Sandbox Exclusion/AutoCloseExec [persistent boxes]

Ideas for enhancements to the software
Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by Syrinx » Fri May 20, 2016 3:28 pm

I understand that it's contrary to the popular, intended use of SBIE to maintain persistent sandboxes. This request isn't about a snapshot type feature but rather different approaches that might be a bit easier to add and could still be of great help to those of us who use some persistent boxes.

Currently the sandbox is an all or nothing box. It either gets deleted when all programs in the box close or it retains everything. So I'm wondering if it's possible/feasible to

A) Either add options that allow users to exclude certain keys (I myself am thinking of a few audio related entries that tend to break once in a while across new SBIE versions) or files from the default behavior when not set to auto delete so that any selected/excluded entries would still get deleted within when the box closes.

or

B) Similar to AutoExec adding an AutoCloseExec key that could be checked just as sbie prepares to close the box where users could point to a bat file which can be run inside. This would allow users to automate things such as removing specific keys or files (via the bat) prior to the actual closing of the box.

Either one could aid those of who do use a persistent box to keep them a bit cleaner without having to dig in them manually as often and clean any problematic keys/files.

I know just another crazy thought, I'll go back to the corner and talk to myself again.
Goo.gl/p8qFCf

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by rpljhun » Fri May 20, 2016 3:58 pm

Syrinx wrote: I know just another crazy thought, I'll go back to the corner and talk to myself again.
LOL...
Seriously, you can use DeleteCommand and run your batch file.

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by Syrinx » Fri May 20, 2016 4:07 pm

rpljhun wrote:
Syrinx wrote: I know just another crazy thought, I'll go back to the corner and talk to myself again.
LOL...
Seriously, you can use DeleteCommand and run your batch file.
Using the current delete option and pointing it to a custom bat, that's for when auto delete is set or manually deleting the box (after the box is closed)...I hadn't considered that for files. I'm talking about situations where auto delete is off. So I suppose that *could work* in some situations (files only) but I'd have to test that out after making a backup of the box first in case it removes more than I'd like and it certainly would not cover the internal registry (eg REGHIVE) removals I am most interested in doing for MMDevices...

Update: unless I set the bat to remount the reghive, remove the key(s), then unmount. Good point, that might work after all! Thanks, will test that soon.

About B) I thought a bit more and I realized I can prolly just use the current AutoExec option to accomplish the same thing and achieve the desired results [at a different point] so that really leaves only A) as a potential improvement but thanks to rpljhuns comment I think I can accomplish what I want with what SBIE already offers so this request might be moot aside from just making it easier on the user.
Goo.gl/p8qFCf

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by rpljhun » Fri May 20, 2016 4:21 pm

You use DeleteCommand and yes, mount and unmount reghive or you can make a program to accomplish all these task.

AutoExec is somehow differrent. The command will not be executed if it was already recorded in the sandboxed registry. Thus, deleting the sandbox clears all recorded AutoExec commands, so they are executed again the next time any sandboxed program starts in that sandbox whereas DeleteCommand will invoke every time the last program ends.

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by Syrinx » Fri May 20, 2016 4:44 pm

OK well I'm out of time for now. My kid will be ready to play soon so I'll have to continue trying again later. I've run into two problems so far.
One, using AutoExec I have specifically disallowed access to users to reg, regedit and many other files (both within sbie as blocked files & outside with no NTFS read or execute permissions since I use runas to launch sandboxed programs as a limited user. I really don't want to generally allow reg to run even in a box :-/) so I'll have to test that option within sandboxie but it doesn't seem likely to work with my setup.

As for the delete command, I created a bat that did all the reg stuff but when adding it to sbie in place of delete it wants a %sandbox% pointer which I don't need as I'm not trying to remove the folder or files but rather just mess with the internal registry. I'll do more to see if I can work around it later but so far it's not going as well as I had expected it to. =(

Update: yup, the delete option is off the table, it only attempts to execute the 'delete command' (in this case a bat set to remove a reg entry) after it has renamed the sandbox folder [which appears to be why it requires the "%sandbox% variable" so it won't work for persistent boxes. =(

Update2: The AutoExec function doesn't help because of the user/NTFS options I mentioned before along with requiring me to enable reg or regedit within the runas list inside the box. Don't like that option much... I was hoping more for something that could be executed by sandboxie (at the same user integrity level as sbiectrl or maybe even sbiesvc) to preform the operation. Right now it throws up 2314 errors and I really don't like the idea of allowing reg even inside a box. Looks like I may just be stuck doing it manually or making a bat to run manually once in a while outside of sandboxie for now.
Goo.gl/p8qFCf

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by rpljhun » Fri May 20, 2016 5:34 pm

Well, you can have a workaround. %SANDBOX% argument is pass in your batch file. You can do such "ren %1 mysandbox" which rename the renamed folder back to mysandbox then you do all you want after that.

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by Syrinx » Fri May 20, 2016 5:40 pm

rpljhun wrote:Well, you can have a workaround. %SANDBOX% argument is pass in your batch file. You can do such "ren %1 mysandbox" which rename the renamed folder back to mysandbox then you do all you want after that.
OK maybe I'm just being dumb but how would cmd understand the variable %sandbox% without first setting it and how do you set it with the random rename? I believe that's something sandboxie handles internally so the bat would have no clue what location I am intending to rename back and as such I don't see how that would work but I might try it later anyway with a wildcard or something.

The bat seems to fail to run entirely because of the %sandbox% variable and even adding it to the bat path results in an "incorrect function" error alert being thrown by sbie so I didn't yet see if naming it back was possible at this point. I'm afraid using the delete command option to remove registry entries inside automatically still seems to be a no go as sbie is intent on passing the renamed sandbox variable which disrupts the launch of the bat in the first place. Any ideas how to overcome this?
Last edited by Syrinx on Fri May 20, 2016 5:56 pm, edited 1 time in total.
Goo.gl/p8qFCf

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by rpljhun » Fri May 20, 2016 5:51 pm

Don't use the %SANDBOX% variable use %1. %1 is the path of the rename folder. Don't use random name, you need to rename it back to the original sandbox name.

Let say MySandbox is the name of the sandbox then use this "ren %1 MySandbox"

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by rpljhun » Fri May 20, 2016 6:02 pm

I tried it. I successfully managed to rename it back.

You have this setting under your sandbox not global

DeleteCommand=C:\Users\xxx\Desktop\delsample.bat "%SANDBOX%"

All you need to do inside your batch file is to use %1 variable.

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by Syrinx » Fri May 20, 2016 6:23 pm

Thanks for continuing in your attempts to assist me but it just won't launch my bat! It's likely something stupid I've overlooked. Not really good with cmd lines these days.

This is my bat

Code: Select all

ren %1 MediaPlayer
reg load HKCU\zMP "Drive:\Path\RegHive"
reg delete HKEY_LOCAL_MACHINE\zMP\machine\software\microsoft\Windows\CurrentVersion\MMDevices /f
reg unload HKCU\zMP
This is my delete command inside sbie

Code: Select all

Drive:\Path\AutoRun.bat "%SANDBOX%"
What am I missing?
Goo.gl/p8qFCf

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by rpljhun » Fri May 20, 2016 6:38 pm

Code: Select all

Drive:\Path\AutoRun.bat "%SANDBOX%"
Is this the real one? You need to specify the absolute path of your batch file.

There something wrong with your reg delete.

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by Syrinx » Fri May 20, 2016 6:45 pm

rpljhun wrote:

Code: Select all

Drive:\Path\AutoRun.bat "%SANDBOX%"
Is this the real one? You need to specify the absolute path of your batch file.
No drive:\ and path\ are just placeholders like xxxx in your example (we could also say C:\AutoRun.bat "%SANDBOX%") but I may have figured it out, there was a change I made while testing the AutoExec feature and didn't fix inside the bat.

HKEY_LOCAL_MACHINE\zMP\machine\software\microsoft\Windows\CurrentVersion\MMDevices /f

I decided to put it on HKCU so I had two errors in there so I guess that's the error being returned. Changing them all back to HKU stops the darn error and I checked with regedit, it does the trick!

Many thanks for the tips!!!!!
Goo.gl/p8qFCf

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by rpljhun » Fri May 20, 2016 6:57 pm

You're welcome :D
Btw, how are you going to accomplish it with AutoExec. It is executed once in the life-time of a particular sandbox until you delete it.

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by Syrinx » Fri May 20, 2016 7:02 pm

Well, I hadn't really messed with either option before now so I can't say I was familiar with either. I never got far enough along with autoexec to realize that limit because it couldn't launch reg.exe inside due to the many limits I have imposed on users and within sandboxie but that's a good point as well. Thankfully you were patient enough to guide me to an answer that allows me to do what I want with the delete command so no need to mess with AutoExec any more! :D
Goo.gl/p8qFCf

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Sandbox Exclusion/AutoCloseExec [persistent boxes]

Post by rpljhun » Fri May 20, 2016 7:05 pm

Ya' right.

Regarding the reghive, you can only mount it in HKU. Sandboxie mount it there as well.

Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests