Sandboxie cannot be installed on 64-bit editions of Windows, specifically the 64-bit versions of Windows XP, Windows Server 2003, Windows Vista, and Windows 7. The reasons are described below.
With Windows Vista x64, Microsoft has introduced mandatory code signing for drivers. Since Sandboxie relies on a driver component to ensure software isolation, it cannot be loaded into Windows Vista x64 without compromising the integrity of the system.
Acquiring the code signature is not in itself an insurmountable task. However, the next reason will show why this is pointless at this time.
In 64-bit editions of the Windows platform, Microsoft has extended the core of the operating system, the kernel, in such a way that it routinely performs self-checks to detect any tampering. This enhancement is officially called Kernel Patch Protection and commonly referred to as PatchGuard.
The software isolation provided by Sandboxie is not supported by the Windows kernel, so Sandboxie must make some changes to the kernel to implement the isolation features. This is detected by PatchGuard as tampering, and so the system crashes soon after Sandboxie is installed.
New "PatchGuard APIs" introduced with Windows Vista Service Pack 1 are not an adequate replacement for the lost flexibility in kernel programming. These APIs do not allow Sandboxie to guarantee isolation on 64-bit Windows Vista.
Sandboxie needs to be able to monitor requests issued by a program in the sandbox to communicate with a program or service outside the sandbox, and discard these requests where they are inappropriate. Please see the section below for some examples that show how this relates to Sandboxie.
Windows, 32-bit or 64-bit, offers no official Windows kernel interfaces to monitor such accesses. However, on 32-bit Windows, Sandboxie can dynamically inject itself (in memory, not on disk) into the Windows kernel, and get a foothold in the procedure that connects one program to another. In 64-bit Windows, this injection is considered malicious and causes PatchGuard to crash the system. And yet, there are no official interfaces to supplement the lost flexibility in kernel programming.
Thus in 64-bit Windows, Sandboxie can only "recommend" a program to not go out of the sandbox, but cannot mandate this. A malicious program could easily circumvent Sandboxie by simply ignoring these recommendations. Rather than release a 64-bit version of Sandboxie that can only offer a false sense of security, I have decided to cancel support for 64-bit editions of Sandboxie.
Summary: The 32-bit edition of Sandboxie can both provide and guarantee software isolation. A 64-bit edition can provide, but cannot guarantee, the same isolation. For this reason, a 64-bit edition of Sandboxie is not offered at all.
Here are a few examples why Sandboxie has to be able to prevent programs in the sandbox from making requests to Windows services outside the sandbox.
In all cases, as far as Windows is concerned this is not a vulnerability because the program is merely taking an indirect route (through Terminal Services, for example) to accomplish some operation that it could do directly, like launch a new program.
But where Sandboxie is concerned, a program running under the supervision of Sandboxie is able to send some potentially malicious request to be processed by another program running outside the supervision of Sandboxie.
In effect, a 64-bit version of Sandboxie would be similar to a 32-bit version of Sandboxie with a permanent setting of OpenIpcPath=*. This would be a very big security hole in the concept of Sandboxie, open to exploitation at any time by any malicious program that is aware of Sandboxie.
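The decision described above (monitor each request a sandboxed program makes to reach an object outside the sandbox, and let it through only where the configuration explicitly opens that path) can be illustrated with a small policy filter. The following is an added example written for this page, not Sandboxie's own code: it models the check a kernel hook would apply to an IPC object name, with a default of keeping the request inside the sandbox and a hypothetical `OpenIpcPath`-style allow list that supports `*` wildcards. The object names in the sample request list are constructed, and the function and struct names (`ipc_request_allowed`, `ipc_policy`, `count_allowed_out`) are assumptions. The contrast between the narrow policy and the `*` policy shows why a permanent `OpenIpcPath=*` removes the isolation guarantee entirely.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Wildcard matcher for object names: '*' matches any run of characters
 * (including none); every other character must match exactly. Matching is
 * case-insensitive because Windows object names are case-insensitive. */
static bool wild_match(const char *pattern, const char *name)
{
    if (*pattern == '\0')
        return *name == '\0';
    if (*pattern == '*') {
        while (*pattern == '*')          /* collapse runs of stars */
            pattern++;
        if (*pattern == '\0')
            return true;                 /* trailing '*' matches the rest */
        for (const char *p = name; ; p++) {
            if (wild_match(pattern, p))
                return true;
            if (*p == '\0')
                return false;
        }
    }
    if (*name == '\0')
        return false;
    if (tolower((unsigned char)*pattern) != tolower((unsigned char)*name))
        return false;
    return wild_match(pattern + 1, name + 1);
}

#define MAX_RULES 8

/* Hypothetical policy: the list of object-name patterns that a sandboxed
 * program may reach directly, in the spirit of OpenIpcPath entries. */
struct ipc_policy {
    const char *open[MAX_RULES];
    size_t n_open;
};

/* The check the hook would make for one request. Returns true when the
 * request may leave the sandbox; anything not explicitly opened is kept
 * inside the sandbox (default-deny). */
bool ipc_request_allowed(const struct ipc_policy *pol, const char *path)
{
    for (size_t i = 0; i < pol->n_open; i++)
        if (wild_match(pol->open[i], path))
            return true;
    return false;
}

/* Constructed sample of IPC object names a sandboxed program might try to
 * open; these are illustrative, not captured from a real system. */
static const char *const sample_requests[] = {
    "\\RPC Control\\epmapper",
    "\\BaseNamedObjects\\MyApp_Mutex",
    "\\Sessions\\1\\BaseNamedObjects\\ShellEvent",
};
#define N_SAMPLES (sizeof sample_requests / sizeof sample_requests[0])

/* Number of sample requests the policy lets out of the sandbox. */
size_t count_allowed_out(const struct ipc_policy *pol)
{
    size_t n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (ipc_request_allowed(pol, sample_requests[i]))
            n++;
    return n;
}

/* A narrow policy an administrator might write: one application's objects. */
const struct ipc_policy narrow_policy = { { "\\BaseNamedObjects\\MyApp_*" }, 1 };

/* The equivalent of a permanent OpenIpcPath=*: every request passes. */
const struct ipc_policy open_all_policy = { { "*" }, 1 };

int main(void)
{
    const struct ipc_policy *pols[] = { &narrow_policy, &open_all_policy };
    const char *names[] = { "narrow policy", "OpenIpcPath=*" };
    for (size_t k = 0; k < 2; k++) {
        printf("%s:\n", names[k]);
        for (size_t i = 0; i < N_SAMPLES; i++)
            printf("  %-45s %s\n", sample_requests[i],
                   ipc_request_allowed(pols[k], sample_requests[i])
                       ? "allowed out" : "kept in sandbox");
    }
    return 0;
}
```

With the narrow policy only the `MyApp_*` object is reachable outside the sandbox; with the `*` policy all three requests pass, which is the 64-bit situation the text describes, where the filter can exist but cannot be enforced.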
Note that the PatchGuard used in initial (* see below) versions of Windows x64, specifically Windows XP 64-bit Edition, is less aggressive than the PatchGuard used in Windows Vista x64, and version 3.01 of 64-bit Sandboxie did work in earlier editions of Windows x64.
However, on August 14, 2007, Microsoft issued Windows Update KB932596 for Windows XP 64-bit, which brings the Windows XP PatchGuard up to par with the Windows Vista PatchGuard. Effectively, this Windows Update causes an incompatibility between Sandboxie and Windows XP 64-bit, which manifests as the occasional system crash. To use Sandboxie 3.01 on Windows XP 64-bit, you must first remove Windows Update KB932596. Please note that Sandboxie 3.01 is no longer supported.
By supporting 64-bit Windows, and the arbitrary limitations it places on innovation in computer security, you give up the right to demand a 64-bit edition of Sandboxie. Please do not post complaints to the forum, and do not send private messages or email about it.
Sandboxie is Copyright © 2004-2010 by Ronen Tzur. All rights reserved.