini . It specifies free text, which can explain, for example, the purpose of the sandbox. . . . [DefaultBox] Description=Example text. . . . [PrivateBox] Description=Access denied to sensitive file locations ClosedFilePath=%Personal% ClosedFilePath=D:\\MyDocs The sequence in the text is used to indicate a line break. The free text is displayed in a balloon pop-up in the Run Sandboxed sandbox selection dialog box.","title":"Description"},{"location":"Content/Description/#description","text":"Description is a sandbox settings in Sandboxie Ini . 
It specifies free text, which can explain, for example, the purpose of the sandbox. . . . [DefaultBox] Description=Example text. . . . [PrivateBox] Description=Access denied to sensitive file locations ClosedFilePath=%Personal% ClosedFilePath=D:\\MyDocs The sequence in the text is used to indicate a line break. The free text is displayed in a balloon pop-up in the Run Sandboxed sandbox selection dialog box.","title":"Description"},{"location":"Content/DetectingKeyLoggers/","text":"Detecting Key Loggers Go to Help Topics , Usage Tips . Overview It is very difficult to reliably detect all classes of key-loggers. This section first explains why this is so, and concludes by offering a possible defense against them. First, a distinction must be made between several classes of key-loggers: external key-loggers rootkit key-loggers windows hook key-loggers windows message key-loggers scripted key-loggers External Key-Loggers External (or hardware) key-loggers are devices that connect to your computer in some way. Two examples are a small device plugged between the keyboard and the computer, or a device that snoops on radio signals transmitted by a wireless keyboard. The common principle of key-loggers in this class is that they are external to the Windows system on which they are spying. Software running within Windows cannot detect, remove or protect against external key-loggers. The other classes of key-loggers described here are software key-loggers which do operate within Windows. Rootkit Key-Loggers Rootkit key-loggers record keystrokes at the lowest software level, typically by positioning themselves as a second keyboard hardware driver (a filter driver, in Windows terminology). Once installed, this class of key-loggers may provide the best logging facilities, and may be difficult to get rid of. But to be installed in the first place, this key-logger needs the explicit help of the operating system, and so is easily blocked by Sandboxie. 
If such a key-logger attempts to install, Sandboxie should report an informational message SBIE2103 , unless the BlockDrivers setting (see also Sandbox Settings > Restrictions > Low-Level Access ) was explicitly used to disable this protection. Windows Hook Key-Loggers These key-loggers don't masquerade as hardware drivers, but they still have to ask the operating system to load them (or hook them ) into every program executing on the desktop. It is not uncommon for applications to install such hooks as part of normal operation, and blocking all of them would prevent some programs from running successfully inside the sandbox. Removed From Sandboxie - Block Hooks Command The approach Sandboxie takes is to honor the hook request partially, by applying the hook only to applications in the same sandbox as the requesting application. The BlockWinHooks setting (see also Sandbox Settings > Restrictions > Low-Level Access ) may be used to explicitly disable this protection. Windows Message Key-Loggers This class of key-loggers doesn't need any assistance from the operating system, and can only reliably record activity within one program. However, from the point of view of a supervisory program like Sandboxie, they don't do anything suspicious, and so cannot be stopped. In order for a program running on the desktop to actually process the keyboard input, the operating system sends that program a message describing the input. The message key-logger, which is likely running in the same process space as the program being logged, can snoop on these messages in a variety of ways, which don't raise suspicion. Typically this key-logger will be a secret Web browser plugin (or a secret component of a plugin), so it can easily record keyboard activity related to the Web browser. Scripted Key-Loggers This class of key-loggers target and compromise the Web site you will be visiting. 
This is in contrast to the three other forms of key-loggers discussed here, which target and compromise your own computer. The JavaScript and VBScript languages offer facilities for a Web page to react to keystrokes. Legitimate uses of these facilities enable the creation of sophisticated Web pages. For example, consider how Google and Yahoo! searches react to the keys you type in order to suggest a possible search string. Exploiting security weaknesses in a Web site, a spy embeds a scripted key-logger into one of the pages in the site. These key-logger are practically indistinguishable from other scripts on the same site, and can use the same script facilities to react to your keystrokes, record them or transmit them to a third-party site. Defending Against Key-Logger Sandboxie is not designed to detect or disable key-loggers, but it is designed to make sure that sandboxed software stays in the sandbox, that such software can't integrate into Windows, and that it can be completely discarded when you delete the sandbox. This means that if you take care to carry out all untrusted activity in the sandbox, you can always delete the sandbox to undo the effects of that activity, and restore your computer to a trusted state. The first step is to make sure your system is not infected by malicious key-loggers, prior to using Sandboxie. A system scan by an anti-virus or anti-malware tool should help here. Then carry out all untrusted activity -- such as browsing the Web, reading email, and testing unknown programs -- only in the restricted area of the sandbox. This doesn't mean you won't be infected by key-loggers, but it does mean you can get rid of them: You can make sure you stop all of them, by telling Sandboxie to stop all activity in all sandboxes. See also the Terminate All Programs command in the File Menu and the Tray Icon Menu . Once stopped, you can discard the traces of their program code, by deleting the contents of the sandbox. See also Delete Sandbox . 
Once discarded, they can no longer record your keyboard activity, and you are safe to browse to trusted sites and enter your passwords. Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection. Another protection measure against a key-logger is to configure Sandboxie to deny access to the Internet for anything other than your Web browser, in an attempt to prevent the key-logger from sending out the recorded information. See the setting for \"the only program that can access the Internet\" in Program Settings . Note two caveats: The Internet access feature is neither a replacement for a proper firewall, nor was it designed as a mechanism to counter or hinder key-loggers. Some key-loggers could possibly circumvent the Internet access restriction by hijacking the Web browser to be used as a vehicle through which to send out the recorded information. Go to Help Topics , Usage Tips .","title":"Detecting Key Loggers"},{"location":"Content/DetectingKeyLoggers/#detecting-key-loggers","text":"Go to Help Topics , Usage Tips .","title":"Detecting Key Loggers"},{"location":"Content/DetectingKeyLoggers/#overview","text":"It is very difficult to reliably detect all classes of key-loggers. This section first explains why this is so, and concludes by offering a possible defense against them. First, a distinction must be made between several classes of key-loggers: external key-loggers rootkit key-loggers windows hook key-loggers windows message key-loggers scripted key-loggers","title":"Overview"},{"location":"Content/DetectingKeyLoggers/#external-key-loggers","text":"External (or hardware) key-loggers are devices that connect to your computer in some way. 
Two examples are a small device plugged between the keyboard and the computer, or a device that snoops on radio signals transmitted by a wireless keyboard. The common principle of key-loggers in this class is that they are external to the Windows system on which they are spying. Software running within Windows cannot detect, remove or protect against external key-loggers. The other classes of key-loggers described here are software key-loggers which do operate within Windows.","title":"External Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#rootkit-key-loggers","text":"Rootkit key-loggers record keystrokes at the lowest software level, typically by positioning themselves as a second keyboard hardware driver (a filter driver, in Windows terminology). Once installed, this class of key-loggers may provide the best logging facilities, and may be difficult to get rid of. But to be installed in the first place, this key-logger needs the explicit help of the operating system, and so is easily blocked by Sandboxie. If such a key-logger attempts to install, Sandboxie should report an informational message SBIE2103 , unless the BlockDrivers setting (see also Sandbox Settings > Restrictions > Low-Level Access ) was explicitly used to disable this protection.","title":"Rootkit Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#windows-hook-key-loggers","text":"These key-loggers don't masquerade as hardware drivers, but they still have to ask the operating system to load them (or hook them ) into every program executing on the desktop. It is not uncommon for applications to install such hooks as part of normal operation, and blocking all of them would prevent some programs from running successfully inside the sandbox. Removed From Sandboxie - Block Hooks Command The approach Sandboxie takes is to honor the hook request partially, by applying the hook only to applications in the same sandbox as the requesting application. 
The BlockWinHooks setting (see also Sandbox Settings > Restrictions > Low-Level Access ) may be used to explicitly disable this protection.","title":"Windows Hook Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#windows-message-key-loggers","text":"This class of key-loggers doesn't need any assistance from the operating system, and can only reliably record activity within one program. However, from the point of view of a supervisory program like Sandboxie, they don't do anything suspicious, and so cannot be stopped. In order for a program running on the desktop to actually process the keyboard input, the operating system sends that program a message describing the input. The message key-logger, which is likely running in the same process space as the program being logged, can snoop on these messages in a variety of ways, which don't raise suspicion. Typically this key-logger will be a secret Web browser plugin (or a secret component of a plugin), so it can easily record keyboard activity related to the Web browser.","title":"Windows Message Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#scripted-key-loggers","text":"This class of key-loggers target and compromise the Web site you will be visiting. This is in contrast to the three other forms of key-loggers discussed here, which target and compromise your own computer. The JavaScript and VBScript languages offer facilities for a Web page to react to keystrokes. Legitimate uses of these facilities enable the creation of sophisticated Web pages. For example, consider how Google and Yahoo! searches react to the keys you type in order to suggest a possible search string. Exploiting security weaknesses in a Web site, a spy embeds a scripted key-logger into one of the pages in the site. 
These key-logger are practically indistinguishable from other scripts on the same site, and can use the same script facilities to react to your keystrokes, record them or transmit them to a third-party site.","title":"Scripted Key-Loggers"},{"location":"Content/DetectingKeyLoggers/#defending-against-key-logger","text":"Sandboxie is not designed to detect or disable key-loggers, but it is designed to make sure that sandboxed software stays in the sandbox, that such software can't integrate into Windows, and that it can be completely discarded when you delete the sandbox. This means that if you take care to carry out all untrusted activity in the sandbox, you can always delete the sandbox to undo the effects of that activity, and restore your computer to a trusted state. The first step is to make sure your system is not infected by malicious key-loggers, prior to using Sandboxie. A system scan by an anti-virus or anti-malware tool should help here. Then carry out all untrusted activity -- such as browsing the Web, reading email, and testing unknown programs -- only in the restricted area of the sandbox. This doesn't mean you won't be infected by key-loggers, but it does mean you can get rid of them: You can make sure you stop all of them, by telling Sandboxie to stop all activity in all sandboxes. See also the Terminate All Programs command in the File Menu and the Tray Icon Menu . Once stopped, you can discard the traces of their program code, by deleting the contents of the sandbox. See also Delete Sandbox . Once discarded, they can no longer record your keyboard activity, and you are safe to browse to trusted sites and enter your passwords. Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection. 
Another protection measure against a key-logger is to configure Sandboxie to deny access to the Internet for anything other than your Web browser, in an attempt to prevent the key-logger from sending out the recorded information. See the setting for \"the only program that can access the Internet\" in Program Settings . Note two caveats: The Internet access feature is neither a replacement for a proper firewall, nor was it designed as a mechanism to counter or hinder key-loggers. Some key-loggers could possibly circumvent the Internet access restriction by hijacking the Web browser to be used as a vehicle through which to send out the recorded information. Go to Help Topics , Usage Tips .","title":"Defending Against Key-Logger"},{"location":"Content/DisableRTBlacklist/","text":"Disable RT Blacklist DisableRTBlacklist is a sandbox setting in Sandboxie Ini available since v1.0.7 / 5.55.7. This setting allows you to disable the hardcoded runtime class blacklist. Usage: . . . [DefaultBox] DisableRTBlacklist=y","title":"Disable RT Blacklist"},{"location":"Content/DisableRTBlacklist/#disable-rt-blacklist","text":"DisableRTBlacklist is a sandbox setting in Sandboxie Ini available since v1.0.7 / 5.55.7. This setting allows you to disable the hardcoded runtime class blacklist. Usage: . . . [DefaultBox] DisableRTBlacklist=y","title":"Disable RT Blacklist"},{"location":"Content/DropAdminRights/","text":"Drop Admin Rights DropAdminRights is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will strip Administrator rights from programs running in this sandbox. Usage: . . . [DefaultBox] DropAdminRights=y The setting in this page causes Sandboxie to strip administrative rights from programs running in this sandbox. Specifically, the security credentials used to start the sandboxed program will not include membership in the Administrators and Power Users groups. Note that this has little effect if you are already running under a non-Administrator user account. 
Related Sandboxie Control setting: Sandbox Settings > Restrictions > Drop Rights","title":"Drop Admin Rights"},{"location":"Content/DropAdminRights/#drop-admin-rights","text":"DropAdminRights is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will strip Administrator rights from programs running in this sandbox. Usage: . . . [DefaultBox] DropAdminRights=y The setting in this page causes Sandboxie to strip administrative rights from programs running in this sandbox. Specifically, the security credentials used to start the sandboxed program will not include membership in the Administrators and Power Users groups. Note that this has little effect if you are already running under a non-Administrator user account. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Drop Rights","title":"Drop Admin Rights"},{"location":"Content/EditAdminOnly/","text":"Edit Admin Only EditAdminOnly is a global setting in Sandboxie Ini . If specified, Sandboxie Control or Sandman running under user accounts which are not members of the Administrators group will not be able to make any configuration changes in the global settings section or any sandbox section. However, even in that case, they will still be able to make changes in the user settings section. Usage: . . . [GlobalSettings] EditAdminOnly=y This setting is designed for use by network administrators.","title":"Edit Admin Only"},{"location":"Content/EditAdminOnly/#edit-admin-only","text":"EditAdminOnly is a global setting in Sandboxie Ini . If specified, Sandboxie Control or Sandman running under user accounts which are not members of the Administrators group will not be able to make any configuration changes in the global settings section or any sandbox section. However, even in that case, they will still be able to make changes in the user settings section. Usage: . . . 
[GlobalSettings] EditAdminOnly=y This setting is designed for use by network administrators.","title":"Edit Admin Only"},{"location":"Content/EditPassword/","text":"Edit Password EditPassword is a global setting in Sandboxie Ini . It is managed by the Sandboxie service and specifies a 160-bit SHA1 hash generated from the configuration password. Usage: . . . [GlobalSettings] EditPassword=0D03090004070E09050C0A010100000108010B03 When the Sandboxie Ini configuration file includes this setting, the Sandboxie service will keep the configuration file permanently locked, in order to prevent unauthorized modifications. See also: Configuration Protection .","title":"Edit Password"},{"location":"Content/EditPassword/#edit-password","text":"EditPassword is a global setting in Sandboxie Ini . It is managed by the Sandboxie service and specifies a 160-bit SHA1 hash generated from the configuration password. Usage: . . . [GlobalSettings] EditPassword=0D03090004070E09050C0A010100000108010B03 When the Sandboxie Ini configuration file includes this setting, the Sandboxie service will keep the configuration file permanently locked, in order to prevent unauthorized modifications. See also: Configuration Protection .","title":"Edit Password"},{"location":"Content/EmailProtection/","text":"Email Protection For a shorter version of this discussion, see FAQ Email . It is not uncommon to receive virus in an email message. Traditionally, your anti-virus and anti-spyware software works with your email software to identify malicious software as soon as it is received, or at least, as soon as it begins to execute in your computer. That works well for well-known viruses and spyware, but leaves you vulnerable to zero-day exploits , that is, vulnerable to malicious software that is not yet properly identified by the security software. Sandboxie offers another approach. 
If you run your email reader program sandboxed under the control of Sandboxie, this protection will also extend to any software spawned by the email reader, such as viruses and spyware, thus severely limiting the effects of the malicious software on your computer. For example, suppose you get an email message with the a virus that presents itself as an attachment called Click_Me_For_Best_Joke_Ever.exe . Suppose you don't know this is a virus, and further suppose that your anti-virus has not yet been updated to identify this particular virus. You click the attachment, and it delivers the best joke ever, but it also secretly installs malicious software. This example may not specifically name any known virus, but it is not at all farfetched. Quoting Wikipedia on Malware : \"Since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for illicit purposes ...\" See also: Construction (from Wikipedia) . If you run your email program sandboxed, then Click_Me_For_Best_Joke_Ever.exe also runs sandboxed, and any changes it makes to the computer, or software it installs, will be confined to the sandbox. These changes will be discarded in their entirety as soon as you delete the sandbox. Sandboxie is not an anti-virus, and will neither identify or warn about viruses. However, Sandboxie treats all software it runs as potentially malicious software which cannot be trusted, and will not let any program -- malicious or legitimate -- to break out of the sandbox and make permanent changes to your computer. Note that the virus itself, in its original form as an email attachment, will remain in your mailbox even after you delete the sandbox. However, a computer virus is a piece of software, not a living creature: It cannot cause any harm your computer by merely being stored in your mailbox. It must be invoked before it can cause harm. 
Thus if you always run your email program sandboxed, the worst that can happen is that you will rerun the virus inside the sandbox, and then delete the sandbox again. Eventually, your anti-virus will be updated to identify this attachment as malicious software. The following section is concerned with configuring the use of email software with Sandboxie. You may access your email online via a Web browser running under Sandboxie, as is the case with Hotmail, Yahoo! or Gmail, to name three of the many Web mail services. In that case, no special configuration is necessary, and the following section is not relevant. The Sandboxie protection comes at a small cost: You should always keep in mind that Sandboxie considers all content created within the sandbox as discardable content. This means for example, that a malicious program installed by a virus is placed in the sandbox and considered discardable. But it also means that if you save an email message to a file, then that file is also put in the sandbox and will be discarded when the sandbox is deleted. And most importantly, this means that Sandboxie will treat incoming new mail as discardable content. For this reason, you must configure Sandboxie to treat your mailbox data files as trusted content, or you stand to lose important information. To protect against accidental loss of data, Sandboxie will issue message SBIE2212 if you run your email program without first properly configuring Sandboxie. Sandboxie offers easy configuration for most popular email reader programs. See Sandbox Settings > Applications > Email Reader . You may also need to tell Sandboxie where your mailbox data files reside, in the following cases: If your mailbox resides in a non-default or non-standard location. If you use the Eudora or The-Bat! email software. To do that, open Sandbox Settings > Applications > Folders , select your email software from the drop-down list, and then select a folder location to be associated with it. 
After completing the email configuration, you may want to test it, to make sure that even when running under Sandboxie, new emails are not lost when you delete the sandbox. To do that, follow the steps outlined in Test Email Configuration .","title":"Email Protection"},{"location":"Content/EmailProtection/#email-protection","text":"For a shorter version of this discussion, see FAQ Email . It is not uncommon to receive virus in an email message. Traditionally, your anti-virus and anti-spyware software works with your email software to identify malicious software as soon as it is received, or at least, as soon as it begins to execute in your computer. That works well for well-known viruses and spyware, but leaves you vulnerable to zero-day exploits , that is, vulnerable to malicious software that is not yet properly identified by the security software. Sandboxie offers another approach. If you run your email reader program sandboxed under the control of Sandboxie, this protection will also extend to any software spawned by the email reader, such as viruses and spyware, thus severely limiting the effects of the malicious software on your computer. For example, suppose you get an email message with the a virus that presents itself as an attachment called Click_Me_For_Best_Joke_Ever.exe . Suppose you don't know this is a virus, and further suppose that your anti-virus has not yet been updated to identify this particular virus. You click the attachment, and it delivers the best joke ever, but it also secretly installs malicious software. This example may not specifically name any known virus, but it is not at all farfetched. Quoting Wikipedia on Malware : \"Since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for illicit purposes ...\" See also: Construction (from Wikipedia) . 
If you run your email program sandboxed, then Click_Me_For_Best_Joke_Ever.exe also runs sandboxed, and any changes it makes to the computer, or software it installs, will be confined to the sandbox. These changes will be discarded in their entirety as soon as you delete the sandbox.","title":"Email Protection"},{"location":"Content/EmailProtection/#sandboxie-is-not-an-anti-virus-and-will-neither-identify-or-warn-about-viruses-however-sandboxie-treats-all-software-it-runs-as-potentially-malicious-software-which-cannot-be-trusted-and-will-not-let-any-program-malicious-or-legitimate-to-break-out-of-the-sandbox-and-make-permanent-changes-to-your-computer","text":"Note that the virus itself, in its original form as an email attachment, will remain in your mailbox even after you delete the sandbox. However, a computer virus is a piece of software, not a living creature: It cannot cause any harm your computer by merely being stored in your mailbox. It must be invoked before it can cause harm. Thus if you always run your email program sandboxed, the worst that can happen is that you will rerun the virus inside the sandbox, and then delete the sandbox again. Eventually, your anti-virus will be updated to identify this attachment as malicious software. The following section is concerned with configuring the use of email software with Sandboxie. You may access your email online via a Web browser running under Sandboxie, as is the case with Hotmail, Yahoo! or Gmail, to name three of the many Web mail services. In that case, no special configuration is necessary, and the following section is not relevant. The Sandboxie protection comes at a small cost: You should always keep in mind that Sandboxie considers all content created within the sandbox as discardable content. This means for example, that a malicious program installed by a virus is placed in the sandbox and considered discardable. 
But it also means that if you save an email message to a file, then that file is also put in the sandbox and will be discarded when the sandbox is deleted. And most importantly, this means that Sandboxie will treat incoming new mail as discardable content. For this reason, you must configure Sandboxie to treat your mailbox data files as trusted content, or you stand to lose important information. To protect against accidental loss of data, Sandboxie will issue message SBIE2212 if you run your email program without first properly configuring Sandboxie. Sandboxie offers easy configuration for most popular email reader programs. See Sandbox Settings > Applications > Email Reader . You may also need to tell Sandboxie where your mailbox data files reside, in the following cases: If your mailbox resides in a non-default or non-standard location. If you use the Eudora or The-Bat! email software. To do that, open Sandbox Settings > Applications > Folders , select your email software from the drop-down list, and then select a folder location to be associated with it. After completing the email configuration, you may want to test it, to make sure that even when running under Sandboxie, new emails are not lost when you delete the sandbox. To do that, follow the steps outlined in Test Email Configuration .","title":"Sandboxie is not an anti-virus, and will neither identify or warn about viruses. However, Sandboxie treats all software it runs as potentially malicious software which cannot be trusted, and will not let any program -- malicious or legitimate -- to break out of the sandbox and make permanent changes to your computer."},{"location":"Content/Enabled/","text":"Enabled Enabled is a sandbox setting in Sandboxie Ini . It is typically specified as Enabled=y (see Yes Or No Settings ), and indicates that programs can be launched in that sandbox. For example: . . . 
[InstallBox] Enabled=y Enabled=y,Administrators The first example is the typical form of Enabled , a required part of any sandbox section in the configuration file. It indicates that the sandbox InstallBox can be used for sandboxing. The second example similarly defines the sandbox InstallBox while also restricting its use to the Administrators user accounts group. Any user account or group that is recognized by the local Windows system can be specified. Multiple Enabled lines may be specified if the list of user accounts does not fit in one line. A sandbox that has been restricted to specific users is considered hidden to all other user accounts. Those other user accounts will not see the sandbox listed in Sandboxie Control , and any Force Process or Force Folder settings will not apply to those user accounts. Attempts to explicitly start a program in a sandbox that does not have an associated Enabled=y setting will fail. Related Sandboxie Control setting: Sandbox Settings > User Accounts Related Sandboxie Control command: Sandbox Menu > Reveal Hidden Sandbox","title":"Enabled"},{"location":"Content/Enabled/#enabled","text":"Enabled is a sandbox setting in Sandboxie Ini . It is typically specified as Enabled=y (see Yes Or No Settings ), and indicates that programs can be launched in that sandbox. For example: . . . [InstallBox] Enabled=y Enabled=y,Administrators The first example is the typical form of Enabled , a required part of any sandbox section in the configuration file. It indicates that the sandbox InstallBox can be used for sandboxing. The second example similarly defines the sandbox InstallBox while also restricting its use to the Administrators user accounts group. Any user account or group that is recognized by the local Windows system can be specified. Multiple Enabled lines may be specified if the list of user accounts does not fit in one line. A sandbox that has been restricted to specific users is considered hidden to all other user accounts. 
Those other user accounts will not see the sandbox listed in Sandboxie Control , and any Force Process or Force Folder settings will not apply to those user accounts. Attempts to explicitly start a program in a sandbox that does not have an associated Enabled=y setting will fail. Related Sandboxie Control setting: Sandbox Settings > User Accounts Related Sandboxie Control command: Sandbox Menu > Reveal Hidden Sandbox","title":"Enabled"},{"location":"Content/ExpandableVariables/","text":"Expandable Variables Some Sandboxie settings may include variables . These are placeholder names which are expanded to (replaced by) text which may be specific to a particular computer and user account. For example, RecoverFolder=%Personal%\\Song_Lyrics In this simple example, Sandboxie expands the variable Personal by the actual folder for the Documents folder. RecoverFolder=C:\\Users\\joe\\Documents\\Song_Lyrics The following table lists the variables that Sandboxie recognizes. Variable Name Expands To SbieHome Root path of Sandboxie installation sandbox Name of sandbox in which the program is running. Example: DefaultBox user username User account in which the program is running. Example: joe sid SID string identifying the user account in which the program is running. Example: S-1-5-21-414-171-1981-1005 session The number of the logon session in which the program is running. Example: 1 ProgramFiles Location of program files folder. Example: C:\\Program Files SystemRoot Location of the Windows installation folder. Example: C:\\Windows SystemDrive First two characters of %SystemRoot%. Example: C: DefaultSpoolDirectory Location of the print spool folder. Example: C:\\Windows\\System32\\spool\\printers UserProfile Location of the user account root folder. Example: C:\\Users\\joe AllUsersProfile Location of the shared user account root folder. 
Example: C:\\ProgramData HomeDrive HomePath HomeShare Partial locations of the user account root folder, as defined in the registry key: HKEY_CURRENT_USER\\Volatile Environment temp tmp Location of the Windows temporary files folder as defined in the registry key: HKEY_CURRENT_USER\\Environment. Example: C:\\Windows\\Temp Personal AppData Local AppData Favorites And more Locations of user account and system folders as are known to Windows Explorer. For more information, see Shell Folders . Template Variables Global templates are part of the Sandboxie installation and located in the file Templates.ini in the Sandboxie installation folder. Additional local templates may be added to Sandboxie Ini . Any template may reference template variables in the form %Tmpl.SomeVariableName% . These variable names are not built into the core of Sandboxie. They must be defined in Templates.ini or Sandboxie.ini in a [TemplateSettings] section. Overriding Variables Any of the variables in the table above, including the Shell Folders and template variables, can be overridden by the Sandboxie Ini configuration file. To override a variable, add a parameter prefixed with Ovr. . For example: [GlobalSettings] Ovr.SystemRoot=X:\\WIN Ovr.Tmpl.Firefox=C:\\Firefox\\Profiles\\ [DefaultBox] Ovr.Personal=Z:\\MY_FILES RecoverFolder=%Personal% OpenFilePath=%SystemRoot%\\Temp When a variable is overridden in this way, its expanded value will always match the value specified in the configuration file. Registry Fallbacks Some of the variables in the table above are taken from the system registry. Those variables are ProgramFiles and any other variable that appears below ProgramFiles in the table above. For these variables, it is possible to specify \"fallback\" values in the Sandboxie Ini configuration file. To specify a fallback for a variable, add a parameter prefixed with Reg. . 
For example: [GlobalSettings] Reg.Desktop=%USERPROFILE%\\Desktop [DefaultBox] Reg.Cookies=%USERPROFILE%\\Cookies Note that \"Ovr.\" style overrides (described above) will cause Sandboxie to ignore the registry. On the other hand, Sandboxie only checks \"Reg.\" style fallbacks if the expanded variable cannot be found in the registry. This means that if both Ovr.X and Reg.X are specified for the same variable X, the Ovr.X form will always apply when X is expanded, and the Reg.X form will never apply. It is generally preferable to use \"Ovr.\" style overrides than \"Reg.\" style fallbacks.","title":"Expandable Variables"},{"location":"Content/ExpandableVariables/#expandable-variables","text":"Some Sandboxie settings may include variables . These are placeholder names which are expanded to (replaced by) text which may be specific to a particular computer and user account. For example, RecoverFolder=%Personal%\\Song_Lyrics In this simple example, Sandboxie expands the variable Personal by the actual folder for the Documents folder. RecoverFolder=C:\\Users\\joe\\Documents\\Song_Lyrics The following table lists the variables that Sandboxie recognizes. Variable Name Expands To SbieHome Root path of Sandboxie installation sandbox Name of sandbox in which the program is running. Example: DefaultBox user username User account in which the program is running. Example: joe sid SID string identifying the user account in which the program is running. Example: S-1-5-21-414-171-1981-1005 session The number of the logon session in which the program is running. Example: 1 ProgramFiles Location of program files folder. Example: C:\\Program Files SystemRoot Location of the Windows installation folder. Example: C:\\Windows SystemDrive First two characters of %SystemRoot%. Example: C: DefaultSpoolDirectory Location of the print spool folder. Example: C:\\Windows\\System32\\spool\\printers UserProfile Location of the user account root folder. 
Example: C:\\Users\\joe AllUsersProfile Location of the shared user account root folder. Example: C:\\ProgramData HomeDrive HomePath HomeShare Partial locations of the user account root folder, as defined in the registry key: HKEY_CURRENT_USER\\Volatile Environment temp tmp Location of the Windows temporary files folder as defined in the registry key: HKEY_CURRENT_USER\\Environment. Example: C:\\Windows\\Temp Personal AppData Local AppData Favorites And more Locations of user account and system folders as are known to Windows Explorer. For more information, see Shell Folders .","title":"Expandable Variables"},{"location":"Content/ExpandableVariables/#template-variables","text":"Global templates are part of the Sandboxie installation and located in the file Templates.ini in the Sandboxie installation folder. Additional local templates may be added to Sandboxie Ini . Any template may reference template variables in the form %Tmpl.SomeVariableName% . These variable names are not built into the core of Sandboxie. They must be defined in Templates.ini or Sandboxie.ini in a [TemplateSettings] section.","title":"Template Variables"},{"location":"Content/ExpandableVariables/#overriding-variables","text":"Any of the variables in the table above, including the Shell Folders and template variables, can be overridden by the Sandboxie Ini configuration file. To override a variable, add a parameter prefixed with Ovr. . For example: [GlobalSettings] Ovr.SystemRoot=X:\\WIN Ovr.Tmpl.Firefox=C:\\Firefox\\Profiles\\ [DefaultBox] Ovr.Personal=Z:\\MY_FILES RecoverFolder=%Personal% OpenFilePath=%SystemRoot%\\Temp When a variable is overridden in this way, its expanded value will always match the value specified in the configuration file.","title":"Overriding Variables"},{"location":"Content/ExpandableVariables/#registry-fallbacks","text":"Some of the variables in the table above are taken from the system registry. 
Those variables are ProgramFiles and any other variable that appears below ProgramFiles in the table above. For these variables, it is possible to specify \"fallback\" values in the Sandboxie Ini configuration file. To specify a fallback for a variable, add a parameter prefixed with Reg. . For example: [GlobalSettings] Reg.Desktop=%USERPROFILE%\\Desktop [DefaultBox] Reg.Cookies=%USERPROFILE%\\Cookies Note that \"Ovr.\" style overrides (described above) will cause Sandboxie to ignore the registry. On the other hand, Sandboxie only checks \"Reg.\" style fallbacks if the expanded variable cannot be found in the registry. This means that if both Ovr.X and Reg.X are specified for the same variable X, the Ovr.X form will always apply when X is expanded, and the Reg.X form will never apply. It is generally preferable to use \"Ovr.\" style overrides than \"Reg.\" style fallbacks.","title":"Registry Fallbacks"},{"location":"Content/ExternalTutorials/","text":"External Tutorials For the official Getting Started tutorial on this web site, please click: Getting Started Other web sites offer more tutorials: English An Introduction and a Quick Guide to Sandboxie (Tutorial) Using SANDBOXIE to Safely Browse the Internet (PDF) (PDF) Sandboxie Isolation Demonstration (Video) Sandboxie Plus is an open source fork of Sandboxie with a modern interface (Article) German First steps in Sandboxie (PDF) Back Go back to the official Getting Started tutorial.","title":"External Tutorials"},{"location":"Content/ExternalTutorials/#external-tutorials","text":"For the official Getting Started tutorial on this web site, please click: Getting Started Other web sites offer more tutorials: English An Introduction and a Quick Guide to Sandboxie (Tutorial) Using SANDBOXIE to Safely Browse the Internet (PDF) (PDF) Sandboxie Isolation Demonstration (Video) Sandboxie Plus is an open source fork of Sandboxie with a modern interface (Article) German First steps in Sandboxie (PDF) Back Go back to the 
official Getting Started tutorial.","title":"External Tutorials"},{"location":"Content/FAQEmail/","text":"FAQ Email Questions and answers regarding the use of Sandboxie with email software. For a longer discussion, see Email Protection . Q. Why should I use Sandboxie to run my email software? A. Email software, as any other Internet-facing application, processes data that cannot be completely trusted, as it was received from the Internet. That data -- which is your email -- might contain viruses, and small bits of software designed to exploit vulnerabilities in your email software. By launching your email software under the supervision of Sandboxie, you can confine it to its sandbox, along with any potential viruses and exploits. See Email Protection for more information. Q. Will Sandboxie identify and delete viruses in my email? A. No. Sandboxie leaves this task to your anti-virus and anti-malware software. The job of Sandboxie is to provide the first line of defense and prevent a virus from infecting your computer, and potentially even your anti-virus software. Q. Message SBIE2212 appears when I run my email software in Sandboxie, does this indicate an error? A. No. As a safety measure, Sandboxie refuses to launch your email software under its supervision, until it is properly configured. For more information, see the reference page for message SBIE2212 . To learn how to configure support for your email software, see the next question in this FAQ. Q. How do I configure Sandboxie for use with my email software? A. Open Sandbox Settings > Applications > Email Reader and select the email software that you use. If your mailbox data files are not in the default location, see Sandbox Settings > Applications > Folders . Then, you should also test the configuration; see Test Email Configuration . Q. How do I run my email software under Sandboxie? A. You can use the Run Email Reader command from the Sandbox Menu or Tray Icon Menu of Sandboxie Control . 
You can also right-click Run Sandboxed on the executable icon for your email software. Q. How can I force my email software to always run under Sandboxie? A. When the software is already running under Sandboxie, go to Program Settings , Page 1, and select the checkbox to Force program to run in this sandbox . You can also use Sandbox Settings > Program Start > Forced Programs to accomplish the same. Q. My email software is periodically updated (automatically or manually). Will the updates become permanent? A. No. The updates will be installed in the sandbox and will disappear when the sandbox is deleted . To properly update your software, launch it outside the supervision of Sandboxie, then initiate the update process. If it is already set as a forced program (see previous question), use the Disable Forced Programs command before starting your email software. Q. Should I create a separate, dedicated sandbox just for email, or can I use the same sandbox for email and web browsing? A. This depends primarily on your habits. If you want the convenience of opening your email software by clicking an email link ( mailto ) in your browser, then you have to use (and configure) the same sandbox for both web browsing and email reading. On the other hand, some people prefer to isolate the two unrelated activities into separate sandboxes. There is no strict answer, and both approaches work well. Q. I want to launch my web browser in a sandbox, but not my email software. When I click an email link ( mailto ), the web browser tries to launch my email software in the sandbox. What should I do? A. You can avoid this issue by right-clicking the email link instead of left (normal) clicking it. The right-click menu will let you copy the email address. Then switch to your email software and paste the email address. If the pasted email address begins with a mailto: prefix, then make sure to delete that prefix, including the colon (:). Q. 
I want to launch my email software in a different sandbox than my web browser. When I click an email link ( mailto ), the web browser tries to open my email software in the wrong sandbox. What should I do? A. See the answer to the previous question. Q. I have a web mail account and I read my email via my web browser, do I need to configure anything? A. No, because in this case, none of your emails are stored in your computer.","title":"FAQ Email"},{"location":"Content/FAQEmail/#faq-email","text":"Questions and answers regarding the use of Sandboxie with email software. For a longer discussion, see Email Protection .","title":"FAQ Email"},{"location":"Content/FAQEmail/#q-why-should-i-use-sandboxie-to-run-my-email-software","text":"A. Email software, as any other Internet-facing application, processes data that cannot be completely trusted, as it was received from the Internet. That data -- which is your email -- might contain viruses, and small bits of software designed to exploit vulnerabilities in your email software. By launching your email software under the supervision of Sandboxie, you can confine it to its sandbox, along with any potential viruses and exploits. See Email Protection for more information.","title":"Q. Why should I use Sandboxie to run my email software?"},{"location":"Content/FAQEmail/#q-will-sandboxie-identify-and-delete-viruses-in-my-email","text":"A. No. Sandboxie leaves this task to your anti-virus and anti-malware software. The job of Sandboxie is to provide the first line of defense and prevent a virus from infecting your computer, and potentially even your anti-virus software.","title":"Q. Will Sandboxie identify and delete viruses in my email?"},{"location":"Content/FAQEmail/#q-message-sbie2212-appears-when-i-run-my-email-software-in-sandboxie-does-this-indicate-an-error","text":"A. No. As a safety measure, Sandboxie refuses to launch your email software under its supervision, until it is properly configured. 
For more information, see the reference page for message SBIE2212 . To learn how to configure support for your email software, see the next question in this FAQ.","title":"Q. Message SBIE2212 appears when I run my email software in Sandboxie, does this indicate an error?"},{"location":"Content/FAQEmail/#q-how-do-i-configure-sandboxie-for-use-with-my-email-software","text":"A. Open Sandbox Settings > Applications > Email Reader and select the email software that you use. If your mailbox data files are not in the default location, see Sandbox Settings > Applications > Folders . Then, you should also test the configuration; see Test Email Configuration .","title":"Q. How do I configure Sandboxie for use with my email software?"},{"location":"Content/FAQEmail/#q-how-do-i-run-my-email-software-under-sandboxie","text":"A. You can use the Run Email Reader command from the Sandbox Menu or Tray Icon Menu of Sandboxie Control . You can also right-click Run Sandboxed on the executable icon for your email software.","title":"Q. How do I run my email software under Sandboxie?"},{"location":"Content/FAQEmail/#q-how-can-i-force-my-email-software-to-always-run-under-sandboxie","text":"A. When the software is already running under Sandboxie, go to Program Settings , Page 1, and select the checkbox to Force program to run in this sandbox . You can also use Sandbox Settings > Program Start > Forced Programs to accomplish the same.","title":"Q. How can I force my email software to always run under Sandboxie?"},{"location":"Content/FAQEmail/#q-my-email-software-is-periodically-updated-automatically-or-manually-will-the-updates-become-permanent","text":"A. No. The updates will be installed in the sandbox and will disappear when the sandbox is deleted . To properly update your software, launch it outside the supervision of Sandboxie, then initiate the update process. 
If it is already set as a forced program (see previous question), use the Disable Forced Programs command before starting your email software.","title":"Q. My email software is periodically updated (automatically or manually). Will the updates become permanent?"},{"location":"Content/FAQEmail/#q-should-i-create-a-separate-dedicated-sandbox-just-for-email-or-can-i-use-the-same-sandbox-for-email-and-web-browsing","text":"A. This depends primarily on your habits. If you want the convenience of opening your email software by clicking an email link ( mailto ) in your browser, then you have to use (and configure) the same sandbox for both web browsing and email reading. On the other hand, some people prefer to isolate the two unrelated activities into separate sandboxes. There is no strict answer, and both approaches work well.","title":"Q. Should I create a separate, dedicated sandbox just for email, or can I use the same sandbox for email and web browsing?"},{"location":"Content/FAQEmail/#q-i-want-to-launch-my-web-browser-in-a-sandbox-but-not-my-email-software-when-i-click-an-email-link-mailto-the-web-browser-tries-to-launch-my-email-software-in-the-sandbox-what-should-i-do","text":"A. You can avoid this issue by right-clicking the email link instead of left (normal) clicking it. The right-click menu will let you copy the email address. Then switch to your email software and paste the email address. If the pasted email address begins with a mailto: prefix, then make sure to delete that prefix, including the colon (:).","title":"Q. I want to launch my web browser in a sandbox, but not my email software. When I click an email link (mailto), the web browser tries to launch my email software in the sandbox. What should I do?"},{"location":"Content/FAQEmail/#q-i-want-to-launch-my-email-software-in-a-different-sandbox-than-my-web-browser-when-i-click-an-email-link-mailto-the-web-browser-tries-to-open-my-email-software-in-the-wrong-sandbox-what-should-i-do","text":"A. 
See the answer to the previous question.","title":"Q. I want to launch my email software in a different sandbox than my web browser. When I click an email link (mailto), the web browser tries to open my email software in the wrong sandbox. What should I do?"},{"location":"Content/FAQEmail/#q-i-have-a-web-mail-account-and-i-read-my-email-via-my-web-browser-do-i-need-to-configure-anything","text":"A. No, because in this case, none of your emails are stored in your computer.","title":"Q. I have a web mail account and I read my email via my web browser, do I need to configure anything?"},{"location":"Content/FAQVirus/","text":"FAQ Virus Questions and answers regarding Sandboxie and viruses and malware. For brevity, the text below mentions only viruses, but it equally applies to malware. Sandboxie protects your from viruses, malware, ransom-ware, zero day threats, etc. Sandboxie does not need to rely on virus database signature updates, heuristics, etc. If you get a virus in your sandbox, you simply delete the contents of that sandbox and move along. Your host machine, software and browser is not touched. Nothing on your host machine is harmed. Q. What does malicious software do? A. Malicious software is typically designed to infect your computer. This infection is accomplished by the integration with, or the taking over of, various aspects of your Windows operating system. Following this infection, different types of malicious software have different goals. For example, a virus program might spread to more computers, and a spyware program might record your keyboard activity. Q. How does Sandboxie protect against computer viruses? A. Sandboxie considers the program it supervises as potentially harmful, and keeps the programs bound within a sandbox , which is a kind of protective bubble. The program cannot escape the sandbox, and therefore cannot change, harm or infect your computer in any way. When you're done with the program, you delete the sandbox. Q. 
Does Sandboxie remove viruses? A. Yes, but not in the sense that Sandboxie discards just the viruses, and leaves everything else intact. What Sandboxie does is delete the entire sandbox, which deletes any viruses trapped within the sandbox, as well as any other changes (good or bad) that were attempted by the program running under the supervision of Sandboxie. Q. Is Sandboxie an anti-virus? A. No. While Sandboxie is a countermeasure against malicious software, it works differently from traditional anti-virus software. Unlike an anti-virus, Sandboxie does not attempt to identify or differentiate between \"good\" and \"bad\" (or harmful) programs. An anti-virus might not identify a new virus, and might let it slip by and infect your computer. Sandboxie, on the other hand, considers all programs as potentially harmful, and does not let any program modify your computer in any way. Q. Should I use Sandboxie instead of anti-virus software? A. No. Sandboxie can prevent a virus in the sandbox from escaping into your real computer. However, common sense dictates that it is preferable to prevent the virus from running in the first place. Therefore it is a good idea to use anti-virus software to prevent known threats, while relying on Sandboxie to be your first line of defense against threats that are not yet known to the anti-virus. Q. Is Sandboxie 100% fool-proof? A. No, but it tries to be as close as possible to 100%. At the same time, it is important to remember that Sandboxie is never the only software in your computer. Your other software, including your Windows operating system, might have security holes that could be abused by viruses in ways that no security software can prevent. Therefore it is always important to keep up with software updates. As the saying goes: \"The only truly secure computer is one buried in concrete, with the power turned off and the network cable cut.\" Q. Can the anti-virus detect a virus in the sandbox? A. Yes. 
Files contained in the sandbox are stored in the hard disk, typically in the folder SANDBOX in drive C. Programs under the supervision of Sandboxie can only operate within this folder, but there is nothing special about the folder itself. The anti-virus software may detect viruses as they arrive into this folder, or at any later time. Q. How should I respond to the anti-virus detecting a virus A. Your anti-virus should tell you where the virus was identified. If the virus was identified within the sandbox (typically, in the SANDBOX folder in drive C), there is little cause for alarm. You can immediately invoke the Delete Sandbox command, or you may direct the anti-virus to delete the virus file, or move it to quarantine. Q. When the anti-virus moves a virus file out of the sandbox and into quarantine, does it bypass Sandboxie? A. No. The anti-virus itself is not operating under the supervision of Sandboxie, even if the virus alert seems to indicate otherwise. Operating outside the sandbox, the anti-virus can reach into the sandbox folder, pull the virus file, and move it into quarantine. The process is similar to Sandboxie Quick Recovery , wherein Sandboxie Control reaches inside the sandbox to pull some file out of it. Q. Will viruses remain in the sandbox after I close all programs in the sandbox? A. Yes and no: 1. No, if your sandbox is set to automatically delete; 2. Yes, in the configuration, but only until you manually delete the contents of the sandbox. It is important to note that a virus file in the sandbox is just that -- a file , not much different from your average text file. Unless you move the file out of the sandbox and invoke it, there is little cause for alarm. Q. Do I have to securely wipe the contents of the sandbox to make sure the virus is gone? A. No. Although you can configure Sandboxie to use a third-party data wiping utility, the key point is to make the virus file itself inaccessible, and this is accomplished even with non-secure deletion. 
There is, however, an advantage to secure deletion, as discussed in the next answer. Q. Why does my anti-virus detect a virus in the System Volume Information folder? A. The System Restore component in Windows collects various files into the System Volume Information when they are deleted. While the intention is to protect your system, sometimes System Restore ends up making copies of virus files. These virus files are inactive, and even if restored, will be restored into the sandbox, so there is little cause for alarm. Nevertheless, it is a good idea to let your anti-virus get rid of any such virus files. Note that this will not occur if you securely wipe the contents of the sandbox (see previous question). Q. My computer is already infected with a virus, will Sandboxie protect against that virus? A. No. Sandboxie can only protect your computer from the programs that run under the supervision of Sandboxie. The virus which has already infected your computer is running unencumbered outside the supervision of Sandboxie. It might also serve as an infection channel and assist other viruses in the sandbox to break out of the sandbox and infect your computer. It is strongly recommended that you dis-infect your computer as soon as possible, then install Sandboxie to protect against future threats. Q. Does Sandboxie protect against the KillDisk virus? A. Yes. The KillDisk virus works by modifying the hard disk partition directly, bypassing any file systems. This kind of access has been blocked since Sandboxie version 2.33 (early 2006). Q. Can I install an anti-virus (or firewalls or other security software) into the sandbox? A. For most security software, the answer is no. This type of software wants to integrate with Windows in order to monitor access to files and network connections. Sandboxie is designed to isolate programs in the sandbox from the rest of the system, which means the security software will be unable to monitor the system correctly. 
Note that virus scanner software which does not include active (\"real time\") monitoring should be able to function correctly under Sandboxie. Please note: Not all Anti-virus \"suites\" will work. Sandboxie may not function with certain suites (Kaspersky.)","title":"FAQ Virus"},{"location":"Content/FAQVirus/#faq-virus","text":"Questions and answers regarding Sandboxie and viruses and malware. For brevity, the text below mentions only viruses, but it equally applies to malware. Sandboxie protects your from viruses, malware, ransom-ware, zero day threats, etc. Sandboxie does not need to rely on virus database signature updates, heuristics, etc. If you get a virus in your sandbox, you simply delete the contents of that sandbox and move along. Your host machine, software and browser is not touched. Nothing on your host machine is harmed.","title":"FAQ Virus"},{"location":"Content/FAQVirus/#q-what-does-malicious-software-do","text":"A. Malicious software is typically designed to infect your computer. This infection is accomplished by the integration with, or the taking over of, various aspects of your Windows operating system. Following this infection, different types of malicious software have different goals. For example, a virus program might spread to more computers, and a spyware program might record your keyboard activity.","title":"Q. What does malicious software do?"},{"location":"Content/FAQVirus/#q-how-does-sandboxie-protect-against-computer-viruses","text":"A. Sandboxie considers the program it supervises as potentially harmful, and keeps the programs bound within a sandbox , which is a kind of protective bubble. The program cannot escape the sandbox, and therefore cannot change, harm or infect your computer in any way. When you're done with the program, you delete the sandbox.","title":"Q. How does Sandboxie protect against computer viruses?"},{"location":"Content/FAQVirus/#q-does-sandboxie-remove-viruses","text":"A. 
Yes, but not in the sense that Sandboxie discards just the viruses, and leaves everything else intact. What Sandboxie does is delete the entire sandbox, which deletes any viruses trapped within the sandbox, as well as any other changes (good or bad) that were attempted by the program running under the supervision of Sandboxie.","title":"Q. Does Sandboxie remove viruses?"},{"location":"Content/FAQVirus/#q-is-sandboxie-an-anti-virus","text":"A. No. While Sandboxie is a countermeasure against malicious software, it works differently from traditional anti-virus software. Unlike an anti-virus, Sandboxie does not attempt to identify or differentiate between \"good\" and \"bad\" (or harmful) programs. An anti-virus might not identify a new virus, and might let it slip by and infect your computer. Sandboxie, on the other hand, considers all programs as potentially harmful, and does not let any program modify your computer in any way.","title":"Q. Is Sandboxie an anti-virus?"},{"location":"Content/FAQVirus/#q-should-i-use-sandboxie-instead-of-anti-virus-software","text":"A. No. Sandboxie can prevent a virus in the sandbox from escaping into your real computer. However, common sense dictates that it is preferable to prevent the virus from running in the first place. Therefore it is a good idea to use anti-virus software to prevent known threats, while relying on Sandboxie to be your first line of defense against threats that are not yet known to the anti-virus.","title":"Q. Should I use Sandboxie instead of anti-virus software?"},{"location":"Content/FAQVirus/#q-is-sandboxie-100-fool-proof","text":"A. No, but it tries to be as close as possible to 100%. At the same time, it is important to remember that Sandboxie is never the only software in your computer. Your other software, including your Windows operating system, might have security holes that could be abused by viruses in ways that no security software can prevent. 
Therefore it is always important to keep up with software updates. As the saying goes: \"The only truly secure computer is one buried in concrete, with the power turned off and the network cable cut.\"","title":"Q. Is Sandboxie 100% fool-proof?"},{"location":"Content/FAQVirus/#q-can-the-anti-virus-detect-a-virus-in-the-sandbox","text":"A. Yes. Files contained in the sandbox are stored in the hard disk, typically in the folder SANDBOX in drive C. Programs under the supervision of Sandboxie can only operate within this folder, but there is nothing special about the folder itself. The anti-virus software may detect viruses as they arrive into this folder, or at any later time.","title":"Q. Can the anti-virus detect a virus in the sandbox?"},{"location":"Content/FAQVirus/#q-how-should-i-respond-to-the-anti-virus-detecting-a-virus","text":"A. Your anti-virus should tell you where the virus was identified. If the virus was identified within the sandbox (typically, in the SANDBOX folder in drive C), there is little cause for alarm. You can immediately invoke the Delete Sandbox command, or you may direct the anti-virus to delete the virus file, or move it to quarantine.","title":"Q. How should I respond to the anti-virus detecting a virus"},{"location":"Content/FAQVirus/#q-when-the-anti-virus-moves-a-virus-file-out-of-the-sandbox-and-into-quarantine-does-it-bypass-sandboxie","text":"A. No. The anti-virus itself is not operating under the supervision of Sandboxie, even if the virus alert seems to indicate otherwise. Operating outside the sandbox, the anti-virus can reach into the sandbox folder, pull the virus file, and move it into quarantine. The process is similar to Sandboxie Quick Recovery , wherein Sandboxie Control reaches inside the sandbox to pull some file out of it.","title":"Q. 
When the anti-virus moves a virus file out of the sandbox and into quarantine, does it bypass Sandboxie?"},{"location":"Content/FAQVirus/#q-will-viruses-remain-in-the-sandbox-after-i-close-all-programs-in-the-sandbox","text":"A. Yes and no: 1. No, if your sandbox is set to automatically delete; 2. Yes, in the configuration, but only until you manually delete the contents of the sandbox. It is important to note that a virus file in the sandbox is just that -- a file , not much different from your average text file. Unless you move the file out of the sandbox and invoke it, there is little cause for alarm.","title":"Q. Will viruses remain in the sandbox after I close all programs in the sandbox?"},{"location":"Content/FAQVirus/#q-do-i-have-to-securely-wipe-the-contents-of-the-sandbox-to-make-sure-the-virus-is-gone","text":"A. No. Although you can configure Sandboxie to use a third-party data wiping utility, the key point is to make the virus file itself inaccessible, and this is accomplished even with non-secure deletion. There is, however, an advantage to secure deletion, as discussed in the next answer.","title":"Q. Do I have to securely wipe the contents of the sandbox to make sure the virus is gone?"},{"location":"Content/FAQVirus/#q-why-does-my-anti-virus-detect-a-virus-in-the-system-volume-information-folder","text":"A. The System Restore component in Windows collects various files into the System Volume Information when they are deleted. While the intention is to protect your system, sometimes System Restore ends up making copies of virus files. These virus files are inactive, and even if restored, will be restored into the sandbox, so there is little cause for alarm. Nevertheless, it is a good idea to let your anti-virus get rid of any such virus files. Note that this will not occur if you securely wipe the contents of the sandbox (see previous question).","title":"Q. 
Why does my anti-virus detect a virus in the System Volume Information folder?"},{"location":"Content/FAQVirus/#q-my-computer-is-already-infected-with-a-virus-will-sandboxie-protect-against-that-virus","text":"A. No. Sandboxie can only protect your computer from the programs that run under the supervision of Sandboxie. The virus which has already infected your computer is running unencumbered outside the supervision of Sandboxie. It might also serve as an infection channel and assist other viruses in the sandbox to break out of the sandbox and infect your computer. It is strongly recommended that you dis-infect your computer as soon as possible, then install Sandboxie to protect against future threats.","title":"Q. My computer is already infected with a virus, will Sandboxie protect against that virus?"},{"location":"Content/FAQVirus/#q-does-sandboxie-protect-against-the-killdisk-virus","text":"A. Yes. The KillDisk virus works by modifying the hard disk partition directly, bypassing any file systems. This kind of access has been blocked since Sandboxie version 2.33 (early 2006).","title":"Q. Does Sandboxie protect against the KillDisk virus?"},{"location":"Content/FAQVirus/#q-can-i-install-an-anti-virus-or-firewalls-or-other-security-software-into-the-sandbox","text":"A. For most security software, the answer is no. This type of software wants to integrate with Windows in order to monitor access to files and network connections. Sandboxie is designed to isolate programs in the sandbox from the rest of the system, which means the security software will be unable to monitor the system correctly. Note that virus scanner software which does not include active (\"real time\") monitoring should be able to function correctly under Sandboxie. Please note: Not all Anti-virus \"suites\" will work. Sandboxie may not function with certain suites (Kaspersky.)","title":"Q. 
Can I install an anti-virus (or firewalls or other security software) into the sandbox?"},{"location":"Content/FeatureComparison/","text":"Sandboxie Plus and Classic share the same core components, the main difference is that the Classic user interface is no longer under development. Hence, new core functionality is only available in the SandMan user interface of Sandboxie Plus. Likewise, various other new features are only implemented in the SandMan UI. Another difference is that Sandboxie Plus is provided under a custom license , while Sandboxie Classic is provided under a GPL-3.0+ license . Some exclusive functionality is only available to project supporters with a valid Supporter Certificate , see the table below. Starting with version 1.11.0, an Advanced Encryption Pack is also available, which must be obtained in addition to the supporter certificate in order to use sandbox encryption. Please note that a Business Certificate is required to use Sandboxie Plus in a commercial or educational setting! Plus vs. Classic Free Premium Free vs. 
Premium Free HOME PERSONAL FAMILY PACK BUSINESS ETERNAL Usage Personal Personal Personal Personal Commercial Personal Support reminder Yes No Yes No No No No No PCs per certificate As Certified Personal** Personal Personal and Family*** 1 Personal and Family Expiration As Certified 1 year of use 1 year of updates* 1 year of use 1 year of use No Old builds work after expiration As Certified No Yes No No Sandboxie-Live No No No 1 year of support 1 year of support 1 year of support 1 year of support Yes**** UI dark mode No No Yes Yes Yes Yes Yes Yes Start Menu integration No No Yes Yes Yes Yes Yes Yes Windows 11 context menu No No Yes Yes Yes Yes Yes Yes Box snapshots No No Yes Yes Yes Yes Yes Yes WFP support No Yes (no UI) Yes Yes Yes Yes Yes Yes Privacy enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Security enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Compatibility enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes ARM64 support No No Trial Yes Yes Yes Yes Yes RAM Disk integration No Yes (no UI) No Yes Yes Yes Yes Yes * A personal type certificate, once expired, does not unlock features in builds compiled after its expiration date. Builds compiled before that time retain their exclusive unlocked features state. ** Personal covers all devices you use yourself, so if you have a laptop and a desktop, one certificate covers both. *** A family pack can be used for the entire family, it is not required for the family to live in the same household, so the certificate can be used for children who have moved out or your grandparents. **** For as long as the service exists.","title":"FeatureComparison"},{"location":"Content/FeatureComparisonOld/","text":"Feature Comparison (obsolete) Sandboxie Plus and Classic share the same core components, the main difference is that the Classic UI is no longer under development. Hence, a UI for new core functionality is only available in the SandMan UI of the Sandboxie Plus. 
Likewise, various other new features are only implemented in the SandMan UI. Another difference is that Sandboxie Plus is provided under a custom license , while Sandboxie Classic is provided under a GPL-3.0+ license . Some exclusive functionality is only available to project supporters with a valid Supporter Certificate . Please note that a Business Certificate is required to use Sandboxie Plus in a commercial or educational setting! \u26a0\ufe0f Warning The following comparison is obsolete as of version 1.11.0 / 5.66.0 , please see the new page . CLASSIC VS. PLUS CLASSIC PLUS LICENSE FREE SUPPORTED FREE SMALL MEDIUM LARGE BUSINESS HUGE Usage - - Personal Personal Personal Personal Commercial Commercial Support reminder Yes No Yes No No No No No PCs per Certificate - As Certified - Personal Personal Personal and Family 1 Personal and Family Expiration - As Certified - 1 year 1 year 2 years 1 year No Old builds work after expiration - As Certified - No Yes Yes Yes Yes UI Dark mode No No Yes Yes Yes Yes Yes Yes Start Menu Integration No No Yes Yes Yes Yes Yes Yes Windows 11 Context menu No No Yes Yes Yes Yes Yes Yes Box Snapshots No No Yes Yes Yes Yes Yes Yes Object Filtering Yes Yes Yes Yes Yes Yes Yes Yes WFP support No Yes (no UI) Yes Yes Yes Yes Yes Yes Privacy enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Security enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Compatibility enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Process Breakout Yes (no UI) Yes (no UI) Yes Yes Yes Yes Yes Yes","title":"Feature Comparison (obsolete)"},{"location":"Content/FeatureComparisonOld/#feature-comparison-obsolete","text":"Sandboxie Plus and Classic share the same core components, the main difference is that the Classic UI is no longer under development. Hence, a UI for new core functionality is only available in the SandMan UI of the Sandboxie Plus. Likewise, various other new features are only implemented in the SandMan UI. 
Another difference is that Sandboxie Plus is provided under a custom license , while Sandboxie Classic is provided under a GPL-3.0+ license . Some exclusive functionality is only available to project supporters with a valid Supporter Certificate . Please note that a Business Certificate is required to use Sandboxie Plus in a commercial or educational setting! \u26a0\ufe0f Warning The following comparison is obsolete as of version 1.11.0 / 5.66.0 , please see the new page . CLASSIC VS. PLUS CLASSIC PLUS LICENSE FREE SUPPORTED FREE SMALL MEDIUM LARGE BUSINESS HUGE Usage - - Personal Personal Personal Personal Commercial Commercial Support reminder Yes No Yes No No No No No PCs per Certificate - As Certified - Personal Personal Personal and Family 1 Personal and Family Expiration - As Certified - 1 year 1 year 2 years 1 year No Old builds work after expiration - As Certified - No Yes Yes Yes Yes UI Dark mode No No Yes Yes Yes Yes Yes Yes Start Menu Integration No No Yes Yes Yes Yes Yes Yes Windows 11 Context menu No No Yes Yes Yes Yes Yes Yes Box Snapshots No No Yes Yes Yes Yes Yes Yes Object Filtering Yes Yes Yes Yes Yes Yes Yes Yes WFP support No Yes (no UI) Yes Yes Yes Yes Yes Yes Privacy enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Security enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Compatibility enhanced boxes No Yes (no UI) No Yes Yes Yes Yes Yes Process Breakout Yes (no UI) Yes (no UI) Yes Yes Yes Yes Yes Yes","title":"Feature Comparison (obsolete)"},{"location":"Content/FileMenu/","text":"File Menu Sandboxie Control > File Menu Terminate All Programs Sandboxie Control > File Menu > Terminate All Programs The Terminate All Programs command immediately stops all programs running in all sandboxes. There is no window associated with this command. 
However, you may be warned about the potential loss of any data processed by the programs which are about to be terminated: This warning refers to, for example, any open documents which will not be saved. This warning can be disabled by selecting the checkbox at the bottom: In the future, terminate processes without asking. See also: Terminate All Programs in Tray Icon Menu . Disable Forced Programs Sandboxie Control > File Menu > Disable Forced Programs The Disable Forced Programs toggle command temporarily disables or re-enables forced sandboxing. Normally, any forced programs (or programs in any forced folders ) will automatically start under the supervision of Sandboxie. Forced sandboxing is temporarily suspended when the Disable Forced Programs command is invoked. By default, forced sandboxing is suspended for 10 seconds. The number of seconds can be changed in the following dialog box, which appears when you select this command. Note that the associated command in the Tray Icon Menu does not show this dialog box, and uses the last duration specified, or the default of 10 seconds. For the duration that the Disable Forced Programs mode is in effect: The Sandboxie icon in the system tray area includes a small red X. The \"Disable Forced Programs\" command in the File Menu and Tray Icon Menu appears with a checkmark next to it. Message SBIE1301 will be issued if any forced programs are started. Selecting this command again will cancel the mode, restore the icon to its original appearance, and resume the normal operation of forced sandboxing. See also: Disable Forced Programs in Tray Icon Menu . Run As UAC Administrator Sandboxie Control > File Menu > Run As UAC Administrator The Run As UAC Administrator toggle command tells Sandboxie to ask for elevation to Administrative privileges before starting any programs. This command is only available on Windows when User Account Control (UAC) is in effect, and the user account is not already elevated. 
If this command is available in the menu, then it is typically necessary to enable it before installing programs into the sandbox, and it is recommended to disable it when that installation is complete. There is no window associated with this command. However, while the Run As UAC Administrator is in effect, the command appears in the File Menu and Tray Icon Menu with a checkmark next to it. See also: Run As UAC Administrator in Tray Icon Menu . Is Window Sandboxed? Sandboxie Control > File Menu > Is Window Sandboxed? The Is Window Sandboxed? command is used to select a window displayed on the screen, and if the window is owned by a sandboxed program, the command displays the name of the program and the sandbox it is running in. To use the command, click and hold the left mouse button on the Finder Tool , that is, the icon of a target within a window. Without releasing the left mouse button, drag the target over the desired window, and when the target is within the boundaries of the desired window, release the left mouse button. If the window is owned by a sandboxed program, Sandboxie will display the program name and sandbox name, will switch the view to Programs View , and highlight that program. Some programs display their windows using customized graphics, and this prevents Sandboxie from showing the [#] indicators in the title bar. In these cases, you can use the Is Window Sandboxed? command to make sure that the window and its related program are running sandboxed. Exit Sandboxie Control > File Menu > Exit The Exit command quits Sandboxie Control . Note that merely closing the window (or selecting the Hide Window command from the Tray Icon Menu ) does not quit Sandboxie Control. Sandboxie is still active and correctly supervise programs even when the front-end application, Sandboxie Control, is inactive. 
However, the following features are provided by the Sandboxie Control and will not be available when the front-end program is not running: Automatic Delete Sandbox Quick and Immediate Recovery Disable Forced Programs mode (when initiated from the Sandboxie Start program) If you do not wish to see Sandboxie Control in your system tray area, consider configuring the Windows task bar to always hide the icon, rather than exit Sandboxie Control. Go to Sandboxie Control , Tray Icon Menu , Help Topics .","title":"File Menu"},{"location":"Content/FileMenu/#file-menu","text":"Sandboxie Control > File Menu","title":"File Menu"},{"location":"Content/FileMenu/#terminate-all-programs","text":"Sandboxie Control > File Menu > Terminate All Programs The Terminate All Programs command immediately stops all programs running in all sandboxes. There is no window associated with this command. However, you may be warned about the potential loss of any data processed by the programs which are about to be terminated: This warning refers to, for example, any open documents which will not be saved. This warning can be disabled by selecting the checkbox at the bottom: In the future, terminate processes without asking. See also: Terminate All Programs in Tray Icon Menu .","title":"Terminate All Programs"},{"location":"Content/FileMenu/#disable-forced-programs","text":"Sandboxie Control > File Menu > Disable Forced Programs The Disable Forced Programs toggle command temporarily disables or re-enables forced sandboxing. Normally, any forced programs (or programs in any forced folders ) will automatically start under the supervision of Sandboxie. Forced sandboxing is temporarily suspended when the Disable Forced Programs command is invoked. By default, forced sandboxing is suspended for 10 seconds. The number of seconds can be changed in the following dialog box, which appears when you select this command. 
Note that the associated command in the Tray Icon Menu does not show this dialog box, and uses the last duration specified, or the default of 10 seconds. For the duration that the Disable Forced Programs mode is in effect: The Sandboxie icon in the system tray area includes a small red X. The \"Disable Forced Programs\" command in the File Menu and Tray Icon Menu appears with a checkmark next to it. Message SBIE1301 will be issued if any forced programs are started. Selecting this command again will cancel the mode, restore the icon to its original appearance, and resume the normal operation of forced sandboxing. See also: Disable Forced Programs in Tray Icon Menu .","title":"Disable Forced Programs"},{"location":"Content/FileMenu/#run-as-uac-administrator","text":"Sandboxie Control > File Menu > Run As UAC Administrator The Run As UAC Administrator toggle command tells Sandboxie to ask for elevation to Administrative privileges before starting any programs. This command is only available on Windows when User Account Control (UAC) is in effect, and the user account is not already elevated. If this command is available in the menu, then it is typically necessary to enable it before installing programs into the sandbox, and it is recommended to disable it when that installation is complete. There is no window associated with this command. However, while the Run As UAC Administrator is in effect, the command appears in the File Menu and Tray Icon Menu with a checkmark next to it. See also: Run As UAC Administrator in Tray Icon Menu .","title":"Run As UAC Administrator"},{"location":"Content/FileMenu/#is-window-sandboxed","text":"Sandboxie Control > File Menu > Is Window Sandboxed? The Is Window Sandboxed? command is used to select a window displayed on the screen, and if the window is owned by a sandboxed program, the command displays the name of the program and the sandbox it is running in. 
To use the command, click and hold the left mouse button on the Finder Tool , that is, the icon of a target within a window. Without releasing the left mouse button, drag the target over the desired window, and when the target is within the boundaries of the desired window, release the left mouse button. If the window is owned by a sandboxed program, Sandboxie will display the program name and sandbox name, will switch the view to Programs View , and highlight that program. Some programs display their windows using customized graphics, and this prevents Sandboxie from showing the [#] indicators in the title bar. In these cases, you can use the Is Window Sandboxed? command to make sure that the window and its related program are running sandboxed.","title":"Is Window Sandboxed?"},{"location":"Content/FileMenu/#exit","text":"Sandboxie Control > File Menu > Exit The Exit command quits Sandboxie Control . Note that merely closing the window (or selecting the Hide Window command from the Tray Icon Menu ) does not quit Sandboxie Control. Sandboxie is still active and correctly supervise programs even when the front-end application, Sandboxie Control, is inactive. However, the following features are provided by the Sandboxie Control and will not be available when the front-end program is not running: Automatic Delete Sandbox Quick and Immediate Recovery Disable Forced Programs mode (when initiated from the Sandboxie Start program) If you do not wish to see Sandboxie Control in your system tray area, consider configuring the Windows task bar to always hide the icon, rather than exit Sandboxie Control. Go to Sandboxie Control , Tray Icon Menu , Help Topics .","title":"Exit"},{"location":"Content/FileMigrationSettings/","text":"File Migration Settings Sandboxie Control > Sandbox Settings > File Migration: Before a sandboxed program can make changes to a file that already exists in your computer, Sandboxie first must make a copy of this file in the sandbox. 
However, making copies of very large files would be a long operation. For this reason, Sandboxie will only make copies of files that are below a certain maximum size. Files larger than this size will be considered read-only inside the sandbox, and any attempt to modify them will result in message SBIE2102 . Use this settings page to set the maximum size threshold, and whether or not you wish to see message SBIE2102 issued when an attempt is made to modify files larger than that maximum size. Related Sandboxie Ini settings: CopyLimitKb , CopyLimitSilent .","title":"File Migration Settings"},{"location":"Content/FileMigrationSettings/#file-migration-settings","text":"Sandboxie Control > Sandbox Settings > File Migration: Before a sandboxed program can make changes to a file that already exists in your computer, Sandboxie first must make a copy of this file in the sandbox. However, making copies of very large files would be a long operation. For this reason, Sandboxie will only make copies of files that are below a certain maximum size. Files larger than this size will be considered read-only inside the sandbox, and any attempt to modify them will result in message SBIE2102 . Use this settings page to set the maximum size threshold, and whether or not you wish to see message SBIE2102 issued when an attempt is made to modify files larger than that maximum size. Related Sandboxie Ini settings: CopyLimitKb , CopyLimitSilent .","title":"File Migration Settings"},{"location":"Content/FileRootPath/","text":"File Root Path FileRootPath is a sandbox setting in Sandboxie Ini . It specifies the root folder for a particular sandbox. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . 
[DefaultBox] FileRootPath=C:\\Sandbox\\MySandbox Related Sandboxie Control setting: Sandbox menu > Set Container Folder Related Sandboxie Plus setting: Options menu > Global Settings > Advanced Config > Sandboxie Config > Sandbox file system root Technical Details The following substitution variables may be useful in this path. Shell Folders variables such as %Personal% which expands to the user's Documents folder The variable %SBIEHOME% which expands to the root of the Sandboxie installation The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security ID (SID) The variable %SESSION% which expands to the Terminal Services session number If FileRootPath is not specified, its default value is constructed using the deprecated BoxRootFolder setting, thus: BoxRootFolder\\Sandbox\\%SANDBOX% If BoxRootFolder is also not specified, then the default setting is: C:\\Sandbox\\%USER%\\%SANDBOX%","title":"File Root Path"},{"location":"Content/FileRootPath/#file-root-path","text":"FileRootPath is a sandbox setting in Sandboxie Ini . It specifies the root folder for a particular sandbox. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] FileRootPath=C:\\Sandbox\\MySandbox Related Sandboxie Control setting: Sandbox menu > Set Container Folder Related Sandboxie Plus setting: Options menu > Global Settings > Advanced Config > Sandboxie Config > Sandbox file system root Technical Details The following substitution variables may be useful in this path. 
Shell Folders variables such as %Personal% which expands to the user's Documents folder The variable %SBIEHOME% which expands to the root of the Sandboxie installation The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security ID (SID) The variable %SESSION% which expands to the Terminal Services session number If FileRootPath is not specified, its default value is constructed using the deprecated BoxRootFolder setting, thus: BoxRootFolder\\Sandbox\\%SANDBOX% If BoxRootFolder is also not specified, then the default setting is: C:\\Sandbox\\%USER%\\%SANDBOX%","title":"File Root Path"},{"location":"Content/FilesAndFoldersView/","text":"Files And Folders View Sandboxie Control > View Menu > Files and Folders The Files and Folders View is a secondary view mode in Sandboxie Control . It displays the files and folders in each of the sandboxes, organized into a tree of folders, and grouped by sandbox name. Within each sandbox, there are two top-level folders: Quick Recover Folders shows the folders configured to Quick Recovery , and any folders or files contained within these folders. All Files and Folders contains the full contents of the sandbox (as described in Sandbox Hierarchy ) in a friendly way. This folder is itself organized into two folders: Drives shows the sandboxed contents that were created for drives in the system. User Files shows the sandboxed contents of user profile folders. A user profile folder contains folders such as My Documents , Desktop and Favorites . The All Files and Folders folder typically also contains RegHive files which represent the sandboxed copy of the Windows registry. Use the small + or - icon, located at the beginning of each sandbox row, to expand or collapse the display of files and folders in the sandbox. Context Menus The Files and Folders View provides context menus for sandboxes and programs. 
To display a context menu for the item (sandbox or file or folder) in some row, do one of the following: Click the right mouse button anywhere on the row. Select (highlight) the row using the mouse or keyboard, then press Shift+F10. Select (highlight) the row using the mouse or keyboard, then use the View Menu -> Context Menu command. For a sandbox row, the context menu displayed is the same as Sandbox Menu -> Sandbox Sub-Menu . See there for a full description. For a file or folder, the context menu offers these commands: The Run Sandboxed command opens the file or folder under the supervision of Sandboxie: Executable program files will be invoked directly. Document files will be opened in a sandboxed instance of the program associated with the document type. Folders will be opened in a sandboxed instance of Windows Explorer. The Recover to Same Folder and Recover to Any Folder commands move the file or folder out of the sandbox. See Quick Recovery for a full description. The Add Folder to Quick Recovery command is available in folders below the top-level All Files and Folders folder, and adds the folder to the list of Quick Recovery folders. The Remove Folder from Quick Recovery command is available in folders below the top-level Quick Recovery Folders folder, and removes the folder from the list of Quick Recovery folders. Go to Sandboxie Control , Programs View , Help Topics .","title":"Files And Folders View"},{"location":"Content/FilesAndFoldersView/#files-and-folders-view","text":"Sandboxie Control > View Menu > Files and Folders The Files and Folders View is a secondary view mode in Sandboxie Control . It displays the files and folders in each of the sandboxes, organized into a tree of folders, and grouped by sandbox name. Within each sandbox, there are two top-level folders: Quick Recover Folders shows the folders configured to Quick Recovery , and any folders or files contained within these folders. 
All Files and Folders contains the full contents of the sandbox (as described in Sandbox Hierarchy ) in a friendly way. This folder is itself organized into two folders: Drives shows the sandboxed contents that were created for drives in the system. User Files shows the sandboxed contents of user profile folders. A user profile folder contains folders such as My Documents , Desktop and Favorites . The All Files and Folders folder typically also contains RegHive files which represent the sandboxed copy of the Windows registry. Use the small + or - icon, located at the beginning of each sandbox row, to expand or collapse the display of files and folders in the sandbox. Context Menus The Files and Folders View provides context menus for sandboxes and programs. To display a context menu for the item (sandbox or file or folder) in some row, do one of the following: Click the right mouse button anywhere on the row. Select (highlight) the row using the mouse or keyboard, then press Shift+F10. Select (highlight) the row using the mouse or keyboard, then use the View Menu -> Context Menu command. For a sandbox row, the context menu displayed is the same as Sandbox Menu -> Sandbox Sub-Menu . See there for a full description. For a file or folder, the context menu offers these commands: The Run Sandboxed command opens the file or folder under the supervision of Sandboxie: Executable program files will be invoked directly. Document files will be opened in a sandboxed instance of the program associated with the document type. Folders will be opened in a sandboxed instance of Windows Explorer. The Recover to Same Folder and Recover to Any Folder commands move the file or folder out of the sandbox. See Quick Recovery for a full description. The Add Folder to Quick Recovery command is available in folders below the top-level All Files and Folders folder, and adds the folder to the list of Quick Recovery folders. 
The Remove Folder from Quick Recovery command is available in folders below the top-level Quick Recovery Folders folder, and removes the folder from the list of Quick Recovery folders. Go to Sandboxie Control , Programs View , Help Topics .","title":"Files And Folders View"},{"location":"Content/FirefoxTips/","text":"Firefox Tips Tips Specific to Firefox Sandboxie Control > Sandbox Settings > Applications > Web Browser > Firefox Always Run In Sandbox Setting: Force Firefox to run in this sandbox This setting tells Sandboxie to automatically supervise any instance of Firefox as it starts, even if it was not started directly through a Sandboxie facility or command. Updating Firefox and its Add-ons In the default configuration, any updates to Firefox or its add-ons will happen only within the sandbox. When the sandbox is deleted, all such updates will be deleted as well. To avoid this problem, you should run Firefox outside the sandbox when you recognize that any updates are available. Let the normal Firefox finish updating, including any necessary restarts of Firefox. Finally, exit Firefox and restart it under Sandboxie. If Firefox is forced to always run under Sandboxie (as discussed above), use the Disable Forced Programs command to disable forced sandboxing for a duration of several minutes. Then follow the procedure in the preceding paragraph. Finally, use the Disable Forced Programs command again to resume forced sandboxing. Bookmarks, History and Favorites Setting: Allow direct access to Firefox bookmarks and history database This setting allows Firefox running under Sandboxie to store bookmarks outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, bookmarks are stored only in the sandbox, and will be deleted when the sandbox is deleted. Please note that, starting with Firefox 3, the same file (called places.sqlite ) stores both bookmarks and the history of visited sites. 
Therefore this setting will cause Firefox to also store the history of visited outside the sandbox. One approach to this is to install the PlainOldFavorites add-on, which lets Firefox create and manage Internet Explorer-style Favorites in addition to Mozilla-style bookmarks. Then consult the discussion on favorites in Internet Explorer Tips . Bottom line: * If you don't mind the extra add-on, install PlainOldFavorites to enhance Firefox with Internet Explorer-style favorites, then read the recommendations for handling favorites in Internet Explorer Tips . * If you are happy with Firefox bookmarks, then select this setting. Cookies Setting: Allow direct access to Firefox cookies This setting allows Firefox running under Sandboxie to store cookies outside the sandbox (in a file called cookies.sqlite ), so they can persist even after the sandbox is deleted. When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. An alternative approach is to this setting is to visit your favorite sites once with a normal Firefox, to get these sites to remember you in their cookies. Then switch to a Firefox under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. Bottom line: If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. If you need web sites that you visit in a sandboxed Firefox to remember you, then select this setting. Phishing Database Setting: Allow direct access to Firefox phishing database This setting allows Firefox running under Sandboxie to update and maintain the database of phishing web sites (a file called urlclassifier*.sqlite ). When this option is not set, then whenever the sandbox is deleted, Firefox might have to spend time to copy the phishing database (potentially a very large file) into the sandbox, and then download updates to the database. 
The setting is enabled by default. Bottom line: Keep the setting selected. Full Profile Access Setting: Allow direct access to entire Firefox profile folder This setting allows Firefox running under Sandboxie to have access to any data file within the entire Firefox profile. This setting includes any other Firefox data file mentioned above, and overrides all other \"direct access\" setting discussed earlier. Bottom line: Do not select this setting. General Tips Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"Firefox Tips"},{"location":"Content/FirefoxTips/#firefox-tips","text":"","title":"Firefox Tips"},{"location":"Content/FirefoxTips/#tips-specific-to-firefox","text":"Sandboxie Control > Sandbox Settings > Applications > Web Browser > Firefox Always Run In Sandbox Setting: Force Firefox to run in this sandbox This setting tells Sandboxie to automatically supervise any instance of Firefox as it starts, even if it was not started directly through a Sandboxie facility or command. Updating Firefox and its Add-ons In the default configuration, any updates to Firefox or its add-ons will happen only within the sandbox. When the sandbox is deleted, all such updates will be deleted as well. 
To avoid this problem, you should run Firefox outside the sandbox when you recognize that any updates are available. Let the normal Firefox finish updating, including any necessary restarts of Firefox. Finally, exit Firefox and restart it under Sandboxie. If Firefox is forced to always run under Sandboxie (as discussed above), use the Disable Forced Programs command to disable forced sandboxing for a duration of several minutes. Then follow the procedure in the preceding paragraph. Finally, use the Disable Forced Programs command again to resume forced sandboxing. Bookmarks, History and Favorites Setting: Allow direct access to Firefox bookmarks and history database This setting allows Firefox running under Sandboxie to store bookmarks outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, bookmarks are stored only in the sandbox, and will be deleted when the sandbox is deleted. Please note that, starting with Firefox 3, the same file (called places.sqlite ) stores both bookmarks and the history of visited sites. Therefore this setting will cause Firefox to also store the history of visited outside the sandbox. One approach to this is to install the PlainOldFavorites add-on, which lets Firefox create and manage Internet Explorer-style Favorites in addition to Mozilla-style bookmarks. Then consult the discussion on favorites in Internet Explorer Tips . Bottom line: * If you don't mind the extra add-on, install PlainOldFavorites to enhance Firefox with Internet Explorer-style favorites, then read the recommendations for handling favorites in Internet Explorer Tips . * If you are happy with Firefox bookmarks, then select this setting. Cookies Setting: Allow direct access to Firefox cookies This setting allows Firefox running under Sandboxie to store cookies outside the sandbox (in a file called cookies.sqlite ), so they can persist even after the sandbox is deleted. 
When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. An alternative approach is to this setting is to visit your favorite sites once with a normal Firefox, to get these sites to remember you in their cookies. Then switch to a Firefox under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. Bottom line: If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. If you need web sites that you visit in a sandboxed Firefox to remember you, then select this setting. Phishing Database Setting: Allow direct access to Firefox phishing database This setting allows Firefox running under Sandboxie to update and maintain the database of phishing web sites (a file called urlclassifier*.sqlite ). When this option is not set, then whenever the sandbox is deleted, Firefox might have to spend time to copy the phishing database (potentially a very large file) into the sandbox, and then download updates to the database. The setting is enabled by default. Bottom line: Keep the setting selected. Full Profile Access Setting: Allow direct access to entire Firefox profile folder This setting allows Firefox running under Sandboxie to have access to any data file within the entire Firefox profile. This setting includes any other Firefox data file mentioned above, and overrides all other \"direct access\" setting discussed earlier. Bottom line: Do not select this setting.","title":"Tips Specific to Firefox"},{"location":"Content/FirefoxTips/#general-tips","text":"Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. 
Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"General Tips"},{"location":"Content/ForceDisableAdminOnly/","text":"Force Disable Admin Only ForceDisableAdminOnly is a global setting in Sandboxie Ini . If specified, the Disable Forced Programs mode will only be available to user accounts that are members of the Administrators group. Usage: . . . [GlobalSettings] ForceDisableAdminOnly=y This setting is designed for use by network administrators.","title":"Force Disable Admin Only"},{"location":"Content/ForceDisableAdminOnly/#force-disable-admin-only","text":"ForceDisableAdminOnly is a global setting in Sandboxie Ini . If specified, the Disable Forced Programs mode will only be available to user accounts that are members of the Administrators group. Usage: . . . [GlobalSettings] ForceDisableAdminOnly=y This setting is designed for use by network administrators.","title":"Force Disable Admin Only"},{"location":"Content/ForceDisableSeconds/","text":"Force Disable Seconds ForceDisableSeconds is a global setting in Sandboxie Ini . It specifies the time, in seconds, that the Disable Forced Programs mode will stay in effect. Usage: . . . [GlobalSettings] ForceDisableSeconds=25 ForceDisableSeconds=0 The default value for this setting is 10 seconds. Setting the value to zero effectively disables the Disable Forced Programs feature itself. See also: ForceDisableAdminOnly . 
The Disable Forced Programs mode is engaged through Sandboxie Control , which can also configure the number of seconds. Use the FileMenu > Disable Forced Programs command, or the same command from the Tray Icon Menu . When active, the Disable Forced Programs mode causes Sandboxie to issue message SBIE1301 whenever a forced program is started.","title":"Force Disable Seconds"},{"location":"Content/ForceDisableSeconds/#force-disable-seconds","text":"ForceDisableSeconds is a global setting in Sandboxie Ini . It specifies the time, in seconds, that the Disable Forced Programs mode will stay in effect. Usage: . . . [GlobalSettings] ForceDisableSeconds=25 ForceDisableSeconds=0 The default value for this setting is 10 seconds. Setting the value to zero effectively disables the Disable Forced Programs feature itself. See also: ForceDisableAdminOnly . The Disable Forced Programs mode is engaged through Sandboxie Control , which can also configure the number of seconds. Use the FileMenu > Disable Forced Programs command, or the same command from the Tray Icon Menu . When active, the Disable Forced Programs mode causes Sandboxie to issue message SBIE1301 whenever a forced program is started.","title":"Force Disable Seconds"},{"location":"Content/ForceFolder/","text":"Force Folder ForceFolder is a sandbox setting in Sandboxie.ini which allows to force folder contents to run inside a specific sandbox. If any files or programs in these folders* (or in a sub-folder of one of these folders) are started outside any sandbox, they will be automatically sandboxed into a particular sandbox. For example: . . . [DefaultBox] ForceFolder=C:\\Download ForceFolder=E:\\ The first example specifies that files/programs started from the C:\\Download folder (or any folders below contained in those folders) will be forced to run sandboxed in the sandbox DefaultBox . The second example specifies that any files/programs started from drive E will be forced to run sandboxed in the sandbox DefaultBox . 
For CDROM and DVD drives, this includes forcing the AutoRun programs that are automatically started by Windows. Please keep in mind that shortcuts located inside a ForceFolder, that are pointing to a path that is not a ForceFolder, will not start a Sandboxed application. For example: if you place a shortcut inside C:\\ForcedFolder and it points to C:\\SomeOtherPathThatIsNotForced, then the shortcut will trigger a non-sandboxed application. Another consideration is that Modern / Store Apps are not supported. If your default application for opening a specific file type is a Windows Modern app (such as the Photos app in Windows 10), the application will not launch at all. For more information, please see the Known Conflicts page. See also: ForceProcess . If both a ForceFolder and a ForceProcess are applicable to a program that is starting, the ForceFolder setting takes precedence. Related Sandboxie Control setting: Sandbox Settings > Program Start > Forced Folders","title":"Force Folder"},{"location":"Content/ForceFolder/#force-folder","text":"ForceFolder is a sandbox setting in Sandboxie.ini which allows to force folder contents to run inside a specific sandbox. If any files or programs in these folders* (or in a sub-folder of one of these folders) are started outside any sandbox, they will be automatically sandboxed into a particular sandbox. For example: . . . [DefaultBox] ForceFolder=C:\\Download ForceFolder=E:\\ The first example specifies that files/programs started from the C:\\Download folder (or any folders below contained in those folders) will be forced to run sandboxed in the sandbox DefaultBox . The second example specifies that any files/programs started from drive E will be forced to run sandboxed in the sandbox DefaultBox . For CDROM and DVD drives, this includes forcing the AutoRun programs that are automatically started by Windows. 
Please keep in mind that shortcuts located inside a ForceFolder, that are pointing to a path that is not a ForceFolder, will not start a Sandboxed application. For example: if you place a shortcut inside C:\\ForcedFolder and it points to C:\\SomeOtherPathThatIsNotForced, then the shortcut will trigger a non-sandboxed application. Another consideration is that Modern / Store Apps are not supported. If your default application for opening a specific file type is a Windows Modern app (such as the Photos app in Windows 10), the application will not launch at all. For more information, please see the Known Conflicts page. See also: ForceProcess . If both a ForceFolder and a ForceProcess are applicable to a program that is starting, the ForceFolder setting takes precedence. Related Sandboxie Control setting: Sandbox Settings > Program Start > Forced Folders","title":"Force Folder"},{"location":"Content/ForceProcess/","text":"Force Process ForceProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs. If any of these programs are started outside any sandbox, they will be automatically sandboxed in a particular sandbox. For example: . . . [DefaultBox] ForceProcess=iexplore.exe ForceProcess=firefox.exe ForceProcess=App*.exe ForceProcess=App?.exe [MailBox] ForceProcess=outlook.exe ForceProcess=cl?cke?.exe * defines any character. ? defines one character. The example specifies that Internet Explorer (iexplore.exe), Firefox (firefox.exe), App* (Appga, App03 and etc.). and App? (App1, Appg, Appa and etc.). will be forced to run sandboxed in the sandbox DefaultBox . Outlook.exe and cl?cke? (clicker, clicked and etc.). will be forced to run sandboxed in the sandbox MailBox . Note that the ForceProcess settings only apply to programs that start unsandboxed. If a program is specifically started in a sandbox, or started by a program that is already sandboxed, then ForceProcess settings are not applied. See also: ForceFolder . 
If both a ForceFolder and a ForceProcess are applicable to a program that is starting, the ForceFolder setting takes precedence. Related Sandboxie Control setting: Sandbox Settings > Program Start > Forced Programs See also: Program Settings .","title":"Force Process"},{"location":"Content/ForceProcess/#force-process","text":"ForceProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs. If any of these programs are started outside any sandbox, they will be automatically sandboxed in a particular sandbox. For example: . . . [DefaultBox] ForceProcess=iexplore.exe ForceProcess=firefox.exe ForceProcess=App*.exe ForceProcess=App?.exe [MailBox] ForceProcess=outlook.exe ForceProcess=cl?cke?.exe * defines any character. ? defines one character. The example specifies that Internet Explorer (iexplore.exe), Firefox (firefox.exe), App* (Appga, App03 and etc.). and App? (App1, Appg, Appa and etc.). will be forced to run sandboxed in the sandbox DefaultBox . Outlook.exe and cl?cke? (clicker, clicked and etc.). will be forced to run sandboxed in the sandbox MailBox . Note that the ForceProcess settings only apply to programs that start unsandboxed. If a program is specifically started in a sandbox, or started by a program that is already sandboxed, then ForceProcess settings are not applied. See also: ForceFolder . If both a ForceFolder and a ForceProcess are applicable to a program that is starting, the ForceFolder setting takes precedence. Related Sandboxie Control setting: Sandbox Settings > Program Start > Forced Programs See also: Program Settings .","title":"Force Process"},{"location":"Content/ForgetPassword/","text":"Forget Password ForgetPassword is a global setting in Sandboxie Ini . If set in Sandboxie Control or Sandman , the configuration password is cleared when the main window is hidden - and will need to be re-entered in order to modify configuration settings. Usage: . . . 
[GlobalSettings] ForgetPassword=y See also: Configuration Protection . Related Sandboxie Plus setting: Options menu > Global Settings > Advanced Config > Sandboxie.ini Presets > Clear password when main window becomes hidden","title":"Forget Password"},{"location":"Content/ForgetPassword/#forget-password","text":"ForgetPassword is a global setting in Sandboxie Ini . If set in Sandboxie Control or Sandman , the configuration password is cleared when the main window is hidden - and will need to be re-entered in order to modify configuration settings. Usage: . . . [GlobalSettings] ForgetPassword=y See also: Configuration Protection . Related Sandboxie Plus setting: Options menu > Global Settings > Advanced Config > Sandboxie.ini Presets > Clear password when main window becomes hidden","title":"Forget Password"},{"location":"Content/FrequentlyAskedQuestions/","text":"Frequently Asked Questions Overview What is Sandboxie and how is it different than other solutions? How safe would I be, by using Sandboxie? Do I need other solutions if I use Sandboxie? What kinds of programs can I run using Sandboxie? What are the technical requirements to run Sandboxie? Technical How does Sandboxie protect me, technically? Will Sandboxie protect me from malicious key-loggers? Some competing products require a reboot to initiate sandboxing, why? Why am I getting some Messages from Sandbox Driver? Why are so many files copied into the sandbox? What are SandboxieRpcSs and SandboxieDcomLaunch? How can I use Sandboxie to protect myself from viruses in email? How to configure Sandboxie for only an occasional use? Problems How do I make Quick Recovery show my saved favorites and downloads? I saved a downloaded file, a document or an email inside the sandbox, how do I get it out? Why does the wrong program start when I run my default Web browser sandboxed? Why does Sysinternals Process Monitor not work inside the sandbox? 
If you have a program that doesn't work properly sandboxed, please look it up on the Known Conflicts page before posting a problem report . Back to HelpTopics What is Sandboxie and how is it different than other solutions? Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper. Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely. On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. Thanks to esalkin for the paper metaphor. Thanks to warwagon for the graphics. Back to Table of Contents How safe would I be, by using Sandboxie? You would be quite safe using Sandboxie. It should be noted that, from time to time, people are able to find some vulnerability in Sandboxie, an open hole through which malicious software can still infiltrate the system. This is very rare and is quickly resolved by closing the hole that is the attack vector. Thus it's a good idea to have more traditional anti-malware software. This is is the subject of the following question. Back to Table of Contents Do I need other solutions if I use Sandboxie? Sandboxie may be your first line of defense, but it should certainly be complemented by the more traditional anti-virus and anti-malware solutions. These solutions can let you know if your system does become infected in any way. 
Typically, those other solutions employ various forms of pattern matching to discover malicious software and other threats. Sandboxie, on the other hand, quite simply does not trust any software code enough to let it out of the sandbox. The combination of the two approaches should keep malicious software -- which is serving the interest of other unknown parties -- out of your computer. Back to Table of Contents What kinds of programs can I run using Sandboxie? You should be able to run most applications sandboxed. Major Web browsers Mail and news readers instant messengers and chat clients peer-to-peer networking Office Suites (MS Office, LibreOffice, OpenOffice) Most games in particular, online games which download extension software code In all cases on this list, your client-side program is exposed to remote software code, which could use the program as a channel to infiltrate your system. By running the program sandboxed, you greatly increase the control you have over that channel. And in addition, you can even install some applications into the sandbox. Back to Table of Contents What are the requirements to run Sandboxie? Sandboxie works on Windows XP SP3 (Up until Sandboxie 5.22 and solely in v5.40 ) Windows Vista SP2 (Up until Sandboxie 5.22) Windows 7 32/64 Windows 8.1 32/64 Windows 10 32/64 ( Modern Apps not supported ) Windows 11 64 ( Modern Apps not supported ) See the download page . Supported Web Browsers (32 & 64 bit supported) Internet Explorer 8, 9, 10 & 11 Microsoft Edge (Chromium) Google Chrome Firefox Opera PaleMoon SeaMonkey Vivaldi Waterfox Brave Browser And many others! Sandboxie does not work on... Windows XP x64 bit Windows 95, 98 or ME Mac or Linux operating systems. Sandboxie should not be installed on Microsoft Server Operating Systems as it's not directly supported. However, we have many users that have deployed it successfully. You can run Sandboxie in a VM Environment (VMWare, VirtualBox, Apple BootCamp, etc.) 
There are no particular hardware requirements to run Sandboxie. However, we do no test on touchscreen devices (many users have successfully installed Sandboxie on Surface pro and similar devices). Sandboxie needs only a small amount of memory and should have a very small impact on performance. Back to Table of Contents How does Sandboxie protect me, technically? Sandboxie extends the operating system (OS) with sandboxing capabilities by blending into it. Applications can never access hardware such as disk storage directly, they have to ask the OS to do it for them. Since Sandboxie integrates into the OS, it can do what it does without risk of being circumvented. The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication: Named Pipes and Mailbox Objects, Events, Mutexes (Mutants in NT speak), Semaphores, Sections and LPC Ports. For some more information on this, see Sandbox Hierarchy . Sandboxie also takes measures to prevent programs executing inside the sandbox from hijacking non-sandboxed programs and using them as a vehicle to operate outside the sandbox. For the same reason, Sandboxie doesn't allow a sandboxed process from reading the memory of unsandboxed processes and it provides a feature to hide selected host processes from sandboxed processes. For more information about this, see #59 and 0.3 / 5.42 notes . Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program. 
It should be noted, however, that Sandboxie does not typically prevent the exfiltration of user data by processes running under its supervision without advanced configuration, as the default file and registry access scheme is Allow Read to anything except when the user specified a particular path to be closed. However, by careful configuration of the ClosedFilePath and ClosedKeyPath settings, you can achieve this goal as well. If you want to follow the future development on this, see New privacy enhanced File/Registry access scheme, White list/Template Mode, plans and discussion . Back to Table of Contents Will Sandboxie protect me from malicious key-loggers? Yes, to some extent. First of all, your system (outside the sandbox) must not have been already compromised by an installed key-logger. Sandboxie can not protect against key-loggers that are already running outside the sandbox. You may want to consider always browsing sandboxed, so you don't accidentally get any key-loggers into your system. It is very difficult to reliably detect a key-logger. For a lengthy explanation, see Detecting Key Loggers . So the most important tool Sandboxie offers you for protection against key-loggers, is to delete the sandbox. When you stop all sandboxed activity (in all sandboxes), then proceed to delete the sandbox you're about to use, you can be fairly certain that all key-loggers are dead. Back to Table of Contents Some competing products require a reboot to initiate sandboxing, why? Changes to the computing environment must eventually make their way to disk storage, if they are to be permanent. This obviously applies to files. But it also applies to things like settings and preferences saved in the system registry. Some competing products require a reboot before each use, because they sandbox disk storage as a whole. They provide the operating system and everything in it with a single virtual disk, which is used to trap those permanent changes. 
The operating system is not designed to use one disk for some tasks, and another disk for other tasks. Therefore a reboot is required to switch to and from the virtual disk. Sandboxie does not require a reboot because it sandboxes access to files, rather than to the disk as a whole. It also sandboxes access to registry keys. It also sandboxes access to many other classes of system components, in order to trick the sandboxed program into believing that it isn't being tricked. This low-level sandboxing in some competing products makes it possible to install a wider range of applications and system tools -- including system drivers -- into the sandbox. Sandboxie can install most applications into the sandbox, but not system software nor drivers. It becomes apparent that, like most other things, each tool has its advantages and disadvantages, and one must choose the best tool for the task at hand. Back to Table of Contents Why am I getting some Messages from Sandbox Driver? Not all messages are errors, some simply inform you of an event that has occurred. For more information, see SBIE Messages and Log Messages To A File . Back to Table of Contents Why are so many files copied into the sandbox? When a program accesses a file, it declares what operations it plans to do on the file: if it plans to read from the file, to write the file, to change its attributes, and so on. Whenever a program declares any kind of write access to a file, Sandboxie copies it into the sandbox. In some cases, programs declare they intend to write to the file when in fact they do not, but nevertheless Sandboxie must copy the file into the sandbox. Back to Table of Contents What are SandboxieRpcSs and SandboxieDcomLaunch? See Service Programs . Back to Table of Contents How can I use Sandboxie to protect myself from viruses in email? See full article: Email Protection . Back to Table of Contents How to configure Sandboxie for only an occasional use? 
By default Sandboxie is configured to load and start automatically. To have Sandboxie load only when you need it, make the following changes. In Sandboxie Control , open the Configure -> Shell Integration window, and clear the checkbox When Windows starts to stop Sandboxie Control from starting. In Sandboxie Plus, see the Sandboxie-Plus Migration Guide . Open the Windows Services configuration window: Start menu -> Control Panel -> Administrative Tools -> Services . Then locate the Sandboxie Service. Double click to bring up its properties window. Set its Startup type to Manual rather than automatic. The driver component of Sandboxie is started by the Sandboxie Service. Therefore, setting the service to start manually, indirectly also sets the driver to start manually. Starting Sandboxie Control will also start the service. (But note that Administrative rights are required to start a service.) Back to Table of Contents How do I make Quick Recovery show my saved favorites and downloads? You may not see all your folders in Quick Recovery, as only a few are configured by default in the initial installation. See also Quick Recovery . Back to Table of Contents I saved a downloaded file, a document or an email inside the sandbox, how do I get it out? If you read What is Sandboxie then you know Sandboxie is like a transparency layer placed over the paper. (The paper is your computer.) When you save files (downloads, documents, emails, or anything else) through a sandboxed program, these files go into the transparency layer that is the sandbox. You can use Quick Recovery to get these files out. Unless configured otherwise, Quick Recovery looks in your Documents , Favorites , Desktop and Downloads folders. If you save the files to either of these folders, then you can use Quick Recovery to easily get them out. Another approach is configuring one or more folders as an OpenFilePath . 
Saving files into such folders bypasses the sandbox mechanism, and goes directly to the real folders. Setting this is more complicated, but may also prove useful, in some cases. Back to Table of Contents Why does the wrong program start when I run my default Web browser sandboxed? This happens for some people. In Windows 7, open Control Panel in Icon view and select Default Programs > Set your default programs. You can then select the browser you want as default. In Windows 8/8.1, point to (but do not click) the lower-right or top-right corner of the screen, and then click the Settings icon. In the lower-right corner, click Change PC Settings > Search and apps > Defaults. You can then select the browser you want as default. If using Windows 10/11, ensure that your default Web Browser for Windows is set correctly (click on the Start menu, type \"default apps\" and Choose your default apps). Back to Table of Contents Why does Sysinternals Process Monitor not work inside the sandbox? While Process Monitor can't run sandboxed, it can monitor the activity inside the sandbox. Back to Table of Contents","title":"Frequently Asked Questions"},{"location":"Content/FrequentlyAskedQuestions/#frequently-asked-questions","text":"","title":"Frequently Asked Questions"},{"location":"Content/FrequentlyAskedQuestions/#overview","text":"What is Sandboxie and how is it different than other solutions? How safe would I be, by using Sandboxie? Do I need other solutions if I use Sandboxie? What kinds of programs can I run using Sandboxie? What are the technical requirements to run Sandboxie?","title":"Overview"},{"location":"Content/FrequentlyAskedQuestions/#technical","text":"How does Sandboxie protect me, technically? Will Sandboxie protect me from malicious key-loggers? Some competing products require a reboot to initiate sandboxing, why? Why am I getting some Messages from Sandbox Driver? Why are so many files copied into the sandbox? What are SandboxieRpcSs and SandboxieDcomLaunch? 
How can I use Sandboxie to protect myself from viruses in email? How to configure Sandboxie for only an occasional use?","title":"Technical"},{"location":"Content/FrequentlyAskedQuestions/#problems","text":"How do I make Quick Recovery show my saved favorites and downloads? I saved a downloaded file, a document or an email inside the sandbox, how do I get it out? Why does the wrong program start when I run my default Web browser sandboxed? Why does Sysinternals Process Monitor not work inside the sandbox? If you have a program that doesn't work properly sandboxed, please look it up on the Known Conflicts page before posting a problem report . Back to HelpTopics","title":"Problems"},{"location":"Content/FrequentlyAskedQuestions/#what-is-sandboxie-and-how-is-it-different-than-other-solutions","text":"Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper. Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely. On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. Thanks to esalkin for the paper metaphor. Thanks to warwagon for the graphics. Back to Table of Contents","title":"What is Sandboxie and how is it different than other solutions?"},{"location":"Content/FrequentlyAskedQuestions/#how-safe-would-i-be-by-using-sandboxie","text":"You would be quite safe using Sandboxie. 
It should be noted that, from time to time, people are able to find some vulnerability in Sandboxie, an open hole through which malicious software can still infiltrate the system. This is very rare and is quickly resolved by closing the hole that is the attack vector. Thus it's a good idea to have more traditional anti-malware software. This is is the subject of the following question. Back to Table of Contents","title":"How safe would I be, by using Sandboxie?"},{"location":"Content/FrequentlyAskedQuestions/#do-i-need-other-solutions-if-i-use-sandboxie","text":"Sandboxie may be your first line of defense, but it should certainly be complemented by the more traditional anti-virus and anti-malware solutions. These solutions can let you know if your system does become infected in any way. Typically, those other solutions employ various forms of pattern matching to discover malicious software and other threats. Sandboxie, on the other hand, quite simply does not trust any software code enough to let it out of the sandbox. The combination of the two approaches should keep malicious software -- which is serving the interest of other unknown parties -- out of your computer. Back to Table of Contents","title":"Do I need other solutions if I use Sandboxie?"},{"location":"Content/FrequentlyAskedQuestions/#what-kinds-of-programs-can-i-run-using-sandboxie","text":"You should be able to run most applications sandboxed. Major Web browsers Mail and news readers instant messengers and chat clients peer-to-peer networking Office Suites (MS Office, LibreOffice, OpenOffice) Most games in particular, online games which download extension software code In all cases on this list, your client-side program is exposed to remote software code, which could use the program as a channel to infiltrate your system. By running the program sandboxed, you greatly increase the control you have over that channel. And in addition, you can even install some applications into the sandbox. 
Back to Table of Contents","title":"What kinds of programs can I run using Sandboxie?"},{"location":"Content/FrequentlyAskedQuestions/#what-are-the-requirements-to-run-sandboxie","text":"Sandboxie works on Windows XP SP3 (Up until Sandboxie 5.22 and solely in v5.40 ) Windows Vista SP2 (Up until Sandboxie 5.22) Windows 7 32/64 Windows 8.1 32/64 Windows 10 32/64 ( Modern Apps not supported ) Windows 11 64 ( Modern Apps not supported ) See the download page . Supported Web Browsers (32 & 64 bit supported) Internet Explorer 8, 9, 10 & 11 Microsoft Edge (Chromium) Google Chrome Firefox Opera PaleMoon SeaMonkey Vivaldi Waterfox Brave Browser And many others! Sandboxie does not work on... Windows XP x64 bit Windows 95, 98 or ME Mac or Linux operating systems. Sandboxie should not be installed on Microsoft Server Operating Systems as it's not directly supported. However, we have many users that have deployed it successfully. You can run Sandboxie in a VM Environment (VMWare, VirtualBox, Apple BootCamp, etc.) There are no particular hardware requirements to run Sandboxie. However, we do no test on touchscreen devices (many users have successfully installed Sandboxie on Surface pro and similar devices). Sandboxie needs only a small amount of memory and should have a very small impact on performance. Back to Table of Contents","title":"What are the requirements to run Sandboxie?"},{"location":"Content/FrequentlyAskedQuestions/#how-does-sandboxie-protect-me-technically","text":"Sandboxie extends the operating system (OS) with sandboxing capabilities by blending into it. Applications can never access hardware such as disk storage directly, they have to ask the OS to do it for them. Since Sandboxie integrates into the OS, it can do what it does without risk of being circumvented. 
The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication: Named Pipes and Mailbox Objects, Events, Mutexes (Mutants in NT speak), Semaphores, Sections and LPC Ports. For some more information on this, see Sandbox Hierarchy . Sandboxie also takes measures to prevent programs executing inside the sandbox from hijacking non-sandboxed programs and using them as a vehicle to operate outside the sandbox. For the same reason, Sandboxie doesn't allow a sandboxed process from reading the memory of unsandboxed processes and it provides a feature to hide selected host processes from sandboxed processes. For more information about this, see #59 and 0.3 / 5.42 notes . Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program. It should be noted, however, that Sandboxie does not typically prevent the exfiltration of user data by processes running under its supervision without advanced configuration, as the default file and registry access scheme is Allow Read to anything except when the user specified a particular path to be closed. However, by careful configuration of the ClosedFilePath and ClosedKeyPath settings, you can achieve this goal as well. If you want to follow the future development on this, see New privacy enhanced File/Registry access scheme, White list/Template Mode, plans and discussion . Back to Table of Contents","title":"How does Sandboxie protect me, technically?"},{"location":"Content/FrequentlyAskedQuestions/#will-sandboxie-protect-me-from-malicious-key-loggers","text":"Yes, to some extent. 
First of all, your system (outside the sandbox) must not have been already compromised by an installed key-logger. Sandboxie can not protect against key-loggers that are already running outside the sandbox. You may want to consider always browsing sandboxed, so you don't accidentally get any key-loggers into your system. It is very difficult to reliably detect a key-logger. For a lengthy explanation, see Detecting Key Loggers . So the most important tool Sandboxie offers you for protection against key-loggers, is to delete the sandbox. When you stop all sandboxed activity (in all sandboxes), then proceed to delete the sandbox you're about to use, you can be fairly certain that all key-loggers are dead. Back to Table of Contents","title":"Will Sandboxie protect me from malicious key-loggers?"},{"location":"Content/FrequentlyAskedQuestions/#some-competing-products-require-a-reboot-to-initiate-sandboxing-why","text":"Changes to the computing environment must eventually make their way to disk storage, if they are to be permanent. This obviously applies to files. But it also applies to things like settings and preferences saved in the system registry. Some competing products require a reboot before each use, because they sandbox disk storage as a whole. They provide the operating system and everything in it with a single virtual disk, which is used to trap those permanent changes. The operating system is not designed to use one disk for some tasks, and another disk for other tasks. Therefore a reboot is required to switch to and from the virtual disk. Sandboxie does not require a reboot because it sandboxes access to files, rather than to the disk as a whole. It also sandboxes access to registry keys. It also sandboxes access to many other classes of system components, in order to trick the sandboxed program into believing that it isn't being tricked. 
This low-level sandboxing in some competing products makes it possible to install a wider range of applications and system tools -- including system drivers -- into the sandbox. Sandboxie can install most applications into the sandbox, but not system software nor drivers. It becomes apparent that, like most other things, each tool has its advantages and disadvantages, and one must choose the best tool for the task at hand. Back to Table of Contents","title":"Some competing products require a reboot to initiate sandboxing, why?"},{"location":"Content/FrequentlyAskedQuestions/#why-am-i-getting-some-messages-from-sandbox-driver","text":"Not all messages are errors, some simply inform you of an event that has occurred. For more information, see SBIE Messages and Log Messages To A File . Back to Table of Contents","title":"Why am I getting some Messages from Sandbox Driver?"},{"location":"Content/FrequentlyAskedQuestions/#why-are-so-many-files-copied-into-the-sandbox","text":"When a program accesses a file, it declares what operations it plans to do on the file: if it plans to read from the file, to write the file, to change its attributes, and so on. Whenever a program declares any kind of write access to a file, Sandboxie copies it into the sandbox. In some cases, programs declare they intend to write to the file when in fact they do not, but nevertheless Sandboxie must copy the file into the sandbox. Back to Table of Contents","title":"Why are so many files copied into the sandbox?"},{"location":"Content/FrequentlyAskedQuestions/#what-are-sandboxierpcss-and-sandboxiedcomlaunch","text":"See Service Programs . Back to Table of Contents","title":"What are SandboxieRpcSs and SandboxieDcomLaunch?"},{"location":"Content/FrequentlyAskedQuestions/#how-can-i-use-sandboxie-to-protect-myself-from-viruses-in-email","text":"See full article: Email Protection . 
Back to Table of Contents","title":"How can I use Sandboxie to protect myself from viruses in email?"},{"location":"Content/FrequentlyAskedQuestions/#how-to-configure-sandboxie-for-only-an-occasional-use","text":"By default Sandboxie is configured to load and start automatically. To have Sandboxie load only when you need it, make the following changes. In Sandboxie Control , open the Configure -> Shell Integration window, and clear the checkbox When Windows starts to stop Sandboxie Control from starting. In Sandboxie Plus, see the Sandboxie-Plus Migration Guide . Open the Windows Services configuration window: Start menu -> Control Panel -> Administrative Tools -> Services . Then locate the Sandboxie Service. Double click to bring up its properties window. Set its Startup type to Manual rather than automatic. The driver component of Sandboxie is started by the Sandboxie Service. Therefore, setting the service to start manually, indirectly also sets the driver to start manually. Starting Sandboxie Control will also start the service. (But note that Administrative rights are required to start a service.) Back to Table of Contents","title":"How to configure Sandboxie for only an occasional use?"},{"location":"Content/FrequentlyAskedQuestions/#how-do-i-make-quick-recovery-show-my-saved-favorites-and-downloads","text":"You may not see all your folders in Quick Recovery, as only a few are configured by default in the initial installation. See also Quick Recovery . Back to Table of Contents","title":"How do I make Quick Recovery show my saved favorites and downloads?"},{"location":"Content/FrequentlyAskedQuestions/#i-saved-a-downloaded-file-a-document-or-an-email-inside-the-sandbox-how-do-i-get-it-out","text":"If you read What is Sandboxie then you know Sandboxie is like a transparency layer placed over the paper. (The paper is your computer.) 
When you save files (downloads, documents, emails, or anything else) through a sandboxed program, these files go into the transparency layer that is the sandbox. You can use Quick Recovery to get these files out. Unless configured otherwise, Quick Recovery looks in your Documents , Favorites , Desktop and Downloads folders. If you save the files to either of these folders, then you can use Quick Recovery to easily get them out. Another approach is configuring one or more folders as an OpenFilePath . Saving files into such folders bypasses the sandbox mechanism, and goes directly to the real folders. Setting this is more complicated, but may also prove useful, in some cases. Back to Table of Contents","title":"I saved a downloaded file, a document or an email inside the sandbox, how do I get it out?"},{"location":"Content/FrequentlyAskedQuestions/#why-does-the-wrong-program-start-when-i-run-my-default-web-browser-sandboxed","text":"This happens for some people. In Windows 7, open Control Panel in Icon view and select Default Programs > Set your default programs. You can then select the browser you want as default. In Windows 8/8.1, point to (but do not click) the lower-right or top-right corner of the screen, and then click the Settings icon. In the lower-right corner, click Change PC Settings > Search and apps > Defaults. You can then select the browser you want as default. If using Windows 10/11, ensure that your default Web Browser for Windows is set correctly (click on the Start menu, type \"default apps\" and Choose your default apps). Back to Table of Contents","title":"Why does the wrong program start when I run my default Web browser sandboxed?"},{"location":"Content/FrequentlyAskedQuestions/#why-does-sysinternals-process-monitor-not-work-inside-the-sandbox","text":"While Process Monitor can't run sandboxed, it can monitor the activity inside the sandbox. 
Back to Table of Contents","title":"Why does Sysinternals Process Monitor not work inside the sandbox?"},{"location":"Content/FrontPageAnimation/","text":"","title":"FrontPageAnimation"},{"location":"Content/GeneralTips/","text":"General Tips Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"General Tips"},{"location":"Content/GeneralTips/#general-tips","text":"Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. 
Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"General Tips"},{"location":"Content/GettingStarted/","text":"Getting Started Part One: Introduction Sandboxie runs your applications in an isolated abstraction area called a sandbox. Under the supervision of Sandboxie, an application operates normally and at full speed, but can't effect permanent changes to your computer. Instead, the changes are effected only in the sandbox. This Getting Started tutorial will show you: How to to use Sandboxie to run your applications How the changes are trapped in the sandbox How to recover important files and documents out of the sandbox How to delete the sandbox Or skip ahead to Getting Started Part Six which discusses a few final points. You can also review the External Tutorials page for more links to tutorials about Sandboxie, some in languages other than English, others are in video form rather than text. Sandboxie Control interface Sandboxie Classic is operated through the Sandboxie Control program. This program adds the yellow Sandboxie icon to the system notification (\"tray\") area of your taskbar: If Sandboxie Control is not already active, you can find it and launch it from the Sandboxie program group in your Windows Start menu: When active, you can use the Sandboxie tray icon to hide and show the main window of Sandboxie Control , by double-clicking the icon. Or, you can right-click the icon and select the first command, which alternates between Hide Window and Show Window . For this tutorial, make sure the main window of Sandboxie Control is visible. You should view this tutorial in a sandboxed Web browser. 
To do that, use the Getting Started Tutorial (Web) command in the Help Menu of Sandboxie Control , and make sure you tell Sandboxie Control to run your browser sandboxed : The tutorial continues in Getting Started Part Two .","title":"Getting Started"},{"location":"Content/GettingStarted/#getting-started","text":"","title":"Getting Started"},{"location":"Content/GettingStarted/#part-one-introduction","text":"Sandboxie runs your applications in an isolated abstraction area called a sandbox. Under the supervision of Sandboxie, an application operates normally and at full speed, but can't effect permanent changes to your computer. Instead, the changes are effected only in the sandbox. This Getting Started tutorial will show you: How to to use Sandboxie to run your applications How the changes are trapped in the sandbox How to recover important files and documents out of the sandbox How to delete the sandbox Or skip ahead to Getting Started Part Six which discusses a few final points. You can also review the External Tutorials page for more links to tutorials about Sandboxie, some in languages other than English, others are in video form rather than text.","title":"Part One: Introduction"},{"location":"Content/GettingStarted/#sandboxie-control-interface","text":"Sandboxie Classic is operated through the Sandboxie Control program. This program adds the yellow Sandboxie icon to the system notification (\"tray\") area of your taskbar: If Sandboxie Control is not already active, you can find it and launch it from the Sandboxie program group in your Windows Start menu: When active, you can use the Sandboxie tray icon to hide and show the main window of Sandboxie Control , by double-clicking the icon. Or, you can right-click the icon and select the first command, which alternates between Hide Window and Show Window . For this tutorial, make sure the main window of Sandboxie Control is visible. You should view this tutorial in a sandboxed Web browser. 
To do that, use the Getting Started Tutorial (Web) command in the Help Menu of Sandboxie Control , and make sure you tell Sandboxie Control to run your browser sandboxed : The tutorial continues in Getting Started Part Two .","title":"Sandboxie Control interface"},{"location":"Content/GettingStartedPartFive/","text":"Getting Started Part Five Part Five: Delete Sandbox When you are finished using the application under Sandboxie, and you have recovered the downloaded files, documents and other desired work items, it is a good idea to delete the contents of the sandbox. Click the Delete Contents command in the Tray Icon Menu : You can also invoke the Delete Contents command from the Sandbox Menu in the main window of Sandboxie Control. The Delete Sandbox window appears, giving you one last chance to recover any files still remaining in the sandbox: The upper part of the window in the picture above was introduced in the last part as the Quick Recovery command. The lower part counts the accumulated size of the contents of the sandbox. Finally, when you are sure you have recovered everything you need, click Delete Sandbox to delete the sandbox. Note that regardless of the size of the sandbox, the delete process always takes only a few seconds. This should be considered normal and expected. During this time, the Sandboxie tray icon changes to a red X icon to indicate that sandbox delete is in progress. In the default configuration, the sandbox is not deleted automatically, so you will have to manually invoke the Delete Contents command whenever you want to delete the contents of the sandbox. This behavior can be changed by altering a setting. In the main window of Sandboxie Control , use the Sandbox Menu to open the Sandbox Settings window: The Sandbox Settings window appears. 
Click on Delete to expand the delete settings group, then on Invocation to show the Delete > Invocation settings page: Place a checkmark in the box Automatically delete contents of sandbox to have Sandboxie automatically invoke the Delete Sandbox command, as described in the settings page. The tutorial concludes in Getting Started Part Six .","title":"Getting Started Part Five"},{"location":"Content/GettingStartedPartFive/#getting-started-part-five","text":"","title":"Getting Started Part Five"},{"location":"Content/GettingStartedPartFive/#part-five-delete-sandbox","text":"When you are finished using the application under Sandboxie, and you have recovered the downloaded files, documents and other desired work items, it is a good idea to delete the contents of the sandbox. Click the Delete Contents command in the Tray Icon Menu : You can also invoke the Delete Contents command from the Sandbox Menu in the main window of Sandboxie Control. The Delete Sandbox window appears, giving you one last chance to recover any files still remaining in the sandbox: The upper part of the window in the picture above was introduced in the last part as the Quick Recovery command. The lower part counts the accumulated size of the contents of the sandbox. Finally, when you are sure you have recovered everything you need, click Delete Sandbox to delete the sandbox. Note that regardless of the size of the sandbox, the delete process always takes only a few seconds. This should be considered normal and expected. During this time, the Sandboxie tray icon changes to a red X icon to indicate that sandbox delete is in progress. In the default configuration, the sandbox is not deleted automatically, so you will have to manually invoke the Delete Contents command whenever you want to delete the contents of the sandbox. This behavior can be changed by altering a setting. 
In the main window of Sandboxie Control , use the Sandbox Menu to open the Sandbox Settings window: The Sandbox Settings window appears. Click on Delete to expand the delete settings group, then on Invocation to show the Delete > Invocation settings page: Place a checkmark in the box Automatically delete contents of sandbox to have Sandboxie automatically invoke the Delete Sandbox command, as described in the settings page. The tutorial concludes in Getting Started Part Six .","title":"Part Five: Delete Sandbox"},{"location":"Content/GettingStartedPartFour/","text":"Getting Started Part Four Part Four: Quick Recovery You may have noticed that when you saved the file favicon.ico to your desktop folder, earlier, Sandboxie offered Immediate Recovery for that file. However, no such offer was made when you saved test1.txt to the root folder of drive C. This is because the desktop folder is (by default) configured as a recoverable folder location, from which you will typically want to recover files. The root folder of drive C is not considered a recoverable location. The Quick Recovery command scans the recoverable folders and displays a summary of all recoverable files: You can invoke the Quick Recovery command: From the Sandbox Menu in the main window of Sandboxie Control. By right-clicking the Tray Icon Menu at the corner of the screen. The picture above shows favicon.ico as the only recoverable file, because it was the only file saved to a recoverable location -- the desktop folder in this case. Other folder locations that are set as recoverable folders by default are your Documents folder, the Windows Favorites folder. Where applicable, your Downloads folder is also considered a recoverable folder. Since these folders don't contain any files eligible for recovery, they are not listed at all in the picture above. You can use the Add Folder button to add more folders to Quick Recovery. 
You can switch Sandboxie Control to the Files And Folders View to view and recover any file that resides anywhere in the sandbox. When recovering a file (or a folder), you can choose to recover the file to the corresponding location outside the sandbox -- for example, from the sandboxed desktop folder, to the real desktop. The Recover to Same Folder command (shown as a button in the picture above) does that. Alternatively, you can use the Recover to Any Folder command, which can move the sandboxed file to any folder location in your computer system. Immediate Recovery The Immediate Recovery feature, which was mentioned briefly in the previous part of this guide, is an extension of Quick Recovery . Immediate Recovery keeps scanning the same set of recoverable folders, and will enable you to recover files as soon as they are created: As with Quick Recovery, you can Recover to Same Folder or Recover to Any Folder . Summary: Files must be created in recoverable folders if they are to be noticed by Quick Recovery and Immediate Recovery . You can customize the set of recoverable folders. You can use Files And Folders View to recover files that do not reside in any recoverable folder. The tutorial continues in Getting Started Part Five .","title":"Getting Started Part Four"},{"location":"Content/GettingStartedPartFour/#getting-started-part-four","text":"","title":"Getting Started Part Four"},{"location":"Content/GettingStartedPartFour/#part-four-quick-recovery","text":"You may have noticed that when you saved the file favicon.ico to your desktop folder, earlier, Sandboxie offered Immediate Recovery for that file. However, no such offer was made when you saved test1.txt to the root folder of drive C. This is because the desktop folder is (by default) configured as a recoverable folder location, from which you will typically want to recover files. The root folder of drive C is not considered a recoverable location. 
The Quick Recovery command scans the recoverable folders and displays a summary of all recoverable files: You can invoke the Quick Recovery command: From the Sandbox Menu in the main window of Sandboxie Control. By right-clicking the Tray Icon Menu at the corner of the screen. The picture above shows favicon.ico as the only recoverable file, because it was the only file saved to a recoverable location -- the desktop folder in this case. Other folder locations that are set as recoverable folders by default are your Documents folder, the Windows Favorites folder. Where applicable, your Downloads folder is also considered a recoverable folder. Since these folders don't contain any files eligible for recovery, they are not listed at all in the picture above. You can use the Add Folder button to add more folders to Quick Recovery. You can switch Sandboxie Control to the Files And Folders View to view and recover any file that resides anywhere in the sandbox. When recovering a file (or a folder), you can choose to recover the file to the corresponding location outside the sandbox -- for example, from the sandboxed desktop folder, to the real desktop. The Recover to Same Folder command (shown as a button in the picture above) does that. Alternatively, you can use the Recover to Any Folder command, which can move the sandboxed file to any folder location in your computer system.","title":"Part Four: Quick Recovery"},{"location":"Content/GettingStartedPartFour/#immediate-recovery","text":"The Immediate Recovery feature, which was mentioned briefly in the previous part of this guide, is an extension of Quick Recovery . Immediate Recovery keeps scanning the same set of recoverable folders, and will enable you to recover files as soon as they are created: As with Quick Recovery, you can Recover to Same Folder or Recover to Any Folder . Summary: Files must be created in recoverable folders if they are to be noticed by Quick Recovery and Immediate Recovery . 
You can customize the set of recoverable folders. You can use Files And Folders View to recover files that do not reside in any recoverable folder. The tutorial continues in Getting Started Part Five .","title":"Immediate Recovery"},{"location":"Content/GettingStartedPartSix/","text":"Getting Started Part Six Part Six: Conclusion This tutorial has walked you through the basic principles of using and understanding Sandboxie: * How to use Sandboxie to run your applications * How the changes are trapped in the sandbox * How to recover important files and documents out of the sandbox * How to delete the sandbox You can read more tips about using Sandboxie in the Usage Tips page, and in pages about specific web browsers: Internet Explorer Tips and Firefox Tips . An important point to keep in mind when using Sandboxie is that it is designed to isolate programs from each other. Therefore you should expect to lose a small measure of interoperability between programs. For example: Email: Clicking email ( mailto ) links typically causes your web browser to start your email software. This will not work correctly unless Sandboxie is configured to run your email software in that sandbox. See FAQ Email . You can avoid this problem by right-clicking the email link instead of left (normal) clicking it. The right-click menu will let you copy the email address. Then switch to your email software and paste the email address. If the pasted email address begins with a mailto: prefix, then make sure to delete that prefix, including the colon (:). Download manager: Clicking download links is intercepted and handled by software which is operating outside your web browser. When the web browser is running in a sandbox, this might cause it to start the download manager in the sandbox as well, which would probably not be the desired result. You can avoid this problem by right-clicking the download link instead of left (normal) clicking it. The right-click menu will let you copy the link. 
Then switch to your download manager program, and paste the link to start the download process. On the other hand, you should not expect to lose every measure of interoperability between programs. For example, you may use a dictionary software which should react to keystrokes or mouse-clicks to display information in a pop-up window. Sandboxie may or may not interfere with this, depending on how the dictionary software is designed. When things do not work as expected, please report it on the Sandboxie support and ask for a solution. Please also take some time now to review the many settings in the Sandbox Settings window. The settings are explained clearly, and you will find many settings that allow you to find the best balance between security and convenience. For example, one person may prefer greater security and control over web bookmarks and favorites, by letting them first save into the sandbox, and then recovering selected items through Quick Recovery or Immediate Recovery . (This is the default configuration in Sandboxie.) But another person may prefer to configure Sandboxie such that a sandboxed web browser can directly access the bookmarks or favorites, without an intermediate recovery step, thus sacrificing some security for greater convenience. Sandboxie allows you to find your personal balance of security and convenience. Enjoy! This is the end of the tutorial. 
Go back to Help Topics , where you can read more Usage Tips .","title":"Getting Started Part Six"},{"location":"Content/GettingStartedPartSix/#getting-started-part-six","text":"","title":"Getting Started Part Six"},{"location":"Content/GettingStartedPartSix/#part-six-conclusion","text":"This tutorial has walked you through the basic principles of using and understanding Sandboxie: * How to use Sandboxie to run your applications * How the changes are trapped in the sandbox * How to recover important files and documents out of the sandbox * How to delete the sandbox You can read more tips about using Sandboxie in the Usage Tips page, and in pages about specific web browsers: Internet Explorer Tips and Firefox Tips . An important point to keep in mind when using Sandboxie is that it is designed to isolate programs from each other. Therefore you should expect to lose a small measure of interoperability between programs. For example: Email: Clicking email ( mailto ) links typically causes your web browser to start your email software. This will not work correctly unless Sandboxie is configured to run your email software in that sandbox. See FAQ Email . You can avoid this problem by right-clicking the email link instead of left (normal) clicking it. The right-click menu will let you copy the email address. Then switch to your email software and paste the email address. If the pasted email address begins with a mailto: prefix, then make sure to delete that prefix, including the colon (:). Download manager: Clicking download links is intercepted and handled by software which is operating outside your web browser. When the web browser is running in a sandbox, this might cause it to start the download manager in the sandbox as well, which would probably not be the desired result. You can avoid this problem by right-clicking the download link instead of left (normal) clicking it. The right-click menu will let you copy the link. 
Then switch to your download manager program, and paste the link to start the download process. On the other hand, you should not expect to lose every measure of interoperability between programs. For example, you may use a dictionary software which should react to keystrokes or mouse-clicks to display information in a pop-up window. Sandboxie may or may not interfere with this, depending on how the dictionary software is designed. When things do not work as expected, please report it on the Sandboxie support and ask for a solution. Please also take some time now to review the many settings in the Sandbox Settings window. The settings are explained clearly, and you will find many settings that allow you to find the best balance between security and convenience. For example, one person may prefer greater security and control over web bookmarks and favorites, by letting them first save into the sandbox, and then recovering selected items through Quick Recovery or Immediate Recovery . (This is the default configuration in Sandboxie.) But another person may prefer to configure Sandboxie such that a sandboxed web browser can directly access the bookmarks or favorites, without an intermediate recovery step, thus sacrificing some security for greater convenience. Sandboxie allows you to find your personal balance of security and convenience. Enjoy! This is the end of the tutorial. Go back to Help Topics , where you can read more Usage Tips .","title":"Part Six: Conclusion"},{"location":"Content/GettingStartedPartThree/","text":"Getting Started Part Three Part Three: The Sandbox You should now have your Web browser running sandboxed . It can be Internet Explorer or any other browser. The browser program may make changes to your computer. These changes will all be trapped in the sandbox. Try it now. Right-click on the following link, and save the file to your desktop. If you're using Internet Explorer, this is the Save Target As command in the right-click menu. 
If you're using Firefox, this is the Save Link As command in the right-click menu: favicon.ico In the default and recommended configuration, Sandboxie will identify that a file was saved to an interesting location -- your desktop, in this case -- and will offer Immediate Recovery for the file: Because the point of this exercise is to show that files remain in the sandbox unless recovered, click the Close button on the window above, to tell Sandboxie to keep the file in the sandbox. The file you saved, favicon.ico would appear on your desktop as this icon: If you minimize all windows and examine your desktop, you should not be able to see the new icon, because the file was in fact saved in the sandbox , and not yet recovered. Sandboxie Control initially operates in Programs View where it lists the programs running in the sandbox, but you can use the View Menu to switch the view mode to Files And Folders View which shows the contents of the sandbox. Click Files and Folders in the View menu. Expand the branches (by clicking the + signs) to reveal the contents of the sandbox, arranged into folders. As you can see in the picture directly above, the file favicon.ico that you saved earlier has been placed in the sandboxed desktop folder. In the same way, any file created by any sandboxed program will be placed in a sandbox folder corresponding to the real folder where it should have been placed. Let's try this again, this time with a sandboxed Notepad. To do this, use the Run Any Program command: Sandboxie displays its Run... dialog box. Type notepad : Notepad should start sandboxed: Type a few letters into the new Notepad document, and save it as file test1.txt at the root folder of drive C. Then, look for this file in the root folder of drive C. You should not be able to find it. That's because the file was saved in the sandbox: Summary: Files created or modified by sandboxed programs are initially placed in the sandbox. 
Files in the sandbox are not visible to programs outside the sandbox. The tutorial continues in Getting Started Part Four .","title":"Getting Started Part Three"},{"location":"Content/GettingStartedPartThree/#getting-started-part-three","text":"","title":"Getting Started Part Three"},{"location":"Content/GettingStartedPartThree/#part-three-the-sandbox","text":"You should now have your Web browser running sandboxed . It can be Internet Explorer or any other browser. The browser program may make changes to your computer. These changes will all be trapped in the sandbox. Try it now. Right-click on the following link, and save the file to your desktop. If you're using Internet Explorer, this is the Save Target As command in the right-click menu. If you're using Firefox, this is the Save Link As command in the right-click menu: favicon.ico In the default and recommended configuration, Sandboxie will identify that a file was saved to an interesting location -- your desktop, in this case -- and will offer Immediate Recovery for the file: Because the point of this exercise is to show that files remain in the sandbox unless recovered, click the Close button on the window above, to tell Sandboxie to keep the file in the sandbox. The file you saved, favicon.ico would appear on your desktop as this icon: If you minimize all windows and examine your desktop, you should not be able to see the new icon, because the file was in fact saved in the sandbox , and not yet recovered. Sandboxie Control initially operates in Programs View where it lists the programs running in the sandbox, but you can use the View Menu to switch the view mode to Files And Folders View which shows the contents of the sandbox. Click Files and Folders in the View menu. Expand the branches (by clicking the + signs) to reveal the contents of the sandbox, arranged into folders. 
As you can see in the picture directly above, the file favicon.ico that you saved earlier has been placed in the sandboxed desktop folder. In the same way, any file created by any sandboxed program will be placed in a sandbox folder corresponding to the real folder where it should have been placed. Let's try this again, this time with a sandboxed Notepad. To do this, use the Run Any Program command: Sandboxie displays its Run... dialog box. Type notepad : Notepad should start sandboxed: Type a few letters into the new Notepad document, and save it as file test1.txt at the root folder of drive C. Then, look for this file in the root folder of drive C. You should not be able to find it. That's because the file was saved in the sandbox: Summary: Files created or modified by sandboxed programs are initially placed in the sandbox. Files in the sandbox are not visible to programs outside the sandbox. The tutorial continues in Getting Started Part Four .","title":"Part Three: The Sandbox"},{"location":"Content/GettingStartedPartTwo/","text":"Getting Started Part Two Part Two: Run Web Browser To launch your Web browser, find the desktop shortcut icon for Sandboxed Web Browser and click it: Alternatively, right-click the Sandboxie Control tray icon, and navigate the popup Tray Icon Menu to select the Run Web Browser action. A third option is via the Sandbox Menu in the main window of Sandboxie Control: Your Web browser should come up sandboxed . You can tell that a program is sandboxed because its window title bar contains additional Sandboxie [#] indicators: ((NOTE: Newer browsers may not show the # in the title bar, however if you hover your mouse along the edges of the window, it will turn yellow.) (Note: In some computer systems, Sandboxie starts the wrong program when you select Run Web Browser . If this is the case for you, see Frequently Asked Questions to fix this.) 
The sandboxed program should appear in the main window of Sandboxie Control : The window displays the list of programs that are currently running sandboxed under the supervision of Sandboxie. Initially there is just one sandbox, DefaultBox , however, more sandboxes can be created; see the Create New Sandbox command in the Sandbox Menu . The picture above shows Sandboxie is running three programs. The first, iexplore.exe , stands for Internet Explorer, as this tutorial assumes Internet Explorer is the Web browser in use. If the default Web browser in your system is Firefox, or Opera, then you would see firefox.exe or opera.exe , respectively, as the first program running in the sandbox. The screenshot shows two more programs are running, SandboxieRpcss.exe and SandboxieDcomLaunch.exe . These support programs are part of Sandboxie. If they are needed, they will be automatically started, without any explicit action on your part. See Service Programs . When Sandboxie is actively running programs in any of the sandboxes, the Sandboxie tray icon (at the corner of the screen) displays red dots: The tutorial continues in Getting Started Part Three .","title":"Getting Started Part Two"},{"location":"Content/GettingStartedPartTwo/#getting-started-part-two","text":"","title":"Getting Started Part Two"},{"location":"Content/GettingStartedPartTwo/#part-two-run-web-browser","text":"To launch your Web browser, find the desktop shortcut icon for Sandboxed Web Browser and click it: Alternatively, right-click the Sandboxie Control tray icon, and navigate the popup Tray Icon Menu to select the Run Web Browser action. A third option is via the Sandbox Menu in the main window of Sandboxie Control: Your Web browser should come up sandboxed . 
You can tell that a program is sandboxed because its window title bar contains additional Sandboxie [#] indicators: ((NOTE: Newer browsers may not show the # in the title bar, however if you hover your mouse along the edges of the window, it will turn yellow.) (Note: In some computer systems, Sandboxie starts the wrong program when you select Run Web Browser . If this is the case for you, see Frequently Asked Questions to fix this.) The sandboxed program should appear in the main window of Sandboxie Control : The window displays the list of programs that are currently running sandboxed under the supervision of Sandboxie. Initially there is just one sandbox, DefaultBox , however, more sandboxes can be created; see the Create New Sandbox command in the Sandbox Menu . The picture above shows Sandboxie is running three programs. The first, iexplore.exe , stands for Internet Explorer, as this tutorial assumes Internet Explorer is the Web browser in use. If the default Web browser in your system is Firefox, or Opera, then you would see firefox.exe or opera.exe , respectively, as the first program running in the sandbox. The screenshot shows two more programs are running, SandboxieRpcss.exe and SandboxieDcomLaunch.exe . These support programs are part of Sandboxie. If they are needed, they will be automatically started, without any explicit action on your part. See Service Programs . When Sandboxie is actively running programs in any of the sandboxes, the Sandboxie tray icon (at the corner of the screen) displays red dots: The tutorial continues in Getting Started Part Three .","title":"Part Two: Run Web Browser"},{"location":"Content/HelpMenu/","text":"Help Menu Sandboxie Control > Help Menu Help Topics (Web) Sandboxie Control > Help Menu > Help Topics (Web) Opens a web browser on the Help Topics page of this online documentation. A window will open to ask if the web browser should run under the supervision of Sandboxie (recommended) or not. 
See Getting Stated Tutorial (Web) below. Getting Started Tutorial (Web) Sandboxie Control > Help Menu > Getting Started Tutorial (Web) Opens a web browser on the Getting Started page of this online documentation. A window will open to ask if the web browser should run under the supervision of Sandboxie (recommended) or not: Check For Updates Sandboxie Control > Help Menu > Check For Updates This command checks if the Sandboxie web site reports a newer version of Sandboxie than the one installed on the computer. Click the Now button to initiate an immediate check. Click the Next Week button to postpone the check to a later time. Click the Never button to disable automatic check for updates. About Sandboxie Sandboxie Control > Help Menu > About Sandboxie Displays product and registration information for the Sandboxie program. Go to Sandboxie Control , Help Topics .","title":"Help Menu"},{"location":"Content/HelpMenu/#help-menu","text":"Sandboxie Control > Help Menu","title":"Help Menu"},{"location":"Content/HelpMenu/#help-topics-web","text":"Sandboxie Control > Help Menu > Help Topics (Web) Opens a web browser on the Help Topics page of this online documentation. A window will open to ask if the web browser should run under the supervision of Sandboxie (recommended) or not. See Getting Stated Tutorial (Web) below.","title":"Help Topics (Web)"},{"location":"Content/HelpMenu/#getting-started-tutorial-web","text":"Sandboxie Control > Help Menu > Getting Started Tutorial (Web) Opens a web browser on the Getting Started page of this online documentation. A window will open to ask if the web browser should run under the supervision of Sandboxie (recommended) or not:","title":"Getting Started Tutorial (Web)"},{"location":"Content/HelpMenu/#check-for-updates","text":"Sandboxie Control > Help Menu > Check For Updates This command checks if the Sandboxie web site reports a newer version of Sandboxie than the one installed on the computer. 
Click the Now button to initiate an immediate check. Click the Next Week button to postpone the check to a later time. Click the Never button to disable automatic check for updates.","title":"Check For Updates"},{"location":"Content/HelpMenu/#about-sandboxie","text":"Sandboxie Control > Help Menu > About Sandboxie Displays product and registration information for the Sandboxie program. Go to Sandboxie Control , Help Topics .","title":"About Sandboxie"},{"location":"Content/HelpTopics/","text":"Help Topics Tutorial: Getting Started with Sandboxie General Usage Tips for using Sandboxie Usage Manual for Sandboxie Control Known Conflicts with other programs Frequently Asked Questions Advanced Topics Technical Aspects Reference for error and informational SBIE Messages Sandboxie Start Command Line parameters Configuring Sandboxie through Sandboxie Ini Documentation Index","title":"Help Topics"},{"location":"Content/HelpTopics/#help-topics","text":"","title":"Help Topics"},{"location":"Content/HelpTopics/#tutorial-getting-started-with-sandboxie","text":"","title":"Tutorial: Getting Started with Sandboxie"},{"location":"Content/HelpTopics/#general-usage-tips-for-using-sandboxie","text":"","title":"General Usage Tips for using Sandboxie"},{"location":"Content/HelpTopics/#usage-manual-for-sandboxie-control","text":"","title":"Usage Manual for Sandboxie Control"},{"location":"Content/HelpTopics/#known-conflicts-with-other-programs","text":"","title":"Known Conflicts with other programs"},{"location":"Content/HelpTopics/#frequently-asked-questions","text":"","title":"Frequently Asked Questions"},{"location":"Content/HelpTopics/#advanced-topics","text":"","title":"Advanced Topics"},{"location":"Content/HelpTopics/#technical-aspects","text":"","title":"Technical Aspects"},{"location":"Content/HelpTopics/#reference-for-error-and-informational-sbie-messages","text":"","title":"Reference for error and informational SBIE 
Messages"},{"location":"Content/HelpTopics/#sandboxie-start-command-line-parameters","text":"","title":"Sandboxie Start Command Line parameters"},{"location":"Content/HelpTopics/#configuring-sandboxie-through-sandboxie-ini","text":"","title":"Configuring Sandboxie through Sandboxie Ini"},{"location":"Content/HelpTopics/#documentation-index","text":"","title":"Documentation Index"},{"location":"Content/HideHostProcess/","text":"Hide Host Process HideHostProcess is a sandbox setting in Sandboxie Ini available since v0.3 / 5.42. It is used to hide unsandboxed host processes. It can also be used to hide Sandboxie services. . . . [DefaultBox] HideHostProcess=program.exe Related Sandboxie Plus setting: Sandbox Options > Advanced Options > Hide Processes","title":"Hide Host Process"},{"location":"Content/HideHostProcess/#hide-host-process","text":"HideHostProcess is a sandbox setting in Sandboxie Ini available since v0.3 / 5.42. It is used to hide unsandboxed host processes. It can also be used to hide Sandboxie services. . . . [DefaultBox] HideHostProcess=program.exe Related Sandboxie Plus setting: Sandbox Options > Advanced Options > Hide Processes","title":"Hide Host Process"},{"location":"Content/HideOtherBoxes/","text":"Hide Other Boxes HideOtherBoxes is a sandbox setting in Sandboxie Ini available since v0.3 / 5.42. By default, Sandboxie enables this feature, which allows processes to be hidden from other boxes. Example of disabling this setting: . . . [DefaultBox] HideOtherBoxes=n Related Sandboxie Plus setting: Sandbox Options > Advanced Options > Hide Processes > Don't allow sandboxed processes to see processes running in other boxes","title":"Hide Other Boxes"},{"location":"Content/HideOtherBoxes/#hide-other-boxes","text":"HideOtherBoxes is a sandbox setting in Sandboxie Ini available since v0.3 / 5.42. By default, Sandboxie enables this feature, which allows processes to be hidden from other boxes. Example of disabling this setting: . . . 
[DefaultBox] HideOtherBoxes=n Related Sandboxie Plus setting: Sandbox Options > Advanced Options > Hide Processes > Don't allow sandboxed processes to see processes running in other boxes","title":"Hide Other Boxes"},{"location":"Content/HowToUseWinDbg/","text":"How To Use Win Dbg In some rare cases, programs running under the supervision of Sandboxie might not work correctly, without providing any hint to the cause of the malfunction. In these cases, Microsoft's free Debugging Tools for Windows can help to shed more light on the problem or even to identify the cause of the problem. Download and install the latest release of Windows SDK (both 32-bit and 64-bit). If you just need the Debugging Tools for Windows , you can install the debugging tools as a standalone component. The package installs into C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers by default. The package creates an application group called Windows Kits in the Windows Start menu. The application group contains the program WinDbg . You probably should use the 32-bit debugger, even on 64-bit Windows. You only need to use the 64-bit debugger to debug 64-bit programs. For more information, see Choosing the 32-Bit or 64-Bit Debugging Tools . Scenario 1: Start a program from the debugger Start the debugger under Sandboxie by using the Sandboxie Start menu. Sandboxie Control > Sandbox Menu > Run From Start Menu Sandboxie Plus window > right click on your sandbox > Run > Run From Start Menu Then navigate the Sandboxie Start menu to locate and invoke the WinDbg program within the Windows Kits group. The WinDbg debugger should start and open its main window. In the debugger, invoke the File menu > Open Executable command. Then navigate to and select the EXE file for the program that you want to run in the debugger. For example, navigate to and select C:\\Windows\\System32\\notepad.exe The debugger will open a command window, to control (or to debug) the new program. 
Use the Debug menu > Go command to begin the execution of the program. (You can also press F5.) At this time the debugger status line will change to say BUSY . Proceed to read the section below titled Final Step . Scenario 2: Attach the debugger to a running program In this scenario, you already used Sandboxie to start the program, and the program is already running. Start the debugger normally from the Windows Start menu: Locate and invoke the WinDbg program within the Windows Kits group. The WinDbg debugger should start and open its main window. In the debugger, invoke the File menu > Attach to a Process command. (You can also press F6.) Then identify the EXE file for the program to which you want to attach the debugger. The debugger will open a command window, to control (or to debug) the attached program. If you attached to the a program after it was already exhibiting the problem, then proceed to read the section below titled Final Step . Otherwise use the Debug menu > Go command to continue the execution of the program. (You can also press F5.) At this time the debugger status line will change to say BUSY . Proceed to read the section below titled Final Step . Final Step This section assumes the program in question has already exhibited the problem: If the program gets stuck in a loop, then it should already be stuck. If the program crashes, then it should already have crashed. If the problem condition has not yet occurred, you should now cause the program to malfunction. Once the program exhibits the problem, switch back to the WinDbg debugger command window. If the debugger status line still says BUSY , use the Debug menu > Break command to stop the program. (You can also press Ctrl+Break.) When the debugger status line no longer says BUSY , enter the following commands. Enter one command at a time, then press Enter. 
.sympath srv*C:\\Symbols*https://msdl.microsoft.com/download/symbols .reload ~* k 99 The third command will cause the debugger to produce some output. When the command completes, please copy the entire debug log. Use the Edit menu > Copy Window Text to Clipboard command to copy the entire debug log to your clipboard, then go back to the Sandboxie support and paste this debug log into your comment. Thank you in advance.","title":"How To Use Win Dbg"},{"location":"Content/HowToUseWinDbg/#how-to-use-win-dbg","text":"In some rare cases, programs running under the supervision of Sandboxie might not work correctly, without providing any hint to the cause of the malfunction. In these cases, Microsoft's free Debugging Tools for Windows can help to shed more light on the problem or even to identify the cause of the problem. Download and install the latest release of Windows SDK (both 32-bit and 64-bit). If you just need the Debugging Tools for Windows , you can install the debugging tools as a standalone component. The package installs into C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers by default. The package creates an application group called Windows Kits in the Windows Start menu. The application group contains the program WinDbg . You probably should use the 32-bit debugger, even on 64-bit Windows. You only need to use the 64-bit debugger to debug 64-bit programs. For more information, see Choosing the 32-Bit or 64-Bit Debugging Tools . Scenario 1: Start a program from the debugger Start the debugger under Sandboxie by using the Sandboxie Start menu. Sandboxie Control > Sandbox Menu > Run From Start Menu Sandboxie Plus window > right click on your sandbox > Run > Run From Start Menu Then navigate the Sandboxie Start menu to locate and invoke the WinDbg program within the Windows Kits group. The WinDbg debugger should start and open its main window. In the debugger, invoke the File menu > Open Executable command. 
Then navigate to and select the EXE file for the program that you want to run in the debugger. For example, navigate to and select C:\\Windows\\System32\\notepad.exe The debugger will open a command window, to control (or to debug) the new program. Use the Debug menu > Go command to begin the execution of the program. (You can also press F5.) At this time the debugger status line will change to say BUSY . Proceed to read the section below titled Final Step . Scenario 2: Attach the debugger to a running program In this scenario, you already used Sandboxie to start the program, and the program is already running. Start the debugger normally from the Windows Start menu: Locate and invoke the WinDbg program within the Windows Kits group. The WinDbg debugger should start and open its main window. In the debugger, invoke the File menu > Attach to a Process command. (You can also press F6.) Then identify the EXE file for the program to which you want to attach the debugger. The debugger will open a command window, to control (or to debug) the attached program. If you attached to the a program after it was already exhibiting the problem, then proceed to read the section below titled Final Step . Otherwise use the Debug menu > Go command to continue the execution of the program. (You can also press F5.) At this time the debugger status line will change to say BUSY . Proceed to read the section below titled Final Step . Final Step This section assumes the program in question has already exhibited the problem: If the program gets stuck in a loop, then it should already be stuck. If the program crashes, then it should already have crashed. If the problem condition has not yet occurred, you should now cause the program to malfunction. Once the program exhibits the problem, switch back to the WinDbg debugger command window. If the debugger status line still says BUSY , use the Debug menu > Break command to stop the program. (You can also press Ctrl+Break.) 
When the debugger status line no longer says BUSY , enter the following commands. Enter one command at a time, then press Enter. .sympath srv*C:\\Symbols*https://msdl.microsoft.com/download/symbols .reload ~* k 99 The third command will cause the debugger to produce some output. When the command completes, please copy the entire debug log. Use the Edit menu > Copy Window Text to Clipboard command to copy the entire debug log to your clipboard, then go back to the Sandboxie support and paste this debug log into your comment. Thank you in advance.","title":"How To Use Win Dbg"},{"location":"Content/HowitWorks/","text":"How it Works Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox , depicted as a yellow rectangle. It also illustrates that grouping the changes together makes it easy to delete all of them at once. Download Sandboxie now and give it a try!","title":"How it Works"},{"location":"Content/HowitWorks/#how-it-works","text":"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox , depicted as a yellow rectangle. 
It also illustrates that grouping the changes together makes it easy to delete all of them at once. Download Sandboxie now and give it a try!","title":"How it Works"},{"location":"Content/ImmediateRecovery/","text":"Immediate Recovery Immediate Recovery is an extension of Quick Recovery . Both Quick and Immediate Recovery scan the list of folders configured in Sandbox Settings > Recovery > Quick Recovery , and suggest an easy way to move any files (or folders) found out of the sandbox. Quick Recovery is invoked by explicit request, or just before the sandbox is deleted, that is, typically it is invoked after the sandboxed programs have finished running. By contrast, Immediate Recovery works within the sandboxed program, and identifies files as soon as they are created and eligible for recovery. As soon as a file is eligible for recovery, the Immediate Recovery window appears, and as long as the window stays open, any further files that become eligible for recovery will be collected into that window. The upper area (see picture above) shows the files eligible for recovery, while the lower area lists destination folders. To recover files, select one or more files in the upper area, then select a folder from the lower area, and click Recover . (Use the CTRL and SHIFT keys to select multiple files in the upper area). The lower area initially offers just the special destinations Recover to Same Folder and Recover to Any Folder . These work the same as described in Quick Recovery . As you use the Recover to Any Folder command, more destinations will be recorded in the lower area for later use. You can disable this feature by clearing the checkbox Store selected folders for later use in the Browse For Folder dialog box that appears when you invoke the Recover to Any Folder command. Immediate Recovery can be temporarily disabled until all sandboxed activity stops, by marking the checkbox Don't prompt again until all sandboxed programs stop at the bottom of the window. 
Go to Quick Recovery , Sandboxie Control , Help Topics .","title":"Immediate Recovery"},{"location":"Content/ImmediateRecovery/#immediate-recovery","text":"Immediate Recovery is an extension of Quick Recovery . Both Quick and Immediate Recovery scan the list of folders configured in Sandbox Settings > Recovery > Quick Recovery , and suggest an easy way to move any files (or folders) found out of the sandbox. Quick Recovery is invoked by explicit request, or just before the sandbox is deleted, that is, typically it is invoked after the sandboxed programs have finished running. By contrast, Immediate Recovery works within the sandboxed program, and identifies files as soon as they are created and eligible for recovery. As soon as a file is eligible for recovery, the Immediate Recovery window appears, and as long as the window stays open, any further files that become eligible for recovery will be collected into that window. The upper area (see picture above) shows the files eligible for recovery, while the lower area lists destination folders. To recover files, select one or more files in the upper area, then select a folder from the lower area, and click Recover . (Use the CTRL and SHIFT keys to select multiple files in the upper area). The lower area initially offers just the special destinations Recover to Same Folder and Recover to Any Folder . These work the same as described in Quick Recovery . As you use the Recover to Any Folder command, more destinations will be recorded in the lower area for later use. You can disable this feature by clearing the checkbox Store selected folders for later use in the Browse For Folder dialog box that appears when you invoke the Recover to Any Folder command. Immediate Recovery can be temporarily disabled until all sandboxed activity stops, by marking the checkbox Don't prompt again until all sandboxed programs stop at the bottom of the window. 
Go to Quick Recovery , Sandboxie Control , Help Topics .","title":"Immediate Recovery"},{"location":"Content/InjectDll/","text":"Inject Dll InjectDll is a sandbox setting in Sandboxie Ini . It tells Sandboxie to \"inject\" some DLL into every program in the sandbox. \"Inject\" means the DLL is . . . [DefaultBox] InjectDll=c:\\Program Files\\Sandboxie Utilities\\Sample.dll You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. Note: The InjectDll setting specifies 32-bit DLLs, and will be ignored in a 64-bit process on 64-bit Windows. Use the InjectDll64 setting to specify 64-bit DLLs. The order of DLLs loaded into the sandboxed program is thus: Ntdll.dll KernelBase.dll (on Windows 7 and later) Kernel32.dll SbieDll.dll (on 64-bit Windows, this can be either the 64-bit SbieDll or the 32-bit SbieDll) InjectDlls (loaded in the order specified in Sandboxie.ini) Optionally, ShimEng (or AppHelp on Windows 7 and later) and related DLLs All statically-linked DLLs The behavior described above applies to Sandboxie version 3.46 and later. Earlier versions of Sandboxie implemented a different behavior which is described below: The injected DLL is loaded into the sandboxed process (or program) after all the statically-linked DLLs are loaded and initialized, but before the program itself begins to execute at its entry point. If the DLL exports the symbol InjectDllMain or InjectDllMain@8 , Sandboxie will call this procedure after the DLL is loaded, and pass the address of the SbieDll module. Declare InjectDllMain in your code: __declspec(dllexport) void __stdcall InjectDllMain( HINSTANCE hSbieDll, ULONG_PTR UnusedParameter); It is recommended to use the hSbieDll parameter as the module instance handle for SbieDll.Dll, instead of relying on GetModuleHandle(\"SbieDll.dll\"). This makes it possible for the injected DLL to interact with SbieDll.dll regardless of the actual name used for SbieDll.dll. 
However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine. At this time, this setting cannot be manipulated from Sandboxie Control . You have to manually edit it into Sandboxie Ini . See also: InjectDll64 , SBIE DLL API , Start Command Line .","title":"Inject Dll"},{"location":"Content/InjectDll/#inject-dll","text":"InjectDll is a sandbox setting in Sandboxie Ini . It tells Sandboxie to \"inject\" some DLL into every program in the sandbox. \"Inject\" means the DLL is . . . [DefaultBox] InjectDll=c:\\Program Files\\Sandboxie Utilities\\Sample.dll You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. Note: The InjectDll setting specifies 32-bit DLLs, and will be ignored in a 64-bit process on 64-bit Windows. Use the InjectDll64 setting to specify 64-bit DLLs. The order of DLLs loaded into the sandboxed program is thus: Ntdll.dll KernelBase.dll (on Windows 7 and later) Kernel32.dll SbieDll.dll (on 64-bit Windows, this can be either the 64-bit SbieDll or the 32-bit SbieDll) InjectDlls (loaded in the order specified in Sandboxie.ini) Optionally, ShimEng (or AppHelp on Windows 7 and later) and related DLLs All statically-linked DLLs The behavior described above applies to Sandboxie version 3.46 and later. Earlier versions of Sandboxie implemented a different behavior which is described below: The injected DLL is loaded into the sandboxed process (or program) after all the statically-linked DLLs are loaded and initialized, but before the program itself begins to execute at its entry point. If the DLL exports the symbol InjectDllMain or InjectDllMain@8 , Sandboxie will call this procedure after the DLL is loaded, and pass the address of the SbieDll module. 
Declare InjectDllMain in your code: __declspec(dllexport) void __stdcall InjectDllMain( HINSTANCE hSbieDll, ULONG_PTR UnusedParameter); It is recommended to use the hSbieDll parameter as the module instance handle for SbieDll.Dll, instead of relying on GetModuleHandle(\"SbieDll.dll\"). This makes it possible for the injected DLL to interact with SbieDll.dll regardless of the actual name used for SbieDll.dll. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine. At this time, this setting cannot be manipulated from Sandboxie Control . You have to manually edit it into Sandboxie Ini . See also: InjectDll64 , SBIE DLL API , Start Command Line .","title":"Inject Dll"},{"location":"Content/InjectDll64/","text":"Inject Dll 64 InjectDll is a sandbox setting in Sandboxie Ini . It tells Sandboxie to \"inject\" some DLL into every program in the sandbox. \"Inject\" means the DLL is . . . [DefaultBox] InjectDll64=c:\\Program Files\\Sandboxie Utilities\\Sample64.dll You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. Note: The InjectDll64 setting specifies 64-bit DLLs, and will be ignored in a 32-bit process, even on 64-bit Windows. Use the InjectDll setting to specify 32-bit DLLs. See also: InjectDll for a comprehensive discussion.","title":"Inject Dll 64"},{"location":"Content/InjectDll64/#inject-dll-64","text":"InjectDll is a sandbox setting in Sandboxie Ini . It tells Sandboxie to \"inject\" some DLL into every program in the sandbox. \"Inject\" means the DLL is . . . [DefaultBox] InjectDll64=c:\\Program Files\\Sandboxie Utilities\\Sample64.dll You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. Note: The InjectDll64 setting specifies 64-bit DLLs, and will be ignored in a 32-bit process, even on 64-bit Windows. Use the InjectDll setting to specify 32-bit DLLs. 
See also: InjectDll for a comprehensive discussion.","title":"Inject Dll 64"},{"location":"Content/InternetExplorerTips/","text":"Internet Explorer Tips Tips Specific to Internet Explorer Sandboxie Control > Sandbox Settings > Applications > Web Browser > Internet Explorer Always Run In Sandbox Setting: Force Internet Explorer to run in this sandbox This setting tells Sandboxie to automatically supervise any instance of Internet Explorer as it starts, even if it was not started directly through a Sandboxie facility or command. Internet Explorer with UAC Enabled In Windows Vista/7/8/8.1 with UAC enabled, Internet Explorer maintains two sets of configurations: Normal configuration and administrator configuration. Each set contains its own cookies, home pages and some other settings. When you normally launch Internet Explorer, you get the normal configuration. When you right-click Internet Explorer and select the Run as administrator action, you get the administrator configuration. Under Sandboxie, Internet Explorer selects the Administrator configuration. (But Internet Explorer does not necessarily run as Administrator under Sandboxie.) To fine-tune the administrator configuration, use the Run as administrator right-click action when you run Internet Explorer outside the sandbox. Windows Update on Windows XP When you wish to visit the Windows Update web site, you should run Internet Explorer outside the sandbox. If Internet Explorer is forced to always run under Sandboxie (as discussed above), then use the Disable Forced Programs command to disable forced sandboxing before and after visiting the Windows Update web site. Note the Automatic Updates facility in Windows does not rely on Internet Explorer and should not be affected by any Sandboxie settings related to Internet Explorer. Similarly, the Windows Updates window in Windows Vista also does not rely on Internet Explorer and is also not affected by Sandboxie. 
Favorites Setting: Allow direct access to Internet Explorer favorites Setting: Add Internet Explorer favorites to Quick Recovery folders These settings allows Internet Explorer running under Sandboxie to store favorites outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, favorites are stored only in the sandbox, and will be deleted when the sandbox is deleted. The first setting (direct access) stores favorites directly outside the sandbox. The second setting ( Quick Recovery ) initially keeps the favorites in the sandbox but offers to recover (move out of the sandbox) any new favorites as they are added. The first setting is more flexible in that you can add, edit and delete favorites freely. The second setting is more secure, but at the cost of some measure of convenience. Bottom line: For greater convenience, select the setting \"Allow direct access to Internet Explorer favorites.\" Cookies Setting: Allow direct access to Internet Explorer cookies This setting allows Internet Explorer running under Sandboxie to store cookies outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. An alternative approach is to this setting is to visit your favorite sites once with a normal Internet Explorer, to get these sites to remember you in their cookies. Then switch to an Internet Explorer under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. Bottom line: If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. If you need web sites that you visit in a sandboxed Internet Explorer to remember you, then select this setting. 
Feeds Setting: Allow direct access to Internet Explorer feeds This setting allows Internet Explorer running under Sandboxie to store feed links outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, feed links are stored only in the sandbox, and will be deleted when the sandbox is deleted. Internet Explorer perdiocally checks its feeds from a component which is running outside the web browser. That component will not see (and will not check or refresh) feeds that are created in the sandbox when this setting is not in effect. (Technically, the component is a scheduled task. The task is created and altered whenever you use the Feed Settings tab in the Internet Options dialog.) Bottom line: If you work with Internet Explorer feeds, it is recommended that you select this setting. Save Outside Sandbox Setting: Save outside sandbox: History of search strings and invoked commands. Setting: Save outside sandbox: Account information for Hotmail and Messenger. (replaced with OpenCredentials since Sandboxie v0.8.0 / 5.50.0) The first setting allows Internet Explorer running under Sandboxie to store \"AutoComplete\" information, which is typically used for keeping history: History of search strings, or history of commands typed into an input box. The second setting allows Internet Explorer running under Sandboxie to store \"Credentials\" information, which is typically used by Microsoft web sites, such as Hotmail, to remember your Windows Live ID. It is also used by Windows (Live) Messenger. Bottom line: These settings are concerned with privacy more than security. Information that you enter into web sites can be kept permanently (as with a normal browser) or only until you delete the sandbox. To keep it permanently, select these settings. Otherwise, leave the settings unselected. 
General Tips Automatic Delete Sandbox Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. Highlight Windows of Programs Running Under Sandboxie Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"Internet Explorer Tips"},{"location":"Content/InternetExplorerTips/#internet-explorer-tips","text":"","title":"Internet Explorer Tips"},{"location":"Content/InternetExplorerTips/#tips-specific-to-internet-explorer","text":"Sandboxie Control > Sandbox Settings > Applications > Web Browser > Internet Explorer","title":"Tips Specific to Internet Explorer"},{"location":"Content/InternetExplorerTips/#always-run-in-sandbox","text":"Setting: Force Internet Explorer to run in this sandbox This setting tells Sandboxie to automatically supervise any instance of Internet Explorer as it starts, even if it was not started directly through a Sandboxie facility or command.","title":"Always Run In Sandbox"},{"location":"Content/InternetExplorerTips/#internet-explorer-with-uac-enabled","text":"In Windows Vista/7/8/8.1 with UAC enabled, Internet Explorer maintains two sets of configurations: Normal configuration and administrator configuration. Each set contains its own cookies, home pages and some other settings. When you normally launch Internet Explorer, you get the normal configuration. 
When you right-click Internet Explorer and select the Run as administrator action, you get the administrator configuration. Under Sandboxie, Internet Explorer selects the Administrator configuration. (But Internet Explorer does not necessarily run as Administrator under Sandboxie.) To fine-tune the administrator configuration, use the Run as administrator right-click action when you run Internet Explorer outside the sandbox.","title":"Internet Explorer with UAC Enabled"},{"location":"Content/InternetExplorerTips/#windows-update-on-windows-xp","text":"When you wish to visit the Windows Update web site, you should run Internet Explorer outside the sandbox. If Internet Explorer is forced to always run under Sandboxie (as discussed above), then use the Disable Forced Programs command to disable forced sandboxing before and after visiting the Windows Update web site. Note the Automatic Updates facility in Windows does not rely on Internet Explorer and should not be affected by any Sandboxie settings related to Internet Explorer. Similarly, the Windows Updates window in Windows Vista also does not rely on Internet Explorer and is also not affected by Sandboxie.","title":"Windows Update on Windows XP"},{"location":"Content/InternetExplorerTips/#favorites","text":"Setting: Allow direct access to Internet Explorer favorites Setting: Add Internet Explorer favorites to Quick Recovery folders These settings allows Internet Explorer running under Sandboxie to store favorites outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, favorites are stored only in the sandbox, and will be deleted when the sandbox is deleted. The first setting (direct access) stores favorites directly outside the sandbox. The second setting ( Quick Recovery ) initially keeps the favorites in the sandbox but offers to recover (move out of the sandbox) any new favorites as they are added. 
The first setting is more flexible in that you can add, edit and delete favorites freely. The second setting is more secure, but at the cost of some measure of convenience. Bottom line: For greater convenience, select the setting \"Allow direct access to Internet Explorer favorites.\"","title":"Favorites"},{"location":"Content/InternetExplorerTips/#cookies","text":"Setting: Allow direct access to Internet Explorer cookies This setting allows Internet Explorer running under Sandboxie to store cookies outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. An alternative approach is to this setting is to visit your favorite sites once with a normal Internet Explorer, to get these sites to remember you in their cookies. Then switch to an Internet Explorer under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. Bottom line: If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. If you need web sites that you visit in a sandboxed Internet Explorer to remember you, then select this setting.","title":"Cookies"},{"location":"Content/InternetExplorerTips/#feeds","text":"Setting: Allow direct access to Internet Explorer feeds This setting allows Internet Explorer running under Sandboxie to store feed links outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, feed links are stored only in the sandbox, and will be deleted when the sandbox is deleted. Internet Explorer perdiocally checks its feeds from a component which is running outside the web browser. That component will not see (and will not check or refresh) feeds that are created in the sandbox when this setting is not in effect. (Technically, the component is a scheduled task. 
The task is created and altered whenever you use the Feed Settings tab in the Internet Options dialog.) Bottom line: If you work with Internet Explorer feeds, it is recommended that you select this setting.","title":"Feeds"},{"location":"Content/InternetExplorerTips/#save-outside-sandbox","text":"Setting: Save outside sandbox: History of search strings and invoked commands. Setting: Save outside sandbox: Account information for Hotmail and Messenger. (replaced with OpenCredentials since Sandboxie v0.8.0 / 5.50.0) The first setting allows Internet Explorer running under Sandboxie to store \"AutoComplete\" information, which is typically used for keeping history: History of search strings, or history of commands typed into an input box. The second setting allows Internet Explorer running under Sandboxie to store \"Credentials\" information, which is typically used by Microsoft web sites, such as Hotmail, to remember your Windows Live ID. It is also used by Windows (Live) Messenger. Bottom line: These settings are concerned with privacy more than security. Information that you enter into web sites can be kept permanently (as with a normal browser) or only until you delete the sandbox. To keep it permanently, select these settings. 
Otherwise, leave the settings unselected.","title":"Save Outside Sandbox"},{"location":"Content/InternetExplorerTips/#general-tips","text":"","title":"General Tips"},{"location":"Content/InternetExplorerTips/#automatic-delete-sandbox","text":"Sandboxie Control > Sandbox Settings > Delete > Invocation Setting: Automatically delete contents of sandbox This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running.","title":"Automatic Delete Sandbox"},{"location":"Content/InternetExplorerTips/#highlight-windows-of-programs-running-under-sandboxie","text":"Sandboxie Control > Sandbox Settings > Appearance Settings Setting: Display a border around the window This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting \"Don't show Sandboxie indicator in the window title.\"","title":"Highlight Windows of Programs Running Under Sandboxie"},{"location":"Content/IpcRootPath/","text":"Ipc Root Path IpcRootPath is a sandbox setting in Sandboxie Ini . It specifies the location within the NT object namespace where a particular sandbox is created. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] IpcRootPath=\\Sandbox\\%BOXNAME% The following substitution variables may be useful in this path. 
The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security-ID (SID) The variable %SESSION% which expands to the Terminal Services session number If IpcRootPath is not specified, its default value is: \\Sandbox\\%USER%\\%SANDBOX%\\Session %SESSION%_ There is probably no reason to change the default value for this setting, and doing so is not recommended.","title":"Ipc Root Path"},{"location":"Content/IpcRootPath/#ipc-root-path","text":"IpcRootPath is a sandbox setting in Sandboxie Ini . It specifies the location within the NT object namespace where a particular sandbox is created. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] IpcRootPath=\\Sandbox\\%BOXNAME% The following substitution variables may be useful in this path. The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security-ID (SID) The variable %SESSION% which expands to the Terminal Services session number If IpcRootPath is not specified, its default value is: \\Sandbox\\%USER%\\%SANDBOX%\\Session %SESSION%_ There is probably no reason to change the default value for this setting, and doing so is not recommended.","title":"Ipc Root Path"},{"location":"Content/IsolationMechanism/","text":"Isolation Mechanism Processes started under Sandboxie's supervision are created with a very restricted user token, such that they basically don't have the right to access almost anything. In this state, they would be pretty much useless and would crash right away. This token manipulation is done using half a dozen undocumented symbols in the Windows kernel. 
In a next step, Sandboxie tries to repair that by hooking most ntdll.dll syscalls and replacing them with a redirection to the own SbieDrv driver. The driver then evaluates the calls and enforces the sandboxing rules, for example, no write access outside the sandbox and no read access to closed resources. When a malicious application would unhook ntdll.dll, for example, by trying to use direct syscalls to the Windows kernel, the kernel would see the restricted user token and operations would fail with an access denied. Not all functionality can be restored this way, so Sandboxie also hooks a myriad of other functions in standard Windows DLLs, providing workarounds and redirects through the helper service SbieSvc, although sometimes it opts for disabling some functionality outright. The file system and registry virtualization is implemented on the user level in SbieDll, which is responsible for combining the data from the real system with the ones from the sandbox and for properly redirecting all access attempts. If that mechanism is improperly bypassed, it results in an access denied error.","title":"Isolation Mechanism"},{"location":"Content/IsolationMechanism/#isolation-mechanism","text":"Processes started under Sandboxie's supervision are created with a very restricted user token, such that they basically don't have the right to access almost anything. In this state, they would be pretty much useless and would crash right away. This token manipulation is done using half a dozen undocumented symbols in the Windows kernel. In a next step, Sandboxie tries to repair that by hooking most ntdll.dll syscalls and replacing them with a redirection to the own SbieDrv driver. The driver then evaluates the calls and enforces the sandboxing rules, for example, no write access outside the sandbox and no read access to closed resources. 
When a malicious application would unhook ntdll.dll, for example, by trying to use direct syscalls to the Windows kernel, the kernel would see the restricted user token and operations would fail with an access denied. Not all functionality can be restored this way, so Sandboxie also hooks a myriad of other functions in standard Windows DLLs, providing workarounds and redirects through the helper service SbieSvc, although sometimes it opts for disabling some functionality outright. The file system and registry virtualization is implemented on the user level in SbieDll, which is responsible for combining the data from the real system with the ones from the sandbox and for properly redirecting all access attempts. If that mechanism is improperly bypassed, it results in an access denied error.","title":"Isolation Mechanism"},{"location":"Content/KeyRootPath/","text":"Key Root Path KeyRootPath is a sandbox setting in Sandboxie Ini . It specifies the registry location where the registry hive for a particular sandbox is mounted. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] KeyRootPath=\\REGISTRY\\USER\\%BOXNAME% The following substitution variables may be useful in this path. The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security-ID (SID) The variable %SESSION% which expands to the Terminal Services session number If KeyRootPath is not specified, its default value is: \\REGISTRY\\USER\\Sandbox %USER% %SANDBOX% The value must begin with the prefix * \\REGISTRY\\USER* or Sandboxie will not be able to mount the registry hive. There is probably no reason to change the default value for this setting, and doing so is not recommended. 
If Sandboxie cannot successfully mount or un-mount the sandboxed registry hive, it will issue messages SBIE1241 and SBIE2208 , respectively.","title":"Key Root Path"},{"location":"Content/KeyRootPath/#key-root-path","text":"KeyRootPath is a sandbox setting in Sandboxie Ini . It specifies the registry location where the registry hive for a particular sandbox is mounted. As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. See Sandbox Hierarchy for more information. Usage: . . . [DefaultBox] KeyRootPath=\\REGISTRY\\USER\\%BOXNAME% The following substitution variables may be useful in this path. The variable %SANDBOX% which expands to the name of the sandbox The variable %USER% which expands to the user name The variable %SID% which expands to the user security-ID (SID) The variable %SESSION% which expands to the Terminal Services session number If KeyRootPath is not specified, its default value is: \\REGISTRY\\USER\\Sandbox %USER% %SANDBOX% The value must begin with the prefix * \\REGISTRY\\USER* or Sandboxie will not be able to mount the registry hive. There is probably no reason to change the default value for this setting, and doing so is not recommended. If Sandboxie cannot successfully mount or un-mount the sandboxed registry hive, it will issue messages SBIE1241 and SBIE2208 , respectively.","title":"Key Root Path"},{"location":"Content/KnownConflicts/","text":"Known Conflicts Known conflicts can be resolved by activating application configurations in Sandbox Settings > Applications or in Sandbox Options > App Templates (Plus edition). Not all programs can be installed or run inside Sandboxie Problem: Some applications that invoke services or drivers may not install/run inside Sandboxie. Solution #1: You may have a conflict with a third-party security software installed on your system (see issue #647 and #293 ). 
If you want to know more about which security suite could be involved, take a look at the archived forums . Solution #2: If you have already tried to install your application in a new empty sandbox, then install it on your host and run it sandboxed. If problems persist, especially with applications working on previous Sandboxie versions, please let us know the details by posting on the GitHub repository . Microsoft Store apps Problem: Microsoft store apps will not work in Sandboxie Classic and Sandboxie Plus. Solution: None at this time. See issue #19 to track any possible change about this. Office 2013/2016/2019 & Office 365 (C2R versions only) Problem: Click to Run versions of Microsoft Office 2013, 2016, 2019 and Office 365 will crash when sandboxed. This includes Outlook 2013 and up. Solution: A fix was included on v0.9.7 / 5.52.1 . Office 2021 Problem: Office 2021 cannot be installed inside a sandbox. Solution: None at this time. See issue #1675 or #1900 to track any possible change about this. Tor Browser Problem: Tor Browser is very slow in a sandbox, crashes or crashes after a certain time. Solution: A fix was included on v1.0.21 / 5.55.21 . HP Universal Print Driver Problem: The HP Universal Printer Status Monitor pop-up component is failing when printing from a sandboxed Web browser. Solution: Open Sandbox Settings > Resource Access > COM Access, click Add and enter this resource name: {D713F357-7920-4B91-9EB6-49054709EC7A} Autodelete feature on Microsoft Edge Problem: Autodelete feature no longer works on Microsoft Edge. Solution: Microsoft Edge was updated with a new setting (under System) called \"Startup boost\", which is enabled by default. It prevents Edge from fully shutting down, so we suggest to disable the option or install v1.1.2 / 5.56.2 or newer versions which include the fix. Steam games Problem: Not all Steam games will function while Sandboxed. Solution: Install the games on your computer, not in a sandbox. Most games can work. 
However, there are known reports that some simply may not. If you run into a problem with a Steam game, you should make sure Steam client is updated on your host machine. Run Steam not sandboxed, download and install the game on your host computer and then \"right click\" on the game shortcut and select \"Run Sandboxed\" as a workaround. If problems persist, please let us know the details by posting on the GitHub repository . GOG Games and Galaxy Beta Problem: Games from GOG Galaxy may not run while sandboxed. Solution: A partial workaround is available in #1246 . You can \"force\" GOG Program folder so that it works correctly within a sandbox. See also: ForceFolder . No access to microphone or camera on any sandbox in Windows 11 Problem: There is no access to microphone/camera on any sandbox in Windows 11 systems. Solution: A workaround is available in #1669 , but no permanent fix. Tabs sessions on Chromium browsers are sometimes not restored correctly in Sandboxie Problem: Tabs sessions are lost when a Chromium browser is running outside of the sandbox. Solution: No fix yet, but some workarounds are available in #558 . Windows Explorer takes a long time to open folders, drives or context menus Problem: Windows Explorer can take a long time to open while sandboxed on Windows 10 and 11. Solution: No fix yet, see #69 . \"Open With\" dialog does not work in a sandboxed File Explorer instance Problem: \"Open with\" functionality is not working with Sandboxie. Solution: A fix was included on v1.0.6 / 5.55.6 . Can't use the search box in File Explorer Problem: The search box in File Explorer doesn't get focused while sandboxed, and you can't input anything. Solution: A fix was included on v0.9.8c / 5.53.2 . 
\"Sandboxed service failed to start: BITS\" or \"Request to start service bits was denied\" can appear while a program is sandboxed Problem: BITS service seems to be broken since a few Windows 10 releases, as it's using some parts of WMI which is blocked in Sandboxie. Solution: A workaround was directly included on v1.0.1 / 5.55.1 . I can't find my issue in this list If you would like to search for further issues, please refer to the GitHub repository .","title":"Known Conflicts"},{"location":"Content/KnownConflicts/#known-conflicts","text":"Known conflicts can be resolved by activating application configurations in Sandbox Settings > Applications or in Sandbox Options > App Templates (Plus edition).","title":"Known Conflicts"},{"location":"Content/KnownConflicts/#not-all-programs-can-be-installed-or-run-inside-sandboxie","text":"Problem: Some applications that invoke services or drivers may not install/run inside Sandboxie. Solution #1: You may have a conflict with a third-party security software installed on your system (see issue #647 and #293 ). If you want to know more about which security suite could be involved, take a look at the archived forums . Solution #2: If you have already tried to install your application in a new empty sandbox, then install it on your host and run it sandboxed. If problems persist, especially with applications working on previous Sandboxie versions, please let us know the details by posting on the GitHub repository .","title":"Not all programs can be installed or run inside Sandboxie"},{"location":"Content/KnownConflicts/#microsoft-store-apps","text":"Problem: Microsoft store apps will not work in Sandboxie Classic and Sandboxie Plus. Solution: None at this time. 
See issue #19 to track any possible change about this.","title":"Microsoft Store apps"},{"location":"Content/KnownConflicts/#office-201320162019-office-365-c2r-versions-only","text":"Problem: Click to Run versions of Microsoft Office 2013, 2016, 2019 and Office 365 will crash when sandboxed. This includes Outlook 2013 and up. Solution: A fix was included on v0.9.7 / 5.52.1 .","title":"Office 2013/2016/2019 & Office 365 (C2R versions only)"},{"location":"Content/KnownConflicts/#office-2021","text":"Problem: Office 2021 cannot be installed inside a sandbox. Solution: None at this time. See issue #1675 or #1900 to track any possible change about this.","title":"Office 2021"},{"location":"Content/KnownConflicts/#tor-browser","text":"Problem: Tor Browser is very slow in a sandbox, crashes or crashes after a certain time. Solution: A fix was included on v1.0.21 / 5.55.21 .","title":"Tor Browser"},{"location":"Content/KnownConflicts/#hp-universal-print-driver","text":"Problem: The HP Universal Printer Status Monitor pop-up component is failing when printing from a sandboxed Web browser. Solution: Open Sandbox Settings > Resource Access > COM Access, click Add and enter this resource name: {D713F357-7920-4B91-9EB6-49054709EC7A}","title":"HP Universal Print Driver"},{"location":"Content/KnownConflicts/#autodelete-feature-on-microsoft-edge","text":"Problem: Autodelete feature no longer works on Microsoft Edge. Solution: Microsoft Edge was updated with a new setting (under System) called \"Startup boost\", which is enabled by default. It prevents Edge from fully shutting down, so we suggest to disable the option or install v1.1.2 / 5.56.2 or newer versions which include the fix.","title":"Autodelete feature on Microsoft Edge"},{"location":"Content/KnownConflicts/#steam-games","text":"Problem: Not all Steam games will function while Sandboxed. Solution: Install the games on your computer, not in a sandbox. Most games can work. 
However, there are known reports that some simply may not. If you run into a problem with a Steam game, you should make sure Steam client is updated on your host machine. Run Steam not sandboxed, download and install the game on your host computer and then \"right click\" on the game shortcut and select \"Run Sandboxed\" as a workaround. If problems persist, please let us know the details by posting on the GitHub repository .","title":"Steam games"},{"location":"Content/KnownConflicts/#gog-games-and-galaxy-beta","text":"Problem: Games from GOG Galaxy may not run while sandboxed. Solution: A partial workaround is available in #1246 . You can \"force\" GOG Program folder so that it works correctly within a sandbox. See also: ForceFolder .","title":"GOG Games and Galaxy Beta"},{"location":"Content/KnownConflicts/#no-access-to-microphone-or-camera-on-any-sandbox-in-windows-11","text":"Problem: There is no access to microphone/camera on any sandbox in Windows 11 systems. Solution: A workaround is available in #1669 , but no permanent fix.","title":"No access to microphone or camera on any sandbox in Windows 11"},{"location":"Content/KnownConflicts/#tabs-sessions-on-chromium-browsers-are-sometimes-not-restored-correctly-in-sandboxie","text":"Problem: Tabs sessions are lost when a Chromium browser is running outside of the sandbox. Solution: No fix yet, but some workarounds are available in #558 .","title":"Tabs sessions on Chromium browsers are sometimes not restored correctly in Sandboxie"},{"location":"Content/KnownConflicts/#windows-explorer-takes-a-long-time-to-open-folders-drives-or-context-menus","text":"Problem: Windows Explorer can take a long time to open while sandboxed on Windows 10 and 11. 
Solution: No fix yet, see #69 .","title":"Windows Explorer takes a long time to open folders, drives or context menus"},{"location":"Content/KnownConflicts/#open-with-dialog-does-not-work-in-a-sandboxed-file-explorer-instance","text":"Problem: \"Open with\" functionality is not working with Sandboxie. Solution: A fix was included on v1.0.6 / 5.55.6 .","title":"\"Open With\" dialog does not work in a sandboxed File Explorer instance"},{"location":"Content/KnownConflicts/#cant-use-the-search-box-in-file-explorer","text":"Problem: The search box in File Explorer doesn't get focused while sandboxed, and you can't input anything. Solution: A fix was included on v0.9.8c / 5.53.2 .","title":"Can't use the search box in File Explorer"},{"location":"Content/KnownConflicts/#sandboxed-service-failed-to-start-bits-or-request-to-start-service-bits-was-denied-can-appear-while-a-program-is-sandboxed","text":"Problem: BITS service seems to be broken since a few Windows 10 releases, as it's using some parts of WMI which is blocked in Sandboxie. Solution: A workaround was directly included on v1.0.1 / 5.55.1 .","title":"\"Sandboxed service failed to start: BITS\" or \"Request to start service bits was denied\" can appear while a program is sandboxed"},{"location":"Content/KnownConflicts/#i-cant-find-my-issue-in-this-list","text":"If you would like to search for further issues, please refer to the GitHub repository .","title":"I can't find my issue in this list"},{"location":"Content/LeaderProcess/","text":"Leader Process LeaderProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs that are considered primary in the sandbox, and when they stop running, all other programs in the sandbox are stopped as well. For example: . . . [DefaultBox] LeaderProcess=iexplore.exe iexplore.exe is Internet Explorer. 
Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Leader Programs See also: Program Settings .","title":"Leader Process"},{"location":"Content/LeaderProcess/#leader-process","text":"LeaderProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs that are considered primary in the sandbox, and when they stop running, all other programs in the sandbox are stopped as well. For example: . . . [DefaultBox] LeaderProcess=iexplore.exe iexplore.exe is Internet Explorer. Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Leader Programs See also: Program Settings .","title":"Leader Process"},{"location":"Content/LingerExemptWnds/","text":"Linger Exempt Wnds LingerExemptWnds is a sandbox setting in Sandboxie Ini available since v1.13.4 / 5.68.4. To make the lingering process monitor mechanism no longer exempt lingering processes with windows from termination. For example: . . . [DefaultBox] LingerExemptWnds=n Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Lingering Programs See also: Program Settings .","title":"Linger Exempt Wnds"},{"location":"Content/LingerExemptWnds/#linger-exempt-wnds","text":"LingerExemptWnds is a sandbox setting in Sandboxie Ini available since v1.13.4 / 5.68.4. To make the lingering process monitor mechanism no longer exempt lingering processes with windows from termination. For example: . . . [DefaultBox] LingerExemptWnds=n Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Lingering Programs See also: Program Settings .","title":"Linger Exempt Wnds"},{"location":"Content/LingerProcess/","text":"Linger Process LingerProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs that will be automatically terminated, when they are the last programs that remain in execution in a particular sandbox. 
This is useful as some programs occasionally launch helper programs to carry out a specific task, and the helper program remains in execution even after the original program has ended. For example: . . . [DefaultBox] LingerProcess=jusched.exe jusched.exe is part of the Sun Java framework. It is occasionally launched when Internet Explorer starts the Java framework. This LingerProcess example setting specifies that if jusched.exe remains the last program running in the sandbox DefaultBox, then it should be terminated. LingerProcess will not terminate a process, if that process was the first process launched in the sandbox. For example, the default configuration includes Adobe Acrobat Reader as a LingerProcess, because it is typically launched when viewing PDF files through the Web browser, and remains running even after the browser has closed. LingerProcess=acrord32.exe However, if you manually start Adobe Acrobat Reader sandboxed, for example by running it from the Sandboxie Start Menu, then the LingerProcess setting will not apply to that process. Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Lingering Programs See also: Program Settings .","title":"Linger Process"},{"location":"Content/LingerProcess/#linger-process","text":"LingerProcess is a sandbox setting in Sandboxie Ini . It specifies names of programs that will be automatically terminated, when they are the last programs that remain in execution in a particular sandbox. This is useful as some programs occasionally launch helper programs to carry out a specific task, and the helper program remains in execution even after the original program has ended. For example: . . . [DefaultBox] LingerProcess=jusched.exe jusched.exe is part of the Sun Java framework. It is occasionally launched when Internet Explorer starts the Java framework. This LingerProcess example setting specifies that if jusched.exe remains the last program running in the sandbox DefaultBox, then it should be terminated. 
LingerProcess will not terminate a process, if that process was the first process launched in the sandbox. For example, the default configuration includes Adobe Acrobat Reader as a LingerProcess, because it is typically launched when viewing PDF files through the Web browser, and remains running even after the browser has closed. LingerProcess=acrord32.exe However, if you manually start Adobe Acrobat Reader sandboxed, for example by running it from the Sandboxie Start Menu, then the LingerProcess setting will not apply to that process. Related Sandboxie Control setting: Sandbox Settings -> Program Stop -> Lingering Programs See also: Program Settings .","title":"Linger Process"},{"location":"Content/MessagesFromSandboxie/","text":"Messages From Sandboxie The Messages From Sandboxie window is displayed automatically whenever Sandboxie logs at least one error or informational message. (For more information about Sandboxie messages, SBIE Messages .) The window displays one message per line, as in the example below. Clicking the Help button opens the Web browser and navigates to the documentation page for the highlighted message. Clicking the Hide button indicates that you don't wish to receive this message again. If the message contains an information detail, the Hide button hides the message only in combination with that particular detail. For example, the SBIE1304 message shown above has the detail osk.exe . In this case, the Hide button will hide future occurrences of SBIE1304 for osk.exe . If SBIE1304 is issued for some other program name, it will still be displayed. Clicking the Close button closes the window. Log Messages To A File It's possible to log Messages From Sandboxie to a file with a simple configuration inside the registry: reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v LogFile /d \"2;C:\\Windows\\System32\\LogFiles\\Sandboxie.log\" /f The LogFile value consists of two pieces of information: 2 is the log level. 
Only two values are correct: 2 (classic log) or 3 (log with process SID) C:\\Windows\\System32\\LogFiles\\Sandboxie.log is the full path of the log Example of output for a log level of 2: 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] Since version 1.3.3 / 5.58.3, it is possible to pass logs in verbose mode to have the SID of the account used by the target process. Example of output for a log level of 3: 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) Another registry key allows to filter and split logs on specific messages: reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v LogFile /d \"2;C:\\Windows\\System32\\LogFiles\\Sandboxie.log\" /f reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v MultiLog /d \"1308,1307\" /f This simple configuration will: put all logs without filter inside C:\\Windows\\System32\\LogFiles\\Sandboxie.log create one file per box (ie: C:\\Windows\\System32\\LogFiles\\Sandboxie_DefaultBox.log ) with only event 1308 and 1307","title":"Messages From Sandboxie"},{"location":"Content/MessagesFromSandboxie/#messages-from-sandboxie","text":"The Messages From Sandboxie window is displayed automatically whenever Sandboxie logs at least one error or informational message. (For more information about Sandboxie messages, SBIE Messages .) The window displays one message per line, as in the example below. 
Clicking the Help button opens the Web browser and navigates to the documentation page for the highlighted message. Clicking the Hide button indicates that you don't wish to receive this message again. If the message contains an information detail, the Hide button hides the message only in combination with that particular detail. For example, the SBIE1304 message shown above has the detail osk.exe . In this case, the Hide button will hide future occurrences of SBIE1304 for osk.exe . If SBIE1304 is issued for some other program name, it will still be displayed. Clicking the Close button closes the window.","title":"Messages From Sandboxie"},{"location":"Content/MessagesFromSandboxie/#log-messages-to-a-file","text":"It's possible to log Messages From Sandboxie to a file with a simple configuration inside the registry: reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v LogFile /d \"2;C:\\Windows\\System32\\LogFiles\\Sandboxie.log\" /f The LogFile value consists of two pieces of information: 2 is the log level. Only two values are correct: 2 (classic log) or 3 (log with process SID) C:\\Windows\\System32\\LogFiles\\Sandboxie.log is the full path of the log Example of output for a log level of 2: 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] Since version 1.3.3 / 5.58.3, it is possible to pass logs in verbose mode to have the SID of the account used by the target process. 
Example of output for a log level of 3: 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] (DESKTOP-RZ4242\\administrator) Another registry key allows to filter and split logs on specific messages: reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v LogFile /d \"2;C:\\Windows\\System32\\LogFiles\\Sandboxie.log\" /f reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieSvc\" /t REG_SZ /v MultiLog /d \"1308,1307\" /f This simple configuration will: put all logs without filter inside C:\\Windows\\System32\\LogFiles\\Sandboxie.log create one file per box (ie: C:\\Windows\\System32\\LogFiles\\Sandboxie_DefaultBox.log ) with only event 1308 and 1307","title":"Log Messages To A File"},{"location":"Content/MonitorAdminOnly/","text":"Monitor Admin Only MonitorAdminOnly is a global setting in Sandboxie Ini . If specified, Sandboxie Control running under user accounts which are not members of the Administrators group will not be able to invoke the Resource Access Monitor facility. The rationale is that Resource Access Monitor consumes 64K bytes of system memory for each user session in which it is invoked, so network administrators may wish to prevent their users from invoking that facility. Usage: . . . [GlobalSettings] MonitorAdminOnly=y This setting is designed for use by network administrators.","title":"Monitor Admin Only"},{"location":"Content/MonitorAdminOnly/#monitor-admin-only","text":"MonitorAdminOnly is a global setting in Sandboxie Ini . If specified, Sandboxie Control running under user accounts which are not members of the Administrators group will not be able to invoke the Resource Access Monitor facility. 
The rationale is that Resource Access Monitor consumes 64K bytes of system memory for each user session in which it is invoked, so network administrators may wish to prevent their users from invoking that facility. Usage: . . . [GlobalSettings] MonitorAdminOnly=y This setting is designed for use by network administrators.","title":"Monitor Admin Only"},{"location":"Content/MsiInstallerExemptions/","text":"Msi Installer Exemptions MsiInstallerExemptions is a sandbox setting in Sandboxie Ini available since v0.7.2 / 5.49.0. . . . [DefaultBox] MsiInstallerExemptions=y Use the 'MsiInstallerExemptions=y' option to allow MSIServer to run with a sandboxed system token and apply other exceptions. This option may help with installing an MSI package. Related Sandboxie Plus setting: Sandbox Options > Security Options > Security Hardening > Allow MSIServer to run with a sandboxed system token and apply other exceptions if required","title":"Msi Installer Exemptions"},{"location":"Content/MsiInstallerExemptions/#msi-installer-exemptions","text":"MsiInstallerExemptions is a sandbox setting in Sandboxie Ini available since v0.7.2 / 5.49.0. . . . [DefaultBox] MsiInstallerExemptions=y Use the 'MsiInstallerExemptions=y' option to allow MSIServer to run with a sandboxed system token and apply other exceptions. This option may help with installing an MSI package. Related Sandboxie Plus setting: Sandbox Options > Security Options > Security Hardening > Allow MSIServer to run with a sandboxed system token and apply other exceptions if required","title":"Msi Installer Exemptions"},{"location":"Content/NeverDelete/","text":"Never Delete NeverDelete is a sandbox setting in Sandboxie Ini . It is typically specified as NeverDelete=y , and indicates that the contents of the sandbox should never be deleted by Sandboxie. For example: . . . 
[DefaultBox] NeverDelete=y Related Sandboxie Control setting: Sandbox Settings > Delete > Invocation","title":"Never Delete"},{"location":"Content/NeverDelete/#never-delete","text":"NeverDelete is a sandbox setting in Sandboxie Ini . It is typically specified as NeverDelete=y , and indicates that the contents of the sandbox should never be deleted by Sandboxie. For example: . . . [DefaultBox] NeverDelete=y Related Sandboxie Control setting: Sandbox Settings > Delete > Invocation","title":"Never Delete"},{"location":"Content/NoRenameWinClass/","text":"No Rename Win Class NoRenameWinClass is a sandbox setting in Sandboxie Ini . It specifies the window class names that should not be translated by Sandboxie. Usage: . . . [DefaultBox] NoRenameWinClass=ExampleWinClass NoRenameWinClass=program.exe,* The first setting tells Sandboxie to not translate ExampleWinClass window class name by making it accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. The second setting tells Sandboxie to not translate window class names created by program.exe by making them accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. Related Sandboxie Plus setting: Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > No Rename","title":"No Rename Win Class"},{"location":"Content/NoRenameWinClass/#no-rename-win-class","text":"NoRenameWinClass is a sandbox setting in Sandboxie Ini . It specifies the window class names that should not be translated by Sandboxie. Usage: . . . 
[DefaultBox] NoRenameWinClass=ExampleWinClass NoRenameWinClass=program.exe,* The first setting tells Sandboxie to not translate ExampleWinClass window class name by making it accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. The second setting tells Sandboxie to not translate window class names created by program.exe by making them accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. Related Sandboxie Plus setting: Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > No Rename","title":"No Rename Win Class"},{"location":"Content/NormalFilePath/","text":"Normal File Path Normal File Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. Program Name Prefix may be specified. Example: . . . [DefaultBox] NormalFilePath=C:\\Downloads\\ NormalFilePath=*.eml NormalFilePath=iexplore.exe,%Favorites% NormalFilePath=msimn.exe,*.eml Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Normal","title":"Normal File Path"},{"location":"Content/NormalFilePath/#normal-file-path","text":"Normal File Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. 
Program Name Prefix may be specified. Example: . . . [DefaultBox] NormalFilePath=C:\\Downloads\\ NormalFilePath=*.eml NormalFilePath=iexplore.exe,%Favorites% NormalFilePath=msimn.exe,*.eml Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Normal","title":"Normal File Path"},{"location":"Content/NormalIpcPath/","text":"Normal Ipc Path Normal Ipc Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. Example: . . . [DefaultBox] NormalIpcPath=\\RPC Control\\AudioSrv Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Normal","title":"Normal Ipc Path"},{"location":"Content/NormalIpcPath/#normal-ipc-path","text":"Normal Ipc Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. Example: . . . [DefaultBox] NormalIpcPath=\\RPC Control\\AudioSrv Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Normal","title":"Normal Ipc Path"},{"location":"Content/NormalKeyPath/","text":"Normal Key Path Normal Key Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. 
Program Name Prefix may be specified. Example: . . . [DefaultBox] NormalIpcPath=*BaseNamedObjects*\\__ComCatalogCache__ NormalIpcPath=*BaseNamedObjects*\\ComPlusCOMRegTable NormalIpcPath=*BaseNamedObjects*\\RotHintTable NormalIpcPath=*BaseNamedObjects*\\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5} NormalIpcPath=*BaseNamedObjects*\\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9} NormalIpcPath=\\RPC Control\\actkernel NormalIpcPath=\\RPC Control\\epmapper NormalIpcPath=\\RPC Control\\OLE* NormalIpcPath=\\RPC Control\\LRPC* Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Normal","title":"Normal Key Path"},{"location":"Content/NormalKeyPath/#normal-key-path","text":"Normal Key Path is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with Rule Specificity where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. Program Name Prefix may be specified. Example: . . . [DefaultBox] NormalIpcPath=*BaseNamedObjects*\\__ComCatalogCache__ NormalIpcPath=*BaseNamedObjects*\\ComPlusCOMRegTable NormalIpcPath=*BaseNamedObjects*\\RotHintTable NormalIpcPath=*BaseNamedObjects*\\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5} NormalIpcPath=*BaseNamedObjects*\\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9} NormalIpcPath=\\RPC Control\\actkernel NormalIpcPath=\\RPC Control\\epmapper NormalIpcPath=\\RPC Control\\OLE* NormalIpcPath=\\RPC Control\\LRPC* Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Normal","title":"Normal Key Path"},{"location":"Content/NotifyDirectDiskAccess/","text":"Notify Direct Disk Access NotifyDirectDiskAccess is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyDirectDiskAccess=y . Usage: . . . 
[DefaultBox] NotifyDirectDiskAccess=y Note that the default behavior of Sandboxie is to deny all direct access requests, unless explicit direct access is given to the hard disk device through the OpenFilePath or OpenPipePath settings. Normally, a message is not issued when such access is denied. This setting can not be altered using Sandboxie Control and must be edited in Sandboxie Ini .","title":"Notify Direct Disk Access"},{"location":"Content/NotifyDirectDiskAccess/#notify-direct-disk-access","text":"NotifyDirectDiskAccess is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyDirectDiskAccess=y . Usage: . . . [DefaultBox] NotifyDirectDiskAccess=y Note that the default behavior of Sandboxie is to deny all direct access requests, unless explicit direct access is given to the hard disk device through the OpenFilePath or OpenPipePath settings. Normally, a message is not issued when such access is denied. This setting can not be altered using Sandboxie Control and must be edited in Sandboxie Ini .","title":"Notify Direct Disk Access"},{"location":"Content/NotifyInternetAccessDenied/","text":"Notify Internet Access Denied NotifyInternetAccessDenied is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyInternetAccessDenied=y , and indicates that Sandboxie should issue message SBIE1307 when programs are denied access to the Internet. Usage: . . . [DefaultBox] NotifyInternetAccessDenied=y Related Sandboxie Control setting: Sandbox Settings > Restrictions > Internet Access Related Sandboxie Control setting: Program Settings","title":"Notify Internet Access Denied"},{"location":"Content/NotifyInternetAccessDenied/#notify-internet-access-denied","text":"NotifyInternetAccessDenied is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyInternetAccessDenied=y , and indicates that Sandboxie should issue message SBIE1307 when programs are denied access to the Internet. Usage: . . . 
[DefaultBox] NotifyInternetAccessDenied=y Related Sandboxie Control setting: Sandbox Settings > Restrictions > Internet Access Related Sandboxie Control setting: Program Settings","title":"Notify Internet Access Denied"},{"location":"Content/NotifyProcessAccessDenied/","text":"Notify Process Access Denied NotifyProcessAccessDenied is a sandbox setting in Sandboxie Ini since v1.0.16 / 5.55.16. It is typically specified as NotifyProcessAccessDenied=y , and indicates that Sandboxie should issue message SBIE2111 when programs are denied reading from the address space of the process. Usage: . . . [DefaultBox] NotifyProcessAccessDenied=y Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Issue message 2111 when a process access is denied For more information, see SBIE2111 .","title":"Notify Process Access Denied"},{"location":"Content/NotifyProcessAccessDenied/#notify-process-access-denied","text":"NotifyProcessAccessDenied is a sandbox setting in Sandboxie Ini since v1.0.16 / 5.55.16. It is typically specified as NotifyProcessAccessDenied=y , and indicates that Sandboxie should issue message SBIE2111 when programs are denied reading from the address space of the process. Usage: . . . [DefaultBox] NotifyProcessAccessDenied=y Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Issue message 2111 when a process access is denied For more information, see SBIE2111 .","title":"Notify Process Access Denied"},{"location":"Content/NotifyStartRunAccessDenied/","text":"Notify Start Run Access Denied NotifyStartRunAccessDenied is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyStartRunAccessDenied=y , and indicates that Sandboxie should issue message SBIE1308 when programs are denied from starting or running. Usage: . . . 
[DefaultBox] NotifyStartRunAccessDenied=y Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Control setting: Program Settings","title":"Notify Start Run Access Denied"},{"location":"Content/NotifyStartRunAccessDenied/#notify-start-run-access-denied","text":"NotifyStartRunAccessDenied is a sandbox setting in Sandboxie Ini . It is typically specified as NotifyStartRunAccessDenied=y , and indicates that Sandboxie should issue message SBIE1308 when programs are denied from starting or running. Usage: . . . [DefaultBox] NotifyStartRunAccessDenied=y Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Control setting: Program Settings","title":"Notify Start Run Access Denied"},{"location":"Content/NtNamespaceIsolation/","text":"Nt Namespace Isolation NtNamespaceIsolation is a sandbox setting in Sandboxie Ini available since v1.8.0 / 5.63.0. It can be used to disable virtualization for CreateDirectoryObject and OpenDirectoryObject - which will reduce security and remove measures to prevent name squatting. . . . [DefaultBox] NtNamespaceIsolation=n","title":"Nt Namespace Isolation"},{"location":"Content/NtNamespaceIsolation/#nt-namespace-isolation","text":"NtNamespaceIsolation is a sandbox setting in Sandboxie Ini available since v1.8.0 / 5.63.0. It can be used to disable virtualization for CreateDirectoryObject and OpenDirectoryObject - which will reduce security and remove measures to prevent name squatting. . . . [DefaultBox] NtNamespaceIsolation=n","title":"Nt Namespace Isolation"},{"location":"Content/NtStatusCodes/","text":"Nt Status Codes NT status codes may appear in some of the messages issued by Sandboxie. The table below lists common status codes which may help in understanding the specific cause of error. 
Standard Windows NT Kernel Status Codes for Error Conditions: C0000022 Access denied to an object C0000034 Object not found C000009A Insufficient system resources, typically indicates an out-of-memory condition","title":"Nt Status Codes"},{"location":"Content/NtStatusCodes/#nt-status-codes","text":"NT status codes may appear in some of the messages issued by Sandboxie. The table below lists common status codes which may help in understanding the specific cause of error. Standard Windows NT Kernel Status Codes for Error Conditions: C0000022 Access denied to an object C0000034 Object not found C000009A Insufficient system resources, typically indicates an out-of-memory condition","title":"Nt Status Codes"},{"location":"Content/OpenClipboard/","text":"Open Clipboard OpenClipboard is a sandbox setting in Sandboxie Ini available since v0.7.5 / 5.49.8. It allows to disable clipboard access for a sandbox. For example: . . . [DefaultBox] OpenClipboard=n Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Block read access to the clipboard","title":"Open Clipboard"},{"location":"Content/OpenClipboard/#open-clipboard","text":"OpenClipboard is a sandbox setting in Sandboxie Ini available since v0.7.5 / 5.49.8. It allows to disable clipboard access for a sandbox. For example: . . . [DefaultBox] OpenClipboard=n Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Block read access to the clipboard","title":"Open Clipboard"},{"location":"Content/OpenClsid/","text":"Open Clsid OpenClsid is a sandbox setting in Sandboxie Ini . It specifies the COM class identifiers for unsandboxed COM objects that should be accessible by a sandboxed program. Examples: . . . [DefaultBox] OpenClsid={D713F357-7920-4B91-9EB6-49054709EC7A} This example makes the HP Universal Printer Status Monitor pop-up component accessible to sandboxed programs. 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > COM Access Related Sandboxie Plus settings: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Open Sandbox Options > Resource Access > COM > Don't use virtualized COM, Open access to hosts COM infrastructure (not recommended)","title":"Open Clsid"},{"location":"Content/OpenClsid/#open-clsid","text":"OpenClsid is a sandbox setting in Sandboxie Ini . It specifies the COM class identifiers for unsandboxed COM objects that should be accessible by a sandboxed program. Examples: . . . [DefaultBox] OpenClsid={D713F357-7920-4B91-9EB6-49054709EC7A} This example makes the HP Universal Printer Status Monitor pop-up component accessible to sandboxed programs. Related Sandboxie Control setting: Sandbox Settings > Resource Access > COM Access Related Sandboxie Plus settings: Sandbox Options > Resource Access > COM > Add COM Object > Access column > Open Sandbox Options > Resource Access > COM > Don't use virtualized COM, Open access to hosts COM infrastructure (not recommended)","title":"Open Clsid"},{"location":"Content/OpenConfPath/","text":"Open Conf Path OpenConfPath is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. It specifies a path pattern, for which Sandboxie will not apply sandboxing for registry keys. This lets sandboxed programs have direct access to update system settings outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular registry key location. It is the same as the OpenKeyPath setting, except that this setting is always applied, whereas OpenKeyPath is only applied if the application is running from a file or folder that is located outside the sandbox. Program Name Prefix may be specified. Example: . . . 
[DefaultBox] OpenConfPath=firefox.exe,HKEY_LOCAL_MACHINE\\Software\\Mozilla OpenConfPath=firefox.exe,HKEY_CURRENT_USER\\Software\\Mozilla These examples let the Firefox program, firefox.exe , have direct access to the Mozilla registry key trees (both system-wide and per-user registry trees). The value specified for OpenConfPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: This setting does apply even when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, can take advantage of this setting. Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Open for All","title":"Open Conf Path"},{"location":"Content/OpenConfPath/#open-conf-path","text":"OpenConfPath is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. It specifies a path pattern, for which Sandboxie will not apply sandboxing for registry keys. This lets sandboxed programs have direct access to update system settings outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular registry key location. It is the same as the OpenKeyPath setting, except that this setting is always applied, whereas OpenKeyPath is only applied if the application is running from a file or folder that is located outside the sandbox. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenConfPath=firefox.exe,HKEY_LOCAL_MACHINE\\Software\\Mozilla OpenConfPath=firefox.exe,HKEY_CURRENT_USER\\Software\\Mozilla These examples let the Firefox program, firefox.exe , have direct access to the Mozilla registry key trees (both system-wide and per-user registry trees). 
The value specified for OpenConfPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: This setting does apply even when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, can take advantage of this setting. Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Open for All","title":"Open Conf Path"},{"location":"Content/OpenCredentials/","text":"Open Credentials OpenCredentials is a sandbox setting in Sandboxie Ini . It is typically specified as OpenCredentials=y (see Yes Or No Settings ), and indicates that Sandboxie should not isolate Windows credentials in the sandbox. For example: . . . [DefaultBox] OpenCredentials=y Indicates that programs running in the DefaultBox sandbox will update the real credential store, rather than a sandboxed instance of it. Windows credentials are used primarily by Windows and Microsoft applications to store user name and password information for: Network shares Microsoft accounts To manage Windows credentials, start Control Panel > User Accounts, select an account, and the click on the Related Task labeled Manage my network passwords. Note: Sandboxie stores credentials in the sandboxed protected storage. Thus, if the setting Save outside sandbox: History of search strings and invoked commands in Sandbox Settings > Applications > Web Browser is enabled, credentials will not be stored in the sandbox, regardless of the OpenCredentials setting. 
Related Sandboxie Control setting: Save outside sandbox: Account information for Hotmail and Messenger in Sandbox Settings > Applications > Web Browser (no longer available since Sandboxie v0.8.0 / 5.50.0) Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Open System Protected Storage","title":"Open Credentials"},{"location":"Content/OpenCredentials/#open-credentials","text":"OpenCredentials is a sandbox setting in Sandboxie Ini . It is typically specified as OpenCredentials=y (see Yes Or No Settings ), and indicates that Sandboxie should not isolate Windows credentials in the sandbox. For example: . . . [DefaultBox] OpenCredentials=y Indicates that programs running in the DefaultBox sandbox will update the real credential store, rather than a sandboxed instance of it. Windows credentials are used primarily by Windows and Microsoft applications to store user name and password information for: Network shares Microsoft accounts To manage Windows credentials, start Control Panel > User Accounts, select an account, and the click on the Related Task labeled Manage my network passwords. Note: Sandboxie stores credentials in the sandboxed protected storage. Thus, if the setting Save outside sandbox: History of search strings and invoked commands in Sandbox Settings > Applications > Web Browser is enabled, credentials will not be stored in the sandbox, regardless of the OpenCredentials setting. Related Sandboxie Control setting: Save outside sandbox: Account information for Hotmail and Messenger in Sandbox Settings > Applications > Web Browser (no longer available since Sandboxie v0.8.0 / 5.50.0) Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Open System Protected Storage","title":"Open Credentials"},{"location":"Content/OpenFilePath/","text":"Open File Path OpenFilePath is a sandbox setting in Sandboxie Ini . 
It specifies path patterns for which Sandboxie will not apply sandboxing for files. This lets sandboxed programs have direct access to update files and folders outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular folder location. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . [DefaultBox] OpenFilePath=C:\\Downloads\\ OpenFilePath=*.eml OpenFilePath=iexplore.exe,%Favorites% OpenFilePath=msimn.exe,*.eml When reviewing these examples, keep in mind that Sandboxie places a wildcard star at the end of the value, unless a star already appears anywhere in the value . So for example, C:\\Downloads_ becomes _C:\\Downloads* , while *.eml remains unchanged. Wildcard stars are used to specify patterns with variable, unknown parts. For example, a.eml matches only that one file, whereas *.eml matches a.eml , test.eml , important message.eml and so on. But note that neither form matches a.txt . The first example setting specifies that any files (or folders) created in the folder C:\\Downloads (and in any folder below it) will not be sandboxed. Note that the final backslash character is important, because a star will be placed at the end of the string. The second example shows how wildcards can be used to exempt *.eml files from sandboxing, regardless of where they are created. .eml files are typically created by Outlook and Outlook Express, when a message is explicitly saved to disk. The third example setting specifies that the Favorites folder of the active user account should be exempted. This means that new Favorite shortcuts will added outside the sandbox. In this example, a ProgramNamePrefix is used, so the setting only applies to the Internet Explorer program, iexplore.exe The fourth example combines the previous two examples, by showing a path containing a wildcard, applied only to a specific program. 
Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting. A setting similar to OpenFilePath , which is always applied, is OpenPipePath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Open","title":"Open File Path"},{"location":"Content/OpenFilePath/#open-file-path","text":"OpenFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for files. This lets sandboxed programs have direct access to update files and folders outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular folder location. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . [DefaultBox] OpenFilePath=C:\\Downloads\\ OpenFilePath=*.eml OpenFilePath=iexplore.exe,%Favorites% OpenFilePath=msimn.exe,*.eml When reviewing these examples, keep in mind that Sandboxie places a wildcard star at the end of the value, unless a star already appears anywhere in the value . So for example, C:\\Downloads_ becomes _C:\\Downloads* , while *.eml remains unchanged. Wildcard stars are used to specify patterns with variable, unknown parts. For example, a.eml matches only that one file, whereas *.eml matches a.eml , test.eml , important message.eml and so on. But note that neither form matches a.txt . The first example setting specifies that any files (or folders) created in the folder C:\\Downloads (and in any folder below it) will not be sandboxed. Note that the final backslash character is important, because a star will be placed at the end of the string. 
The second example shows how wildcards can be used to exempt *.eml files from sandboxing, regardless of where they are created. .eml files are typically created by Outlook and Outlook Express, when a message is explicitly saved to disk. The third example setting specifies that the Favorites folder of the active user account should be exempted. This means that new Favorite shortcuts will added outside the sandbox. In this example, a ProgramNamePrefix is used, so the setting only applies to the Internet Explorer program, iexplore.exe The fourth example combines the previous two examples, by showing a path containing a wildcard, applied only to a specific program. Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting. A setting similar to OpenFilePath , which is always applied, is OpenPipePath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Open","title":"Open File Path"},{"location":"Content/OpenIpcPath/","text":"Open Ipc Path OpenIpcPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for inter-process objects. This lets sandboxed programs access resources and services provided by programs running outside the sandbox. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenIpcPath=\\RPC Control\\IcaApi OpenIpcPath=\\RPC Control\\seclogon OpenIpcPath=$:program.exe As described in Sandboxie Trace , some sandboxed programs may need access to system resources outside the sandbox, in order to function correctly. 
After using the Sandboxie trace facility to isolate the needed resources, this setting is used to expose the resources for use by a sandboxed program. OpenIpcPath=\\RPC Control\\IcaApi The first example exposes a resource provided by the Terminal Services subsystem. It can let a sandboxed program talk to that subsystem and discover other Terminal Server sessions active in the computer. But this resource can also be used to terminate programs outside the control of Sandboxie. OpenIpcPath=\\RPC Control\\seclogon The second example exposes the resource provided by the Windows Run As service. It can let a sandboxed program launch another program using the credentials of a different user. The launched program was executed outside of the control of Sandboxie until v0.7.3 / 5.49.5 , which runs it inside the sandbox. This setting accepts wildcards. For more information on the use of wildcards in the OpenXxxPath and ClosedXxxPath settings, see OpenFilePath . OpenIpcPath=$:program.exe The third example permits a program running inside the sandbox to have full access into the address space of a target process running outside the sandbox. The process name of the target process must match the name specified in the setting. When this setting is not specified, Sandboxie allows only read-access by a sandboxed process into a process outside the sandbox. This form of the OpenIpcPath setting does not support wildcards. Note: The examples in this page, if applied, will create vulnerabilities within the sandbox. They are meant only to show why some resources are blocked, and how they can be un-blocked and exposed for use, if necessary. Related Sandboxie Control setting: Sandbox Settings > Resource Access > IPC Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Open","title":"Open Ipc Path"},{"location":"Content/OpenIpcPath/#open-ipc-path","text":"OpenIpcPath is a sandbox setting in Sandboxie Ini . 
It specifies path patterns for which Sandboxie will not apply sandboxing for inter-process objects. This lets sandboxed programs access resources and services provided by programs running outside the sandbox. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenIpcPath=\\RPC Control\\IcaApi OpenIpcPath=\\RPC Control\\seclogon OpenIpcPath=$:program.exe As described in Sandboxie Trace , some sandboxed programs may need access to system resources outside the sandbox, in order to function correctly. After using the Sandboxie trace facility to isolate the needed resources, this setting is used to expose the resources for use by a sandboxed program. OpenIpcPath=\\RPC Control\\IcaApi The first example exposes a resource provided by the Terminal Services subsystem. It can let a sandboxed program talk to that subsystem and discover other Terminal Server sessions active in the computer. But this resource can also be used to terminate programs outside the control of Sandboxie. OpenIpcPath=\\RPC Control\\seclogon The second example exposes the resource provided by the Windows Run As service. It can let a sandboxed program launch another program using the credentials of a different user. The launched program was executed outside of the control of Sandboxie until v0.7.3 / 5.49.5 , which runs it inside the sandbox. This setting accepts wildcards. For more information on the use of wildcards in the OpenXxxPath and ClosedXxxPath settings, see OpenFilePath . OpenIpcPath=$:program.exe The third example permits a program running inside the sandbox to have full access into the address space of a target process running outside the sandbox. The process name of the target process must match the name specified in the setting. When this setting is not specified, Sandboxie allows only read-access by a sandboxed process into a process outside the sandbox. This form of the OpenIpcPath setting does not support wildcards. 
Note: The examples in this page, if applied, will create vulnerabilities within the sandbox. They are meant only to show why some resources are blocked, and how they can be un-blocked and exposed for use, if necessary. Related Sandboxie Control setting: Sandbox Settings > Resource Access > IPC Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Open","title":"Open Ipc Path"},{"location":"Content/OpenKeyPath/","text":"Open Key Path OpenKeyPath is a sandbox setting in Sandboxie Ini . It specifies a path patterns, for which Sandboxie will not apply sandboxing for registry keys. This lets sandboxed programs have direct access to update system settings outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular registry key location. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenKeyPath=firefox.exe,HKEY_LOCAL_MACHINE\\Software\\Mozilla OpenKeyPath=firefox.exe,HKEY_CURRENT_USER\\Software\\Mozilla These examples let the Firefox program, firefox.exe , have direct access to the Mozilla registry key trees (both system-wide and per-user registry trees). The value specified for OpenKeyPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting. 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Open","title":"Open Key Path"},{"location":"Content/OpenKeyPath/#open-key-path","text":"OpenKeyPath is a sandbox setting in Sandboxie Ini . It specifies a path patterns, for which Sandboxie will not apply sandboxing for registry keys. This lets sandboxed programs have direct access to update system settings outside the sandbox . This setting essentially punches a hole in the sandbox, at a particular registry key location. Program Name Prefix may be specified. Example: . . . [DefaultBox] OpenKeyPath=firefox.exe,HKEY_LOCAL_MACHINE\\Software\\Mozilla OpenKeyPath=firefox.exe,HKEY_CURRENT_USER\\Software\\Mozilla These examples let the Firefox program, firefox.exe , have direct access to the Mozilla registry key trees (both system-wide and per-user registry trees). The value specified for OpenKeyPath can include wildcards, although for registry keys, the use of wildcards is rarely needed. For more information on this, including examples that show the use of wildcards, see OpenFilePath . ( OpenFilePath deals with files, not registry keys, but the principle of using wildcards remains the same.) Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting. Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Direct Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Open","title":"Open Key Path"},{"location":"Content/OpenPipePath/","text":"Open Pipe Path OpenPipePath is a sandbox setting in Sandboxie Ini . 
It specifies path patterns for which Sandboxie will not apply sandboxing for files. It is the same as the OpenFilePath setting, except that this setting is always applied, whereas OpenFilePath is only applied if the application is running from a file or folder that is located outside the sandbox. See OpenFilePath for general usage instructions. The OpenPipePath setting is primarily intended to allow sandboxed programs access to file communication device resources, which can be identified using the Sandboxie Trace . However, it can also be used to define files and folders that should be exempt (in the way that OpenFilePath exempts files) even for programs that are running from within the sandbox itself. Example usage: . . . [DefaultBox] OpenPipePath=\\Device\\NamedPipe\\wkssvc OpenPipePath=\\Device\\NamedPipe\\srvsvc Will allow the sandboxed program to manage shares and user accounts on the computer, through the resources wkssvc and srvsvc . Note: This specific example is not recommended, as it weakens the protection of the sandbox. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Full Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Open for All","title":"Open Pipe Path"},{"location":"Content/OpenPipePath/#open-pipe-path","text":"OpenPipePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for files. It is the same as the OpenFilePath setting, except that this setting is always applied, whereas OpenFilePath is only applied if the application is running from a file or folder that is located outside the sandbox. See OpenFilePath for general usage instructions. The OpenPipePath setting is primarily intended to allow sandboxed programs access to file communication device resources, which can be identified using the Sandboxie Trace . 
However, it can also be used to define files and folders that should be exempt (in the way that OpenFilePath exempts files) even for programs that are running from within the sandbox itself. Example usage: . . . [DefaultBox] OpenPipePath=\\Device\\NamedPipe\\wkssvc OpenPipePath=\\Device\\NamedPipe\\srvsvc Will allow the sandboxed program to manage shares and user accounts on the computer, through the resources wkssvc and srvsvc . Note: This specific example is not recommended, as it weakens the protection of the sandbox. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Full Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Open for All","title":"Open Pipe Path"},{"location":"Content/OpenPrintSpooler/","text":"Open Print Spooler OpenPrintSpooler is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] OpenPrintSpooler=n This setting prevents sandboxed applications from setting up printers outside the sandbox. The filter can be disabled by setting OpenPrintSpooler=y . Added as part of 0.5.4 / 5.46.0 version. See also ClosePrintSpooler .","title":"Open Print Spooler"},{"location":"Content/OpenPrintSpooler/#open-print-spooler","text":"OpenPrintSpooler is a sandbox setting that provides nuanced control over how sandboxed applications interact with the print spooler service. . . . [DefaultBox] OpenPrintSpooler=n This setting prevents sandboxed applications from setting up printers outside the sandbox. The filter can be disabled by setting OpenPrintSpooler=y . Added as part of 0.5.4 / 5.46.0 version. See also ClosePrintSpooler .","title":"Open Print Spooler"},{"location":"Content/OpenProtectedStorage/","text":"Open Protected Storage OpenProtectedStorage is a sandbox setting in Sandboxie Ini . 
It is typically specified as OpenProtectedStorage=y (see Yes Or No Settings ), and indicates that Sandboxie should not isolate Protected Storage in the sandbox. For example: . . . [DefaultBox] OpenProtectedStorage=y Indicates that programs running in the DefaultBox sandbox will update the global system Protected Storage , rather than a sandboxed instance of it. Related Sandboxie Plus setting: Sandbox Options > App Templates > Templates > Open Protected Storage Related Sandboxie Control setting: Save outside sandbox: History of search strings and invoked commands in Sandbox Settings > Applications > Web Browser","title":"Open Protected Storage"},{"location":"Content/OpenProtectedStorage/#open-protected-storage","text":"OpenProtectedStorage is a sandbox setting in Sandboxie Ini . It is typically specified as OpenProtectedStorage=y (see Yes Or No Settings ), and indicates that Sandboxie should not isolate Protected Storage in the sandbox. For example: . . . [DefaultBox] OpenProtectedStorage=y Indicates that programs running in the DefaultBox sandbox will update the global system Protected Storage , rather than a sandboxed instance of it. Related Sandboxie Plus setting: Sandbox Options > App Templates > Templates > Open Protected Storage Related Sandboxie Control setting: Save outside sandbox: History of search strings and invoked commands in Sandbox Settings > Applications > Web Browser","title":"Open Protected Storage"},{"location":"Content/OpenWinClass/","text":"Open Win Class OpenWinClass is a sandbox setting in Sandboxie Ini . It specifies the class names for unsandboxed windows that should be accessible by a sandboxed program. Examples: . . . [DefaultBox] OpenWinClass=ConsoleWindowClass OpenWinClass=$:program.exe/IgnoreUIPI OpenWinClass=# OpenWinClass=* The first example makes console windows created by the cmd.exe process accessible to sandboxed programs. 
Normally, Sandboxie will not permit a sandboxed program to access, communicate, close or destroy a window outside the sandbox. The OpenWinClass settings makes an exception to this rule, and allows specific unsandboxed windows to be accessible. Special Forms OpenWinClass=$:program.exe/IgnoreUIPI This permits a program running inside the sandbox to use the PostThreadMessage API to send a message directly to a thread in a target process running outside the sandbox. This form of the OpenWinClass setting does not support wildcards, so the process name of the target process must match the name specified in the setting. OpenWinClass=# This setting tells Sandboxie to not alter window class names created by sandboxed programs. Normally, Sandboxie translates class names such as IEFrame to Sandbox:DefaultBox::IEFrame in order to better separate windows that belong to sandboxed programs from the rest of the windows in the system. However, in some cases, a program outside the sandbox might expect window class names to have a specific name, and therefore might not recognize the windows created by a sandboxed program. Specifying OpenWinClass=# resolves this problem, at the cost of a lesser degree of separation. Note that OpenWinClass=# does not allow communication with any windows outside the sandbox, and may interfere with some drag-and-drop operations. OpenWinClass=* This setting tells Sandboxie to not translate window class names as described above, and also makes all windows in the system accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. Note that OpenWinClass=* allows full communication with all windows outside the sandbox, but may interfere with some drag-and-drop operations. 
Identifying Window Class Names The unsandboxed windows are identified by their window class name , which is an internal name given to the window by the application that created it. You can use a tool like WinSpy to identify window class names. The Resource Access Monitor tool in Sandboxie Classic and the Trace Logging tool in Sandboxie Plus also display window class names. Related Sandboxie Plus settings: Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > Open Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > Ignore UIPI Sandbox Options > Resource Access > Wnd > Don't alter window class names created by sandboxed programs See also: No Rename Win Class .","title":"Open Win Class"},{"location":"Content/OpenWinClass/#open-win-class","text":"OpenWinClass is a sandbox setting in Sandboxie Ini . It specifies the class names for unsandboxed windows that should be accessible by a sandboxed program. Examples: . . . [DefaultBox] OpenWinClass=ConsoleWindowClass OpenWinClass=$:program.exe/IgnoreUIPI OpenWinClass=# OpenWinClass=* The first example makes console windows created by the cmd.exe process accessible to sandboxed programs. Normally, Sandboxie will not permit a sandboxed program to access, communicate, close or destroy a window outside the sandbox. The OpenWinClass settings makes an exception to this rule, and allows specific unsandboxed windows to be accessible. Special Forms OpenWinClass=$:program.exe/IgnoreUIPI This permits a program running inside the sandbox to use the PostThreadMessage API to send a message directly to a thread in a target process running outside the sandbox. This form of the OpenWinClass setting does not support wildcards, so the process name of the target process must match the name specified in the setting. OpenWinClass=# This setting tells Sandboxie to not alter window class names created by sandboxed programs. 
Normally, Sandboxie translates class names such as IEFrame to Sandbox:DefaultBox::IEFrame in order to better separate windows that belong to sandboxed programs from the rest of the windows in the system. However, in some cases, a program outside the sandbox might expect window class names to have a specific name, and therefore might not recognize the windows created by a sandboxed program. Specifying OpenWinClass=# resolves this problem, at the cost of a lesser degree of separation. Note that OpenWinClass=# does not allow communication with any windows outside the sandbox, and may interfere with some drag-and-drop operations. OpenWinClass=* This setting tells Sandboxie to not translate window class names as described above, and also makes all windows in the system accessible to sandboxed programs, and goes a step further to disable a few other windowing-related Sandboxie functions. This may also cause the Sandboxie indicator [#] to not appear in window titles. Note that OpenWinClass=* allows full communication with all windows outside the sandbox, but may interfere with some drag-and-drop operations. Identifying Window Class Names The unsandboxed windows are identified by their window class name , which is an internal name given to the window by the application that created it. You can use a tool like WinSpy to identify window class names. The Resource Access Monitor tool in Sandboxie Classic and the Trace Logging tool in Sandboxie Plus also display window class names. Related Sandboxie Plus settings: Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > Open Sandbox Options > Resource Access > Wnd > Add Wnd Class > Access column > Ignore UIPI Sandbox Options > Resource Access > Wnd > Don't alter window class names created by sandboxed programs See also: No Rename Win Class .","title":"Open Win Class"},{"location":"Content/PaperAnalogy/","text":"Paper Analogy Think of your PC as a piece of paper. Every program you run writes on the paper. 
When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper. Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely and remove any traces left. On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. (Note: The graphics depicts the Sandboxie Control application prior to version 3.20.) Thanks to esalkin for the paper metaphor. Thanks to warwagon for the graphics. See also the Sandboxie demonstration for a different illustration of the same concept.","title":"Paper Analogy"},{"location":"Content/PaperAnalogy/#paper-analogy","text":"Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper. Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely and remove any traces left. On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. 
(Note: The graphics depicts the Sandboxie Control application prior to version 3.20.) Thanks to esalkin for the paper metaphor. Thanks to warwagon for the graphics. See also the Sandboxie demonstration for a different illustration of the same concept.","title":"Paper Analogy"},{"location":"Content/PlusMigrationGuide/","text":"Sandboxie-Plus Migration Guide This guide shows where all the known Sandboxie functions can be found in the new UI. Main Window The overall layout of the main window of SandMan.exe is exactly the same as the old one in SbieCtrl.exe when the \"Simple View\" is chosen. If the \"Advanced View\" is chosen, there are three additional tabs on the bottom of the window (\"Sbie Messages\" etc.), so it corresponds with what can be seen in the right picture. File and Sandbox Menus All important menu commands can be found in similar locations, although some have been moved. Create New Box dialog The \"Create New Box\" command opens the new box dialog. Unlike in Classic, here a box type preset can be selected. The feature to copy an existing box can be found now on another place. (See the following unit.) Copying Sandbox Configuration To copy a existing box configuration, the \"Duplicate Sandbox\" menu command can be used. View Menu The \"View\" menu offers a few more functions, and the option to enable a simplified view mode. The recovery log is no longer a separate window but a tab at the bottom (visible when the \"Advanced View\" is chosen). View Menu - Files and Folders The modern Sandboxie UI has replaced the \"Files and Folders\" view with a separate window that can be opened from the box context menu. Files and Folders - view / window The window \"Files\" offers the same functionality as the old view, but enhances it by providing a full context menu. Global Settings The new Sandboxie Plus UI has a global settings window (Options --> Global Settings) where all options are located together on vertical tabs instead of having to open individual windows. 
File System Root In the modern UI, it is possible to change not only the file system root path, but also the registry root and the IPC root. Program Start monitoring Sandboxie Plus can not only warn when unboxed processes are started, but it can also prevent them from starting at all. Shell Integration On this tab, the shell integration can be configured. Most functions are available, although some deprecated features were dropped and other options were moved out. Create Sandbox shortcut To create a shortcut to a boxed program, now an option in the box context menu is to be used, which can be reached quicker. Software Compatibility Also the compatibility dialog is now integrated into the window with the global settings (tab \"Compatibility\"). Lock Configuration Starting with version 1.9.0 / 5.64.0, the Configuration Protection options are located in the sub tab \"Sandboxie.ini Presets\" of the tab \"Advanced Config\". Sandbox Context Menu The sandbox context menu is much more advanced, and contains all the options from the old menu. Double click on the sandbox name now opens the sandbox settings. Explore Contents In addition to being able to explore contents, the \"Box Content\" sub menu allows to mount and browse the sandboxed registry. Sandbox Settings All functionality from the old Sandbox Settings are now located in the Sandbox Options. Some areas are similar, but many have also been moved around. Quick and Immediate Recover The options for Quick Recovery and Immediate Recovery have been merged into one tab (\"File Recovery\"). Delete Options The Delete Options have been moved to the sub tab \"File Options\" of the tab \"General Options\". Delete Command The \"Delete Command\" option can now be found on the sub tab \"Triggers\" of the tab \"Advanced Options\". Program Groups The new UI supports groups just like the old one. Forced Programs and Folders Forced programs and folders are also merged into one tab (\"Program Control\", sub tab \"Force* Programs\"). 
Lingering Programs & Leader Programs Program stop behaviours are also merged into one tab. File Migration File Migration options have been integrated into the \"File Options\" sub tab of the \"General Options\" tab. Internet Access Sandboxie Plus can not only use the old method of blocking internet access but also the Windows Filtering Platform (WFP), which provides better compatibility. Network Access Additionally, using the WFP facility, a per sandbox firewall can be configured (tab \"Internet Restrictions\" --> sub tab \"Network Firewall Rules\"). Start/Run Access Start restriction options have been promoted to a top level tab. Drop Rights The \"Drop Admin Rights\" option is in the new UI located on the \"Security\" sub tab of the \"General Options\" tab, together with additional security enhancements. Network Files \"Block network files and folders access\" has been moved to the \"Access Restrictions\" sub tab of the \"General Options\" tab. Resource Access The \"Resource Access\" options have been integrated into a joined view which shows all presets in one list, the options can be edited as well as disabled without removing them. Application Compatibility Templates The compatibility Templates are now also presented as a joined view (tab \"App Templates\", sub tab \"Compatibility Templates\"). User Accounts Last but not least, the ability to restrict a box to selected users has been moved to the sub tab \"Users\" of the tab \"Advanced Options\". About Dialog And finally, we have the About dialog. 
As is apparent, Sandboxie Plus has much more additional options not shown here, as this guide is only meant to facilitate the migration from Sandboxie Classic to Sandboxie Plus.","title":"Sandboxie-Plus Migration Guide"},{"location":"Content/PlusMigrationGuide/#sandboxie-plus-migration-guide","text":"This guide shows where all the known Sandboxie functions can be found in the new UI.","title":"Sandboxie-Plus Migration Guide"},{"location":"Content/PlusMigrationGuide/#main-window","text":"The overall layout of the main window of SandMan.exe is exactly the same as the old one in SbieCtrl.exe when the \"Simple View\" is chosen. If the \"Advanced View\" is chosen, there are three additional tabs on the bottom of the window (\"Sbie Messages\" etc.), so it corresponds with what can be seen in the right picture.","title":"Main Window"},{"location":"Content/PlusMigrationGuide/#file-and-sandbox-menus","text":"All important menu commands can be found in similar locations, although some have been moved.","title":"File and Sandbox Menus"},{"location":"Content/PlusMigrationGuide/#create-new-box-dialog","text":"The \"Create New Box\" command opens the new box dialog. Unlike in Classic, here a box type preset can be selected. The feature to copy an existing box can be found now on another place. (See the following unit.)","title":"Create New Box dialog"},{"location":"Content/PlusMigrationGuide/#copying-sandbox-configuration","text":"To copy a existing box configuration, the \"Duplicate Sandbox\" menu command can be used.","title":"Copying Sandbox Configuration"},{"location":"Content/PlusMigrationGuide/#view-menu","text":"The \"View\" menu offers a few more functions, and the option to enable a simplified view mode. 
The recovery log is no longer a separate window but a tab at the bottom (visible when the \"Advanced View\" is chosen).","title":"View Menu"},{"location":"Content/PlusMigrationGuide/#view-menu-files-and-folders","text":"The modern Sandboxie UI has replaced the \"Files and Folders\" view with a separate window that can be opened from the box context menu.","title":"View Menu - Files and Folders"},{"location":"Content/PlusMigrationGuide/#files-and-folders-view-window","text":"The window \"Files\" offers the same functionality as the old view, but enhances it by providing a full context menu.","title":"Files and Folders - view / window"},{"location":"Content/PlusMigrationGuide/#global-settings","text":"The new Sandboxie Plus UI has a global settings window (Options --> Global Settings) where all options are located together on vertical tabs instead of having to open individual windows.","title":"Global Settings"},{"location":"Content/PlusMigrationGuide/#file-system-root","text":"In the modern UI, it is possible to change not only the file system root path, but also the registry root and the IPC root.","title":"File System Root"},{"location":"Content/PlusMigrationGuide/#program-start-monitoring","text":"Sandboxie Plus can not only warn when unboxed processes are started, but it can also prevent them from starting at all.","title":"Program Start monitoring"},{"location":"Content/PlusMigrationGuide/#shell-integration","text":"On this tab, the shell integration can be configured. 
Most functions are available, although some deprecated features were dropped and other options were moved out.","title":"Shell Integration"},{"location":"Content/PlusMigrationGuide/#create-sandbox-shortcut","text":"To create a shortcut to a boxed program, now an option in the box context menu is to be used, which can be reached quicker.","title":"Create Sandbox shortcut"},{"location":"Content/PlusMigrationGuide/#software-compatibility","text":"Also the compatibility dialog is now integrated into the window with the global settings (tab \"Compatibility\").","title":"Software Compatibility"},{"location":"Content/PlusMigrationGuide/#lock-configuration","text":"Starting with version 1.9.0 / 5.64.0, the Configuration Protection options are located in the sub tab \"Sandboxie.ini Presets\" of the tab \"Advanced Config\".","title":"Lock Configuration"},{"location":"Content/PlusMigrationGuide/#sandbox-context-menu","text":"The sandbox context menu is much more advanced, and contains all the options from the old menu. Double click on the sandbox name now opens the sandbox settings.","title":"Sandbox Context Menu"},{"location":"Content/PlusMigrationGuide/#explore-contents","text":"In addition to being able to explore contents, the \"Box Content\" sub menu allows to mount and browse the sandboxed registry.","title":"Explore Contents"},{"location":"Content/PlusMigrationGuide/#sandbox-settings","text":"All functionality from the old Sandbox Settings are now located in the Sandbox Options. 
Some areas are similar, but many have also been moved around.","title":"Sandbox Settings"},{"location":"Content/PlusMigrationGuide/#quick-and-immediate-recover","text":"The options for Quick Recovery and Immediate Recovery have been merged into one tab (\"File Recovery\").","title":"Quick and Immediate Recover"},{"location":"Content/PlusMigrationGuide/#delete-options","text":"The Delete Options have been moved to the sub tab \"File Options\" of the tab \"General Options\".","title":"Delete Options"},{"location":"Content/PlusMigrationGuide/#delete-command","text":"The \"Delete Command\" option can now be found on the sub tab \"Triggers\" of the tab \"Advanced Options\".","title":"Delete Command"},{"location":"Content/PlusMigrationGuide/#program-groups","text":"The new UI supports groups just like the old one.","title":"Program Groups"},{"location":"Content/PlusMigrationGuide/#forced-programs-and-folders","text":"Forced programs and folders are also merged into one tab (\"Program Control\", sub tab \"Force* Programs\").","title":"Forced Programs and Folders"},{"location":"Content/PlusMigrationGuide/#lingering-programs-leader-programs","text":"Program stop behaviours are also merged into one tab.","title":"Lingering Programs & Leader Programs"},{"location":"Content/PlusMigrationGuide/#file-migration","text":"File Migration options have been integrated into the \"File Options\" sub tab of the \"General Options\" tab.","title":"File Migration"},{"location":"Content/PlusMigrationGuide/#internet-access","text":"Sandboxie Plus can not only use the old method of blocking internet access but also the Windows Filtering Platform (WFP), which provides better compatibility.","title":"Internet Access"},{"location":"Content/PlusMigrationGuide/#network-access","text":"Additionally, using the WFP facility, a per sandbox firewall can be configured (tab \"Internet Restrictions\" --> sub tab \"Network Firewall Rules\").","title":"Network 
Access"},{"location":"Content/PlusMigrationGuide/#startrun-access","text":"Start restriction options have been promoted to a top level tab.","title":"Start/Run Access"},{"location":"Content/PlusMigrationGuide/#drop-rights","text":"The \"Drop Admin Rights\" option is in the new UI located on the \"Security\" sub tab of the \"General Options\" tab, together with additional security enhancements.","title":"Drop Rights"},{"location":"Content/PlusMigrationGuide/#network-files","text":"\"Block network files and folders access\" has been moved to the \"Access Restrictions\" sub tab of the \"General Options\" tab.","title":"Network Files"},{"location":"Content/PlusMigrationGuide/#resource-access","text":"The \"Resource Access\" options have been integrated into a joined view which shows all presets in one list, the options can be edited as well as disabled without removing them.","title":"Resource Access"},{"location":"Content/PlusMigrationGuide/#application-compatibility-templates","text":"The compatibility Templates are now also presented as a joined view (tab \"App Templates\", sub tab \"Compatibility Templates\").","title":"Application Compatibility Templates"},{"location":"Content/PlusMigrationGuide/#user-accounts","text":"Last but not least, the ability to restrict a box to selected users has been moved to the sub tab \"Users\" of the tab \"Advanced Options\".","title":"User Accounts"},{"location":"Content/PlusMigrationGuide/#about-dialog","text":"And finally, we have the About dialog. As is apparent, Sandboxie Plus has much more additional options not shown here, as this guide is only meant to facilitate the migration from Sandboxie Classic to Sandboxie Plus.","title":"About Dialog"},{"location":"Content/PopupMessageLog/","text":"Popup Message Log Sandboxie popup messages are displayed by Sandboxie Control in the Messages From Sandboxie pop-up window. 
Please see the documentation for the Messages From Sandboxie pop-up window for more information.","title":"Popup Message Log"},{"location":"Content/PopupMessageLog/#popup-message-log","text":"Sandboxie popup messages are displayed by Sandboxie Control in the Messages From Sandboxie pop-up window. Please see the documentation for the Messages From Sandboxie pop-up window for more information.","title":"Popup Message Log"},{"location":"Content/PortableSandbox/","text":"Portable Sandbox The revised layout of the sandbox that is introduced in version 2.80 allows for greater portability of the sandbox across computers. By redirecting programs to create sandboxed objects which have a nonspecific path, it is possible to populate a sandbox on one computer, then carry this sandbox to another computer and keep using it. For example, consider installing a game program to a portable device such as a USB memory stick which is mounted as drive P. The game may install its files to a folder on drive P, but any menu shortcuts it creates will be installed in the Windows Start menu of the local computer, outside drive P. And any registry keys it creates will also be created in the Windows registry, also outside the USB device. By contrast, if you set the container folder to drive P (for instance P:\\Sandbox ), then install the game into the (sandboxed) drive C, then all objects created by the installation will be redirected to drive P. You can then carry the USB drive to another computer where Sandboxie is installed, and set the container folder on that other computer to drive P. Through the Sandboxie Start menu, you will see the menu shortcuts installed by the game, and when you start it, the game will find its settings as they were recorded in the sandboxed registry. 
Note that Sandboxie itself is not portable software, but it facilitates the portability of a large number of applications.","title":"Portable Sandbox"},{"location":"Content/PortableSandbox/#portable-sandbox","text":"The revised layout of the sandbox that is introduced in version 2.80 allows for greater portability of the sandbox across computers. By redirecting programs to create sandboxed objects which have a nonspecific path, it is possible to populate a sandbox on one computer, then carry this sandbox to another computer and keep using it. For example, consider installing a game program to a portable device such as a USB memory stick which is mounted as drive P. The game may install its files to a folder on drive P, but any menu shortcuts it creates will be installed in the Windows Start menu of the local computer, outside drive P. And any registry keys it creates will also be created in the Windows registry, also outside the USB device. By contrast, if you set the container folder to drive P (for instance P:\\Sandbox ), then install the game into the (sandboxed) drive C, then all objects created by the installation will be redirected to drive P. You can then carry the USB drive to another computer where Sandboxie is installed, and set the container folder on that other computer to drive P. Through the Sandboxie Start menu, you will see the menu shortcuts installed by the game, and when you start it, the game will find its settings as they were recorded in the sandboxed registry. Note that Sandboxie itself is not portable software, but it facilitates the portability of a large number of applications.","title":"Portable Sandbox"},{"location":"Content/PrivacyConcerns/","text":"Privacy Concerns This is an advanced topic, which explains that even after running a program under Sandboxie, your computer may still record which programs were executed or what they did. 
It is important to emphasize that this is not a security breach as it will never allow sandboxed programs to infect or otherwise abuse your computer. However, this may be interesting reading for those concerned with the privacy aspects of using Sandboxie. Overview The guiding principle of Sandboxie is to isolate and contain any actions taken by programs that Sandboxie supervises, for the purpose of keeping your computer and operating system in a clean and healthy state. Most of the side effects of running a program under Sandboxie are in fact caused by the very program that is running under Sandboxie, and are gone when the sandbox is deleted. For example, a Web browser running under Sandboxie will record your browsing history in the sandbox, and this history will be completely erased when you delete the sandbox. Thus it is easy to make a small leap of logic from the guiding principle above, and assume that a principle of Sandboxie is to protect your privacy and clean any all traces caused directly or indirectly by any program running under its supervision. However, this assumption would not be correct. Sandboxie puts a great deal of effort into containing the actions taken by the program it supervises, however Sandboxie makes no effect at all to prevent your own Windows operating system from keeping records of what you do in your computer. One who makes the incorrect assumption of extreme concern for privacy on the part of Sandboxie might be surprised to find several kinds of traces and logs in Windows that record which programs have been running, even inside the sandbox. This page will explain the various known mechanisms that record information about the programs you run, either inside or outside the supervision of Sandboxie. Prefetch and SuperFetch Prefetch, introduced in Windows XP, and SuperFetch, introduced in Windows Vista, make up the prefetcher component in Windows. 
This component is designed to improve application start up time by keeping copies of program files in a location that can be quickly accessed. The copies are kept in a folder called Prefetch that resides within the main Windows folder; typically that is C:\\Windows\\Prefetch . Windows may store copies of programs files in this Prefetch folder even when the programs were executed under Sandboxie. Prefetch behavior can be reduced to caching only programs using during the boot sequence, or to not cache anything at all. Follow these links for more information: https://www.ghacks.net/2008/01/13/enableprefetcher-in-prefetchparameters https://www.howtogeek.com/998/change-superfetch-to-only-cache-system-boot-files-in-vista https://www.howtogeek.com/989/how-to-disable-superfetch-on-windows-vista MUI Cache Windows Explorer records in the registry the names of programs that are launched directly through it. This includes launching programs through the Start menu, the desktop, the quick launch area, or any folder views. It is true even if the right-click \"Run Sandboxed\" action is used to launch the program under Sandboxie. The recorded information is kept in this registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache If launch a program through a Sandboxie facility (such as the Sandboxie Start menu) or through a program which is already running under Sandboxie, then this information is kept in the registry inside the sandbox. There are various third-party registry cleaning tools that can erase this information. Windows Taskbar On Windows 7 and later, Windows Explorer stores information associated with icons on the taskbar. This information includes the icon for the program and the command used to launch it. 
The information is stored in files in the following folder, within the user profile folder: %Appdata%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts The Sandbox Settings > Applications > Miscellaneous settings page includes the setting \"Permit programs to update jump lists in the Windows 7 taskbar\". If this setting is enabled, additional files are created in the following folders, within the user profile folder: %Appdata%\\Microsoft\\Windows\\Recent\\CustomDestinations %Appdata%\\Microsoft\\Windows\\Recent\\AutomaticDestinations Windows Page File During its normal course of operation, Windows sometimes needs to put away the contents of memory used by one program in order to make room for another program. The memory contents are stored in the Windows page file . Programs that run under Sandboxie are still running in the same Windows operating system as any other program in the computer, so portions of sandboxed and normal programs may end up sitting side by side in the same page file. It is possible to configure Windows to clear the contents of the page file at shutdown. More information here and here . It is possible to configure Windows to encrypt the contents of the page file: Run secpol.msc to open the Local Security Policy editor Expand the group labeled Public Key Policies Right-click Properties on the item labeled Encrypting File System Select Allow to enable Encrypting File System (EFS) Click Apply and then OK Reboot to put the new setting into effect Windows Hibernate File Similar to the Windows Page File, the hibernate file stores a copy of the memory and state of the system before the computer is turned off as part of the hibernate process. Thus the hibernate file may contain bits of memory that were used by a sandboxed program. System Restore Restore points are snapshots of the state of the operating system at some points in time. 
The System Restore component in Windows XP and later versions records and restores these snapshots. Snapshots are recorded in the (typically inaccessible) folder called System Volume Information and may include many types of files found throughout the system, including within the folders of the sandbox. Thus it is possible that System Restore will create backup copies in its folders for files or programs that exist only in the sandbox. The System Restore component can be set to ignore files and folders in temporary folders, so moving the sandbox to %TEMP%\\SANDBOX (instead of the default C:\\SANDBOX ) and adding the path within the registry key FilesNotToSnapshot , System Restore should ignore the sandbox when creating a Shadow Copy snapshot. More information here . System, Audit and Other Event Logs Windows sometimes records bits of information about running programs in its various event logs . Typically, very little if any information is logged about a program. However, if security auditing has been enabled for some aspects of the system, Windows will have no trouble logging the details of any actions taken by a program running under Sandboxie. Windows has an Event Viewer program which can be used to view and delete the event logs. More information here . Windows System Tray Icons When a programs which is running under Sandboxie asks to place an icon in the system tray area , Sandboxie lets the program place the icon in the real system tray, which is typically located at the bottom right corner of the display. This has the advantage that interaction with the tray icon of the sandboxed program is as easy as interacting with any other tray icon. However, it also means that Windows will record this icon and its description in the history of all tray icons it has ever displayed. It is possible to manually clear this history in Windows . There may also be third-party registry cleaning tools that can erase this information. 
Disk Defragmentation Disk defragmenter software can be used to organize the contents of the hard disk at the level of data blocks, so that files may be accessed faster by the operating system. Although this is not a privacy concern, the issue of sandboxed programs being able to defragment the disk has been raised and should be addressed. Sandboxie isolation occurs at the higher file level rather than the lower level of data blocks. Moving data blocks around on the disk has no impact on the isolation of the sandbox, and cannot be used by a malicious program to somehow \"move\" its data out of the sandbox. IP Privacy Sandboxie isolation and protection occurs entirely within the local computer and is not visible to any other remote computer. Thus accessing the Internet using a sandboxed program looks the same as accessing the Internet using a program that is not running under Sandboxie. In both cases the remote computer identifies the accessing computer by its IP address. There are various third-party solutions for anonymous Web access. More information here . Windows DNS Host Cache Sandboxie does not prevent the logging and storage of the hosts file (DNS cache) on your Windows machine. This is written to C:\\Windows\\System32\\drivers\\etc .","title":"Privacy Concerns"},{"location":"Content/PrivacyConcerns/#privacy-concerns","text":"This is an advanced topic, which explains that even after running a program under Sandboxie, your computer may still record which programs were executed or what they did. It is important to emphasize that this is not a security breach as it will never allow sandboxed programs to infect or otherwise abuse your computer. However, this may be interesting reading for those concerned with the privacy aspects of using Sandboxie. Overview The guiding principle of Sandboxie is to isolate and contain any actions taken by programs that Sandboxie supervises, for the purpose of keeping your computer and operating system in a clean and healthy state. 
Most of the side effects of running a program under Sandboxie are in fact caused by the very program that is running under Sandboxie, and are gone when the sandbox is deleted. For example, a Web browser running under Sandboxie will record your browsing history in the sandbox, and this history will be completely erased when you delete the sandbox. Thus it is easy to make a small leap of logic from the guiding principle above, and assume that a principle of Sandboxie is to protect your privacy and clean any all traces caused directly or indirectly by any program running under its supervision. However, this assumption would not be correct. Sandboxie puts a great deal of effort into containing the actions taken by the program it supervises, however Sandboxie makes no effect at all to prevent your own Windows operating system from keeping records of what you do in your computer. One who makes the incorrect assumption of extreme concern for privacy on the part of Sandboxie might be surprised to find several kinds of traces and logs in Windows that record which programs have been running, even inside the sandbox. This page will explain the various known mechanisms that record information about the programs you run, either inside or outside the supervision of Sandboxie. Prefetch and SuperFetch Prefetch, introduced in Windows XP, and SuperFetch, introduced in Windows Vista, make up the prefetcher component in Windows. This component is designed to improve application start up time by keeping copies of program files in a location that can be quickly accessed. The copies are kept in a folder called Prefetch that resides within the main Windows folder; typically that is C:\\Windows\\Prefetch . Windows may store copies of programs files in this Prefetch folder even when the programs were executed under Sandboxie. Prefetch behavior can be reduced to caching only programs using during the boot sequence, or to not cache anything at all. 
Follow these links for more information: https://www.ghacks.net/2008/01/13/enableprefetcher-in-prefetchparameters https://www.howtogeek.com/998/change-superfetch-to-only-cache-system-boot-files-in-vista https://www.howtogeek.com/989/how-to-disable-superfetch-on-windows-vista MUI Cache Windows Explorer records in the registry the names of programs that are launched directly through it. This includes launching programs through the Start menu, the desktop, the quick launch area, or any folder views. It is true even if the right-click \"Run Sandboxed\" action is used to launch the program under Sandboxie. The recorded information is kept in this registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache If launch a program through a Sandboxie facility (such as the Sandboxie Start menu) or through a program which is already running under Sandboxie, then this information is kept in the registry inside the sandbox. There are various third-party registry cleaning tools that can erase this information. Windows Taskbar On Windows 7 and later, Windows Explorer stores information associated with icons on the taskbar. This information includes the icon for the program and the command used to launch it. The information is stored in files in the following folder, within the user profile folder: %Appdata%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts The Sandbox Settings > Applications > Miscellaneous settings page includes the setting \"Permit programs to update jump lists in the Windows 7 taskbar\". If this setting is enabled, additional files are created in the following folders, within the user profile folder: %Appdata%\\Microsoft\\Windows\\Recent\\CustomDestinations %Appdata%\\Microsoft\\Windows\\Recent\\AutomaticDestinations Windows Page File During its normal course of operation, Windows sometimes needs to put away the contents of memory used by one program in order to make room for another program. 
The memory contents are stored in the Windows page file . Programs that run under Sandboxie are still running in the same Windows operating system as any other program in the computer, so portions of sandboxed and normal programs may end up sitting side by side in the same page file. It is possible to configure Windows to clear the contents of the page file at shutdown. More information here and here . It is possible to configure Windows to encrypt the contents of the page file: Run secpol.msc to open the Local Security Policy editor Expand the group labeled Public Key Policies Right-click Properties on the item labeled Encrypting File System Select Allow to enable Encrypting File System (EFS) Click Apply and then OK Reboot to put the new setting into effect Windows Hibernate File Similar to the Windows Page File, the hibernate file stores a copy of the memory and state of the system before the computer is turned off as part of the hibernate process. Thus the hibernate file may contain bits of memory that were used by a sandboxed program. System Restore Restore points are snapshots of the state of the operating system at some points in time. The System Restore component in Windows XP and later versions records and restores these snapshots. Snapshots are recorded in the (typically inaccessible) folder called System Volume Information and may include many types of files found throughout the system, including within the folders of the sandbox. Thus it is possible that System Restore will create backup copies in its folders for files or programs that exist only in the sandbox. The System Restore component can be set to ignore files and folders in temporary folders, so moving the sandbox to %TEMP%\\SANDBOX (instead of the default C:\\SANDBOX ) and adding the path within the registry key FilesNotToSnapshot , System Restore should ignore the sandbox when creating a Shadow Copy snapshot. More information here . 
System, Audit and Other Event Logs Windows sometimes records bits of information about running programs in its various event logs . Typically, very little if any information is logged about a program. However, if security auditing has been enabled for some aspects of the system, Windows will have no trouble logging the details of any actions taken by a program running under Sandboxie. Windows has an Event Viewer program which can be used to view and delete the event logs. More information here . Windows System Tray Icons When a programs which is running under Sandboxie asks to place an icon in the system tray area , Sandboxie lets the program place the icon in the real system tray, which is typically located at the bottom right corner of the display. This has the advantage that interaction with the tray icon of the sandboxed program is as easy as interacting with any other tray icon. However, it also means that Windows will record this icon and its description in the history of all tray icons it has ever displayed. It is possible to manually clear this history in Windows . There may also be third-party registry cleaning tools that can erase this information. Disk Defragmentation Disk defragmenter software can be used to organize the contents of the hard disk at the level of data blocks, so that files may be accessed faster by the operating system. Although this is not a privacy concern, the issue of sandboxed programs being able to defragment the disk has been raised and should be addressed. Sandboxie isolation occurs at the higher file level rather than the lower level of data blocks. Moving data blocks around on the disk has no impact on the isolation of the sandbox, and cannot be used by a malicious program to somehow \"move\" its data out of the sandbox. IP Privacy Sandboxie isolation and protection occurs entirely within the local computer and is not visible to any other remote computer. 
Thus accessing the Internet using a sandboxed program looks the same as accessing the Internet using a program that is not running under Sandboxie. In both cases the remote computer identifies the accessing computer by its IP address. There are various third-party solutions for anonymous Web access. More information here . Windows DNS Host Cache Sandboxie does not prevent the logging and storage of the hosts file (DNS cache) on your Windows machine. This is written to C:\\Windows\\System32\\drivers\\etc .","title":"Privacy Concerns"},{"location":"Content/ProcessLimit/","text":"Process Limit ProcessLimit is a sandbox setting in Sandboxie Ini available since v0.9.7 / 5.52.1. This setting allows you to limit the maximum number of processes that Sandboxie will allow in the sandbox at the same time. Note: The start of new processes is delayed for 3 seconds when 80% of the set limit is reached. Once the limit is reached, no new process will be allowed to start (until another process is killed). . . . [DefaultBox] ProcessLimit=100","title":"Process Limit"},{"location":"Content/ProcessLimit/#process-limit","text":"ProcessLimit is a sandbox setting in Sandboxie Ini available since v0.9.7 / 5.52.1. This setting allows you to limit the maximum number of processes that Sandboxie will allow in the sandbox at the same time. Note: The start of new processes is delayed for 3 seconds when 80% of the set limit is reached. Once the limit is reached, no new process will be allowed to start (until another process is killed). . . . [DefaultBox] ProcessLimit=100","title":"Process Limit"},{"location":"Content/ProcessLimit1/","text":"Process Limit 1 ProcessLimit1 and ProcessLimit2 were removed since Sandboxie v0.7.1 / 5.48.5 in favour of ProcessLimit . ProcessLimit1 and ProcessLimit2 were sandbox settings in Sandboxie Ini . They limited the maximum number of processes that Sandboxie allowed in the sandbox at the same time. . . . 
[DefaultBox] ProcessLimit1=100 ProcessLimit2=200 ProcessLimit1: Once the sandbox has more than X programs at the same time, each new program will be delayed for ten seconds before it starts to run. X is the number specified in ProcessLimit1. The length of the delay, ten seconds, is not configurable. ProcessLimit2: Once the sandbox has more than Y programs at the same time, each new program will be immediately terminated. Y is the number specified in ProcessLimit2. The default numbers are 100 and 200 as mentioned above. ProcessLimit2 cannot be smaller than ProcessLimit1. Creative values can turn off one or both modes. For example, ProcessLimit2=999999 will effectively disable the termination feature. On the other hand, ProcessLimit1=50 ProcessLimit2=50 will effectively disable the delaying feature.","title":"Process Limit 1"},{"location":"Content/ProcessLimit1/#process-limit-1","text":"ProcessLimit1 and ProcessLimit2 were removed since Sandboxie v0.7.1 / 5.48.5 in favour of ProcessLimit . ProcessLimit1 and ProcessLimit2 were sandbox settings in Sandboxie Ini . They limited the maximum number of processes that Sandboxie allowed in the sandbox at the same time. . . . [DefaultBox] ProcessLimit1=100 ProcessLimit2=200 ProcessLimit1: Once the sandbox has more than X programs at the same time, each new program will be delayed for ten seconds before it starts to run. X is the number specified in ProcessLimit1. The length of the delay, ten seconds, is not configurable. ProcessLimit2: Once the sandbox has more than Y programs at the same time, each new program will be immediately terminated. Y is the number specified in ProcessLimit2. The default numbers are 100 and 200 as mentioned above. ProcessLimit2 cannot be smaller than ProcessLimit1. Creative values can turn off one or both modes. For example, ProcessLimit2=999999 will effectively disable the termination feature. 
On the other hand, ProcessLimit1=50 ProcessLimit2=50 will effectively disable the delaying feature.","title":"Process Limit 1"},{"location":"Content/ProcessLimit2/","text":"Process Limit 2 Please see Process Limit 1 .","title":"Process Limit 2"},{"location":"Content/ProcessLimit2/#process-limit-2","text":"Please see Process Limit 1 .","title":"Process Limit 2"},{"location":"Content/ProgramNamePrefix/","text":"Program Name Prefix In several settings in the Sandboxie Ini configuration file, a program name can be specified. This tells the setting to take effect only for sandboxed processes that match the program name criteria. The prefix is specified as the name of the executable, with an extension, but without a folder path: iexplore.exe - right C:\\Program Files\\Internet Explorer\\iexplore.exe - wrong The prefix may start with an exclamation point (!) to indicate negative criteria. A comma (,) separates the prefix from the rest of the setting specification. For example: . . . [DefaultBox] OpenFilePath=iexplore.exe,%Favorites% ClosedFilePath=!iexplore.exe,%Favorites% This combination means that Internet Explorer ( iexplore.exe ) has direct access to the Favorites folder and the shortcuts within it. On the other hand, any other program (NOT iexplore.exe , note the exclamation point) is denied any kind of access to that same folder.","title":"Program Name Prefix"},{"location":"Content/ProgramNamePrefix/#program-name-prefix","text":"In several settings in the Sandboxie Ini configuration file, a program name can be specified. This tells the setting to take effect only for sandboxed processes that match the program name criteria. The prefix is specified as the name of the executable, with an extension, but without a folder path: iexplore.exe - right C:\\Program Files\\Internet Explorer\\iexplore.exe - wrong The prefix may start with an exclamation point (!) to indicate negative criteria. A comma (,) separates the prefix from the rest of the setting specification. 
For example: . . . [DefaultBox] OpenFilePath=iexplore.exe,%Favorites% ClosedFilePath=!iexplore.exe,%Favorites% This combination means that Internet Explorer ( iexplore.exe ) has direct access to the Favorites folder and the shortcuts within it. On the other hand, any other program (NOT iexplore.exe , note the exclamation point) is denied any kind of access to that same folder.","title":"Program Name Prefix"},{"location":"Content/ProgramSettings/","text":"Program Settings Overview The Program Settings window is a quick way to configure some of the aspects of Sandboxie. To access the window, right-click on the name of a running sandboxed program to show the context menu, and select Program Settings : (You can also use Shift+F10 or the View menu to show the context menu.) The Program Settings window displays the sandbox where the program is running, the name of the program executable file, and checkboxes for the quick configurations settings. It is composed of two pages. Switch between the pages using the View Page 1 and View Page 2 radio buttons. Page 1 Program Start These settings control how Sandboxie handles programs that start outside any sandbox. Issue alert message SBIE1301 Sandboxie will issue message SBIE1301 whenever this program starts outside any sandbox. See also Configure Menu > Program Alerts . Force program to run in this sandbox Sandboxie will automatically force the program to run in this sandbox. See also Sandbox Settings > Program Start > Forced Programs . Program Stop These settings control how Sandboxie handles this program stopping in this sandbox. Stop this program if it lingers in the sandbox after other programs have ended Sandboxie will automatically terminate this program if it remains running when all other programs stopped. See also Sandbox Settings > Program Stop > Lingering Programs . Stop other programs after this leader program has ended Sandboxie will terminate every other program in the sandbox when this program stops. 
See also Sandbox Settings > Program Stop > Leader Programs . Page 2 These settings control which restrictions apply to this program. Internet Restrictions : Enable restrictions and allow this program to connect to the Internet Enable Internet restrictions in the sandbox, which means no program can connect to the Internet unless explicitly allowed. Additionally, explicitly allows this program to connect to the Internet from this sandbox. See also Sandbox Settings > Restrictions > Internet Access . Start/Run Restrictions : Enable restrictions and allow this program to start Enable Start/Run restrictions in the sandbox, which means no program can start unless explicitly allowed. Additionally, explicitly allows this program to start and run in this sandbox. See also Sandbox Settings > Restrictions > Start/Run Access .","title":"Program Settings"},{"location":"Content/ProgramSettings/#program-settings","text":"","title":"Program Settings"},{"location":"Content/ProgramSettings/#overview","text":"The Program Settings window is a quick way to configure some of the aspects of Sandboxie. To access the window, right-click on the name of a running sandboxed program to show the context menu, and select Program Settings : (You can also use Shift+F10 or the View menu to show the context menu.) The Program Settings window displays the sandbox where the program is running, the name of the program executable file, and checkboxes for the quick configurations settings. It is composed of two pages. Switch between the pages using the View Page 1 and View Page 2 radio buttons.","title":"Overview"},{"location":"Content/ProgramSettings/#page-1","text":"Program Start These settings control how Sandboxie handles programs that start outside any sandbox. Issue alert message SBIE1301 Sandboxie will issue message SBIE1301 whenever this program starts outside any sandbox. See also Configure Menu > Program Alerts . 
Force program to run in this sandbox Sandboxie will automatically force the program to run in this sandbox. See also Sandbox Settings > Program Start > Forced Programs . Program Stop These settings control how Sandboxie handles this program stopping in this sandbox. Stop this program if it lingers in the sandbox after other programs have ended Sandboxie will automatically terminate this program if it remains running when all other programs stopped. See also Sandbox Settings > Program Stop > Lingering Programs . Stop other programs after this leader program has ended Sandboxie will terminate every other program in the sandbox when this program stops. See also Sandbox Settings > Program Stop > Leader Programs .","title":"Page 1"},{"location":"Content/ProgramSettings/#page-2","text":"These settings control which restrictions apply to this program. Internet Restrictions : Enable restrictions and allow this program to connect to the Internet Enable Internet restrictions in the sandbox, which means no program can connect to the Internet unless explicitly allowed. Additionally, explicitly allows this program to connect to the Internet from this sandbox. See also Sandbox Settings > Restrictions > Internet Access . Start/Run Restrictions : Enable restrictions and allow this program to start Enable Start/Run restrictions in the sandbox, which means no program can start unless explicitly allowed. Additionally, explicitly allows this program to start and run in this sandbox. See also Sandbox Settings > Restrictions > Start/Run Access .","title":"Page 2"},{"location":"Content/ProgramStartSettings/","text":"Program Start Settings \"Program Start\" Settings Group Sandboxie Control > Sandbox Settings > Program Start: Settings in this section control which programs will be automatically sandboxed when started outside any sandbox. Put another way, here you select the program which Sandboxie will \"force\" to run sandboxed. 
Forced Folders Sandboxie Control > Sandbox Settings > Program Start > Forced Folders You may designate some folders for automatic, or forced, sandboxing. This means that if any program from that folder starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. Some examples where this is useful: On your \"download\" folder, where you typically download software from the Internet On your CDROM or DVD drive, so \"AutoRun\" programs on CDs and DVDs will start sandboxed. If you install several versions of the same program in separate folders, and wish to isolate each version to a separate sandbox. Use this settings page to select the folders (or drives) to which Forced Folders should apply. Notes: Forced Folders can be temporarily suspended using the Disable Forced Programs command. Forced Folders take precedence over Forced Programs . In other words, when a program matches both a Forced Folders and a Forced Programs setting, the Forced Folder setting will apply, and the Forced Programs setting will be ignored. Related Sandboxie Ini setting: ForceFolder . Forced Programs Sandboxie Control > Sandbox Settings > Program Start > Forced Programs You may designate some program names for automatic, or forced, sandboxing. This means that if that program starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. The most common use for the Forced Programs setting is to set the Web browser to automatically run sandboxed. Use this settings page to select the programs that will be forced to run in the sandbox. Use the Add By Name button to enter the program name, or the Add By File button to select the program file through folder navigation. You can also configure this setting in the Program Settings window. On your \"download\" folder, where you typically download software from the Internet On your CDROM or DVD drive, so \"AutoRun\" programs on the CD or DVD will start sandboxed. 
If you install several versions of the same program in separate folders, and wish to isolate each version to a separate sandbox. Notes: Forced Programs can be temporarily suspended using the Disable Forced Programs command. Forced Folders take precedence over Forced Programs. In other words, when a program matches both a Forced Folders and a Forced Programs setting, the Forced Folder setting will apply, and the Forced Programs setting will be ignored. Related Sandboxie Ini setting: ForceProcess .","title":"Program Start Settings"},{"location":"Content/ProgramStartSettings/#program-start-settings","text":"","title":"Program Start Settings"},{"location":"Content/ProgramStartSettings/#program-start-settings-group","text":"Sandboxie Control > Sandbox Settings > Program Start: Settings in this section control which programs will be automatically sandboxed when started outside any sandbox. Put another way, here you select the program which Sandboxie will \"force\" to run sandboxed.","title":"\"Program Start\" Settings Group"},{"location":"Content/ProgramStartSettings/#forced-folders","text":"Sandboxie Control > Sandbox Settings > Program Start > Forced Folders You may designate some folders for automatic, or forced, sandboxing. This means that if any program from that folder starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. Some examples where this is useful: On your \"download\" folder, where you typically download software from the Internet On your CDROM or DVD drive, so \"AutoRun\" programs on CDs and DVDs will start sandboxed. If you install several versions of the same program in separate folders, and wish to isolate each version to a separate sandbox. Use this settings page to select the folders (or drives) to which Forced Folders should apply. Notes: Forced Folders can be temporarily suspended using the Disable Forced Programs command. Forced Folders take precedence over Forced Programs . 
In other words, when a program matches both a Forced Folders and a Forced Programs setting, the Forced Folder setting will apply, and the Forced Programs setting will be ignored. Related Sandboxie Ini setting: ForceFolder .","title":"Forced Folders"},{"location":"Content/ProgramStartSettings/#forced-programs","text":"Sandboxie Control > Sandbox Settings > Program Start > Forced Programs You may designate some program names for automatic, or forced, sandboxing. This means that if that program starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. The most common use for the Forced Programs setting is to set the Web browser to automatically run sandboxed. Use this settings page to select the programs that will be forced to run in the sandbox. Use the Add By Name button to enter the program name, or the Add By File button to select the program file through folder navigation. You can also configure this setting in the Program Settings window. On your \"download\" folder, where you typically download software from the Internet On your CDROM or DVD drive, so \"AutoRun\" programs on the CD or DVD will start sandboxed. If you install several versions of the same program in separate folders, and wish to isolate each version to a separate sandbox. Notes: Forced Programs can be temporarily suspended using the Disable Forced Programs command. Forced Folders take precedence over Forced Programs. In other words, when a program matches both a Forced Folders and a Forced Programs setting, the Forced Folder setting will apply, and the Forced Programs setting will be ignored. Related Sandboxie Ini setting: ForceProcess .","title":"Forced Programs"},{"location":"Content/ProgramStopSettings/","text":"Program Stop Settings \"Program Stop\" Settings Group Sandboxie Control > Sandbox Settings > Program Stop: Settings in this section control when Sandboxie automatically ends programs that run in the sandbox. 
Lingering Programs Sandboxie Control > Sandbox Settings > Program Stop > Lingering Programs When one sandboxed program starts another program, that other program will be started in the same sandbox. However, the end of first program does not necessarily mean that the second program ends as well. This means that the sandbox can still be active after the primary program in the sandbox has been stopped. For example, viewing a PDF file in Internet Explorer may cause the Adobe Acrobat Reader program (acrord32.exe) to start in the sandbox. The Reader program will linger in the sandbox even after the Internet Explorer program has ended. This behavior is usually not desired. Use this settings page to identify the programs that Sandboxie should automatically stop, if they are lingering in the sandbox after all other (non-lingering) programs have ended. You can also configure this setting in the Program Settings window. (Note that acrord32.exe is already a default setting.) Note: When no program is running in the sandbox, and you explicitly start one of the lingering programs, then that program will not be considered a lingering program, and will not be stopped automatically. For example, if nothing is running in the sandbox, and you explicitly start Adobe Acrobat Reader sandboxed, then Sandboxie will not immediately stop this program. Related Sandboxie Ini setting: LingerProcess . Leader Programs Sandboxie Control > Sandbox Settings > Program Stop > Leader Programs When this sandboxed program ends, Sandboxie will stop all other programs in the sandbox. Use this settings page to identify those programs that should be considered primary programs in the sandbox, such that whenever they finish and stop, all other programs in the sandbox are stopped as well. 
For example, if you have a sandbox dedicated for Web browsing, then rather than listing all possible lingering programs (see Lingering Programs above for a discussion of a lingering program),you can list just the Web browser program as the leader program. You can also configure this setting in the Program Settings window. Related Sandboxie Ini setting: LeaderProcess .","title":"Program Stop Settings"},{"location":"Content/ProgramStopSettings/#program-stop-settings","text":"","title":"Program Stop Settings"},{"location":"Content/ProgramStopSettings/#program-stop-settings-group","text":"Sandboxie Control > Sandbox Settings > Program Stop: Settings in this section control when Sandboxie automatically ends programs that run in the sandbox.","title":"\"Program Stop\" Settings Group"},{"location":"Content/ProgramStopSettings/#lingering-programs","text":"Sandboxie Control > Sandbox Settings > Program Stop > Lingering Programs When one sandboxed program starts another program, that other program will be started in the same sandbox. However, the end of first program does not necessarily mean that the second program ends as well. This means that the sandbox can still be active after the primary program in the sandbox has been stopped. For example, viewing a PDF file in Internet Explorer may cause the Adobe Acrobat Reader program (acrord32.exe) to start in the sandbox. The Reader program will linger in the sandbox even after the Internet Explorer program has ended. This behavior is usually not desired. Use this settings page to identify the programs that Sandboxie should automatically stop, if they are lingering in the sandbox after all other (non-lingering) programs have ended. You can also configure this setting in the Program Settings window. (Note that acrord32.exe is already a default setting.) 
Note: When no program is running in the sandbox, and you explicitly start one of the lingering programs, then that program will not be considered a lingering program, and will not be stopped automatically. For example, if nothing is running in the sandbox, and you explicitly start Adobe Acrobat Reader sandboxed, then Sandboxie will not immediately stop this program. Related Sandboxie Ini setting: LingerProcess .","title":"Lingering Programs"},{"location":"Content/ProgramStopSettings/#leader-programs","text":"Sandboxie Control > Sandbox Settings > Program Stop > Leader Programs When this sandboxed program ends, Sandboxie will stop all other programs in the sandbox. Use this settings page to identify those programs that should be considered primary programs in the sandbox, such that whenever they finish and stop, all other programs in the sandbox are stopped as well. For example, if you have a sandbox dedicated for Web browsing, then rather than listing all possible lingering programs (see Lingering Programs above for a discussion of a lingering program),you can list just the Web browser program as the leader program. You can also configure this setting in the Program Settings window. Related Sandboxie Ini setting: LeaderProcess .","title":"Leader Programs"},{"location":"Content/ProgramsView/","text":"Programs View Sandboxie Control > View Menu > Programs The Programs View is the default view mode in Sandboxie Control . The programs running in each sandbox are displayed here, grouped by sandbox name. The list shows three columns: The Program Name column displays the name of the executable file of the program. For example, the picture shows iexplore.exe , which is the executable name for Internet Explorer. For a row describing a sandbox, this column displays the name of the sandbox. The PID column displays the process ID of the program. This is the same number that appears in the Processes tab of the Windows Task Manager. 
(The Windows Task Manager appears when you press the Ctrl+Shift+Esc keyboard shortcut or Ctrl+Alt+Del, which leads to the Windows logon screen.) For a row describing a sandbox, this column displays Active if any programs are running in the sandbox. The Window Title column displays the title associated with the main window of the program. Use the small + or - icon, located at the start of each Active sandbox row, to expand or collapse the display of programs in the sandbox. Context Menus The Programs View provides context menus for sandboxes and programs. To display a context menu for the item (sandbox or program) in some row, do one of the following: Click the right mouse button anywhere on the row. Select (highlight) the row using the mouse or keyboard, then press Shift+F10. Select (highlight) the row using the mouse or keyboard, then use the View Menu -> Context Menu command. For a sandbox row, the context menu displayed is the same as Sandbox Menu -> Sandbox Sub-Menu . See there for a full description. For a program row, the context menu offers the following commands: The Terminate Program command terminates the program. The Program Settings command displays the Program Settings window for the program. The Resource Access command displays the Sandbox Settings > Resource Access group of settings pages, where the program name is pre-selected in the program name filter ( The list above applies to filter). Go to Sandboxie Control , Files And Folders View , Help Topics .","title":"Programs View"},{"location":"Content/ProgramsView/#programs-view","text":"Sandboxie Control > View Menu > Programs The Programs View is the default view mode in Sandboxie Control . The programs running in each sandbox are displayed here, grouped by sandbox name. The list shows three columns: The Program Name column displays the name of the executable file of the program. For example, the picture shows iexplore.exe , which is the executable name for Internet Explorer. 
For a row describing a sandbox, this column displays the name of the sandbox. The PID column displays the process ID of the program. This is the same number that appears in the Processes tab of the Windows Task Manager. (The Windows Task Manager appears when you press the Ctrl+Shift+Esc keyboard shortcut or Ctrl+Alt+Del, which leads to the Windows logon screen.) For a row describing a sandbox, this column displays Active if any programs are running in the sandbox. The Window Title column displays the title associated with the main window of the program. Use the small + or - icon, located at the start of each Active sandbox row, to expand or collapse the display of programs in the sandbox. Context Menus The Programs View provides context menus for sandboxes and programs. To display a context menu for the item (sandbox or program) in some row, do one of the following: Click the right mouse button anywhere on the row. Select (highlight) the row using the mouse or keyboard, then press Shift+F10. Select (highlight) the row using the mouse or keyboard, then use the View Menu -> Context Menu command. For a sandbox row, the context menu displayed is the same as Sandbox Menu -> Sandbox Sub-Menu . See there for a full description. For a program row, the context menu offers the following commands: The Terminate Program command terminates the program. The Program Settings command displays the Program Settings window for the program. The Resource Access command displays the Sandbox Settings > Resource Access group of settings pages, where the program name is pre-selected in the program name filter ( The list above applies to filter). Go to Sandboxie Control , Files And Folders View , Help Topics .","title":"Programs View"},{"location":"Content/PromptForFileMigration/","text":"Prompt For File Migration PromptForFileMigration is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will prompt for large file migration. For more information, see SBIE2102 . . . . 
[DefaultBox] PromptForFileMigration=n Specifying n indicates sandbox will not prompt user for file migration (the access will be read-only). Related Sandboxie Plus setting: Sandbox Options > File Options > File Migration > Prompt user for large file migration Related Sandboxie Ini setting: CopyLimitKb , CopyLimitSilent","title":"Prompt For File Migration"},{"location":"Content/PromptForFileMigration/#prompt-for-file-migration","text":"PromptForFileMigration is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will prompt for large file migration. For more information, see SBIE2102 . . . . [DefaultBox] PromptForFileMigration=n Specifying n indicates sandbox will not prompt user for file migration (the access will be read-only). Related Sandboxie Plus setting: Sandbox Options > File Options > File Migration > Prompt user for large file migration Related Sandboxie Ini setting: CopyLimitKb , CopyLimitSilent","title":"Prompt For File Migration"},{"location":"Content/ProtectHostImages/","text":"Protect Host Images ProtectHostImages is a sandbox setting in Sandboxie Ini available since v1.9.0 / 5.64.0. This setting can be enabled to prevent processes located outside the sandbox from loading boxed DLLs. . . . [DefaultBox] ProtectHostImages=y Related Sandboxie Plus setting: Sandbox Options > Various Options > Dlls & Extensions > Prevent sandboxed programs installed on host from loading DLLs from the sandbox","title":"Protect Host Images"},{"location":"Content/ProtectHostImages/#protect-host-images","text":"ProtectHostImages is a sandbox setting in Sandboxie Ini available since v1.9.0 / 5.64.0. This setting can be enabled to prevent processes located outside the sandbox from loading boxed DLLs. . . . 
[DefaultBox] ProtectHostImages=y Related Sandboxie Plus setting: Sandbox Options > Various Options > Dlls & Extensions > Prevent sandboxed programs installed on host from loading DLLs from the sandbox","title":"Protect Host Images"},{"location":"Content/ProtectedStorage/","text":"Protected Storage Protected Storage (hereafter PStore) was a small memory space available until Windows 7, managed by the system security component, and usable by applications. Applications that needed to store sensitive information, such as passwords, could use PStore rather than implement means to encrypt and protect that information. Note that PStore memory of one user account is not accessible by another user account; but all programs running in the same user account can see and change information entered into the memory store by any other application. The best application example is Internet Explorer version 6, which uses PStore to store AutoComplete history (such as the Google search box) and passwords in Web forms. (Note that Internet Explorer version 7 still encrypts this information, but no longer uses PStore to do it. Presumably this is an effort to hide the sensitive information from other programs -- most likely spyware that may be running in the same user account.) Sandboxie can provide its own implementation of PStore, for sandboxed applications. This is the default setting, unless altered in Sandbox Settings > Applications > Web Browser . The Sandboxie PStore is stored in the file SbiePst.dat in the sandboxed Windows folder. The Sandboxie implementation of PStore encrypts data using a much weaker method than what the system security component would have done. 
However, information entered into the Sandboxie PStore will likely disappear quickly, as part of the process of deleting the sandbox.","title":"Protected Storage"},{"location":"Content/ProtectedStorage/#protected-storage","text":"Protected Storage (hereafter PStore) was a small memory space available until Windows 7, managed by the system security component, and usable by applications. Applications that needed to store sensitive information, such as passwords, could use PStore rather than implement means to encrypt and protect that information. Note that PStore memory of one user account is not accessible by another user account; but all programs running in the same user account can see and change information entered into the memory store by any other application. The best application example is Internet Explorer version 6, which uses PStore to store AutoComplete history (such as the Google search box) and passwords in Web forms. (Note that Internet Explorer version 7 still encrypts this information, but no longer uses PStore to do it. Presumably this is an effort to hide the sensitive information from other programs -- most likely spyware that may be running in the same user account.) Sandboxie can provide its own implementation of PStore, for sandboxed applications. This is the default setting, unless altered in Sandbox Settings > Applications > Web Browser . The Sandboxie PStore is stored in the file SbiePst.dat in the sandboxed Windows folder. The Sandboxie implementation of PStore encrypts data using a much weaker method than what the system security component would have done. However, information entered into the Sandboxie PStore will likely disappear quickly, as part of the process of deleting the sandbox.","title":"Protected Storage"},{"location":"Content/QuickRecovery/","text":"Quick Recovery Sandboxie Control > Sandbox Menu > Quick Recovery Sandboxie Control > Tray Icon Menu > Quick Recovery Sandboxed programs create files and folders inside the sandbox. 
It may be desirable to move some of these created files out of the sandbox. For instance, a document file downloaded by a sandboxed browser is saved into the sandbox, but that file should be extracted and placed in the Documents folder outside the sandbox. The rudimentary approach is to use the regular, non-sandboxed Windows Explorer to navigate inside the folders that make up the sandbox. By using the Sandbox Menu > Sandbox > Explore Contents command, you can open a folder window (unsandboxed) with a view into the sandbox. You can then navigate in the depth of the sandbox folder, and cut sandboxed files in order to paste them somewhere else. The Quick Recovery feature makes it easier to extract files (and even whole folders) that are created and saved by sandboxed programs. It scans a few sandboxed folders, which have to be selected in advance, and lists the files (and folders) it finds within them. These files (and folders) can be recovered into the corresponding location outside the sandbox, or to any location. To invoke the Quick Recovery window, use the Sandbox Menu > Sandbox > Quick Recovery command (or the corresponding command from the Tray Icon Menu ). Quick Recovery also appear as part of the Delete Sandbox window. The Quick Recovery Window The central area which extends to the lower right corner of the window shows the quick-recoverable files and folders in a particular sandbox. Select a file or folder, and then click one of the two Recover to buttons on the left: Recover to Same Folder moves the file (or folder) from the sandbox to a corresponding location outside the sandbox. For example, the picture above shows the file favicon.ico in the sandboxed Desktop folder. Clicking this command on the file will move it to the real desktop folder. Recover to Any Folder first displays a Browse For Folder dialog box, then moves the file (or folder) to the folder selected in the dialog box. 
These commands are also available if you invoke the context menu on a file or folder, typically by clicking the right mouse button on it. Adding Folders to Quick Recovery As noted, Quick Recovery only scans folders which are explicitly selected. By default, it scans the Desktop , Favorites and Documents folders. Where applicable, your Downloads folder is also considered a recoverable folder. You can add more folders using the Add Folder button. You can use Sandbox Settings > Recovery > Quick Recovery to add and remove folders. When Sandboxie Control is in Files And Folders View view, you can right-click a folder and select Add Folder to Quick Recovery . Go to Delete Sandbox , Immediate Recovery , Sandboxie Control , Help Topics .","title":"Quick Recovery"},{"location":"Content/QuickRecovery/#quick-recovery","text":"Sandboxie Control > Sandbox Menu > Quick Recovery Sandboxie Control > Tray Icon Menu > Quick Recovery Sandboxed programs create files and folders inside the sandbox. It may be desirable to move some of these created files out of the sandbox. For instance, a document file downloaded by a sandboxed browser is saved into the sandbox, but that file should be extracted and placed in the Documents folder outside the sandbox. The rudimentary approach is to use the regular, non-sandboxed Windows Explorer to navigate inside the folders that make up the sandbox. By using the Sandbox Menu > Sandbox > Explore Contents command, you can open a folder window (unsandboxed) with a view into the sandbox. You can then navigate in the depth of the sandbox folder, and cut sandboxed files in order to paste them somewhere else. The Quick Recovery feature makes it easier to extract files (and even whole folders) that are created and saved by sandboxed programs. It scans a few sandboxed folders, which have to be selected in advance, and lists the files (and folders) it finds within them. 
These files (and folders) can be recovered into the corresponding location outside the sandbox, or to any location. To invoke the Quick Recovery window, use the Sandbox Menu > Sandbox > Quick Recovery command (or the corresponding command from the Tray Icon Menu ). Quick Recovery also appear as part of the Delete Sandbox window. The Quick Recovery Window The central area which extends to the lower right corner of the window shows the quick-recoverable files and folders in a particular sandbox. Select a file or folder, and then click one of the two Recover to buttons on the left: Recover to Same Folder moves the file (or folder) from the sandbox to a corresponding location outside the sandbox. For example, the picture above shows the file favicon.ico in the sandboxed Desktop folder. Clicking this command on the file will move it to the real desktop folder. Recover to Any Folder first displays a Browse For Folder dialog box, then moves the file (or folder) to the folder selected in the dialog box. These commands are also available if you invoke the context menu on a file or folder, typically by clicking the right mouse button on it. Adding Folders to Quick Recovery As noted, Quick Recovery only scans folders which are explicitly selected. By default, it scans the Desktop , Favorites and Documents folders. Where applicable, your Downloads folder is also considered a recoverable folder. You can add more folders using the Add Folder button. You can use Sandbox Settings > Recovery > Quick Recovery to add and remove folders. When Sandboxie Control is in Files And Folders View view, you can right-click a folder and select Add Folder to Quick Recovery . Go to Delete Sandbox , Immediate Recovery , Sandboxie Control , Help Topics .","title":"Quick Recovery"},{"location":"Content/Ransomware/","text":"Ransomware Of all the classes of malware, ransomware may be the most destructive because often its not possible to recover from its negative effects. 
While most malware is disruptive in nature (including banking Trojans that steal financial data and credentials, malware that targets information like intellectual property, and those that turn your machines into bots to send out spam campaigns), an organization can eventually recover from their damage after significant cost, effort, and time. Not so with ransomware your important business data can be lost forever. Did you know that ransomware can hold your data hostage, and can't be stopped with anti-virus software alone? Sandboxie runs your programs in an isolated space which prevents malware - including ransomware - from making permanent changes to other programs and data in your computer.","title":"Ransomware"},{"location":"Content/Ransomware/#ransomware","text":"Of all the classes of malware, ransomware may be the most destructive because often its not possible to recover from its negative effects. While most malware is disruptive in nature (including banking Trojans that steal financial data and credentials, malware that targets information like intellectual property, and those that turn your machines into bots to send out spam campaigns), an organization can eventually recover from their damage after significant cost, effort, and time. Not so with ransomware your important business data can be lost forever. Did you know that ransomware can hold your data hostage, and can't be stopped with anti-virus software alone? Sandboxie runs your programs in an isolated space which prevents malware - including ransomware - from making permanent changes to other programs and data in your computer.","title":"Ransomware"},{"location":"Content/ReadFilePath/","text":"Read File Path ReadFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for files, and will not allow writing. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . 
[DefaultBox] ReadFilePath=C:\\WINDOWS This example forces the C:\\WINDOWS folder, and everything below it, to be readable, but not writable (or deletable) by sandboxed programs. Note: ReadFilePath is a restricted form of OpenFilePath . As with OpenFilePath , any already-existing sandboxed contents for the specified file or folder locations, are ignored. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Read-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Read Only","title":"Read File Path"},{"location":"Content/ReadFilePath/#read-file-path","text":"ReadFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will not apply sandboxing for files, and will not allow writing. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . [DefaultBox] ReadFilePath=C:\\WINDOWS This example forces the C:\\WINDOWS folder, and everything below it, to be readable, but not writable (or deletable) by sandboxed programs. Note: ReadFilePath is a restricted form of OpenFilePath . As with OpenFilePath , any already-existing sandboxed contents for the specified file or folder locations, are ignored. Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Read-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Read Only","title":"Read File Path"},{"location":"Content/ReadIpcPath/","text":"Read Ipc Path ReadIpcPath is a sandbox setting in Sandboxie Ini available since v1.0.16 / 5.55.16. It specifies path patterns for which Sandboxie will allow read access to unsandboxed processes or processes in other boxes. This lets sandboxed programs access resources and services provided by programs running outside the sandbox. Program Name Prefix may be specified. Usage: . . . 
[DefaultBox] ReadIpcPath=$:program.exe This example permits a program running inside the sandbox to have read access into the address space of a target process running outside the sandbox or processes in other boxes. The process name of the target process must match the name specified in the setting. It is also possible to restore the old behavior entirely by specifying: . . . [DefaultBox] ReadIpcPath=$:* By default, the only process whose memory can be read is explorer.exe . Many processes requires it and Windows File Explorer should not keep any secrets anyway. To block this, you can use: . . . [DefaultBox] ClosedIpcPath=$:explorer.exe Related Sandboxie Plus settings: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Read Only Sandbox Options > General Options > Restrictions > Other restrictions > Allow to read memory of unsandboxed processes (not recommended)","title":"Read Ipc Path"},{"location":"Content/ReadIpcPath/#read-ipc-path","text":"ReadIpcPath is a sandbox setting in Sandboxie Ini available since v1.0.16 / 5.55.16. It specifies path patterns for which Sandboxie will allow read access to unsandboxed processes or processes in other boxes. This lets sandboxed programs access resources and services provided by programs running outside the sandbox. Program Name Prefix may be specified. Usage: . . . [DefaultBox] ReadIpcPath=$:program.exe This example permits a program running inside the sandbox to have read access into the address space of a target process running outside the sandbox or processes in other boxes. The process name of the target process must match the name specified in the setting. It is also possible to restore the old behavior entirely by specifying: . . . [DefaultBox] ReadIpcPath=$:* By default, the only process whose memory can be read is explorer.exe . Many processes requires it and Windows File Explorer should not keep any secrets anyway. To block this, you can use: . . . 
[DefaultBox] ClosedIpcPath=$:explorer.exe Related Sandboxie Plus settings: Sandbox Options > Resource Access > IPC > Add IPC Path > Access column > Read Only Sandbox Options > General Options > Restrictions > Other restrictions > Allow to read memory of unsandboxed processes (not recommended)","title":"Read Ipc Path"},{"location":"Content/ReadKeyPath/","text":"Read Key Path ReadKeyPath is a sandbox setting in Sandboxie Ini . It specifies a path patterns, for which Sandboxie will not apply sandboxing for registry keys, and will not allow writing. Program Name Prefix may be specified. Example: . . . [DefaultBox] ReadKeyPath=HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies This example forces the Policies key, and everything below it, to be readable, but not writable (or deletable) by sandboxed programs. Note: ReadKeyPath is a restricted form of OpenKeyPath . As with OpenKeyPath , any already-existing sandboxed contents for the specified file or folder locations, are ignored. Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Read-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Read Only","title":"Read Key Path"},{"location":"Content/ReadKeyPath/#read-key-path","text":"ReadKeyPath is a sandbox setting in Sandboxie Ini . It specifies a path patterns, for which Sandboxie will not apply sandboxing for registry keys, and will not allow writing. Program Name Prefix may be specified. Example: . . . [DefaultBox] ReadKeyPath=HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies This example forces the Policies key, and everything below it, to be readable, but not writable (or deletable) by sandboxed programs. Note: ReadKeyPath is a restricted form of OpenKeyPath . As with OpenKeyPath , any already-existing sandboxed contents for the specified file or folder locations, are ignored. 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Read-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Read Only","title":"Read Key Path"},{"location":"Content/RecoverFolder/","text":"Recover Folder RecoverFolder is a sandbox setting in Sandboxie Ini . It specifies the sandboxed folders that Quick Recovery should examine. Shell Folders may be specified. For example: . . . [DefaultBox] RecoverFolder=%Personal% RecoverFolder=C:\\Downloads [InstallBox] RecoverFolder=D:\\Program Files The first two example settings specify that Quick Recovery from the DefaultBox sandbox should look in the Documents and the Downloads folders in drive C. The third example setting specifies that QuickRecovery from the InstallBox sandbox should look in the Program Files folder in drive D. Note that when Quick Recovery looks in the specified folder, it also looks in any folders within that folder, and any folders within those folders, for as many levels of depth as are needed. Related Sandboxie Control setting: Sandbox Settings > Recovery > Quick Recovery","title":"Recover Folder"},{"location":"Content/RecoverFolder/#recover-folder","text":"RecoverFolder is a sandbox setting in Sandboxie Ini . It specifies the sandboxed folders that Quick Recovery should examine. Shell Folders may be specified. For example: . . . [DefaultBox] RecoverFolder=%Personal% RecoverFolder=C:\\Downloads [InstallBox] RecoverFolder=D:\\Program Files The first two example settings specify that Quick Recovery from the DefaultBox sandbox should look in the Documents and the Downloads folders in drive C. The third example setting specifies that QuickRecovery from the InstallBox sandbox should look in the Program Files folder in drive D. 
Note that when Quick Recovery looks in the specified folder, it also looks in any folders within that folder, and any folders within those folders, for as many levels of depth as are needed. Related Sandboxie Control setting: Sandbox Settings > Recovery > Quick Recovery","title":"Recover Folder"},{"location":"Content/RecoverySettings/","text":"Recovery Settings \"Recovery\" Settings Group Sandboxie Control > Sandbox Settings > Recovery: While you can manually explore the contents of the sandbox and extract the files you need, Sandboxie has a Quick Recovery tool that scans particular folders and informs you if any files are available for recovery out of the sandbox. The Recovery group configures this tool. Quick Recovery Sandboxie Control > Sandbox Settings > Recovery > Quick Recovery: Use this settings page to add and remove folders that should be scanned by Sandboxie. You can also influence this setting indirectly: In Files And Folders View , by right-clicking on folder items and invoking the actions Add Folder to Quick Recovery or Remove Folder from Quick Recovery . In the Delete Sandbox or Quick Recovery windows, by clicking the Add Folder button. Related Sandboxie Ini setting: RecoverFolder . Immediate Recovery Sandboxie Control > Sandbox Settings > Recovery > Immediate Recovery: The Quick Recovery tool scans folders only when invoked, which is either explicitly, or when the sandbox is about to be deleted. Immediate Recovery is an extension which notifies you about recoverable files as soon as they are created by a sandboxed program. This behavior is usually useful and is enabled by default, but it may be disabled if so desired. It may also be desirable to keep Immediate Recovery enabled, but exclude some file types from Immediate Recovery. 
For example: You may want to receive Immediate Recovery notifications about document files saved to the (sandboxed) desktop, but not about shortcuts ( .LNK ) files that may be created on the desktop during the installation of sandboxed programs. Use this settings page to enable or disable the Immediate Recovery extension, and configure exclusions to Immediate Recovery. Related Sandboxie Ini settings: AutoRecover , AutoRecoverIgnore .","title":"Recovery Settings"},{"location":"Content/RecoverySettings/#recovery-settings","text":"","title":"Recovery Settings"},{"location":"Content/RecoverySettings/#recovery-settings-group","text":"Sandboxie Control > Sandbox Settings > Recovery: While you can manually explore the contents of the sandbox and extract the files you need, Sandboxie has a Quick Recovery tool that scans particular folders and informs you if any files are available for recovery out of the sandbox. The Recovery group configures this tool.","title":"\"Recovery\" Settings Group"},{"location":"Content/RecoverySettings/#quick-recovery","text":"Sandboxie Control > Sandbox Settings > Recovery > Quick Recovery: Use this settings page to add and remove folders that should be scanned by Sandboxie. You can also influence this setting indirectly: In Files And Folders View , by right-clicking on folder items and invoking the actions Add Folder to Quick Recovery or Remove Folder from Quick Recovery . In the Delete Sandbox or Quick Recovery windows, by clicking the Add Folder button. Related Sandboxie Ini setting: RecoverFolder .","title":"Quick Recovery"},{"location":"Content/RecoverySettings/#immediate-recovery","text":"Sandboxie Control > Sandbox Settings > Recovery > Immediate Recovery: The Quick Recovery tool scans folders only when invoked, which is either explicitly, or when the sandbox is about to be deleted. Immediate Recovery is an extension which notifies you about recoverable files as soon as they are created by a sandboxed program. 
This behavior is usually useful and is enabled by default, but it may be disabled if so desired. It may also be desirable to keep Immediate Recovery enabled, but exclude some file types from Immediate Recovery. For example: You may want to receive Immediate Recovery notifications about document files saved to the (sandboxed) desktop, but not about shortcuts ( .LNK ) files that may be created on the desktop during the installation of sandboxed programs. Use this settings page to enable or disable the Immediate Recovery extension, and configure exclusions to Immediate Recovery. Related Sandboxie Ini settings: AutoRecover , AutoRecoverIgnore .","title":"Immediate Recovery"},{"location":"Content/ResourceAccess/","text":"Resource Access In Sandboxie, various Resource Access Settings apply only to programs installed outside of Sandboxie, as not to be bypassed by sandboxed programs changing their exe name. The following table shows which settings apply to what installation locations. Outside Inside ClosedFilePath Yes Yes ClosedIpcPath Yes Yes ClosedKeyPath Yes Yes ClosedRT Yes Yes OpenClsid Yes Yes ClosedClsid Yes Yes OpenConfPath Yes Yes OpenFilePath Yes No OpenIpcPath Yes Yes OpenKeyPath Yes No OpenPipePath Yes Yes OpenWinClass Yes Yes NoRenameWinClass Yes Yes NormalFilePath Read-only Yes NormalIpcPath Read-only Yes NormalKeyPath Read-only Yes ReadFilePath Read-only No ReadIpcPath Read-only No ReadKeyPath Read-only No WriteFilePath No Yes WriteKeyPath No Yes Note that all Close...=!,... excludes only programs from outside the sandbox.","title":"Resource Access"},{"location":"Content/ResourceAccess/#resource-access","text":"In Sandboxie, various Resource Access Settings apply only to programs installed outside of Sandboxie, as not to be bypassed by sandboxed programs changing their exe name. The following table shows which settings apply to what installation locations. 
Outside Inside ClosedFilePath Yes Yes ClosedIpcPath Yes Yes ClosedKeyPath Yes Yes ClosedRT Yes Yes OpenClsid Yes Yes ClosedClsid Yes Yes OpenConfPath Yes Yes OpenFilePath Yes No OpenIpcPath Yes Yes OpenKeyPath Yes No OpenPipePath Yes Yes OpenWinClass Yes Yes NoRenameWinClass Yes Yes NormalFilePath Read-only Yes NormalIpcPath Read-only Yes NormalKeyPath Read-only Yes ReadFilePath Read-only No ReadIpcPath Read-only No ReadKeyPath Read-only No WriteFilePath No Yes WriteKeyPath No Yes Note that all Close...=!,... excludes only programs from outside the sandbox.","title":"Resource Access"},{"location":"Content/ResourceAccessMonitor/","text":"Resource Access Monitor (for Sandboxie Classic) The Resource Access Monitor tool displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie. Designed to make it easy to identify those system resources which should be excluded from sandboxing, this tool can be used with the Sandboxie Trace options. Important: Please consider to use the Resource Access Monitor before opening a new issue. Using the Monitor 1. To activate the monitor, expand or open the Sandboxie Control window, then select the File Menu -> Resource Access Monitor command. 2. You should typically activate the monitor before any programs are running in any sandbox. Note that the Resource Access Monitor window blocks access to the Sandboxie Control main window, including its menu, so you will have to start sandboxed programs through the Tray Icon Menu . 3. When the monitor is activated and its window appears on the screen, it immediately starts to collect and display resource access information from all sandboxed programs that are running. 4. At this point, perform any specific tasks that fail when done under the supervision of Sandboxie. 5. Finally, click the button labeled Copy Contents to Clipboard and Close Window . This copies the collected data into the clipboard, and de-activates the monitor. 6. 
You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis. Performance Impact When inactive, the Resource Access Monitor does not use any system resources and does not have any performance impact on any running programs. When active, the Resource Access Monitor consumes 64K bytes of system memory and has a small performance penalty on sandboxed programs. Network Administrators may want to use the MonitorAdminOnly setting to restrict the use of this tool for user accounts which are not members of the Administrators group.","title":"Resource Access Monitor (for Sandboxie Classic)"},{"location":"Content/ResourceAccessMonitor/#resource-access-monitor-for-sandboxie-classic","text":"The Resource Access Monitor tool displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie. Designed to make it easy to identify those system resources which should be excluded from sandboxing, this tool can be used with the Sandboxie Trace options. Important: Please consider to use the Resource Access Monitor before opening a new issue.","title":"Resource Access Monitor (for Sandboxie Classic)"},{"location":"Content/ResourceAccessMonitor/#using-the-monitor","text":"1. To activate the monitor, expand or open the Sandboxie Control window, then select the File Menu -> Resource Access Monitor command. 2. You should typically activate the monitor before any programs are running in any sandbox. Note that the Resource Access Monitor window blocks access to the Sandboxie Control main window, including its menu, so you will have to start sandboxed programs through the Tray Icon Menu . 3. When the monitor is activated and its window appears on the screen, it immediately starts to collect and display resource access information from all sandboxed programs that are running. 4. At this point, perform any specific tasks that fail when done under the supervision of Sandboxie. 5. 
Finally, click the button labeled Copy Contents to Clipboard and Close Window . This copies the collected data into the clipboard, and de-activates the monitor. 6. You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis.","title":"Using the Monitor"},{"location":"Content/ResourceAccessMonitor/#performance-impact","text":"When inactive, the Resource Access Monitor does not use any system resources and does not have any performance impact on any running programs. When active, the Resource Access Monitor consumes 64K bytes of system memory and has a small performance penalty on sandboxed programs. Network Administrators may want to use the MonitorAdminOnly setting to restrict the use of this tool for user accounts which are not members of the Administrators group.","title":"Performance Impact"},{"location":"Content/ResourceAccessSettings/","text":"Resource Access Settings \"Resource Access\" Settings Group Sandboxie Control > Sandbox Settings > Resource Access Programs that run in a sandbox are generally not allowed to access system resources directly. In some cases, it may be desirable to make exceptions to this rule. The settings here display and change that set of exceptions. Examples where exceptions are convenient or necessary: Allow direct access to some specific folder. For example, let the Web browser place downloads directly in a Downloads folder. See the File Access category below. A program may need access to some resource for correct operation. If the program is known and trusted, it is reasonable to make such an exception. See Known Conflicts for some examples. Configuration changes do not apply to programs that are already running sandboxed at the time the configuration is changed. To keep things simple, you are advised to make configuration changes when no programs are running in the sandbox. 
General Information Each settings page within the Resource Access group generally has the following characteristics: There is a Title for the page, for example, Direct File Acccess or Read-Only Registry Access . There is a Short Explanation describing what the setting does. There is a List of Resources that shows the resources that get a special treatment. Depending on the particular setting, it may mean that those resources will be fully accessible to sandboxed programs. Or it may mean that these resources will not be accessible at all. The Short Explanation briefly describes the relationship between those resources and the programs which access them. You should also consult the documentation below for the particular setting, to fully understand what this means. The resources in the list may apply only to a particular program. Generally, however, they apply to All Programs . There is an Add button which adds a new resource entry to the list. There is an Edit/Add (sometimes just Edit ) which edits a resource entry in the list, or adds a new resource entry to the list. There is a Remove button which removes a resource entry from the list. There is a list-box labeled The list above applies to. This list-box associates the resources with a specific program. By default, resources apply to All Programs as shown in the example above. You can select to apply resources to a specific program, by selecting that program from the list-box. You can also type the name of the specific program directly into the list-box. You can also use the Add Pgm button to select a specific program by navigating to its folder. File Access Sandboxie Control > Sandbox Settings > Resource Access > File Access This category manages the following types of resources: Files, folders, drives, and other devices. See General Information above for more information about editing resources and associating resources with particular programs. 
File Access > Direct Access Allow direct access to some file or folder, bypassing the supervision of Sandboxie. For example, if you add a folder C:\\Downloads , then a program running under Sandboxie will be able to create or update files in that folder. Note that Direct Access exclusions do not apply when the program itself resides in the sandbox. For example, suppose that you allow direct access to a C:\\Downloads folder, and then you go on to install a new Web browser into the sandbox. This new sandboxed browser will not have direct access to the C:\\Downloads folder. Related Sandboxie Ini settings: OpenFilePath File Access > Full Access Similar to Direct Access , but always applies, even if the sandboxed program itself resides in the sandbox. For better protection, you are advised to use Direct Access rather than Full Access whenever possible. Related Sandboxie Ini settings: OpenPipePath File Access > Read-Only Access This access mode excludes the effects of sandboxing on a file (or folder) resource, while allowing a program to read, but not modify, the real resource. Related Sandboxie Ini settings: ReadFilePath File Access > Write-Only Access This access mode hides all files and folders which are located within the selected folder outside the sandbox. However, programs in the sandbox can create new files within the corresponding folder in the sandbox. This setting can only be used effectively on folders. If a file is selected, the effect is the same as the Blocked Access setting (see below). Related Sandboxie Ini settings: WriteFilePath File Access > Blocked Access Deny all access to the resource, for example to a folder containing sensitive data. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for C:\\Downloads appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the folder. 
Related Sandboxie Ini settings: ClosedFilePath Registry Access Sandboxie Control > Sandbox Settings > Resource Access > Registry Access This category manages registry key resources. The registry is a mechanism provided by Windows for programs to store configuration and settings. See General Information above for more information about editing resources and associating resources with particular programs. Registry Access > Direct Access Allow direct access to a registry key resource. Note that Direct Access exclusions do not apply when the program itself resides in the sandbox. This is described in more detail in the File Access category above. Note that unlike in the File Access category, there is no Full Access access mode for registry keys. Related Sandboxie Ini settings: OpenKeyPath Registry Access > Read-Only Access This access mode excludes the effects of sandboxing on a registry key resource, while allowing a program to read, but not modify, the real resource. Related Sandboxie Ini settings: ReadKeyPath Registry Access > Write-Only Access This access mode hides all registry data which is located within the selected registry key outside the sandbox. However, programs in the sandbox can create new registry data within the corresponding folder in the sandbox. Related Sandboxie Ini settings: WriteKeyPath Registry Access > Blocked Access Deny all access to a registry key resource, for example to a key containing Windows policy settings. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for a registry key appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the registry key. Related Sandboxie Ini settings: ClosedKeyPath IPC Access Sandboxie Control > Sandbox Settings > Resource Access > IPC Access This category manages exclusions for NT IPC objects. These resources are created by programs running the system as a way to coordinate operations or otherwise communicate. 
See General Information above for more information about editing resources and associating resources with particular programs. IPC Access > Direct Access Allow direct access to an IPC object resource. Note that unlike in the File Access and Registry Access categories, Direct Access exclusions for IPC objects always apply to all sandboxed programs. Related Sandboxie Ini settings: OpenIpcPath IPC Access > Blocked Access Deny all access to an IPC object resource. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for an IPC object appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the object. This setting can be used to override default IPC Access > Direct Access settings in Sandboxie, and block the access. For example, by default Sandboxie allows sandboxed programs to access the audio device. To override this and cut off audio output by sandboxed programs, add an exclusion for \\RPC Control\\AudioSrv . Related Sandboxie Ini settings: ClosedIpcPath Window Access Sandboxie Control > Sandbox Settings > Resource Access > Window Access This category manages exclusions for window classes. These resources are primarily related to windows displayed on the screen, but can also be used by programs as a way to coordinate operations or otherwise communicate. You can specify which window classes, that were created outside the sandbox, will be available for use by sandboxed programs. See General Information above for more information about editing resources and associating resources with particular programs. Related Sandboxie Ini settings: OpenWinClass COM Access Sandboxie Control > Sandbox Settings > Resource Access > COM Access This category manages exclusions for COM classes. These resources represent objects which are used as a way to coordinate operations or otherwise communicate. 
You can specify the COM class identifiers for those COM objects that exist outside the sandbox, and which should be accessible to sandboxed programs. See General Information above for more information about editing resources and associating resources with particular programs. Related Sandboxie Ini settings: OpenClsid","title":"Resource Access Settings"},{"location":"Content/ResourceAccessSettings/#resource-access-settings","text":"","title":"Resource Access Settings"},{"location":"Content/ResourceAccessSettings/#resource-access-settings-group","text":"Sandboxie Control > Sandbox Settings > Resource Access Programs that run in a sandbox are generally not allowed to access system resources directly. In some cases, it may be desirable to make exceptions to this rule. The settings here display and change that set of exceptions. Examples where exceptions are convenient or necessary: Allow direct access to some specific folder. For example, let the Web browser place downloads directly in a Downloads folder. See the File Access category below. A program may need access to some resource for correct operation. If the program is known and trusted, it is reasonable to make such an exception. See Known Conflicts for some examples. Configuration changes do not apply to programs that are already running sandboxed at the time the configuration is changed. To keep things simple, you are advised to make configuration changes when no programs are running in the sandbox.","title":"\"Resource Access\" Settings Group"},{"location":"Content/ResourceAccessSettings/#general-information","text":"Each settings page within the Resource Access group generally has the following characteristics: There is a Title for the page, for example, Direct File Acccess or Read-Only Registry Access . There is a Short Explanation describing what the setting does. There is a List of Resources that shows the resources that get a special treatment. 
Depending on the particular setting, it may mean that those resources will be fully accessible to sandboxed programs. Or it may mean that these resources will not be accessible at all. The Short Explanation briefly describes the relationship between those resources and the programs which access them. You should also consult the documentation below for the particular setting, to fully understand what this means. The resources in the list may apply only to a particular program. Generally, however, they apply to All Programs . There is an Add button which adds a new resource entry to the list. There is an Edit/Add (sometimes just Edit ) which edits a resource entry in the list, or adds a new resource entry to the list. There is a Remove button which removes a resource entry from the list. There is a list-box labeled The list above applies to. This list-box associates the resources with a specific program. By default, resources apply to All Programs as shown in the example above. You can select to apply resources to a specific program, by selecting that program from the list-box. You can also type the name of the specific program directly into the list-box. You can also use the Add Pgm button to select a specific program by navigating to its folder.","title":"General Information"},{"location":"Content/ResourceAccessSettings/#file-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > File Access This category manages the following types of resources: Files, folders, drives, and other devices. See General Information above for more information about editing resources and associating resources with particular programs.","title":"File Access"},{"location":"Content/ResourceAccessSettings/#file-access-direct-access","text":"Allow direct access to some file or folder, bypassing the supervision of Sandboxie. For example, if you add a folder C:\\Downloads , then a program running under Sandboxie will be able to create or update files in that folder. 
Note that Direct Access exclusions do not apply when the program itself resides in the sandbox. For example, suppose that you allow direct access to a C:\\Downloads folder, and then you go on to install a new Web browser into the sandbox. This new sandboxed browser will not have direct access to the C:\\Downloads folder. Related Sandboxie Ini settings: OpenFilePath","title":"File Access > Direct Access"},{"location":"Content/ResourceAccessSettings/#file-access-full-access","text":"Similar to Direct Access , but always applies, even if the sandboxed program itself resides in the sandbox. For better protection, you are advised to use Direct Access rather than Full Access whenever possible. Related Sandboxie Ini settings: OpenPipePath","title":"File Access > Full Access"},{"location":"Content/ResourceAccessSettings/#file-access-read-only-access","text":"This access mode excludes the effects of sandboxing on a file (or folder) resource, while allowing a program to read, but not modify, the real resource. Related Sandboxie Ini settings: ReadFilePath","title":"File Access > Read-Only Access"},{"location":"Content/ResourceAccessSettings/#file-access-write-only-access","text":"This access mode hides all files and folders which are located within the selected folder outside the sandbox. However, programs in the sandbox can create new files within the corresponding folder in the sandbox. This setting can only be used effectively on folders. If a file is selected, the effect is the same as the Blocked Access setting (see below). Related Sandboxie Ini settings: WriteFilePath","title":"File Access > Write-Only Access"},{"location":"Content/ResourceAccessSettings/#file-access-blocked-access","text":"Deny all access to the resource, for example to a folder containing sensitive data. Blocked Access settings take precedence over all other resource access rules. 
For example, if an exclusion for C:\\Downloads appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the folder. Related Sandboxie Ini settings: ClosedFilePath","title":"File Access > Blocked Access"},{"location":"Content/ResourceAccessSettings/#registry-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > Registry Access This category manages registry key resources. The registry is a mechanism provided by Windows for programs to store configuration and settings. See General Information above for more information about editing resources and associating resources with particular programs.","title":"Registry Access"},{"location":"Content/ResourceAccessSettings/#registry-access-direct-access","text":"Allow direct access to a registry key resource. Note that Direct Access exclusions do not apply when the program itself resides in the sandbox. This is described in more detail in the File Access category above. Note that unlike in the File Access category, there is no Full Access access mode for registry keys. Related Sandboxie Ini settings: OpenKeyPath","title":"Registry Access > Direct Access"},{"location":"Content/ResourceAccessSettings/#registry-access-read-only-access","text":"This access mode excludes the effects of sandboxing on a registry key resource, while allowing a program to read, but not modify, the real resource. Related Sandboxie Ini settings: ReadKeyPath","title":"Registry Access > Read-Only Access"},{"location":"Content/ResourceAccessSettings/#registry-access-write-only-access","text":"This access mode hides all registry data which is located within the selected registry key outside the sandbox. However, programs in the sandbox can create new registry data within the corresponding folder in the sandbox. 
Related Sandboxie Ini settings: WriteKeyPath","title":"Registry Access > Write-Only Access"},{"location":"Content/ResourceAccessSettings/#registry-access-blocked-access","text":"Deny all access to a registry key resource, for example to a key containing Windows policy settings. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for a registry key appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the registry key. Related Sandboxie Ini settings: ClosedKeyPath","title":"Registry Access > Blocked Access"},{"location":"Content/ResourceAccessSettings/#ipc-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > IPC Access This category manages exclusions for NT IPC objects. These resources are created by programs running the system as a way to coordinate operations or otherwise communicate. See General Information above for more information about editing resources and associating resources with particular programs.","title":"IPC Access"},{"location":"Content/ResourceAccessSettings/#ipc-access-direct-access","text":"Allow direct access to an IPC object resource. Note that unlike in the File Access and Registry Access categories, Direct Access exclusions for IPC objects always apply to all sandboxed programs. Related Sandboxie Ini settings: OpenIpcPath","title":"IPC Access > Direct Access"},{"location":"Content/ResourceAccessSettings/#ipc-access-blocked-access","text":"Deny all access to an IPC object resource. Blocked Access settings take precedence over all other resource access rules. For example, if an exclusion for an IPC object appears in both Direct Access and Blocked Access , the latter will apply, denying all access to the object. This setting can be used to override default IPC Access > Direct Access settings in Sandboxie, and block the access. For example, by default Sandboxie allows sandboxed programs to access the audio device. 
To override this and cut off audio output by sandboxed programs, add an exclusion for \\RPC Control\\AudioSrv . Related Sandboxie Ini settings: ClosedIpcPath","title":"IPC Access > Blocked Access"},{"location":"Content/ResourceAccessSettings/#window-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > Window Access This category manages exclusions for window classes. These resources are primarily related to windows displayed on the screen, but can also be used by programs as a way to coordinate operations or otherwise communicate. You can specify which window classes, that were created outside the sandbox, will be available for use by sandboxed programs. See General Information above for more information about editing resources and associating resources with particular programs. Related Sandboxie Ini settings: OpenWinClass","title":"Window Access"},{"location":"Content/ResourceAccessSettings/#com-access","text":"Sandboxie Control > Sandbox Settings > Resource Access > COM Access This category manages exclusions for COM classes. These resources represent objects which are used as a way to coordinate operations or otherwise communicate. You can specify the COM class identifiers for those COM objects that exist outside the sandbox, and which should be accessible to sandboxed programs. See General Information above for more information about editing resources and associating resources with particular programs. Related Sandboxie Ini settings: OpenClsid","title":"COM Access"},{"location":"Content/RestrictionsSettings/","text":"Restrictions Settings \"Restrictions\" Settings Group Sandboxie Control > Sandbox Settings > Restrictions Settings in this section are intended to alter the default set of restrictions that Sandboxie places on programs running in the sandbox. You can place additional restrictions on programs, to tighten the security of the sandbox. 
You can relax some of the default restrictions, which is normally not recommended, but may enable some esoteric programs to work. Internet Access Sandboxie Control > Sandbox Settings > Restrictions > Internet Access Use these settings to select which programs, if any, will be allowed to access the Internet in the sandbox. Initially, all programs in the sandbox can access the Internet. Use the Add by Name button to add a program by typing its explicit executable name. Alternatively, use the Add by File button to navigate to the program folder and select its program executable. Blocking of SMB/CIFS which you can block as well by visiting BlockPort When any restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to access the Internet. Use the Remove button to remove some program previously added to the list. The button Block All Programs prevents all programs in the sandbox from accessing the Internet. When this mode is in effect, the button changes to Allow All Programs , and when clicked, will undo the effect of blocking all programs. Issue message SBIE1307 when access is denied : When a program is restricted due to this setting, Sandboxie can issue a notification message. Use this checkbox setting to indicate whether you would like to receive these notifications. See also message SBIE1307 . You can also configure this setting in the Program Settings window. Related Sandboxie Ini settings: ClosedFilePath , Notify Internet Access Denied . Start/Run Access Sandboxie Control > Sandbox Settings > Restrictions > Start/Run Access Use these settings to select which programs, if any, will be allowed to start and run in the sandbox. Initially, all programs in the sandbox can start and run in the sandbox. Use the Add by Name button to add a program by typing its explicit executable name. Alternatively, use the Add by File button to navigate to the program folder and select its program executable. 
When any Start/Run restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to start or run. Use the Remove button to remove some program previously added to the list. The Allow All Programs has the same effect as clicking Remove on each and every entry that appears in the list. Issue message SBIE1308 when access is denied : When a program is restricted due to this setting, Sandboxie can issue a notification message. Use this checkbox setting to indicate whether you would like to receive these notifications. See also message SBIE1308 . You can also configure this setting in the Program Settings window. Related Sandboxie Ini settings: ClosedIpcPath , Notify Start Run Access Denied . Drop Rights Sandboxie Control > Sandbox Settings > Restrictions > Drop Rights The setting in this page causes Sandboxie to strip administrative rights from programs running in this sandbox. Specifically, the security credentials used to start the sandboxed program will not include membership in the Administrators and Power Users groups. Note that this has little effect if you are already running under a non-Administrator user account. Related Sandboxie Ini settings: DropAdminRights . Low-Level Access -REMOVED Hardware Access has been removed from Sandboxie v4 and up. Previous versions of Sandboxie should not be used and they may not function. Sandboxie Control > Sandbox Settings > Restrictions > Low-Level Access This category manages restrictions for several types of global operations which are restricted in some way within the sandbox. Please see the associated Sandboxie Ini settings for more information. 
Permit programs in this sandbox to load kernel mode drivers into the operating system Related Sandboxie Ini settings: BlockDrivers Permit programs in this sandbox to load application (Win32) hooks into other programs Related Sandboxie Ini settings: BlockWinHooks Permit programs in this sandbox to change desktop wallpaper and other system parameters Related Sandboxie Ini settings: BlockSysParam Permit programs in this sandbox to change user account password Related Sandboxie Ini settings: BlockPassword See also message SBIE1309 . Hardware Access -REMOVED Hardware Access has been removed from Sandboxie v4 and up. Previous versions of Sandboxie should not be used and they may not function. Sandboxie Control > Sandbox Settings > Restrictions > Hardware Access This category manages restrictions for three types of global operations which are restricted in some way within the sandbox. Please see the associated Sandboxie Ini settings for more information. Permit programs in this sandbox to simulate keyboard and mouse input Related Sandboxie Ini settings: BlockFakeInput See also message SBIE1304 . Permit programs in this sandbox to manage hardware device configuration Related Sandboxie Ini settings: Template=PlugPlay This setting permits a program to update configuration and drivers for hardware devices. You are advised to keep the hardware access settings in their default, disabled state. However, when running games or other full screen applications in the sandbox, it may be useful to permit the simulation of keyboard and mouse input.","title":"Restrictions Settings"},{"location":"Content/RestrictionsSettings/#restrictions-settings","text":"","title":"Restrictions Settings"},{"location":"Content/RestrictionsSettings/#restrictions-settings-group","text":"Sandboxie Control > Sandbox Settings > Restrictions Settings in this section are intended to alter the default set of restrictions that Sandboxie places on programs running in the sandbox. 
You can place additional restrictions on programs, to tighten the security of the sandbox. You can relax some of the default restrictions, which is normally not recommended, but may enable some esoteric programs to work.","title":"\"Restrictions\" Settings Group"},{"location":"Content/RestrictionsSettings/#internet-access","text":"Sandboxie Control > Sandbox Settings > Restrictions > Internet Access Use these settings to select which programs, if any, will be allowed to access the Internet in the sandbox. Initially, all programs in the sandbox can access the Internet. Use the Add by Name button to add a program by typing its explicit executable name. Alternatively, use the Add by File button to navigate to the program folder and select its program executable. Blocking of SMB/CIFS which you can block as well by visiting BlockPort When any restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to access the Internet. Use the Remove button to remove some program previously added to the list. The button Block All Programs prevents all programs in the sandbox from accessing the Internet. When this mode is in effect, the button changes to Allow All Programs , and when clicked, will undo the effect of blocking all programs. Issue message SBIE1307 when access is denied : When a program is restricted due to this setting, Sandboxie can issue a notification message. Use this checkbox setting to indicate whether you would like to receive these notifications. See also message SBIE1307 . You can also configure this setting in the Program Settings window. Related Sandboxie Ini settings: ClosedFilePath , Notify Internet Access Denied .","title":"Internet Access"},{"location":"Content/RestrictionsSettings/#startrun-access","text":"Sandboxie Control > Sandbox Settings > Restrictions > Start/Run Access Use these settings to select which programs, if any, will be allowed to start and run in the sandbox. 
Initially, all programs in the sandbox can start and run in the sandbox. Use the Add by Name button to add a program by typing its explicit executable name. Alternatively, use the Add by File button to navigate to the program folder and select its program executable. When any Start/Run restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to start or run. Use the Remove button to remove some program previously added to the list. The Allow All Programs has the same effect as clicking Remove on each and every entry that appears in the list. Issue message SBIE1308 when access is denied : When a program is restricted due to this setting, Sandboxie can issue a notification message. Use this checkbox setting to indicate whether you would like to receive these notifications. See also message SBIE1308 . You can also configure this setting in the Program Settings window. Related Sandboxie Ini settings: ClosedIpcPath , Notify Start Run Access Denied .","title":"Start/Run Access"},{"location":"Content/RestrictionsSettings/#drop-rights","text":"Sandboxie Control > Sandbox Settings > Restrictions > Drop Rights The setting in this page causes Sandboxie to strip administrative rights from programs running in this sandbox. Specifically, the security credentials used to start the sandboxed program will not include membership in the Administrators and Power Users groups. Note that this has little effect if you are already running under a non-Administrator user account. 
Related Sandboxie Ini settings: DropAdminRights .","title":"Drop Rights"},{"location":"Content/RestrictionsSettings/#low-level-access-removed","text":"","title":"Low-Level Access -REMOVED"},{"location":"Content/RestrictionsSettings/#hardware-access-has-been-removed-from-sandboxie-v4-and-up","text":"","title":"Hardware Access has been removed from Sandboxie v4 and up."},{"location":"Content/RestrictionsSettings/#previous-versions-of-sandboxie-should-not-be-used-and-they-may-not-function","text":"Sandboxie Control > Sandbox Settings > Restrictions > Low-Level Access This category manages restrictions for several types of global operations which are restricted in some way within the sandbox. Please see the associated Sandboxie Ini settings for more information. Permit programs in this sandbox to load kernel mode drivers into the operating system Related Sandboxie Ini settings: BlockDrivers Permit programs in this sandbox to load application (Win32) hooks into other programs Related Sandboxie Ini settings: BlockWinHooks Permit programs in this sandbox to change desktop wallpaper and other system parameters Related Sandboxie Ini settings: BlockSysParam Permit programs in this sandbox to change user account password Related Sandboxie Ini settings: BlockPassword See also message SBIE1309 .","title":"Previous versions of Sandboxie should not be used and they may not function."},{"location":"Content/RestrictionsSettings/#hardware-access-removed","text":"","title":"Hardware Access -REMOVED"},{"location":"Content/RestrictionsSettings/#hardware-access-has-been-removed-from-sandboxie-v4-and-up_1","text":"","title":"Hardware Access has been removed from Sandboxie v4 and up."},{"location":"Content/RestrictionsSettings/#previous-versions-of-sandboxie-should-not-be-used-and-they-may-not-function_1","text":"Sandboxie Control > Sandbox Settings > Restrictions > Hardware Access This category manages restrictions for three types of global operations which are restricted in some way 
within the sandbox. Please see the associated Sandboxie Ini settings for more information. Permit programs in this sandbox to simulate keyboard and mouse input Related Sandboxie Ini settings: BlockFakeInput See also message SBIE1304 . Permit programs in this sandbox to manage hardware device configuration Related Sandboxie Ini settings: Template=PlugPlay This setting permits a program to update configuration and drivers for hardware devices. You are advised to keep the hardware access settings in their default, disabled state. However, when running games or other full screen applications in the sandbox, it may be useful to permit the simulation of keyboard and mouse input.","title":"Previous versions of Sandboxie should not be used and they may not function."},{"location":"Content/SBIE1101/","text":"SBIE1101 Message: SBIE1101 Sandboxie driver (SbieDrv) version x.yy initialized Logged To: System Event Log Explanation: The driver component of Sandboxie has been successfully initialized. This message is typically logged at some point during the system start-up sequence, once the driver component has started. The message will also be logged after a successful Sandboxie installation, which causes the driver to start or restart.","title":"SBIE1101"},{"location":"Content/SBIE1101/#sbie1101","text":"Message: SBIE1101 Sandboxie driver (SbieDrv) version x.yy initialized Logged To: System Event Log Explanation: The driver component of Sandboxie has been successfully initialized. This message is typically logged at some point during the system start-up sequence, once the driver component has started. The message will also be logged after a successful Sandboxie installation, which causes the driver to start or restart.","title":"SBIE1101"},{"location":"Content/SBIE1102/","text":"SBIE1102 Message: SBIE1102 Sandboxie driver (SbieDrv) unloading Logged To: System Event Log Explanation: The driver component of Sandboxie has stopped. 
This message is typically logged when Sandboxie is upgraded or uninstalled.","title":"SBIE1102"},{"location":"Content/SBIE1102/#sbie1102","text":"Message: SBIE1102 Sandboxie driver (SbieDrv) unloading Logged To: System Event Log Explanation: The driver component of Sandboxie has stopped. This message is typically logged when Sandboxie is upgraded or uninstalled.","title":"SBIE1102"},{"location":"Content/SBIE1103/","text":"SBIE1103 Message: SBIE1103 Sandboxie driver (SbieDrv) version x.yy failed to start Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization due to some error or incompatibility. This message does not specify the cause of the failure. To identify the cause of the failure, examine the Event Log for any other SBIExxxx messages that precede message SBIE1103.","title":"SBIE1103"},{"location":"Content/SBIE1103/#sbie1103","text":"Message: SBIE1103 Sandboxie driver (SbieDrv) version x.yy failed to start Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization due to some error or incompatibility. This message does not specify the cause of the failure. To identify the cause of the failure, examine the Event Log for any other SBIExxxx messages that precede message SBIE1103.","title":"SBIE1103"},{"location":"Content/SBIE1104/","text":"SBIE1104 Message: SBIE1104 Insufficient system resources to complete initialization Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. The cause of the failure is insufficient system resources, typically memory. This message is followed by message SBIE1103 .","title":"SBIE1104"},{"location":"Content/SBIE1104/#sbie1104","text":"Message: SBIE1104 Insufficient system resources to complete initialization Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. 
The cause of the failure is insufficient system resources, typically memory. This message is followed by message SBIE1103 .","title":"SBIE1104"},{"location":"Content/SBIE1105/","text":"SBIE1105 Message: SBIE1105 Unknown operating system version: x.yy Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. The driver component integrates into the core of the operating system (also called the kernel). For this integration to work seamlessly, the driver must recognize the operating system. This message indicates the driver did not recognize the operating system. This message is followed by message SBIE1103 .","title":"SBIE1105"},{"location":"Content/SBIE1105/#sbie1105","text":"Message: SBIE1105 Unknown operating system version: x.yy Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. The driver component integrates into the core of the operating system (also called the kernel). For this integration to work seamlessly, the driver must recognize the operating system. This message indicates the driver did not recognize the operating system. This message is followed by message SBIE1103 .","title":"SBIE1105"},{"location":"Content/SBIE1106/","text":"SBIE1106 Message: SBIE1106 error [ ntstatus / yy] , detail zzz Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This messages indicates the driver experienced an error while trying to determine the installation folder for Sandboxie. The particular problem depends on the yy value in the message. When yy = 11, there was a problem accessing the following registry key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SbieDrv When yy = 22 or 33, there was a problem querying the value ImagePath from the registry key noted above. When yy = 44, there was not enough memory to complete the operation. 
When yy = 55 or 66 or 77, there was some problem accessing the folder specified in the value of ImagePath from the registry key noted above. This message is followed by message SBIE1103 .","title":"SBIE1106"},{"location":"Content/SBIE1106/#sbie1106","text":"Message: SBIE1106 error [ ntstatus / yy] , detail zzz Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This messages indicates the driver experienced an error while trying to determine the installation folder for Sandboxie. The particular problem depends on the yy value in the message. When yy = 11, there was a problem accessing the following registry key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SbieDrv When yy = 22 or 33, there was a problem querying the value ImagePath from the registry key noted above. When yy = 44, there was not enough memory to complete the operation. When yy = 55 or 66 or 77, there was some problem accessing the folder specified in the value of ImagePath from the registry key noted above. This message is followed by message SBIE1103 .","title":"SBIE1106"},{"location":"Content/SBIE1108/","text":"SBIE1108 Message: SBIE1108 Procedure name could not be analyzed Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This messages indicates the driver was unable to locate the specified procedure in the operating system kernel. This message is followed by message SBIE1103 .","title":"SBIE1108"},{"location":"Content/SBIE1108/#sbie1108","text":"Message: SBIE1108 Procedure name could not be analyzed Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This messages indicates the driver was unable to locate the specified procedure in the operating system kernel. 
This message is followed by message SBIE1103 .","title":"SBIE1108"},{"location":"Content/SBIE1109/","text":"SBIE1109 Message: SBIE1109 Invalid license information: [ ntstatus / yy] Logged To: System Event Log Explanation: Sandboxie was unable to read or verify the license/registration information. Sandboxie will start in unregistered mode.","title":"SBIE1109"},{"location":"Content/SBIE1109/#sbie1109","text":"Message: SBIE1109 Invalid license information: [ ntstatus / yy] Logged To: System Event Log Explanation: Sandboxie was unable to read or verify the license/registration information. Sandboxie will start in unregistered mode.","title":"SBIE1109"},{"location":"Content/SBIE1110/","text":"SBIE1110 Message: SBIE1110 Cannot intercept type name , error [ ntstatus / yy] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to integrate into the operating system. This message is followed by message SBIE1103 .","title":"SBIE1110"},{"location":"Content/SBIE1110/#sbie1110","text":"Message: SBIE1110 Cannot intercept type name , error [ ntstatus / yy] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to integrate into the operating system. This message is followed by message SBIE1103 .","title":"SBIE1110"},{"location":"Content/SBIE1111/","text":"SBIE1111 Message: SBIE1111 System DLL name could not be loaded [ ntstatus / yy] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to load the specified system DLL. 
This message is followed by message SBIE1103 .","title":"SBIE1111"},{"location":"Content/SBIE1111/#sbie1111","text":"Message: SBIE1111 System DLL name could not be loaded [ ntstatus / yy] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to load the specified system DLL. This message is followed by message SBIE1103 .","title":"SBIE1111"},{"location":"Content/SBIE1112/","text":"SBIE1112 Message: SBIE1112 Procedure name could not be located Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find the specified procedure in one of the system DLLs. This message is followed by message SBIE1103 .","title":"SBIE1112"},{"location":"Content/SBIE1112/#sbie1112","text":"Message: SBIE1112 Procedure name could not be located Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find the specified procedure in one of the system DLLs. This message is followed by message SBIE1103 .","title":"SBIE1112"},{"location":"Content/SBIE1113/","text":"SBIE1113 Message: SBIE1113 Cannot find Nt system service, reason xx Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find some system procedure. This message is followed by message SBIE1108 , which specifies the related procedure name.","title":"SBIE1113"},{"location":"Content/SBIE1113/#sbie1113","text":"Message: SBIE1113 Cannot find Nt system service, reason xx Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find some system procedure. 
This message is followed by message SBIE1108 , which specifies the related procedure name.","title":"SBIE1113"},{"location":"Content/SBIE1114/","text":"SBIE1114 Message: SBIE1114 Cannot find Zw system service, reason xx Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find some system procedure. This message is followed by message SBIE1108 , which specifies the related procedure name. Note: Reason code 36 can appear on 64-bit Windows, when the Windows built-in Driver Verifier is enabled for the Sandboxie driver SbieDrv .","title":"SBIE1114"},{"location":"Content/SBIE1114/#sbie1114","text":"Message: SBIE1114 Cannot find Zw system service, reason xx Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates the driver was unable to find some system procedure. This message is followed by message SBIE1108 , which specifies the related procedure name. Note: Reason code 36 can appear on 64-bit Windows, when the Windows built-in Driver Verifier is enabled for the Sandboxie driver SbieDrv .","title":"SBIE1114"},{"location":"Content/SBIE1116/","text":"SBIE1116 Message: SBIE1116 Driver failed to register process notification routine [ ntstatus / yy ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie asked the system to provide notifications when processes (applications) start and stop, but the system was not able to accommodate this request. In technical terms, Sandboxie is asking to register a process notification routine, and this request has failed. Errors [C000000D / 11] and [C000009A / 22] Typically the message is issued with the error detail [C000000D / 11] or [C000009A / 22]. This indicates that a number of other security products have already registered such process notification routines. 
The system will only register a limited number of these routines. In this case, the problem may be resolved by uninstalling some other security product, to make room, so to speak, for Sandboxie. Please see Microsoft's hotfix for this issue: https://support.microsoft.com/kb/2922790 This message is followed by message SBIE1103 .","title":"SBIE1116"},{"location":"Content/SBIE1116/#sbie1116","text":"Message: SBIE1116 Driver failed to register process notification routine [ ntstatus / yy ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie asked the system to provide notifications when processes (applications) start and stop, but the system was not able to accommodate this request. In technical terms, Sandboxie is asking to register a process notification routine, and this request has failed. Errors [C000000D / 11] and [C000009A / 22] Typically the message is issued with the error detail [C000000D / 11] or [C000009A / 22]. This indicates that a number of other security products have already registered such process notification routines. The system will only register a limited number of these routines. In this case, the problem may be resolved by uninstalling some other security product, to make room, so to speak, for Sandboxie. Please see Microsoft's hotfix for this issue: https://support.microsoft.com/kb/2922790 This message is followed by message SBIE1103 .","title":"SBIE1116"},{"location":"Content/SBIE1119/","text":"SBIE1119 Message: SBIE1119 Cannot create API device [ ntstatus ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message is issued when the internal logical device object which is used to control Sandboxie could not be created. 
This message is followed by message SBIE1103 .","title":"SBIE1119"},{"location":"Content/SBIE1119/#sbie1119","text":"Message: SBIE1119 Cannot create API device [ ntstatus ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message is issued when the internal logical device object which is used to control Sandboxie could not be created. This message is followed by message SBIE1103 .","title":"SBIE1119"},{"location":"Content/SBIE1120/","text":"SBIE1120 Message: SBIE1120 Mismatch in service name Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not identify the system service specified by name . This message is followed by message SBIE1103 .","title":"SBIE1120"},{"location":"Content/SBIE1120/#sbie1120","text":"Message: SBIE1120 Mismatch in service name Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not identify the system service specified by name . This message is followed by message SBIE1103 .","title":"SBIE1120"},{"location":"Content/SBIE1121/","text":"SBIE1121 Message: SBIE1121 Hook failed for service name Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not intercept and extend the system service specified by name . This message is followed by message SBIE1103 .","title":"SBIE1121"},{"location":"Content/SBIE1121/#sbie1121","text":"Message: SBIE1121 Hook failed for service name Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not intercept and extend the system service specified by name . 
This message is followed by message SBIE1103 .","title":"SBIE1121"},{"location":"Content/SBIE1122/","text":"SBIE1122 Message: SBIE1122 Error: [ ntstatus ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not intercept and extend some system service. This message is followed by message SBIE1121 , which specifies the name of the system service for which the error occurred.","title":"SBIE1122"},{"location":"Content/SBIE1122/#sbie1122","text":"Message: SBIE1122 Error: [ ntstatus ] Logged To: System Event Log Explanation: The driver component of Sandboxie could not complete initialization. This message indicates that Sandboxie could not intercept and extend some system service. This message is followed by message SBIE1121 , which specifies the name of the system service for which the error occurred.","title":"SBIE1122"},{"location":"Content/SBIE1151/","text":"SBIE1151 Message: SBIE1151 Cannot handle instruction [ detail ] Logged To: System Event Log and Popup Message Log . Explanation: Sandboxie attempted to analyze instructions of executable code, and detected an unknown sequence. No further information is available.","title":"SBIE1151"},{"location":"Content/SBIE1151/#sbie1151","text":"Message: SBIE1151 Cannot handle instruction [ detail ] Logged To: System Event Log and Popup Message Log . Explanation: Sandboxie attempted to analyze instructions of executable code, and detected an unknown sequence. No further information is available.","title":"SBIE1151"},{"location":"Content/SBIE1152/","text":"SBIE1152 Message: SBIE1152 Trampoline allocation failed [ ntstatus / yy] Logged To: System Event Log and Popup Message Log . Explanation: Sandboxie could not allocate some memory.","title":"SBIE1152"},{"location":"Content/SBIE1152/#sbie1152","text":"Message: SBIE1152 Trampoline allocation failed [ ntstatus / yy] Logged To: System Event Log and Popup Message Log . 
Explanation: Sandboxie could not allocate some memory.","title":"SBIE1152"},{"location":"Content/SBIE1153/","text":"SBIE1153 Message: SBIE1153 Sandboxie initialization failed. Close all programs and then re-install Sandboxie OR restart your computer. Logged To: System Event Log and Popup Message Log . Explanation: The driver component of Sandboxie completed its first phase of initialization, but failed during the second phase of initialization. The driver remains loaded in the system, but is disabled. You may try to resolve the problem by re-installing Sandboxie, which stops the driver and starts a new instance of the driver. Alternatively, you may restart your computer. In some cases this problem occurs due to some conflict with third-party security software.","title":"SBIE1153"},{"location":"Content/SBIE1153/#sbie1153","text":"Message: SBIE1153 Sandboxie initialization failed. Close all programs and then re-install Sandboxie OR restart your computer. Logged To: System Event Log and Popup Message Log . Explanation: The driver component of Sandboxie completed its first phase of initialization, but failed during the second phase of initialization. The driver remains loaded in the system, but is disabled. You may try to resolve the problem by re-installing Sandboxie, which stops the driver and starts a new instance of the driver. Alternatively, you may restart your computer. In some cases this problem occurs due to some conflict with third-party security software.","title":"SBIE1153"},{"location":"Content/SBIE1201/","text":"SBIE1201 Message: SBIE1201 Not enough memory Logged To: Popup Message Log . Explanation: There was insufficient memory to complete some requested operation. The operation fails.","title":"SBIE1201"},{"location":"Content/SBIE1201/#sbie1201","text":"Message: SBIE1201 Not enough memory Logged To: Popup Message Log . Explanation: There was insufficient memory to complete some requested operation. 
The operation fails.","title":"SBIE1201"},{"location":"Content/SBIE1202/","text":"SBIE1202 Message: SBIE1202 Cannot update license information: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while recording your license/registration information.","title":"SBIE1202"},{"location":"Content/SBIE1202/#sbie1202","text":"Message: SBIE1202 Cannot update license information: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while recording your license/registration information.","title":"SBIE1202"},{"location":"Content/SBIE1203/","text":"SBIE1203 Message: SBIE1203 Cannot build path list (error in name ) Logged To: Popup Message Log . Explanation: Whenever a program starts in the sandbox, Sandboxie applies configuration settings from the Sandboxie Ini file to that program. This error message indicates a problem has occurred while preparing the configuration settings for name . name can be OpenFilePath , OpenPipePath , ClosedFilePath , ReadFilePath , OpenKeyPath , ClosedKeyPath , ReadKeyPath , OpenIpcPath , ClosedIpcPath , or OpenWinClass . This message is similar to message SBIE2317 .","title":"SBIE1203"},{"location":"Content/SBIE1203/#sbie1203","text":"Message: SBIE1203 Cannot build path list (error in name ) Logged To: Popup Message Log . Explanation: Whenever a program starts in the sandbox, Sandboxie applies configuration settings from the Sandboxie Ini file to that program. This error message indicates a problem has occurred while preparing the configuration settings for name . name can be OpenFilePath , OpenPipePath , ClosedFilePath , ReadFilePath , OpenKeyPath , ClosedKeyPath , ReadKeyPath , OpenIpcPath , ClosedIpcPath , or OpenWinClass . This message is similar to message SBIE2317 .","title":"SBIE1203"},{"location":"Content/SBIE1204/","text":"SBIE1204 Message: SBIE1204 Sandbox creation failed for name__[xxxxxxxx / yy] Logged To: Popup Message Log . 
Explanation: Whenever a program starts in a sandbox, Sandboxie should initialize this program with some data and information related to the sandbox in which the program runs. This message indicates that some error has occurred during this initialization.","title":"SBIE1204"},{"location":"Content/SBIE1204/#sbie1204","text":"Message: SBIE1204 Sandbox creation failed for name__[xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Whenever a program starts in a sandbox, Sandboxie should initialize this program with some data and information related to the sandbox in which the program runs. This message indicates that some error has occurred during this initialization.","title":"SBIE1204"},{"location":"Content/SBIE1211/","text":"SBIE1211 Message: SBIE1211 Could not initiate sandboxing for process name Logged To: Popup Message Log . Explanation: Whenever a program starts in a sandbox, Sandboxie has to complete a series of initialization steps which prepare the program to run successfully in the sandbox. This message indicates that one or more of these steps have failed. This is a summary message, and it follows one or more other error messages which indicate the precise cause of the error.","title":"SBIE1211"},{"location":"Content/SBIE1211/#sbie1211","text":"Message: SBIE1211 Could not initiate sandboxing for process name Logged To: Popup Message Log . Explanation: Whenever a program starts in a sandbox, Sandboxie has to complete a series of initialization steps which prepare the program to run successfully in the sandbox. This message indicates that one or more of these steps have failed. This is a summary message, and it follows one or more other error messages which indicate the precise cause of the error.","title":"SBIE1211"},{"location":"Content/SBIE1212/","text":"SBIE1212 Message: SBIE1212 Cannot create directory path__[xxxxxxxx] Logged To: Popup Message Log . 
Explanation: Sandboxie experienced an error while trying to create the sandbox folder identified by path . To change the location of the sandbox folder, use Sandbox Menu -> Set Container Folder or manually edit the FileRootPath configuration setting.","title":"SBIE1212"},{"location":"Content/SBIE1212/#sbie1212","text":"Message: SBIE1212 Cannot create directory path__[xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie experienced an error while trying to create the sandbox folder identified by path . To change the location of the sandbox folder, use Sandbox Menu -> Set Container Folder or manually edit the FileRootPath configuration setting.","title":"SBIE1212"},{"location":"Content/SBIE1213/","text":"SBIE1213 Message: SBIE1213 Cannot create object directory path__[xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie experienced an error while trying to create the sandbox object directory identified by path .","title":"SBIE1213"},{"location":"Content/SBIE1213/#sbie1213","text":"Message: SBIE1213 Cannot create object directory path__[xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie experienced an error while trying to create the sandbox object directory identified by path .","title":"SBIE1213"},{"location":"Content/SBIE1214/","text":"SBIE1214 OBSOLETE Message: SBIE1214 Cannot inject SbieDll [xxxxxxxx] Logged To: Popup Message Log . Explanation: The Sandboxie driver component was not able to inject (load) the Sandboxie DLL component into a sandboxed program that was started in the sandbox. This error rarely occurs, but when it does, it is typically for very small programs or for very large and complicated programs. In either case, it may be possible to work around this error by compressing the program executable file using UPX .","title":"SBIE1214"},{"location":"Content/SBIE1214/#sbie1214","text":"OBSOLETE Message: SBIE1214 Cannot inject SbieDll [xxxxxxxx] Logged To: Popup Message Log . 
Explanation: The Sandboxie driver component was not able to inject (load) the Sandboxie DLL component into a sandboxed program that was started in the sandbox. This error rarely occurs, but when it does, it is typically for very small programs or for very large and complicated programs. In either case, it may be possible to work around this error by compressing the program executable file using UPX .","title":"SBIE1214"},{"location":"Content/SBIE1215/","text":"SBIE1215 OBSOLETE Message: SBIE1215 Cannot resolve path to process image [xxxxxxxx] Logged To: Popup Message Log . Explanation: Some error has prohibited Sandboxie from identifying the full path to a program that was started in the sandbox. Sandboxie requires the full path in order to identify if the program is installed inside or outside the sandbox. This distinction has an effect on settings such as OpenFilePath (compare with OpenPipePath ), ClosedFilePath , ClosedKeyPath and ClosedIpcPath .","title":"SBIE1215"},{"location":"Content/SBIE1215/#sbie1215","text":"OBSOLETE Message: SBIE1215 Cannot resolve path to process image [xxxxxxxx] Logged To: Popup Message Log . Explanation: Some error has prohibited Sandboxie from identifying the full path to a program that was started in the sandbox. Sandboxie requires the full path in order to identify if the program is installed inside or outside the sandbox. This distinction has an effect on settings such as OpenFilePath (compare with OpenPipePath ), ClosedFilePath , ClosedKeyPath and ClosedIpcPath .","title":"SBIE1215"},{"location":"Content/SBIE1216/","text":"SBIE1216 OBSOLETE Message: SBIE1216 Could not query security ID [xxxxxxxx] Logged To: Popup Message Log . Explanation: Some error has prohibited Sandboxie from identifying the security ID (the SID) for a program that was started in the sandbox.","title":"SBIE1216"},{"location":"Content/SBIE1216/#sbie1216","text":"OBSOLETE Message: SBIE1216 Could not query security ID [xxxxxxxx] Logged To: Popup Message Log . 
Explanation: Some error has prohibited Sandboxie from identifying the security ID (the SID) for a program that was started in the sandbox.","title":"SBIE1216"},{"location":"Content/SBIE1222/","text":"SBIE1222 Message: SBIE1222 Cannot restrict token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while removing some privileges from a security token.","title":"SBIE1222"},{"location":"Content/SBIE1222/#sbie1222","text":"Message: SBIE1222 Cannot restrict token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while removing some privileges from a security token.","title":"SBIE1222"},{"location":"Content/SBIE1223/","text":"SBIE1223 Message: SBIE1223 Cannot replace token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while replacing the original security token of a program with a security token that has less privileges.","title":"SBIE1223"},{"location":"Content/SBIE1223/#sbie1223","text":"Message: SBIE1223 Cannot replace token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while replacing the original security token of a program with a security token that has less privileges.","title":"SBIE1223"},{"location":"Content/SBIE1224/","text":"SBIE1224 Message: SBIE1224 Cannot query token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while querying information from a security token.","title":"SBIE1224"},{"location":"Content/SBIE1224/#sbie1224","text":"Message: SBIE1224 Cannot query token: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: Sandboxie has experienced an error while querying information from a security token.","title":"SBIE1224"},{"location":"Content/SBIE1241/","text":"SBIE1241 Message: SBIE1241 Cannot mount registry hive: [xxxxxxxx / yy] Logged To: Popup Message Log . 
Explanation: When a sandboxed program starts, Sandboxie may need to prepare the sandboxed registry for that sandbox. Sandboxie will load the registry hive file into the system. This error message indicates a problem has occurred and the registry hive file was not loaded. If yy is 11, the KeyRootPath setting may be improperly set, causing more than one sandbox to use the same registry location (or registry key). If yy is 22, the registry hive file may be corrupt, or the drive containing the registry hive file (and its associated sandbox) may be full. If yy is 33, the FileRootPath setting may be improperly set, causing more than one sandbox to use the same registry hive file.","title":"SBIE1241"},{"location":"Content/SBIE1241/#sbie1241","text":"Message: SBIE1241 Cannot mount registry hive: [xxxxxxxx / yy] Logged To: Popup Message Log . Explanation: When a sandboxed program starts, Sandboxie may need to prepare the sandboxed registry for that sandbox. Sandboxie will load the registry hive file into the system. This error message indicates a problem has occurred and the registry hive file was not loaded. If yy is 11, the KeyRootPath setting may be improperly set, causing more than one sandbox to use the same registry location (or registry key). If yy is 22, the registry hive file may be corrupt, or the drive containing the registry hive file (and its associated sandbox) may be full. If yy is 33, the FileRootPath setting may be improperly set, causing more than one sandbox to use the same registry hive file.","title":"SBIE1241"},{"location":"Content/SBIE1242/","text":"SBIE1242 OBSOLETE SINCE 0.9.0 / 5.51.0 Message: SBIE1242 Monitor buffer overflow Logged To: Popup Message Log . Explanation: When enabled, the Resource Access Monitor component of Sandboxie records every access attempt by a sandboxed program to some system resource. The name and type of the resource are stored in a \"monitor buffer\". The monitor buffer uses only 64KB of memory. 
Because of the small size of the monitor buffer, it can keep only a limited number of access attempts at the same time. This error indicates the Resource Access Monitor detected more attempts to access resources than the monitor buffer can handle. Effectively, this means that some resource accesses will not be displayed by the Resource Access Monitor. This may or may not be important. A possible solution is to lower the priority level of the sandboxed program, or, in the case of a multiple-processor system, restrict it to just one processor. This would ideally reduce the number of resource accesses that the program can carry out at once.","title":"SBIE1242"},{"location":"Content/SBIE1242/#sbie1242","text":"OBSOLETE SINCE 0.9.0 / 5.51.0 Message: SBIE1242 Monitor buffer overflow Logged To: Popup Message Log . Explanation: When enabled, the Resource Access Monitor component of Sandboxie records every access attempt by a sandboxed program to some system resource. The name and type of the resource are stored in a \"monitor buffer\". The monitor buffer uses only 64KB of memory. Because of the small size of the monitor buffer, it can keep only a limited number of access attempts at the same time. This error indicates the Resource Access Monitor detected more attempts to access resources than the monitor buffer can handle. Effectively, this means that some resource accesses will not be displayed by the Resource Access Monitor. This may or may not be important. A possible solution is to lower the priority level of the sandboxed program, or, in the case of a multiple-processor system, restrict it to just one processor. This would ideally reduce the number of resource accesses that the program can carry out at once.","title":"SBIE1242"},{"location":"Content/SBIE1301/","text":"SBIE1301 Message: SBIE1301 Program program.exe was launched outside of the sandbox Logged To: Popup Message Log . Explanation: This is an informational/warning message. 
This message appears when a Program Alert has been started outside the supervision of Sandboxie. This message also appears when a Forced Program (or a program from a Forced Folder ) has been started, while the Disable Forced Programs mode is in effect. For configuration of Program Alerts , see: Configure Menu -> Program Alerts Program Settings For configuration of Forced Programs , see: SandboxSettings > Forced Programs SandboxSettings > Forced Folders Program Settings","title":"SBIE1301"},{"location":"Content/SBIE1301/#sbie1301","text":"Message: SBIE1301 Program program.exe was launched outside of the sandbox Logged To: Popup Message Log . Explanation: This is an informational/warning message. This message appears when a Program Alert has been started outside the supervision of Sandboxie. This message also appears when a Forced Program (or a program from a Forced Folder ) has been started, while the Disable Forced Programs mode is in effect. For configuration of Program Alerts , see: Configure Menu -> Program Alerts Program Settings For configuration of Forced Programs , see: SandboxSettings > Forced Programs SandboxSettings > Forced Folders Program Settings","title":"SBIE1301"},{"location":"Content/SBIE1303/","text":"SBIE1303 OBSOLETE Message: SBIE1303 Only one sandbox can be active at a time Logged To: Popup Message Log . Explanation: This error message appeared in the unregistered version of Sandboxie when programs were started in more than one sandbox at the same time. The unregistered version was limited in that it can only run programs in one sandbox at a time. This limitation is no longer present since Sandboxie 5.31.4.","title":"SBIE1303"},{"location":"Content/SBIE1303/#sbie1303","text":"OBSOLETE Message: SBIE1303 Only one sandbox can be active at a time Logged To: Popup Message Log . Explanation: This error message appeared in the unregistered version of Sandboxie when programs were started in more than one sandbox at the same time. 
The unregistered version was limited in that it can only run programs in one sandbox at a time. This limitation is no longer present since Sandboxie 5.31.4.","title":"SBIE1303"},{"location":"Content/SBIE1304/","text":"SBIE1304 OBSOLETE Message: SBIE1304 Blocked simulated keyboard or mouse input by process program.exe Logged To: Popup Message Log . Explanation: This warning message appeared when a sandboxed program had simulated keyboard or mouse action which would have been received by a window running in another sandbox or outside any sandboxes. As a result, the keyboard or mouse action was discarded. The point of this protection was to block a scenario where a malicious program running in a sandbox managed to circumvent Sandboxie by communicating with programs outside Sandboxie, such as the Windows Explorer. The malicious program could simulate keyboard actions that would instruct Windows Explorer to navigate into the sandbox and launch a malicious program. Games and Full Screen Applications: Sometimes this message was issued while launching a game or an application. In that case the message was not an indication of malicious activity, and it was safe to hide message SBIE1304, or to disable this protection. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access Related Sandboxie Ini setting: BlockFakeInput .","title":"SBIE1304"},{"location":"Content/SBIE1304/#sbie1304","text":"OBSOLETE Message: SBIE1304 Blocked simulated keyboard or mouse input by process program.exe Logged To: Popup Message Log . Explanation: This warning message appeared when a sandboxed program had simulated keyboard or mouse action which would have been received by a window running in another sandbox or outside any sandboxes. As a result, the keyboard or mouse action was discarded. 
The point of this protection was to block a scenario where a malicious program running in a sandbox managed to circumvent Sandboxie by communicating with programs outside Sandboxie, such as the Windows Explorer. The malicious program could simulate keyboard actions that would instruct Windows Explorer to navigate into the sandbox and launch a malicious program. Games and Full Screen Applications: Sometimes this message was issued while launching a game or an application. In that case the message was not an indication of malicious activity, and it was safe to hide message SBIE1304, or to disable this protection. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access Related Sandboxie Ini setting: BlockFakeInput .","title":"SBIE1304"},{"location":"Content/SBIE1306/","text":"SBIE1306 Message: SBIE1306 Sandboxie driver (SbieDrv) cannot be unloaded now Logged To: Popup Message Log . Explanation: The Sandboxie driver component is in use and cannot be unloaded at this time. Note that the Sandboxie driver component does not respond to the standard, generic \"Stop Service\" request, until a Sandboxie-specific \"Prepare to Stop\" request has been issued. The Sandboxie-specific request may fail if the driver is in use by any other program at the time the request is issued. If the Sandboxie-specific request succeeds, the driver component disables itself, and waits for the generic \"Stop Service\" request before it is unloaded from memory. Note also that the driver component does not honor stop requests from a program that is running under the supervision of Sandboxie.","title":"SBIE1306"},{"location":"Content/SBIE1306/#sbie1306","text":"Message: SBIE1306 Sandboxie driver (SbieDrv) cannot be unloaded now Logged To: Popup Message Log . Explanation: The Sandboxie driver component is in use and cannot be unloaded at this time. 
Note that the Sandboxie driver component does not respond to the standard, generic \"Stop Service\" request, until a Sandboxie-specific \"Prepare to Stop\" request has been issued. The Sandboxie-specific request may fail if the driver is in use by any other program at the time the request is issued. If the Sandboxie-specific request succeeds, the driver component disables itself, and waits for the generic \"Stop Service\" request before it is unloaded from memory. Note also that the driver component does not honor stop requests from a program that is running under the supervision of Sandboxie.","title":"SBIE1306"},{"location":"Content/SBIE1307/","text":"SBIE1307 Message: SBIE1307 Program cannot access the Internet due to restrictions - program.exe Logged To: Popup Message Log . Explanation: Internet Access restrictions are in effect for the sandbox in which the program is running. The program is prohibited from accessing the Internet. This message is issued just once for any running sandboxed program. Related Sandboxie Control setting: Sandbox Settings > Restrictions Settings > Internet Access Related Sandboxie Ini settings: ClosedFilePath , NotifyInternetAccessDenied .","title":"SBIE1307"},{"location":"Content/SBIE1307/#sbie1307","text":"Message: SBIE1307 Program cannot access the Internet due to restrictions - program.exe Logged To: Popup Message Log . Explanation: Internet Access restrictions are in effect for the sandbox in which the program is running. The program is prohibited from accessing the Internet. This message is issued just once for any running sandboxed program. Related Sandboxie Control setting: Sandbox Settings > Restrictions Settings > Internet Access Related Sandboxie Ini settings: ClosedFilePath , NotifyInternetAccessDenied .","title":"SBIE1307"},{"location":"Content/SBIE1308/","text":"SBIE1308 Message: SBIE1308 Program cannot start due to restrictions - program.exe Logged To: Popup Message Log . 
Explanation: Start/Run restrictions are in effect for the sandbox in which the program is running. The program is prohibited from starting or running. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Ini settings: ClosedIpcPath , NotifyStartRunAccessDenied .","title":"SBIE1308"},{"location":"Content/SBIE1308/#sbie1308","text":"Message: SBIE1308 Program cannot start due to restrictions - program.exe Logged To: Popup Message Log . Explanation: Start/Run restrictions are in effect for the sandbox in which the program is running. The program is prohibited from starting or running. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Ini settings: ClosedIpcPath , NotifyStartRunAccessDenied .","title":"SBIE1308"},{"location":"Content/SBIE1309/","text":"SBIE1309 OBSOLETE Message: SBIE1311 Blocked request to change desktop wallpaper by process program.exe Logged To: Popup Message Log . Explanation: Sandboxie detected that a program issued a request to change the desktop wallpaper, and blocked the request. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini settings: BlockSysParam .","title":"SBIE1309"},{"location":"Content/SBIE1309/#sbie1309","text":"OBSOLETE Message: SBIE1311 Blocked request to change desktop wallpaper by process program.exe Logged To: Popup Message Log . Explanation: Sandboxie detected that a program issued a request to change the desktop wallpaper, and blocked the request. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini settings: BlockSysParam .","title":"SBIE1309"},{"location":"Content/SBIE1310/","text":"SBIE1310 OBSOLETE Message: SBIE1310 Extended features are disabled until the license is reactivated Logged To: Popup Message Log . 
Explanation: This message indicated that the license had expired before Sandboxie became a free software in version 5.31.4. The FAQ Licensing page listed those extra features that were available only in the registered versions of Sandboxie. To renew your license, invoke the Sandboxie License Manager: Open Sandboxie Control . You can find it in your Windows Start menu, under the Sandboxie program group. Then, select the Help Menu and invoke the Register Sandboxie command. Please see Sandboxie is now an open source tool for more information.","title":"SBIE1310"},{"location":"Content/SBIE1310/#sbie1310","text":"OBSOLETE Message: SBIE1310 Extended features are disabled until the license is reactivated Logged To: Popup Message Log . Explanation: This message indicated that the license had expired before Sandboxie became a free software in version 5.31.4. The FAQ Licensing page listed those extra features that were available only in the registered versions of Sandboxie. To renew your license, invoke the Sandboxie License Manager: Open Sandboxie Control . You can find it in your Windows Start menu, under the Sandboxie program group. Then, select the Help Menu and invoke the Register Sandboxie command. Please see Sandboxie is now an open source tool for more information.","title":"SBIE1310"},{"location":"Content/SBIE1311/","text":"SBIE1311 OBSOLETE Message: SBIE1311 Blocked request to change desktop wallpaper by process program.exe Logged To: Popup Message Log . Explanation: Sandboxie detected that a program issued a request to change the desktop wallpaper, and blocked the request. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini settings: BlockSysParam .","title":"SBIE1311"},{"location":"Content/SBIE1311/#sbie1311","text":"OBSOLETE Message: SBIE1311 Blocked request to change desktop wallpaper by process program.exe Logged To: Popup Message Log . 
Explanation: Sandboxie detected that a program issued a request to change the desktop wallpaper, and blocked the request. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini settings: BlockSysParam .","title":"SBIE1311"},{"location":"Content/SBIE1312/","text":"SBIE1312 Message: SBIE1312 Blocked request to start a 16-bit DOS program in the sandbox Logged To: Popup Message Log . Explanation: Sandboxie blocks the execution of 16-bit DOS programs in the sandbox, because Sandboxie cannot guarantee sandbox isolation for such programs. Note that this message only appears in the 32-bit edition of Sandboxie on 32-bit Windows, as 64-bit Windows does not run 16-bit DOS programs. One possible workaround is to install the DOS emulation software DOSBox into a sandbox, and use that to run the 16-bit DOS program.","title":"SBIE1312"},{"location":"Content/SBIE1312/#sbie1312","text":"Message: SBIE1312 Blocked request to start a 16-bit DOS program in the sandbox Logged To: Popup Message Log . Explanation: Sandboxie blocks the execution of 16-bit DOS programs in the sandbox, because Sandboxie cannot guarantee sandbox isolation for such programs. Note that this message only appears in the 32-bit edition of Sandboxie on 32-bit Windows, as 64-bit Windows does not run 16-bit DOS programs. One possible workaround is to install the DOS emulation software DOSBox into a sandbox, and use that to run the 16-bit DOS program.","title":"SBIE1312"},{"location":"Content/SBIE1313/","text":"SBIE1313 OBSOLETE Message: SBIE1313 Blocked direct disk access by process program.exe Logged To: Popup Message Log . Explanation: This message indicated that a program requested direct access to a hard disk device and Sandboxie denied this access. Note that the default behavior of Sandboxie is to deny all direct access requests without issuing this message. The message was issued only when the NotifyDirectDiskAccess setting was already enabled. 
Please see NotifyDirectDiskAccess for more information.","title":"SBIE1313"},{"location":"Content/SBIE1313/#sbie1313","text":"OBSOLETE Message: SBIE1313 Blocked direct disk access by process program.exe Logged To: Popup Message Log . Explanation: This message indicated that a program requested direct access to a hard disk device and Sandboxie denied this access. Note that the default behavior of Sandboxie is to deny all direct access requests without issuing this message. The message was issued only when the NotifyDirectDiskAccess setting was already enabled. Please see NotifyDirectDiskAccess for more information.","title":"SBIE1313"},{"location":"Content/SBIE1314/","text":"SBIE1314 Message: SBIE1314 Blocked request to alter network/firewall settings by process program.exe Logged To: Popup Message Log . Explanation: This message indicates that a program attempted to change TCP/IP network configuration, and the request was blocked. Sandboxie may issue this message when it blocks a program from attempting to change the IP address or routing tables for the local computer, or other networking parameters. Note that at this time, the message is not actually issued when a program attempts to change firewall parameters, but the program will not be able to modify the parameters of the firewall. To permit a program to alter network and firewall parameters, please see the following settings: Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access Related Sandboxie Ini settings: BlockNetParam .","title":"SBIE1314"},{"location":"Content/SBIE1314/#sbie1314","text":"Message: SBIE1314 Blocked request to alter network/firewall settings by process program.exe Logged To: Popup Message Log . Explanation: This message indicates that a program attempted to change TCP/IP network configuration, and the request was blocked. 
Sandboxie may issue this message when it blocks a program from attempting to change the IP address or routing tables for the local computer, or other networking parameters. Note that at this time, the message is not actually issued when a program attempts to change firewall parameters, but the program will not be able to modify the parameters of the firewall. To permit a program to alter network and firewall parameters, please see the following settings: Related Sandboxie Control setting: Sandbox Settings > Restrictions > Hardware Access Related Sandboxie Ini settings: BlockNetParam .","title":"SBIE1314"},{"location":"Content/SBIE1401/","text":"SBIE1401 Message: SBIE1401 Configuration file not found, using defaults Logged To: System Event Log and Popup Message Log . Explanation: This is a notification message which indicates that Sandboxie did not find the Sandboxie Ini configuration file, and will be using default settings. Sandboxie looks for the Sandboxie Ini file first in the Windows directory (typically C:\\Windows), and if not found there, in the Sandboxie installation folder.","title":"SBIE1401"},{"location":"Content/SBIE1401/#sbie1401","text":"Message: SBIE1401 Configuration file not found, using defaults Logged To: System Event Log and Popup Message Log . Explanation: This is a notification message which indicates that Sandboxie did not find the Sandboxie Ini configuration file, and will be using default settings. Sandboxie looks for the Sandboxie Ini file first in the Windows directory (typically C:\\Windows), and if not found there, in the Sandboxie installation folder.","title":"SBIE1401"},{"location":"Content/SBIE1402/","text":"SBIE1402 Message: SBIE1402 Configuration file error in line number : [xxxxxxxx] Logged To: System Event Log and Popup Message Log . Explanation: There was some error reading the Sandboxie Ini configuration file. 
Note that messages SBIE1403 , SBIE1404 and SBIE1405 are concerned with specific error conditions, while this message indicates some other, unspecified condition.","title":"SBIE1402"},{"location":"Content/SBIE1402/#sbie1402","text":"Message: SBIE1402 Configuration file error in line number : [xxxxxxxx] Logged To: System Event Log and Popup Message Log . Explanation: There was some error reading the Sandboxie Ini configuration file. Note that messages SBIE1403 , SBIE1404 and SBIE1405 are concerned with specific error conditions, while this message indicates some other, unspecified condition.","title":"SBIE1402"},{"location":"Content/SBIE1403/","text":"SBIE1403 Message: SBIE1403 Configuration file error in line number : line too long Logged To: System Event Log and Popup Message Log . Explanation: The maximum length of a line in the Sandboxie Ini configuration file is 1000 characters. This message indicates that a particular line in the file was longer than this limit.","title":"SBIE1403"},{"location":"Content/SBIE1403/#sbie1403","text":"Message: SBIE1403 Configuration file error in line number : line too long Logged To: System Event Log and Popup Message Log . Explanation: The maximum length of a line in the Sandboxie Ini configuration file is 1000 characters. This message indicates that a particular line in the file was longer than this limit.","title":"SBIE1403"},{"location":"Content/SBIE1404/","text":"SBIE1404 Message: SBIE1404 Configuration file error in line number : too many lines Logged To: System Event Log and Popup Message Log . Explanation: The maximum number of a lines in the Sandboxie Ini configuration file is 30000. This message indicates that the configuration file has more lines than this limiting number.","title":"SBIE1404"},{"location":"Content/SBIE1404/#sbie1404","text":"Message: SBIE1404 Configuration file error in line number : too many lines Logged To: System Event Log and Popup Message Log . 
Explanation: The maximum number of a lines in the Sandboxie Ini configuration file is 30000. This message indicates that the configuration file has more lines than this limiting number.","title":"SBIE1404"},{"location":"Content/SBIE1405/","text":"SBIE1405 Message: SBIE1405 Configuration file error in line number : syntax error Logged To: System Event Log and Popup Message Log . Explanation: The Sandboxie Ini configuration file is structured as a set of sections. Each section begins with a section name between brackets, for example: [GlobalSettings]. Within each section, each line must be formatted as name=value . Alternatively, a line in the configuration file may be blank, or may begin with the hash character (#), in which case the line is considered a comment and is ignored. This message indicates that some text in the configuration file could not be parsed according to the syntax described above.","title":"SBIE1405"},{"location":"Content/SBIE1405/#sbie1405","text":"Message: SBIE1405 Configuration file error in line number : syntax error Logged To: System Event Log and Popup Message Log . Explanation: The Sandboxie Ini configuration file is structured as a set of sections. Each section begins with a section name between brackets, for example: [GlobalSettings]. Within each section, each line must be formatted as name=value . Alternatively, a line in the configuration file may be blank, or may begin with the hash character (#), in which case the line is considered a comment and is ignored. This message indicates that some text in the configuration file could not be parsed according to the syntax described above.","title":"SBIE1405"},{"location":"Content/SBIE1406/","text":"SBIE1406 Message: SBIE1406 Missing or invalid expansion for variable : [xxxxxxxx] Logged To: System Event Log and Popup Message Log . 
Explanation: This messages indicates that the variable referenced in the configuration file, whose name is noted in the message, cannot be replaced by textual content. For example, the variables %USERNAME% are expanded to (or replaced by) the user account name. If Sandboxie cannot determine the user account name (see messages SBIE1408 and SBIE2209 ), then message SBIE1406 will be issued, naming the variable USERNAME. For a list of expandable variables, see Expandable Variables . Template Variables If the variable name in the message begins with Tmpl , then you should go to Sandbox Settings > Applications > Folders and select a folder location to be associated with the missing variable. For example, if you see this error message for Tmpl.Eudora , go to the Folders settings page, and select a folder for Eudora.","title":"SBIE1406"},{"location":"Content/SBIE1406/#sbie1406","text":"Message: SBIE1406 Missing or invalid expansion for variable : [xxxxxxxx] Logged To: System Event Log and Popup Message Log . Explanation: This messages indicates that the variable referenced in the configuration file, whose name is noted in the message, cannot be replaced by textual content. For example, the variables %USERNAME% are expanded to (or replaced by) the user account name. If Sandboxie cannot determine the user account name (see messages SBIE1408 and SBIE2209 ), then message SBIE1406 will be issued, naming the variable USERNAME. For a list of expandable variables, see Expandable Variables . Template Variables If the variable name in the message begins with Tmpl , then you should go to Sandbox Settings > Applications > Folders and select a folder location to be associated with the missing variable. For example, if you see this error message for Tmpl.Eudora , go to the Folders settings page, and select a folder for Eudora.","title":"SBIE1406"},{"location":"Content/SBIE1408/","text":"SBIE1408 Message: SBIE1408 Unknown user name for SID: S-1-5-x-y-z Logged To: Popup Message Log . 
Explanation: Sandboxie needs to translate security S-1-5-x-y-z to a user account name. This message indicates that an error has occurred and revented this translation. If this message is not accompanied by message SBIE2209 , then it may be an indication that the Sandboxie service is not running.","title":"SBIE1408"},{"location":"Content/SBIE1408/#sbie1408","text":"Message: SBIE1408 Unknown user name for SID: S-1-5-x-y-z Logged To: Popup Message Log . Explanation: Sandboxie needs to translate security S-1-5-x-y-z to a user account name. This message indicates that an error has occurred and revented this translation. If this message is not accompanied by message SBIE2209 , then it may be an indication that the Sandboxie service is not running.","title":"SBIE1408"},{"location":"Content/SBIE1409/","text":"SBIE1409 Message: SBIE1409 The Templates.ini file cannot be opened [xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie expects to find the global configuration file Templates.ini in its installation folder. This file should be considered a stock part of the installation and should not be edited or removed. See also: Nt Status Codes .","title":"SBIE1409"},{"location":"Content/SBIE1409/#sbie1409","text":"Message: SBIE1409 The Templates.ini file cannot be opened [xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie expects to find the global configuration file Templates.ini in its installation folder. This file should be considered a stock part of the installation and should not be edited or removed. See also: Nt Status Codes .","title":"SBIE1409"},{"location":"Content/SBIE1410/","text":"SBIE1410 Message: SBIE1410 The following message indicates an error in the Templates.ini file Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the global configuration file Templates.ini . This message precedes one of the other SBIE14xx messages: SBIE1402 , SBIE1403 , SBIE1404 , SBIE1405 , SBIE1406 . 
The message indicates the follow-up SBIE14xx message refers to the Templates.ini file rather than the Sandboxie.ini configuration file.","title":"SBIE1410"},{"location":"Content/SBIE1410/#sbie1410","text":"Message: SBIE1410 The following message indicates an error in the Templates.ini file Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the global configuration file Templates.ini . This message precedes one of the other SBIE14xx messages: SBIE1402 , SBIE1403 , SBIE1404 , SBIE1405 , SBIE1406 . The message indicates the follow-up SBIE14xx message refers to the Templates.ini file rather than the Sandboxie.ini configuration file.","title":"SBIE1410"},{"location":"Content/SBIE1411/","text":"SBIE1411 Message: SBIE1411 Sandbox %2 specifies unknown template %3 Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the Sandboxie.ini file. One of the sandboxes configured in the file references a global template section which does not appear in the global configuration file Templates.ini . Note that local templates should be defined in the Sandboxie.ini file while stock global templates are delivered as part of the installation of Sandboxie in the Templates.ini file.","title":"SBIE1411"},{"location":"Content/SBIE1411/#sbie1411","text":"Message: SBIE1411 Sandbox %2 specifies unknown template %3 Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the Sandboxie.ini file. One of the sandboxes configured in the file references a global template section which does not appear in the global configuration file Templates.ini . Note that local templates should be defined in the Sandboxie.ini file while stock global templates are delivered as part of the installation of Sandboxie in the Templates.ini file.","title":"SBIE1411"},{"location":"Content/SBIE1412/","text":"SBIE1412 Message: SBIE1412 In text: %2 Logged To: Popup Message Log . 
Explanation: Sandboxie encountered an error while processing the configuration file. In addition to other messages which explain and identify the error, such as message SBIE1405 , this SBIE1412 message quotes the text line in which the error occurred.","title":"SBIE1412"},{"location":"Content/SBIE1412/#sbie1412","text":"Message: SBIE1412 In text: %2 Logged To: Popup Message Log . Explanation: Sandboxie encountered an error while processing the configuration file. In addition to other messages which explain and identify the error, such as message SBIE1405 , this SBIE1412 message quotes the text line in which the error occurred.","title":"SBIE1412"},{"location":"Content/SBIE2102/","text":"SBIE2102 Message: SBIE2102 File is too large to copy into sandbox - path Logged To: Popup Message Log . Explanation: This is an informational message. Before a sandboxed program can make changes to a file that already exists in your computer, Sandboxie first must make a copy of this file in the sandbox. This works very well for small files (up to a few megabytes in size), as the copy operation completes very quickly. But for larger files, the copy operation may take a noticeable length of time. For example, suppose you created a backup for a DVD, in the form of a 4GB file. If a sandboxed program tries to access the file, Sandboxie would have to make a sandboxed copy of the 4 GB file. This would take several minutes to complete, and would cost 4 GB of disk space. For this reason, Sandboxie will only make copies of files that are below a certain size threshold. Files larger than this size will be considered read-only inside the sandbox, and any attempt to modify them will result in message SBIE2102. The size threshold and alert message can be configured in Sandbox Settings > File Migration . 
Related Sandboxie Ini setting: CopyLimitKb , CopyLimitSilent","title":"SBIE2102"},{"location":"Content/SBIE2102/#sbie2102","text":"Message: SBIE2102 File is too large to copy into sandbox - path Logged To: Popup Message Log . Explanation: This is an informational message. Before a sandboxed program can make changes to a file that already exists in your computer, Sandboxie first must make a copy of this file in the sandbox. This works very well for small files (up to a few megabytes in size), as the copy operation completes very quickly. But for larger files, the copy operation may take a noticeable length of time. For example, suppose you created a backup for a DVD, in the form of a 4GB file. If a sandboxed program tries to access the file, Sandboxie would have to make a sandboxed copy of the 4 GB file. This would take several minutes to complete, and would cost 4 GB of disk space. For this reason, Sandboxie will only make copies of files that are below a certain size threshold. Files larger than this size will be considered read-only inside the sandbox, and any attempt to modify them will result in message SBIE2102. The size threshold and alert message can be configured in Sandbox Settings > File Migration . Related Sandboxie Ini setting: CopyLimitKb , CopyLimitSilent","title":"SBIE2102"},{"location":"Content/SBIE2103/","text":"SBIE2103 Message: SBIE2103 Denied attempt to load system driver driver Logged To: Popup Message Log . Explanation: This is an informational message. Programs running under the supervision of Sandboxie are stripped of privileges required to start drivers. (Unless this is explicitly allowed through the Block Drivers settings.) This message indicates that a sandboxed program has requested to start a driver, and that the request was denied. Note, depending on the circumstances, this message may indicate that an attempt to install a malicious rootkit into the system, has been subverted by Sandboxie. 
On the other hand, if this message appears during the sandboxed installation of a program that is known to install and activate drivers, then the previous statement does not apply. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini setting: BlockDrivers","title":"SBIE2103"},{"location":"Content/SBIE2103/#sbie2103","text":"Message: SBIE2103 Denied attempt to load system driver driver Logged To: Popup Message Log . Explanation: This is an informational message. Programs running under the supervision of Sandboxie are stripped of privileges required to start drivers. (Unless this is explicitly allowed through the Block Drivers settings.) This message indicates that a sandboxed program has requested to start a driver, and that the request was denied. Note, depending on the circumstances, this message may indicate that an attempt to install a malicious rootkit into the system, has been subverted by Sandboxie. On the other hand, if this message appears during the sandboxed installation of a program that is known to install and activate drivers, then the previous statement does not apply. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Low-Level Access Related Sandboxie Ini setting: BlockDrivers","title":"SBIE2103"},{"location":"Content/SBIE2104/","text":"SBIE2104 Message: SBIE2104 Denied attempt to end this Windows session Logged To: Popup Message Log . Explanation: This is an informational message. Programs running under the supervision of Sandboxie are stripped of privileges required to logoff the active user or shut down or restart the system. This message indicates that a sandboxed program has requested to end the Windows session through logoff, shutdown or restart, and that the request was denied.","title":"SBIE2104"},{"location":"Content/SBIE2104/#sbie2104","text":"Message: SBIE2104 Denied attempt to end this Windows session Logged To: Popup Message Log . 
Explanation: This is an informational message. Programs running under the supervision of Sandboxie are stripped of privileges required to logoff the active user or shut down or restart the system. This message indicates that a sandboxed program has requested to end the Windows session through logoff, shutdown or restart, and that the request was denied.","title":"SBIE2104"},{"location":"Content/SBIE2108/","text":"SBIE2108 Message: SBIE2108 Faking successful completion for program program.exe Logged To: Popup Message Log . Explanation: This is an informational message. In some specific cases, installation of particular software into the sandbox fails due to an error condition occurring in some minor component of the entire process. This message indicates that Sandboxie has hidden this error condition in the minor component, in order to allow the installation to succeed.","title":"SBIE2108"},{"location":"Content/SBIE2108/#sbie2108","text":"Message: SBIE2108 Faking successful completion for program program.exe Logged To: Popup Message Log . Explanation: This is an informational message. In some specific cases, installation of particular software into the sandbox fails due to an error condition occurring in some minor component of the entire process. This message indicates that Sandboxie has hidden this error condition in the minor component, in order to allow the installation to succeed.","title":"SBIE2108"},{"location":"Content/SBIE2111/","text":"SBIE2111 Message: SBIE2111 Process is not accessible: program , call call Logged To: Popup Message Log . Explanation: This is an informational message. Before v1.0.16 / 5.55.16, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user, this is obviously a bad idea if your goals is not only infection prevention but also data protection. 
Hence, from v1.0.16 / 5.55.16 onwards Sandboxie will not allow for PROCESS_VM_READ on unsandboxed processes or processes belonging to other sandboxes. To facilitate compatibility, this build introduces a ReadIpcPath sandbox setting. Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Issue message 2111 when a process access is denied See also: Notify Process Access Denied .","title":"SBIE2111"},{"location":"Content/SBIE2111/#sbie2111","text":"Message: SBIE2111 Process is not accessible: program , call call Logged To: Popup Message Log . Explanation: This is an informational message. Before v1.0.16 / 5.55.16, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user, this is obviously a bad idea if your goals is not only infection prevention but also data protection. Hence, from v1.0.16 / 5.55.16 onwards Sandboxie will not allow for PROCESS_VM_READ on unsandboxed processes or processes belonging to other sandboxes. To facilitate compatibility, this build introduces a ReadIpcPath sandbox setting. Related Sandboxie Plus setting: Sandbox Options > General Options > Restrictions > Other restrictions > Issue message 2111 when a process access is denied See also: Notify Process Access Denied .","title":"SBIE2111"},{"location":"Content/SBIE2191/","text":"SBIE2191 Message: SBIE2191 browser should not be updated while running under Sandboxie. Logged To: Popup Message Log . Explanation: This is an informational message. This message is always followed by SBIE2192 and SBIE2193 : SBIE2191 browser should not be updated while running under Sandboxie. SBIE2192 To update the program, run it outside of the supervision of Sandboxie. SBIE2193 Make sure to delete the sandbox after completing the update process. 
(unavailable since Sandboxie 1.0.14 / 5.55.14) The browser in the message is Mozilla Firefox or Google Chrome.","title":"SBIE2191"},{"location":"Content/SBIE2191/#sbie2191","text":"Message: SBIE2191 browser should not be updated while running under Sandboxie. Logged To: Popup Message Log . Explanation: This is an informational message. This message is always followed by SBIE2192 and SBIE2193 : SBIE2191 browser should not be updated while running under Sandboxie. SBIE2192 To update the program, run it outside of the supervision of Sandboxie. SBIE2193 Make sure to delete the sandbox after completing the update process. (unavailable since Sandboxie 1.0.14 / 5.55.14) The browser in the message is Mozilla Firefox or Google Chrome.","title":"SBIE2191"},{"location":"Content/SBIE2192/","text":"SBIE2192 Message: SBIE2192 To update the program, run it outside of the supervision of Sandboxie. Logged To: Popup Message Log . Explanation: See message SBIE2191 .","title":"SBIE2192"},{"location":"Content/SBIE2192/#sbie2192","text":"Message: SBIE2192 To update the program, run it outside of the supervision of Sandboxie. Logged To: Popup Message Log . Explanation: See message SBIE2191 .","title":"SBIE2192"},{"location":"Content/SBIE2193/","text":"SBIE2193 OBSOLETE SINCE 1.0.14 / 5.55.14 Message: SBIE2193 Make sure to delete the sandbox after completing the update process. Logged To: Popup Message Log . Explanation: See message SBIE2191 .","title":"SBIE2193"},{"location":"Content/SBIE2193/#sbie2193","text":"OBSOLETE SINCE 1.0.14 / 5.55.14 Message: SBIE2193 Make sure to delete the sandbox after completing the update process. Logged To: Popup Message Log . Explanation: See message SBIE2191 .","title":"SBIE2193"},{"location":"Content/SBIE2202/","text":"SBIE2202 Message: SBIE2202 Missing list of installed hardware devices Logged To: Popup Message Log . 
Explanation: The Sandboxie DLL component executing within the sandboxed program needs to access information prepared, in advance, by the Sandboxie service component (SbieSvc). This message indicates that information was not available. Typically, the reason is that the Sandboxie service is not running.","title":"SBIE2202"},{"location":"Content/SBIE2202/#sbie2202","text":"Message: SBIE2202 Missing list of installed hardware devices Logged To: Popup Message Log . Explanation: The Sandboxie DLL component executing within the sandboxed program needs to access information prepared, in advance, by the Sandboxie service component (SbieSvc). This message indicates that information was not available. Typically, the reason is that the Sandboxie service is not running.","title":"SBIE2202"},{"location":"Content/SBIE2203/","text":"SBIE2203 Message: SBIE2203 Failed to communicate with Sandboxie Service: detail Logged To: Popup Message Log . Explanation: The Sandboxie DLL component executing within the sandboxed program needs to communicate with the Sandboxie service component (SbieSvc). This message indicates that some communication failure has occurred. When detail is connect , the likely reason is that the Sandboxie service is not running. Any other value of detail indicates that communication has been established, but could not be completed, due to some error.","title":"SBIE2203"},{"location":"Content/SBIE2203/#sbie2203","text":"Message: SBIE2203 Failed to communicate with Sandboxie Service: detail Logged To: Popup Message Log . Explanation: The Sandboxie DLL component executing within the sandboxed program needs to communicate with the Sandboxie service component (SbieSvc). This message indicates that some communication failure has occurred. When detail is connect , the likely reason is that the Sandboxie service is not running. 
Any other value of detail indicates that communication has been established, but could not be completed, due to some error.","title":"SBIE2203"},{"location":"Content/SBIE2204/","text":"SBIE2204 Message: SBIE2204 Cannot start sandboxed service name__(xxxxxxxx) Logged To: Popup Message Log . Explanation: The message indicates that Sandboxie was unable to start one of the helper programs SandboxieRpcSs or SandboxieDcomLaunch . The name noted in the message can be rpcss or dcomlaunch . For more information about these programs, see Service Programs .","title":"SBIE2204"},{"location":"Content/SBIE2204/#sbie2204","text":"Message: SBIE2204 Cannot start sandboxed service name__(xxxxxxxx) Logged To: Popup Message Log . Explanation: The message indicates that Sandboxie was unable to start one of the helper programs SandboxieRpcSs or SandboxieDcomLaunch . The name noted in the message can be rpcss or dcomlaunch . For more information about these programs, see Service Programs .","title":"SBIE2204"},{"location":"Content/SBIE2205/","text":"SBIE2205 Message: SBIE2205 Service not implemented: name Logged To: Popup Message Log . Explanation: Some little-used system service, which is identified by name , is not implemented by Sandboxie. This is a warning/notification message from Sandboxie. The sandboxed program may or may not fail. Missing functionality related to Protected Storage and Windows Credentials The explanation below applies to these missing services: CredReadA IPStore::GetTypeInfo Protected Storage is a facility that some Windows programs use to collect history of typed text. Windows credentials is a facility that some Windows programs (like Windows Messenger), and some Microsoft web sites (like Hotmail) use to remember user/password information. Sandboxie provides its own implementation for these facilities, which store any collected information in the sandbox rather than in the real Protected Storage. 
This is part of the overall approach of Sandboxie which aims to contain any effects by a programs into the sandbox. This Sandboxie implementation is complete enough that it enables most programs to work as expected. However, it is not 100% compatible with the real implementation of the facilities in Windows. Few programs use services which are not implemented. In this cases, Sandboxie issues message SBIE2205 to report that a program tried to do something which was not supported, and that the operation failed. The message does not imply that any information was stored outside the sandbox. More information: Protected Storage , Open Protected Storage , Open Credentials , and Save Outside Sandbox in Internet Explorer Tips .","title":"SBIE2205"},{"location":"Content/SBIE2205/#sbie2205","text":"Message: SBIE2205 Service not implemented: name Logged To: Popup Message Log . Explanation: Some little-used system service, which is identified by name , is not implemented by Sandboxie. This is a warning/notification message from Sandboxie. The sandboxed program may or may not fail. Missing functionality related to Protected Storage and Windows Credentials The explanation below applies to these missing services: CredReadA IPStore::GetTypeInfo Protected Storage is a facility that some Windows programs use to collect history of typed text. Windows credentials is a facility that some Windows programs (like Windows Messenger), and some Microsoft web sites (like Hotmail) use to remember user/password information. Sandboxie provides its own implementation for these facilities, which store any collected information in the sandbox rather than in the real Protected Storage. This is part of the overall approach of Sandboxie which aims to contain any effects by a programs into the sandbox. This Sandboxie implementation is complete enough that it enables most programs to work as expected. However, it is not 100% compatible with the real implementation of the facilities in Windows. 
Few programs use services which are not implemented. In this cases, Sandboxie issues message SBIE2205 to report that a program tried to do something which was not supported, and that the operation failed. The message does not imply that any information was stored outside the sandbox. More information: Protected Storage , Open Protected Storage , Open Credentials , and Save Outside Sandbox in Internet Explorer Tips .","title":"SBIE2205"},{"location":"Content/SBIE2206/","text":"SBIE2206 Message: SBIE2206 Failed processing AutoExec setting yy__[ ntstatus ] Logged To: Popup Message Log . Explanation: There was an error in the processing one of the AutoExec settings from the Sandboxie Ini configuration file. Note that this message is specifically not concerned with errors that occur as the result of running the program or command specified by the AutoExec setting. This message indicates that it is the bookkeeping , which is related to AutoExec settings, that has failed in some way.","title":"SBIE2206"},{"location":"Content/SBIE2206/#sbie2206","text":"Message: SBIE2206 Failed processing AutoExec setting yy__[ ntstatus ] Logged To: Popup Message Log . Explanation: There was an error in the processing one of the AutoExec settings from the Sandboxie Ini configuration file. Note that this message is specifically not concerned with errors that occur as the result of running the program or command specified by the AutoExec setting. This message indicates that it is the bookkeeping , which is related to AutoExec settings, that has failed in some way.","title":"SBIE2206"},{"location":"Content/SBIE2207/","text":"SBIE2207 Message: SBIE2207 Invalid value for setting name , using default Logged To: Popup Message Log . Explanation: The Sandboxie Ini configuration setting identified by name has an invalid value. 
Consult the documentation for the relevant setting.","title":"SBIE2207"},{"location":"Content/SBIE2207/#sbie2207","text":"Message: SBIE2207 Invalid value for setting name , using default Logged To: Popup Message Log . Explanation: The Sandboxie Ini configuration setting identified by name has an invalid value. Consult the documentation for the relevant setting.","title":"SBIE2207"},{"location":"Content/SBIE2208/","text":"SBIE2208 Message: SBIE2208 Cannot remove registry hive: [ ntstatus ] Logged To: Popup Message Log . Explanation: When all sandboxed programs end, Sandboxie removes the sandboxed registry from the system. This error message indicates the removal was unsuccessful. Typically the ntstatus code is C0000121, and indicates that some other program is using the sandboxed registry, from outside the sandbox. Note, as long as the registry remains loaded into the system, the sandbox cannot be deleted. Logging-off the current user account may resolve the problem.","title":"SBIE2208"},{"location":"Content/SBIE2208/#sbie2208","text":"Message: SBIE2208 Cannot remove registry hive: [ ntstatus ] Logged To: Popup Message Log . Explanation: When all sandboxed programs end, Sandboxie removes the sandboxed registry from the system. This error message indicates the removal was unsuccessful. Typically the ntstatus code is C0000121, and indicates that some other program is using the sandboxed registry, from outside the sandbox. Note, as long as the registry remains loaded into the system, the sandbox cannot be deleted. Logging-off the current user account may resolve the problem.","title":"SBIE2208"},{"location":"Content/SBIE2209/","text":"SBIE2209 Message: SBIE2209 Cannot translate SID to user name: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie needs to translate security S-1-5-x-y-z to a user account name. 
This message indicates that an error has occurred and prevented this translation.","title":"SBIE2209"},{"location":"Content/SBIE2209/#sbie2209","text":"Message: SBIE2209 Cannot translate SID to user name: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie needs to translate security S-1-5-x-y-z to a user account name. This message indicates that an error has occurred and prevented this translation.","title":"SBIE2209"},{"location":"Content/SBIE2210/","text":"SBIE2210 Message: SBIE2210 Cannot start Windows Explorer for: folder__(xxxx) Logged To: Popup Message Log . Explanation: Sandboxie tries to launch Windows Explorer (the program explorer.exe ) when a sandboxed program requests to 'explore' a folder. This message indicates that the Windows Explorer program could not be started to explore the folder noted in the message.","title":"SBIE2210"},{"location":"Content/SBIE2210/#sbie2210","text":"Message: SBIE2210 Cannot start Windows Explorer for: folder__(xxxx) Logged To: Popup Message Log . Explanation: Sandboxie tries to launch Windows Explorer (the program explorer.exe ) when a sandboxed program requests to 'explore' a folder. This message indicates that the Windows Explorer program could not be started to explore the folder noted in the message.","title":"SBIE2210"},{"location":"Content/SBIE2211/","text":"SBIE2211 Message: SBIE2211 Sandboxed service failed to start: name Logged To: Popup Message Log . Explanation: Windows Services that are installed into the sandbox are managed by Sandboxie. This management includes starting and stopping the service. This message reports that the sandboxed service name has failed to start. User Account Control In Windows Vista and later, software may not correctly install into the sandbox unless you enable the option Run As UAC Administrator prior to running the installation. Particularly, Windows Installer packages, which are installed through the Windows Installer service, require enabling this option. 
This is not a security issue: The \"Run As UAC Administrator\" option does not diminish the protection of Sandboxie in any way.","title":"SBIE2211"},{"location":"Content/SBIE2211/#sbie2211","text":"Message: SBIE2211 Sandboxed service failed to start: name Logged To: Popup Message Log . Explanation: Windows Services that are installed into the sandbox are managed by Sandboxie. This management includes starting and stopping the service. This message reports that the sandboxed service name has failed to start. User Account Control In Windows Vista and later, software may not correctly install into the sandbox unless you enable the option Run As UAC Administrator prior to running the installation. Particularly, Windows Installer packages, which are installed through the Windows Installer service, require enabling this option. This is not a security issue: The \"Run As UAC Administrator\" option does not diminish the protection of Sandboxie in any way.","title":"SBIE2211"},{"location":"Content/SBIE2212/","text":"SBIE2212 Message: SBIE2212 Email reader program.exe is not configured to run sandboxed Logged To: Popup Message Log . Explanation: This message is displayed when you run your mail reader program sandboxed, but have not yet enabled proper support for that program in Sandboxie. Sandboxie offers quick configuration for most email programs. Please see Sandbox Settings > Applications > Email Reader , and then Test Email Configuration . By default, Sandboxie traps all changes in the sandbox, including changes to mailbox files, such as the addition of new mail. These changes will be deleted when the sandbox is deleted. To properly run your mail program sandboxed, you should configure Sandboxie to exclude your mailbox data files from sandboxing. For more information, see Email Protection .","title":"SBIE2212"},{"location":"Content/SBIE2212/#sbie2212","text":"Message: SBIE2212 Email reader program.exe is not configured to run sandboxed Logged To: Popup Message Log . 
Explanation: This message is displayed when you run your mail reader program sandboxed, but have not yet enabled proper support for that program in Sandboxie. Sandboxie offers quick configuration for most email programs. Please see Sandbox Settings > Applications > Email Reader , and then Test Email Configuration . By default, Sandboxie traps all changes in the sandbox, including changes to mailbox files, such as the addition of new mail. These changes will be deleted when the sandbox is deleted. To properly run your mail program sandboxed, you should configure Sandboxie to exclude your mailbox data files from sandboxing. For more information, see Email Protection .","title":"SBIE2212"},{"location":"Content/SBIE2213/","text":"SBIE2213 Message: SBIE2213 Windows Credentials cannot be stored in the sandbox Logged To: Popup Message Log . Explanation: Windows Credentials are username and password information stored in Windows by some Microsoft applications. For example, Windows Messenger stores email addresses and passwords as Windows Credentials. Sandboxie provides its own implementation of Windows Credentials which stores the information in the sandbox in order to keep them isolated from the rest of the system. To disable this implementation of isolated credentials, specify the OpenCredentials =y setting. This message is an indication that the Sandboxie implementation of Windows Credentials was asked to store Windows Credentials but failed to do so. The credentials in question are discarded.","title":"SBIE2213"},{"location":"Content/SBIE2213/#sbie2213","text":"Message: SBIE2213 Windows Credentials cannot be stored in the sandbox Logged To: Popup Message Log . Explanation: Windows Credentials are username and password information stored in Windows by some Microsoft applications. For example, Windows Messenger stores email addresses and passwords as Windows Credentials. 
Sandboxie provides its own implementation of Windows Credentials which stores the information in the sandbox in order to keep them isolated from the rest of the system. To disable this implementation of isolated credentials, specify the OpenCredentials =y setting. This message is an indication that the Sandboxie implementation of Windows Credentials was asked to store Windows Credentials but failed to do so. The credentials in question are discarded.","title":"SBIE2213"},{"location":"Content/SBIE2214/","text":"SBIE2214 Message: SBIE2214 Request to start service name was denied due to dropped rights Logged To: Popup Message Log . Explanation: The Drop Rights setting is enabled in the sandbox, and this prevents the service program from starting with full (LocalSystem) privileges. Note that the 64-bit edition of Sandboxie enables the Drop Rights setting by default. This message is followed by message SBIE2219 . Resolution: Turn off the Drop Rights setting.","title":"SBIE2214"},{"location":"Content/SBIE2214/#sbie2214","text":"Message: SBIE2214 Request to start service name was denied due to dropped rights Logged To: Popup Message Log . Explanation: The Drop Rights setting is enabled in the sandbox, and this prevents the service program from starting with full (LocalSystem) privileges. Note that the 64-bit edition of Sandboxie enables the Drop Rights setting by default. This message is followed by message SBIE2219 . Resolution: Turn off the Drop Rights setting.","title":"SBIE2214"},{"location":"Content/SBIE2217/","text":"SBIE2217 Message: SBIE2217 Request to run as Administrator was denied due to dropped rights Logged To: Popup Message Log . Explanation: The Drop Rights setting is enabled in the sandbox, and this prevents the program from starting with Administrator account privileges. This message is followed by message SBIE2219 . 
Resolution: Turn off the Drop Rights setting: Sandbox Settings > Restrictions > Drop Rights .","title":"SBIE2217"},{"location":"Content/SBIE2217/#sbie2217","text":"Message: SBIE2217 Request to run as Administrator was denied due to dropped rights Logged To: Popup Message Log . Explanation: The Drop Rights setting is enabled in the sandbox, and this prevents the program from starting with Administrator account privileges. This message is followed by message SBIE2219 . Resolution: Turn off the Drop Rights setting: Sandbox Settings > Restrictions > Drop Rights .","title":"SBIE2217"},{"location":"Content/SBIE2218/","text":"SBIE2218 Message: SBIE2218 Failed to get elevated privileges: [xx / yyyyyyyy] Logged To: Popup Message Log . Explanation: Some error has occurred which prevents Sandboxie from successfully completing a privilege elevation operation which was issued by a program running in the sandbox. A privilege elevation operation can be: a request to start some service in the sandbox, or on Windows Vista and later, a request to use User Account Control (UAC) to elevate to Administrator privileges. This message is followed by message SBIE2219 . Resolution: This error might occur during program installation. A possible workaround is to run the installation with Administrator privileges: Use the right-click command Run Sandboxed to launch the installation setup program under Sandboxie, and make sure to select the Run as UAC Administrator option in the Run Sandboxed dialog box.","title":"SBIE2218"},{"location":"Content/SBIE2218/#sbie2218","text":"Message: SBIE2218 Failed to get elevated privileges: [xx / yyyyyyyy] Logged To: Popup Message Log . Explanation: Some error has occurred which prevents Sandboxie from successfully completing a privilege elevation operation which was issued by a program running in the sandbox. 
A privilege elevation operation can be: a request to start some service in the sandbox, or on Windows Vista and later, a request to use User Account Control (UAC) to elevate to Administrator privileges. This message is followed by message SBIE2219 . Resolution: This error might occur during program installation. A possible workaround is to run the installation with Administrator privileges: Use the right-click command Run Sandboxed to launch the installation setup program under Sandboxie, and make sure to select the Run as UAC Administrator option in the Run Sandboxed dialog box.","title":"SBIE2218"},{"location":"Content/SBIE2219/","text":"SBIE2219 Message: SBIE2219 Request was issued by program ' name ' Logged To: Popup Message Log . Explanation: This message names a program (identified as ' name ') that has issued an operation that could not be completed. More information about the request, including the reason of failure, is given by one of the messages SBIE2214 , SBIE2217 , or SBIE2218 , which precede message SBIE2219.","title":"SBIE2219"},{"location":"Content/SBIE2219/#sbie2219","text":"Message: SBIE2219 Request was issued by program ' name ' Logged To: Popup Message Log . Explanation: This message names a program (identified as ' name ') that has issued an operation that could not be completed. More information about the request, including the reason of failure, is given by one of the messages SBIE2214 , SBIE2217 , or SBIE2218 , which precede message SBIE2219.","title":"SBIE2219"},{"location":"Content/SBIE2220/","text":"SBIE2220 Message: SBIE2220 To permit use of Administrator privileges, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE2217 and offers a quick way to enable the Drop Rights setting in the sandbox. 
Related Sandboxie Control setting: Sandbox Settings > Restrictions > Drop Rights Related Sandboxie Ini setting: DropAdminRights","title":"SBIE2220"},{"location":"Content/SBIE2220/#sbie2220","text":"Message: SBIE2220 To permit use of Administrator privileges, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE2217 and offers a quick way to enable the Drop Rights setting in the sandbox. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Drop Rights Related Sandboxie Ini setting: DropAdminRights","title":"SBIE2220"},{"location":"Content/SBIE2221/","text":"SBIE2221 Message: SBIE2221 To add the program to Internet Access Restrictions, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE1307 and offers a quick way to add a program to Internet Access restrictions. Related Sandboxie Control setting: Sandbox Settings > Restrictions Settings > Internet Access . Related Sandboxie Ini settings: ClosedFilePath , NotifyInternetAccessDenied .","title":"SBIE2221"},{"location":"Content/SBIE2221/#sbie2221","text":"Message: SBIE2221 To add the program to Internet Access Restrictions, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE1307 and offers a quick way to add a program to Internet Access restrictions. Related Sandboxie Control setting: Sandbox Settings > Restrictions Settings > Internet Access . Related Sandboxie Ini settings: ClosedFilePath , NotifyInternetAccessDenied .","title":"SBIE2221"},{"location":"Content/SBIE2222/","text":"SBIE2222 Message: SBIE2222 To add the program to Start/Run Access Restrictions, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE1308 and offers a quick way to add a program to Start/Run Access restrictions. 
Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Ini settings: ClosedIpcPath , NotifyStartRunAccessDenied .","title":"SBIE2222"},{"location":"Content/SBIE2222/#sbie2222","text":"Message: SBIE2222 To add the program to Start/Run Access Restrictions, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE1308 and offers a quick way to add a program to Start/Run Access restrictions. Related Sandboxie Control setting: Sandbox Settings > Restrictions > Start/Run Access Related Sandboxie Ini settings: ClosedIpcPath , NotifyStartRunAccessDenied .","title":"SBIE2222"},{"location":"Content/SBIE2223/","text":"SBIE2223 Message: SBIE2223 To increase the file size limit for copying files, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE2102 and offers a quick way to adjust the File Migration size limit. Related Sandboxie Control setting: Sandbox Settings > File Migration Related Sandboxie Ini setting: CopyLimitKb","title":"SBIE2223"},{"location":"Content/SBIE2223/#sbie2223","text":"Message: SBIE2223 To increase the file size limit for copying files, please double-click on this message line Logged To: Popup Message Log . Explanation: This message follows message SBIE2102 and offers a quick way to adjust the File Migration size limit. Related Sandboxie Control setting: Sandbox Settings > File Migration Related Sandboxie Ini setting: CopyLimitKb","title":"SBIE2223"},{"location":"Content/SBIE2303/","text":"SBIE2303 Message: SBIE2303 Could not hook name__(reason) Logged To: Popup Message Log . Explanation: This message indicates that the Sandboxie DLL component, which is running within the sandboxed program, has failed to intercept and replace the system function identified by name . 
This message is typically an indication of incompatibility with some third party software.","title":"SBIE2303"},{"location":"Content/SBIE2303/#sbie2303","text":"Message: SBIE2303 Could not hook name__(reason) Logged To: Popup Message Log . Explanation: This message indicates that the Sandboxie DLL component, which is running within the sandboxed program, has failed to intercept and replace the system function identified by name . This message is typically an indication of incompatibility with some third party software.","title":"SBIE2303"},{"location":"Content/SBIE2304/","text":"SBIE2304 Message: SBIE2304 Initialization failed for process program.exe Logged To: Popup Message Log . Explanation: This message indicates that the Sandboxie DLL component, which is running within the sandboxed program, has failed to initialize.","title":"SBIE2304"},{"location":"Content/SBIE2304/#sbie2304","text":"Message: SBIE2304 Initialization failed for process program.exe Logged To: Popup Message Log . Explanation: This message indicates that the Sandboxie DLL component, which is running within the sandboxed program, has failed to initialize.","title":"SBIE2304"},{"location":"Content/SBIE2305/","text":"SBIE2305 Message: SBIE2305 Out of memory Logged To: Popup Message Log . Explanation: There was not enough memory. This message does not necessarily mean that the computer has run out of memory. However, there is no more memory available for use within the region of memory that was allocated to the sandboxed program.","title":"SBIE2305"},{"location":"Content/SBIE2305/#sbie2305","text":"Message: SBIE2305 Out of memory Logged To: Popup Message Log . Explanation: There was not enough memory. This message does not necessarily mean that the computer has run out of memory. 
However, there is no more memory available for use within the region of memory that was allocated to the sandboxed program.","title":"SBIE2305"},{"location":"Content/SBIE2306/","text":"SBIE2306 Message: SBIE2306 Could not locate user directory: [ ntstatus / yy] Logged To: Popup Message Log . Explanation: Sandboxie attempts to enhance the portability of the sandbox by storing personal (also known as \"user profile\") files in a folder that has a generic name rather than a specific one. For example, instead of storing files in \\sandbox\\drive\\c\\Users\\joe\\Documents Sandboxie prefers to store files in \\sandbox\\drive\\c\\user\\current\\Documents This means you can use the same sandbox with some other user account or even some other computer. This message indicates that Sandboxie failed to find the user profile folder, and does not know which folder to associate with the sandbox folder user\\current .","title":"SBIE2306"},{"location":"Content/SBIE2306/#sbie2306","text":"Message: SBIE2306 Could not locate user directory: [ ntstatus / yy] Logged To: Popup Message Log . Explanation: Sandboxie attempts to enhance the portability of the sandbox by storing personal (also known as \"user profile\") files in a folder that has a generic name rather than a specific one. For example, instead of storing files in \\sandbox\\drive\\c\\Users\\joe\\Documents Sandboxie prefers to store files in \\sandbox\\drive\\c\\user\\current\\Documents This means you can use the same sandbox with some other user account or even some other computer. This message indicates that Sandboxie failed to find the user profile folder, and does not know which folder to associate with the sandbox folder user\\current .","title":"SBIE2306"},{"location":"Content/SBIE2307/","text":"SBIE2307 Message: SBIE2307 Could not map drive x__[ ntstatus ] Logged To: Popup Message Log . 
Explanation: Internally, Windows does not recognize drive letters such as A: or C: and instead uses a naming scheme that identifies devices. For example \\Device\\Floppy0 \\Device\\HarddiskVolume1 May be the internal name for drives A: and C: respectively. Sandboxie works in this lower level of Windows and uses the internal names. But for convenience, when files are stored in the sandbox folder, they are stored as \\sandbox\\drive\\a and \\sandbox\\drive\\c . Therefore for every drive, Sandboxie needs to know its associated internal name, so it can map, for example, between C: and \\Device\\HarddiskVolume1 . This message indicates that Sandboxie failed to find the internal name for the drive x noted in the message.","title":"SBIE2307"},{"location":"Content/SBIE2307/#sbie2307","text":"Message: SBIE2307 Could not map drive x__[ ntstatus ] Logged To: Popup Message Log . Explanation: Internally, Windows does not recognize drive letters such as A: or C: and instead uses a naming scheme that identifies devices. For example \\Device\\Floppy0 \\Device\\HarddiskVolume1 May be the internal name for drives A: and C: respectively. Sandboxie works in this lower level of Windows and uses the internal names. But for convenience, when files are stored in the sandbox folder, they are stored as \\sandbox\\drive\\a and \\sandbox\\drive\\c . Therefore for every drive, Sandboxie needs to know its associated internal name, so it can map, for example, between C: and \\Device\\HarddiskVolume1 . This message indicates that Sandboxie failed to find the internal name for the drive x noted in the message.","title":"SBIE2307"},{"location":"Content/SBIE2308/","text":"SBIE2308 Message: SBIE2308 Could not create object directory: [yy / xxxx] Logged To: Popup Message Log . Explanation: Inter-process communication (IPC) objects are logical objects which are used for various forms of communication between programs. 
The IPC objects have identifying names and are organized into a hierarchial structure of directories. Sandboxie redirects all IPC objects created by sandboxed programs to an isolated directory in the hierarchial structure, in order to guarantee separation of communications between programs inside and outside the sandbox. This message indicates that Sandboxie failed to create the isolated directory. Guest or Limited Account If you are running Sandboxie under a guest or limited user account, make sure the user account is allowed to create IPC objects: Open Control Panel > Administrative Tools > Local Security Policy Expand Security Settings > Local Policies > User Rights Assignment Find the entry named \"Create global objects\" Make sure the guest or limited user account is listed for that entry Find the entry named \"Create permanent shared objects\" Make sure the guest or limited user account is listed for that entry","title":"SBIE2308"},{"location":"Content/SBIE2308/#sbie2308","text":"Message: SBIE2308 Could not create object directory: [yy / xxxx] Logged To: Popup Message Log . Explanation: Inter-process communication (IPC) objects are logical objects which are used for various forms of communication between programs. The IPC objects have identifying names and are organized into a hierarchial structure of directories. Sandboxie redirects all IPC objects created by sandboxed programs to an isolated directory in the hierarchial structure, in order to guarantee separation of communications between programs inside and outside the sandbox. This message indicates that Sandboxie failed to create the isolated directory. 
Guest or Limited Account If you are running Sandboxie under a guest or limited user account, make sure the user account is allowed to create IPC objects: Open Control Panel > Administrative Tools > Local Security Policy Expand Security Settings > Local Policies > User Rights Assignment Find the entry named \"Create global objects\" Make sure the guest or limited user account is listed for that entry Find the entry named \"Create permanent shared objects\" Make sure the guest or limited user account is listed for that entry","title":"SBIE2308"},{"location":"Content/SBIE2309/","text":"SBIE2309 Message: SBIE2309 Could not disable COM+/DCOM: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to disable cross-computer COM connectivity (DCOM) from within the sandbox. The customization prevents the COM framework in the sandbox (see SandboxieRpcSs and SandboxieDcomLaunch ) from providing this cross-computer connectivity. This message indicates the customization has failed due to an error.","title":"SBIE2309"},{"location":"Content/SBIE2309/#sbie2309","text":"Message: SBIE2309 Could not disable COM+/DCOM: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to disable cross-computer COM connectivity (DCOM) from within the sandbox. The customization prevents the COM framework in the sandbox (see SandboxieRpcSs and SandboxieDcomLaunch ) from providing this cross-computer connectivity. This message indicates the customization has failed due to an error.","title":"SBIE2309"},{"location":"Content/SBIE2310/","text":"SBIE2310 Message: SBIE2310 Name buffer is approaching overflow ( n ) Logged To: Popup Message Log . 
Explanation: This message identifies a problem condition in Sandboxie, which is the result of an internal error, or more commonly, an incompatibility with some third-party software has occurred Known Conflict This message is usually an indication of a conflict with PC-Tools Spyware Doctor V7 . See the Known Conflicts page.","title":"SBIE2310"},{"location":"Content/SBIE2310/#sbie2310","text":"Message: SBIE2310 Name buffer is approaching overflow ( n ) Logged To: Popup Message Log . Explanation: This message identifies a problem condition in Sandboxie, which is the result of an internal error, or more commonly, an incompatibility with some third-party software has occurred Known Conflict This message is usually an indication of a conflict with PC-Tools Spyware Doctor V7 . See the Known Conflicts page.","title":"SBIE2310"},{"location":"Content/SBIE2311/","text":"SBIE2311 Message: SBIE2311 Could not disable recycle bin (BitBucket): [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to disable the Recycle Bin for sandboxed programs. Instead, sandboxed programs should delete files and folders directly, without using the Recycle Bin. This message indicates the customization has failed due to an error.","title":"SBIE2311"},{"location":"Content/SBIE2311/#sbie2311","text":"Message: SBIE2311 Could not disable recycle bin (BitBucket): [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to disable the Recycle Bin for sandboxed programs. Instead, sandboxed programs should delete files and folders directly, without using the Recycle Bin. This message indicates the customization has failed due to an error.","title":"SBIE2311"},{"location":"Content/SBIE2312/","text":"SBIE2312 Message: SBIE2312 Could not enable BrowseNewProcess setting: [yy / ntstatus ] Logged To: Popup Message Log . 
Explanation: Sandboxie attempted to customize the sandbox in such a way as to prevent multiple instances of the Internet Explorer program from coalescing into a single instance. This message indicates the customization has failed due to an error.","title":"SBIE2312"},{"location":"Content/SBIE2312/#sbie2312","text":"Message: SBIE2312 Could not enable BrowseNewProcess setting: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: Sandboxie attempted to customize the sandbox in such a way as to prevent multiple instances of the Internet Explorer program from coalescing into a single instance. This message indicates the customization has failed due to an error.","title":"SBIE2312"},{"location":"Content/SBIE2313/","text":"SBIE2313 Message: SBIE2313 Could not execute program.exe Logged To: Popup Message Log . Explanation: Sandboxie was not able to execute one of its own programs. Check access permissions to the Sandboxie installation folder and/or reinstall Sandboxie. Possible Causes Sandboxie was configured to block access to the folder containing its program files. See Sandbox Settings > Resource Access > File Access > Blocked Access . A third-party (HIPS) security software was configured to block the execution of the program mentioned in the message. Known Conflicts The message: SBIE2313 Could not execute SandboxieDcomLaunch.exe May be caused by the combination of Sandboxie and versions of PC Tools Firewall Plus prior to 5.0.0.38, if the Enhanced Security Verification (ESV) feature was enabled in the firewall software. To resolve this conflict, please upgrade to the version 5.0.0.38 or later of PC Tools Firewall Plus.","title":"SBIE2313"},{"location":"Content/SBIE2313/#sbie2313","text":"Message: SBIE2313 Could not execute program.exe Logged To: Popup Message Log . Explanation: Sandboxie was not able to execute one of its own programs. Check access permissions to the Sandboxie installation folder and/or reinstall Sandboxie. 
Possible Causes Sandboxie was configured to block access to the folder containing its program files. See Sandbox Settings > Resource Access > File Access > Blocked Access . A third-party (HIPS) security software was configured to block the execution of the program mentioned in the message. Known Conflicts The message: SBIE2313 Could not execute SandboxieDcomLaunch.exe May be caused by the combination of Sandboxie and versions of PC Tools Firewall Plus prior to 5.0.0.38, if the Enhanced Security Verification (ESV) feature was enabled in the firewall software. To resolve this conflict, please upgrade to the version 5.0.0.38 or later of PC Tools Firewall Plus.","title":"SBIE2313"},{"location":"Content/SBIE2314/","text":"SBIE2314 Message: SBIE2314 Canceling process program.exe Logged To: Popup Message Log . Explanation: An update to Windows may cause Sandboxie to issue this message on Windows 7. COM Servers In some specific cases, Sandboxie might need to launch an instance of Internet Explorer, Window Media Player or other media players, to receive the file name that should be opened in the sandbox, when the requester is outside the sandbox. For instance, when Window Media Player is forced to run in the sandbox, and a request is made through Windows Explorer (running outside the sandbox) to open a media file, then Sandboxie needs to launch an instance of Windows Media Player to receive the file name for the media file, so it can then open a properly sandboxed instance of Window Media Player and play the file. This message indicates that a program that was launched in this way to receive the file name experienced some error, and had to be closed. For Internet Explorer and Media Players: As of version 3.32 this message can only be issued for the Internet Explorer program, iexplore.exe , and only when Internet Explorer has been configured as a forced program . 
The message indicates that a special instance of a Internet Explorer, which has been started in order to accept an Internet address (a URL) from a program running outside the sandbox, has encountered an error. You should be able to work around this problem by invoking the Disable Forced Programs command and retrying the operation that opens an Internet address.","title":"SBIE2314"},{"location":"Content/SBIE2314/#sbie2314","text":"Message: SBIE2314 Canceling process program.exe Logged To: Popup Message Log . Explanation: An update to Windows may cause Sandboxie to issue this message on Windows 7. COM Servers In some specific cases, Sandboxie might need to launch an instance of Internet Explorer, Window Media Player or other media players, to receive the file name that should be opened in the sandbox, when the requester is outside the sandbox. For instance, when Window Media Player is forced to run in the sandbox, and a request is made through Windows Explorer (running outside the sandbox) to open a media file, then Sandboxie needs to launch an instance of Windows Media Player to receive the file name for the media file, so it can then open a properly sandboxed instance of Window Media Player and play the file. This message indicates that a program that was launched in this way to receive the file name experienced some error, and had to be closed. For Internet Explorer and Media Players: As of version 3.32 this message can only be issued for the Internet Explorer program, iexplore.exe , and only when Internet Explorer has been configured as a forced program . The message indicates that a special instance of a Internet Explorer, which has been started in order to accept an Internet address (a URL) from a program running outside the sandbox, has encountered an error. 
You should be able to work around this problem by invoking the Disable Forced Programs command and retrying the operation that opens an Internet address.","title":"SBIE2314"},{"location":"Content/SBIE2315/","text":"SBIE2315 Message: SBIE2315 Could not fix executable image Logged To: Popup Message Log . Explanation: As explained in message SBIE1214 , the Sandboxie driver injects the Sandboxie DLL component into a sandboxed program that was started in the sandbox. When the DLL component starts executing within the sandboxed program, it first needs to \"clean up\" the side-effects of the injection. This message indicates an error has occurred and the clean-up is not possible.","title":"SBIE2315"},{"location":"Content/SBIE2315/#sbie2315","text":"Message: SBIE2315 Could not fix executable image Logged To: Popup Message Log . Explanation: As explained in message SBIE1214 , the Sandboxie driver injects the Sandboxie DLL component into a sandboxed program that was started in the sandbox. When the DLL component starts executing within the sandboxed program, it first needs to \"clean up\" the side-effects of the injection. This message indicates an error has occurred and the clean-up is not possible.","title":"SBIE2315"},{"location":"Content/SBIE2316/","text":"SBIE2316 Message: SBIE2316 Memory corrupted Logged To: Popup Message Log . Explanation: The memory areas that Sandboxie maintains within the sandboxed programs have been corrupted. This could be due to an error in Sandboxie which causes it to corrupt its own memory, or due to an error in the sandboxed program which causes it to corrupt the memory areas that are owned by Sandboxie. The sandboxed program immediately aborts. Note that a sandboxed program cannot corrupt these memory areas in an attempt to circumvent Sandboxie. 
Sandboxie effects its restrictions through its driver component, which cannot be damaged or altered in any way by a sandboxed program.","title":"SBIE2316"},{"location":"Content/SBIE2316/#sbie2316","text":"Message: SBIE2316 Memory corrupted Logged To: Popup Message Log . Explanation: The memory areas that Sandboxie maintains within the sandboxed programs have been corrupted. This could be due to an error in Sandboxie which causes it to corrupt its own memory, or due to an error in the sandboxed program which causes it to corrupt the memory areas that are owned by Sandboxie. The sandboxed program immediately aborts. Note that a sandboxed program cannot corrupt these memory areas in an attempt to circumvent Sandboxie. Sandboxie effects its restrictions through its driver component, which cannot be damaged or altered in any way by a sandboxed program.","title":"SBIE2316"},{"location":"Content/SBIE2317/","text":"SBIE2317 Message: SBIE2317 Cannot initialize path list '%2' Logged To: Popup Message Log . Explanation: Whenever a program starts in the sandbox, Sandboxie applies configuration settings from the Sandboxie Ini file to that program. This error message indicates a problem has occurred while preparing the configuration settings for name . name can be OpenFilePath , OpenPipePath , ClosedFilePath , ReadFilePath , OpenKeyPath , ClosedKeyPath , ReadKeyPath , OpenIpcPath , ClosedIpcPath , or OpenWinClass . This message is similar to message SBIE1203 .","title":"SBIE2317"},{"location":"Content/SBIE2317/#sbie2317","text":"Message: SBIE2317 Cannot initialize path list '%2' Logged To: Popup Message Log . Explanation: Whenever a program starts in the sandbox, Sandboxie applies configuration settings from the Sandboxie Ini file to that program. This error message indicates a problem has occurred while preparing the configuration settings for name . 
name can be OpenFilePath , OpenPipePath , ClosedFilePath , ReadFilePath , OpenKeyPath , ClosedKeyPath , ReadKeyPath , OpenIpcPath , ClosedIpcPath , or OpenWinClass . This message is similar to message SBIE1203 .","title":"SBIE2317"},{"location":"Content/SBIE2318/","text":"SBIE2318 Message: SBIE2318 DLL initialization failed for library.dll Logged To: Popup Message Log . Explanation: The sandboxed program issued a request to load the system DLL named in the message. Some functionality in some system DLLs does not work \"out of the box\" when running sandboxed, due to the restrictions placed on the sandboxed program. In these cases, Sandboxie has to alter the DLL in order to assist it in accomplishing its tasks. The message indicates Sandboxie could not \"fix\" the system DLL.","title":"SBIE2318"},{"location":"Content/SBIE2318/#sbie2318","text":"Message: SBIE2318 DLL initialization failed for library.dll Logged To: Popup Message Log . Explanation: The sandboxed program issued a request to load the system DLL named in the message. Some functionality in some system DLLs does not work \"out of the box\" when running sandboxed, due to the restrictions placed on the sandboxed program. In these cases, Sandboxie has to alter the DLL in order to assist it in accomplishing its tasks. The message indicates Sandboxie could not \"fix\" the system DLL.","title":"SBIE2318"},{"location":"Content/SBIE2321/","text":"SBIE2321 Message: SBIE2321 Cannot manage device map: [ ntstatus / yy] Logged To: Popup Message Log . Explanation: The device map is the set of drive letters in the Windows sessions and their corresponding devices. Normally, a program (whether it is running sandboxed or not) automatically inherits the device map of the session in which it is running. However, in some cases, Sandboxie starts programs in a way that disassociates them from the device map. In these cases, Sandboxie also makes an attempt to restore the correct device map. 
This message indicates that the device map could not be applied to the sandboxed program because some error has occurred.","title":"SBIE2321"},{"location":"Content/SBIE2321/#sbie2321","text":"Message: SBIE2321 Cannot manage device map: [ ntstatus / yy] Logged To: Popup Message Log . Explanation: The device map is the set of drive letters in the Windows sessions and their corresponding devices. Normally, a program (whether it is running sandboxed or not) automatically inherits the device map of the session in which it is running. However, in some cases, Sandboxie starts programs in a way that disassociates them from the device map. In these cases, Sandboxie also makes an attempt to restore the correct device map. This message indicates that the device map could not be applied to the sandboxed program because some error has occurred.","title":"SBIE2321"},{"location":"Content/SBIE2322/","text":"SBIE2322 Message: SBIE2322 Cannot rewrite Sandboxie.ini: [yy / xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie was unable to rewrite the contents of the Sandboxie Ini configuration file. During its operation, Sandboxie Control occasionally has to update the contents of the configuration file to reflect changes to sandbox settings and other information. This error indicates that a problem has occurred while updating the configuration file.","title":"SBIE2322"},{"location":"Content/SBIE2322/#sbie2322","text":"Message: SBIE2322 Cannot rewrite Sandboxie.ini: [yy / xxxxxxxx] Logged To: Popup Message Log . Explanation: Sandboxie was unable to rewrite the contents of the Sandboxie Ini configuration file. During its operation, Sandboxie Control occasionally has to update the contents of the configuration file to reflect changes to sandbox settings and other information. 
This error indicates that a problem has occurred while updating the configuration file.","title":"SBIE2322"},{"location":"Content/SBIE2323/","text":"SBIE2323 Message: SBIE2323 Cryptography error: [yy / xxxxxxxx] Logged To: Popup Message Log . Explanation: Password protection is enabled for the Sandboxie Ini configuration file, and Sandboxie encountered some error when trying to apply the password to the file. For more information about protecting the configuration file, please see Configuration Protection .","title":"SBIE2323"},{"location":"Content/SBIE2323/#sbie2323","text":"Message: SBIE2323 Cryptography error: [yy / xxxxxxxx] Logged To: Popup Message Log . Explanation: Password protection is enabled for the Sandboxie Ini configuration file, and Sandboxie encountered some error when trying to apply the password to the file. For more information about protecting the configuration file, please see Configuration Protection .","title":"SBIE2323"},{"location":"Content/SBIE2326/","text":"SBIE2326 Message: SBIE2326 Cannot prepare registry: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: This message indicates than an error has occurred while customizing the registry in the sandbox. This customization creates and links together some registry keys in order to mimic the behavior of the real registry.","title":"SBIE2326"},{"location":"Content/SBIE2326/#sbie2326","text":"Message: SBIE2326 Cannot prepare registry: [yy / ntstatus ] Logged To: Popup Message Log . Explanation: This message indicates than an error has occurred while customizing the registry in the sandbox. This customization creates and links together some registry keys in order to mimic the behavior of the real registry.","title":"SBIE2326"},{"location":"Content/SBIE2327/","text":"SBIE2327 Message: SBIE2327 Error in COM server: [yy / xxxx] Logged To: Popup Message Log . 
Explanation: In some specific cases, Sandboxie acts as a communication channel on behalf of a sandboxed program, and forwards specific requests to a COM object which is executing outside the sandbox. The communication channel is implemented as SbieSvc.exe programs which are started by the Sandboxie service component (which is also called SbieSvc.exe ). This message reports that an error has occurred in one of those SbieSvc.exe programs that serve as a communnication channel. This communication channel is used when a sandboxed program tries to contact a COM object using a CLSID identifier which matches the OpenClsid setting. Related Sandboxie Control setting: Sandbox Settings > Resource Access > COM Access Related Sandboxie Ini setting: OpenClsid .","title":"SBIE2327"},{"location":"Content/SBIE2327/#sbie2327","text":"Message: SBIE2327 Error in COM server: [yy / xxxx] Logged To: Popup Message Log . Explanation: In some specific cases, Sandboxie acts as a communication channel on behalf of a sandboxed program, and forwards specific requests to a COM object which is executing outside the sandbox. The communication channel is implemented as SbieSvc.exe programs which are started by the Sandboxie service component (which is also called SbieSvc.exe ). This message reports that an error has occurred in one of those SbieSvc.exe programs that serve as a communnication channel. This communication channel is used when a sandboxed program tries to contact a COM object using a CLSID identifier which matches the OpenClsid setting. Related Sandboxie Control setting: Sandbox Settings > Resource Access > COM Access Related Sandboxie Ini setting: OpenClsid .","title":"SBIE2327"},{"location":"Content/SBIE2331/","text":"SBIE2331 Message: SBIE2331 Service start failed: [yy / xxxx] text Logged To: Popup Message Log . Explanation: Sandboxie Control has detected that the Sandboxie service component (SbieSvc) is not running. 
Sandboxie Control then tried to start the service, but failed to do so. This message specifies the error code that prevents the service from starting. For example, if the detail is [22 / 5] Access is denied , it indicates that the service SbieSvc is not running, and that Sandboxie Control is running in a user account which does not have the authority to start the service.","title":"SBIE2331"},{"location":"Content/SBIE2331/#sbie2331","text":"Message: SBIE2331 Service start failed: [yy / xxxx] text Logged To: Popup Message Log . Explanation: Sandboxie Control has detected that the Sandboxie service component (SbieSvc) is not running. Sandboxie Control then tried to start the service, but failed to do so. This message specifies the error code that prevents the service from starting. For example, if the detail is [22 / 5] Access is denied , it indicates that the service SbieSvc is not running, and that Sandboxie Control is running in a user account which does not have the authority to start the service.","title":"SBIE2331"},{"location":"Content/SBIE2332/","text":"SBIE2332 Message: SBIE2332 Cannot access file SbiePst.dat Logged To: Popup Message Log . Explanation: The SbiePst.dat file is created in the sandbox and is used by Sandboxie to implement the Protected Storage facility. This error message indicates that Sandboxie experienced a problem either creating or accessing the SbiePst.dat file. For more information, please see Protected Storage .","title":"SBIE2332"},{"location":"Content/SBIE2332/#sbie2332","text":"Message: SBIE2332 Cannot access file SbiePst.dat Logged To: Popup Message Log . Explanation: The SbiePst.dat file is created in the sandbox and is used by Sandboxie to implement the Protected Storage facility. This error message indicates that Sandboxie experienced a problem either creating or accessing the SbiePst.dat file. 
For more information, please see Protected Storage .","title":"SBIE2332"},{"location":"Content/SBIE2334/","text":"SBIE2334 Message: SBIE2334 Cannot load DLL file: dllname.dll Logged To: Popup Message Log . Explanation: When trying to initialize a new process in the sandbox, Sandboxie was unable to load or initialize one of the DLLs used by the main EXE file.","title":"SBIE2334"},{"location":"Content/SBIE2334/#sbie2334","text":"Message: SBIE2334 Cannot load DLL file: dllname.dll Logged To: Popup Message Log . Explanation: When trying to initialize a new process in the sandbox, Sandboxie was unable to load or initialize one of the DLLs used by the main EXE file.","title":"SBIE2334"},{"location":"Content/SBIE3207/","text":"SBIE3207 Message: SBIE3207 Cannot find the Internet Explorer executable Logged To: Popup Message Log . Explanation: The Sandboxie Start.exe program attempts to identify the location for Internet Explorer executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\Applications\\iexplore.exe Typically, the information is contained in the default value of this registry key: HKEY_CLASSES_ROOT\\Applications\\iexplore.exe\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: Consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to Internet Explorer.","title":"SBIE3207"},{"location":"Content/SBIE3207/#sbie3207","text":"Message: SBIE3207 Cannot find the Internet Explorer executable Logged To: Popup Message Log . 
Explanation: The Sandboxie Start.exe program attempts to identify the location for Internet Explorer executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\Applications\\iexplore.exe Typically, the information is contained in the default value of this registry key: HKEY_CLASSES_ROOT\\Applications\\iexplore.exe\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: Consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to Internet Explorer.","title":"SBIE3207"},{"location":"Content/SBIE3208/","text":"SBIE3208 Message: SBIE3208 Cannot find the executable for the default Web browser Logged To: Popup Message Log . Explanation: The Sandboxie Start.exe program attempts to identify the location for the Web browser executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\.html Typically, that registry key points to further information to be found in the following registry key: HKEY_CLASSES_ROOT\\htmlfile And the actual information comes from either of these registry keys: HKEY_CLASSES_ROOT\\htmlfile\\shell\\opennew\\command HKEY_CLASSES_ROOT\\htmlfile\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: It may be possible to fix this problem by forcing your web browser to reset itself as the default web browser for the system. Different browsers provide this feature in different ways, so please consult the documentation for your particular web browser. 
Alternatively, consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to the web browser program.","title":"SBIE3208"},{"location":"Content/SBIE3208/#sbie3208","text":"Message: SBIE3208 Cannot find the executable for the default Web browser Logged To: Popup Message Log . Explanation: The Sandboxie Start.exe program attempts to identify the location for the Web browser executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\.html Typically, that registry key points to further information to be found in the following registry key: HKEY_CLASSES_ROOT\\htmlfile And the actual information comes from either of these registry keys: HKEY_CLASSES_ROOT\\htmlfile\\shell\\opennew\\command HKEY_CLASSES_ROOT\\htmlfile\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: It may be possible to fix this problem by forcing your web browser to reset itself as the default web browser for the system. Different browsers provide this feature in different ways, so please consult the documentation for your particular web browser. Alternatively, consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to the web browser program.","title":"SBIE3208"},{"location":"Content/SBIE3209/","text":"SBIE3209 Message: SBIE3209 Cannot find the executable for the default mail agent Logged To: Popup Message Log . 
Explanation: The Sandboxie Start.exe program attempts to identify the location for the Web browser executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\mailto And the actual information comes from either of these registry keys: HKEY_CLASSES_ROOT\\mailto\\shell\\opennew\\command HKEY_CLASSES_ROOT\\mailto\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: It may be possible to fix this problem by forcing your mail program to reset itself as the default mail program for the system. Different programs provide this feature in different ways, so please consult the documentation for your particular mail program. Alternatively, consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to the web browser program.","title":"SBIE3209"},{"location":"Content/SBIE3209/#sbie3209","text":"Message: SBIE3209 Cannot find the executable for the default mail agent Logged To: Popup Message Log . Explanation: The Sandboxie Start.exe program attempts to identify the location for the Web browser executable program file by looking at information contained under the following registry key: HKEY_CLASSES_ROOT\\mailto And the actual information comes from either of these registry keys: HKEY_CLASSES_ROOT\\mailto\\shell\\opennew\\command HKEY_CLASSES_ROOT\\mailto\\shell\\open\\command This error message indicates that the required information could not be extracted from the registry. Resolution: It may be possible to fix this problem by forcing your mail program to reset itself as the default mail program for the system. Different programs provide this feature in different ways, so please consult the documentation for your particular mail program. 
Alternatively, consider working around this problem by using the Add Shortcut Icons function in Sandboxie Control to create a shortcut directly to the web browser program.","title":"SBIE3209"},{"location":"Content/SBIE9101/","text":"SBIE9101 Message: SBIE9101 Insufficient system resources Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) was not able to complete some operation. The cause of the failure is insufficient system resources, typically memory.","title":"SBIE9101"},{"location":"Content/SBIE9101/#sbie9101","text":"Message: SBIE9101 Insufficient system resources Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) was not able to complete some operation. The cause of the failure is insufficient system resources, typically memory.","title":"SBIE9101"},{"location":"Content/SBIE9153/","text":"SBIE9153 Message: SBIE9153 Cannot start driver (SbieDrv) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) was not able to start the driver component of Sandboxie (SbieDrv). The message does not specify the cause of the error, because that information is not known. Some possible causes for the error: The driver component SbieDrv is not installed correctly. Try to re-install Sandboxie over itself (an update/upgrade installation). If that does not resolve the problem, try to uninstall Sandboxie and re-install a fresh copy. The driver is blocked by Windows. Examine the System Event Log for any related messages from Windows. The driver is blocked by third-party security software. Consult the documentation for your third-party security software.","title":"SBIE9153"},{"location":"Content/SBIE9153/#sbie9153","text":"Message: SBIE9153 Cannot start driver (SbieDrv) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) was not able to start the driver component of Sandboxie (SbieDrv). 
The message does not specify the cause of the error, because that information is not known. Some possible causes for the error: The driver component SbieDrv is not installed correctly. Try to re-install Sandboxie over itself (an update/upgrade installation). If that does not resolve the problem, try to uninstall Sandboxie and re-install a fresh copy. The driver is blocked by Windows. Examine the System Event Log for any related messages from Windows. The driver is blocked by third-party security software. Consult the documentation for your third-party security software.","title":"SBIE9153"},{"location":"Content/SBIE9154/","text":"SBIE9154 Message: SBIE9154 Driver (SbieDrv) and service (SbieSvc) have different version numbers Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has a different version number than the driver component (SbieDrv). To resolve this problem, try to re-install Sandboxie over itself (an update/upgrade installation). If that does not resolve the problem, try to uninstall Sandboxie and re-install a fresh copy.","title":"SBIE9154"},{"location":"Content/SBIE9154/#sbie9154","text":"Message: SBIE9154 Driver (SbieDrv) and service (SbieSvc) have different version numbers Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has a different version number than the driver component (SbieDrv). To resolve this problem, try to re-install Sandboxie over itself (an update/upgrade installation). If that does not resolve the problem, try to uninstall Sandboxie and re-install a fresh copy.","title":"SBIE9154"},{"location":"Content/SBIE9156/","text":"SBIE9156 Message: SBIE9156 Driver initialization not completed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has detected that the driver component (SbieDrv) failed to start. 
Search the System Event Log for any SBIExxxx messages in order to determine the cause of the failure in the driver.","title":"SBIE9156"},{"location":"Content/SBIE9156/#sbie9156","text":"Message: SBIE9156 Driver initialization not completed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has detected that the driver component (SbieDrv) failed to start. Search the System Event Log for any SBIExxxx messages in order to determine the cause of the failure in the driver.","title":"SBIE9156"},{"location":"Content/SBIE9201/","text":"SBIE9201 Message: SBIE9201 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9201"},{"location":"Content/SBIE9201/#sbie9201","text":"Message: SBIE9201 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9201"},{"location":"Content/SBIE9202/","text":"SBIE9202 Message: SBIE9202 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9202"},{"location":"Content/SBIE9202/#sbie9202","text":"Message: SBIE9202 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9202"},{"location":"Content/SBIE9203/","text":"SBIE9203 Message: SBIE9203 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. 
No further information is available.","title":"SBIE9203"},{"location":"Content/SBIE9203/#sbie9203","text":"Message: SBIE9203 Token error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9203"},{"location":"Content/SBIE9204/","text":"SBIE9204 Message: SBIE9204 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9204"},{"location":"Content/SBIE9204/#sbie9204","text":"Message: SBIE9204 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9204"},{"location":"Content/SBIE9205/","text":"SBIE9205 Message: SBIE9205 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9205"},{"location":"Content/SBIE9205/#sbie9205","text":"Message: SBIE9205 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9205"},{"location":"Content/SBIE9206/","text":"SBIE9206 Message: SBIE9206 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9206"},{"location":"Content/SBIE9206/#sbie9206","text":"Message: SBIE9206 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. 
No further information is available.","title":"SBIE9206"},{"location":"Content/SBIE9207/","text":"SBIE9207 Message: SBIE9207 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9207"},{"location":"Content/SBIE9207/#sbie9207","text":"Message: SBIE9207 Security descriptor error Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9207"},{"location":"Content/SBIE9208/","text":"SBIE9208 Message: SBIE9208 Cannot enable SeRestorePrivilege Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. No further information is available.","title":"SBIE9208"},{"location":"Content/SBIE9208/#sbie9208","text":"Message: SBIE9208 Cannot enable SeRestorePrivilege Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to security. 
No further information is available.","title":"SBIE9208"},{"location":"Content/SBIE9251/","text":"SBIE9251 Message: SBIE9251 Port event creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9251"},{"location":"Content/SBIE9251/#sbie9251","text":"Message: SBIE9251 Port event creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9251"},{"location":"Content/SBIE9252/","text":"SBIE9252 Message: SBIE9252 Port creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9252"},{"location":"Content/SBIE9252/#sbie9252","text":"Message: SBIE9252 Port creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9252"},{"location":"Content/SBIE9253/","text":"SBIE9253 Message: SBIE9253 Port thread creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9253"},{"location":"Content/SBIE9253/#sbie9253","text":"Message: SBIE9253 Port thread creation failed Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process communications using LPC ports.","title":"SBIE9253"},{"location":"Content/SBIE9302/","text":"SBIE9302 Message: SBIE9302 Section creation failed (device setup classes) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to 
inter-process shared memory sections. This message typically occurs when the Sandboxie service is restarted while one or more programs are running sandboxed. This message is followed by message SBIE9305 .","title":"SBIE9302"},{"location":"Content/SBIE9302/#sbie9302","text":"Message: SBIE9302 Section creation failed (device setup classes) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. This message typically occurs when the Sandboxie service is restarted while one or more programs are running sandboxed. This message is followed by message SBIE9305 .","title":"SBIE9302"},{"location":"Content/SBIE9304/","text":"SBIE9304 Message: SBIE9304 Section creation failed (device id list) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. This message typically occurs when the Sandboxie service is restarted while one or more programs are running sandboxed. This message is followed by message SBIE9305 .","title":"SBIE9304"},{"location":"Content/SBIE9304/#sbie9304","text":"Message: SBIE9304 Section creation failed (device id list) Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. This message typically occurs when the Sandboxie service is restarted while one or more programs are running sandboxed. This message is followed by message SBIE9305 .","title":"SBIE9304"},{"location":"Content/SBIE9305/","text":"SBIE9305 Message: SBIE9305 Terminate sandboxed programs, if any are running Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. 
The message follows messages SBIE9302 and SBIE9304 and indicates an error condition that typically occurs when the Sandboxie service is restarted while one or more program is running sandboxed.","title":"SBIE9305"},{"location":"Content/SBIE9305/#sbie9305","text":"Message: SBIE9305 Terminate sandboxed programs, if any are running Logged To: System Event Log Explanation: The service component of Sandboxie (SbieSvc) has experienced some error related to inter-process shared memory sections. The message follows messages SBIE9302 and SBIE9304 and indicates an error condition that typically occurs when the Sandboxie service is restarted while one or more program is running sandboxed.","title":"SBIE9305"},{"location":"Content/SBIEDLLAPI/","text":"SBIE DLL API This page describes the callable entrypoints in the SbieDll.dll dynamically-linked library (DLL). These entrypoints expose some functionality of Sandboxie that can be accessed programmatically, that is, through other programs rather than through a person interacting with Sandboxie. There are three aspects to using Sandboxie programmatically: Driving some functionality using the Start.exe program. See Start Command Line . Injecting custom DLLs into sandboxed programs. See InjectDll . Calling Sandboxie entrypoints from programs running (sandboxed or not). Described here. The entrypoints described here are all exported by SbieDll.dll . To access an entrypoint, you should dynamically load this DLL into your program, and get the address of the desired entrypoint. 
For example, __declspec(dllexport) void __stdcall InjectDllMain(HINSTANCE hSbieDll, ULONG_PTR UnusedParameter) { // // locate the address of SbieDll_Hook in SbieDll.dll // typedef void *(__stdcall *P_SbieDll_Hook)( const char *ApiName, void *ApiFunc, void *NewFunc); P_SbieDll_Hook p_SbieDll_Hook = GetProcAddress(hSbieDll, \"SbieDll_Hook\"); // // invoke SbieDll_Hook through the function pointer // p_SbieDll_Hook(...); } Note the use of InjectDllMain (see Inject Dll ) to get a handle to the loaded instance of SbieDll. That is the recommended approach. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine. Enumerate Sandbox Names Prototype: typedef LONG (__stdcall *P_SbieApi_EnumBoxes)( LONG index, // initialize to -1 WCHAR *box_name); // pointer to WCHAR [34] Export Name: SbieApi_EnumBoxes Parameters: index [in] specifies which sandbox to return. Initialize to -1. Sandboxes are enumerated in the order they appear in Sandboxie.ini. box_name [out] receives the sandbox name. Note: this function cannot be used by a sandboxed program. Return Value: Returns the next value to use for the index parameter. Returns -1 when there is nothing left to enumerate. Sample Code: WCHAR name[34]; int index = -1; while (1) { index = SbieApi_EnumBoxes(index, name); if (index == -1) break; SandboxNames_StringArray.add(name); } Query Sandbox Paths by Sandbox Name Prototype: typedef LONG (__stdcall *P_SbieApi_QueryBoxPath)( const WCHAR *box_name, // pointer to WCHAR [34] WCHAR *file_path, WCHAR *key_path, WCHAR *ipc_path, ULONG *file_path_len, ULONG *key_path_len, ULONG *ipc_path_len); Export Name: SbieApi_QueryBoxPath Parameters: box_name [in] specifies the name of the sandbox for which to return path information. file_path [out] receives the path to the root directory of the sandbox, as set by the FileRootPath setting. The buffer receives at most the number of bytes specified by the file_path_len parameter. Pass NULL to ignore this parameter. 
key_path [out] receives the path to the root key of the sandbox registry, as set by the KeyRootPath setting. The buffer receives at most the number of bytes specified by the key_path_len parameter. Pass NULL to ignore this parameter. ipc_path [out] receives the path to the root object directory of the sandbox, as set by the IpcRootPath setting. The buffer receives at most the number of bytes specified by the ipc_path_len parameter. Pass NULL to ignore this parameter. file_path_len [in/out] specifies the length in bytes of the file_path buffer. On return, receives the length in bytes needed to receive a complete buffer. key_path_len [in/out] specifies the length in bytes of the key_path buffer. On return, receives the length in bytes needed to receive a complete buffer. ipc_path_len [in/out] specifies the length in bytes of the ipc_path buffer. On return, receives the length in bytes needed to receive a complete buffer. Return Value: Returns zero on success, a non-zero value on error. Sample Code: ULONG FileLen = 0; ULONG KeyLen = 0; ULONG IpcLen = 0; SbieApi_QueryBoxPath( NULL, NULL, NULL, NULL, &FileLen, &KeyLen, &IpcLen); // note that lengths are returned as the number of bytes, // rather than number of WCHAR characters WCHAR *FileBuf = malloc(FileLen); WCHAR *KeyBuf = malloc(KeyLen); WCHAR *IpcBuf = malloc(IpcLen); SbieApi_QueryBoxPath( FileBuf, KeyBuf, IpcBuf, &FileLen, &KeyLen, &IpcLen); // now use wcslen to count the number of characters FileLen = wcslen(FileBuf); KeyLen = wcslen(KeyBuf); IpcLen = wcslen(IpcBuf); Query Sandbox Paths by Process ID Prototype: typedef LONG (__stdcall *P_SbieApi_QueryProcessPath)( HANDLE process_id, WCHAR *file_path, WCHAR *key_path, WCHAR *ipc_path, ULONG *file_path_len, ULONG *key_path_len, ULONG *ipc_path_len); Export Name: SbieApi_QueryProcessPath Parameters: process_id [in] specifies the ID of the sandboxed process to query. 
file_path [out] key_path [out] ipc_path [out] file_path_len [in/out] key_path_len [in/out] ipc_path_len [in/out] The last six parameters are similar to the last six parameters for the QueryBoxPath function, discussed above. However, QueryProcessPath (this function) returns the sandbox paths that are in use by a running program, whereas QueryBoxPath returns the paths as they are recorded in the Sandboxie configuration. Or put another way: Suppose a sandboxed program starts with PID 124, and then some sandbox path (for instance FileRootPath) is set to a new value. At this point, QueryBoxPath will return the new value, but QueryProcessPath for PID 124 will return the old value. Return Value: Returns zero on success, a non-zero value on error. Enumerate Running Processes Prototype: typedef LONG (__stdcall *P_SbieApi_EnumProcessEx)( const WCHAR *box_name, // pointer to WCHAR [34] BOOLEAN all_sessions, ULONG which_session, ULONG *boxed_pids, // pointer to ULONG [] ULONG *boxed_count); Export Name: SbieApi_EnumProcessEx Parameters: box_name [in] specifies the name of the sandbox in which processes will be enumerated. all_sessions [in] specifies TRUE to enumerate processes in all logon sessions or only in a particular logon session which_session [in] specifies the logon session number in which processes will be enumerated. Ignored if all_sessions if TRUE. Pass the value -1 to specify the current logon session. boxed_pids [out] receives the process ID (PID) numbers. The first ULONG receives the number of processes enumerated. The second ULONG receives the first PID, the third ULONG receives the second PID, and so on. Return Value: Returns zero on success, a non-zero value on error. 
Query Process Information Prototype: typedef LONG (__stdcall *P_SbieApi_QueryProcess)( HANDLE process_id, WCHAR *box_name, // pointer to WCHAR [34] WCHAR *image_name, // pointer to WCHAR [96] WCHAR *sid_string, // pointer to WCHAR [96] ULONG *session_id); Export Name: SbieApi_QueryProcess Parameters: process_id [in] specifies the ID of the sandboxed process to query. box_name [out] receives the name of the sandbox in which the process is running. Pass NULL to ignore this parameter. image_name [out] receives the process name. Pass NULL to ignore this parameter. sid_string [out] receives the SID string for the process. Pass NULL to ignore this parameter. session_id [out] receives the logon session number in which the process is running. Pass NULL to ignore this parameter. Return Value: Returns zero on success, a non-zero value on error. Terminate a Single Sandboxed Process Prototype: typedef BOOLEAN (__stdcall *P_SbieDll_KillOne)( HANDLE process_id); Export Name: SbieDll_KillOne Parameters: process_id [in] specifies the process ID for the sandboxed process that should be terminated. Return Value: Returns TRUE on success, FALSE on failure. The target process is terminated by the Sandboxie service (SbieSvc) with exit code 1 through a call to the Windows API TerminateProcess (ProcessId, 1). Terminate All Sandboxed Processes Prototype: typedef BOOLEAN (__stdcall *P_SbieDll_KillAll)( ULONG session_id, const WCHAR *box_name); Export Name: SbieDll_KillAll Parameters: session_id [in] specifies the logon session number in which sandboxed programs should be terminated. box_name [in] specifies the sandbox name in which sandboxed programs should be terminated. Specify -1 to indicate the current logon session. Return Value: Returns TRUE on success, FALSE on failure. The target processes are terminated in the fashion described above; see SbieDll_KillOne. 
Query Configuration from Sandboxie.ini Prototype: typedef LONG (__stdcall *P_SbieApi_QueryConf)( const WCHAR *section_name, // pointer to WCHAR [34] const WCHAR *setting_name, // pointer to WCHAR [66] ULONG setting_index, WCHAR *value, ULONG value_len) Export Name: SbieApi_QueryConf Parameters: section_name [in] specifies the section name that contains the setting to query. setting_name [in] specifies the setting name to query. setting_index [in] specifies the zero-based index number for a setting that may appear multiple times. The index number can be logically OR'ed with these special values: 0x40000000 - do not scan the [GlobalSettings] section if the specified setting name does appear in the specified section. 0x20000000 - do not expand any variables in the result. 0x10000000 - ignore any settings that originate from a template (typically defined in the Templates.ini file). only query those settings that appear explicitly in the Sandboxie.ini file. value [out] receives the value of the specified setting. value_len [in] specifies the maximum length in bytes of the buffer pointed to by the value parameter. Return Value: Returns zero on success. Returns 0xC000008B if the setting was not found. Any other return value indicates some other error. 
Update Configuration in Sandboxie.ini Prototype: typedef LONG (__stdcall *P_SbieDll_UpdateConf)( WCHAR operation_code, const WCHAR *password, // limited to 64 chars const WCHAR *section_name, // limited to 32 chars const WCHAR *setting_name, // limited to 64 chars const WCHAR *value) // limited to 2000 chars Export Name: SbieDll_UpdateConf Parameters: operation_code [in] specifies how to update the request setting: 's' to set (overwrite), replacing any existing values 'a' to append the new value at the bottom of a list of values (or simply set the new value if there isn't one already) 'i' to insert the new value at the top of a list of values (or simply set the new value if there isn't one already) 'd' to delete an existing value in a list of values password [in] specifies the password to use if one is required, or NULL or an empty string otherwise. section_name [in] is a required parameter which specifies the section name that contains the setting to set. setting_name [in] is a required parameter which specifies the setting name to set. value [ini] is an optional parameter specifies the new value. If operation_code is 's' and value is omitted, the corresponding setting in the specified section will be deleted. If operation_code is 's' and setting_name is \"*\" (wildcard star) and value is omitted, this function deletes a complete section from the configuration file. Return Value: Returns zero on success. Reload Configuration from Sandboxie.ini Prototype: typedef LONG (__stdcall *P_SbieApi_ReloadConf)( ULONG session_id); Export Name: SbieApi_ReloadConf Parameters: session_id [in] specifies the logon session number to which Sandboxie will log any error messages. Pass -1 for the current logon session. Return Value: Returns zero on success, a non-zero value on error. 
Hook a User-Mode Entrypoint Prototype: typedef void *(__stdcall *P_SbieDll_Hook)( const char *name, void *source_func, void *detour_func); Export Name: SbieDll_Hook Parameters: name [in] specifies an ASCII-string naming the entrypoint to be hooked. In case of error, SbieDll_Hook logs a Sandboxie error message which includes this descriptive name. source_func [in] pointer to the function to hook. detour_func [in] pointer to the hook code. This function will cause the source function to invoke the detour function. In other words, the detour function will intercept all calls to the source function. Return Value: Returns a function pointer which can be used by the detour function to invoke the source function. Sample Code: typedef BOOL (__stdcall *P_DeleteFileW)(const WCHAR *Path); P_DeleteFileW pDeleteFileW = NULL; BOOL __stdcall MyDeleteFileW(const WCHAR *Path) { if (Path[0] == L'C') { // silently ignore requests to delete any file on drive C SetLastError(0); return TRUE; } else { // otherwise invoke the original DeleteFileW function return pDeleteFileW(Path); } } main() { pDeleteFileW = GetProcAddress(kernel32dll, \"DeleteFileW\"); pDeleteFileW = SbieDll_Hook(\"DeleteFile\", pDeleteFileW, MyDeleteFileW); } Register for DLL Load/Unload Callbacks Prototype: typedef void (__stdcall *P_DllCallback)(const WCHAR *ImageName, HMODULE ImageBase); typedef BOOLEAN *(__stdcall *P_SbieDll_RegisterDllCallback)( P_DllCallback pCallback); Export Name: SbieDll_RegisterDllCallback This API is available starting with version 3.46 of Sandboxie. Parameters: pCallback specifies a callback function to be invoked whenever any DLL is loaded or unloaded in the process. The callback function cannot be unregistered. The ImageName (first) parameter to the callback function specifies the UNICODE name string for the DLL that was loaded or unloaded. The name string does not include a path. 
The ImageBase (second) parameter to the callback function specifies the load base address for the DLL, when the callback function is invoked to notify of a DLL load. When the callback function is invoked to notify of a DLL unload, this parameter is set to zero. Return Value: Returns TRUE on success, FALSE if the callback cannot be registered. As of version 3.46, Sandboxie supports up to 8 registrations within a single process. Get Sandboxie Home Folder Prototype: typedef LONG *(__stdcall *P_SbieApi_GetHomePath)( WCHAR *NtPath, ULONG NtPathMaxLen, WCHAR *DosPath, ULONG DosPathMaxLen); Export Name: SbieApi_GetHomePath This API is available starting with version 3.52 of Sandboxie. Parameters: NtPath specifies a pointer to a buffer which will receive the full path of the Sandboxie installation folder in NT-path syntax. NtPathMaxLen specifies the size of the NtPath buffer. Specify NULL for NtPath and zero for NtPathMaxLen to not receive the NT path. DosPath specifies a pointer to a buffer which will receive the full path of the Sandboxie installation folder in DOS-path syntax. DosPathMaxLen specifies the size of the DosPath buffer. Specify NULL for DosPath and zero for DosPathMaxLen to not receive the NT path. Return Value: Returns zero on success, a non-zero value on error. STATUS_BUFFER_TOO_SMALL (0xC0000023) indicates either NtPathMaxLen or DosPathMaxLen specifies a buffer that is too small. Increase the size of the input buffer and retry the call.","title":"SBIE DLL API"},{"location":"Content/SBIEDLLAPI/#sbie-dll-api","text":"This page describes the callable entrypoints in the SbieDll.dll dynamically-linked library (DLL). These entrypoints expose some functionality of Sandboxie that can be accessed programmatically, that is, through other programs rather than through a person interacting with Sandboxie. There are three aspects to using Sandboxie programmatically: Driving some functionality using the Start.exe program. See Start Command Line . 
Injecting custom DLLs into sandboxed programs. See InjectDll . Calling Sandboxie entrypoints from programs running (sandboxed or not). Described here. The entrypoints described here are all exported by SbieDll.dll . To access an entrypoint, you should dynamically load this DLL into your program, and get the address of the desired entrypoint. For example, __declspec(dllexport) void __stdcall InjectDllMain(HINSTANCE hSbieDll, ULONG_PTR UnusedParameter) { // // locate the address of SbieDll_Hook in SbieDll.dll // typedef void *(__stdcall *P_SbieDll_Hook)( const char *ApiName, void *ApiFunc, void *NewFunc); P_SbieDll_Hook p_SbieDll_Hook = GetProcAddress(hSbieDll, \"SbieDll_Hook\"); // // invoke SbieDll_Hook through the function pointer // p_SbieDll_Hook(...); } Note the use of InjectDllMain (see Inject Dll ) to get a handle to the loaded instance of SbieDll. That is the recommended approach. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine.","title":"SBIE DLL API"},{"location":"Content/SBIEDLLAPI/#enumerate-sandbox-names","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_EnumBoxes)( LONG index, // initialize to -1 WCHAR *box_name); // pointer to WCHAR [34] Export Name: SbieApi_EnumBoxes Parameters: index [in] specifies which sandbox to return. Initialize to -1. Sandboxes are enumerated in the order they appear in Sandboxie.ini. box_name [out] receives the sandbox name. Note: this function cannot be used by a sandboxed program. Return Value: Returns the next value to use for the index parameter. Returns -1 when there is nothing left to enumerate. 
Sample Code: WCHAR name[34]; int index = -1; while (1) { index = SbieApi_EnumBoxes(index, name); if (index == -1) break; SandboxNames_StringArray.add(name); }","title":"Enumerate Sandbox Names"},{"location":"Content/SBIEDLLAPI/#query-sandbox-paths-by-sandbox-name","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_QueryBoxPath)( const WCHAR *box_name, // pointer to WCHAR [34] WCHAR *file_path, WCHAR *key_path, WCHAR *ipc_path, ULONG *file_path_len, ULONG *key_path_len, ULONG *ipc_path_len); Export Name: SbieApi_QueryBoxPath Parameters: box_name [in] specifies the name of the sandbox for which to return path information. file_path [out] receives the path to the root directory of the sandbox, as set by the FileRootPath setting. The buffer receives at most the number of bytes specified by the file_path_len parameter. Pass NULL to ignore this parameter. key_path [out] receives the path to the root key of the sandbox registry, as set by the KeyRootPath setting. The buffer receives at most the number of bytes specified by the key_path_len parameter. Pass NULL to ignore this parameter. ipc_path [out] receives the path to the root object directory of the sandbox, as set by the IpcRootPath setting. The buffer receives at most the number of bytes specified by the ipc_path_len parameter. Pass NULL to ignore this parameter. file_path_len [in/out] specifies the length in bytes of the file_path buffer. On return, receives the length in bytes needed to receive a complete buffer. key_path_len [in/out] specifies the length in bytes of the key_path buffer. On return, receives the length in bytes needed to receive a complete buffer. ipc_path_len [in/out] specifies the length in bytes of the ipc_path buffer. On return, receives the length in bytes needed to receive a complete buffer. Return Value: Returns zero on success, a non-zero value on error. 
Sample Code: ULONG FileLen = 0; ULONG KeyLen = 0; ULONG IpcLen = 0; SbieApi_QueryBoxPath( NULL, NULL, NULL, NULL, &FileLen, &KeyLen, &IpcLen); // note that lengths are returned as the number of bytes, // rather than number of WCHAR characters WCHAR *FileBuf = malloc(FileLen); WCHAR *KeyBuf = malloc(KeyLen); WCHAR *IpcBuf = malloc(IpcLen); SbieApi_QueryBoxPath( FileBuf, KeyBuf, IpcBuf, &FileLen, &KeyLen, &IpcLen); // now use wcslen to count the number of characters FileLen = wcslen(FileBuf); KeyLen = wcslen(KeyBuf); IpcLen = wcslen(IpcBuf);","title":"Query Sandbox Paths by Sandbox Name"},{"location":"Content/SBIEDLLAPI/#query-sandbox-paths-by-process-id","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_QueryProcessPath)( HANDLE process_id, WCHAR *file_path, WCHAR *key_path, WCHAR *ipc_path, ULONG *file_path_len, ULONG *key_path_len, ULONG *ipc_path_len); Export Name: SbieApi_QueryProcessPath Parameters: process_id [in] specifies the ID of the sandboxed process to query. file_path [out] key_path [out] ipc_path [out] file_path_len [in/out] key_path_len [in/out] ipc_path_len [in/out] The last six parameters are similar to the last six parameters for the QueryBoxPath function, discussed above. However, QueryProcessPath (this function) returns the sandbox paths that are in use by a running program, whereas QueryBoxPath returns the paths as they are recorded in the Sandboxie configuration. Or put another way: Suppose a sandboxed program starts with PID 124, and then some sandbox path (for instance FileRootPath) is set to a new value. At this point, QueryBoxPath will return the new value, but QueryProcessPath for PID 124 will return the old value. 
Return Value: Returns zero on success, a non-zero value on error.","title":"Query Sandbox Paths by Process ID"},{"location":"Content/SBIEDLLAPI/#enumerate-running-processes","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_EnumProcessEx)( const WCHAR *box_name, // pointer to WCHAR [34] BOOLEAN all_sessions, ULONG which_session, ULONG *boxed_pids, // pointer to ULONG [] ULONG *boxed_count); Export Name: SbieApi_EnumProcessEx Parameters: box_name [in] specifies the name of the sandbox in which processes will be enumerated. all_sessions [in] specifies TRUE to enumerate processes in all logon sessions or only in a particular logon session which_session [in] specifies the logon session number in which processes will be enumerated. Ignored if all_sessions if TRUE. Pass the value -1 to specify the current logon session. boxed_pids [out] receives the process ID (PID) numbers. The first ULONG receives the number of processes enumerated. The second ULONG receives the first PID, the third ULONG receives the second PID, and so on. Return Value: Returns zero on success, a non-zero value on error.","title":"Enumerate Running Processes"},{"location":"Content/SBIEDLLAPI/#query-process-information","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_QueryProcess)( HANDLE process_id, WCHAR *box_name, // pointer to WCHAR [34] WCHAR *image_name, // pointer to WCHAR [96] WCHAR *sid_string, // pointer to WCHAR [96] ULONG *session_id); Export Name: SbieApi_QueryProcess Parameters: process_id [in] specifies the ID of the sandboxed process to query. box_name [out] receives the name of the sandbox in which the process is running. Pass NULL to ignore this parameter. image_name [out] receives the process name. Pass NULL to ignore this parameter. sid_string [out] receives the SID string for the process. Pass NULL to ignore this parameter. session_id [out] receives the logon session number in which the process is running. Pass NULL to ignore this parameter. 
Return Value: Returns zero on success, a non-zero value on error.","title":"Query Process Information"},{"location":"Content/SBIEDLLAPI/#terminate-a-single-sandboxed-process","text":"Prototype: typedef BOOLEAN (__stdcall *P_SbieDll_KillOne)( HANDLE process_id); Export Name: SbieDll_KillOne Parameters: process_id [in] specifies the process ID for the sandboxed process that should be terminated. Return Value: Returns TRUE on success, FALSE on failure. The target process is terminated by the Sandboxie service (SbieSvc) with exit code 1 through a call to the Windows API TerminateProcess (ProcessId, 1).","title":"Terminate a Single Sandboxed Process"},{"location":"Content/SBIEDLLAPI/#terminate-all-sandboxed-processes","text":"Prototype: typedef BOOLEAN (__stdcall *P_SbieDll_KillAll)( ULONG session_id, const WCHAR *box_name); Export Name: SbieDll_KillAll Parameters: session_id [in] specifies the logon session number in which sandboxed programs should be terminated. box_name [in] specifies the sandbox name in which sandboxed programs should be terminated. Specify -1 to indicate the current logon session. Return Value: Returns TRUE on success, FALSE on failure. The target processes are terminated in the fashion described above; see SbieDll_KillOne.","title":"Terminate All Sandboxed Processes"},{"location":"Content/SBIEDLLAPI/#query-configuration-from-sandboxieini","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_QueryConf)( const WCHAR *section_name, // pointer to WCHAR [34] const WCHAR *setting_name, // pointer to WCHAR [66] ULONG setting_index, WCHAR *value, ULONG value_len) Export Name: SbieApi_QueryConf Parameters: section_name [in] specifies the section name that contains the setting to query. setting_name [in] specifies the setting name to query. setting_index [in] specifies the zero-based index number for a setting that may appear multiple times. 
The index number can be logically OR'ed with these special values: 0x40000000 - do not scan the [GlobalSettings] section if the specified setting name does appear in the specified section. 0x20000000 - do not expand any variables in the result. 0x10000000 - ignore any settings that originate from a template (typically defined in the Templates.ini file). only query those settings that appear explicitly in the Sandboxie.ini file. value [out] receives the value of the specified setting. value_len [in] specifies the maximum length in bytes of the buffer pointed to by the value parameter. Return Value: Returns zero on success. Returns 0xC000008B if the setting was not found. Any other return value indicates some other error.","title":"Query Configuration from Sandboxie.ini"},{"location":"Content/SBIEDLLAPI/#update-configuration-in-sandboxieini","text":"Prototype: typedef LONG (__stdcall *P_SbieDll_UpdateConf)( WCHAR operation_code, const WCHAR *password, // limited to 64 chars const WCHAR *section_name, // limited to 32 chars const WCHAR *setting_name, // limited to 64 chars const WCHAR *value) // limited to 2000 chars Export Name: SbieDll_UpdateConf Parameters: operation_code [in] specifies how to update the request setting: 's' to set (overwrite), replacing any existing values 'a' to append the new value at the bottom of a list of values (or simply set the new value if there isn't one already) 'i' to insert the new value at the top of a list of values (or simply set the new value if there isn't one already) 'd' to delete an existing value in a list of values password [in] specifies the password to use if one is required, or NULL or an empty string otherwise. section_name [in] is a required parameter which specifies the section name that contains the setting to set. setting_name [in] is a required parameter which specifies the setting name to set. value [ini] is an optional parameter specifies the new value. 
If operation_code is 's' and value is omitted, the corresponding setting in the specified section will be deleted. If operation_code is 's' and setting_name is \"*\" (wildcard star) and value is omitted, this function deletes a complete section from the configuration file. Return Value: Returns zero on success.","title":"Update Configuration in Sandboxie.ini"},{"location":"Content/SBIEDLLAPI/#reload-configuration-from-sandboxieini","text":"Prototype: typedef LONG (__stdcall *P_SbieApi_ReloadConf)( ULONG session_id); Export Name: SbieApi_ReloadConf Parameters: session_id [in] specifies the logon session number to which Sandboxie will log any error messages. Pass -1 for the current logon session. Return Value: Returns zero on success, a non-zero value on error.","title":"Reload Configuration from Sandboxie.ini"},{"location":"Content/SBIEDLLAPI/#hook-a-user-mode-entrypoint","text":"Prototype: typedef void *(__stdcall *P_SbieDll_Hook)( const char *name, void *source_func, void *detour_func); Export Name: SbieDll_Hook Parameters: name [in] specifies an ASCII-string naming the entrypoint to be hooked. In case of error, SbieDll_Hook logs a Sandboxie error message which includes this descriptive name. source_func [in] pointer to the function to hook. detour_func [in] pointer to the hook code. This function will cause the source function to invoke the detour function. In other words, the detour function will intercept all calls to the source function. Return Value: Returns a function pointer which can be used by the detour function to invoke the source function. 
Sample Code: typedef BOOL (__stdcall *P_DeleteFileW)(const WCHAR *Path); P_DeleteFileW pDeleteFileW = NULL; BOOL __stdcall MyDeleteFileW(const WCHAR *Path) { if (Path[0] == L'C') { // silently ignore requests to delete any file on drive C SetLastError(0); return TRUE; } else { // otherwise invoke the original DeleteFileW function return pDeleteFileW(Path); } } main() { pDeleteFileW = GetProcAddress(kernel32dll, \"DeleteFileW\"); pDeleteFileW = SbieDll_Hook(\"DeleteFile\", pDeleteFileW, MyDeleteFileW); }","title":"Hook a User-Mode Entrypoint"},{"location":"Content/SBIEDLLAPI/#register-for-dll-loadunload-callbacks","text":"Prototype: typedef void (__stdcall *P_DllCallback)(const WCHAR *ImageName, HMODULE ImageBase); typedef BOOLEAN *(__stdcall *P_SbieDll_RegisterDllCallback)( P_DllCallback pCallback); Export Name: SbieDll_RegisterDllCallback This API is available starting with version 3.46 of Sandboxie. Parameters: pCallback specifies a callback function to be invoked whenever any DLL is loaded or unloaded in the process. The callback function cannot be unregistered. The ImageName (first) parameter to the callback function specifies the UNICODE name string for the DLL that was loaded or unloaded. The name string does not include a path. The ImageBase (second) parameter to the callback function specifies the load base address for the DLL, when the callback function is invoked to notify of a DLL load. When the callback function is invoked to notify of a DLL unload, this parameter is set to zero. Return Value: Returns TRUE on success, FALSE if the callback cannot be registered. 
As of version 3.46, Sandboxie supports up to 8 registrations within a single process.","title":"Register for DLL Load/Unload Callbacks"},{"location":"Content/SBIEDLLAPI/#get-sandboxie-home-folder","text":"Prototype: typedef LONG *(__stdcall *P_SbieApi_GetHomePath)( WCHAR *NtPath, ULONG NtPathMaxLen, WCHAR *DosPath, ULONG DosPathMaxLen); Export Name: SbieApi_GetHomePath This API is available starting with version 3.52 of Sandboxie. Parameters: NtPath specifies a pointer to a buffer which will receive the full path of the Sandboxie installation folder in NT-path syntax. NtPathMaxLen specifies the size of the NtPath buffer. Specify NULL for NtPath and zero for NtPathMaxLen to not receive the NT path. DosPath specifies a pointer to a buffer which will receive the full path of the Sandboxie installation folder in DOS-path syntax. DosPathMaxLen specifies the size of the DosPath buffer. Specify NULL for DosPath and zero for DosPathMaxLen to not receive the NT path. Return Value: Returns zero on success, a non-zero value on error. STATUS_BUFFER_TOO_SMALL (0xC0000023) indicates either NtPathMaxLen or DosPathMaxLen specifies a buffer that is too small. Increase the size of the input buffer and retry the call.","title":"Get Sandboxie Home Folder"},{"location":"Content/SBIEMessages/","text":"SBIE Messages Sandboxie messages may be issued to the System Event Log or the Popup Message Log . This is not an exhaustive list. For more information, please look in our GitHub repository . Some messages are informational and notify of a common, or in some cases special, event that has occurred. Other messages indicate an error condition. To consult the documentation for a particular message, please use the navigation frame on the right. Some messages display details which include NT status codes, denoted in the help pages as ntstatus . For a list of common NT status codes, please consult Nt Status Codes . 
All documented Messages SBIE1101 SBIE1102 SBIE1103 SBIE1104 SBIE1105 SBIE1106 SBIE1108 SBIE1109 SBIE1110 SBIE1111 SBIE1112 SBIE1113 SBIE1114 SBIE1116 SBIE1119 SBIE1120 SBIE1121 SBIE1122 SBIE1151 SBIE1152 SBIE1153 SBIE1201 SBIE1202 SBIE1203 SBIE1204 SBIE1211 SBIE1212 SBIE1213 SBIE1214 SBIE1215 SBIE1216 SBIE1222 SBIE1223 SBIE1224 SBIE1241 SBIE1242 SBIE1301 SBIE1303 SBIE1304 SBIE1306 SBIE1307 SBIE1308 SBIE1309 SBIE1310 SBIE1311 SBIE1312 SBIE1313 SBIE1314 SBIE1401 SBIE1402 SBIE1403 SBIE1404 SBIE1405 SBIE1406 SBIE1408 SBIE1409 SBIE1410 SBIE1411 SBIE1412 SBIE2102 SBIE2103 SBIE2104 SBIE2108 SBIE2191 SBIE2192 SBIE2193 SBIE2202 SBIE2203 SBIE2204 SBIE2205 SBIE2206 SBIE2207 SBIE2208 SBIE2209 SBIE2210 SBIE2211 SBIE2212 SBIE2213 SBIE2214 SBIE2217 SBIE2218 SBIE2219 SBIE2220 SBIE2221 SBIE2222 SBIE2223 SBIE2303 SBIE2304 SBIE2305 SBIE2306 SBIE2307 SBIE2308 SBIE2309 SBIE2310 SBIE2311 SBIE2312 SBIE2313 SBIE2314 SBIE2315 SBIE2316 SBIE2317 SBIE2318 SBIE2321 SBIE2322 SBIE2323 SBIE2326 SBIE2327 SBIE2331 SBIE2332 SBIE2334 SBIE3207 SBIE3208 SBIE3209 SBIE9101 SBIE9153 SBIE9154 SBIE9156 SBIE9201 SBIE9202 SBIE9203 SBIE9204 SBIE9205 SBIE9206 SBIE9207 SBIE9208 SBIE9251 SBIE9252 SBIE9253 SBIE9302 SBIE9304 SBIE9305","title":"SBIE Messages"},{"location":"Content/SBIEMessages/#sbie-messages","text":"Sandboxie messages may be issued to the System Event Log or the Popup Message Log . This is not an exhaustive list. For more information, please look in our GitHub repository . Some messages are informational and notify of a common, or in some cases special, event that has occurred. Other messages indicate an error condition. To consult the documentation for a particular message, please use the navigation frame on the right. Some messages display details which include NT status codes, denoted in the help pages as ntstatus . 
For a list of common NT status codes, please consult Nt Status Codes .","title":"SBIE Messages"},{"location":"Content/SBIEMessages/#all-documented-messages","text":"SBIE1101 SBIE1102 SBIE1103 SBIE1104 SBIE1105 SBIE1106 SBIE1108 SBIE1109 SBIE1110 SBIE1111 SBIE1112 SBIE1113 SBIE1114 SBIE1116 SBIE1119 SBIE1120 SBIE1121 SBIE1122 SBIE1151 SBIE1152 SBIE1153 SBIE1201 SBIE1202 SBIE1203 SBIE1204 SBIE1211 SBIE1212 SBIE1213 SBIE1214 SBIE1215 SBIE1216 SBIE1222 SBIE1223 SBIE1224 SBIE1241 SBIE1242 SBIE1301 SBIE1303 SBIE1304 SBIE1306 SBIE1307 SBIE1308 SBIE1309 SBIE1310 SBIE1311 SBIE1312 SBIE1313 SBIE1314 SBIE1401 SBIE1402 SBIE1403 SBIE1404 SBIE1405 SBIE1406 SBIE1408 SBIE1409 SBIE1410 SBIE1411 SBIE1412 SBIE2102 SBIE2103 SBIE2104 SBIE2108 SBIE2191 SBIE2192 SBIE2193 SBIE2202 SBIE2203 SBIE2204 SBIE2205 SBIE2206 SBIE2207 SBIE2208 SBIE2209 SBIE2210 SBIE2211 SBIE2212 SBIE2213 SBIE2214 SBIE2217 SBIE2218 SBIE2219 SBIE2220 SBIE2221 SBIE2222 SBIE2223 SBIE2303 SBIE2304 SBIE2305 SBIE2306 SBIE2307 SBIE2308 SBIE2309 SBIE2310 SBIE2311 SBIE2312 SBIE2313 SBIE2314 SBIE2315 SBIE2316 SBIE2317 SBIE2318 SBIE2321 SBIE2322 SBIE2323 SBIE2326 SBIE2327 SBIE2331 SBIE2332 SBIE2334 SBIE3207 SBIE3208 SBIE3209 SBIE9101 SBIE9153 SBIE9154 SBIE9156 SBIE9201 SBIE9202 SBIE9203 SBIE9204 SBIE9205 SBIE9206 SBIE9207 SBIE9208 SBIE9251 SBIE9252 SBIE9253 SBIE9302 SBIE9304 SBIE9305","title":"All documented Messages"},{"location":"Content/SandboxHierarchy/","text":"Sandbox Hierarchy Overview When sandboxed programs create (or modify) objects, such as files, in fact, some kind of data should be created. Sandboxie creates these objects out of the way, to protect the system from harmful changes. But these objects must reside somewhere in the system. This page describes where various types of sandboxed objects are placed. Beginning with version 2.80 of Sandboxie, the layout of the sandbox is not tied to computer-specific device names and account names. See Portable Sandbox for more information. 
Files Files are created in the Sandbox folder according to the following hierarchy: . FileRootPath . . drive . . . C . . . D . . . Q . . user . . . all . . . current The FileRootPath setting specifies a path to the root of a particular sandbox. In other words, if FileRootPath specifies the folder C:\\MySandbox , then the sub-folders drive and user are created as C:\\MySandbox\\drive and C:\\MySandbox\\user, respectively. If the FileRootPath setting is omitted, the BoxRootFolder setting is used instead. The Box Root Folder setting specifies a path to a group of sandboxes. In other words, if Box Root Folder specifies the folder C:\\MySandbox , then the sub-folders drive and user are created as C:\\MySandbox\\Sandbox\\DefaultBox\\drive and C:\\MySandbox\\Sandbox\\DefaultBox\\user, respectively, and assuming the sandbox is called DefaultBox. Please note that BoxRootFolder is a deprecated setting. As sandboxed programs create new files or modify existing files, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the file C:\\NEW.TXT , it will be redirected to create instead ( FileRootPath )\\drive\\C\\NEW.TXT . If the sandboxed program was trying to create the file C:\\Users\\joe\\Documents\\NEW.TXT , it will be redirected to create ( FileRootPath )\\user\\current\\Documents\\NEW.TXT . Files that are created or modified in or below profile (or home ) folders, such as C:\\Users\\joe (on Windows Vista and later) are redirected into the sandboxed user\\current folder. Files that are created or modified in or below the generic (or All Users ) profile, are redirected into the sandboxed user\\all folder. Other files that don't match either of the above paths are redirected to the sandboxed drive\\X folder, where X would be the drive in which the files were supposed to have been written. 
Files that are created or modified on a remote network share are redirected into the sandboxed share\\servername\\sharename folder. When a program tries to open a file for which a copy already exists in the sandbox, Sandboxie will redirect the program to the copy of the file that was previously stored in the sandbox. On the other hand, if a copy for the file does not exist in the sandbox, and if the program does not try to modify the file, then Sandboxie will permit read-only access on the original file outside the sandbox. This behavior can be affected with the file-related settings OpenFilePath , ReadFilePath , and ClosedFilePath . Note that the Sandbox folder itself resides on one particular drive, so even as sandboxed programs may create and modify files in multiple drives, all these files will end up residing physically in the same drive -- the drive where the Sandbox folder resides. Apart from the two sub-folders, drive and user , the Sandbox folder itself contains the file RegHive , and typically also RegHive.LOG . These hold the sandboxed registry. See below. Registry Registry keys are created in a sandboxed registry hive. A registry hive is the Microsoft Windows term for a group of related registry keys that are stored in a single hive file . Sandboxie creates the hive file in the Sandbox folder, as the files RegHive and RegHive.LOG . This hive is mounted (or in other words, loaded into the registry) when a sandboxed program starts. The hive is unmounted when all sandboxed programs end. The sandboxed hive has the following position and structure within the global structure of the Windows registry. . HKEY_USERS . . KeyRootPath . . . machine . . . user . . . . current The KeyRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to HKEY_USERS\\Sandbox (user name) (sandbox name) . For example, if the user joe is using the sandbox DefaultBox, the default KeyRootPath is HKEY_USERS\\Sandbox_joe_DefaultBox . 
As sandboxed programs create new registry keys or modify existing keys, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the key HKEY_LOCAL_MACHINE\\Software\\NewKey , it will be redirected to create instead ( KeyRootPath )\\machine\\Software\\NewKey . If the sandboxed program was trying to create the key HKEY_CURRENT_USER\\Software\\NewKey , it will be redirected to create ( KeyRootPath )\\user\\current\\Software\\NewKey . With the sandboxed registry, the rules for redirection are simpler than for sandboxed files: A registry key created or modified below the HKEY_LOCAL_MACHINE tree will be redirected below the sandboxed machine key. A registry key created or modified below the HKEY_CURRENT_USER tree will be redirected below the sandboxed user\\current key. A registry key created or modified below the HKEY_CLASSES_ROOT tree will be redirected below the sandboxed user\\current_classes key. Note that the sandboxed user\\current\\software\\classes key is a symbolic link to the user\\current_classes key which means and the keys are effectively synonyms and share the same content in the sandboxed Windows registry. As with files, access to a key which has a copy in the sandboxed registry will be redirected to use the copy in the sandbox. Read-only access to a key which does not have a copy in the sandboxed registry will be permitted to access the key outside the sandbox. This behavior can be affected with the registry-related settings OpenKeyPath , ReadKeyPath , and ClosedKeyPath . Inter-Process Objects These objects are used by programs to share information, synchronize processing, and provide services. These objects are never written to disk and they disappear when the system shuts down. Sandboxie isolates these objects in order to make it possible to run the same program sandboxed and un-sandboxed side-by-side. It also keeps sandboxed programs from interfering with un-sandboxed ones. 
These objects are created in the NT object namespace. Their position and structure within that namespace are as follows. . IpcRootPath . . BaseNamedObjects . . . Global . . . Local . . . Session . . RPC Control The IpcRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to \\Sandbox(user name)(sandbox name)\\Session (session number) . For example, if the user joe is running in session zero, and using the sandbox DefaultBox, the default IpcRootPath is \\Sandbox\\joe\\DefaultBox\\Session_0_. Below the IpcRootPath , there are object directories which comprise the NT namespace, and match the layout of existing object directories outside the sandbox area. The directories are created with a persistent attribute, which means they will only disappear at system shutdown. Objects created by sandboxed programs are created within the sandbox object directories. If the program is running outside the supervision of Sandboxie, it would typically create such objects in the \\BaseNamedObjects object directory. Note that objects may be created without a name, in which case the object is effectively isolated to the particular program which created it. However, a program can access the internals of another program in order to locate and use such nameless objects. To mitigate this, Sandboxie prevents a program in the sandbox from accessing a program outside the sandbox in this way. The free utility WinObj by Sysinternals (now a part of Microsoft) can be used to display the NT object namespace. Unlike the case with files or registry keys, sandboxed programs are never permitted to access IPC objects outside the sandbox namespace, not even for read-only access. This behavior can be affected with the registry-related settings OpenIpcPath and ClosedIpcPath . 
Note that Sandboxie includes a number of built-in OpenIpcPath settings to allow programs to function correctly, and in a typical system, more OpenIpcPath settings are applied through compatibility settings for third-party software.","title":"Sandbox Hierarchy"},{"location":"Content/SandboxHierarchy/#sandbox-hierarchy","text":"","title":"Sandbox Hierarchy"},{"location":"Content/SandboxHierarchy/#overview","text":"When sandboxed programs create (or modify) objects, such as files, in fact, some kind of data should be created. Sandboxie creates these objects out of the way, to protect the system from harmful changes. But these objects must reside somewhere in the system. This page describes where various types of sandboxed objects are placed. Beginning with version 2.80 of Sandboxie, the layout of the sandbox is not tied to computer-specific device names and account names. See Portable Sandbox for more information.","title":"Overview"},{"location":"Content/SandboxHierarchy/#files","text":"Files are created in the Sandbox folder according to the following hierarchy: . FileRootPath . . drive . . . C . . . D . . . Q . . user . . . all . . . current The FileRootPath setting specifies a path to the root of a particular sandbox. In other words, if FileRootPath specifies the folder C:\\MySandbox , then the sub-folders drive and user are created as C:\\MySandbox\\drive and C:\\MySandbox\\user, respectively. If the FileRootPath setting is omitted, the BoxRootFolder setting is used instead. The Box Root Folder setting specifies a path to a group of sandboxes. In other words, if Box Root Folder specifies the folder C:\\MySandbox , then the sub-folders drive and user are created as C:\\MySandbox\\Sandbox\\DefaultBox\\drive and C:\\MySandbox\\Sandbox\\DefaultBox\\user, respectively, and assuming the sandbox is called DefaultBox. Please note that BoxRootFolder is a deprecated setting. 
As sandboxed programs create new files or modify existing files, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the file C:\\NEW.TXT , it will be redirected to create instead ( FileRootPath )\\drive\\C\\NEW.TXT . If the sandboxed program was trying to create the file C:\\Users\\joe\\Documents\\NEW.TXT , it will be redirected to create ( FileRootPath )\\user\\current\\Documents\\NEW.TXT . Files that are created or modified in or below profile (or home ) folders, such as C:\\Users\\joe (on Windows Vista and later) are redirected into the sandboxed user\\current folder. Files that are created or modified in or below the generic (or All Users ) profile, are redirected into the sandboxed user\\all folder. Other files that don't match either of the above paths are redirected to the sandboxed drive\\X folder, where X would be the drive in which the files were supposed to have been written. Files that are created or modified on a remote network share are redirected into the sandboxed share\\servername\\sharename folder. When a program tries to open a file for which a copy already exists in the sandbox, Sandboxie will redirect the program to the copy of the file that was previously stored in the sandbox. On the other hand, if a copy for the file does not exist in the sandbox, and if the program does not try to modify the file, then Sandboxie will permit read-only access on the original file outside the sandbox. This behavior can be affected with the file-related settings OpenFilePath , ReadFilePath , and ClosedFilePath . Note that the Sandbox folder itself resides on one particular drive, so even as sandboxed programs may create and modify files in multiple drives, all these files will end up residing physically in the same drive -- the drive where the Sandbox folder resides. 
Apart from the two sub-folders, drive and user , the Sandbox folder itself contains the file RegHive , and typically also RegHive.LOG . These hold the sandboxed registry. See below.","title":"Files"},{"location":"Content/SandboxHierarchy/#registry","text":"Registry keys are created in a sandboxed registry hive. A registry hive is the Microsoft Windows term for a group of related registry keys that are stored in a single hive file . Sandboxie creates the hive file in the Sandbox folder, as the files RegHive and RegHive.LOG . This hive is mounted (or in other words, loaded into the registry) when a sandboxed program starts. The hive is unmounted when all sandboxed programs end. The sandboxed hive has the following position and structure within the global structure of the Windows registry. . HKEY_USERS . . KeyRootPath . . . machine . . . user . . . . current The KeyRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to HKEY_USERS\\Sandbox (user name) (sandbox name) . For example, if the user joe is using the sandbox DefaultBox, the default KeyRootPath is HKEY_USERS\\Sandbox_joe_DefaultBox . As sandboxed programs create new registry keys or modify existing keys, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the key HKEY_LOCAL_MACHINE\\Software\\NewKey , it will be redirected to create instead ( KeyRootPath )\\machine\\Software\\NewKey . If the sandboxed program was trying to create the key HKEY_CURRENT_USER\\Software\\NewKey , it will be redirected to create ( KeyRootPath )\\user\\current\\Software\\NewKey . With the sandboxed registry, the rules for redirection are simpler than for sandboxed files: A registry key created or modified below the HKEY_LOCAL_MACHINE tree will be redirected below the sandboxed machine key. A registry key created or modified below the HKEY_CURRENT_USER tree will be redirected below the sandboxed user\\current key. 
A registry key created or modified below the HKEY_CLASSES_ROOT tree will be redirected below the sandboxed user\\current_classes key. Note that the sandboxed user\\current\\software\\classes key is a symbolic link to the user\\current_classes key which means and the keys are effectively synonyms and share the same content in the sandboxed Windows registry. As with files, access to a key which has a copy in the sandboxed registry will be redirected to use the copy in the sandbox. Read-only access to a key which does not have a copy in the sandboxed registry will be permitted to access the key outside the sandbox. This behavior can be affected with the registry-related settings OpenKeyPath , ReadKeyPath , and ClosedKeyPath .","title":"Registry"},{"location":"Content/SandboxHierarchy/#inter-process-objects","text":"These objects are used by programs to share information, synchronize processing, and provide services. These objects are never written to disk and they disappear when the system shuts down. Sandboxie isolates these objects in order to make it possible to run the same program sandboxed and un-sandboxed side-by-side. It also keeps sandboxed programs from interfering with un-sandboxed ones. These objects are created in the NT object namespace. Their position and structure within that namespace are as follows. . IpcRootPath . . BaseNamedObjects . . . Global . . . Local . . . Session . . RPC Control The IpcRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to \\Sandbox(user name)(sandbox name)\\Session (session number) . For example, if the user joe is running in session zero, and using the sandbox DefaultBox, the default IpcRootPath is \\Sandbox\\joe\\DefaultBox\\Session_0_. Below the IpcRootPath , there are object directories which comprise the NT namespace, and match the layout of existing object directories outside the sandbox area. 
The directories are created with a persistent attribute, which means they will only disappear at system shutdown. Objects created by sandboxed programs are created within the sandbox object directories. If the program is running outside the supervision of Sandboxie, it would typically create such objects in the \\BaseNamedObjects object directory. Note that objects may be created without a name, in which case the object is effectively isolated to the particular program which created it. However, a program can access the internals of another program in order to locate and use such nameless objects. To mitigate this, Sandboxie prevents a program in the sandbox from accessing a program outside the sandbox in this way. The free utility WinObj by Sysinternals (now a part of Microsoft) can be used to display the NT object namespace. Unlike the case with files or registry keys, sandboxed programs are never permitted to access IPC objects outside the sandbox namespace, not even for read-only access. This behavior can be affected with the registry-related settings OpenIpcPath and ClosedIpcPath . Note that Sandboxie includes a number of built-in OpenIpcPath settings to allow programs to function correctly, and in a typical system, more OpenIpcPath settings are applied through compatibility settings for third-party software.","title":"Inter-Process Objects"},{"location":"Content/SandboxMenu/","text":"Sandbox Menu Sandboxie Control > Sandbox Menu Sandbox Sub-Menu One or more sub-menus appear for each sandbox defined. The default configuration includes only one sandbox named DefaultBox , but more can be added using the Create New Sandbox command. Each sub-menu contains the following commands: The Run Sandboxed sub-sub-menu is used to start programs under the supervision of Sandboxie: The Web Browser command starts the system (default) Web browser. (Note: If the wrong program starts, see Frequently Asked Questions to fix this.) 
The Email Reader command starts the system (default) email reader The Any Program command displays the Run Any Program dialog box which is similar to the standard Windows Run... dialog box. It can be used to start programs, open documents, and browse folders, all under the supervision of Sandboxie. The From Start Menu command displays the Sandboxie Start menu, similar to the standard Windows Start menu. It can be used to start programs and other shortcuts that appear in the start menu and on the desktop. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation. The Windows Explorer command starts a sandboxed instance of the Windows Explorer. It can be used to navigate folders and start programs, all under the supervision of Sandboxie. The Terminate Running Programs command stops all programs running in the sandbox. The Quick Recovery command shows the Quick Recovery window. The Delete Contents command shows the Delete Sandbox window. The Explore Contents command opens an unsandboxed folder view for the contents of the sandbox outside the supervision of Sandboxie . If possible, use the Files And Folders View to browse the contents of the sandbox. The Sandbox Settings command opens the Sandbox Settings window. The Rename Sandbox command changes the name of the sandbox. The Remove Sandbox command removes a sandboxed created using the Create New Sandbox command. These commands, except for Rename Sandbox and Remove Sandbox, are also available in the Tray Icon Menu . Create New Sandbox The Create New Sandbox command defines a new sandbox in Sandboxie. A dialog box window will be displayed asking for the name of the new sandbox. The name can be any combination of digits and letters, and its maximum length is 32 characters. A combo box button can specify some existing sandbox, from which settings will be copied into the new sandbox. 
If such an existing sandbox has not been selected, the new sandbox will initially have a default set of settings. Once the sandbox is created, the Sandbox Settings window can be used to alter sandbox settings. Set Container Folder The Set Container Folder command selects the container (or master, or parent) folder which will contain all other sandboxes. The default location is X:\\Sandbox\\%USER%\\%SANDBOX% , where X: stands for the drive where Windows is installed, typically C: . The special variable %SANDBOX% is replaced by the name of the sandbox. The special variable %USER% is replaced by the name of whichever user account (or logon) is using that sandbox. Note that a sandbox created in one user account is visible and can be used by other accounts in the system. However, if the container folder includes the %USER% special variable, then the user accounts don't actually share the same sandbox. Each account has a separate instance of the sandbox. Related Sandboxie Ini setting: FileRootPath . Set Layout and Groups The Set Layout and Groups command permits ordering sandboxes within a hierarchy of groups, when displayed in menus and lists. This does not have any effect on how programs behave within a sandbox. This feature is useful when more than a few sandboxes are defined, as it permits easier menu access to a specific sandbox. Once any groups have been defined, the main Programs View in Sandboxie Control will include a combo box button which can be used to restrict the list of sandboxes that are displayed. Related Sandboxie Ini setting: BoxDisplayOrder. Reveal Hidden Sandbox The Reveal Hidden Sandbox command appears in the menu only if some sandboxes are not visible to or usable by the current user account. A sandbox can be restricted to specific user accounts using the User Accounts Settings settings page in the Sandbox Settings window. The Reveal Hidden Sandbox command can restore visibility of a sandbox that has been made unavailable the current user account. 
Go to Sandboxie Control , Help Topics .","title":"Sandbox Menu"},{"location":"Content/SandboxMenu/#sandbox-menu","text":"Sandboxie Control > Sandbox Menu","title":"Sandbox Menu"},{"location":"Content/SandboxMenu/#sandbox-sub-menu","text":"One or more sub-menus appear for each sandbox defined. The default configuration includes only one sandbox named DefaultBox , but more can be added using the Create New Sandbox command. Each sub-menu contains the following commands: The Run Sandboxed sub-sub-menu is used to start programs under the supervision of Sandboxie: The Web Browser command starts the system (default) Web browser. (Note: If the wrong program starts, see Frequently Asked Questions to fix this.) The Email Reader command starts the system (default) email reader The Any Program command displays the Run Any Program dialog box which is similar to the standard Windows Run... dialog box. It can be used to start programs, open documents, and browse folders, all under the supervision of Sandboxie. The From Start Menu command displays the Sandboxie Start menu, similar to the standard Windows Start menu. It can be used to start programs and other shortcuts that appear in the start menu and on the desktop. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation. The Windows Explorer command starts a sandboxed instance of the Windows Explorer. It can be used to navigate folders and start programs, all under the supervision of Sandboxie. The Terminate Running Programs command stops all programs running in the sandbox. The Quick Recovery command shows the Quick Recovery window. The Delete Contents command shows the Delete Sandbox window. The Explore Contents command opens an unsandboxed folder view for the contents of the sandbox outside the supervision of Sandboxie . If possible, use the Files And Folders View to browse the contents of the sandbox. 
The Sandbox Settings command opens the Sandbox Settings window. The Rename Sandbox command changes the name of the sandbox. The Remove Sandbox command removes a sandboxed created using the Create New Sandbox command. These commands, except for Rename Sandbox and Remove Sandbox, are also available in the Tray Icon Menu .","title":"Sandbox Sub-Menu"},{"location":"Content/SandboxMenu/#create-new-sandbox","text":"The Create New Sandbox command defines a new sandbox in Sandboxie. A dialog box window will be displayed asking for the name of the new sandbox. The name can be any combination of digits and letters, and its maximum length is 32 characters. A combo box button can specify some existing sandbox, from which settings will be copied into the new sandbox. If such an existing sandbox has not been selected, the new sandbox will initially have a default set of settings. Once the sandbox is created, the Sandbox Settings window can be used to alter sandbox settings.","title":"Create New Sandbox"},{"location":"Content/SandboxMenu/#set-container-folder","text":"The Set Container Folder command selects the container (or master, or parent) folder which will contain all other sandboxes. The default location is X:\\Sandbox\\%USER%\\%SANDBOX% , where X: stands for the drive where Windows is installed, typically C: . The special variable %SANDBOX% is replaced by the name of the sandbox. The special variable %USER% is replaced by the name of whichever user account (or logon) is using that sandbox. Note that a sandbox created in one user account is visible and can be used by other accounts in the system. However, if the container folder includes the %USER% special variable, then the user accounts don't actually share the same sandbox. Each account has a separate instance of the sandbox. 
Related Sandboxie Ini setting: FileRootPath .","title":"Set Container Folder"},{"location":"Content/SandboxMenu/#set-layout-and-groups","text":"The Set Layout and Groups command permits ordering sandboxes within a hierarchy of groups, when displayed in menus and lists. This does not have any effect on how programs behave within a sandbox. This feature is useful when more than a few sandboxes are defined, as it permits easier menu access to a specific sandbox. Once any groups have been defined, the main Programs View in Sandboxie Control will include a combo box button which can be used to restrict the list of sandboxes that are displayed. Related Sandboxie Ini setting: BoxDisplayOrder.","title":"Set Layout and Groups"},{"location":"Content/SandboxMenu/#reveal-hidden-sandbox","text":"The Reveal Hidden Sandbox command appears in the menu only if some sandboxes are not visible to or usable by the current user account. A sandbox can be restricted to specific user accounts using the User Accounts Settings settings page in the Sandbox Settings window. The Reveal Hidden Sandbox command can restore visibility of a sandbox that has been made unavailable the current user account. Go to Sandboxie Control , Help Topics .","title":"Reveal Hidden Sandbox"},{"location":"Content/SandboxSettings/","text":"Sandbox Settings The Sandbox Settings window in Sandboxie Control displays and changes the configuration and options associated with a single sandbox. The Sandbox Settings window can be accessed in two ways: From the menu bar: Access the Sandbox Menu , select one of the sandboxes listed, then select the Sandbox Settings command: From the context menu: In the main window area, right-click (or press Shift+F10) on the name of a sandbox, then select the Sandbox Settings command. (See the discussion about Context Menus in Programs View or Files And Folders View for more information.) Note that unless new sandboxes are added, Sandboxie lists only one sandbox: DefaultBox. 
In the Sandbox Settings window, the individual settings are organized into settings pages, and some pages are organized into groups, as shown below. The left part of the window contains the pages and groups. When a settings page is selected (clicked) in the left part of the window, the right part of the window shows the related settings. When a change has been made in a particular page, the change must be applied to Sandboxie before moving to any other settings page. This can be done manually using the Apply button, or automatically by marking the checkbox at the bottom of the window (\"Apply changes when switching to another page\"). The sections below describe each settings page. Configuration changes do not apply to programs that are already running sandboxed at the time the configuration is changed. To keep things simple, you are advised to make configuration changes when no programs are running in the sandbox. For information about the settings, see these pages: Appearance Settings Recovery Settings Delete Settings Program Start Settings Program Stop Settings File Migration Settings Restrictions Settings Resource Access Settings Applications Settings User Accounts Settings","title":"Sandbox Settings"},{"location":"Content/SandboxSettings/#sandbox-settings","text":"The Sandbox Settings window in Sandboxie Control displays and changes the configuration and options associated with a single sandbox. The Sandbox Settings window can be accessed in two ways: From the menu bar: Access the Sandbox Menu , select one of the sandboxes listed, then select the Sandbox Settings command: From the context menu: In the main window area, right-click (or press Shift+F10) on the name of a sandbox, then select the Sandbox Settings command. (See the discussion about Context Menus in Programs View or Files And Folders View for more information.) Note that unless new sandboxes are added, Sandboxie lists only one sandbox: DefaultBox. 
In the Sandbox Settings window, the individual settings are organized into settings pages, and some pages are organized into groups, as shown below. The left part of the window contains the pages and groups. When a settings page is selected (clicked) in the left part of the window, the right part of the window shows the related settings. When a change has been made in a particular page, the change must be applied to Sandboxie before moving to any other settings page. This can be done manually using the Apply button, or automatically by marking the checkbox at the bottom of the window (\"Apply changes when switching to another page\"). The sections below describe each settings page. Configuration changes do not apply to programs that are already running sandboxed at the time the configuration is changed. To keep things simple, you are advised to make configuration changes when no programs are running in the sandbox. For information about the settings, see these pages: Appearance Settings Recovery Settings Delete Settings Program Start Settings Program Stop Settings File Migration Settings Restrictions Settings Resource Access Settings Applications Settings User Accounts Settings","title":"Sandbox Settings"},{"location":"Content/Sandboxie/","text":"Sandboxie Tired of dealing with rogue software, spyware and malware? Spent too many hours removing unsolicited software? Worried about clicking unfamiliar Web links? Introducing Sandboxie Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. 
The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox , depicted as a yellow rectangle. It also illustrates that grouping the changes together makes it easy to delete all of them at once. Benefits of the Isolated Sandbox Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially. Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows. Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system. Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox. Download Sandboxie now and give it a try! Check out the Help Topics for Sandboxie, or visit the Support Page Index .","title":"Sandboxie"},{"location":"Content/Sandboxie/#sandboxie","text":"Tired of dealing with rogue software, spyware and malware? Spent too many hours removing unsolicited software? Worried about clicking unfamiliar Web links?","title":"Sandboxie"},{"location":"Content/Sandboxie/#introducing-sandboxie","text":"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox , depicted as a yellow rectangle. 
It also illustrates that grouping the changes together makes it easy to delete all of them at once.","title":"Introducing Sandboxie"},{"location":"Content/Sandboxie/#benefits-of-the-isolated-sandbox","text":"Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially. Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows. Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system. Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox. Download Sandboxie now and give it a try! Check out the Help Topics for Sandboxie, or visit the Support Page Index .","title":"Benefits of the Isolated Sandbox"},{"location":"Content/SandboxieControl/","text":"Sandboxie Control Overview Sandboxie Control is the graphical front end to Sandboxie Classic, and can control most aspects of Sandboxie. These are some of the things that you can do with it: Start and stop programs under the supervision of Sandboxie View files inside the sandbox Recover desired files out of the sandbox Delete the contents of sandboxes, purging all undesired files Create, remove and configure sandboxes Menus Main Menu: File Menu View Menu Sandbox Menu Configure Menu Help Menu See Also: Tray Icon Menu Visibility Sandboxie is primarily a mechanism to run other programs, not an interactive tool. You will typically hide the main window of Sandboxie Control, and the program will only be visible as a tray icon in your system notification area, typically at the lower-right corner of the screen: (Note the yellow Sandboxie Control icon near the clock.) 
To toggle the hidden state, double-click the tray icon, or right-click it and select the Show Window or Hide Window commands. (See Tray Icon Menu .) Additionally, you can hide the window by clicking the close button (X) at the upper-right corner of the window. To quit Sandboxie Control and remove its tray icon from the system notification area, right-click the tray icon and select Exit . Views Programs View Files And Folders View Quick Links to More Topics Quick Recovery , Immediate Recovery and Delete Sandbox Sandbox Settings Disable Forced Programs Shell Integration Is Window Sandboxed? Go to Help Topics .","title":"Sandboxie Control"},{"location":"Content/SandboxieControl/#sandboxie-control","text":"","title":"Sandboxie Control"},{"location":"Content/SandboxieControl/#overview","text":"Sandboxie Control is the graphical front end to Sandboxie Classic, and can control most aspects of Sandboxie. These are some of the things that you can do with it: Start and stop programs under the supervision of Sandboxie View files inside the sandbox Recover desired files out of the sandbox Delete the contents of sandboxes, purging all undesired files Create, remove and configure sandboxes","title":"Overview"},{"location":"Content/SandboxieControl/#menus","text":"Main Menu: File Menu View Menu Sandbox Menu Configure Menu Help Menu See Also: Tray Icon Menu","title":"Menus"},{"location":"Content/SandboxieControl/#visibility","text":"Sandboxie is primarily a mechanism to run other programs, not an interactive tool. You will typically hide the main window of Sandboxie Control, and the program will only be visible as a tray icon in your system notification area, typically at the lower-right corner of the screen: (Note the yellow Sandboxie Control icon near the clock.) To toggle the hidden state, double-click the tray icon, or right-click it and select the Show Window or Hide Window commands. (See Tray Icon Menu .) 
Additionally, you can hide the window by clicking the close button (X) at the upper-right corner of the window. To quit Sandboxie Control and remove its tray icon from the system notification area, right-click the tray icon and select Exit .","title":"Visibility"},{"location":"Content/SandboxieControl/#views","text":"Programs View Files And Folders View","title":"Views"},{"location":"Content/SandboxieControl/#quick-links-to-more-topics","text":"Quick Recovery , Immediate Recovery and Delete Sandbox Sandbox Settings Disable Forced Programs Shell Integration Is Window Sandboxed? Go to Help Topics .","title":"Quick Links to More Topics"},{"location":"Content/SandboxieIni/","text":"Sandboxie Ini Some aspects of the operation of Sandboxie can be altered or fine-tuned through the use of a human-readable textual configuration file called Sandboxie.ini. This section describes the structure and contents of the file. As a general rule, manual editing of the configuration file is discouraged. You are advised to use Sandboxie Control to make configuration changes. See Sandbox Settings . Location Sandboxie looks for the file Sandboxie.ini in the following folders, in this order: * In the Windows folder: C:\\Windows on most Windows installations * In the Sandboxie installation folder: typically C:\\Program Files\\Sandboxie or C:\\Program Files\\Sandboxie-Plus The search for Sandboxie.ini ends when an instance of the file is found, and all other instances are ignored. When Sandboxie Control updates the configuration, it rewrites the file Sandboxie.ini file in the folder from which the configuration was last read. Thus, if the file is manually moved, Sandboxie configuration must be manually reloaded . (Restarting the computer would have the same effect.) Note: Sandboxie does not support any other custom location for the Sandboxie.ini file. Structure Configuration settings in the file are split into groups, or sections. 
A section begins with a line that specifies its name enclosed within square brackets. For example: [SomeSectionName]. The section continues to the end of the file, or until another section begins. There are three types of sections: The Global Settings section contains settings global to Sandboxie. These apply in one way or another to all sandboxes and all user accounts. There can be only one Global Settings section, typically at the top of the configuration file. One Sandbox Settings section for each sandbox known to Sandboxie. A valid sandbox name is a string of letters and digits, and has a maximum length of 32 characters. The Sandbox Settings section should contain the setting Enabled =y. One User Settings section for each user account. These settings record the state of Sandboxie Control for a particular user account, and include such information as the size of the window. These settings are not documented here, but see a brief discussion below. A simple Sandboxie.ini file may look like this. # Sample Sandboxie Configuration File [GlobalSettings] FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX% # Settings for sandbox DefaultBox [DefaultBox] Enabled=y # Settings for sandbox InstallBox [InstallBox] Enabled=y FileRootPath=D:\\Sandbox\\Install # Sandboxie Control settings for some user [UserSettings_054A02CE] SbieCtrl_UserName=tzuk The example shows four sections: The global section (GlobalSettings), two sandbox sections (DefaultBox and InstallBox), and one user account section (UserSettings_054A02CE). Lines that begin with a hash sign (#) are comments. These lines are skipped. Note: During its operation, Sandboxie Control regularly rewrites the Sandboxie.ini file, and this rewrite loses all comments. However, unrecognized settings are not lost during the rewrite, so one workaround is to write comments in the form Comment=text. The configuration file can contain up to 30,000 lines of text. Each line can be up to 1000 characters long. 
The file is UNICODE-encoded, which means each character is composed of two bytes. Many text file editors, including the system Notepad, handle this encoding properly. Settings Global Settings: Listed in the navigation bar on the right under the heading Global Settings. Settings apply to the general operation of Sandboxie, not to any particular sandbox. Global settings must be placed in the GlobalSettings section, and cannot be overridden by also including them in a sandbox section. Sandbox settings may appear in the GlobalSettings section, and can be overridden by also including them in a sandbox section. Sandbox Settings: Listed in the navigation bar on the right under the heading Sandbox Settings. Settings apply to a particular sandbox when specified in the associated sandbox section. Settings apply to all sandboxes when specified in the [GlobalSettings] section. Settings in the sandbox section override corresponding settings from [GlobalSettings]. In the example above, the sandbox setting FileRootPath appears in [GlobalSettings] and applies to all sandboxes, but note that it is overridden in section [InstallBox]. Sandbox settings can be applied to a specific program. See Program Name Prefix . Some sandbox settings are Yes Or No Settings . Sandbox settings may specify Expandable Variables that Sandboxie recognizes. User Settings Settings record the state of Sandboxie Control , for instance the position of the window. Each user account is directed to a different [UserSettings_XXXXXXXX] section. When a new [UserSettings_XXXXXXXX] is created, default values are taken from the [UserSettings_Default] section, if it exists. If the section [UserSettings_Portable] exists, all user accounts are directed to use this section. Automation Sandboxie includes a command-line utility to query or update the Sandboxie.ini configuration file. The utility is suitable for direct command-line interaction as well as invocation from a script or a program. 
The utility can be found as SbieIni.exe in the Sandboxie installation directory. For further details, see Create a sandbox by command line and SbieIni.exe usage section.","title":"Sandboxie Ini"},{"location":"Content/SandboxieIni/#sandboxie-ini","text":"Some aspects of the operation of Sandboxie can be altered or fine-tuned through the use of a human-readable textual configuration file called Sandboxie.ini. This section describes the structure and contents of the file. As a general rule, manual editing of the configuration file is discouraged. You are advised to use Sandboxie Control to make configuration changes. See Sandbox Settings .","title":"Sandboxie Ini"},{"location":"Content/SandboxieIni/#location","text":"Sandboxie looks for the file Sandboxie.ini in the following folders, in this order: * In the Windows folder: C:\\Windows on most Windows installations * In the Sandboxie installation folder: typically C:\\Program Files\\Sandboxie or C:\\Program Files\\Sandboxie-Plus The search for Sandboxie.ini ends when an instance of the file is found, and all other instances are ignored. When Sandboxie Control updates the configuration, it rewrites the file Sandboxie.ini file in the folder from which the configuration was last read. Thus, if the file is manually moved, Sandboxie configuration must be manually reloaded . (Restarting the computer would have the same effect.) Note: Sandboxie does not support any other custom location for the Sandboxie.ini file.","title":"Location"},{"location":"Content/SandboxieIni/#structure","text":"Configuration settings in the file are split into groups, or sections. A section begins with a line that specifies its name enclosed within square brackets. For example: [SomeSectionName]. The section continues to the end of the file, or until another section begins. There are three types of sections: The Global Settings section contains settings global to Sandboxie. These apply in one way or another to all sandboxes and all user accounts. 
There can be only one Global Settings section, typically at the top of the configuration file. One Sandbox Settings section for each sandbox known to Sandboxie. A valid sandbox name is a string of letters and digits, and has a maximum length of 32 characters. The Sandbox Settings section should contain the setting Enabled =y. One User Settings section for each user account. These settings record the state of Sandboxie Control for a particular user account, and include such information as the size of the window. These settings are not documented here, but see a brief discussion below. A simple Sandboxie.ini file may look like this. # Sample Sandboxie Configuration File [GlobalSettings] FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX% # Settings for sandbox DefaultBox [DefaultBox] Enabled=y # Settings for sandbox InstallBox [InstallBox] Enabled=y FileRootPath=D:\\Sandbox\\Install # Sandboxie Control settings for some user [UserSettings_054A02CE] SbieCtrl_UserName=tzuk The example shows four sections: The global section (GlobalSettings), two sandbox sections (DefaultBox and InstallBox), and one user account section (UserSettings_054A02CE). Lines that begin with a hash sign (#) are comments. These lines are skipped. Note: During its operation, Sandboxie Control regularly rewrites the Sandboxie.ini file, and this rewrite loses all comments. However, unrecognized settings are not lost during the rewrite, so one workaround is to write comments in the form Comment=text. The configuration file can contain up to 30,000 lines of text. Each line can be up to 1000 characters long. The file is UNICODE-encoded, which means each character is composed of two bytes. Many text file editors, including the system Notepad, handle this encoding properly.","title":"Structure"},{"location":"Content/SandboxieIni/#settings","text":"","title":"Settings"},{"location":"Content/SandboxieIni/#global-settings","text":"Listed in the navigation bar on the right under the heading Global Settings. 
Settings apply to the general operation of Sandboxie, not to any particular sandbox. Global settings must be placed in the GlobalSettings section, and cannot be overridden by also including them in a sandbox section. Sandbox settings may appear in the GlobalSettings section, and can be overridden by also including them in a sandbox section.","title":"Global Settings:"},{"location":"Content/SandboxieIni/#sandbox-settings","text":"Listed in the navigation bar on the right under the heading Sandbox Settings. Settings apply to a particular sandbox when specified in the associated sandbox section. Settings apply to all sandboxes when specified in the [GlobalSettings] section. Settings in the sandbox section override corresponding settings from [GlobalSettings]. In the example above, the sandbox setting FileRootPath appears in [GlobalSettings] and applies to all sandboxes, but note that it is overridden in section [InstallBox]. Sandbox settings can be applied to a specific program. See Program Name Prefix . Some sandbox settings are Yes Or No Settings . Sandbox settings may specify Expandable Variables that Sandboxie recognizes.","title":"Sandbox Settings:"},{"location":"Content/SandboxieIni/#user-settings","text":"Settings record the state of Sandboxie Control , for instance the position of the window. Each user account is directed to a different [UserSettings_XXXXXXXX] section. When a new [UserSettings_XXXXXXXX] is created, default values are taken from the [UserSettings_Default] section, if it exists. If the section [UserSettings_Portable] exists, all user accounts are directed to use this section.","title":"User Settings"},{"location":"Content/SandboxieIni/#automation","text":"Sandboxie includes a command-line utility to query or update the Sandboxie.ini configuration file. The utility is suitable for direct command-line interaction as well as invocation from a script or a program. The utility can be found as SbieIni.exe in the Sandboxie installation directory. 
For further details, see Create a sandbox by command line and SbieIni.exe usage section.","title":"Automation"},{"location":"Content/SandboxieLogon/","text":"Sandbox SID","title":"Sandbox SID"},{"location":"Content/SandboxieLogon/#sandbox-sid","text":"","title":"Sandbox SID"},{"location":"Content/SandboxieTrace/","text":"Sandboxie Trace Please see Resource Access Monitor for Sandboxie Classic. Please see Trace Logging for Sandboxie Plus. Overview In some cases, a program may not function correctly within the sandbox, because it needs access to a system resource which is, by default, protected by Sandboxie, and access to that resource is denied. Note that in this case, the sandboxed program is not creating the resource itself; rather, it expects the resource to already be available for access and use. The trace displays access attempts and makes it possible to somewhat easily identify which resources that are needed for correct operation, have been blocked. Enable the Trace The trace can be activated through different Sandboxie Ini settings: FileTrace logs access to files, folders, and filesystem volumes; KeyTrace logs access to registry keys (but not values within keys); PipeTrace logs access to named pipes and mail slot objects which are used for inter-process communication; IpcTrace logs access to other objects used for inter-process communication, and also logs access attempts by one process to another process; GuiTrace logs window-to-window communications; ClsidTrace logs COM communications; NetFwTrace traces the actions of the firewall components (since version 0.9.0 / 5.51.0); LogAPI library to get additional trace output (see this thread for more information). Each setting accepts a sequence of characters which specifies what to log. The character a logs requests which were allowed; the character d logs requests which were denied. 
For the FileTrace and PipeTrace settings, the character i logs requests which were allowed because they access a device which is ignored by Sandboxie, such as a CD-ROM. The settings PipeTrace , IpcTrace and GuiTrace are more relevant to the discussion in this page. FileTrace and KeyTrace will usually not be able to provide insight as to why a sandboxed program is malfunctioning. Thus, typically you enable the trace by making this change in Sandboxie Ini : [GlobalSettings] IpcTrace=ad PipeTrace=ad GuiTrace=ad Then use Sandboxie to reload the configuration: * Configure menu -> Reload Configuration on Sandboxie Classic * Options menu -> Reload ini file on Sandboxie Plus Trace options can be set on a per box basis such that only the boxes you need will generate trace logs. You can also adjust the buffer size by adding TraceBufferPages=2560 that will increase it tenfold. Review the Trace for NetFwTrace , IpcTrace and PipeTrace Since version 0.9.0 / 5.51.0, a new option NetFwTrace=* was added to trace the actions of the firewall components. Please note that the driver only logs to the kernel debug output, which you can view with DbgView.exe . On Windows Vista and later, output from the system debugger log is disabled by default. This blog post and this thread explain how to enable it. The following trace will display output in the following format. (Assuming IpcTrace , and PipeTrace enabled.) ... (001404) SBIE (FA) 00120116.01.00000000 \\Device\\NamedPipe\\ShimViewer ... (001404) SBIE (IA) 001F0001 \\ThemeApiPort ... (001404) SBIE (PD) 00000040 001136 (001404) SBIE (PA) 00020400 001136 ... (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd\\Endpoint (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd ... (001404) SBIE (ID) 001F0001 \\RPC Control\\protected_storage ... 
The format is this: (pid) SBIE (ca) (access) (resource) pid identifies the process attempting the access; c indicates the Sandboxie class for the resource -- more on this later; a indicates if the access was allowed (A) or denied (D); access indicates the access requested to the object, and is typically not interesting or important; resource identifies the resource to which access is desired; in the case of process-to-process access, where ca is (PA) or (PD), the resource name is the process id of the process being accessed. Some examples: (001404) SBIE (IA) 001F0001 \\ThemeApiPort Here the process making the request is process id 1404, and was allowed to access the resource named ThemeApiPort . The resource class is I, so this is an inter-process object. The access was allowed because by default, Sandboxie allows this specific access. (001404) SBIE (ID) 001F0001 \\RPC Control\\protected_storage Here the access to the resource protected_storage was denied. By default Sandboxie does not allow this access; however the OpenProtectedStorage setting changes this behavior. (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd\\Endpoint Here the access is allowed to the resource Endpoint . The resource class is F, so this is a named pipe or a mail slot resource. The access is allowed by default, because the \\Device\\Afd prefix names resources needed for Internet access. Review GuiTrace Entries When GuiTrace is enabled, the trace also produces entries like the following: ... (001404) SBIE (GA) WinHook 0002 on tid=001484 pid=001960 (001404) SBIE (GA) AccHook on tid=000000 pid=000000 ... (001404) SBIE (GD) PostMessage 01224 (04C8) to hwnd=00050060 pid=001324 DDEMLMom (001404) SBIE (GD) SendMessage 49376 (C0E0) to hwnd=00010014 pid=000804 #32769 ... (001404) SBIE (GD) SendInput (001404) SBIE (GA) SendInput These entries have a few formats. The first word after (GA) or (GD) identifies the type of the entry. 
When the first word is WinHook or AccHook , the entry indicates installation of a hook. Its installation is permitted for (GA) entries, and denied for (GD) entries. WinHook is a standard Windows hook, followed by the type of the hook (see SetWidowsHookEx in MSDN ). AccHook is an accessibility hook (see SetWinEventHook in MSDN ). Both entries identify the thread number (tid) process number (pid) into which the hook was to be installed. When the first word is PostMessage , SendMessage or ThrdMessage , the entry shows denied window communication. The following two numbers indicate the window message number, in decimal and hexadecimal. The entry also indicates the window handle (hwnd) of the target window, the process number (pid) which owns this window, and finally, the internal window class name for the window. Analyze the Trace The point of using the trace is usually to identify the resource that is keeping the sandboxed program from functioning correctly. Consider for example the following trace record: (001404) SBIE (ID) 001F0001 \\BaseNamedObjects\\Xyzzy This shows that access to some Xyzzy resource was denied. Sandboxie does not know this resource, and by default, it denies access to unknown resources. If a sandboxed program begins to malfunction (it may lock up, or it may end abruptly, or just complain about something) soon after this record appears in the trace, it stands to reason that the program was expecting the resource to be accessible. The next step is to add an OpenIpcPath setting for this resource: OpenIpcPath=\\BaseNamedObjects\\Xyzzy This setting tells Sandboxie that access to the Xyzzy resource should not be blocked. Then reload the Sandboxie configuration, clear the old contents of the trace display, and restart the sandboxed program. If the program now performs better, Xyzzy was indeed the problematic resource. But if the program still fails, the trace log can be inspected again for later (or possibly earlier) failed access attempts. 
Resource Class The trace record shows the Sandboxie resource class of the object. This indicates which OpenXxxPath setting is needed to allow access to the object. When resource class is F, as in (FA) or (FD), the relevant settings are OpenFilePath and ClosedFilePath . When resource class is K, as in (KA) or (KD), the relevant settings are OpenKeyPath and ClosedKeyPath . When resource class is I, as in (IA) or (ID), the relevant settings are OpenIpcPath and ClosedIpcPath . When resource class is G, as in (GA) or (GD), the relevant setting is OpenWinClass . For COM objects displayed by ClsidTrace, the relevant setting is OpenClsid .","title":"Sandboxie Trace"},{"location":"Content/SandboxieTrace/#sandboxie-trace","text":"","title":"Sandboxie Trace"},{"location":"Content/SandboxieTrace/#please-see-resource-access-monitor-for-sandboxie-classic","text":"","title":"Please see Resource Access Monitor for Sandboxie Classic."},{"location":"Content/SandboxieTrace/#please-see-trace-logging-for-sandboxie-plus","text":"","title":"Please see Trace Logging for Sandboxie Plus."},{"location":"Content/SandboxieTrace/#overview","text":"In some cases, a program may not function correctly within the sandbox, because it needs access to a system resource which is, by default, protected by Sandboxie, and access to that resource is denied. Note that in this case, the sandboxed program is not creating the resource itself; rather, it expects the resource to already be available for access and use. 
The trace displays access attempts and makes it possible to somewhat easily identify which resources that are needed for correct operation, have been blocked.","title":"Overview"},{"location":"Content/SandboxieTrace/#enable-the-trace","text":"The trace can be activated through different Sandboxie Ini settings: FileTrace logs access to files, folders, and filesystem volumes; KeyTrace logs access to registry keys (but not values within keys); PipeTrace logs access to named pipes and mail slot objects which are used for inter-process communication; IpcTrace logs access to other objects used for inter-process communication, and also logs access attempts by one process to another process; GuiTrace logs window-to-window communications; ClsidTrace logs COM communications; NetFwTrace traces the actions of the firewall components (since version 0.9.0 / 5.51.0); LogAPI library to get additional trace output (see this thread for more information). Each setting accepts a sequence of characters which specifies what to log. The character a logs requests which were allowed; the character d logs requests which were denied. For the FileTrace and PipeTrace settings, the character i logs requests which were allowed because they access a device which is ignored by Sandboxie, such as a CD-ROM. The settings PipeTrace , IpcTrace and GuiTrace are more relevant to the discussion in this page. FileTrace and KeyTrace will usually not be able to provide insight as to why a sandboxed program is malfunctioning. Thus, typically you enable the trace by making this change in Sandboxie Ini : [GlobalSettings] IpcTrace=ad PipeTrace=ad GuiTrace=ad Then use Sandboxie to reload the configuration: * Configure menu -> Reload Configuration on Sandboxie Classic * Options menu -> Reload ini file on Sandboxie Plus Trace options can be set on a per box basis such that only the boxes you need will generate trace logs. 
You can also adjust the buffer size by adding TraceBufferPages=2560 that will increase it tenfold.","title":"Enable the Trace"},{"location":"Content/SandboxieTrace/#review-the-trace-for-netfwtrace-ipctrace-and-pipetrace","text":"Since version 0.9.0 / 5.51.0, a new option NetFwTrace=* was added to trace the actions of the firewall components. Please note that the driver only logs to the kernel debug output, which you can view with DbgView.exe . On Windows Vista and later, output from the system debugger log is disabled by default. This blog post and this thread explain how to enable it. The following trace will display output in the following format. (Assuming IpcTrace , and PipeTrace enabled.) ... (001404) SBIE (FA) 00120116.01.00000000 \\Device\\NamedPipe\\ShimViewer ... (001404) SBIE (IA) 001F0001 \\ThemeApiPort ... (001404) SBIE (PD) 00000040 001136 (001404) SBIE (PA) 00020400 001136 ... (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd\\Endpoint (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd ... (001404) SBIE (ID) 001F0001 \\RPC Control\\protected_storage ... The format is this: (pid) SBIE (ca) (access) (resource) pid identifies the process attempting the access; c indicates the Sandboxie class for the resource -- more on this later; a indicates if the access was allowed (A) or denied (D); access indicates the access requested to the object, and is typically not interesting or important; resource identifies the resource to which access is desired; in the case of process-to-process access, where ca is (PA) or (PD), the resource name is the process id of the process being accessed. Some examples: (001404) SBIE (IA) 001F0001 \\ThemeApiPort Here the process making the request is process id 1404, and was allowed to access the resource named ThemeApiPort . The resource class is I, so this is an inter-process object. The access was allowed because by default, Sandboxie allows this specific access. 
(001404) SBIE (ID) 001F0001 \\RPC Control\\protected_storage Here the access to the resource protected_storage was denied. By default Sandboxie does not allow this access; however the OpenProtectedStorage setting changes this behavior. (001404) SBIE (FA) 00000001.0F.FFFFFFFF \\Device\\Afd\\Endpoint Here the access is allowed to the resource Endpoint . The resource class is F, so this is a named pipe or a mail slot resource. The access is allowed by default, because the \\Device\\Afd prefix names resources needed for Internet access.","title":"Review the Trace for NetFwTrace, IpcTrace and PipeTrace"},{"location":"Content/SandboxieTrace/#review-guitrace-entries","text":"When GuiTrace is enabled, the trace also produces entries like the following: ... (001404) SBIE (GA) WinHook 0002 on tid=001484 pid=001960 (001404) SBIE (GA) AccHook on tid=000000 pid=000000 ... (001404) SBIE (GD) PostMessage 01224 (04C8) to hwnd=00050060 pid=001324 DDEMLMom (001404) SBIE (GD) SendMessage 49376 (C0E0) to hwnd=00010014 pid=000804 #32769 ... (001404) SBIE (GD) SendInput (001404) SBIE (GA) SendInput These entries have a few formats. The first word after (GA) or (GD) identifies the type of the entry. When the first word is WinHook or AccHook , the entry indicates installation of a hook. Its installation is permitted for (GA) entries, and denied for (GD) entries. WinHook is a standard Windows hook, followed by the type of the hook (see SetWidowsHookEx in MSDN ). AccHook is an accessibility hook (see SetWinEventHook in MSDN ). Both entries identify the thread number (tid) process number (pid) into which the hook was to be installed. When the first word is PostMessage , SendMessage or ThrdMessage , the entry shows denied window communication. The following two numbers indicate the window message number, in decimal and hexadecimal. 
The entry also indicates the window handle (hwnd) of the target window, the process number (pid) which owns this window, and finally, the internal window class name for the window.","title":"Review GuiTrace Entries"},{"location":"Content/SandboxieTrace/#analyze-the-trace","text":"The point of using the trace is usually to identify the resource that is keeping the sandboxed program from functioning correctly. Consider for example the following trace record: (001404) SBIE (ID) 001F0001 \\BaseNamedObjects\\Xyzzy This shows that access to some Xyzzy resource was denied. Sandboxie does not know this resource, and by default, it denies access to unknown resources. If a sandboxed program begins to malfunction (it may lock up, or it may end abruptly, or just complain about something) soon after this record appears in the trace, it stands to reason that the program was expecting the resource to be accessible. The next step is to add an OpenIpcPath setting for this resource: OpenIpcPath=\\BaseNamedObjects\\Xyzzy This setting tells Sandboxie that access to the Xyzzy resource should not be blocked. Then reload the Sandboxie configuration, clear the old contents of the trace display, and restart the sandboxed program. If the program now performs better, Xyzzy was indeed the problematic resource. But if the program still fails, the trace log can be inspected again for later (or possibly earlier) failed access attempts.","title":"Analyze the Trace"},{"location":"Content/SandboxieTrace/#resource-class","text":"The trace record shows the Sandboxie resource class of the object. This indicates which OpenXxxPath setting is needed to allow access to the object. When resource class is F, as in (FA) or (FD), the relevant settings are OpenFilePath and ClosedFilePath . When resource class is K, as in (KA) or (KD), the relevant settings are OpenKeyPath and ClosedKeyPath . When resource class is I, as in (IA) or (ID), the relevant settings are OpenIpcPath and ClosedIpcPath . 
When resource class is G, as in (GA) or (GD), the relevant setting is OpenWinClass . For COM objects displayed by ClsidTrace, the relevant setting is OpenClsid .","title":"Resource Class"},{"location":"Content/SbieCtrl_HideMessage/","text":"SbieCtrl_HideMessage SbieCtrl_HideMessage is a user setting in Sandboxie Ini . It specifies which of the SBIE Messages should be hidden from popping up. . . . [UserSettings_054A02CE] SbieCtrl_HideMessage=1101 SbieCtrl_HideMessage=1102,Example Message The first parameter is mandatory and specifies the ID number of the SBIE Messages to be hidden. The second parameter is optional. If specified in Sandboxie Plus, only messages that match the text will be hidden, otherwise all occurrences of the message will be hidden. Related Sandboxie Plus setting: Global Settings > General Config > Notifications > SBIE Messages Related Sandboxie Control setting: Messages From Sandboxie pop-up window","title":"SbieCtrl_HideMessage"},{"location":"Content/SbieCtrl_HideMessage/#sbiectrl_hidemessage","text":"SbieCtrl_HideMessage is a user setting in Sandboxie Ini . It specifies which of the SBIE Messages should be hidden from popping up. . . . [UserSettings_054A02CE] SbieCtrl_HideMessage=1101 SbieCtrl_HideMessage=1102,Example Message The first parameter is mandatory and specifies the ID number of the SBIE Messages to be hidden. The second parameter is optional. If specified in Sandboxie Plus, only messages that match the text will be hidden, otherwise all occurrences of the message will be hidden. 
Related Sandboxie Plus setting: Global Settings > General Config > Notifications > SBIE Messages Related Sandboxie Control setting: Messages From Sandboxie pop-up window","title":"SbieCtrl_HideMessage"},{"location":"Content/SecureDeleteSandbox/","text":"Secure Delete Sandbox Typical file deletion makes data inaccessible to the operating system and programs, but the data is not physically wiped from the hard drive storage medium, and may be recovered by by a data recovery technician. To make this recovery more difficult, third-party software exists that can perform a secure deletion. This is typically accomplished by overwriting the data multiple times before deleting it. For more information, see Data remanence in Wikipedia . By default, Sandboxie deletes the sandbox using a standard Windows command to delete folders -- RMDIR . This makes sure the contents of the sandbox (including malicious software) are properly removed from the operating system. But as mentioned above, it leaves the data vulnerable to inspection and recovery by forensics experts. People who are concerned about the privacy of their sensitive data can plug a third-party secure deletion utility into Sandboxie, to be used instead of the standard command. You can configure a custom delete command through Sandboxie Control or by manually editing the Sandboxie Ini configuration file. In Sandboxie Control Use Sandbox Settings > Delete > Command . A couple of examples for the Delete Command: Invoke Eraser by Heidi Computers to delete the contents securely: %SystemRoot%\\System32\\eraserl.exe -folder \"%SANDBOX%\" -subfolders -method DoD_E -resultsonerror -queue Invoke SDelete by SysInternals/Microsoft to delete the contents securely. \"C:\\Program Files\\Sysinternals\\SDelete\\sdelete.exe\" -p 3 -s -q \"%SANDBOX%\" In the Sandboxie.ini Configuration File To configure a custom delete command for a particular sandbox, edit or insert the DeleteCommand setting in the sandbox section of Sandboxie Ini . 
To configure a global custom delete command, edit or insert the DeleteCommand setting in the [GlobalSettings] section of Sandboxie Ini . When specifying this setting, make sure to include \"%SANDBOX%\" (with quote marks) in the command. Before launching the delete command, Sandboxie scans the sandbox to make sure all files can be properly deleted, as described in Delete Contents of Sandbox . Go to Help Topics .","title":"Secure Delete Sandbox"},{"location":"Content/SecureDeleteSandbox/#secure-delete-sandbox","text":"Typical file deletion makes data inaccessible to the operating system and programs, but the data is not physically wiped from the hard drive storage medium, and may be recovered by by a data recovery technician. To make this recovery more difficult, third-party software exists that can perform a secure deletion. This is typically accomplished by overwriting the data multiple times before deleting it. For more information, see Data remanence in Wikipedia . By default, Sandboxie deletes the sandbox using a standard Windows command to delete folders -- RMDIR . This makes sure the contents of the sandbox (including malicious software) are properly removed from the operating system. But as mentioned above, it leaves the data vulnerable to inspection and recovery by forensics experts. People who are concerned about the privacy of their sensitive data can plug a third-party secure deletion utility into Sandboxie, to be used instead of the standard command. You can configure a custom delete command through Sandboxie Control or by manually editing the Sandboxie Ini configuration file. In Sandboxie Control Use Sandbox Settings > Delete > Command . A couple of examples for the Delete Command: Invoke Eraser by Heidi Computers to delete the contents securely: %SystemRoot%\\System32\\eraserl.exe -folder \"%SANDBOX%\" -subfolders -method DoD_E -resultsonerror -queue Invoke SDelete by SysInternals/Microsoft to delete the contents securely. 
\"C:\\Program Files\\Sysinternals\\SDelete\\sdelete.exe\" -p 3 -s -q \"%SANDBOX%\" In the Sandboxie.ini Configuration File To configure a custom delete command for a particular sandbox, edit or insert the DeleteCommand setting in the sandbox section of Sandboxie Ini . To configure a global custom delete command, edit or insert the DeleteCommand setting in the [GlobalSettings] section of Sandboxie Ini . When specifying this setting, make sure to include \"%SANDBOX%\" (with quote marks) in the command. Before launching the delete command, Sandboxie scans the sandbox to make sure all files can be properly deleted, as described in Delete Contents of Sandbox . Go to Help Topics .","title":"Secure Delete Sandbox"},{"location":"Content/SeparateUserFolders/","text":"Separate User Folders SeparateUserFolders is a sandbox setting in Sandboxie Ini available since v0.2.2 / 5.41.2. It specifies whether user profile files will be stored separately in the sandbox. . . . [DefaultBox] SeparateUserFolders=n The setting in the example will result in user profile files no longer being stored separately in the sandbox. Related Sandboxie Plus setting: Sandbox Options > File Options > Separate user folders","title":"Separate User Folders"},{"location":"Content/SeparateUserFolders/#separate-user-folders","text":"SeparateUserFolders is a sandbox setting in Sandboxie Ini available since v0.2.2 / 5.41.2. It specifies whether user profile files will be stored separately in the sandbox. . . . [DefaultBox] SeparateUserFolders=n The setting in the example will result in user profile files no longer being stored separately in the sandbox. Related Sandboxie Plus setting: Sandbox Options > File Options > Separate user folders","title":"Separate User Folders"},{"location":"Content/ServicePrograms/","text":"Service Programs Overview A Windows computers includes several service programs which are designed to accept requests from application programs. 
Many service programs run inside special svchost.exe processes (programs), although some others run as standalone processes. Programs running under Sandboxie are not allowed to reach those system service programs, due to the isolation of the sandbox. Instead, Sandboxie provides its own service programs, which run in the same sandbox as the program requesting the service. The Sandboxie service programs are started on demand. It is not an error or a problem if any of the service programs listed below are not running at any given moment. Remote Procedure Call (RPC) Program Name: SandboxieRpcSs.exe Service Name: rpcss The Component Object Model (COM) main service. This service provides a wide range of services to applications in the sandbox, including mechanisms for one application to start another application. Depending on the programs you run sandboxed, the service may or may not need to start. This service, along with the DCOM Server Process Launcher (see below) makes it possible for other service programs to start in the sandbox. DCOM Server Process Launcher Program Name: SandboxieDcomLaunch.exe Service Name: dcomlaunch This service, along with the Remote Procedure Call (RPC) (see above) makes it possible for other service programs to start in the sandbox. Note that this service is available on Windows XP Service Pack 2 and later operating systems. Cryptographic Services Program Name: SandboxieCrypto.exe Service Name: cryptsvc Manages software signing, security certificates and software catalogs.. This service manages and stores in the sandbox any digital certificates or catalog information that was installed by other programs running in the same sandbox. This service occasionally connects to the Internet address mscrl.microsoft.com . This connection is initiated by Microsoft code running within SandboxieCrypto.exe and it is part of the procedure which verifies or revokes digital certificates for Web sites and programs. 
This connection is not unique to SandboxieCrypto.exe and is initiated also by the \"real\" service program running under one of the svchost.exe processes. It is possible to block this connection through Restrictions > Internet Access or through a firewall. However, this is not recommended. Please see Certificate revocation list on Wikipedia for more information about certificate revocation. Background Intelligent Transfer Service Program Name: SandboxieBITS.exe Service Name: bits Downloads files in the background on behalf of a requesting applications. Some installation programs (most commonly for Microsoft and Google products) ask this service to download additional resource files on their behalf. The service downloads these files into the sandbox. Automatic Updates Program Name: SandboxieWUAU.exe Service Name: wuauserv Checks for Windows updates and downloads them using the Background Intelligent Transfer Service (see above). Once the updates are downloaded into the sandbox, this service will try to install them into the sandbox. Note that in some cases, updates to Windows involve the modification of core system files. Such modification might fail or have no effect, when carried out under the supervision of Sandboxie. Windows Installer Program Name: msiexec.exe Service Name: msiserver Installs software packages that were prepared using Windows Installer technology. The software will be installed into the sandbox. It is typical to see several instances of msiexec.exe start and stop during software installation.","title":"Service Programs"},{"location":"Content/ServicePrograms/#service-programs","text":"","title":"Service Programs"},{"location":"Content/ServicePrograms/#overview","text":"A Windows computers includes several service programs which are designed to accept requests from application programs. Many service programs run inside special svchost.exe processes (programs), although some others run as standalone processes. 
Programs running under Sandboxie are not allowed to reach those system service programs, due to the isolation of the sandbox. Instead, Sandboxie provides its own service programs, which run in the same sandbox as the program requesting the service. The Sandboxie service programs are started on demand. It is not an error or a problem if any of the service programs listed below are not running at any given moment.","title":"Overview"},{"location":"Content/ServicePrograms/#remote-procedure-call-rpc","text":"Program Name: SandboxieRpcSs.exe Service Name: rpcss The Component Object Model (COM) main service. This service provides a wide range of services to applications in the sandbox, including mechanisms for one application to start another application. Depending on the programs you run sandboxed, the service may or may not need to start. This service, along with the DCOM Server Process Launcher (see below) makes it possible for other service programs to start in the sandbox.","title":"Remote Procedure Call (RPC)"},{"location":"Content/ServicePrograms/#dcom-server-process-launcher","text":"Program Name: SandboxieDcomLaunch.exe Service Name: dcomlaunch This service, along with the Remote Procedure Call (RPC) (see above) makes it possible for other service programs to start in the sandbox. Note that this service is available on Windows XP Service Pack 2 and later operating systems.","title":"DCOM Server Process Launcher"},{"location":"Content/ServicePrograms/#cryptographic-services","text":"Program Name: SandboxieCrypto.exe Service Name: cryptsvc Manages software signing, security certificates and software catalogs.. This service manages and stores in the sandbox any digital certificates or catalog information that was installed by other programs running in the same sandbox. This service occasionally connects to the Internet address mscrl.microsoft.com . 
This connection is initiated by Microsoft code running within SandboxieCrypto.exe and it is part of the procedure which verifies or revokes digital certificates for Web sites and programs. This connection is not unique to SandboxieCrypto.exe and is initiated also by the \"real\" service program running under one of the svchost.exe processes. It is possible to block this connection through Restrictions > Internet Access or through a firewall. However, this is not recommended. Please see Certificate revocation list on Wikipedia for more information about certificate revocation.","title":"Cryptographic Services"},{"location":"Content/ServicePrograms/#background-intelligent-transfer-service","text":"Program Name: SandboxieBITS.exe Service Name: bits Downloads files in the background on behalf of a requesting applications. Some installation programs (most commonly for Microsoft and Google products) ask this service to download additional resource files on their behalf. The service downloads these files into the sandbox.","title":"Background Intelligent Transfer Service"},{"location":"Content/ServicePrograms/#automatic-updates","text":"Program Name: SandboxieWUAU.exe Service Name: wuauserv Checks for Windows updates and downloads them using the Background Intelligent Transfer Service (see above). Once the updates are downloaded into the sandbox, this service will try to install them into the sandbox. Note that in some cases, updates to Windows involve the modification of core system files. Such modification might fail or have no effect, when carried out under the supervision of Sandboxie.","title":"Automatic Updates"},{"location":"Content/ServicePrograms/#windows-installer","text":"Program Name: msiexec.exe Service Name: msiserver Installs software packages that were prepared using Windows Installer technology. The software will be installed into the sandbox. 
It is typical to see several instances of msiexec.exe start and stop during software installation.","title":"Windows Installer"},{"location":"Content/ShellFolders/","text":"Shell Folders In Windows, each user account has associated personal folders, typically known as Documents , Music and so on. The Windows shell records each user's personal folders, in the following registry keys. HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ . . . User Shell Folders . . . Shell Folders This key contains several registry values , each identifies a specific personal folder, and contains its absolute folder path. Most registry values in this key are named the same as the \"friendly\" name of the folder: Desktop , Favorites , Music , and so on. However, in some cases, the registry value differs: Personal stands for the Documents folder. AppData stands for the primary Application Data folder. Local AppData stands for the secondary Application Data folder, located below the Local Settings folder. Please see the registry key noted above for a complete list of possible folder names. For example, for the user joe, the registry value Personal (which identifies the Documents folder), may specify: C:\\Users\\joe\\Documents Configuration settings in Sandboxie that specify folder paths generally accept references to registry values in the Shell Folders key. This is more useful than specifying explicit folder locations. For example: [DefaultBox] RecoverFolder=%Desktop% Indicates that Quick Recovery should look for sandboxed items in the desktop folder of whichever user is making the request.","title":"Shell Folders"},{"location":"Content/ShellFolders/#shell-folders","text":"In Windows, each user account has associated personal folders, typically known as Documents , Music and so on. The Windows shell records each user's personal folders, in the following registry keys. HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ . . . 
User Shell Folders . . . Shell Folders This key contains several registry values , each identifies a specific personal folder, and contains its absolute folder path. Most registry values in this key are named the same as the \"friendly\" name of the folder: Desktop , Favorites , Music , and so on. However, in some cases, the registry value differs: Personal stands for the Documents folder. AppData stands for the primary Application Data folder. Local AppData stands for the secondary Application Data folder, located below the Local Settings folder. Please see the registry key noted above for a complete list of possible folder names. For example, for the user joe, the registry value Personal (which identifies the Documents folder), may specify: C:\\Users\\joe\\Documents Configuration settings in Sandboxie that specify folder paths generally accept references to registry values in the Shell Folders key. This is more useful than specifying explicit folder locations. For example: [DefaultBox] RecoverFolder=%Desktop% Indicates that Quick Recovery should look for sandboxed items in the desktop folder of whichever user is making the request.","title":"Shell Folders"},{"location":"Content/ShowForRunIn/","text":"Show For Run in ShowForRunIn is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will show this box in \"run in box\" selection prompt. . . . [DefaultBox] ShowForRunIn=n Specifying n indicates that this sandbox will not be shown as a candidate in \"run in sandbox\" selection window. Related Sandboxie Plus setting: Sandbox Options > General Options > Box Options > Show this box in the 'run in box' selection prompt","title":"Show For Run in"},{"location":"Content/ShowForRunIn/#show-for-run-in","text":"ShowForRunIn is a sandbox setting in Sandboxie Ini . It specifies whether Sandboxie will show this box in \"run in box\" selection prompt. . . . 
[DefaultBox] ShowForRunIn=n Specifying n indicates that this sandbox will not be shown as a candidate in \"run in sandbox\" selection window. Related Sandboxie Plus setting: Sandbox Options > General Options > Box Options > Show this box in the 'run in box' selection prompt","title":"Show For Run in"},{"location":"Content/StartCommandLine/","text":"Start Command Line The Sandboxie Start program can do any of the following, depending on command line parameters specified to it. Start programs under the supervision of Sandboxie Stop sandboxed programs List sandboxed programs Delete the contents of a sandbox Reload Sandboxie configuration Initiate the Disable Forced Programs mode Related reading material Start Programs This is the default behavior. By specifying a full or partial path to a program's executable file, Sandboxie Start will launch that program under the supervision of Sandboxie: \"C:\\Program Files\\Sandboxie\\Start.exe\" c:\\windows\\system32\\notepad.exe \"C:\\Program Files\\Sandboxie\\Start.exe\" notepad.exe Two special program names are allowed: \"C:\\Program Files\\Sandboxie\\Start.exe\" default_browser \"C:\\Program Files\\Sandboxie\\Start.exe\" mail_agent Sandboxie Start can also display the Run Any Program dialog window, or the Sandboxie Start Menu, depending on parameters specified: \"C:\\Program Files\\Sandboxie\\Start.exe\" run_dialog \"C:\\Program Files\\Sandboxie\\Start.exe\" start_menu In all forms, the parameter /box:SandboxName is applicable, and may be specified between Start.exe and the parameter, to indicate a sandbox name other than the default of DefaultBox . For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox run_dialog A special form of the /box parameter is /box:__ask__ and causes Start.exe to display the sandbox selection dialog box. The parameter /silent can be used to eliminate some pop-up error messages. 
For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /silent no_such_program.exe In both silent and normal operation, Start.exe exits with a zero exit code on success, or non-zero on failure. In batch files, the exit code can be examined using the IF ERRORLEVEL condition. The parameter /elevate can be used to run a program with Administrator privileges on a system where User Account Control (UAC) is enabled. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /elevate cmd.exe The parameter /env can be used to pass an environment variable: \"C:\\Program Files\\Sandboxie\\Start.exe\" /env:VariableName=VariableValueWithoutSpace \"C:\\Program Files\\Sandboxie\\Start.exe\" /env:VariableName=\"Variable Value With Spaces\" The parameter /hide_window can be used to signal that the starting program should not display its window: \"C:\\Program Files\\Sandboxie\\Start.exe\" /hide_window cmd.exe /c automated_script.bat The parameter /wait can be used to run a program, wait for it to finish, and return the exit status from the program: \"C:\\Program Files\\Sandboxie\\Start.exe\" /wait cmd.exe Note that Start.exe is a Win32 application and not a console application, so the system \"start\" command is useful here to force the system to wait for Start.exe to finish: start /wait \"C:\\Program Files\\Sandboxie\\Start.exe\" /wait cmd /c exit 9 echo %ERRORLEVEL% 9 The system waits for Start.exe to finish, which in turn waits for \"cmd /c exit 9\" to finish, and then the exit status 9 is returned all the way back. Parameters can be combined in any order. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:CustomBox /silent MyProgram.exe Stop Programs Terminate all programs running in a particular sandbox. Note that the request is transmitted to the Sandboxie service SbieSvc, which actually carries out the termination. 
\"C:\\Program Files\\Sandboxie\\Start.exe\" /terminate \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox /terminate \"C:\\Program Files\\Sandboxie\\Start.exe\" /terminate_all If the parameter /box:SandboxName is omitted, programs running in the default sandbox, DefaultBox , will be stopped. The form /terminate_all terminates all programs in all sandboxes. Unmount Box Images These commands unmount encrypted box images or RAM disks created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /unmount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /unmount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /unmount_all If the parameter /box:SandboxName is omitted, default sandbox, DefaultBox image, will be unmounted. The form /unmount_all terminates all programs in all encrypted sandboxes and unmounts all encrypted box images, including RAM disks created by Sandboxie Plus. Mount Box Images These commands mount encrypted box images created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /key:[box image password] /mount_protected \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /key:[box image password] /mount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /key:[box image password] /mount_protected \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /key:[box image password] /mount If the parameter /box:SandboxName is omitted, default sandbox, DefaultBox image, will be mounted. The form /mount_protected mounts encrypted box images with the Box Root Protection . Box Root Protection prevents processes running outside the sandbox from accessing the root folder of the encrypted box. List Programs List the system process ID numbers for all programs running in a particular sandbox. 
\"C:\\Program Files\\Sandboxie\\Start.exe\" /listpids \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox /listpids If the parameter /box:SandboxName is omitted, programs running in the default sandbox, DefaultBox , will be listed. The output is formatted as one number per line. The first line contains the number of programs, followed by one process ID per line. Example output: \"C:\\Program Files\\Sandboxie\\Start.exe\" /listpids | more 3 3036 2136 384 Note that Start.exe is not a console applications, so the output does not appear in a command prompt window unless you pipe the output using a construct such as | more . Delete Contents of Sandbox \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent The /box:SandboxName parameter may be specified between Start.exe and the delete command. The __silent_ suffix on the delete command, indicates Sandboxie Start should silently ignore any errors and not display any error messages. The delete operation occurs in two phases: Phase 1 scans the contents of the sandbox and processes files which could pose a problem during the second phase: Junctions (also known as reparse points) are removed. Read-only files and directories are made fully accessible. Files and directories that have very long names are renamed to shorter names. Renames the sandbox to the format __Delete_(sandbox name)_(some random number) . For example, if the sandbox is DefaultBox, it could be renamed to __Delete_DefaultBox_01C4012345678912 . Phase 2 deletes any sandboxes that were processed in phase 1. Sandboxes that were processed in phase 1 are those that have been renamed as described above. More than one sandbox may be deleted in phase 2. By default, the standard system command RMDIR is used to delete the renamed sandbox folder. Alternatively, a third-party delete utility may used. See Secure Delete Sandbox . 
Issuing the delete_sandbox command causes Start.exe to invoke phase 1 followed by phase 2. Start.exe also accepts these commands to invoke a specific phase: \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_phase1 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_phase2 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent_phase1 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent_phase2 Reload Configuration This command reloads the Sandboxie configuration in SandboxieIni into the active Sandboxie driver. Typically useful after manually editing the Sandboxie.ini file. \"C:\\Program Files\\Sandboxie\\Start.exe\" /reload Note that reloading the configuration does not take effect on sandboxed programs that are already running when this command is issued. Disable Forced Programs The following command runs a program outside the sandbox, even if the program is forced. It is similar to using the Run Outside Sandbox option from the sandbox selection window of the Run Sandboxed command. \"C:\\Program Files\\Sandboxie\\Start.exe\" /dfp c:\\path\\to\\program.exe \"C:\\Program Files\\Sandboxie\\Start.exe\" /disable_force c:\\path\\to\\program.exe Note that /dfp and /disable_force are identical. You can also select this option by holding the Ctrl and Shift keys down when you click the Run Sandboxed command. An older form of this command can temporarily disable the forced programs mode, for all programs. It is similar in function to using the Disable Forced Programs command from the Tray Icon Menu in Sandboxie Control (and not the File Menu ). \"C:\\Program Files\\Sandboxie\\Start.exe\" disable_force Note the missing slash in this command syntax. Note also that this command is not a toggle. It always puts the Disable Forced Programs mode into effect and always restarts the countdown timer. At this time, Start.exe does not offer a way to request the cancellation of this mode. 
Related Reading Material See also: InjectDll and SBIE DLL API Go to Help Topics .","title":"Command Line Usage"},{"location":"Content/StartCommandLine/#start-command-line","text":"The Sandboxie Start program can do any of the following, depending on command line parameters specified to it. Start programs under the supervision of Sandboxie Stop sandboxed programs List sandboxed programs Delete the contents of a sandbox Reload Sandboxie configuration Initiate the Disable Forced Programs mode Related reading material","title":"Start Command Line"},{"location":"Content/StartCommandLine/#start-programs","text":"This is the default behavior. By specifying a full or partial path to a program's executable file, Sandboxie Start will launch that program under the supervision of Sandboxie: \"C:\\Program Files\\Sandboxie\\Start.exe\" c:\\windows\\system32\\notepad.exe \"C:\\Program Files\\Sandboxie\\Start.exe\" notepad.exe Two special program names are allowed: \"C:\\Program Files\\Sandboxie\\Start.exe\" default_browser \"C:\\Program Files\\Sandboxie\\Start.exe\" mail_agent Sandboxie Start can also display the Run Any Program dialog window, or the Sandboxie Start Menu, depending on parameters specified: \"C:\\Program Files\\Sandboxie\\Start.exe\" run_dialog \"C:\\Program Files\\Sandboxie\\Start.exe\" start_menu In all forms, the parameter /box:SandboxName is applicable, and may be specified between Start.exe and the parameter, to indicate a sandbox name other than the default of DefaultBox . For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox run_dialog A special form of the /box parameter is /box:__ask__ and causes Start.exe to display the sandbox selection dialog box. The parameter /silent can be used to eliminate some pop-up error messages. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /silent no_such_program.exe In both silent and normal operation, Start.exe exits with a zero exit code on success, or non-zero on failure. 
In batch files, the exit code can be examined using the IF ERRORLEVEL condition. The parameter /elevate can be used to run a program with Administrator privileges on a system where User Account Control (UAC) is enabled. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /elevate cmd.exe The parameter /env can be used to pass an environment variable: \"C:\\Program Files\\Sandboxie\\Start.exe\" /env:VariableName=VariableValueWithoutSpace \"C:\\Program Files\\Sandboxie\\Start.exe\" /env:VariableName=\"Variable Value With Spaces\" The parameter /hide_window can be used to signal that the starting program should not display its window: \"C:\\Program Files\\Sandboxie\\Start.exe\" /hide_window cmd.exe /c automated_script.bat The parameter /wait can be used to run a program, wait for it to finish, and return the exit status from the program: \"C:\\Program Files\\Sandboxie\\Start.exe\" /wait cmd.exe Note that Start.exe is a Win32 application and not a console application, so the system \"start\" command is useful here to force the system to wait for Start.exe to finish: start /wait \"C:\\Program Files\\Sandboxie\\Start.exe\" /wait cmd /c exit 9 echo %ERRORLEVEL% 9 The system waits for Start.exe to finish, which in turn waits for \"cmd /c exit 9\" to finish, and then the exit status 9 is returned all the way back. Parameters can be combined in any order. For example: \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:CustomBox /silent MyProgram.exe","title":"Start Programs"},{"location":"Content/StartCommandLine/#stop-programs","text":"Terminate all programs running in a particular sandbox. Note that the request is transmitted to the Sandboxie service SbieSvc, which actually carries out the termination. 
\"C:\\Program Files\\Sandboxie\\Start.exe\" /terminate \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox /terminate \"C:\\Program Files\\Sandboxie\\Start.exe\" /terminate_all If the parameter /box:SandboxName is omitted, programs running in the default sandbox, DefaultBox , will be stopped. The form /terminate_all terminates all programs in all sandboxes.","title":"Stop Programs"},{"location":"Content/StartCommandLine/#unmount-box-images","text":"These commands unmount encrypted box images or RAM disks created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /unmount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /unmount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /unmount_all If the parameter /box:SandboxName is omitted, default sandbox, DefaultBox image, will be unmounted. The form /unmount_all terminates all programs in all encrypted sandboxes and unmounts all encrypted box images, including RAM disks created by Sandboxie Plus.","title":"Unmount Box Images"},{"location":"Content/StartCommandLine/#mount-box-images","text":"These commands mount encrypted box images created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /key:[box image password] /mount_protected \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /key:[box image password] /mount \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /key:[box image password] /mount_protected \"C:\\Program Files\\Sandboxie-Plus\\Start.exe\" /box:EncryptedBox /key:[box image password] /mount If the parameter /box:SandboxName is omitted, default sandbox, DefaultBox image, will be mounted. The form /mount_protected mounts encrypted box images with the Box Root Protection . 
Box Root Protection prevents processes running outside the sandbox from accessing the root folder of the encrypted box.","title":"Mount Box Images"},{"location":"Content/StartCommandLine/#list-programs","text":"List the system process ID numbers for all programs running in a particular sandbox. \"C:\\Program Files\\Sandboxie\\Start.exe\" /listpids \"C:\\Program Files\\Sandboxie\\Start.exe\" /box:TestBox /listpids If the parameter /box:SandboxName is omitted, programs running in the default sandbox, DefaultBox , will be listed. The output is formatted as one number per line. The first line contains the number of programs, followed by one process ID per line. Example output: \"C:\\Program Files\\Sandboxie\\Start.exe\" /listpids | more 3 3036 2136 384 Note that Start.exe is not a console applications, so the output does not appear in a command prompt window unless you pipe the output using a construct such as | more .","title":"List Programs"},{"location":"Content/StartCommandLine/#delete-contents-of-sandbox","text":"\"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent The /box:SandboxName parameter may be specified between Start.exe and the delete command. The __silent_ suffix on the delete command, indicates Sandboxie Start should silently ignore any errors and not display any error messages. The delete operation occurs in two phases: Phase 1 scans the contents of the sandbox and processes files which could pose a problem during the second phase: Junctions (also known as reparse points) are removed. Read-only files and directories are made fully accessible. Files and directories that have very long names are renamed to shorter names. Renames the sandbox to the format __Delete_(sandbox name)_(some random number) . For example, if the sandbox is DefaultBox, it could be renamed to __Delete_DefaultBox_01C4012345678912 . Phase 2 deletes any sandboxes that were processed in phase 1. 
Sandboxes that were processed in phase 1 are those that have been renamed as described above. More than one sandbox may be deleted in phase 2. By default, the standard system command RMDIR is used to delete the renamed sandbox folder. Alternatively, a third-party delete utility may used. See Secure Delete Sandbox . Issuing the delete_sandbox command causes Start.exe to invoke phase 1 followed by phase 2. Start.exe also accepts these commands to invoke a specific phase: \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_phase1 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_phase2 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent_phase1 \"C:\\Program Files\\Sandboxie\\Start.exe\" delete_sandbox_silent_phase2","title":"Delete Contents of Sandbox"},{"location":"Content/StartCommandLine/#reload-configuration","text":"This command reloads the Sandboxie configuration in SandboxieIni into the active Sandboxie driver. Typically useful after manually editing the Sandboxie.ini file. \"C:\\Program Files\\Sandboxie\\Start.exe\" /reload Note that reloading the configuration does not take effect on sandboxed programs that are already running when this command is issued.","title":"Reload Configuration"},{"location":"Content/StartCommandLine/#disable-forced-programs","text":"The following command runs a program outside the sandbox, even if the program is forced. It is similar to using the Run Outside Sandbox option from the sandbox selection window of the Run Sandboxed command. \"C:\\Program Files\\Sandboxie\\Start.exe\" /dfp c:\\path\\to\\program.exe \"C:\\Program Files\\Sandboxie\\Start.exe\" /disable_force c:\\path\\to\\program.exe Note that /dfp and /disable_force are identical. You can also select this option by holding the Ctrl and Shift keys down when you click the Run Sandboxed command. An older form of this command can temporarily disable the forced programs mode, for all programs. 
It is similar in function to using the Disable Forced Programs command from the Tray Icon Menu in Sandboxie Control (and not the File Menu ). \"C:\\Program Files\\Sandboxie\\Start.exe\" disable_force Note the missing slash in this command syntax. Note also that this command is not a toggle. It always puts the Disable Forced Programs mode into effect and always restarts the countdown timer. At this time, Start.exe does not offer a way to request the cancellation of this mode.","title":"Disable Forced Programs"},{"location":"Content/StartCommandLine/#related-reading-material","text":"See also: InjectDll and SBIE DLL API Go to Help Topics .","title":"Related Reading Material"},{"location":"Content/StartProgram/","text":"Start Program StartProgram is a sandbox setting in Sandboxie Ini . It provides an automatic start for the specified program. For example: . . . [DefaultBox] StartProgram=%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe The example specifies that Google Chrome (chrome.exe) will be forced to run sandboxed in the sandbox DefaultBox . Technical Details StartProgram is processed by SandboxieRpcSs , which runs just once in every sandbox. Like the AutoExec setting, it is processed when the first program begins to run in a sandbox. Note that StartProgram launches the specified application in hidden mode, if supported. For services, see StartService .","title":"Start Program"},{"location":"Content/StartProgram/#start-program","text":"StartProgram is a sandbox setting in Sandboxie Ini . It provides an automatic start for the specified program. For example: . . . [DefaultBox] StartProgram=%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe The example specifies that Google Chrome (chrome.exe) will be forced to run sandboxed in the sandbox DefaultBox . Technical Details StartProgram is processed by SandboxieRpcSs , which runs just once in every sandbox. Like the AutoExec setting, it is processed when the first program begins to run in a sandbox. 
Note that StartProgram launches the specified application in hidden mode, if supported. For services, see StartService .","title":"Start Program"},{"location":"Content/StartService/","text":"Start Service StartService is a sandbox setting in Sandboxie Ini . It allows to run a service program in the sandbox. This setting expects a service name (identifier), which is defined outside the sandbox. For example: . . . [DefaultBox] StartService=Adguard Service The example specifies that the service name Adguard Service will be forced to run sandboxed in the sandbox DefaultBox . Technical Details StartService is processed by SandboxieRpcSs , which runs just once in every sandbox. Like the AutoExec setting, it is processed when the first program begins to run in a sandbox. For applications, see StartProgram .","title":"Start Service"},{"location":"Content/StartService/#start-service","text":"StartService is a sandbox setting in Sandboxie Ini . It allows to run a service program in the sandbox. This setting expects a service name (identifier), which is defined outside the sandbox. For example: . . . [DefaultBox] StartService=Adguard Service The example specifies that the service name Adguard Service will be forced to run sandboxed in the sandbox DefaultBox . Technical Details StartService is processed by SandboxieRpcSs , which runs just once in every sandbox. Like the AutoExec setting, it is processed when the first program begins to run in a sandbox. For applications, see StartProgram .","title":"Start Service"},{"location":"Content/SystemEventLog/","text":"System Event Log The System Event Log is a Windows component that collects informational and error messages issued by Windows itself and other third-party software. Sandboxie issues some messages to the System Event Log. The messages are listed with a Source value of SbieDrv. 
To access the log and view messages, use the Event Viewer tool: Windows Start Menu > Control Panel > Administrative Tools > Event Viewer For more information about the System Event Log, see Event Viewer in Wikipedia . If any Sandboxie messages are issued due to an error which prevents successful initialization, Sandboxie Control will display a flashing exclamation mark icon. Right-click the flashing icon and select Show Errors to view any related messages. Messages From Sandboxie are not stored in the Windows Event Log , a workaround is available to store the logs in a flat file . See also: SBIE Messages .","title":"System Event Log"},{"location":"Content/SystemEventLog/#system-event-log","text":"The System Event Log is a Windows component that collects informational and error messages issued by Windows itself and other third-party software. Sandboxie issues some messages to the System Event Log. The messages are listed with a Source value of SbieDrv. To access the log and view messages, use the Event Viewer tool: Windows Start Menu > Control Panel > Administrative Tools > Event Viewer For more information about the System Event Log, see Event Viewer in Wikipedia . If any Sandboxie messages are issued due to an error which prevents successful initialization, Sandboxie Control will display a flashing exclamation mark icon. Right-click the flashing icon and select Show Errors to view any related messages. Messages From Sandboxie are not stored in the Windows Event Log , a workaround is available to store the logs in a flat file . See also: SBIE Messages .","title":"System Event Log"},{"location":"Content/TechnicalAspects/","text":"Technical Aspects Sandboxie is now open source, hence no more secrets. To help interested developers to get an insight into Sandboxie's inner workings, this page provides various in-depth discussions of the employed mechanisms and security guaranties utilized. 
Topics Isolation Mechanism Code Injection","title":"Technical Aspects"},{"location":"Content/TechnicalAspects/#technical-aspects","text":"Sandboxie is now open source, hence no more secrets. To help interested developers to get an insight into Sandboxie's inner workings, this page provides various in-depth discussions of the employed mechanisms and security guaranties utilized.","title":"Technical Aspects"},{"location":"Content/TechnicalAspects/#topics","text":"Isolation Mechanism Code Injection","title":"Topics"},{"location":"Content/TestEmailConfiguration/","text":"Test Email Configuration Test and Confirm Configuration Sandboxie offers quick configuration for most email programs. Please see Sandbox Settings > Applications > Email Reader for more information. After completing the email configuration, you may want to test it to make sure that new emails will not be lost when you delete the sandbox. To do that, follow these steps: Disable Internet access in the sandbox. This is a precaution measure, to make sure that your sandboxed email program cannot retrieve new mail messages before you confirm the configuration is correct: Open Sandbox Settings > Restrictions > Internet Access , then click Block All Programs , and finally click OK . Run your email program sandboxed under Sandboxie. (You can use the Run Email Reader command from the Tray Icon Menu of Sandboxie Control .) Compose a test draft message to yourself. Don't send it. Quit your email program. If your email program suggests to send the test message, disregard the suggestion. Delete the sandbox. (See Delete Sandbox .) Run your email program normally, that is, outside the supervision of Sandboxie. Confirm that you can use the normal (unsandboxed) instance of the mail program to see and edit the test message you created. 
If the email message that you created in a sandboxed instance of your email program is also accessible in the normal (unsandboxed) instance, even after the sandbox has been deleted, then the configuration is correct. When done, re-enable Internet access in the sandbox: Open Sandbox Settings > Restrictions > Internet Access , then click Remove (to remove the restriction), and finally click OK . For more information, see Email Protection and FAQ Email .","title":"Test Email Configuration"},{"location":"Content/TestEmailConfiguration/#test-email-configuration","text":"","title":"Test Email Configuration"},{"location":"Content/TestEmailConfiguration/#test-and-confirm-configuration","text":"Sandboxie offers quick configuration for most email programs. Please see Sandbox Settings > Applications > Email Reader for more information. After completing the email configuration, you may want to test it to make sure that new emails will not be lost when you delete the sandbox. To do that, follow these steps: Disable Internet access in the sandbox. This is a precaution measure, to make sure that your sandboxed email program cannot retrieve new mail messages before you confirm the configuration is correct: Open Sandbox Settings > Restrictions > Internet Access , then click Block All Programs , and finally click OK . Run your email program sandboxed under Sandboxie. (You can use the Run Email Reader command from the Tray Icon Menu of Sandboxie Control .) Compose a test draft message to yourself. Don't send it. Quit your email program. If your email program suggests to send the test message, disregard the suggestion. Delete the sandbox. (See Delete Sandbox .) Run your email program normally, that is, outside the supervision of Sandboxie. Confirm that you can use the normal (unsandboxed) instance of the mail program to see and edit the test message you created. 
If the email message that you created in a sandboxed instance of your email program is also accessible in the normal (unsandboxed) instance, even after the sandbox has been deleted, then the configuration is correct. When done, re-enable Internet access in the sandbox: Open Sandbox Settings > Restrictions > Internet Access , then click Remove (to remove the restriction), and finally click OK . For more information, see Email Protection and FAQ Email .","title":"Test and Confirm Configuration"},{"location":"Content/TokenMagic/","text":"SandboxieDrv use of undocumented kernel exports to do its token magic Sandboxie implements isolation by running sandboxed processes with a heavily restricted primary token. As most applications cannot function this way, it hooks all NTDLL.dll calls redirecting them through an interface in the SbieDrv. The driver then can inspect the call arguments, makes the calling thread impersonate the original unrestricted token, execute the system call, and de-impersonate the thread before returning control to user mode. This way, a process running under the supervision of Sandboxie cannot issue syscalls with the original token, even if it would undo the ntdll.dll hooks. For this mechanism to work, Sandboxie utilizes a couple of undocumented operations: To create the restricted token, it uses currently the unexported function SepFilterToken as well as a couple of offsets (RestrictedSidCount, RestrictedSids, UserAndGroups, UserAndGroupCount). This mechanism could be replaced by calling CreateToken or CreateTokenEx, however these functions are not exported in the kernel either. To eliminate the dependencies on unexported symbols, for this part of the process ZwCreateTokenEx should be exported and utilized. To be able to invoke any syscall on the behalf of the sandboxed process, the driver must know the function address and argument count for each syscall index. 
Sandboxie currently obtains those by finding the address of the unexported syscall table by analyzing the KeAddSystemServiceTable function. To eliminate the dependencies on unexported symbols, it is required to export KeServiceDescriptorTableShadow. Due to limitations in PsImpersonateClient (starting with Windows XP SP2), it is required to call it with impersonation level SecurityIdentification and then change that in the opaque thread object to SecurityImpersonation. To eliminate the dependencies on unexported symbols, it would be required to provide a documented mechanism for a driver to achieve any desired impersonation level. To replace a sandboxed processes primary token, it is required to clear the PrimaryTokenFrozen bit in the EPROCESS structure, this operation is triggered from a callback registered with PsSetLoadImageNotifyRoutine. I have not investigated if it would be feasible to do the token replacement before it gets officially frozen. Other than the above essential dependencies, Sandboxie gets the Clipboard object from the window station object in order to adjust the integrity level for the stored items such that they can be accessed by the sandboxed applications.","title":"SandboxieDrv use of undocumented kernel exports to do its token magic"},{"location":"Content/TokenMagic/#sandboxiedrv-use-of-undocumented-kernel-exports-to-do-its-token-magic","text":"Sandboxie implements isolation by running sandboxed processes with a heavily restricted primary token. As most applications cannot function this way, it hooks all NTDLL.dll calls redirecting them through an interface in the SbieDrv. The driver then can inspect the call arguments, makes the calling thread impersonate the original unrestricted token, execute the system call, and de-impersonate the thread before returning control to user mode. This way, a process running under the supervision of Sandboxie cannot issue syscalls with the original token, even if it would undo the ntdll.dll hooks. 
For this mechanism to work, Sandboxie utilizes a couple of undocumented operations: To create the restricted token, it uses currently the unexported function SepFilterToken as well as a couple of offsets (RestrictedSidCount, RestrictedSids, UserAndGroups, UserAndGroupCount). This mechanism could be replaced by calling CreateToken or CreateTokenEx, however these functions are not exported in the kernel either. To eliminate the dependencies on unexported symbols, for this part of the process ZwCreateTokenEx should be exported and utilized. To be able to invoke any syscall on the behalf of the sandboxed process, the driver must know the function address and argument count for each syscall index. Sandboxie currently obtains those by finding the address of the unexported syscall table by analyzing the KeAddSystemServiceTable function. To eliminate the dependencies on unexported symbols, it is required to export KeServiceDescriptorTableShadow. Due to limitations in PsImpersonateClient (starting with Windows XP SP2), it is required to call it with impersonation level SecurityIdentification and then change that in the opaque thread object to SecurityImpersonation. To eliminate the dependencies on unexported symbols, it would be required to provide a documented mechanism for a driver to achieve any desired impersonation level. To replace a sandboxed processes primary token, it is required to clear the PrimaryTokenFrozen bit in the EPROCESS structure, this operation is triggered from a callback registered with PsSetLoadImageNotifyRoutine. I have not investigated if it would be feasible to do the token replacement before it gets officially frozen. 
Other than the above essential dependencies, Sandboxie gets the Clipboard object from the window station object in order to adjust the integrity level for the stored items such that they can be accessed by the sandboxed applications.","title":"SandboxieDrv use of undocumented kernel exports to do its token magic"},{"location":"Content/TrayIconMenu/","text":"Tray Icon Menu To invoke commands from the tray icon menu, right-click the Sandboxie tray icon that appears in your system notification area, typically at the lower-right corner of the screen. Hide Window / Show Window The first command is Hide Window when the main window of Sandboxie Control is visible. It changes to Show Window when the main window is hidden. This command shows or hides the main window of Sandboxie Control. Sandbox Sub-Menu One or more sub-menus appear for each sandbox defined. The default configuration includes only one sandbox named DefaultBox , but more can be added using the Sandbox Menu . Each sub-menu contains the following commands: The Run Web Browser command starts the system (default) Web browser. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Web Browser. (Note: If the wrong program starts, see Frequently Asked Questions to fix this.) The Run Email Reader command starts the system (default) email reader. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Email Reader. The Run Any Program command displays the Run Any Program dialog box which is similar to the standard Windows Run... dialog box. It can be used to start programs, open documents, and browse folders, all under the supervision of Sandboxie. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Any Program. The Run From Start Menu command displays the Sandboxie Start menu, similar to the standard Windows Start menu. It can be used to start programs and other shortcuts that appear in the start menu and on the desktop. 
Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> From Start Menu. The Run Windows Explorer command starts a sandboxed instance of the Windows Explorer. It can be used to navigate folders and start programs, all under the supervision of Sandboxie. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Windows Explorer. The Terminate Programs command stops all programs running in the sandbox. Same as Sandbox Menu -> (sandbox) -> Terminate Running Programs. The Quick Recovery command shows the Quick Recovery window. Same as Sandbox Menu -> (sandbox) -> Quick Recovery. The Delete Contents command shows the Delete Sandbox window. Same as Sandbox Menu -> (sandbox) -> Delete Contents. The Explore Contents command opens an unsandboxed folder view for the contents of the sandbox outside the supervision of Sandboxie . If possible, use the Files And Folders View to browse the contents of the sandbox. Same as Sandbox Menu -> (sandbox) -> Explore Contents. Terminate All Programs The Terminate All Programs command stops all programs running in all sandboxes. Same as File Menu -> Terminate All Programs. See also: Terminate All Programs in File Menu . Disable Forced Programs The Disable Forced Programs toggle command temporarily disables and re-enables forced sandboxing. See the associated command in the File Menu . Note that unlike the File Menu command, the tray icon command does not show a dialog box to alter the duration of the command. Instead, forced sandboxing will be suspended for the last duration specified, or the default of 10 seconds. Same as File Menu -> Disable Forced Programs. See also: Disable Forced Programs in File Menu . 
Run As UAC Administrator The Run As UAC Administrator (not shown in the picture; see File Menu ) toggle command tells Sandboxie to ask for elevation to Administrative privileges before starting any programs. This command is only available on Windows when User Account Control (UAC) is in effect, and the user account is not already elevated. If this command is available in the menu, then it is typically necessary to enable it before installing programs into the sandbox, and it is recommended to disable it when that installation is complete. Same as File Menu -> Run As UAC Administrator. See also: Run As UAC Administrator in File Menu . Exit The Exit command quits Sandboxie Control . Note that merely closing the window (or selecting the Hide Window command) does not quit Sandboxie Control. Same as File Menu -> Exit. Go to Sandboxie Control , Help Topics .","title":"Tray Icon Menu"},{"location":"Content/TrayIconMenu/#tray-icon-menu","text":"To invoke commands from the tray icon menu, right-click the Sandboxie tray icon that appears in your system notification area, typically at the lower-right corner of the screen.","title":"Tray Icon Menu"},{"location":"Content/TrayIconMenu/#hide-window-show-window","text":"The first command is Hide Window when the main window of Sandboxie Control is visible. It changes to Show Window when the main window is hidden. This command shows or hides the main window of Sandboxie Control.","title":"Hide Window / Show Window"},{"location":"Content/TrayIconMenu/#sandbox-sub-menu","text":"One or more sub-menus appear for each sandbox defined. The default configuration includes only one sandbox named DefaultBox , but more can be added using the Sandbox Menu . Each sub-menu contains the following commands: The Run Web Browser command starts the system (default) Web browser. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Web Browser. (Note: If the wrong program starts, see Frequently Asked Questions to fix this.) 
The Run Email Reader command starts the system (default) email reader. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Email Reader. The Run Any Program command displays the Run Any Program dialog box which is similar to the standard Windows Run... dialog box. It can be used to start programs, open documents, and browse folders, all under the supervision of Sandboxie. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Any Program. The Run From Start Menu command displays the Sandboxie Start menu, similar to the standard Windows Start menu. It can be used to start programs and other shortcuts that appear in the start menu and on the desktop. Note that if any programs were installed into the sandbox, the Sandboxie Start menu will include the shortcuts created during the installation. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> From Start Menu. The Run Windows Explorer command starts a sandboxed instance of the Windows Explorer. It can be used to navigate folders and start programs, all under the supervision of Sandboxie. Same as Sandbox Menu -> (sandbox) -> Run Sandboxed -> Windows Explorer. The Terminate Programs command stops all programs running in the sandbox. Same as Sandbox Menu -> (sandbox) -> Terminate Running Programs. The Quick Recovery command shows the Quick Recovery window. Same as Sandbox Menu -> (sandbox) -> Quick Recovery. The Delete Contents command shows the Delete Sandbox window. Same as Sandbox Menu -> (sandbox) -> Delete Contents. The Explore Contents command opens an unsandboxed folder view for the contents of the sandbox outside the supervision of Sandboxie . If possible, use the Files And Folders View to browse the contents of the sandbox. Same as Sandbox Menu -> (sandbox) -> Explore Contents.","title":"Sandbox Sub-Menu"},{"location":"Content/TrayIconMenu/#terminate-all-programs","text":"The Terminate All Programs command stops all programs running in all sandboxes. Same as File Menu -> Terminate All Programs. 
See also: Terminate All Programs in File Menu .","title":"Terminate All Programs"},{"location":"Content/TrayIconMenu/#disable-forced-programs","text":"The Disable Forced Programs toggle command temporarily disables and re-enables forced sandboxing. See the associated command in the File Menu . Note that unlike the File Menu command, the tray icon command does not show a dialog box to alter the duration of the command. Instead, forced sandboxing will be suspended for the last duration specified, or the default of 10 seconds. Same as File Menu -> Disable Forced Programs. See also: Disable Forced Programs in File Menu .","title":"Disable Forced Programs"},{"location":"Content/TrayIconMenu/#run-as-uac-administrator","text":"The Run As UAC Administrator (not shown in the picture; see File Menu ) toggle command tells Sandboxie to ask for elevation to Administrative privileges before starting any programs. This command is only available on Windows when User Account Control (UAC) is in effect, and the user account is not already elevated. If this command is available in the menu, then it is typically necessary to enable it before installing programs into the sandbox, and it is recommended to disable it when that installation is complete. Same as File Menu -> Run As UAC Administrator. See also: Run As UAC Administrator in File Menu .","title":"Run As UAC Administrator"},{"location":"Content/TrayIconMenu/#exit","text":"The Exit command quits Sandboxie Control . Note that merely closing the window (or selecting the Hide Window command) does not quit Sandboxie Control. Same as File Menu -> Exit. Go to Sandboxie Control , Help Topics .","title":"Exit"},{"location":"Content/UsageTips/","text":"Usage Tips Learn more about Quick Recovery and Immediate Recovery . Tips specific to a browser: Internet Explorer Tips and Firefox Tips . Run your email program sandboxed, for better Email Protection . See also FAQ Email . Learn how to use Sandboxie to defend against keyloggers . 
Use the Add Shortcut Icons button to create shortcuts to run your programs sandboxed. Identify sandboxed windows and programs using the File Menu -> Is Window Sandboxed? command. Force Programs , such as your Web browser, to always run sandboxed. Disable Forced Programs when you need to run a \"forced\" program not under the supervision of Sandboxie. Use Sandbox Settings > Forced Folders to protect CDROM and DVD drives. Create more sandboxes for better isolation of separate programs. Note: To run a program sandboxed means to invoke it under the supervision of Sandboxie.","title":"Usage Tips"},{"location":"Content/UsageTips/#usage-tips","text":"Learn more about Quick Recovery and Immediate Recovery . Tips specific to a browser: Internet Explorer Tips and Firefox Tips . Run your email program sandboxed, for better Email Protection . See also FAQ Email . Learn how to use Sandboxie to defend against keyloggers . Use the Add Shortcut Icons button to create shortcuts to run your programs sandboxed. Identify sandboxed windows and programs using the File Menu -> Is Window Sandboxed? command. Force Programs , such as your Web browser, to always run sandboxed. Disable Forced Programs when you need to run a \"forced\" program not under the supervision of Sandboxie. Use Sandbox Settings > Forced Folders to protect CDROM and DVD drives. Create more sandboxes for better isolation of separate programs. Note: To run a program sandboxed means to invoke it under the supervision of Sandboxie.","title":"Usage Tips"},{"location":"Content/UsePrivacyMode/","text":"Privacy Mode UsePrivacyMode is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. Usage: . . . [DefaultBox] UsePrivacyMode=y See Privacy Mode for more information.","title":"Privacy Mode"},{"location":"Content/UsePrivacyMode/#privacy-mode","text":"UsePrivacyMode is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. Usage: . . . 
[DefaultBox] UsePrivacyMode=y See Privacy Mode for more information.","title":"Privacy Mode"},{"location":"Content/UseRuleSpecificity/","text":"Use Rule Specificity UseRuleSpecificity is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. Usage: . . . [DefaultBox] UseRuleSpecificity=y See Rule Specificity for more information.","title":"Use Rule Specificity"},{"location":"Content/UseRuleSpecificity/#use-rule-specificity","text":"UseRuleSpecificity is a sandbox setting in Sandboxie Ini available since v1.0.0 / 5.55.0. Usage: . . . [DefaultBox] UseRuleSpecificity=y See Rule Specificity for more information.","title":"Use Rule Specificity"},{"location":"Content/UseSbieDeskHack/","text":"Use SbieDesk Hack UseSbieDeskHack is a sandbox setting in Sandboxie Ini . . . . [DefaultBox] UseSbieDeskHack=y A desktop object solution that is now enabled by default for all processes. Technical Details This is a desktop object solution that is used for all processes. It was initially implemented to address the issue of infinite callback problems caused by delayed loading (the infinite recursion problem has been resolved in version 0.4.0 / 5.43). It is now enabled by default. This allows Electron applications to run without the need to set the 'SpecialImage=chrome,program.exe' option. Related Sandboxie Plus setting: Sandbox Options > Various Options > Compatibility > Use desktop object workaround for all processes","title":"Use SbieDesk Hack"},{"location":"Content/UseSbieDeskHack/#use-sbiedesk-hack","text":"UseSbieDeskHack is a sandbox setting in Sandboxie Ini . . . . [DefaultBox] UseSbieDeskHack=y A desktop object solution that is now enabled by default for all processes. Technical Details This is a desktop object solution that is used for all processes. It was initially implemented to address the issue of infinite callback problems caused by delayed loading (the infinite recursion problem has been resolved in version 0.4.0 / 5.43). It is now enabled by default. 
This allows Electron applications to run without the need to set the 'SpecialImage=chrome,program.exe' option. Related Sandboxie Plus setting: Sandbox Options > Various Options > Compatibility > Use desktop object workaround for all processes","title":"Use SbieDesk Hack"},{"location":"Content/UseSecurityMode/","text":"Use Security Mode UseSecurityMode is a sandbox setting in Sandboxie Ini available since v1.3.0 / 5.58.0. Usage: . . . [DefaultBox] UseSecurityMode=y See Security Mode for more information.","title":"Use Security Mode"},{"location":"Content/UseSecurityMode/#use-security-mode","text":"UseSecurityMode is a sandbox setting in Sandboxie Ini available since v1.3.0 / 5.58.0. Usage: . . . [DefaultBox] UseSecurityMode=y See Security Mode for more information.","title":"Use Security Mode"},{"location":"Content/UserAccountsSettings/","text":"User Accounts Settings Sandboxie Control > Sandbox Settings > User Accounts: This settings page can restrict use of this sandbox to specific user accounts. The Add User button opens a standard Windows user account selection dialog box which can be used to find and select specific user accounts. User account groups may also be specified. A sandbox that has been restricted to specific users is considered hidden to all other user accounts. Those other user accounts will not see the sandbox listed in Sandboxie Control , and Forced Programs and Forced Folders settings will not apply to those user accounts. A user account to which any sandboxes are hidden will have the Reveal Hidden Sandbox command appear in the Sandbox Menu in Sandboxie Control . Related Sandboxie Ini setting: Enabled","title":"User Accounts Settings"},{"location":"Content/UserAccountsSettings/#user-accounts-settings","text":"Sandboxie Control > Sandbox Settings > User Accounts: This settings page can restrict use of this sandbox to specific user accounts. 
The Add User button opens a standard Windows user account selection dialog box which can be used to find and select specific user accounts. User account groups may also be specified. A sandbox that has been restricted to specific users is considered hidden to all other user accounts. Those other user accounts will not see the sandbox listed in Sandboxie Control , and Forced Programs and Forced Folders settings will not apply to those user accounts. A user account to which any sandboxes are hidden will have the Reveal Hidden Sandbox command appear in the Sandbox Menu in Sandboxie Control . Related Sandboxie Ini setting: Enabled","title":"User Accounts Settings"},{"location":"Content/ViewMenu/","text":"View Menu Programs The Programs command selects Programs View , which displays the programs running in each sandbox. This is the default view. Files and Folders The Files and Folders selects Files And Folders View , which displays the files and folders in each sandbox. Context Menu The Context Menu commands displays the context menu associated with the item that is highlighted (selected). The context menu can also be displayed by clicking the right mouse button on an item. An item is a sandbox, a program, a file or a folder. Not all items appear in all views.","title":"View Menu"},{"location":"Content/ViewMenu/#view-menu","text":"","title":"View Menu"},{"location":"Content/ViewMenu/#programs","text":"The Programs command selects Programs View , which displays the programs running in each sandbox. This is the default view.","title":"Programs"},{"location":"Content/ViewMenu/#files-and-folders","text":"The Files and Folders selects Files And Folders View , which displays the files and folders in each sandbox.","title":"Files and Folders"},{"location":"Content/ViewMenu/#context-menu","text":"The Context Menu commands displays the context menu associated with the item that is highlighted (selected). 
The context menu can also be displayed by clicking the right mouse button on an item. An item is a sandbox, a program, a file or a folder. Not all items appear in all views.","title":"Context Menu"},{"location":"Content/Windows8/","text":"Windows 8 Starting with version 4.02, Sandboxie fully supports Windows 8 without qualifications on both 32-bit and 64-bit editions. Please visit the Download Sandboxie web page. With version 3.76 and earlier, Windows warns that Sandboxie v3 is not compatible with Windows 8. This warning applies to versions of Sandboxie before 3.72. When using Sandboxie version 3.74 or later, you can safely disregard the warning message from Windows 8.","title":"Windows 8"},{"location":"Content/Windows8/#windows-8","text":"Starting with version 4.02, Sandboxie fully supports Windows 8 without qualifications on both 32-bit and 64-bit editions. Please visit the Download Sandboxie web page. With version 3.76 and earlier, Windows warns that Sandboxie v3 is not compatible with Windows 8. This warning applies to versions of Sandboxie before 3.72. When using Sandboxie version 3.74 or later, you can safely disregard the warning message from Windows 8.","title":"Windows 8"},{"location":"Content/WindowsXPMode/","text":"Windows XP Mode With Windows 7, Microsoft offers Windows XP Mode , which is a virtualized installation of 32-bit Windows XP Service Pack 3 running side-by-side with the primary Windows 7 operating system. Windows XP Mode is only available on the Professional, Enterprise, and Ultimate editions of Windows 7. The 32-bit edition of Sandboxie can be installed into the 32-bit Windows XP running within the 64-bit Windows 7. Thanks to the seamless integration of Windows XP Mode into the Windows 7 environment, 32-bit Sandboxie can function reasonably well within a 64-bit Windows 7. Windows XP Mode is easier to use than a stand-alone virtual machine running Windows XP, as it is better integrated into Windows 7. 
It also includes a licensed copy of Windows XP. However, this improved integration also exposes your Windows 7 system and documents to malicious changes originating in the Windows XP Mode operating system. With Sandboxie, you can have a web browser which is isolated within its own sandbox, making it more secure than your web browser running directly on Windows 7. Windows XP Mode - Install and Setup Once Windows XP Mode is installed into your Windows 7, here are step-by-step instructions to install Sandboxie and Firefox: Open the Windows XP Mode operating system. Optionally, download and install Firefox. Make sure to let Firefox designate itself as the default web browser during its installation process. Optionally, also tweak Firefox preferences, and install any add-ons you wish to use. Download and install Sandboxie. Optionally download and install an anti-virus for your Windows XP Mode operating system. Log out of the Windows XP Mode operating system. In your Windows 7 Start Menu, you should now find the Sandboxie program group: Windows 7 Start Menu > All Programs > Windows Virtual PC > Windows XP Mode Applications > Sandboxie Select Run Web browser sandboxed to run Firefox within Sandboxie.","title":"Windows XP Mode"},{"location":"Content/WindowsXPMode/#windows-xp-mode","text":"With Windows 7, Microsoft offers Windows XP Mode , which is a virtualized installation of 32-bit Windows XP Service Pack 3 running side-by-side with the primary Windows 7 operating system.","title":"Windows XP Mode"},{"location":"Content/WindowsXPMode/#windows-xp-mode-is-only-available-on-the-professional-enterprise-and-ultimate-editions-of-windows-7","text":"The 32-bit edition of Sandboxie can be installed into the 32-bit Windows XP running within the 64-bit Windows 7. Thanks to the seamless integration of Windows XP Mode into the Windows 7 environment, 32-bit Sandboxie can function reasonably well within a 64-bit Windows 7. 
Windows XP Mode is easier to use than a stand-alone virtual machine running Windows XP, as it is better integrated into Windows 7. It also includes a licensed copy of Windows XP. However, this improved integration also exposes your Windows 7 system and documents to malicious changes originating in the Windows XP Mode operating system. With Sandboxie, you can have a web browser which is isolated within its own sandbox, making it more secure than your web browser running directly on Windows 7. Windows XP Mode - Install and Setup Once Windows XP Mode is installed into your Windows 7, here are step-by-step instructions to install Sandboxie and Firefox: Open the Windows XP Mode operating system. Optionally, download and install Firefox. Make sure to let Firefox designate itself as the default web browser during its installation process. Optionally, also tweak Firefox preferences, and install any add-ons you wish to use. Download and install Sandboxie. Optionally download and install an anti-virus for your Windows XP Mode operating system. Log out of the Windows XP Mode operating system. In your Windows 7 Start Menu, you should now find the Sandboxie program group: Windows 7 Start Menu > All Programs > Windows Virtual PC > Windows XP Mode Applications > Sandboxie Select Run Web browser sandboxed to run Firefox within Sandboxie.","title":"Windows XP Mode is only available on the Professional, Enterprise, and Ultimate editions of Windows 7."},{"location":"Content/WriteFilePath/","text":"Write File Path WriteFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will hide any files or folders outside the sandbox, while allowing new files and folders to be created in the sandbox. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . 
[DefaultBox] WriteFilePath=%Cookies% This example means that program in the sandbox will not be able to see any files within the Internet Explorer cookies folder outside the sandbox, but may create files in the corresponding folder in the sandbox. In other words, existing cookies outside the sandbox will not be visible, but the program may create new cookies as if the cookie folder was empty. This setting is not applicable to files. If the path specified in the setting matches a file, the file will be treated as if it matches a ClosedFilePath setting. Note: WriteFilePath is implemented internally as an enhanced form of ClosedFilePath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Write-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Box Only (Write Only)","title":"Write File Path"},{"location":"Content/WriteFilePath/#write-file-path","text":"WriteFilePath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will hide any files or folders outside the sandbox, while allowing new files and folders to be created in the sandbox. Shell Folders may be specified. Program Name Prefix may be specified. Examples: . . . [DefaultBox] WriteFilePath=%Cookies% This example means that program in the sandbox will not be able to see any files within the Internet Explorer cookies folder outside the sandbox, but may create files in the corresponding folder in the sandbox. In other words, existing cookies outside the sandbox will not be visible, but the program may create new cookies as if the cookie folder was empty. This setting is not applicable to files. If the path specified in the setting matches a file, the file will be treated as if it matches a ClosedFilePath setting. Note: WriteFilePath is implemented internally as an enhanced form of ClosedFilePath . 
Related Sandboxie Control setting: Sandbox Settings > Resource Access > File Access > Write-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Files > Add File/Folder > Access column > Box Only (Write Only)","title":"Write File Path"},{"location":"Content/WriteKeyPath/","text":"Write Key Path WriteKeyPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will hide any registry keys outside the sandbox, while allowing new registry keys and registry values to be created in the sandbox. Program Name Prefix may be specified. Example: . . . [DefaultBox] WriteKeyPath=HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths This example hides any data which exists outside the sandbox within the TypedPaths registry key, while allowing a program to create new keys and values within the corresponding TypedPaths registry key in the sandbox. This means that Windows Explorer running in the sandbox will not be able to display the history of paths that were typed into Windows Explorer outside the sandbox. But the Windows Explorer running in the sandbox will be able to record and store new paths as they are typed. Note: WriteKeyPath is implemented internally as an enhanced form of ClosedKeyPath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Write-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Box Only (Write Only)","title":"Write Key Path"},{"location":"Content/WriteKeyPath/#write-key-path","text":"WriteKeyPath is a sandbox setting in Sandboxie Ini . It specifies path patterns for which Sandboxie will hide any registry keys outside the sandbox, while allowing new registry keys and registry values to be created in the sandbox. Program Name Prefix may be specified. Example: . . . 
[DefaultBox] WriteKeyPath=HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths This example hides any data which exists outside the sandbox within the TypedPaths registry key, while allowing a program to create new keys and values within the corresponding TypedPaths registry key in the sandbox. This means that Windows Explorer running in the sandbox will not be able to display the history of paths that were typed into Windows Explorer outside the sandbox. But the Windows Explorer running in the sandbox will be able to record and store new paths as they are typed. Note: WriteKeyPath is implemented internally as an enhanced form of ClosedKeyPath . Related Sandboxie Control setting: Sandbox Settings > Resource Access > Registry Access > Write-Only Access Related Sandboxie Plus setting: Sandbox Options > Resource Access > Registry > Add Reg Key > Access column > Box Only (Write Only)","title":"Write Key Path"},{"location":"Content/YesOrNoSettings/","text":"Yes Or No Settings Some settings Sandboxie Ini are boolean settings. That is, they indicate whether something is or isn't; they answer a Yes/No question. To indicate the setting is enabled (or selected, or yes), specify Y. To indicate the setting is disabled (or unselected, or no), specify N. A boolean setting which not specified, or specifies some other value other than Y or N will silently revert to a default value which depends on the particular setting. For example, the default value for the OpenProtectedStorage setting is N.","title":"Yes Or No Settings"},{"location":"Content/YesOrNoSettings/#yes-or-no-settings","text":"Some settings Sandboxie Ini are boolean settings. That is, they indicate whether something is or isn't; they answer a Yes/No question. To indicate the setting is enabled (or selected, or yes), specify Y. To indicate the setting is disabled (or unselected, or no), specify N. 
A boolean setting which not specified, or specifies some other value other than Y or N will silently revert to a default value which depends on the particular setting. For example, the default value for the OpenProtectedStorage setting is N.","title":"Yes Or No Settings"},{"location":"PlusContent/BoxEncryption/","text":"Encrypted Sandboxes Encrypted Box Image support The Encrypted Box Image support empowers you to establish safeguarded sandboxed environments, fostering a level of protection that goes above and beyond to shield your confidential data. In the pursuit of unassailable data security, the integration of Encrypted Box Image support represents a monumental leap forward. This technology grants you the capacity to construct sandboxed environments fortified by AES-XTS encrypted box images. This advanced methodology leverages the well-established cryptography implementation used in DiskCryptor , to create an impervious barrier around your sensitive data. Sandboxie Driver for Uncompromised Security: A vital cornerstone in the security architecture is the SbieDrv driver. This guardian sentinel stands guard over the mounted encrypted box root folder, thwarting any unauthorized attempts by unsanctioned applications to access it. By ensuring that no data can escape the confines of the sandbox and preventing any exfiltration attempts by host applications, the sbiedrv driver establishes a watertight barrier. Secure Data Exchange and Inherent Confidentiality: Root protection being activated mandates the definition of OpenFilePath paths for seamless data exchange between the host system and the encrypted sandbox. This method guarantees that file transfers occur within controlled parameters, maintaining the integrity of your data. 
Furthermore, the default setting of ConfidentialBox=y within an encrypted sandbox preserves the sanctity of your data by inhibiting host processes from accessing the memory of processes operating within the confines of the sandbox.","title":"Encrypted Sandboxes"},{"location":"PlusContent/BoxEncryption/#encrypted-sandboxes","text":"","title":"Encrypted Sandboxes"},{"location":"PlusContent/BoxEncryption/#encrypted-box-image-support","text":"The Encrypted Box Image support empowers you to establish safeguarded sandboxed environments, fostering a level of protection that goes above and beyond to shield your confidential data. In the pursuit of unassailable data security, the integration of Encrypted Box Image support represents a monumental leap forward. This technology grants you the capacity to construct sandboxed environments fortified by AES-XTS encrypted box images. This advanced methodology leverages the well-established cryptography implementation used in DiskCryptor , to create an impervious barrier around your sensitive data.","title":"Encrypted Box Image support"},{"location":"PlusContent/BoxEncryption/#sandboxie-driver-for-uncompromised-security","text":"A vital cornerstone in the security architecture is the SbieDrv driver. This guardian sentinel stands guard over the mounted encrypted box root folder, thwarting any unauthorized attempts by unsanctioned applications to access it. By ensuring that no data can escape the confines of the sandbox and preventing any exfiltration attempts by host applications, the sbiedrv driver establishes a watertight barrier.","title":"Sandboxie Driver for Uncompromised Security:"},{"location":"PlusContent/BoxEncryption/#secure-data-exchange-and-inherent-confidentiality","text":"Root protection being activated mandates the definition of OpenFilePath paths for seamless data exchange between the host system and the encrypted sandbox. 
This method guarantees that file transfers occur within controlled parameters, maintaining the integrity of your data. Furthermore, the default setting of ConfidentialBox=y within an encrypted sandbox preserves the sanctity of your data by inhibiting host processes from accessing the memory of processes operating within the confines of the sandbox.","title":"Secure Data Exchange and Inherent Confidentiality:"},{"location":"PlusContent/BoxSnapshots/","text":"Box Snapshots (for Sandboxie Plus) A snapshot saves the current state of a sandbox. You can create multiple snapshots of a box at different times and make one of the snapshots the default. To get started, open the Sandman GUI, right-click on the desired sandbox and click 'Snapshots Manager' from the drop-down list. See image below. Note that you cannot create a snapshot if the box is empty (an error message is displayed). Note that you cannot create a snapshot if there are running processes in the box. Caveat: Snapshots must be created with box AutoDelete disabled. To do so, open the Sandman GUI and double-click on the desired box to bring up the box options window. Then, click on 'File Options' and, under 'Box Delete Options', uncheck the option to AutoDelete content, and press OK (bottom right) to apply any changes. See image below. Installing Software to a Box and Creating a Snapshot: Select a box, disable AutoDelete, install the software to this box, set it up just the way you like. Then, close the box, create a snapshot and enable box AutoDelete. Now, this box will revert to the snapshot you created whenever it is closed. Updating Software Installed to a Box: Create a pre-update snapshot (for a baseline you can revert to, if need be). Disable box AutoDelete, update the software and test. If all is well, create a post-update snapshot, enable box AutoDelete. This automatically makes the last (post-update) snapshot the default. If there are problems, you can revert to the pre-update snapshot. 
You can always revert to any of the snapshots that you create for a box! You have the ability to create a snapshot, remove a snapshot, revert to a snapshot or (starting with Sandboxie Plus v1.0.9 ) revert to an empty box while retaining all snapshots. Caveat: It is wise to use the snapshot features only for boxes whose location is on a real disk (and not on a ramdisk). Additional Details: Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label. All snapshot folders for a given box are inside the box folder. The snapshot layout and information on the current (default) snapshot are saved in the file snapshot.ini in the box folder. The File-System snapshots are incremental. Files are duplicated only when changed (just as with real files on the host). The Registry snapshots are NOT incremental. Each snapshot has a full copy and only the most recent reg hive file is used.","title":"Box Snapshots (for Sandboxie Plus)"},{"location":"PlusContent/BoxSnapshots/#box-snapshots-for-sandboxie-plus","text":"A snapshot saves the current state of a sandbox. You can create multiple snapshots of a box at different times and make one of the snapshots the default. To get started, open the Sandman GUI, right-click on the desired sandbox and click 'Snapshots Manager' from the drop-down list. See image below. Note that you cannot create a snapshot if the box is empty (an error message is displayed). Note that you cannot create a snapshot if there are running processes in the box. Caveat: Snapshots must be created with box AutoDelete disabled. To do so, open the Sandman GUI and double-click on the desired box to bring up the box options window. Then, click on 'File Options' and, under 'Box Delete Options', uncheck the option to AutoDelete content, and press OK (bottom right) to apply any changes. See image below. 
Installing Software to a Box and Creating a Snapshot: Select a box, disable AutoDelete, install the software to this box, set it up just the way you like. Then, close the box, create a snapshot and enable box AutoDelete. Now, this box will revert to the snapshot you created whenever it is closed. Updating Software Installed to a Box: Create a pre-update snapshot (for a baseline you can revert to, if need be). Disable box AutoDelete, update the software and test. If all is well, create a post-update snapshot, enable box AutoDelete. This automatically makes the last (post-update) snapshot the default. If there are problems, you can revert to the pre-update snapshot. You can always revert to any of the snapshots that you create for a box! You have the ability to create a snapshot, remove a snapshot, revert to a snapshot or (starting with Sandboxie Plus v1.0.9 ) revert to an empty box while retaining all snapshots. Caveat: It is wise to use the snapshot features only for boxes whose location is on a real disk (and not on a ramdisk). Additional Details: Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label. All snapshot folders for a given box are inside the box folder. The snapshot layout and information on the current (default) snapshot are saved in the file snapshot.ini in the box folder. The File-System snapshots are incremental. Files are duplicated only when changed (just as with real files on the host). The Registry snapshots are NOT incremental. Each snapshot has a full copy and only the most recent reg hive file is used.","title":"Box Snapshots (for Sandboxie Plus)"},{"location":"PlusContent/DNSFilter/","text":"DNS Filter In the dynamic landscape of digital security and network management, Sandboxie-Plus strides forward with a groundbreaking addition to its repertoire \u2013 DNS Query Logging, Filtering, and Redirection. 
This feature emerges as a pivotal enhancement within the realm of sandboxing, offering users an unparalleled level of control over network interactions. Empowering users with the ability to monitor, filter, and redirect DNS queries initiated by sandboxed programs for specific domains, this innovation revolutionizes the way network activities are managed within sandboxed environments. A Deeper Look into DNS Query Control The introduction of DNS Query Logging, Filtering, and Redirection signifies a remarkable advancement in the capabilities of Sandboxie-Plus. This feature is the embodiment of precision control, allowing users to influence how sandboxed applications interact with the Domain Name System (DNS). By delving into DNS activities, users can effectively manage and tailor network access, resulting in heightened security, granular oversight, and enhanced privacy. The Power of Control DNS Query Control shifts the balance of power towards users, granting them unprecedented control over how sandboxed programs interact with DNS servers. This control manifests in a multitude of benefits: 1. Security Reinforcement: With the ability to filter and block DNS queries for specific domains, users can mitigate potential security risks. Malicious domains or known threat vectors can be preemptively blocked, shielding the system from potential hazards. 2. Privacy Enhancement: By redirecting certain DNS queries, users can ensure that sensitive information remains confidential. This redirection curtails instances where sandboxed applications inadvertently reveal confidential data through DNS queries. 3. Content Control: DNS Query Control allows users to manage content access. Unwanted domains or inappropriate content can be blocked, ensuring that sandboxed applications are limited to approved and safe online resources. 4. Network Analysis: The logging component of this feature offers users the opportunity to monitor DNS activities. 
This data can provide insights into the behavior of sandboxed applications, potentially revealing any anomalous or suspicious network activity. How DNS Query Control Works The mechanics of DNS Query Control are elegantly intricate. Users can selectively block or redirect DNS queries made by sandboxed programs for specific domains. This process involves defining rules within the sandbox configuration, dictating how DNS queries to certain domains should be handled. This level of granularity empowers users to tailor the DNS experience within the sandboxed environment according to their security and privacy preferences. Embrace the Future of Network Control DNS Query Logging, Filtering, and Redirection transcends traditional sandboxing capabilities. It introduces an unprecedented level of network oversight, effectively placing users at the helm of their sandboxed network interactions. In an age where data security, privacy, and control are paramount, this feature stands as a beacon of innovation. Join us in embracing the dawn of network control with DNS Query Logging, Filtering, and Redirection \u2013 where every DNS interaction is precisely managed to align with your security vision.","title":"DNS Filter"},{"location":"PlusContent/DNSFilter/#dns-filter","text":"In the dynamic landscape of digital security and network management, Sandboxie-Plus strides forward with a groundbreaking addition to its repertoire \u2013 DNS Query Logging, Filtering, and Redirection. This feature emerges as a pivotal enhancement within the realm of sandboxing, offering users an unparalleled level of control over network interactions. 
Empowering users with the ability to monitor, filter, and redirect DNS queries initiated by sandboxed programs for specific domains, this innovation revolutionizes the way network activities are managed within sandboxed environments.","title":"DNS Filter"},{"location":"PlusContent/DNSFilter/#a-deeper-look-into-dns-query-control","text":"The introduction of DNS Query Logging, Filtering, and Redirection signifies a remarkable advancement in the capabilities of Sandboxie-Plus. This feature is the embodiment of precision control, allowing users to influence how sandboxed applications interact with the Domain Name System (DNS). By delving into DNS activities, users can effectively manage and tailor network access, resulting in heightened security, granular oversight, and enhanced privacy.","title":"A Deeper Look into DNS Query Control"},{"location":"PlusContent/DNSFilter/#the-power-of-control","text":"DNS Query Control shifts the balance of power towards users, granting them unprecedented control over how sandboxed programs interact with DNS servers. This control manifests in a multitude of benefits:","title":"The Power of Control"},{"location":"PlusContent/DNSFilter/#1-security-reinforcement","text":"With the ability to filter and block DNS queries for specific domains, users can mitigate potential security risks. Malicious domains or known threat vectors can be preemptively blocked, shielding the system from potential hazards.","title":"1. Security Reinforcement:"},{"location":"PlusContent/DNSFilter/#2-privacy-enhancement","text":"By redirecting certain DNS queries, users can ensure that sensitive information remains confidential. This redirection curtails instances where sandboxed applications inadvertently reveal confidential data through DNS queries.","title":"2. Privacy Enhancement:"},{"location":"PlusContent/DNSFilter/#3-content-control","text":"DNS Query Control allows users to manage content access. 
Unwanted domains or inappropriate content can be blocked, ensuring that sandboxed applications are limited to approved and safe online resources.","title":"3. Content Control:"},{"location":"PlusContent/DNSFilter/#4-network-analysis","text":"The logging component of this feature offers users the opportunity to monitor DNS activities. This data can provide insights into the behavior of sandboxed applications, potentially revealing any anomalous or suspicious network activity.","title":"4. Network Analysis:"},{"location":"PlusContent/DNSFilter/#how-dns-query-control-works","text":"The mechanics of DNS Query Control are elegantly intricate. Users can selectively block or redirect DNS queries made by sandboxed programs for specific domains. This process involves defining rules within the sandbox configuration, dictating how DNS queries to certain domains should be handled. This level of granularity empowers users to tailor the DNS experience within the sandboxed environment according to their security and privacy preferences.","title":"How DNS Query Control Works"},{"location":"PlusContent/DNSFilter/#embrace-the-future-of-network-control","text":"DNS Query Logging, Filtering, and Redirection transcends traditional sandboxing capabilities. It introduces an unprecedented level of network oversight, effectively placing users at the helm of their sandboxed network interactions. In an age where data security, privacy, and control are paramount, this feature stands as a beacon of innovation. Join us in embracing the dawn of network control with DNS Query Logging, Filtering, and Redirection \u2013 where every DNS interaction is precisely managed to align with your security vision.","title":"Embrace the Future of Network Control"},{"location":"PlusContent/Plus-Features/","text":"Sandboxie Plus user interface offers a multitude of new functionality which improves security, compatibility and the overall sandboxing experience. 
Some of these features (*) are however only available to users with a Support Certificate which can be obtained by contributing to the Sandboxie project or purchased in our online shop . Some more features (**) are available to participants of the Sandboxie-Insider program. Rule Specificity * With this option rules are prioritized based on their specificity (see changelog/docs for details) this way sub paths can be readable/writeable while parent parts are still protected. Security enhanced sandboxes * Restrict syscall elevation to approved known safe / filtered syscalls Limit access to device endpoints to known safe / filtered endpoints Privacy enhanced sandboxes * With this feature, by applying a preset rule collection, all locations potentially containing personal data can be protected. Applications running in boxes with personal data protection will see an empty PC with no user data on it. Compartment Mode * This mode is intended to optimize compatibility at the cost of security, here Sandboxie\u2019s token-based isolation scheme is not used. Isolation is limited to the FS minifilter as well as registry and object callbacks. This has the potential to greatly improve compatibility with various applications. Virtual Disk Integration ** RamDisk support , available since the latest insider build, allows you to create a virtual disk in your system's memory, using the ImDisk driver, which can speed up file access and increase confidentiality as all box contents will be discarded when the disk is unmounted (manually or automatically on reboot). Encrypted Box Image support is currently in development and allows you to create encrypted sandboxed environments for an even greater protection of your confidential data. With this feature the box file root is being mounted from an AES-XTS encrypted box image, other ciphers are available as well. 
Upcoming additions to this root functionality will contain secure box passphrase handling and a driver extension to prevent applications not running in the encrypted sandbox from accessing the sandboxed files. Enhanced network filtering and redirection ** Proxy injection is yet another feature which has been added in the insider builds, it allows to force any application to use a Socks 5 proxy instead of a direct connection. DNS query logging, filtering and redirection feature allows you to block, or redirect DNS queries made by sandboxed programs for selected domains. WFP (Windows Filtering Platform) support With this feature, Sandboxie can be like an application firewall which applies the rules on a per-sandbox basis, allowing the same application access to Internet in one box while blocking it in another. Windows 11 context menu integration Process/Thread handle filtering (obCallbacks) Using this mechanism greatly improves on isolation of processes and provides enhanced security. Win32 syscall hooking With this feature, Win32 syscalls can get the same treatment as NT syscalls, which helps with graphics and HW acceleration. New UI with dark mode and much more Sandboxie-Plus bring an entirely new Qt based UI sandman.exe Customizable per box run menu Global hotkey to terminate all boxes INI section editor for easy configuration of advanced options Box event triggers/scripts Ability to stop selected applications from running globally, regardless of box presets Snapshots Sandboxie-Plus can create box snapshots, with them it is possible to easily revert a box to a defined previous state. 
Box set to auto delete will auto-revert when available to the last snapshot allowing to benefit from a fresh clean box each time but with some preset configuration Enhanced debug/trace monitor Fake admin privileges Allows to make all processes in a box think they have admin permissions and act accordingly, without the potential drawbacks of granting them admin permissions Box size monitor Monitor and list box size in an own column Start Menu integration Integrate start menu entries from sandboxes into the host start menu Sandbox SID isolation Instead of using anonymous login SID, it uses custom SIDs per-sandbox like Sandboxie/DefaultBox. This way, processes from separate sandboxes won\u2019t be able accessing each other\u2019s resources. Breakout Process Allows to specify which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. Document Breakout is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandboxed instance of the associated application. ** USB drive sandboxing ** This feature allows you to automatically sandbox any USB drive that you plug into your computer, which adds an extra layer of protection to your system. EFS Support ** Support for EFS (Encrypted File System) protected files. 
ARM64 support for Windows 11 * Support ARM64 natively Support emulated x86 Support emulated x64 (ARM64EC)","title":"Plus Features"},{"location":"PlusContent/Plus-Features/#rule-specificity","text":"With this option rules are prioritized based on their specificity (see changelog/docs for details) this way sub paths can be readable/writeable while parent parts are still protected.","title":"Rule Specificity *"},{"location":"PlusContent/Plus-Features/#security-enhanced-sandboxes","text":"Restrict syscall elevation to approved known safe / filtered syscalls Limit access to device endpoints to known safe / filtered endpoints","title":"Security enhanced sandboxes *"},{"location":"PlusContent/Plus-Features/#privacy-enhanced-sandboxes","text":"With this feature, by applying a preset rule collection, all locations potentially containing personal data can be protected. Applications running in boxes with personal data protection will see an empty PC with no user data on it.","title":"Privacy enhanced sandboxes *"},{"location":"PlusContent/Plus-Features/#compartment-mode","text":"This mode is intended to optimize compatibility at the cost of security, here Sandboxie\u2019s token-based isolation scheme is not used. Isolation is limited to the FS minifilter as well as registry and object callbacks. This has the potential to greatly improve compatibility with various applications.","title":"Compartment Mode *"},{"location":"PlusContent/Plus-Features/#virtual-disk-integration","text":"RamDisk support , available since the latest insider build, allows you to create a virtual disk in your system's memory, using the ImDisk driver, which can speed up file access and increase confidentiality as all box contents will be discarded when the disk is unmounted (manually or automatically on reboot). Encrypted Box Image support is currently in development and allows you to create encrypted sandboxed environments for an even greater protection of your confidential data. 
With this feature the box file root is being mounted from an AES-XTS encrypted box image, other ciphers are available as well. Upcoming additions to this root functionality will contain secure box passphrase handling and a driver extension to prevent applications not running in the encrypted sandbox from accessing the sandboxed files.","title":"Virtual Disk Integration **"},{"location":"PlusContent/Plus-Features/#enhanced-network-filtering-and-redirection","text":"Proxy injection is yet another feature which has been added in the insider builds, it allows to force any application to use a Socks 5 proxy instead of a direct connection. DNS query logging, filtering and redirection feature allows you to block, or redirect DNS queries made by sandboxed programs for selected domains.","title":"Enhanced network filtering and redirection **"},{"location":"PlusContent/Plus-Features/#wfp-windows-filtering-platform-support","text":"With this feature, Sandboxie can be like an application firewall which applies the rules on a per-sandbox basis, allowing the same application access to Internet in one box while blocking it in another.","title":"WFP (Windows Filtering Platform) support"},{"location":"PlusContent/Plus-Features/#windows-11-context-menu-integration","text":"","title":"Windows 11 context menu integration"},{"location":"PlusContent/Plus-Features/#processthread-handle-filtering-obcallbacks","text":"Using this mechanism greatly improves on isolation of processes and provides enhanced security.","title":"Process/Thread handle filtering (obCallbacks)"},{"location":"PlusContent/Plus-Features/#win32-syscall-hooking","text":"With this feature, Win32 syscalls can get the same treatment as NT syscalls, which helps with graphics and HW acceleration.","title":"Win32 syscall hooking"},{"location":"PlusContent/Plus-Features/#new-ui-with-dark-mode-and-much-more","text":"Sandboxie-Plus bring an entirely new Qt based UI sandman.exe Customizable per box run menu Global hotkey to 
terminate all boxes INI section editor for easy configuration of advanced options Box event triggers/scripts Ability to stop selected applications from running globally, regardless of box presets","title":"New UI with dark mode and much more"},{"location":"PlusContent/Plus-Features/#snapshots","text":"Sandboxie-Plus can create box snapshots, with them it is possible to easily revert a box to a defined previous state. Box set to auto delete will auto-revert when available to the last snapshot allowing to benefit from a fresh clean box each time but with some preset configuration","title":"Snapshots"},{"location":"PlusContent/Plus-Features/#enhanced-debugtrace-monitor","text":"","title":"Enhanced debug/trace monitor"},{"location":"PlusContent/Plus-Features/#fake-admin-privileges","text":"Allows to make all processes in a box think they have admin permissions and act accordingly, without the potential drawbacks of granting them admin permissions","title":"Fake admin privileges"},{"location":"PlusContent/Plus-Features/#box-size-monitor","text":"Monitor and list box size in an own column","title":"Box size monitor"},{"location":"PlusContent/Plus-Features/#start-menu-integration","text":"Integrate start menu entries from sandboxes into the host start menu","title":"Start Menu integration"},{"location":"PlusContent/Plus-Features/#sandbox-sid-isolation","text":"Instead of using anonymous login SID, it uses custom SIDs per-sandbox like Sandboxie/DefaultBox. This way, processes from separate sandboxes won\u2019t be able accessing each other\u2019s resources.","title":"Sandbox SID isolation"},{"location":"PlusContent/Plus-Features/#breakout-process","text":"Allows to specify which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. 
Document Breakout is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandboxed instance of the associated application. **","title":"Breakout Process"},{"location":"PlusContent/Plus-Features/#usb-drive-sandboxing","text":"This feature allows you to automatically sandbox any USB drive that you plug into your computer, which adds an extra layer of protection to your system.","title":"USB drive sandboxing **"},{"location":"PlusContent/Plus-Features/#efs-support","text":"Support for EFS (Encrypted File System) protected files.","title":"EFS Support **"},{"location":"PlusContent/Plus-Features/#arm64-support-for-windows-11","text":"Support ARM64 natively Support emulated x86 Support emulated x64 (ARM64EC)","title":"ARM64 support for Windows 11 *"},{"location":"PlusContent/ProxySupport/","text":"Proxy Support In the ever-evolving landscape of network security and control, Sandboxie-Plus brings forth a powerful addition to its arsenal of features \u2013 Proxy Injection. As a testament to our commitment to providing advanced sandboxing solutions, Proxy Injection emerges as a game-changing capability within the new builds of Sandboxie-Plus. This cutting-edge feature empowers users with an unprecedented level of control over network connectivity, enabling the forceful redirection of application traffic through a Socks 5 proxy instead of relying on direct connections. A Glimpse into Proxy Injection Proxy Injection stands as a pioneering addition to the Sandboxie-Plus suite, designed to elevate the security and manageability of application interactions within sandboxed environments. This feature redefines how users can influence network behavior by seamlessly injecting a Socks 5 proxy mechanism into applications, ensuring that all network-bound activities are routed through a designated proxy server. 
The Power of Control At its core, Proxy Injection embodies the concept of control. With this feature, users wield a newfound ability to enforce the use of a Socks 5 proxy for any application, regardless of its inherent network settings. This degree of control translates into numerous tangible advantages: 1. Enhanced Privacy: By channeling application traffic through a Socks 5 proxy, users can obscure their IP addresses and enhance their online privacy. This becomes particularly crucial in scenarios where applications might inadvertently expose sensitive information. 2. Network Segmentation: Proxy Injection enables the isolation of application traffic, ensuring that interactions are confined to the proxy server. This isolation adds an extra layer of security by minimizing direct communication between applications and external servers. 3. Bypassing Geo-Restrictions: Users can strategically utilize Proxy Injection to bypass geo-restricted content or access region-specific services by routing their traffic through proxies located in desired regions. 4. Network Monitoring and Control: For security-conscious users, Proxy Injection becomes a vital tool for observing and regulating application network activity. By centralizing network traffic through a proxy server, users can closely monitor data exchanges and potentially thwart malicious activity. How Proxy Injection Works The mechanics of Proxy Injection are elegantly simple, yet profoundly effective. Users can designate specific applications (or entire boxes) to undergo proxy injection, effectively compelling these applications to establish their network connections through the selected Socks 5 proxy. The result is a controlled network environment that aligns with security and privacy preferences, effectively mitigating potential vulnerabilities that might arise from direct connections. 
Embrace the Future of Network Control Proxy Injection emerges as a visionary feature that redefines network interaction paradigms within sandboxed environments. It transforms the sandboxing experience by offering users granular control over how applications access external resources. As we forge ahead in an era where digital security is paramount, Proxy Injection emerges as a powerful tool that empowers users to safeguard their interactions, maintain privacy, and proactively manage application behavior. Join us in embracing the future of network control with Proxy Injection \u2013 where every connection is made on your terms.","title":"Proxy Support"},{"location":"PlusContent/ProxySupport/#proxy-support","text":"In the ever-evolving landscape of network security and control, Sandboxie-Plus brings forth a powerful addition to its arsenal of features \u2013 Proxy Injection. As a testament to our commitment to providing advanced sandboxing solutions, Proxy Injection emerges as a game-changing capability within the new builds of Sandboxie-Plus. This cutting-edge feature empowers users with an unprecedented level of control over network connectivity, enabling the forceful redirection of application traffic through a Socks 5 proxy instead of relying on direct connections.","title":"Proxy Support"},{"location":"PlusContent/ProxySupport/#a-glimpse-into-proxy-injection","text":"Proxy Injection stands as a pioneering addition to the Sandboxie-Plus suite, designed to elevate the security and manageability of application interactions within sandboxed environments. This feature redefines how users can influence network behavior by seamlessly injecting a Socks 5 proxy mechanism into applications, ensuring that all network-bound activities are routed through a designated proxy server.","title":"A Glimpse into Proxy Injection"},{"location":"PlusContent/ProxySupport/#the-power-of-control","text":"At its core, Proxy Injection embodies the concept of control. 
With this feature, users wield a newfound ability to enforce the use of a Socks 5 proxy for any application, regardless of its inherent network settings. This degree of control translates into numerous tangible advantages:","title":"The Power of Control"},{"location":"PlusContent/ProxySupport/#1-enhanced-privacy","text":"By channeling application traffic through a Socks 5 proxy, users can obscure their IP addresses and enhance their online privacy. This becomes particularly crucial in scenarios where applications might inadvertently expose sensitive information.","title":"1. Enhanced Privacy:"},{"location":"PlusContent/ProxySupport/#2-network-segmentation","text":"Proxy Injection enables the isolation of application traffic, ensuring that interactions are confined to the proxy server. This isolation adds an extra layer of security by minimizing direct communication between applications and external servers.","title":"2. Network Segmentation:"},{"location":"PlusContent/ProxySupport/#3-bypassing-geo-restrictions","text":"Users can strategically utilize Proxy Injection to bypass geo-restricted content or access region-specific services by routing their traffic through proxies located in desired regions.","title":"3. Bypassing Geo-Restrictions:"},{"location":"PlusContent/ProxySupport/#4-network-monitoring-and-control","text":"For security-conscious users, Proxy Injection becomes a vital tool for observing and regulating application network activity. By centralizing network traffic through a proxy server, users can closely monitor data exchanges and potentially thwart malicious activity.","title":"4. Network Monitoring and Control:"},{"location":"PlusContent/ProxySupport/#how-proxy-injection-works","text":"The mechanics of Proxy Injection are elegantly simple, yet profoundly effective. 
Users can designate specific applications (or entire boxes) to undergo proxy injection, effectively compelling these applications to establish their network connections through the selected Socks 5 proxy. The result is a controlled network environment that aligns with security and privacy preferences, effectively mitigating potential vulnerabilities that might arise from direct connections.","title":"How Proxy Injection Works"},{"location":"PlusContent/ProxySupport/#embrace-the-future-of-network-control","text":"Proxy Injection emerges as a visionary feature that redefines network interaction paradigms within sandboxed environments. It transforms the sandboxing experience by offering users granular control over how applications access external resources. As we forge ahead in an era where digital security is paramount, Proxy Injection emerges as a powerful tool that empowers users to safeguard their interactions, maintain privacy, and proactively manage application behavior. Join us in embracing the future of network control with Proxy Injection \u2013 where every connection is made on your terms.","title":"Embrace the Future of Network Control"},{"location":"PlusContent/RamDiskSupport/","text":"RamDiskSandboxes RAM Disk Support By seamlessly interfacing with the ImDisk Driver , Sandboxie Plus introduces a transformative way to allocate a portion of your system RAM for dynamic RAM Disks. This mechanism revolutionizes the speed and efficiency of your sandboxes, while also conferring distinct privacy advantages. Performance Amplification The hallmark benefit of RAM Disk Support is the remarkable performance boost it offers. Sandboxes configured with a RAM Disk can harness the lightning-fast data access and processing capabilities of your system's RAM. This means that operations within the sandbox occur at unprecedented speeds, without the constraints of traditional storage mediums. 
Privacy Enhancement Beyond the performance gains, RAM Disk Support lends an added layer of privacy to your sandboxing endeavors. Data stored in a RAM Disk is inherently volatile \u2013 once the system is powered off or the sandbox is closed, the data vanishes. This ephemeral nature of a RAM Disk significantly reduces the potential for data leaks, as there's no persistent storage where sensitive information could inadvertently reside. Integrating RAM Disk Support: Step by Step To fully embrace the potential of RAM Disk Support, follow these straightforward steps: Updating Sandbox Configuration: Open the Sandboxie Ini configuration file for the sandbox you wish to enhance. To enable the RAM Disk for this sandbox, include the following line within the respective sandbox's section: UseRamDisk=y Configuring Global Settings: To enable RAM Disk Support across all your sandboxes, navigate to the [GlobalSettings] section within the Sandboxie Ini file. Allocate the appropriate memory for the RAM Disk by adding this line: RamDiskSizeKb=2097152 This value designates the maximum size of the RAM Disk in Kilobytes. For optimal results, allocate at least 1GB of RAM to the RAM Disk. A key point to remember is the dynamic allocation of memory by RAM Disk Support. Unlike conventional storage, memory is utilized on-demand, ensuring optimal resource management. This intelligent allocation means you can allocate up to half of your system's physical RAM without encountering issues.","title":"RamDiskSandboxes"},{"location":"PlusContent/RamDiskSupport/#ramdisksandboxes","text":"","title":"RamDiskSandboxes"},{"location":"PlusContent/RamDiskSupport/#ram-disk-support","text":"By seamlessly interfacing with the ImDisk Driver , Sandboxie Plus introduces a transformative way to allocate a portion of your system RAM for dynamic RAM Disks. 
This mechanism revolutionizes the speed and efficiency of your sandboxes, while also conferring distinct privacy advantages.","title":"RAM Disk Support"},{"location":"PlusContent/RamDiskSupport/#performance-amplification","text":"The hallmark benefit of RAM Disk Support is the remarkable performance boost it offers. Sandboxes configured with a RAM Disk can harness the lightning-fast data access and processing capabilities of your system's RAM. This means that operations within the sandbox occur at unprecedented speeds, without the constraints of traditional storage mediums.","title":"Performance Amplification"},{"location":"PlusContent/RamDiskSupport/#privacy-enhancement","text":"Beyond the performance gains, RAM Disk Support lends an added layer of privacy to your sandboxing endeavors. Data stored in a RAM Disk is inherently volatile \u2013 once the system is powered off or the sandbox is closed, the data vanishes. This ephemeral nature of a RAM Disk significantly reduces the potential for data leaks, as there's no persistent storage where sensitive information could inadvertently reside.","title":"Privacy Enhancement"},{"location":"PlusContent/RamDiskSupport/#integrating-ram-disk-support-step-by-step","text":"To fully embrace the potential of RAM Disk Support, follow these straightforward steps:","title":"Integrating RAM Disk Support: Step by Step"},{"location":"PlusContent/RamDiskSupport/#updating-sandbox-configuration","text":"Open the Sandboxie Ini configuration file for the sandbox you wish to enhance. To enable the RAM Disk for this sandbox, include the following line within the respective sandbox's section: UseRamDisk=y","title":"Updating Sandbox Configuration:"},{"location":"PlusContent/RamDiskSupport/#configuring-global-settings","text":"To enable RAM Disk Support across all your sandboxes, navigate to the [GlobalSettings] section within the Sandboxie Ini file. 
Allocate the appropriate memory for the RAM Disk by adding this line: RamDiskSizeKb=2097152 This value designates the maximum size of the RAM Disk in Kilobytes. For optimal results, allocate at least 1GB of RAM to the RAM Disk. A key point to remember is the dynamic allocation of memory by RAM Disk Support. Unlike conventional storage, memory is utilized on-demand, ensuring optimal resource management. This intelligent allocation means you can allocate up to half of your system's physical RAM without encountering issues.","title":"Configuring Global Settings:"},{"location":"PlusContent/RuleSpecificity/","text":"Rule Specificity Sandboxie prior to build 5.55.0 handled rules exclusively in a very simple way, a path may be Closed , Read Only , Write Only , or Open and the priority of rule application was the same, when a closed rule matched a particular path it overruled all other rules. Starting with build 1.0.0, Sandboxie-Plus has introduced a new mechanism to evaluate and apply rules, based on how specific they are and which match level they have. The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like \"*.tmp\" would have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. 
For this feature, a new type of path directive has been introduced Normal , which allows to restore default sandboxing behaviour for a path whose parent have been set to one of the prior 4 types.","title":"Rule Specificity"},{"location":"PlusContent/RuleSpecificity/#rule-specificity","text":"Sandboxie prior to build 5.55.0 handled rules exclusively in a very simple way, a path may be Closed , Read Only , Write Only , or Open and the priority of rule application was the same, when a closed rule matched a particular path it overruled all other rules. Starting with build 1.0.0, Sandboxie-Plus has introduced a new mechanism to evaluate and apply rules, based on how specific they are and which match level they have. The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like \"*.tmp\" would have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. For this feature, a new type of path directive has been introduced Normal , which allows to restore default sandboxing behaviour for a path whose parent have been set to one of the prior 4 types.","title":"Rule Specificity"},{"location":"PlusContent/Sandboxie-Insider/","text":"The Sandboxie Plus Insider Program provides early access to new features and functionality that are not yet available to the public. 
To become a participant in the Insider Program and gain access to the private GitHub repository with new releases, you must contribute to the project in a meaningful way, such as by helping with documentation, development, providing translations, or by submitting exceptional bug reports. Alternatively, you can support the project on Patreon at the GREAT tier or above. All users with CONTRIBUTOR or HUGE certificates are automatically eligible. The insider builds introduce several new features that are designed to improve the Sandboxie experience and enhance the security of your system: RamDisk support , available since the latest insider build, allows you to create a virtual disk in your system's memory, using the ImDisk driver, which can speed up file access and increase confidentiality as all box contents will be discarded when the disk is unmounted (manually or automatically on reboot). Encrypted Box Image support is currently in development and allows you to create encrypted sandboxed environments for an even greater protection of your confidential data. With this feature the box file root is being mounted from an AES-XTS encrypted box image, other ciphers are available as well. Upcoming additions to this core functionality will contain secure box passphrase handling and a driver extension to prevent applications not running in the encrypted sandbox from accessing the sandboxed files. Proxy injection is yet another feature which has been added in the insider builds, it allows to force any application to use a Socks 5 proxy instead of a direct connection. DNS query logging, filtering and redirection feature allows you to block, or redirect DNS queries made by sandboxed programs for selected domains. USB drive sandboxing is yet another new feature that has been added to the Insider builds. This feature allows you to automatically sandbox any USB drive that you plug into your computer, which adds an extra layer of protection to your system. 
Insider builds include support for EFS, which is a feature in Windows that allows you to encrypt files and folders to protect them from unauthorized access. Document Breakout is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandbox instance of the associated application. Please note that: The Sandboxie Plus insider builds are not like the Windows insider builds which are buggy and rushed. The new things in the insider builds are limited to new functionality and new features. Experimental things that may impact compatibility are tested in the public GitHub preview channel. The Sandboxie Plus insider builds are based on stable final releases, with new functionality added on top. The insider builds are compiled with Qt6 and provided as a unified x64/ARM64 installer.","title":"Sandboxie Insider"},{"location":"PlusContent/Sandboxie-Live/","text":"Sandboxie-Live is a fast update service (stable channel) for project supporters (users with a supporter certificate) and/or adventurous people (preview channel) wanting to try out the latest fixes and discover the newest bugs. In the \"Support & Updates\" tab in the \"Global Options\", the user can now choose from the following release channels: Stable - GitHub Releases Preview - GitHub Pre-Releases There the user can also select how to behave when a \"New Version\" (where an installer is available) or a \"Version Update\" (where only individual files of the existing installation will be updated) is found. For a \"New Version\", the following options are available: Notify Download & Notify Download & Install For a \"Version Update\", the following options are available: Ignore Notify Download & Notify Download & Install There is no \"Ignore\" option for \"New Version\", as that is covered by disabling the update check. 
In the \"Stable\" channel, a check for \"Version Update\" is only available to supporters with a valid certificate. In this channel, all updates are signed and consist of the latest compatibility templates and urgent bug-fixes and translations. In the \"Preview\" channel, the \"Version Update\" consists of unsigned test builds (except the signed driver) released every few days (like 1.6.0, 1.6.1a and 1.6.1b), as here the updates contain not only half-tested fixes but also new functionality which may not yet be free of bugs.","title":"Sandboxie Live"},{"location":"PlusContent/TraceLog/","text":"Trace logging (for Sandboxie Plus) The Trace Log tool displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie Plus. Designed to make it easy to identify those system resources which should be excluded from sandboxing, this tool can be used with the Sandboxie Trace options. Important: Please consider to use the Trace Log before opening a new issue. Using the Trace Log 1. Enable Trace Log tab by opening View menu -> Trace Logging . 2. When the Trace Log tab is activated, it immediately starts to collect and display resource access information from all sandboxed programs that are running. 3. At this point, perform any specific tasks that fail when done under the supervision of Sandboxie Plus. 4. Finally, right click on the collected data and select the entry named Copy Panel . This copies the collected data into the clipboard. 5. You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis. 6. Optionally, the keyboard shortcut CTRL+F can be used to search for specific entries within the Trace Log tab. Performance Impact When inactive, the Trace Log does not use any system resources and does not have any performance impact on any running programs. When active, the Trace Log has a small performance penalty on sandboxed programs. 
Additional Improvements Sandboxie Plus v0.7.0 adds the ability to adjust the buffer size with TraceBufferPages=2560 . Sandboxie Plus v0.8.0 adds the ability to disable resource access monitor for selected sandboxes with DisableResourceMonitor=y . Sandboxie Plus v0.9.8b adds the ability to save the trace log output into a new .log file (via the floppy disk icon). Sandboxie Plus v0.9.8d adds the ability to select multiple access types at once. Sandboxie Plus v1.0.16 adds a monitor mode to the resource access trace. Sandboxie Plus v1.9.6 adds a full stack trace to all trace messages. Note that activating the Trace Log also turns on the Keep Terminated feature. This is not a bug, but a new intended behaviour. Without it, the stack trace in the Trace Log would not work properly, as it uses the process objects to cache the symbols. Sandboxie Plus v1.10.1 adds an auto scroll functionality (enabled by default in the monitor mode).","title":"Trace logging (for Sandboxie Plus)"},{"location":"PlusContent/TraceLog/#trace-logging-for-sandboxie-plus","text":"The Trace Log tool displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie Plus. Designed to make it easy to identify those system resources which should be excluded from sandboxing, this tool can be used with the Sandboxie Trace options. Important: Please consider to use the Trace Log before opening a new issue.","title":"Trace logging (for Sandboxie Plus)"},{"location":"PlusContent/TraceLog/#using-the-trace-log","text":"1. Enable Trace Log tab by opening View menu -> Trace Logging . 2. When the Trace Log tab is activated, it immediately starts to collect and display resource access information from all sandboxed programs that are running. 3. At this point, perform any specific tasks that fail when done under the supervision of Sandboxie Plus. 4. Finally, right click on the collected data and select the entry named Copy Panel . 
This copies the collected data into the clipboard. 5. You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis. 6. Optionally, the keyboard shortcut CTRL+F can be used to search for specific entries within the Trace Log tab.","title":"Using the Trace Log"},{"location":"PlusContent/TraceLog/#performance-impact","text":"When inactive, the Trace Log does not use any system resources and does not have any performance impact on any running programs. When active, the Trace Log has a small performance penalty on sandboxed programs.","title":"Performance Impact"},{"location":"PlusContent/TraceLog/#additional-improvements","text":"Sandboxie Plus v0.7.0 adds the ability to adjust the buffer size with TraceBufferPages=2560 . Sandboxie Plus v0.8.0 adds the ability to disable resource access monitor for selected sandboxes with DisableResourceMonitor=y . Sandboxie Plus v0.9.8b adds the ability to save the trace log output into a new .log file (via the floppy disk icon). Sandboxie Plus v0.9.8d adds the ability to select multiple access types at once. Sandboxie Plus v1.0.16 adds a monitor mode to the resource access trace. Sandboxie Plus v1.9.6 adds a full stack trace to all trace messages. Note that activating the Trace Log also turns on the Keep Terminated feature. This is not a bug, but a new intended behaviour. Without it, the stack trace in the Trace Log would not work properly, as it uses the process objects to cache the symbols. Sandboxie Plus v1.10.1 adds an auto scroll functionality (enabled by default in the monitor mode).","title":"Additional Improvements"},{"location":"PlusContent/USBSandboxing/","text":"USB Sandboxing Sandboxie-Plus introduces USB Drive Sandboxing, a new and impactful feature within our Insider builds. This innovative addition enhances your system's defense by automatically sandboxing any connected USB drive. 
This proactive layer of security isolates potential threats, safeguarding your system from malware and unauthorized access. Key Benefits: Instant Isolation: When you plug in a USB drive, Sandboxie-Plus automatically forces all applications on the volume to be confined to a preset sandbox. Malware Defense: USB Drive Sandboxing guards against malicious content, ensuring that harmful elements remain contained within the sandbox. Effortless Protection: With automated sandboxing, there's no need for manual intervention. Your workflow remains uninterrupted while your system's security is bolstered. Data Integrity: Even in the presence of a potentially unsafe USB drive, your data remains intact while the malicious process is confined to the sandboxed environment. Embrace a more secure future with USB Drive Sandboxing \u2013 a feature that revolutionizes your approach to external storage security, mitigating risks and reinforcing your system's defense mechanisms.","title":"USB Sandboxing"},{"location":"PlusContent/USBSandboxing/#usb-sandboxing","text":"Sandboxie-Plus introduces USB Drive Sandboxing, a new and impactful feature within our Insider builds. This innovative addition enhances your system's defense by automatically sandboxing any connected USB drive. This proactive layer of security isolates potential threats, safeguarding your system from malware and unauthorized access.","title":"USB Sandboxing"},{"location":"PlusContent/USBSandboxing/#key-benefits","text":"Instant Isolation: When you plug in a USB drive, Sandboxie-Plus automatically forces all applications on the volume to be confined to a preset sandbox. Malware Defense: USB Drive Sandboxing guards against malicious content, ensuring that harmful elements remain contained within the sandbox. Effortless Protection: With automated sandboxing, there's no need for manual intervention. Your workflow remains uninterrupted while your system's security is bolstered. 
Data Integrity: Even in the presence of a potentially unsafe USB drive, your data remains intact while the malicious process is confined to the sandboxed environment. Embrace a more secure future with USB Drive Sandboxing \u2013 a feature that revolutionizes your approach to external storage security, mitigating risks and reinforcing your system's defense mechanisms.","title":"Key Benefits:"},{"location":"PlusContent/WFPSupport/","text":"WFP (Windows Filtering Platform) support Sandboxie Plus v0.9.3 introduced a unique approach to manage network connectivity by implementing not only a kernel mode (using a driver) \"per box\" firewall built on Windows Filtering Platform (WFP) but also a user mode , outbound rule-based packet filter. WFP implementation To enable WFP functionality, add NetworkEnableWFP=y to the [GlobalSettings] section of the configuration file Sandboxie Ini and reboot the machine or reload the driver for it to take effect. WFP filtering works for both inbound and outbound traffic. To enable blocking globally, add AllowNetworkAccess=n to the [GlobalSettings] section. To enable WFP blocking for a box, such as DefaultBox, add AllowNetworkAccess=n to the [DefaultBox] section. To exempt blocking for a box, such as DefaultBox, add AllowNetworkAccess=y to the [DefaultBox] section. To allow a selected program in a box, such as DefaultBox, add AllowNetworkAccess=program.exe,y to the [DefaultBox] section. To block a selected program in a box, such as DefaultBox, add AllowNetworkAccess=program.exe,n to the [DefaultBox] section. Limitations of the WFP implementation: WFP will filter only TCP/UDP protocols. The WFP filter rules can be implemented by restricting communication only to specified IP addresses or selected port numbers by using a rule based hierarchy based on \"NetworkAccess=...\" (as described later). 
Restricted boxed processes will still be able to resolve domain names using the system service but will not be able to send or receive data packets directly. User Mode Packet Filter implementation Sandboxie Plus v0.9.3 also added a fully functional rule-based packet filter in user mode for the case when NetworkEnableWFP=y is not set. This mechanism also replaces the primitive \"BlockPort=...\" functionality of older versions. Limitations of the user mode filter: If WFP support is not enabled, the same rules can still be set and used, but they will be applied only by means of user mode hooks. Unlike the WFP implementation, they will apply only to outgoing connections and there are no enforcement guarantees as user mode hooks can be bypassed or disabled by a malicious application. Caveat: For reliable isolation, the use of kernel mode WFP-based filtering is strongly recommended . The rationale for two filtering modes: The rationale for implementing network functionality in both user mode and kernel mode (driver) is twofold. First, it allows for easier debugging of the rule processing code (simpler to debug in user mode) as both modes use the same code to make decisions based on the preset rules. Second, the WFP callouts are global i.e. they are triggered for any process on the system whether sandboxed or not. In the latter case they don't do anything and the use of a hash map to identify sandboxed programs that require action can provide optimal performance. Combining WFP with user mode filtering: If you set \"block internet access\" for a given process and have the driver (for WFP) enabled, you can select for that box which method to apply: using WFP or blocking network devices. Even though the approach of blocking the network device endpoints is more absolute, it has been known to cause some applications to crash. WFP and multiple firewalls Commercially available firewalls implement the Windows Filtering Platform (WFP) by installing a provider of filter rules. 
Some use the standard Windows Firewall's provider, while others create their own. Some use WFP at the user mode level (no drivers), while others use WFP in kernel mode (based on their own driver). If several firewalls are installed and active at the same time, each driver installs its own callout functions at the positions in the network stack it wants to control and all those functions are then called by the kernel for ALL the drivers (providers). This results in an amalgamation of rules set by each firewall. An inbuilt arbitration mechanism in WFP then decides which rules take precedence. Some firewalls recommend turning off the native Windows firewall in order to work effectively, while others can work even with the Windows firewall active. Users who have found a firewall they like are typically very reluctant to switch. Does Sandboxie Plus conflict with other firewalls? Another firewall installed on a system (including the Windows firewall) does not conflict with Sandboxie Plus and can be used to block programs (sandboxed or not), but its rules are typically global and based on absolute program paths. The WFP implementation in Sandboxie Plus, on the other hand, offers the added advantage of \"per box\" rules which affect only processes within a given sandbox (without specifying program paths). For example, Box1 may allow network access for Program1, while in Box2 the same Program1 may be blocked or even allowed but with a different set of rules for network access. Implementing network access rules in Sandboxie Plus The Sandman UI provides us with a method for editing and testing network rules. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Then click on Network Options in the left panel and select the Network Firewall tab. The Test Rules row appears at the bottom, below the rule list (which may or may not be already populated). 
One can enter program name, port number, IP address and protocol to see which rules are in play and which rule will be applied in the end. The choice of blocking (using WFP or by denying access to network devices) is selected in the Process Restrictions tab. The attributes at our disposal (with some examples of syntax) are: Action = Allow | Block (selected from the Network Restrictions tab) Program = program.exe Port = 80,443,1000-2000 Address = 111.222.333.444,0.0.0.0-255.255.255.255 Protocol = TCP | UDP The following rules precedence scheme determines rule hierarchy: A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs. A rule with a Port number or IP address trumps a rule without: 2a. A rule with an IP address and Port number trumps a rule with an IP address only or Port number only. 2b. A rule with one IP address trumps a rule with an IP address range that is besides that on the same level. Block rules trump Allow rules. A rule without a Protocol means all protocols. 4a. A rule with a Protocol trumps a rule without, if it is the only difference. 
Some examples: NetworkAccess=*,Block;Port=80,443 - block rule for selected port numbers NetworkAccess=*,Block;Port=80,443;Protocol=TCP - block rule for all TCP connections NetworkAccess=*,Block;Port=80,443;Address=0.0.0.0-255.255.255.255 - block rule to deny network access NetworkAccess=*,Allow;Port=80,443;Address=111.222.333.444 - allow any program to access this IP address NetworkAccess=chrome.exe,Allow;Port=80,443 - allow chrome.exe to access any IP address NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444 - allow chrome.exe to access one IP address BlockPorts template: NetworkAccess=*,Block;Port=137,138,139,445 - enabled by default since version 1.3.4 / 5.58.4","title":"WFP (Windows Filtering Platform) support"},{"location":"PlusContent/WFPSupport/#wfp-windows-filtering-platform-support","text":"Sandboxie Plus v0.9.3 introduced a unique approach to manage network connectivity by implementing not only a kernel mode (using a driver) \"per box\" firewall built on Windows Filtering Platform (WFP) but also a user mode , outbound rule-based packet filter.","title":"WFP (Windows Filtering Platform) support"},{"location":"PlusContent/WFPSupport/#wfp-implementation","text":"To enable WFP functionality, add NetworkEnableWFP=y to the [GlobalSettings] section of the configuration file Sandboxie Ini and reboot the machine or reload the driver for it to take effect. WFP filtering works for both inbound and outbound traffic. To enable blocking globally, add AllowNetworkAccess=n to the [GlobalSettings] section. To enable WFP blocking for a box, such as DefaultBox, add AllowNetworkAccess=n to the [DefaultBox] section. To exempt blocking for a box, such as DefaultBox, add AllowNetworkAccess=y to the [DefaultBox] section. To allow a selected program in a box, such as DefaultBox, add AllowNetworkAccess=program.exe,y to the [DefaultBox] section. 
To block a selected program in a box, such as DefaultBox, add AllowNetworkAccess=program.exe,n to the [DefaultBox] section. Limitations of the WFP implementation: WFP will filter only TCP/UDP protocols. The WFP filter rules can be implemented by restricting communication only to specified IP addresses or selected port numbers by using a rule based hierarchy based on \"NetworkAccess=...\" (as described later). Restricted boxed processes will still be able to resolve domain names using the system service but will not be able to send or receive data packets directly.","title":"WFP implementation"},{"location":"PlusContent/WFPSupport/#user-mode-packet-filter-implementation","text":"Sandboxie Plus v0.9.3 also added a fully functional rule-based packet filter in user mode for the case when NetworkEnableWFP=y is not set. This mechanism also replaces the primitive \"BlockPort=...\" functionality of older versions. Limitations of the user mode filter: If WFP support is not enabled, the same rules can still be set and used, but they will be applied only by means of user mode hooks. Unlike the WFP implementation, they will apply only to outgoing connections and there are no enforcement guarantees as user mode hooks can be bypassed or disabled by a malicious application. Caveat: For reliable isolation, the use of kernel mode WFP-based filtering is strongly recommended . The rationale for two filtering modes: The rationale for implementing network functionality in both user mode and kernel mode (driver) is twofold. First, it allows for easier debugging of the rule processing code (simpler to debug in user mode) as both modes use the same code to make decisions based on the preset rules. Second, the WFP callouts are global i.e. they are triggered for any process on the system whether sandboxed or not. In the latter case they don't do anything and the use of a hash map to identify sandboxed programs that require action can provide optimal performance. 
Combining WFP with user mode filtering: If you set \"block internet access\" for a given process and have the driver (for WFP) enabled, you can select for that box which method to apply: using WFP or blocking network devices. Even though the approach of blocking the network device endpoints is more absolute, it has been known to cause some applications to crash.","title":"User Mode Packet Filter implementation"},{"location":"PlusContent/WFPSupport/#wfp-and-multiple-firewalls","text":"Commercially available firewalls implement the Windows Filtering Platform (WFP) by installing a provider of filter rules. Some use the standard Windows Firewall's provider, while others create their own. Some use WFP at the user mode level (no drivers), while others use WFP in kernel mode (based on their own driver). If several firewalls are installed and active at the same time, each driver installs its own callout functions at the positions in the network stack it wants to control and all those functions are then called by the kernel for ALL the drivers (providers). This results in an amalgamation of rules set by each firewall. An inbuilt arbitration mechanism in WFP then decides which rules take precedence. Some firewalls recommend turning off the native Windows firewall in order to work effectively, while others can work even with the Windows firewall active. Users who have found a firewall they like are typically very reluctant to switch. Does Sandboxie Plus conflict with other firewalls? Another firewall installed on a system (including the Windows firewall) does not conflict with Sandboxie Plus and can be used to block programs (sandboxed or not), but its rules are typically global and based on absolute program paths. The WFP implementation in Sandboxie Plus, on the other hand, offers the added advantage of \"per box\" rules which affect only processes within a given sandbox (without specifying program paths). 
For example, Box1 may allow network access for Program1, while in Box2 the same Program1 may be blocked or even allowed but with a different set of rules for network access.","title":"WFP and multiple firewalls"},{"location":"PlusContent/WFPSupport/#implementing-network-access-rules-in-sandboxie-plus","text":"The Sandman UI provides us with a method for editing and testing network rules. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Then click on Network Options in the left panel and select the Network Firewall tab. The Test Rules row appears at the bottom, below the rule list (which may or may not be already populated). One can enter program name, port number, IP address and protocol to see which rules are in play and which rule will be applied in the end. The choice of blocking (using WFP or by denying access to network devices) is selected in the Process Restrictions tab. The attributes at our disposal (with some examples of syntax) are: Action = Allow | Block (selected from the Network Restrictions tab) Program = program.exe Port = 80,443,1000-2000 Address = 111.222.333.444,0.0.0.0-255.255.255.255 Protocol = TCP | UDP The following rules precedence scheme determines rule hierarchy: A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs. A rule with a Port number or IP address trumps a rule without: 2a. A rule with an IP address and Port number trumps a rule with an IP address only or Port number only. 2b. A rule with one IP address trumps a rule with an IP address range that is besides that on the same level. Block rules trump Allow rules. A rule without a Protocol means all protocols. 4a. A rule with a Protocol trumps a rule without, if it is the only difference. 
Some examples: NetworkAccess=*,Block;Port=80,443 - block rule for selected port numbers NetworkAccess=*,Block;Port=80,443;Protocol=TCP - block rule for all TCP connections NetworkAccess=*,Block;Port=80,443;Address=0.0.0.0-255.255.255.255 - block rule to deny network access NetworkAccess=*,Allow;Port=80,443;Address=111.222.333.444 - allow any program to access this IP address NetworkAccess=chrome.exe,Allow;Port=80,443 - allow chrome.exe to access any IP address NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444 - allow chrome.exe to access one IP address BlockPorts template: NetworkAccess=*,Block;Port=137,138,139,445 - enabled by default since version 1.3.4 / 5.58.4","title":"Implementing network access rules in Sandboxie Plus"},{"location":"PlusContent/applying-supporter-certificate/","text":"Applying a Supporter Certificate using the Modern SandMan UI To apply a supporter certificate, please start Sandboxie Plus and open the global settings: In the global options, please go to the \"Support & Updates\" page: Enter your entire certificate starting with NAME: up to and including the last two equal signs == , then press Apply (or OK): Then you will be prompted to grant administrative privileges, you will need to allow them for the certificate to be installed: Depending on your OS preset, you may also need to confirm an UAC prompt: Once the certificate is accepted, the entry field should become green: And a notification popup window should appear.","title":"Applying a Supporter Certificate using the Modern SandMan UI"},{"location":"PlusContent/applying-supporter-certificate/#applying-a-supporter-certificate-using-the-modern-sandman-ui","text":"To apply a supporter certificate, please start Sandboxie Plus and open the global settings: In the global options, please go to the \"Support & Updates\" page: Enter your entire certificate starting with NAME: up to and including the last two equal signs == , then press Apply (or OK): Then you will be prompted to 
grant administrative privileges, you will need to allow them for the certificate to be installed: Depending on your OS preset, you may also need to confirm an UAC prompt: Once the certificate is accepted, the entry field should become green: And a notification popup window should appear.","title":"Applying a Supporter Certificate using the Modern SandMan UI"},{"location":"PlusContent/black-box/","text":"Black Box TODO","title":"Black Box"},{"location":"PlusContent/black-box/#black-box","text":"TODO","title":"Black Box"},{"location":"PlusContent/box-preset-comparison/","text":"Sandboxie Plus offers a bunch of different box configuration presets. A sandbox typically isolates your host system from processes running within the box, it prevents them from making permanent changes to other programs and data in your computer. The level of isolation impacts your security as well as the compatibility with applications. Sandboxie Plus can protect your personal data from being accessed by processes running under its supervision. Sandboxie Plus can also be used to protect confidential data by creating an encrypted sandbox and restricting access to the root folder for processes running within the sandbox. Box Preset Security Hardened Data Protection Compatibility Encrypted Confidential Red Box YES YES NO NO NO Orange Box YES NO NO NO NO Blue Box NO YES NO NO NO Yellow Box NO NO NO NO NO Cyan Box NO YES YES NO NO Green Box NO NO YES NO NO Black Box NO NO YES YES YES","title":"Box preset comparison"},{"location":"PlusContent/compartment-mode/","text":"Compartment Mode NOTE: This feature requires a supporter certificate . The concept of an \"Application Compartment\" mode was introduced in Sandboxie Plus v1.0.0 . This mode disables the normally used token-based security isolation in order to significantly improve compatibility while still retaining a level of security comparable to that of other available sandboxing products. 
It avoids many of the typical Sandboxie issues caused by processes running with a heavily restricted token. The setting for a compartment box can be enabled by adding NoSecurityIsolation=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Application Compartment (NO Isolation)\" (with a green box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Application Compartment . In compartment mode, file system and registry filtering are still in place to enforce any access rules. So, processes do run without administrative privileges. This filtering can be disabled by adding NoSecurityFiltering=y to the box settings section of Sandboxie Ini in order to provide a greater degree of compatibility. A new object access filter, enabled by default for new installations since Sandboxie Plus v1.0.16 , replaces the Sandboxie's old process/thread handle filter to facilitate process isolation. For previous versions starting with Sandboxie Plus v1.0.0 , it can be enabled by adding EnableObjectFiltering=y to the [GlobalSettings] section of Sandboxie Ini . Caveat: Even though an application compartment virtualizes the file system and registry, it does not change the process token or apply other more limiting restrictions. As a result, a process could potentially escape the virtualization. Because of this reduced security (even though it is only a slight reduction), this mode should be avoided for untrusted applications . Recent Changes: Token based workarounds were added in subsequent Sandboxie Plus versions to facilitate even greater compatibility with the more commonly used programs. They used DropAppContainerToken=y for such workarounds and FakeAppContainerToken=program.exe,n to disable their use for a specific program. 
In Sandboxie Plus v1.8.2a and above, such workarounds are disabled when in compartment mode. In case of issues with some programs (primarily browsers), they can be re-enabled by using DeprecatedTokenHacks=y . Sandboxie Plus v1.8.0 moved the built-in access rules for an application compartment box to a dedicated template (included in the file Templates.ini under the [TemplateAppCPaths] section) for easier management. Sandboxie Plus v1.10.1 addressed and fixed various long-standing bugs affecting application compartment boxes. Fun Fact (for any box type): If you add OpenFilePath=* to the box settings section of Sandboxie Ini (or disable the isolation in some other way), the status column in the Sandman UI displays OPEN Root Access as a warning that this box is no longer really a \"sandbox\"! Starting with Sandboxie Plus v1.3.2 , the box icon also changes its default color.","title":"Compartment Mode"},{"location":"PlusContent/compartment-mode/#compartment-mode","text":"NOTE: This feature requires a supporter certificate . The concept of an \"Application Compartment\" mode was introduced in Sandboxie Plus v1.0.0 . This mode disables the normally used token-based security isolation in order to significantly improve compatibility while still retaining a level of security comparable to that of other available sandboxing products. It avoids many of the typical Sandboxie issues caused by processes running with a heavily restricted token. The setting for a compartment box can be enabled by adding NoSecurityIsolation=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Application Compartment (NO Isolation)\" (with a green box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Application Compartment . 
In compartment mode, file system and registry filtering are still in place to enforce any access rules. So, processes do run without administrative privileges. This filtering can be disabled by adding NoSecurityFiltering=y to the box settings section of Sandboxie Ini in order to provide a greater degree of compatibility. A new object access filter, enabled by default for new installations since Sandboxie Plus v1.0.16 , replaces the Sandboxie's old process/thread handle filter to facilitate process isolation. For previous versions starting with Sandboxie Plus v1.0.0 , it can be enabled by adding EnableObjectFiltering=y to the [GlobalSettings] section of Sandboxie Ini . Caveat: Even though an application compartment virtualizes the file system and registry, it does not change the process token or apply other more limiting restrictions. As a result, a process could potentially escape the virtualization. Because of this reduced security (even though it is only a slight reduction), this mode should be avoided for untrusted applications . Recent Changes: Token based workarounds were added in subsequent Sandboxie Plus versions to facilitate even greater compatibility with the more commonly used programs. They used DropAppContainerToken=y for such workarounds and FakeAppContainerToken=program.exe,n to disable their use for a specific program. In Sandboxie Plus v1.8.2a and above, such workarounds are disabled when in compartment mode. In case of issues with some programs (primarily browsers), they can be re-enabled by using DeprecatedTokenHacks=y . Sandboxie Plus v1.8.0 moved the built-in access rules for an application compartment box to a dedicated template (included in the file Templates.ini under the [TemplateAppCPaths] section) for easier management. Sandboxie Plus v1.10.1 addressed and fixed various long-standing bugs affecting application compartment boxes. 
Fun Fact (for any box type): If you add OpenFilePath=* to the box settings section of Sandboxie Ini (or disable the isolation in some other way), the status column in the Sandman UI displays OPEN Root Access as a warning that this box is no longer really a \"sandbox\"! Starting with Sandboxie Plus v1.3.2 , the box icon also changes its default color.","title":"Compartment Mode"},{"location":"PlusContent/imdisk/","text":"ImDisk TODO","title":"ImDisk"},{"location":"PlusContent/imdisk/#imdisk","text":"TODO","title":"ImDisk"},{"location":"PlusContent/privacy-mode/","text":"Privacy Mode NOTE: This feature requires a supporter certificate . The concept of privacy mode and privacy enhanced (or Data Protection) boxes was introduced in Sandboxie Plus v1.0.0 . In this mode, most of the locations on a PC are set to be treated like a Write[File/Key]Path, which means the sandboxed locations are writable, but the unsandboxed locations are not readable. In addition, the registry does not allow reading of user root keys. In other words, even though sandboxed processes can continue to work, they cannot access private user data. The setting for a privacy enhanced box can be enabled by adding UsePrivacyMode=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Sandbox with Data Protection\" (with a blue box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Privacy Enhanced . What is User Space? AppGuard refers to user space as \"computer storage space that is typically accessible by non-admin Windows users. 
It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives.\" Think of \"user space\" as everything outside the system (where the core operating system and programs live), in other words, outside the C:\\Windows , C:\\Program Files , and C:\\Program Files (x86) folders! Internally, a privacy enhanced box is based on three defaults: Allow read access to system resources: C:\\Windows C:\\Program Files C:\\Program Files (x86) C:\\ProgramData\\Microsoft (since Sandboxie Plus v1.12.7 ) Registry resources under HKLM (but not HKCU) are readable and can be sandboxed. Note: The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using Write[File/Key]Path ) if desired. Hide (and block access to) user space: In user space, a privacy box works in default block mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking Rule Specificity . Enable Rule Specificity: Internally, rule specificity is always enabled in privacy mode. It uses the Normal path directive ( Normal[File/Ipc/Key]Path ) to open selected locations to be readable and sandboxed . Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for blue boxes (based on privacy mode) but also for red boxes (with both privacy mode and security mode enabled). 
Recent Changes: Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with Sandboxie Plus v1.8.0 , all built-in access rules have been moved to a set of default templates (included in the file Templates.ini under the [TemplatePModPaths] section) for easier management.","title":"Privacy Mode"},{"location":"PlusContent/privacy-mode/#privacy-mode","text":"NOTE: This feature requires a supporter certificate . The concept of privacy mode and privacy enhanced (or Data Protection) boxes was introduced in Sandboxie Plus v1.0.0 . In this mode, most of the locations on a PC are set to be treated like a Write[File/Key]Path, which means the sandboxed locations are writable, but the unsandboxed locations are not readable. In addition, the registry does not allow reading of user root keys. In other words, even though sandboxed processes can continue to work, they cannot access private user data. The setting for a privacy enhanced box can be enabled by adding UsePrivacyMode=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Sandbox with Data Protection\" (with a blue box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Privacy Enhanced . What is User Space? AppGuard refers to user space as \"computer storage space that is typically accessible by non-admin Windows users. 
It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives.\" Think of \"user space\" as everything outside the system (where the core operating system and programs live), in other words, outside the C:\\Windows , C:\\Program Files , and C:\\Program Files (x86) folders! Internally, a privacy enhanced box is based on three defaults: Allow read access to system resources: C:\\Windows C:\\Program Files C:\\Program Files (x86) C:\\ProgramData\\Microsoft (since Sandboxie Plus v1.12.7 ) Registry resources under HKLM (but not HKCU) are readable and can be sandboxed. Note: The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using Write[File/Key]Path ) if desired. Hide (and block access to) user space: In user space, a privacy box works in default block mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking Rule Specificity . Enable Rule Specificity: Internally, rule specificity is always enabled in privacy mode. It uses the Normal path directive ( Normal[File/Ipc/Key]Path ) to open selected locations to be readable and sandboxed . Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for blue boxes (based on privacy mode) but also for red boxes (with both privacy mode and security mode enabled). 
Recent Changes: Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with Sandboxie Plus v1.8.0 , all built-in access rules have been moved to a set of default templates (included in the file Templates.ini under the [TemplatePModPaths] section) for easier management.","title":"Privacy Mode"},{"location":"PlusContent/sandboxie-plus/","text":"Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. It is being developed by David Xanatos since it became open source, before that it was developed by Sophos (which acquired it from Invincea, which acquired it earlier from the original author Ronen Tzur). It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying the local or mapped drive. An isolated virtual environment allows controlled testing of untrusted programs and web surfing. Since the open sourcing, Sandboxie is being released in two flavors: the Classic build with a MFC -based UI and a Plus build that incorporates new features with an entirely new Qt -based UI. All newly added features target the Plus branch, but can often be utilized in the Classic edition by manually editing the Sandboxie Ini file. The full Sandboxie documentation can be found through the Support Page Index , or you can start directly with the Help Topics overview.","title":"Sandboxie plus"},{"location":"PlusContent/sandboxie-portable/","text":"Sandboxie-Portable TODO","title":"Sandboxie-Portable"},{"location":"PlusContent/sandboxie-portable/#sandboxie-portable","text":"TODO","title":"Sandboxie-Portable"},{"location":"PlusContent/security-mode/","text":"Security Hardened Mode NOTE: This feature requires a supporter certificate . The security hardened box and the concept of security hardened mode was introduced in Sandboxie Plus v1.3.0 . 
It restricts NT syscall elevation to approved known safe/filtered syscalls. It also provides device security by restricting device access to known safe/filtered endpoints. The setting for a security hardened box can be enabled by adding UseSecurityMode=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Security Hardened Sandbox\" (with an orange box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Enhanced Isolation . Internally, the security hardened mode is based on four settings: DropAdminRights=y RestrictDevices=y SysCallLockDown=y UseRuleSpecificity=y DropAdminRights : Prior to Sandboxie Plus v1.3.0 , any box with DropAdminRights=y was considered hardened and labeled \"Enhanced Isolation\" in the Sandman UI status column. Starting with Sandboxie Plus v1.3.0 , only boxes with UseSecurityMode=y have their status listed as \"Enhanced Isolation\". SysCallLockDown: The setting SysCallLockDown=y limits the use of NT system calls. Only those calls that are included as defaults in the file Templates.ini or calls configured in the [GlobalSettings] section of Sandboxie Ini as ApproveWinNtSysCall=... or ApproveWin32SysCall=... are executed with the original token. Any NT syscalls that are not approved are executed with the sandboxed token and may break compatibility in certain scenarios. To find which syscalls may be needed to make a particular program work is tedious and involves trial and error. But once these syscalls are found, they can be added to the [GlobalSettings] section of Sandboxie Ini . Note that the configuration must be reloaded using \"Options -> Reload configuration\" for these settings to take effect . 
RestrictDevices: An earlier \"DeviceSecurity\" template was replaced by a dedicated setting RestrictDevices=y in Sandboxie Plus v1.3.0 to harden box security even further. A security enhanced sandbox does not have access to drivers installed on the host. However, the use of appropriate Normal path directives can allow one to open specific devices as needed. Rule Specificity : The setting UseRuleSpecificity=y allows rules to be prioritized based on their \"specificity\". When rule specificity is combined with Normal[File/Key/Ipc]Path entries, selected subpaths can be made readable/writeable while parent paths are still protected. A security hardened box works in a default allow mode: every path is a Normal[File/Key/Ipc]Path (which allows read/write changes to a sandbox) unless specifically blocked by an overriding rule. Comparison with Other Box Types: RuleSpecificity along with Normal[File/Key/Ipc]Path entries is also used in blue ( privacy enhanced ) boxes and in red boxes (that combine enhanced privacy and enhanced security). These two box types work in a default block mode: all drive paths are set to WriteFilePath . This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Recent Changes: Starting with Sandboxie Plus v1.8.0 , all built-in access rules for a security hardened box have been moved to a dedicated template (included in the file Templates.ini under the [TemplateSModPaths] section) for easier management.","title":"Security Hardened Mode"},{"location":"PlusContent/security-mode/#security-hardened-mode","text":"NOTE: This feature requires a supporter certificate . The security hardened box and the concept of security hardened mode was introduced in Sandboxie Plus v1.3.0 . It restricts NT syscall elevation to approved known safe/filtered syscalls. It also provides device security by restricting device access to known safe/filtered endpoints. 
The setting for a security hardened box can be enabled by adding UseSecurityMode=y to the box settings section of Sandboxie Ini . It can also be enabled in the Sandman UI. Right-click on a box and select \"Sandbox Options\" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as \"Security Hardened Sandbox\" (with an orange box icon) and click OK to apply changes. The status column of Sandman UI labels this box as Enhanced Isolation . Internally, the security hardened mode is based on four settings: DropAdminRights=y RestrictDevices=y SysCallLockDown=y UseRuleSpecificity=y DropAdminRights : Prior to Sandboxie Plus v1.3.0 , any box with DropAdminRights=y was considered hardened and labeled \"Enhanced Isolation\" in the Sandman UI status column. Starting with Sandboxie Plus v1.3.0 , only boxes with UseSecurityMode=y have their status listed as \"Enhanced Isolation\". SysCallLockDown: The setting SysCallLockDown=y limits the use of NT system calls. Only those calls that are included as defaults in the file Templates.ini or calls configured in the [GlobalSettings] section of Sandboxie Ini as ApproveWinNtSysCall=... or ApproveWin32SysCall=... are executed with the original token. Any NT syscalls that are not approved are executed with the sandboxed token and may break compatibility in certain scenarios. To find which syscalls may be needed to make a particular program work is tedious and involves trial and error. But once these syscalls are found, they can be added to the [GlobalSettings] section of Sandboxie Ini . Note that the configuration must be reloaded using \"Options -> Reload configuration\" for these settings to take effect . RestrictDevices: An earlier \"DeviceSecurity\" template was replaced by a dedicated setting RestrictDevices=y in Sandboxie Plus v1.3.0 to harden box security even further. A security enhanced sandbox does not have access to drivers installed on the host. 
However, the use of appropriate Normal path directives can allow one to open specific devices as needed. Rule Specificity : The setting UseRuleSpecificity=y allows rules to be prioritized based on their \"specificity\". When rule specificity is combined with Normal[File/Key/Ipc]Path entries, selected subpaths can be made readable/writeable while parent paths are still protected. A security hardened box works in a default allow mode: every path is a Normal[File/Key/Ipc]Path (which allows read/write changes to a sandbox) unless specifically blocked by an overriding rule. Comparison with Other Box Types: RuleSpecificity along with Normal[File/Key/Ipc]Path entries is also used in blue ( privacy enhanced ) boxes and in red boxes (that combine enhanced privacy and enhanced security). These two box types work in a default block mode: all drive paths are set to WriteFilePath . This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Recent Changes: Starting with Sandboxie Plus v1.8.0 , all built-in access rules for a security hardened box have been moved to a dedicated template (included in the file Templates.ini under the [TemplateSModPaths] section) for easier management.","title":"Security Hardened Mode"},{"location":"PlusContent/supporter-certificate/","text":"A supporter certificate is like a license key, but for awesome people using and supporting open source software. :-) Keeping Sandboxie up to date with the rolling releases of Windows and compatible with all web browsers is a never-ending endeavor. Please consider supporting this work with a PayPal donation or by purchasing a Sandboxie Plus Supporter Certificate , you can also provide continuous support with a Patreon subscription . 
A support certificate enables the use of new supporter exclusive features, like Privacy Mode or App Compartment Boxes , see the Feature Comparison Table for more details and certificate options. Please note that a Business Certificate is required to use Sandboxie Plus in a business or educational setting! Patreon certificates are valid for as long as the subscription is active and unlock all features. Patreons who have ended their subscription are entitled to a residual certificate corresponding to the total amount of their support. Contributor certificates are available to all people that help by contributing to the project, these certificates do not expire. If you are a contributor, please get in touch by email or alike to get your certificate.","title":"Supporter certificate"},{"location":"PlusContent/translations/","text":"Language Classic Plus Albanian Yes Arabic Yes Bulgarian Yes Croatian Yes Czech Yes Danish Yes Dutch Yes Yes English Yes Yes Estonian Yes Farsi Yes Finnish Yes French Yes Yes German Yes Yes Greek Yes Hebrew Yes Hungarian Yes Yes Indonesian Yes Italian Yes Yes Japanese Yes Korean Yes Yes Macedonian Yes Polish Yes Yes Portuguese Yes Yes PortugueseBr Yes Yes Russian Yes Yes SimpChinese Yes Yes Slovak Yes Spanish Yes Yes Swedish Yes Yes TradChinese Yes Yes Turkish Yes Yes Ukrainian Yes Yes Vietnamese Yes","title":"Translations"}]}
\ No newline at end of file
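Review bot: In the privacy-mode and security-mode entries, the sentence "This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule)" attaches the exception to the wrong clause. As written, it reads as if an overriding rule is what permits or prevents file creation inside the sandbox, while the surrounding text (Normal path directives opening selected locations) describes an exception to the hiding. Suggest rewording in the page source, for example "hides all files and folders outside the sandbox unless an overriding rule opens them; new files and folders can still be created in the sandbox". Two naming inconsistencies in the same entries are worth fixing at the same time: the comparison paragraph says "RuleSpecificity" where the setting is given as UseRuleSpecificity=y, and the directive is written Normal[File/Ipc/Key]Path in the privacy-mode text but Normal[File/Key/Ipc]Path in the security-mode text. The "Sandboxie-Portable TODO" stub is also being indexed, so it will surface in search results with no content. Each page's text appears twice on this one line (page entry and anchor entry), so these corrections belong in the page sources rather than in this index.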
diff --git a/sitemap.xml.gz b/sitemap.xml.gz
index 7ea1b575f..63cf250c0 100644
Binary files a/sitemap.xml.gz and b/sitemap.xml.gz differ
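Review bot: sitemap.xml.gz changes here as an opaque binary, so nothing about the change can be checked in review. If it is build output, consider generating it at publish time rather than committing it, or commit the uncompressed sitemap so that added or removed URLs show up in the diff.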