Posted: Thu Sep 08, 2016 8:08 pm
by Syrinx
So here's something I came across last month. I'm going to modify a PM I sent someone else and try to expand upon it so that others know what happened.

When I was using SbieCtrl and selecting Menu > Configure > Edit Configuration I would see a cmd window pop up but the sandboxie.ini was never opened in notepad. It went by in a flash so I didn't know what was going on at first.

I eventually used procmon and saw that instead of launching notepad, sbiectrl was instead using a key from
which was a key I added a long time (1 year+) ago for taking ownership of files

Code:

Windows Registry Editor Version 5.00

; Key headers below were lost when the post was rendered (square brackets stripped);
; they are restored from the standard "Take Ownership" layout these values belong to:
; the runas verb under HKCR\* (all files) and under HKCR\Directory (folders).
[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take Ownership"

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take Ownership"

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Instead of opening the sandboxie.ini via notepad, it was taking ownership of the ini via that key!

The Why:
I finally tracked the cause down to another key (HKCR\exefile\shell\runas) from which I had removed read/write rights (say that 10x fast). I can't say for sure, but I think it was when I started restricting runas, 'runas other user' and 'run as admin' from the context menu for L/SUAs.

The problem/bug (maybe):
If it couldn't read the key, shouldn't it just do nothing instead of randomly using another key in its place, or does it just fall back to another runas (* ='s all after all) it finds? Maybe it's a quirk with the way Windows interacts with the registry keys and some type of fallback, but for the life of me I can't figure out for sure why it happened.

Why does removing read/write access to an EXE key mess with the way sandboxie opens the INI?

My workaround for now was to undo the read/write restrictions but I don't really think that's a suitable long-term fix either. I guess if it's Windows related there's not much that can be done and I'll have to live with it...but I'd like to know if that's the case!

This occurred on Windows 7 x64.
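An added diagnostic, not from the post or from Sandboxie: a PowerShell check that lists the runas shell verbs the shell can resolve for executables, all files and folders, reports whether each key is readable, and flags a command that has been repurposed for takeown/icacls. The exefile key is the one named in the post; the HKCR\* and HKCR\Directory paths are assumed from the standard "Take Ownership" layout.

```powershell
# Added example: audit the runas verbs involved in the fall-through described above.
# Run in an elevated or standard PowerShell on the affected machine; it only reads.
$verbs = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas',     # named in the post
    'Registry::HKEY_CLASSES_ROOT\*\shell\runas',           # assumed: all files
    'Registry::HKEY_CLASSES_ROOT\Directory\shell\runas'    # assumed: folders
)

foreach ($path in $verbs) {
    $result = [ordered]@{
        Key      = $path -replace '^Registry::', ''
        Readable = $false
        Label    = $null
        Command  = $null
        Note     = $null
    }
    try {
        # -LiteralPath keeps the '*' in the key name from being treated as a wildcard.
        # Opening a key whose ACL denies read throws, which is the condition the post hit.
        $null = Get-Item -LiteralPath $path -ErrorAction Stop
        $result.Readable = $true
        $result.Label = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'(default)'
        $cmdPath = "$path\command"
        if (Test-Path -LiteralPath $cmdPath) {
            $result.Command = (Get-ItemProperty -LiteralPath $cmdPath -ErrorAction SilentlyContinue).'(default)'
        }
    } catch {
        $result.Note = "key missing or unreadable ($($_.Exception.GetType().Name)); " +
                       'the shell may resolve a different runas verb in its place'
    }
    # A runas verb whose command runs takeown/icacls changes ACLs on the target instead
    # of opening it, which is exactly what happened to sandboxie.ini in the post.
    if ($result.Command -match 'takeown|icacls') {
        $result.Note = 'runas verb repurposed for takeown/icacls: "run as admin" rewrites ACLs'
    }
    [pscustomobject]$result
}
```

If the exefile row shows Readable=False while another row is flagged as repurposed, the machine is in the state the post describes.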