www.sandboxie.com :: View topic - SandboxDiff

Posted: Sun May 24, 2009 3:44 am

I am pretty sure I am using Sandboxie portable.

I say 'pretty sure' because it works as well as installed. But on my old pc I had a folder of my username under c:\sandbox and I think with portable I only have a DefaultBox folder there.

Posted: Mon May 25, 2009 7:27 pm

gyp wrote:

In comp-reg.txt I am getting

1d0
< hive path err
\ No newline at end of file

Otherwise seems to be functioning very easy

"hive path err" is related to "RegHive" file that wasn't able to be load by SandboxDiff. There are several reasons for, that you can check:

. When starting the sandbox folder is empty; so "RegHive" file didn't exist to be analyzed. You need to do a dummy action to create it: e.g. open Notepad.exe sandboxed and close it. Start SandboxDiff after.

. "RegHive" file was in use perhaps. You need to terminate all app. that are sandboxed firstly (when is asked by SandboxDiff).

Posted: Mon May 25, 2009 9:47 pm

Neither of those cases are true. It is reproducible. I looked, on initiation of sandboxdiff.exe Files_before reads everything in my c:\sandbox dir, but Reg_before also declares hive path err.

Posted: Mon May 25, 2009 10:01 pm

I really don't know what I'm talking about here but I was able to see when the hive.bak files were being created I could peek in one that said HKEY_USERS hive or something...my reghive created when looked at in wrr starts with \Sandbox_<MyUserName_DefaultBox.

Anyway, if I run sandboxdiff before, during, or after a sandboxed app, it is not finding any reghive file which is at C:\Sandbox\DefaultBox

Posted: Tue May 26, 2009 2:45 am

Anonymous wrote:

but Reg_before also declares hive path err.

When you have "hive path err" SandboxDiff was unable to load "RegHive" file for some reason.
BTW, do you have "UserPath.bat" customized?

Anonymous wrote:

Anyway, if I run sandboxdiff before, during, or after a sandboxed app, it is not finding any reghive file which is at C:\Sandbox\DefaultBox

Can you describe in detail the steps that you do when install an app. sandboxed with SandboxDiff? I think that can allow a clarification.

Anonymous wrote:

I was able to see when the hive.bak files were being created I could peek in one that said HKEY_USERS hive or something...my reghive created when looked at in wrr starts with \Sandbox_<MyUserName_DefaultBox.

No annoyance here. I can explain better further along (it's a form issue not a content question). Wink

BTW, WRR shows the registry status; SandboxDiff performs the registry changes between two status.

Posted: Tue May 26, 2009 7:03 pm

Well I have tried many different orders of operations now, including messing with the path declaration, but no avail.

My user path
C:\Sandbox\DefaultBox

My userpath line
copy "C:\Sandbox\DefaultBox\RegHive" hive_1.bak /v /y > NUL

1. Sandbox "delete contents"
2. SandboxDiff.exe (re-read instructions see if i'm missing something)
3. Press OK
(3.a.) Maybe look at Reg_before and see hive path err, continue anyway
4. Pick an app, right click, "run sandboxed"
5. Right click Sandboxie Control, pick "Terminate all programs"
6. SandboxDiff press "OK"

1d0
< hive path err
\ No newline at end of file

Same results if a RegHive exists or folder is empty.

But also like I said my hive file key starts with Sandbox_Username_DefaultBox even though I have not set it to use a username
My Sandboxie config is %SystemDrive%\Sandbox\%SANDBOX%

I do not see a regdump.exe anywhere on my system. I have an nlited XP install.

Thank you so much if you can explain

Posted: Tue May 26, 2009 8:46 pm

Please try follows the sequence (notes in red):

- The "UserPath.bat" file (don't forget to rename "UserPath.bat.txt" to "UserPath.bat") needs to be in same folder that "SandboxDiff.exe". With your customized path: copy "C:\Sandbox\DefaultBox\RegHive" hive_1.bak /v /y > NUL

1. Sandbox "delete contents" --> When you do this you removes "RegHive" file also! ("C:\Sandbox\DefaultBox\RegHive") - Please add step 1A- and 1B
1A- Run Notepad.exe sandboxed. Close it after - so none app. is running sandboxed now. (this allows to create a "RegHive").
1B- Check if a "RegHive" is in "C:\Sandbox\DefaultBox". It should be.
2. SandboxDiff.exe (re-read instructions see if i'm missing something)
3. Press OK
(3.a.) Maybe look at Reg_before and see hive path err, continue anyway
4. Pick an app, right click, "run sandboxed" --> Don't do this step. For now don't run any app. sandboxed.
5. Right click Sandboxie Control, pick "Terminate all programs"
6. SandboxDiff press "OK"

Please post the text that it is in "Comp-Reg.txt" file.

Obs.: When you want work with SandboxDiff, you don't need to "delete contents". But if you do that you need to do a dummy action before (e.g. open/close Notepad), to create the "RegHive" file.

Posted: Wed May 27, 2009 12:58 am

Still Reg_before gives hive path err
and Comp-Reg
1d0
< hive path err
\ No newline at end of file

Additionally, although these do exist, filemon reports:

SandboxDiff.exe:3252 DIRECTORY C:\SANDBOX\ NO MORE FILES FileNamesInformation

nircmd.exe:548 QUERY INFORMATION C:\Sandbox\UserPath.bat NOT FOUND Attributes: Error

Posted: Wed May 27, 2009 1:43 am

Well like checking an alarm clock you set and already double checked 5 times, I made a new UserPath.bat and it is working now. Scratching my head, then I binary compared this new userpath.bat to the old one I deleted and they are binary = .

??? no clue what, maybe permissions or something???

Anyway, working good! Sorry to have wasted so much time.

Posted: Wed May 27, 2009 2:29 am

I found the ***. The file name of my original UserPath.bat file had a SPACE before the U, at the beginning of the filename. lol
so sorry Smile

I will learn to work this *#! netbook touchpad!

Posted: Wed May 27, 2009 7:57 pm

gyp wrote:

I found the ***. The file name of my original UserPath.bat file had a SPACE before the U, at the beginning of the filename. lol

Good to see you found the annoyance.

Because I couldn't find it never... Rolling Eyes

Thanks for your time also and feedback. I appreciated that.

Wink

Posted: Thu May 28, 2009 2:43 am

Thanks so much for sharing your work and not getting mad at me, this functions very well and is so useful. I do think that the instructions could be written a little bit more clear for dumber users like me, that an initial RegHive must be created first, through, for example, the 'notepad sandbox'.

so now how will we save the world economy next?

Posted: Fri Jul 17, 2009 7:39 am

I put both SandboxDiff.exe and UserPath.bat to the main root of sandbox folder.
I configured the path inside the UserPath.bat.
I doubled click on SandboxDiff.exe to start, running normally not being sandboxed!
I saw a dialog and clicked ok.

msgwait.exe crashed and reported the following error:
AppName: msgwait.exe AppVer: 0.0.0.0 ModName: crtdll.dll
ModVer: 4.0.1183.1 Offset: 000115ce

The error report file: http://rapidshare.com/files/256737870/d098_appcompat.txt.html

What's up?

Posted: Sat Jul 18, 2009 2:50 pm

Something not easy to clarify. It seems that a google search for GRABMI_FILTER_PRIVACY produces tons of results. And isn't related to the app. itself like here.

Posted: Sat Jul 18, 2009 3:26 pm

Same msgwait.exe crash here. Not encountered with an older version of SandboxDiff.

Found this during Google search, so I assume that SandboxDiff is creating the msgwait.exe process:
http://www.threatexpert.com/report.aspx?md5=077a9baf847b97696c9f82b2263cd4e0