Trust No Program

Sandbox Hierarchy


     •  Overview
     •  Files
     •  Registry
     •  Inter-Process Objects

Overview

When sandboxed programs create (or modify) objects, such as files, some object must in fact be created. Sandboxie creates these objects out of the way, to protect the system from harmful changes. But these objects must reside somewhere in the system. This page describes where various types of sandboxed objects are placed.

Beginning with version 2.80 of Sandboxie, the layout of the sandbox is not tied to computer-specific device names and account names. See Portable Sandbox for more information.

Files

Files are created in the sandbox folder. The hierarchy is as follows:

  . File Root Path
  . . drive
  . . . C
  . . . D
  . . . Q
  . . user
  . . . all
  . . . current

The FileRootPath setting specifies a path to the root of a particular sandbox. In other words, if File Root Path specifies the folder C:\MySandbox, then the sub-folders drive and user are created as C:\MySandbox\drive and C:\MySandbox\user, respectively.

If the FileRootPath setting is omitted, the BoxRootFolder setting is used instead. The Box Root Folder setting specifies a path to a group of sandboxes. In other words, if Box Root Folder specifies the folder C:\MySandbox and the sandbox is called DefaultBox, then the sub-folders drive and user are created as C:\MySandbox\Sandbox\DefaultBox\drive and C:\MySandbox\Sandbox\DefaultBox\user, respectively.

As sandboxed programs create new files or modify existing files, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the file C:\NEW.TXT, it will be redirected to create instead (File Root Path)\drive\C\NEW.TXT.

If the sandboxed program was trying to create the file C:\Documents and Settings\joe\My Documents\NEW.TXT, it will be redirected to create (File Root Path)\user\current\My Documents\NEW.TXT.

Files that are created or modified in or below profile (or home) folders, such as C:\Documents and Settings\joe, are redirected into the sandboxed user\current folder.

Files that are created or modified in or below the generic (or All Users) profile, are redirected into the sandboxed user\all folder.

Other files that don't match either of the above paths are redirected to the sandboxed drive\X folder, where X is the drive on which the file was supposed to have been written.

Note that the sandbox folder itself resides on one particular drive, so even as sandboxed programs may create and modify files in multiple drives, all these files will end up residing physically in the same drive -- the drive where the sandbox folder resides.

Apart from the two sub-folders, drive and user, the sandbox folder itself contains the file RegHive, and typically also RegHive.LOG. These hold the sandboxed registry. See below.
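The file redirection rules above can be expressed as a small path resolver. The following is an added example, not code from Sandboxie itself: it computes the sandbox root from FileRootPath or BoxRootFolder, maps a path a sandboxed program asked for to the location it actually lands in, and, for examining a sandbox folder after the fact, maps a file found under the sandbox root back to the path the program was trying to write. The profile folder locations are passed in as parameters (the page does not say how Sandboxie discovers them), and the matching is done component by component and case-insensitively so that C:\Documents and Settings\joe2 is not mistaken for a path below C:\Documents and Settings\joe.

```python
import ntpath  # Windows path semantics regardless of the host OS


def sandbox_root(box, file_root_path=None, box_root_folder=None):
    """Root folder of one sandbox: FileRootPath wins, else BoxRootFolder\\Sandbox\\<box>."""
    if file_root_path:
        return file_root_path.rstrip("\\")
    if box_root_folder:
        return ntpath.join(box_root_folder.rstrip("\\"), "Sandbox", box)
    raise ValueError("either FileRootPath or BoxRootFolder must be set")


def _components(path):
    """Return (drive letter without colon, list of path components)."""
    drive, rest = ntpath.splitdrive(path)
    if not drive:
        raise ValueError(f"absolute path with a drive letter required: {path!r}")
    return drive.rstrip(":").upper(), [p for p in rest.split("\\") if p]


def _is_below(parts, base_parts):
    """Component-wise, case-insensitive prefix test (...\\joe2 is not below ...\\joe)."""
    if len(parts) < len(base_parts):
        return False
    return all(a.lower() == b.lower() for a, b in zip(parts, base_parts))


def redirect_file(path, root, user_profile, all_users_profile):
    """Where a sandboxed program's write to `path` actually ends up.

    user_profile / all_users_profile are assumed inputs: the current user's
    profile folder and the generic (All Users) profile folder.
    """
    drive, parts = _components(path)
    buckets = ((user_profile, ("user", "current")),
               (all_users_profile, ("user", "all")))
    for base, bucket in buckets:
        bdrive, bparts = _components(base)
        if drive == bdrive and _is_below(parts, bparts):
            return ntpath.join(root, *bucket, *parts[len(bparts):])
    # Anything else goes under drive\X, regardless of which physical drive holds the sandbox.
    return ntpath.join(root, "drive", drive, *parts)


def original_path(sandboxed, root, user_profile, all_users_profile):
    """Inverse mapping: the path a program meant to write, given a file found in the sandbox."""
    rdrive, rparts = _components(root)
    sdrive, sparts = _components(sandboxed)
    if sdrive != rdrive or not _is_below(sparts, rparts):
        raise ValueError("path is not inside the sandbox folder")
    rel = sparts[len(rparts):]
    if len(rel) >= 2 and rel[0].lower() == "drive":
        return rel[1].upper() + ":\\" + "\\".join(rel[2:])
    if len(rel) >= 2 and rel[0].lower() == "user":
        base = {"current": user_profile, "all": all_users_profile}[rel[1].lower()]
        return ntpath.join(base, *rel[2:])
    raise ValueError("not a redirected file (e.g. RegHive lives directly in the root)")


if __name__ == "__main__":
    # Constructed sample settings matching the page's examples.
    root = sandbox_root("DefaultBox", file_root_path="C:\\MySandbox")
    prof, everyone = "C:\\Documents and Settings\\joe", "C:\\Documents and Settings\\All Users"
    for p in ("C:\\NEW.TXT", "C:\\Documents and Settings\\joe\\My Documents\\NEW.TXT"):
        print(p, "->", redirect_file(p, root, prof, everyone))
```

The inverse mapping is the one a responder typically needs: after a sandboxed run, walking (File Root Path)\drive and (File Root Path)\user and feeding each file through original_path gives the list of real locations the program attempted to change.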

Registry

Registry keys are created in a sandboxed registry hive. A registry hive is the Microsoft Windows term for a group of related registry keys that are stored in a single hive file.

Sandboxie creates the hive file in the sandbox folder, as the files RegHive and RegHive.LOG. This hive is mounted (or in other words, loaded into the registry) when a sandboxed program starts. The hive is unmounted when all sandboxed programs end.

The sandboxed hive has the following position and structure within the global structure of the Windows registry.

 . HKEY_USERS
 . . Key Root Path
 . . . machine
 . . . user
 . . . . current

The KeyRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to HKEY_USERS\Sandbox_(user name)_(sandbox name). For example, if the user joe is using the sandbox DefaultBox, the default Key Root Path is HKEY_USERS\Sandbox_joe_DefaultBox.

As sandboxed programs create new registry keys or modify existing keys, Sandboxie redirects these operations to act on paths that lead into the sandbox. If the sandboxed program was trying to create the key HKEY_LOCAL_MACHINE\Software\NewKey, it will be redirected to create instead (Key Root Path)\machine\Software\NewKey.

If the sandboxed program was trying to create the key HKEY_CURRENT_USER\Software\NewKey, it will be redirected to create (Key Root Path)\user\current\Software\NewKey.

With the sandboxed registry, the rules for redirection are simpler than for sandboxed files: A registry key created or modified below the HKEY_LOCAL_MACHINE tree will be redirected below the sandboxed machine key.

A registry key created or modified below the HKEY_CURRENT_USER tree will be redirected below the sandboxed user\current key.
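The registry rules are simple enough to write down as a pair of functions. This is an added example, not Sandboxie code: it derives the default Key Root Path from the user and sandbox names, maps a key a sandboxed program asked for to its location inside the sandboxed hive, and maps a key found in the sandboxed hive (for instance while reviewing RegHive after a run) back to the key the program meant to touch. The HKLM and HKCU abbreviations are accepted as an assumption for convenience; only the two hives the page names are handled, and anything else raises rather than guessing.

```python
# Which sub-key of the sandboxed hive each supported hive is redirected into.
_HIVE_BUCKETS = {
    "HKEY_LOCAL_MACHINE": "machine",
    "HKLM": "machine",                 # abbreviation accepted as an assumption
    "HKEY_CURRENT_USER": "user\\current",
    "HKCU": "user\\current",           # abbreviation accepted as an assumption
}

# Reverse direction, using the full hive names.
_BUCKET_HIVES = (
    ("machine", "HKEY_LOCAL_MACHINE"),
    ("user\\current", "HKEY_CURRENT_USER"),
)


def key_root_path(user, box, key_root_path=None):
    """KeyRootPath if configured, else the documented default HKEY_USERS\\Sandbox_<user>_<box>."""
    return key_root_path or f"HKEY_USERS\\Sandbox_{user}_{box}"


def redirect_key(key, root):
    """Where a sandboxed program's access to `key` actually lands inside the sandboxed hive."""
    hive, _, rest = key.partition("\\")
    bucket = _HIVE_BUCKETS.get(hive.upper())
    if bucket is None:
        raise ValueError(f"no redirection rule given on this page for hive {hive!r}")
    return "\\".join(p for p in (root, bucket, rest) if p)


def original_key(sandboxed_key, root):
    """Inverse mapping: the key a program meant to create, given a key in the sandboxed hive."""
    prefix = root + "\\"
    if not sandboxed_key.lower().startswith(prefix.lower()):
        raise ValueError("key is not inside the sandboxed hive")
    rel = sandboxed_key[len(prefix):]
    for bucket, hive in _BUCKET_HIVES:
        if rel.lower() == bucket or rel.lower().startswith(bucket + "\\"):
            tail = rel[len(bucket):].lstrip("\\")
            return hive + ("\\" + tail if tail else "")
    raise ValueError("unrecognised sub-key of the sandboxed hive")


if __name__ == "__main__":
    # Constructed sample: user joe, sandbox DefaultBox, default Key Root Path.
    root = key_root_path("joe", "DefaultBox")
    for k in ("HKEY_LOCAL_MACHINE\\Software\\NewKey", "HKEY_CURRENT_USER\\Software\\NewKey"):
        print(k, "->", redirect_key(k, root))
```

When triaging a sandboxed run, original_key is useful for separating changes that would have been machine-wide (everything under the sandboxed machine key, i.e. HKEY_LOCAL_MACHINE) from per-user ones (under user\current), which is the distinction that matters most when deciding how serious a blocked modification would have been.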

Inter-Process Objects

These objects are used by programs to share information, synchronize processing, and provide services. These objects are never written to disk and they disappear when the system shuts down.

Sandboxie isolates these objects in order to make it possible to run the same program sandboxed and un-sandboxed side-by-side. It also keeps sandboxed programs from interfering with un-sandboxed ones.

These objects are created in the NT object namespace. Their position and structure within that namespace are as follows.

 . Ipc Root Path
 . . BaseNamedObjects
 . . . Global
 . . . Local
 . . . Session
 . . RPC Control

The IpcRootPath setting specifies a path to the root of a particular sandbox. If omitted, it defaults to \Sandbox\(user name)\(sandbox name)\Session_(session number). For example, if the user joe is running in session zero, and using the sandbox DefaultBox, the default Ipc Root Path is \Sandbox\joe\DefaultBox\Session_0.

Below the Ipc Root Path, there are object directories which comprise the NT namespace, and match the layout of existing object directories outside the sandbox area. The directories are created to be persistent; in other words, they will only disappear at system shutdown.

Objects created by sandboxed programs are created within the sandbox object directories. If the program is running un-sandboxed, it would typically create such objects in the \BaseNamedObjects object directory.

The free utility WinObj by Sysinternals (now a part of Microsoft) can be used to display the NT object namespace.

Sandboxie is Copyright © 2004-2010 by Ronen Tzur.  All rights reserved.