SandboxDiff - Registry/Files changes

Utilities designed for use with Sandboxie
gyp
Posts: 0
Joined: Sat May 23, 2009 11:30 pm

Post by gyp » Sat May 23, 2009 11:44 pm

I am pretty sure I am using Sandboxie portable.

I say 'pretty sure' because it works as well as installed. But on my old pc I had a folder of my username under c:\sandbox and I think with portable I only have a DefaultBox folder there.

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Re: comp-reg error

Post by majoMo » Mon May 25, 2009 3:27 pm

gyp wrote:In comp-reg.txt I am getting

1d0
< hive path err
\ No newline at end of file

Otherwise seems to be functioning very easy
"hive path err" is related to "RegHive" file that wasn't able to be load by SandboxDiff. There are several reasons for, that you can check:

. When starting the sandbox folder is empty; so "RegHive" file didn't exist to be analyzed. You need to do a dummy action to create it: e.g. open Notepad.exe sandboxed and close it. Start SandboxDiff after.

. "RegHive" file was in use perhaps. You need to terminate all app. that are sandboxed firstly (when is asked by SandboxDiff).

Guest

Post by Guest » Mon May 25, 2009 5:47 pm

Neither of those cases are true. It is reproducible. I looked, on initiation of sandboxdiff.exe Files_before reads everything in my c:\sandbox dir, but Reg_before also declares hive path err.

Guest

Post by Guest » Mon May 25, 2009 6:01 pm

I really don't know what I'm talking about here but I was able to see when the hive.bak files were being created I could peek in one that said HKEY_USERS hive or something...my reghive created when looked at in wrr starts with \Sandbox_<MyUserName_DefaultBox.

Anyway, if I run sandboxdiff before, during, or after a sandboxed app, it is not finding any reghive file which is at C:\Sandbox\DefaultBox

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Mon May 25, 2009 10:45 pm

Anonymous wrote:but Reg_before also declares hive path err.
When you have "hive path err" SandboxDiff was unable to load "RegHive" file for some reason.
BTW, do you have "UserPath.bat" customized?
Anonymous wrote:Anyway, if I run sandboxdiff before, during, or after a sandboxed app, it is not finding any reghive file which is at C:\Sandbox\DefaultBox
Can you describe in detail the steps that you do when install an app. sandboxed with SandboxDiff? I think that can allow a clarification.
Anonymous wrote:I was able to see when the hive.bak files were being created I could peek in one that said HKEY_USERS hive or something...my reghive created when looked at in wrr starts with \Sandbox_<MyUserName_DefaultBox.
No annoyance here. I can explain better further along (it's a form issue not a content question). :wink:

BTW, WRR shows the registry status; SandboxDiff performs the registry changes between two status.

gyp
Posts: 0
Joined: Sat May 23, 2009 11:30 pm

Post by gyp » Tue May 26, 2009 3:03 pm

Well I have tried many different orders of operations now, including messing with the path declaration, but no avail.

My user path
C:\Sandbox\DefaultBox

My userpath line
copy "C:\Sandbox\DefaultBox\RegHive" hive_1.bak /v /y > NUL

1. Sandbox "delete contents"
2. SandboxDiff.exe (re-read instructions see if i'm missing something)
3. Press OK
(3.a.) Maybe look at Reg_before and see hive path err, continue anyway
4. Pick an app, right click, "run sandboxed"
5. Right click Sandboxie Control, pick "Terminate all programs"
6. SandboxDiff press "OK"

1d0
< hive path err
\ No newline at end of file

Same results if a RegHive exists or folder is empty.

But also like I said my hive file key starts with Sandbox_Username_DefaultBox even though I have not set it to use a username
My Sandboxie config is %SystemDrive%\Sandbox\%SANDBOX%


I do not see a regdump.exe anywhere on my system. I have an nlited XP install.

Thank you so much if you can explain

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Tue May 26, 2009 4:46 pm

Please try follows the sequence (notes in red):

- The "UserPath.bat" file (don't forget to rename "UserPath.bat.txt" to "UserPath.bat") needs to be in same folder that "SandboxDiff.exe". With your customized path: copy "C:\Sandbox\DefaultBox\RegHive" hive_1.bak /v /y > NUL

1. Sandbox "delete contents" --> When you do this you removes "RegHive" file also! ("C:\Sandbox\DefaultBox\RegHive") - Please add step 1A- and 1B
1A- Run Notepad.exe sandboxed. Close it after - so none app. is running sandboxed now. (this allows to create a "RegHive").
1B- Check if a "RegHive" is in "C:\Sandbox\DefaultBox". It should be.

2. SandboxDiff.exe (re-read instructions see if i'm missing something)
3. Press OK
(3.a.) Maybe look at Reg_before and see hive path err, continue anyway
4. Pick an app, right click, "run sandboxed" --> Don't do this step. For now don't run any app. sandboxed.
5. Right click Sandboxie Control, pick "Terminate all programs"
6. SandboxDiff press "OK"

Please post the text that it is in "Comp-Reg.txt" file.

Obs.: When you want work with SandboxDiff, you don't need to "delete contents". But if you do that you need to do a dummy action before (e.g. open/close Notepad), to create the "RegHive" file.

gyp
Posts: 0
Joined: Sat May 23, 2009 11:30 pm

Post by gyp » Tue May 26, 2009 8:58 pm

Still Reg_before gives hive path err
and Comp-Reg
1d0
< hive path err
\ No newline at end of file


Additionally, although these do exist, filemon reports:

SandboxDiff.exe:3252 DIRECTORY C:\SANDBOX\ NO MORE FILES FileNamesInformation

nircmd.exe:548 QUERY INFORMATION C:\Sandbox\UserPath.bat NOT FOUND Attributes: Error

gyp
Posts: 0
Joined: Sat May 23, 2009 11:30 pm

Post by gyp » Tue May 26, 2009 9:43 pm

Well like checking an alarm clock you set and already double checked 5 times, I made a new UserPath.bat and it is working now. Scratching my head, then I binary compared this new userpath.bat to the old one I deleted and they are binary = .

??? no clue what, maybe permissions or something???

Anyway, working good! Sorry to have wasted so much time.

gyp
Posts: 0
Joined: Sat May 23, 2009 11:30 pm

Post by gyp » Tue May 26, 2009 10:29 pm

I found the ***. The file name of my original UserPath.bat file had a SPACE before the U, at the beginning of the filename. lol
so sorry :)
I will learn to work this *#! netbook touchpad!

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Wed May 27, 2009 3:57 pm

gyp wrote:I found the ***. The file name of my original UserPath.bat file had a SPACE before the U, at the beginning of the filename. lol
Good to see you found the annoyance.

Because I couldn't find it never... :roll:

Thanks for your time also and feedback. I appreciated that.

:wink:

Guest

Post by Guest » Wed May 27, 2009 10:43 pm

Thanks so much for sharing your work and not getting mad at me, this functions very well and is so useful. I do think that the instructions could be written a little bit more clear for dumber users like me, that an initial RegHive must be created first, through, for example, the 'notepad sandbox'.


so now how will we save the world economy next?

Guest

Post by Guest » Fri Jul 17, 2009 3:39 am

I put both SandboxDiff.exe and UserPath.bat to the main root of sandbox folder.
I configured the path inside the UserPath.bat.
I doubled click on SandboxDiff.exe to start, running normally not being sandboxed!
I saw a dialog and clicked ok.

msgwait.exe crashed and reported the following error:
AppName: msgwait.exe AppVer: 0.0.0.0 ModName: crtdll.dll
ModVer: 4.0.1183.1 Offset: 000115ce

The error report file: http://rapidshare.com/files/256737870/d ... t.txt.html

What's up?

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Sat Jul 18, 2009 10:50 am

Something not easy to clarify. It seems that a google search for GRABMI_FILTER_PRIVACY produces tons of results. And isn't related to the app. itself like here.

Guest10
Posts: 5133
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sat Jul 18, 2009 11:26 am

Same msgwait.exe crash here. Not encountered with an older version of SandboxDiff.

Found this during Google search, so I assume that SandboxDiff is creating the msgwait.exe process:
http://www.threatexpert.com/report.aspx ... b2263cd4e0
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Firefox, Thunderbird
Sandboxie user since March 2007

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest