Cannot run sandboxed explorer (version 3.34)
sb88


Joined: 02 Jan 2009
Posts: 15
I installed Sandboxie 3.34 today on a Vista32 system, and I cannot get a sandboxed explorer in sandboxes created with the new version.

Steps to reproduce:
1. In Sandboxie Control, use Sandbox > Create New Sandbox.
2. Right-click the new sandbox and choose one of:
a) Run Sandboxed > Run Windows Explorer
b) Run Sandboxed > Run From Start Menu
c) Run Sandboxed > Run Any Program and press the Browse button
d) Run Sandboxed > Run Any Program and type "explorer.exe" and press OK

For a), I see a process Start.exe in the Sandboxie Control, replaced then by explorer.exe for about a second, but then this process disappears, and the sandbox gets inactive (no red dots). Nothing else happens.

For b), I see again Start.exe, but get the following error message (copied by pressing Ctrl-C on the box):
---------------------------
Sandboxie Start
---------------------------
Cannot instantiate IShellLink

System Error Code:

The system cannot find the file specified.

(2)
---------------------------
OK
---------------------------

When I press the OK button, I get the same error box again etc. I do not get the Sandboxie Start Menu. When I right-click Start.exe in the Sandboxie Control and select "Terminate Program", the message box disappears, and the sand box gets inactive.

For c), I see Start.exe in the Sandboxie Control, and I do get the Run Sandboxed dialog, but when I press the Browse button, nothing happens except for two rotations of the Vista ring. I do not get a browse window.

For d), the same happens as for a).


When I use one of the sandboxes created with Sandboxie 3.32, all operations (executed in version 3.34) work perfectly.

The problem does not seem to be related to the sandbox settings, because I have some old (3.32) sandboxes using the default options, and for the new sandboxes I also kept the default settings.


There is (maybe?) also a difference in old and new sandboxes when running other processes than explorer. When I use Run Sandboxed > Run Any Program from the context menu of a sandbox created with version 3.34 and type in a different program name (e.g. notepad.exe or cmd.exe), everything works fine, but when I look in the Sandbox directory there appears a file Drive\C\Windows\SbiePst.dat at the same time the program is started. I did not find that file in the sandboxes created and used since I started with SB 3.32 a week ago. (But maybe this is not related to the version change, because I mostly used "Forced Programs" and might not have used Run Any Program on my old sandboxes.)

I wonder why Sandboxie itself tries to write a file into C:\Windows, and I speculated that Sandboxie's methods could interfere with Vista's file virtualization (http://msdn.microsoft.com/en-us/library/bb756960.aspx). (I use an Administrator account with UAC/Admin Approval Mode enabled.) However, I did not see a Compatibility files button on the Explorer toolbar, and I did not find a %LOCALAPPDATA%\VirtualStore folder (I even booted from a Knoppix CD to investigate the hard disk but did not find anything), although I did see some virtualization entries in the registry (not related to Sandboxie).

I am new to both Vista and Sandboxie, and I don't know how to analyze the problem any further. I hope there is enough information so that the specialists can take over.
tzuk


Joined: 22 Jun 2004
Posts: 15003
SbiePst is probably not related to any of this.

I think the relevant change in version 3.34 is that Sandboxie no longer modifies a particular registry value inside the sandbox.

The registry key is HKEY_LOCAL_MACHINE\software\microsoft\com3
Using a sandboxed regedit, try to change the value Com+Enabled to 0. (zero)

Then try to restart Windows Explorer in this sandbox where you've just "customized" the registry.

_________________
tzuk
sb88


Joined: 02 Jan 2009
Posts: 15
Yes, this fixes the problem. I created a .reg file setting that value. When I execute this file on a new sandbox with Run Sandboxed > Run Any Program, everything works well afterwards.

Thanks very much, Tzuk.
tzuk


Joined: 22 Jun 2004
Posts: 15003
That's not a very good long term solution. "Disabling" COM+ this way has a negative effect on the performance of tabbing in IE 7 and creates some errors in the Flash plugin. Which is why this changed in version 3.34. I'd like to be able to reproduce this. Do you know if you use any third-party (non-Microsoft) extensions to Explorer?
sb88


Joined: 02 Jan 2009
Posts: 15
I use the TortoiseSVN client for the Subversion source control. This client integrates into Windows Explorer as a shell extension, see http://tortoisesvn.net/.
jjlucsy


Joined: 24 Mar 2007
Posts: 39
Location: Flint, MI, USA
I'm having the same issue as well. I also have TortoiseSVN installed, and many others as well.

Short list (I know there are more):
WinZip
Dropbox
Stardock Fences
Stardock Deskscapes
Ultramon

Is there a way to get a list of installed add-ins?
tzuk


Joined: 22 Jun 2004
Posts: 15003
jjlucsy are you using Windows Vista?

I installed TortoiseSVN on both XP and Vista and in both cases Windows Explorer is still starting successfully in the sandbox.

Are you reporting this problem for a computer connected to a domain?
sb88


Joined: 02 Jan 2009
Posts: 15
Tzuk, my computer is on a domain. I deinstalled TortoiseSVN, but the problem still exists. I am not aware of other shell extensions on my system.
tzuk


Joined: 22 Jun 2004
Posts: 15003
Maybe it doesn't have to do with shell extensions at all. Maybe it's a domain thing -- for instance, suppose Active Directory functions require COM+, and because COM+ is now enabled, Windows Explorer tries to contact AD but fails.

So my request is this. Can you delete the sandbox and don't do the registry thing, in order to keep COM+ enabled. Then start Resource Access Monitor, from Sandboxie Control > File menu. Leave the monitor on, and start Windows Explorer. Then close the monitor, which will copy data to the clipboard, and paste it here please.

At this point I'm primarily interested in those lines at the top, which should have a Clsid prefix.
sb88


Joined: 02 Jan 2009
Posts: 15
This is what I got (just crossed out my login name):

(Drive) \Device\CdRom0
(Drive) \Device\CdRom1
(Drive) \Device\HarddiskVolume2
(Drive) \Device\HarddiskVolume3
(Unk) 00000022 \Device\SandboxieDriverApi
(Unk) 00000039 \Device\KsecDD
Clsid -------------------------------
Ipc -------------------------------
Ipc \Sessions\1\BaseNamedObjects\SbieDllDummyEvent_5228
Ipc \Sessions\1\BaseNamedObjects\SbieDllDummyEvent_5952
Ipc \Sessions\1\BaseNamedObjects\UrlZonesSM_XXXXXXXX
Ipc \Sessions\1\BaseNamedObjects\windows_shell_global_counters
Ipc \Sessions\1\BaseNamedObjects\ZoneAttributeCacheCounterMutex
Ipc \Sessions\1\BaseNamedObjects\ZonesCacheCounterMutex
Ipc \Sessions\1\BaseNamedObjects\ZonesCounterMutex
Ipc \Sessions\1\BaseNamedObjects\ZonesLockedCacheCounterMutex
Ipc O \BaseNamedObjects\Sandboxie_DeviceIdList
Ipc O \BaseNamedObjects\Sandboxie_DeviceSetupClasses
Ipc O \KnownDlls\advapi32.dll
Ipc O \KnownDlls\clbcatq.dll
Ipc O \KnownDlls\gdi32.dll
Ipc O \KnownDlls\IERTUTIL.dll
Ipc O \KnownDlls\IMM32.dll
Ipc O \KnownDlls\kernel32.dll
Ipc O \KnownDlls\LPK.dll
Ipc O \KnownDlls\MSCTF.dll
Ipc O \KnownDlls\MSVCRT.dll
Ipc O \KnownDlls\NSI.dll
Ipc O \KnownDlls\ole32.dll
Ipc O \KnownDlls\OLEAUT32.dll
Ipc O \KnownDlls\PSAPI.DLL
Ipc O \KnownDlls\rpcrt4.dll
Ipc O \KnownDlls\Setupapi.dll
Ipc O \KnownDlls\SHELL32.dll
Ipc O \KnownDlls\SHLWAPI.dll
Ipc O \KnownDlls\user32.dll
Ipc O \KnownDlls\USP10.dll
Ipc O \KnownDlls\WLDAP32.dll
Ipc O \KnownDlls\WS2_32.dll
Ipc O \LsaAuthenticationPort
Ipc O \RPC Control\SbieSvcPort
Ipc O \Security\LSA_AUTHENTICATION_INITIALIZED
Ipc O \Sessions\1\Windows\ApiPort
Ipc O \Sessions\1\Windows\SharedSection
Ipc O \ThemeApiPort
Ipc X \BaseNamedObjects\__ComCatalogCache__
Ipc X \BaseNamedObjects\windows_shell_global_counters
Pipe -------------------------------
Pipe X \Device\NamedPipe\lsarpc
WinCls -------------------------------
WinCls X Progman
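The monitor dump in the post above can be grouped by category to show which sections are empty and which resources carry the X flag. This is an added example, not part of the thread or of Sandboxie; the function names are hypothetical, and reading O as "opened" and X as "denied" is an assumption that the thread itself does not state.

```python
import re
from collections import defaultdict

# Excerpt of the Resource Access Monitor dump posted above.
SAMPLE = r"""(Drive) \Device\HarddiskVolume2
(Unk) 00000022 \Device\SandboxieDriverApi
Clsid -------------------------------
Ipc -------------------------------
Ipc \Sessions\1\BaseNamedObjects\windows_shell_global_counters
Ipc O \KnownDlls\ole32.dll
Ipc O \RPC Control\SbieSvcPort
Ipc X \BaseNamedObjects\__ComCatalogCache__
Pipe -------------------------------
Pipe X \Device\NamedPipe\lsarpc
WinCls -------------------------------
WinCls X Progman
"""

# category, optional single-letter flag (O or X), then the resource name
LINE = re.compile(r"^(\S+)\s+(?:([OX])\s+)?(.+)$")

def parse_monitor(text):
    """Return {category: [(flag, resource), ...]} in order of appearance."""
    sections = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        category, flag, rest = m.groups()
        category = category.strip("()")
        if set(rest) == {"-"}:
            sections[category]  # separator line: record the section even if empty
            continue
        sections[category].append((flag, rest))
    return dict(sections)

def empty_sections(sections):
    """Categories whose separator appeared but which logged no resource."""
    return sorted(c for c, rows in sections.items() if not rows)

def flagged(sections, flag):
    """All (category, resource) pairs carrying the given flag letter."""
    return [(c, res) for c, rows in sections.items()
            for f, res in rows if f == flag]

if __name__ == "__main__":
    parsed = parse_monitor(SAMPLE)
    print("empty sections:", empty_sections(parsed))
    for cat, res in flagged(parsed, "X"):
        print("X", cat, res)
```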
tzuk


Joined: 22 Jun 2004
Posts: 15003
First I want to confirm something -- are you sure you started Windows Explorer for the monitor run and not Internet Explorer?

I also have another idea that I'd like you to try. Starting with an empty sandbox, follow these steps:

1. Run Any Program -> Notepad

2. Run Any Program -> C:\Program Files\Sandboxie\SandboxieRpcSs.exe
--> Do both SandboxieRpcSs.exe and SandboxieDcomLaunch.exe start as a result of this?
--> Do both remain running?

In case they do:

3. Run Windows Explorer

Does it come up ok now?
sb88


Joined: 02 Jan 2009
Posts: 15
Yes, it was explorer, not IE. I right-clicked on "Computer" on my desktop and used Run Sandboxed.

Just continuing with the tests you suggested...
sb88


Joined: 02 Jan 2009
Posts: 15
This works. Notepad keeps the sandbox running, SandboxieRpcSs.exe also causes SandboxieDcomLaunch.exe to start, both remain open, and Windows Explorer comes up now.
jjlucsy


Joined: 24 Mar 2007
Posts: 39
Location: Flint, MI, USA
tzuk wrote:
jjlucsy are you using Windows Vista?

Yes
tzuk wrote:
Are you reporting this problem for a computer connected to a domain?

No, simple workgroup.

I did try your test of running Notepad, then SandboxieRpcSs, then Explorer. This works, all remain open and explorer launches fine. Results are just like sb88's.
tzuk


Joined: 22 Jun 2004
Posts: 15003
That's very good news. Thanks for following through with this experiment.

jjlucsy can you also do the experiment? (Edit -- I see you already did.)

I can speculate that the reason for the problem is this. When COM+ is enabled, something in Explorer tries to access COM services before Sandboxie realizes that SandboxieRpcSs needs to start. And before SandboxieRpcSs comes up, there are no COM services in the sandbox. With no COM -- which is a really fundamental part of Windows that is reasonable to assume will always be there -- Explorer just gives up and exits.

I won't be able to look into this at any more depth right now, but I'm content that I have a general idea to work with, once I get around to starting development on the next version.

I would appreciate it if you check back in a couple of weeks for a follow-up on this problem.


Last edited by tzuk on Thu Jan 08, 2009 10:29 pm; edited 1 time in total
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.