Sandboxie Forum - SandboxDiff - Registry/Files changes (3606)
http://www.sandboxie.com/phpbb/viewtopic.php?t=3606
Mon Mar 05, 2012 7:12 pm

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=77953#77953
Mon Mar 05, 2012 7:12 pm

Quoting Grim:
[quote]( ... ) the program is running a file named wbox.exe which is also the same tool called win spybox created by WT Software ( ... )[/quote]
It is not. Please see SandboxDiff help file [SandboxDiff.chm] to be clarified.

Grim:
http://www.sandboxie.com/phpbb/viewtopic.php?p=77887#77887
Sat Mar 03, 2012 3:10 pm

Is this safe? I'm getting false positives on my end and the program is running a file named wbox.exe which is also the same tool called win spybox created by WT Software, which is a program designed to record keystrokes (keylogger) so I am a bit iffy about how legit this program really is.

guest14789:
http://www.sandboxie.com/phpbb/viewtopic.php?p=75894#75894
Tue Jan 03, 2012 2:27 pm

Quoting Buster:
[quote]
Quoting guest14789:
[quote]::TO THE USER: You need to CUSTOMIZE THE NEXT PATH (inside and between quotes: " ") for your PC, e.g.:
copy "C:\Sandbox\<YourUserName>\DefaultBox\RegHive" hive_1.bak /v /y > NUL
exit[/quote]
Sandbox NOTEPAD.EXE and then right-click Sandboxie Control. Click "DefaultBox > Explore Contents". A Windows Explorer window will be opened in the defaultbox sandbox folder. Copy and paste that path and replace it for "C:\Sandbox\<YourUserName>\DefaultBox". That's all.
[/quote]
thnx man....i did that but as soon as i copy paste that link i get an 'Open With' dialog box. What to do after that??
Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=75885#75885
Tue Jan 03, 2012 8:50 am

Quoting guest14789:
[quote]::TO THE USER: You need to CUSTOMIZE THE NEXT PATH (inside and between quotes: " ") for your PC, e.g.:
copy "C:\Sandbox\<YourUserName>\DefaultBox\RegHive" hive_1.bak /v /y > NUL
exit[/quote]
Sandbox NOTEPAD.EXE and then right-click Sandboxie Control. Click "DefaultBox > Explore Contents". A Windows Explorer window will be opened in the defaultbox sandbox folder. Copy and paste that path and replace it for "C:\Sandbox\<YourUserName>\DefaultBox". That's all.

guest14789:
http://www.sandboxie.com/phpbb/viewtopic.php?p=75881#75881
Tue Jan 03, 2012 5:30 am

I just can't understand the first customising step itself. Can that be explained in simple words plz???????????? Currently I only downloaded the file and have kept it on my desktop. On opening it I see the Userpath.bat.txt file and 2 other files. I opened the .txt file and it gives this message:

::TO THE USER: You need to CUSTOMIZE THE NEXT PATH (inside and between quotes: " ") for your PC, e.g.:
copy "C:\Sandbox\<YourUserName>\DefaultBox\RegHive" hive_1.bak /v /y > NUL
exit

What the hell is this supposed to mean??? I have been searching this for more than an hour and I just can't find any simple instructions.

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=74262#74262
Thu Nov 03, 2011 5:53 pm

@dhorch, firstly try to clean temp files before using "SandboxDiff" again. If the issue resumes please send me by PM a download link with your "RegHive" file (zipped e.g.) to check, if you can do that.
dhorch: Regdump crash; empty
http://www.sandboxie.com/phpbb/viewtopic.php?p=74240#74240
Thu Nov 03, 2011 4:27 am

The programs used in Sandboxdiff have crashed several times today: regdump.exe and regdiff.exe
Comp-Reg.REG.txt is empty

grr:
http://www.sandboxie.com/phpbb/viewtopic.php?p=70656#70656
Tue Aug 02, 2011 3:10 am

I registered to specially say a BIG THANKS to you. :D :D :D :D :D :D :D :D :D :D
It is a great utility...let me spread a word abt it :mrgreen:

majoMo: SandboxDiff updated
http://www.sandboxie.com/phpbb/viewtopic.php?p=62767#62767
Mon Jan 10, 2011 6:36 pm

SandboxDiff updated to version 2.3.
Download in [url=http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711]first post[/url].

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=62450#62450
Fri Dec 31, 2010 7:05 pm

Quoting ieshae2:
[quote]link doesn't work ? please update the link thanks[/quote]
It works for me.

ieshae2:
http://www.sandboxie.com/phpbb/viewtopic.php?p=62438#62438
Fri Dec 31, 2010 11:53 am

link doesn't work ? please update the link thanks

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58410#58410
Thu Sep 16, 2010 12:19 am

Hi, sorry for the annoyance. And thanks for the info!

Scelerisque Pellentesque: Re: SandboxDiff v. 2.2 - Updated
http://www.sandboxie.com/phpbb/viewtopic.php?p=58400#58400
Wed Sep 15, 2010 1:24 pm

Quoting majoMo:
[quote]SandboxDiff updated to version 2.2.
SandboxDiff doesn't need to run in an Administrator account anymore.
Download in [url=http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711]first post[/url].[/quote]
[size=18]The link given to download SandboxDiff V2.2 doesn't work.[/size]
The Message is "[color=red]In order to directly link to files in your online backup account at MyOtherDrive, upgrade to a Pro account[/color]."
Follow link for image http://awesomescreenshot.com/0c21d7546
[size=18][color=darkblue]Thank you the new link works now.[/color][/size]

majoMo: SandboxDiff v. 2.2 - Updated
http://www.sandboxie.com/phpbb/viewtopic.php?p=58252#58252
Fri Sep 10, 2010 3:55 pm

SandboxDiff updated to version 2.2.
SandboxDiff doesn't need to run in an Administrator account anymore.
Download in [url=http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711]first post[/url].

Mark_: Re: Malware?
http://www.sandboxie.com/phpbb/viewtopic.php?p=57297#57297
Sun Aug 15, 2010 2:53 pm

Quoting Petal:
[quote]http://www.virustotal.com/file-scan/report.html?id=cb8b193ae31680f186dfa7833a94310a0b32445f782482af3f299ef19a0523b0-1281881946
Jiangmin 13.0.900 2010.08.15 [color=red]Trojan/Vilsel.lhi[/color]
Kaspersky 7.0.0.125 2010.08.15 -
McAfee 5.400.0.1158 2010.08.15 [color=red]Suspect-D!13C28009A57C[/color]
A trojan "is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems".
Is this really safe? :?: :idea:[/quote]
never scan an archive, scan binary files each on his own.

Petal: Malware?
http://www.sandboxie.com/phpbb/viewtopic.php?p=57296#57296
Sun Aug 15, 2010 2:34 pm

http://www.virustotal.com/file-scan/report.html?id=cb8b193ae31680f186dfa7833a94310a0b32445f782482af3f299ef19a0523b0-1281881946
Jiangmin 13.0.900 2010.08.15 [color=red]Trojan/Vilsel.lhi[/color]
Kaspersky 7.0.0.125 2010.08.15 -
McAfee 5.400.0.1158 2010.08.15 [color=red]Suspect-D!13C28009A57C[/color]
A trojan "is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems".
Is this really safe? :?: :idea:

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=53030#53030
Wed Jun 02, 2010 8:18 pm

Hi Lardu,
Thanks for reporting, that will let us handle this path character issue. It will be fixed in the next 'SandboxDiff' update version. Thanks again!
EDIT: Done.

Lardu:
http://www.sandboxie.com/phpbb/viewtopic.php?p=52700#52700
Tue May 25, 2010 6:45 pm

Hi. Just to let you know if the username of Windows user has NORDIC letters in it, (äöå) (the path in sandbox dir then too..) Your app won't start and gives the error box about it being not able to load the reghive file..

majoMo: SandboxDiff v. 2.0 - Updated
http://www.sandboxie.com/phpbb/viewtopic.php?p=52107#52107
Thu May 13, 2010 2:17 pm

SandboxDiff updated to version 2.0.
Fixed an issue when running the analysis process. Some minor changes.
Download in [url=http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711]first post[/url].

noise:
http://www.sandboxie.com/phpbb/viewtopic.php?p=49183#49183
Thu Mar 11, 2010 2:31 pm

I did not even think of running SandboxDiff as an admin. doh!
I even read on here that you suggested another user run it with admin rights, it should have clicked! I can confirm that it works correctly when you run it as an admin. Here is a snippet of the .REG file:
[code]Windows Registry Editor Version 5.00

[HKEY_USERS\hive\machine\System\CurrentControlSet\Control]
[HKEY_USERS\hive\machine\System\CurrentControlSet\Control\NetworkProvider]
[HKEY_USERS\hive\machine\System\CurrentControlSet\Control\NetworkProvider\HwOrder]
[HKEY_USERS\hive\machine\software\Wow6432Node]
[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft]
[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows]
[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion]
[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall]
[/code]
Thanks
noise

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=49181#49181
Thu Mar 11, 2010 2:00 pm

@noise, thanks for your feedback. :wink:
It seems you are running in a limited user account. Please check if you are in an Administrator account when running SandboxDiff (or you can run it with "Run as Administrator" successfully perhaps).

noise:
http://www.sandboxie.com/phpbb/viewtopic.php?p=49178#49178
Thu Mar 11, 2010 10:21 am

Hi again. I always seem to get the following error message:

---------------------------
RegDiff
---------------------------
File open error:[hive_1.reg.txt]
---------------------------
OK
---------------------------

I run SandboxDiff from outside the Sandbox folder. Before I run SandboxDiff I make sure there is a RegHive file in C:\Sandbox\noise\DefaultBox. I ran the UserPath.bat which successfully copied.
When I close the error box I have the following files:
Comp-Files.html
Comp-Files.txt
Comp-FilesCRC.txt
Comp-Reg.html
Comp-Reg.txt
Thanks
noise

noise:
http://www.sandboxie.com/phpbb/viewtopic.php?p=49177#49177
Thu Mar 11, 2010 7:52 am

I can confirm that the new version is working correctly with Windows 7 x64 Professional. Thanks :)

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=49130#49130
Wed Mar 10, 2010 2:50 pm

@noise,
Thanks for your information. :wink:
Once I can't test it in a x64 OS, can you download and try the newer version? Thanks.
Download Link In: [url=http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711]FIRST POST[/url]

noise: Not for x64
http://www.sandboxie.com/phpbb/viewtopic.php?p=49126#49126
Wed Mar 10, 2010 11:08 am

It appears the program will not run under an x64 operating system :(

---------------------------
Unsupported 16-Bit Application
---------------------------
The program or feature "\??\C:\Users\noise\AppData\Local\REPLACE.EXE" cannot start or run due to incompatibity with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.
---------------------------
OK
---------------------------

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=45219#45219
Mon Dec 14, 2009 12:35 am

Quoting Buster:
[quote]After removing a value key from there in Comp-Reg.html does not appear any reference to it.[/quote]
You are right. When a value key is emptied does not appear any reference to it in "Comp-Reg.html" and "Comp-Reg.txt". SandboxDiff uses 'regdump.exe' by Ladislav Nevery (that did an excellent tool); it has some bugs - e.g. crashes when loading some hive files also.
SandboxDiff allows users to have an accurate result; any 'regdump.exe' bug is surpassed: "Comp-Reg.REG.txt" records all registry changes in .reg format (Windows Registry Editor Version 5.00).
DOWNLOAD LINK IN [url=http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711]FIRST POST[/url]

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=45203#45203
Sun Dec 13, 2009 2:28 pm

Majomo: SandboxDiff and Buster SandBox Analyzer work in a similar way in some aspects: looking for file and registry differences.
Since I released Buster Sandbox Analyzer I knew the registry part was not fully accurate. I thought it was pretty accurate most of the time but after spending some time debugging code and making intensive tests I understood I was wrong.
I know many people use SandboxDiff and I don't pretend to create a polemic reaction, I just pretend to inform: SandboxDiff has the same problems Buster Sandbox Analyzer had and this makes it doesn't show accurate results.
An example will better illustrate the problem. I have mIRC installed and registry settings are under HKEY_CURRENT_USER\Software\mIRC
After removing a value key from there in Comp-Reg.html does not appear any reference to it.
If you need help to reproduce the test let me know.

majoMo: SandboxDiff 1.7 - Updated
http://www.sandboxie.com/phpbb/viewtopic.php?p=42893#42893
Thu Oct 29, 2009 7:48 pm

SandboxDiff 1.7 updated.
Changes:
- Listed modified files - used CRC32 checksum algorithm, simple file verification (SFV). Thanks to Todd, Sandboxie user, for the suggestion.
- SandboxDiff.exe doesn't need to stay in sandbox folder anymore.
The changes made by the application sandboxed are in the files:
- [u]Registry changes[/u]:
Comp-Reg.txt - lists registry changes ([u]values[/u] only) in text format.
Comp-Reg.REG.txt - lists registry changes ([u]keys[/u] and [u]values[/u]) in .reg format (Windows Registry Editor Version 5.00).
Comp-Reg.html - lists [u]all[/u] registry entries ([u]values[/u]) sandboxed in text/html format (and the registry values changes).
- [u]Files changes[/u]:
Comp-Files.txt - lists added/removed [u]files[/u] and [u]folders[/u].
Comp-FilesCRC.txt - lists added/removed [u]files[/u] - and [u]modified files[/u] (used CRC32 checksum algorithm, simple file verification (SFV)).
Comp-Files.html - lists [u]all[/u] files and folders in sandbox folder - and added/removed [u]files[/u] and [u]folders[/u].
Download in: [url=http://www.sandboxie.com/index.php?ContributedUtilities#SandboxDiff]Contributed Utilities[/url] page.

tzuk: SandboxDiff - Registry/Files changes
http://www.sandboxie.com/phpbb/viewtopic.php?p=41763#41763
Sat Oct 03, 2009 7:45 pm

Oopsie. There was a spam/silly post as the first/only post of the last page of the old "SandboxDiff - Registry/Files changes" topic, and I accidentally deleted the entire topic instead of just the one post.
Edit: The original topic is now restored.

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=41541#41541
Sat Sep 26, 2009 11:40 pm

@slatester,
Good to know you didn't lose the registry entries' changes. Glad you found it helpful. :wink:
Regards

slatester:
http://www.sandboxie.com/phpbb/viewtopic.php?p=41287#41287
Tue Sep 22, 2009 4:54 pm

Hi, thanks for this, very helpful. I also get a regdump.exe crash, but like you said the changes are still visible in Comp-Reg.REG.txt.
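
Added example, not part of the thread and not SandboxDiff's own code: a comparison of two .reg exports (the format used by Comp-Reg.REG.txt and by reg.exe export) that reports removed values and keys as well as added and changed ones, the case raised above for Comp-Reg.html. It assumes a removed value is simply absent from the later export; the sample hive text and all function names are constructed for illustration.

```python
"""Diff two registry exports in .reg (Version 5.00) text format."""
import codecs
import re

DEFAULT = "(Default)"  # label chosen here for the unnamed value written as @=
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def decode_reg(raw: bytes) -> str:
    """reg.exe export writes UTF-16 with a BOM; otherwise assume UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def _split_value(line: str):
    """Split '"name"=data' or '@=data' into (name, data); None for other lines."""
    m = VALUE_RE.match(line)
    if not m:
        return None
    name = DEFAULT if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
    return name, m.group(2)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: raw_data}}; a key with no values maps to {}."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is None:
            continue                      # header line before the first key
        elif line.endswith("\\"):         # hex data continues on the next line
            pending = line[:-1]
        else:
            parsed = _split_value(line)
            if parsed:
                keys[current][parsed[0]] = parsed[1]
    return keys


def diff_reg(before: dict, after: dict) -> list:
    """Return (change, key, value_name, old, new) tuples; names compare case-insensitively."""
    def index(snap):
        return {k.casefold(): (k, {n.casefold(): (n, d) for n, d in v.items()})
                for k, v in snap.items()}
    b, a = index(before), index(after)
    changes = []
    for ck in sorted(b.keys() | a.keys()):
        if ck not in a:
            changes.append(("key removed", b[ck][0], None, None, None))
            continue
        key, new_vals = a[ck]
        if ck not in b:
            changes.append(("key added", key, None, None, None))
        old_vals = b[ck][1] if ck in b else {}
        for cn in sorted(old_vals.keys() | new_vals.keys()):
            old, new = old_vals.get(cn), new_vals.get(cn)
            if new is None:               # present before, absent after
                changes.append(("value removed", key, old[0], old[1], None))
            elif old is None:
                changes.append(("value added", key, new[0], None, new[1]))
            elif old[1] != new[1]:
                changes.append(("value changed", key, new[0], old[1], new[1]))
    return changes


# Constructed sample exports (not taken from the thread).
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\hive\machine\software\ExampleApp]
"Nick"="guest"
"Blob"=hex:01,02,03,\
  04,05

[HKEY_USERS\hive\machine\software\ExampleApp\Old]
@="legacy"
'''

AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\hive\machine\software\ExampleApp]
"Blob"=hex:01,02,03,\
  04,06

[HKEY_USERS\hive\machine\software\ExampleApp\Run]
"Start \"now\""="1"
'''

if __name__ == "__main__":
    for change in diff_reg(parse_reg(BEFORE_REG), parse_reg(AFTER_REG)):
        print(change)
```

For exports on disk, read the file as bytes and pass it through decode_reg() before parse_reg().
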
majoMo: Re: File Comparison: More than Filename/Presence of File?
http://www.sandboxie.com/phpbb/viewtopic.php?p=39650#39650
Sat Aug 15, 2009 2:05 pm

Quoting Todd:
[quote]Does SandboxDiff check any other file attributes?[/quote]
No, it doesn't do that. I'll check if it's easy to do something like that.
I appreciated your feedback and your question/suggestion. Thanks.

Todd: File Comparison: More than Filename/Presence of File?
http://www.sandboxie.com/phpbb/viewtopic.php?p=39592#39592
Thu Aug 13, 2009 4:49 am

Much thanks for this SBie add-on; works great!
Regarding the file comparison, does SandboxDiff compare any more than the filename--or simply the presence of the file(s)--in the sandbox? For example, if a file already present in the sandbox was updated (but filename remained the same) during a sandboxed program session, would SandboxDiff detect the difference and highlight it green in the results? Or would the before and after entries remain un-highlighted?
The reason I ask is after testing it on a program installation, I thought it would be interesting to test it on a subsequent update to that program (weeks later). Prior to the update test, I ran a sandboxed session of the program to pre-populate the sandbox with files already installed and used by the program (so those that didn't change after the update wouldn't show up highlighted green in the results [they would if they weren't in the sandbox already]). I then started SandboxDiff, started the sandboxed program, then updated it in the sandbox. SandboxDiff worked just fine. But what I'm not sure is whether one or more files that were updated (but no change to filename) were recognized by SandboxDiff as having changed. Does SandboxDiff check any other file attributes?
One way to be sure would be to compare a before and after hash (such as SHA1) of the files, but not sure how that would impact comparison speed (runs pretty zippy on my XP SP3 quad-core CPU).
Thanks!

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=38992#38992
Fri Jul 24, 2009 8:03 pm

[quote]1. Right-click the program and select 'Run as...'. Specify a non-limited account.
2. As a workaround, you can use an Administrator account to run the program by performing the following steps:
Right-click the program shortcut, then select Properties.
From the Shortcut tab, click Advanced.
Select the "Run with different credentials" check box, as this figure shows, then click OK.
Click OK to close the Properties dialog box.
Now, when you execute the program shortcut, XP will prompt you to enter the user context in which you want to run the program. Select "The following user" and specify a non-limited account.[/quote]
Hope this helps. :wink:

http://www.sandboxie.com/phpbb/viewtopic.php?p=38977#38977
Fri Jul 24, 2009 5:16 am

My account is a limited user account. I guess it's the cause of the problem.
1. It cannot run even though the account has "read" and "read and run" rights on reg.exe
The message complains:
Error: The client has no special rights to run it
System couldn't find specific registry key
Error: The client has no special rights to run it
2. I copied the reg.exe using the admin account. I added my account into the group. Set "read" and "read and run" rights.
Same error message: file open error:[hive_1.reg.txt]
What should I configure to allow a limited user account to run it successfully?

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=38926#38926
Wed Jul 22, 2009 1:02 pm

Yes it should work.
BTW is your Windows folder path in another drive, other than C?
1. Can you try this?: to do the bat file e.g. 'name.bat' in your text editor with:
[code]@echo off
reg.exe load HKU\hive hive_1.bak
reg.exe export HKU\hive hive_1.reg.txt
reg.exe unload HKU\hive
pause[/code]
Run it; some warnings? did it create a 'hive_1.reg.txt' file?
2. Copy 'reg.exe' to where 'SandboxDiff.exe' is. Run 'SandboxDiff.exe'. Same message yet?

http://www.sandboxie.com/phpbb/viewtopic.php?p=38922#38922
Wed Jul 22, 2009 4:44 am

Quoting majoMo:
[quote]Humm. What is your OS? Do you have a 'reg.exe' file in 'WINDOWS\system32' folder?[/quote]
Windows XP
Yes
Did you hardcode the default path of Windows? In other words does it still work if people install Windows in other drives (drive letter other than C)?

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=38916#38916
Tue Jul 21, 2009 3:40 pm

Humm. What is your OS? Do you have a 'reg.exe' file in 'WINDOWS\system32' folder?

http://www.sandboxie.com/phpbb/viewtopic.php?p=38907#38907
Tue Jul 21, 2009 9:04 am

Thanks for the update. It fixed the msgwait.exe problem.
I have configured the path:
copy "C:\Sandbox\Superman\DefaultBox\RegHive" hive_1.bak /v /y > NUL
Every time I run the sandboxdiff I encounter this error message:
[code]file open error:[hive_1.reg.txt][/code]
What is this? What could cause such a problem?

majoMo: SandboxDiff updated
http://www.sandboxie.com/phpbb/viewtopic.php?p=38897#38897
Mon Jul 20, 2009 2:52 pm

SandboxDiff updated.
Changes:
- Fixed: an issue when the RegHive file size is bigger than 6 MB.
- Added: when RegHive file can't be loaded for some reason, the user is advised - and SandboxDiff closed.
- Fixed: get around the 'msgwait.exe' file crash issue in some users' systems.
Download in: [url=http://www.sandboxie.com/index.php?ContributedUtilities#SandboxDiff]Contributed Utilities page[/url].

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=38892#38892
Mon Jul 20, 2009 2:00 pm

Quoting Anonymous:
[quote]So is there any fix? msgwait.exe keeps crashing when sandboxdiff is running. I need this tool very much. Any alternatives?[/quote]
Please wait a little bit, if you can... :wink:

http://www.sandboxie.com/phpbb/viewtopic.php?p=38888#38888
Mon Jul 20, 2009 4:38 am

So is there any fix? msgwait.exe keeps crashing when sandboxdiff is running. I need this tool very much. Any alternatives?

Guest10:
http://www.sandboxie.com/phpbb/viewtopic.php?p=38868#38868
Sat Jul 18, 2009 10:16 pm

Quoting wraithdu:
[quote]... and what version do you all have installed?[/quote]
msvcp60.dll is apparently a part of the C++ Run-time package. Mine is: Microsoft (R) C++ Runtime Library, V 6.2.3104.0, Date Modified 4/13/2008.

wraithdu:
http://www.sandboxie.com/phpbb/viewtopic.php?p=38866#38866
Sat Jul 18, 2009 5:39 pm

Sounds like a C++ runtime problem maybe? What version of the runtime was the app compiled against, and what version do you all have installed?

Guest10:
http://www.sandboxie.com/phpbb/viewtopic.php?p=38865#38865
Sat Jul 18, 2009 3:26 pm

Same msgwait.exe crash here. Not encountered with an older version of SandboxDiff.
Found this during Google search, so I assume that SandboxDiff is creating the msgwait.exe process: http://www.threatexpert.com/report.aspx?md5=077a9baf847b97696c9f82b2263cd4e0

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=38862#38862
Sat Jul 18, 2009 2:50 pm

Something not easy to clarify. It seems that a google search for GRABMI_FILTER_PRIVACY produces tons of results. And isn't related to the app. itself like [url=http://www.smartftp.com/forums/index.php?/topic/11657-loading-problems/]here[/url].

http://www.sandboxie.com/phpbb/viewtopic.php?p=38834#38834
Fri Jul 17, 2009 7:39 am

I put both SandboxDiff.exe and UserPath.bat to the main root of sandbox folder. I configured the path inside the UserPath.bat. I double clicked on SandboxDiff.exe to start, running normally not being sandboxed! I saw a dialog and clicked ok. msgwait.exe crashed and reported the following error:
AppName: msgwait.exe
AppVer: 0.0.0.0
ModName: crtdll.dll
ModVer: 4.0.1183.1
Offset: 000115ce
The error report file: http://rapidshare.com/files/256737870/d098_appcompat.txt.html
What's up?

http://www.sandboxie.com/phpbb/viewtopic.php?p=37360#37360
Thu May 28, 2009 2:43 am

Thanks so much for sharing your work and not getting mad at me, this functions very well and is so useful. I do think that the instructions could be written a little bit more clear for dumber users like me, that an initial RegHive must be created first, through, for example, the 'notepad sandbox'. so now how will we save the world economy next?

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=37352#37352
Wed May 27, 2009 7:57 pm

Quoting gyp:
[quote]I found the ***. The file name of my original UserPath.bat file had a SPACE before the U, at the beginning of the filename. lol[/quote]
Good to see you found the annoyance. Because I couldn't find it never... :roll:
Thanks for your time also and feedback. I appreciated that. :wink:

gyp:
http://www.sandboxie.com/phpbb/viewtopic.php?p=37302#37302
Wed May 27, 2009 2:29 am

I found the ***. The file name of my original UserPath.bat file had a SPACE before the U, at the beginning of the filename. lol so sorry :) I will learn to work this *#! netbook touchpad!

gyp:
http://www.sandboxie.com/phpbb/viewtopic.php?p=37301#37301
Wed May 27, 2009 1:43 am

Well like checking an alarm clock you set and already double checked 5 times, I made a new UserPath.bat and it is working now. Scratching my head, then I binary compared this new userpath.bat to the old one I deleted and they are binary = . ??? no clue what, maybe permissions or something??? Anyway, working good! Sorry to have wasted so much time.

gyp:
http://www.sandboxie.com/phpbb/viewtopic.php?p=37299#37299
Wed May 27, 2009 12:58 am

Still Reg_before gives
hive path err
and Comp-Reg
1d0
< hive path err
\ No newline at end of file
Additionally, although these do exist, filemon reports:
SandboxDiff.exe:3252 DIRECTORY C:\SANDBOX\ NO MORE FILES FileNamesInformation
nircmd.exe:548 QUERY INFORMATION C:\Sandbox\UserPath.bat NOT FOUND Attributes: Error

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=37292#37292
Tue May 26, 2009 8:46 pm

Please try to follow the sequence (notes in red):
- The "UserPath.bat" file (don't forget to rename "UserPath.bat.txt" to "UserPath.bat") needs to be in same folder that "SandboxDiff.exe". With your customized path:
copy "C:\Sandbox\DefaultBox\RegHive" hive_1.bak /v /y > NUL
1. Sandbox "delete contents"
[color=red]--> When you do this you remove "RegHive" file also! ("C:\Sandbox\DefaultBox\RegHive") - Please add step 1A- and 1B
1A- Run Notepad.exe sandboxed. Close it after - so none app. is running sandboxed now. (this allows to create a "RegHive").
1B- Check if a "RegHive" is in "C:\Sandbox\DefaultBox". It should be.[/color]
2. SandboxDiff.exe (re-read instructions see if i'm missing something)
3. Press OK
(3.a.) Maybe look at Reg_before and see hive path err, continue anyway
4. [color=darkred]Pick an app, right click, "run sandboxed"[/color]
[color=red]--> Don't do this step. For now [u]don't run[/u] any app. sandboxed.[/color]
5. Right click Sandboxie Control, pick "Terminate all programs"
6. SandboxDiff press "OK"
Please post the text that it is in "[u]Comp-Reg.txt[/u]" file.
Obs.: When you want work with SandboxDiff, you don't need to "delete contents". But if you do that you need to do a dummy action before (e.g. open/close Notepad), to create the "RegHive" file.

gyp:
http://www.sandboxie.com/phpbb/viewtopic.php?p=37291#37291
Tue May 26, 2009 7:03 pm

Well I have tried many different orders of operations now, including messing with the path declaration, but no avail.
My user path
C:\Sandbox\DefaultBox
My userpath line
copy "C:\Sandbox\DefaultBox\RegHive" hive_1.bak /v /y > NUL
1. Sandbox "delete contents"
2. SandboxDiff.exe (re-read instructions see if i'm missing something)
3. Press OK
(3.a.) Maybe look at Reg_before and see hive path err, continue anyway
4. Pick an app, right click, "run sandboxed"
5. Right click Sandboxie Control, pick "Terminate all programs"
6. SandboxDiff press "OK"
1d0
< hive path err
\ No newline at end of file
Same results if a RegHive exists or folder is empty.
But also like I said my hive file key starts with Sandbox_Username_DefaultBox even though I have not set it to use a username
My Sandboxie config is
%SystemDrive%\Sandbox\%SANDBOX%
I do not see a regdump.exe anywhere on my system. I have an nlited XP install.
Thank you so much if you can explain

majoMo:
http://www.sandboxie.com/phpbb/viewtopic.php?p=37251#37251
Tue May 26, 2009 2:45 am

Quoting Anonymous:
[quote]but Reg_before also declares hive path err.[/quote]
When you have "hive path err" SandboxDiff was unable to load "RegHive" file for some reason. BTW, do you have "UserPath.bat" customized?
Quoting Anonymous:
[quote]Anyway, if I run sandboxdiff before, during, or after a sandboxed app, it is not finding any reghive file which is at C:\Sandbox\DefaultBox[/quote]
Can you describe in detail the steps that you do when install an app. sandboxed with SandboxDiff? I think that can allow a clarification.
Quoting Anonymous:
[quote]I was able to see when the hive.bak files were being created I could peek in one that said HKEY_USERS hive or something...my reghive created when looked at in wrr starts with \Sandbox_<MyUserName_DefaultBox.[/quote]
No annoyance here. I can explain better further along (it's a form issue not a content question). :wink:
BTW, WRR shows the registry status; SandboxDiff performs the registry changes between two status.

http://www.sandboxie.com/phpbb/viewtopic.php?p=37245#37245
Mon May 25, 2009 10:01 pm

I really don't know what I'm talking about here but I was able to see when the hive.bak files were being created I could peek in one that said HKEY_USERS hive or something...my reghive created when looked at in wrr starts with \Sandbox_<MyUserName_DefaultBox.
Anyway, if I run sandboxdiff before, during, or after a sandboxed app, it is not finding any reghive file which is at C:\Sandbox\DefaultBox

http://www.sandboxie.com/phpbb/viewtopic.php?p=37243#37243
Mon May 25, 2009 9:47 pm

Neither of those cases are true. It is reproducible. I looked, on initiation of sandboxdiff.exe Files_before reads everything in my c:\sandbox dir, but Reg_before also declares hive path err.

majoMo: Re: comp-reg error
http://www.sandboxie.com/phpbb/viewtopic.php?p=37236#37236
Mon May 25, 2009 7:27 pm

Quoting gyp:
[quote]In comp-reg.txt I am getting
1d0
< hive path err
\ No newline at end of file
Otherwise seems to be functioning very easy[/quote]
"hive path err" is related to "RegHive" file that wasn't able to be loaded by SandboxDiff. There are several reasons for, that you can check:
. When starting the sandbox folder is empty; so "RegHive" file didn't exist to be analyzed. You need to do a dummy action to create it: e.g. open Notepad.exe sandboxed and close it. Start SandboxDiff after.
. "RegHive" file was in use perhaps. You need to terminate all app. that are sandboxed firstly (when is asked by SandboxDiff).

gyp:
http://www.sandboxie.com/phpbb/viewtopic.php?p=37197#37197
Sun May 24, 2009 3:44 am

I am pretty sure I am using Sandboxie portable. I say 'pretty sure' because it works as well as installed. But on my old pc I had a folder of my username under c:\sandbox and I think with portable I only have a DefaultBox folder there.

gyp: comp-reg error http://www.sandboxie.com/phpbb/viewtopic.php?p=37196#37196 Sun May 24, 2009 3:34 am

In comp-reg.txt I am getting
1d0
< hive path err
\ No newline at end of file
Otherwise seems to be functioning very easy

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=35963#35963 Sat Apr 25, 2009 1:05 pm

SandboxDiff updated.
Changes:
- Analyzing/Comparing process far faster now.
Download in: Contributed Utilities page (http://www.sandboxie.com/index.php?ContributedUtilities#SandboxDiff).

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=35785#35785 Wed Apr 22, 2009 6:41 pm

Hi t-max, thanks for your reporting. I was able to reproduce that error with same app. In fact the file "regdump.exe", used by SandboxDiff, crashed when loading the hive file; there is a bug in that executable indeed (it's an unusual bug with it). It seems that when loading some hive files "regdump.exe" crashes.

Consequences? The registry changes in "Comp-Reg.txt" file aren't complete; it records the changes until the crash time.

Tip: when "regdump.exe" crashes the reliable and accurate registry changes are in the file "Comp-Reg.REG.txt" (in .reg format).

In the next release I'll reinforce SandboxDiff to check the reliableness in "Comp-Reg.REG.txt" record. At least we can have one trusty registry changes file if a crash occurs in that file.

t-max: regdump.exe error http://www.sandboxie.com/phpbb/viewtopic.php?p=35517#35517 Fri Apr 17, 2009 2:24 pm

Hi, I get an error with regdump.exe, after making an installation of MS Office 2003. Does anybody know what can be causing it?

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=33663#33663 Sun Mar 01, 2009 11:59 pm

The files used by SandboxDiff in that folder (temporarily) are listed in help file.

MrZ: How do I safely uninstall this? http://www.sandboxie.com/phpbb/viewtopic.php?p=33615#33615 Fri Feb 27, 2009 9:02 pm

The program after install in Vista seems to put files in different places, for example I found "wait.exe" and "regdiff.exe" in my c:\users\myname\appdata\local folder. Later they disappeared from that folder! I know they were there at one time, then they disappeared. Can you explain where these various executables are? Where else would your program put them?

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=32856#32856 Mon Feb 09, 2009 7:39 pm

@tzuk, to host in that server it's well. When any update comes out I'll inform you firstly. Regards.

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=32601#32601 Thu Feb 05, 2009 2:00 pm

My pleasure. Let me know if you don't want me to host the file on this server. Or if you're ok with it, let me know when I should update the copy that I host here. http://www.sandboxie.com/index.php?ContributedUtilities

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=32577#32577 Thu Feb 05, 2009 3:23 am

@tzuk, very interesting the "Contributed Utilities page". It seems useful for Sandboxie users really. Like requested, the answer is affirmative: I want. Thanks for your kindly information.

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=32429#32429 Mon Feb 02, 2009 10:40 pm

majoMo, I can add this utility here if you want: http://www.sandboxie.com/index.php?ContributedUtilities

raid: http://www.sandboxie.com/phpbb/viewtopic.php?p=32339#32339 Sun Feb 01, 2009 4:28 am

Thanks for the update regarding this program. Another program I've found useful is the Mitec Windows Registry Recovery Tool. You can mount the reghive after you run your sandboxed application and see exactly what it's added to the "registry" as far as it knows. :) So if it's added policies, you will know. Any entries in the sandboxed registry can be viewed with ease using this tool. http://www.mitec.cz/wrr.html

~tmp: http://www.sandboxie.com/phpbb/viewtopic.php?p=32174#32174 Tue Jan 27, 2009 1:21 pm

Some antivirs don't like the techniques you use in the subj. Comodo, NOD32, AViRA... say something like: TrojWare.Win32.Qhost.~AR@1639959 and possible dangerous packer-cruncher blah-blah-blah. Take it easy, even Kaspersky says SBie is a really very dangerous thing too. Just make a note saying the program analyzes both real and virtual registry plus both real and virtual filesystem then compares the results. It is intended for this.

MFS: http://www.sandboxie.com/phpbb/viewtopic.php?p=31964#31964 Sun Jan 25, 2009 1:18 am

Thank you. I'll test it. :D

majoMo: SandboxDiff Updated http://www.sandboxie.com/phpbb/viewtopic.php?p=31904#31904 Fri Jan 23, 2009 6:43 pm

SandboxDiff updated.
Changes:
- Added Registry changes in .reg format (Windows Registry Editor Version 5.00)
Thus the Registry and Files changes are available in text, .reg (registry) and .html (here you can see all files and registry entries created by sandbox process).
* Download and info in first post (http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711). *

Shield: http://www.sandboxie.com/phpbb/viewtopic.php?p=29451#29451 Sat Dec 13, 2008 1:43 am

Thanks majoMo, this will be quite handy! Happy holidays!

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=29429#29429 Fri Dec 12, 2008 6:27 pm

Glad to know it's useful to you. :wink: I'm testing registry changes in .reg format to add in next update. Merry Christmas.

MFS: afin http://www.sandboxie.com/phpbb/viewtopic.php?p=29174#29174 Sat Dec 06, 2008 10:28 pm

Thanks for your utility that is a great help :D Do you keep working on it in order to improve it? Best regards

Grumpus: http://www.sandboxie.com/phpbb/viewtopic.php?p=28336#28336 Wed Nov 12, 2008 4:33 pm

I apologise if I'm doing something very obviously wrong here, but I simply do not seem able to run *anything* from C:\sandbox. Cannot open a txt file from there with a double click, can't run an exe without getting the message 'Windows cannot access the specified path, device or file. You may not have the appropriate permissions to access the item'. I'm logged in as administrator, and can obviously run programs and files from any other location on my computer. This problem happens when I have Sandboxie both running and not running. Is there some kind of protection option that I need to turn off?
Thanks in advance to whoever is able to point out just where in this process I am being a dolt ;)

majoMo: Re: RegDiff not working http://www.sandboxie.com/phpbb/viewtopic.php?p=28281#28281 Sun Nov 09, 2008 11:04 pm

@Casey,

Like you noticed it's needed that preexist a reghive file before SandboxDiff start their analyze. Your suggestion is advised: to do "a sort of dummy action" when sandbox folder is empty: e.g. to open/close any .txt file sandboxed is enough. It will be included in helpfile. I'll see if to test the dummy action is easy to do... :roll: I don't know yet.

Until now I didn't see any "strange results" in "Comp-" files. It had been accurate in my tests; if for some reason you did a sandboxed analyze action, something like 'virtual' files are recorded... I don't know if it was this kind of annoyance...

And yes: "SandboxDiff.exe" is a compiled .bat file: run it sandboxed in "C:\Sandbox" is enough (with "UserPath.bat" customized).

In next update SandboxDiff will support reg-compare; yes, all reg-changes are recorded from Sandboxie process.

BTW: Your "Dummy.bat" was executed sandboxed in fact: when reghive is created the file was opened sandboxed (even without "# title"). You can test their windows status in Sandboxie Control Panel: File > Is Windows Sandboxed? (put a "pause" command in your .bat can help).

Quoting Casey44:
> In Step 3 of RegDiff.exe I get error notice "Can not find ..\hive_1.bak" Edit: No now it's OK again. Seems to happen 1 in ... times.

I think you got this error because you didn't terminate all programs sandboxed (after install) - inadvertent. It's when I get that error.

Thanks.

Casey44: RegDiff not working http://www.sandboxie.com/phpbb/viewtopic.php?p=28210#28210 Fri Nov 07, 2008 12:49 pm

majoMo

In Step 3 of RegDiff.exe I get error notice "Can not find ..\hive_1.bak"
Looking in the map (Explorer, F5-ing) I see hive_1.bak present, but disappearing when Step 3 starts. Being deleted an instruction step too soon??

Casey

Edit: No now it's OK again. Seems to happen 1 in ... times. Maybe a delay before the delete. Is possible (exec queues) the step before delete is not finished when delete is done?

Casey44: http://www.sandboxie.com/phpbb/viewtopic.php?p=28088#28088 Tue Nov 04, 2008 1:55 pm

Quoting majoMo:
> SandboxDiff updated. Download and additional info in first post (http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711). P.S.: Thanks again Casey44 and George for your useful information and feedback.

majoMo you beat me to it :wink:

I played around with your former .BAT file. Found following important(?):
1. Comp-Reg.html must be placed outside/higher than Defaultbox area. Otherwise I can't open it.
2. If no sandboxed activity has taken place beforehand, there is no RegHive file! So copying to hive_1.bak fails!

Following I did: Placed your files in separate folder C:\SandboxDif
I adapted the BAT with a
SET BoxPath=C:\Sandbox\<user>\Defaultbox
SET DiffPath=C:\SandboxDif
and used %BoxPath% and %DiffPath% everywhere in the BAT. Seemed to work ok. Guess that is about what you did now. Have to check the new EXE out further.

Problem 2. still stands. With your new SandboxDiff.exe I get "hive path err" as content of the file Reg_Before.txt. Your helpfile could suggest a sort of dummy action in the sandbox to create the first Reghive file... Or better maybe your pgm could test for the situation, and execute that dummy action?
I made a "Dummy.bat" (echo Hello World; exit). Doing R-mouse | Run sandboxed runs it UN-Sandboxed (No # in title. Help! Tzuk?) but DOES create a first RegHive file.

So far my observations. I must say I do have some problems interpreting the "Comp-" files. I see (first glance only) some strange results. Must be the DIFF and DIFF1 progs. Is your SandboxDiff.exe a (sort of) compiled BAT file? With the same DIFF progs as before? Maybe they need some looking in to.

Thanks so far, great work :D :D :D I'd LOVE to have a good reg-compare for installs! BTW: Are ALL regchanges recorded?

Casey

wraithdu: http://www.sandboxie.com/phpbb/viewtopic.php?p=27897#27897 Tue Oct 28, 2008 1:19 pm

Huh, nevermind I guess. Works fine today. But yes, I meant only in C:\Sandbox. Launching from subfolders was fine. But yeah, today it all works ok. Not sure what changed, oh well.

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=27889#27889 Mon Oct 27, 2008 11:50 pm

wraithdu, tested under Win XP. I can't run anything from "C:\Sandbox\<UserName>\DefaultBox\". I can run normally from "C:\Sandbox\" and "C:\Sandbox\<UserName>\". 'SandboxDiff.exe' (with the customized 'UserPath.bat') is capable of being executed normally inside "C:\Sandbox\".

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=27877#27877 Mon Oct 27, 2008 4:07 pm

wraithdu, do you mean just C:\Sandbox, or do you mean C:\Sandbox and anything below it?

wraithdu: http://www.sandboxie.com/phpbb/viewtopic.php?p=27869#27869 Mon Oct 27, 2008 1:37 pm

I'm curious if you tested this. On my system, Vista SP1 32-bit, I cannot run anything from C:\Sandbox. I cannot even open a text file. SB has this folder under some sort of protection.

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=27852#27852 Mon Oct 27, 2008 12:46 am

SandboxDiff updated. Download and additional info in first post (http://sandboxie.com/phpbb/viewtopic.php?p=23711#23711).

P.S.: Thanks again Casey44 and George for your useful information and feedback.

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=27793#27793 Fri Oct 24, 2008 12:42 am

George, thanks a lot for the info. It will be updated as soon as possible. The wraithdu solution is interesting.

wraithdu: http://www.sandboxie.com/phpbb/viewtopic.php?p=27762#27762 Thu Oct 23, 2008 1:24 pm

Easy solution.
Copy the files to their locations as instructed.
Now start a cmd prompt via Start -> Run... -> cmd.exe
'cd' to your sandbox directory, ie 'cd C:\Sandbox\DefaultBox'
Now type SandboxDiff.bat
You can thank me later ;)

George: http://www.sandboxie.com/phpbb/viewtopic.php?p=27756#27756 Thu Oct 23, 2008 8:24 am

> Version 3.30
> Released on 2 September 2008.
> These are the changes to Sandboxie since version 3.28.
> * New features:
> * Forced Folders protection extended to apply to documents as well as programs.
> ...

That probably explains it.

George: http://www.sandboxie.com/phpbb/viewtopic.php?p=27755#27755 Thu Oct 23, 2008 8:19 am

I did exactly as you said, yet it still runs in sandbox mode. Try using this with the latest version of sandboxie. I have the exact same error as casey too.
Thanks

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=27751#27751 Thu Oct 23, 2008 3:59 am

Quoting SnDPhoenix:
> Err, if I am not mistaken, isn't only exe files forced sandboxed if they reside in the sandbox folder, I don't think the same rules apply to .bat files in the sandbox, could be wrong...?

Exactly like that, SnDPhoenix. If a .bat file is opened in that folder it isn't sandboxed (like a .txt file e.g. also). This is the reason why "SandboxDiff" is a .bat file now - if it was a .exe file the output won't be accurate and effective.

Quoting Casey44:
> Whatever I try, I get it in a Sandbox-window, with the [#] markings.

Casey44, if you open "SandboxDiff.bat" (double click e.g.) in your "G:\Sandbox\Kees\DefaultBox\" the SandboxDiff.bat window (cmd) runs not sandboxed (like if you open there a .txt file; try it also).

Quoting Casey44:
> Maybe because of that (?), I get the errormessage: The system can not find the specified path. Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.

Quoting George:
> I'm having the same problem as casey. Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\.

Casey and George,

1. SandboxDiff.bat must be executed in that folder (with the other files that are in the "SandboxDiff.rar"). If not the output won't be accurate anymore.

2. Why the annoyance "Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak" about? If you run "SandboxDiff.bat" inside \DefaultBox\ you need to confirm that 1) you have there the RegHive file; 2) you need to TERMINATE ALL PROGRAMS sandboxed when requested by SandboxDiff windows. Without this SandboxDiff can't do their work, because it can't analyze (if you don't terminate the programs the crucial RegHive file is locked: can't be analyzed).

Hoping for help to clarify the question. Your feedback is much appreciated. Thanks.
BTW, it will be available in the next SandboxDiff update the registry changes in .REG format (Windows Registry Editor Version 5.00).

SnDPhoenix: http://www.sandboxie.com/phpbb/viewtopic.php?p=27718#27718 Wed Oct 22, 2008 3:47 pm

Quoting George:
> Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly.

Err, if I am not mistaken, isn't only exe files forced sandboxed if they reside in the sandbox folder, I don't think the same rules apply to .bat files in the sandbox, could be wrong...?

George: http://www.sandboxie.com/phpbb/viewtopic.php?p=27708#27708 Wed Oct 22, 2008 5:13 am

Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\. HOWEVER, running ANYTHING inside \DefaultBox\ will run it in sandbox mode. Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly. Maybe this can be fixed by re-designing the batch file to be run at C:\ instead.

George: Same Problem http://www.sandboxie.com/phpbb/viewtopic.php?p=27707#27707 Wed Oct 22, 2008 5:05 am

I'm having the same problem as casey. Thanks for your help!

Casey44: http://www.sandboxie.com/phpbb/viewtopic.php?p=27704#27704 Wed Oct 22, 2008 12:39 am

majoMo,

Seems like a great addition! I tried it out, but ran into a problem :oops:

UnRARred files in ...\Defaultbox. But HOW do I start "SandboxDiff.bat" not-sandboxed? As instructed. Whatever I try, I get it in a Sandbox-window, with the [#] markings. Maybe because of that (?), I get the errormessage:

[...]
- Analyzing Registry and Files . . . Please wait . . . (DON'T CLOSE THE WINDOW)
Het systeem kan het opgegeven pad niet vinden.
Kan G:\Sandbox\Kees\DefaultBox\hive_2.bak niet vinden

translated from dutch:
The system can not find the specified path.
Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.

Please help me on,
Casey

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=27165#27165 Sat Oct 04, 2008 11:14 pm

SandboxDiff updated.
Changes:
- "SandboxDiff.rar" must be extracted to Sandbox folder where the "RegHive" file is.
- Now runs as .bat: "SandboxDiff.bat" - not sandboxed.
- While Sandboxie has applications running "RegHive" file can't be analyzed. It's why is needed "terminate all programs that are Sandboxed". SandboxDiff tells you when such action must be done.
- Changes (in Registry and Files) are saved in .txt and .html format. Output is accurate.
- The analyze process is now noticeably faster.
Download and info in first post.

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=27062#27062 Thu Oct 02, 2008 4:06 pm

Some AV look SandboxDiff like trojan. SnDPhoenix describes a reason; UPX compression is disliked for other AV also. SandboxDiff hasn't any harmful activity. It's a false positive.

SandboxDiff will be updated as soon as possible. In fact there are some annoyances that need to be corrected. An accurate rendering is crucial. Changes in hive file will be effective; files changes will not log "virtual" files anymore. The .exe file will be replaced by a .bat file.

SnDPhoenix: http://www.sandboxie.com/phpbb/viewtopic.php?p=27048#27048 Thu Oct 02, 2008 2:55 am

Well you're in luck, I looked in my download folder and I still have SandboxDiff archive on my HDD, so I just uploaded it to my premium zone in Rapidshare (faster and reliable since you know Rapidshare will still be there tomorrow) so here you go.

http://rapidshare.com/files/150141933/SandboxDiff.rar

Btw, just as Guest10 mentioned above, yes this file does seem to be tagged as infected with some kind of trojan, but I think it might be a false positive.
I think the reason it says there is a trojan, is because the executable file actually has a couple other exe files embedded inside, so the A/Vs might be mistaking that packing technique as the file being a virus (since many viruses bind/pack many exe files together...). Either way, I'd still say you're safe though since the tool is meant to be run sandboxed, so even if it is infected, it is sandboxed! :P

SandboxDiff: http://www.sandboxie.com/phpbb/viewtopic.php?p=27043#27043 Thu Oct 02, 2008 1:11 am

Can we get a repost of this? It would be very useful. Thanks!

Guest10: http://www.sandboxie.com/phpbb/viewtopic.php?p=26530#26530 Sat Sep 13, 2008 7:31 pm

@majoMo: The most recent data files for Norton A/V 2008 have apparently decided that SandboxDiff2.exe contains a Trojan Horse, and automatically deleted it from the Windows Explorer window, when I opened the folder containing that file. I've submitted the file to Symantec, since I'm sure that it's a false positive. Just thought I'd let you know. You may have others report this too.

GreyWolf: http://www.sandboxie.com/phpbb/viewtopic.php?p=24180#24180 Mon Jul 14, 2008 11:07 pm

Very Nice Program... and considering working via a dos interface for most commands definitely the best way to go without influencing the output. Great Job.

GreyWolf

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=23741#23741 Tue Jul 08, 2008 12:00 am

Quoting MitchE323:
> Just one question, what is the difference between SandboxDiff.exe & SandboxDiff2.exe (which also comes in the download)?

The difference between them is the registry changes view. That is to say the files "comp-hklm.txt" and "comp-hkcu.txt" in "SandboxDiff2.exe" isn't like with "SandboxDiff.exe".
The output is different - but interesting the shape. The comparing process is a bit more delayed also. The user can use each other - a user choice...

I am glad to know it's useful for someone else than me. :D

Quoting Oneder:
> Getting a blank page here when trying to get the download atm.

You can try to copy the link in your browser's address bar and click enter. Perhaps this helps:
http://www.adrive.com/public/93645a7b597c8dbe3df59ebabacb47d3e0280a8972de7a98c739b014df4aa1b0.html
OR
http://www.adrive.com/public/view/93645a7b597c8dbe3df59ebabacb47d3e0280a8972de7a98c739b014df4aa1b0.html

Oneder: http://www.sandboxie.com/phpbb/viewtopic.php?p=23718#23718 Mon Jul 07, 2008 1:43 am

Getting a blank page here when trying to get the download atm.

MitchE323: http://www.sandboxie.com/phpbb/viewtopic.php?p=23713#23713 Mon Jul 07, 2008 12:27 am

Very nice, :arrow: works just as described. :D Just one question, what is the difference between SandboxDiff.exe & SandboxDiff2.exe (which also comes in the download)?

majoMo: SandboxDiff - Registry/Files changes http://www.sandboxie.com/phpbb/viewtopic.php?p=23711#23711 Sun Jul 06, 2008 11:10 pm

To track changes in registry and files with Sandboxie I tried to use applications like ZSoft Uninstaller (http://www.zsoft.dk/index/software_details/4) (an excellent uninstaller), Regshot, System Explorer (http://systemexplorer.mistergroup.org/) and InCtrl5 (all sandboxed). Without success - looping issue.

I read some forum administrator posts about, that allowed myself to do and try a utility. I'm now using SandboxDiff to do that.

How to use it?
Prior to install a program sandboxed:
1- Open 'UserPath.bat.txt' and inside it customize only the path (RegHive path) to something like: "C:\Sandbox\<YourUserName>\DefaultBox\RegHive".
2- Rename 'UserPath.bat.txt' to 'UserPath.bat'
3- Run 'SandboxDiff.exe' - not sandboxed.

At the end the user can see the changes made by the application sandboxed in the files:

- Registry changes:
Comp-Reg.txt - lists registry changes (values only) in text format.
Comp-Reg.REG.txt - lists registry changes (keys and values) in .reg format (Windows Registry Editor Version 5.00).
Comp-Reg.html - lists all registry entries (values) sandboxed in text/html format (and the registry values changes).

- Files changes:
Comp-Files.txt - lists added/removed files.
Comp-FilesMOD.txt - lists added/removed files - and modified files (based in size and date/time).
Comp-Files.html - lists all files in sandbox folder - and added/removed files.

Some Sandboxie users in the forum have asked how to check the changes made by an installation sandboxed. They can try to use SandboxDiff to do that. Hoping for it will be useful to someone else that likes to use the excellent Sandboxie.

Some Anti Virus can detect 'SandboxDiff.exe' as suspicious. It is a false positive. SandboxDiff hasn't any harmful activity.

Regards.

SandboxDiff v. 2.3 - DOWNLOAD (http://dl.dropbox.com/u/19597465/SandboxDiff-v2.3.rar) - MD5: AF33F8578978CCE2885505F7109D39F1
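
The before/after file comparison described in the first post above (added and removed files, modified files judged by size and date/time), together with the missing or locked RegHive condition the thread ties to "hive path err", as an added Python example; it is not SandboxDiff's code and not part of the original posts. The function names and the sample folder are constructed for illustration, and the optional SHA-256 comparison goes beyond the size and date/time check the post describes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HIVE_NAME = "RegHive"  # registry hive file name, as given in the thread


def hive_status(box):
    """Return 'missing' (empty sandbox), 'locked' (still in use) or 'ok'."""
    hive = Path(box) / HIVE_NAME
    if not hive.is_file():
        return "missing"
    try:
        with open(hive, "rb") as fh:
            fh.read(1)
    except OSError:  # e.g. a sharing violation while sandboxed programs run
        return "locked"
    return "ok"


def sha256_of(path):
    """Hex SHA-256 of a file, or 'unreadable' if it cannot be opened."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return "unreadable"
    return digest.hexdigest()


def snapshot(box, with_hash=False):
    """Map relative path -> (size, mtime_ns, sha256 or None) for every file."""
    root = Path(box)
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            st = path.stat()
            digest = sha256_of(path) if with_hash else None
            key = path.relative_to(root).as_posix()
            state[key] = (st.st_size, st.st_mtime_ns, digest)
    return state


def compare(before, after):
    """Added, removed and modified paths between two snapshots."""
    old, new = set(before), set(after)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if before[p] != after[p]),
    }


def demo():
    """Run both comparisons on a constructed sandbox folder in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        box = Path(tmp)
        empty = hive_status(box)  # nothing has run in the box yet
        (box / "app").mkdir()
        (box / HIVE_NAME).write_bytes(b"constructed hive bytes")
        (box / "app" / "old.dll").write_bytes(b"old")
        (box / "app" / "readme.txt").write_bytes(b"v1")
        cfg = box / "app" / "config.ini"
        cfg.write_bytes(b"mode=safe\n")
        ready = hive_status(box)
        fast_before = snapshot(box)
        full_before = snapshot(box, with_hash=True)

        # Constructed "install": add a file, remove one, grow one, and rewrite
        # one at the same size with its original timestamps put back.
        (box / "app" / "new.exe").write_bytes(b"MZ constructed")
        (box / "app" / "old.dll").unlink()
        (box / "app" / "readme.txt").write_bytes(b"v2, longer")
        st = cfg.stat()
        cfg.write_bytes(b"mode=open\n")
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))

        return {
            "empty": empty,
            "ready": ready,
            "size_time": compare(fast_before, snapshot(box)),
            "hashed": compare(full_before, snapshot(box, with_hash=True)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the constructed run the size and date/time comparison does not report app/config.ini, which was rewritten at the same length with its timestamps restored; the hashed comparison does.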