When browsing a sandbox from an unsandboxed Windows Explorer, Sandboxie states that "You may open programs or documents that reside within the sandbox. The program or document will start under the supervision of Sandboxie" (emphasis added). What are the caveats?

In addition to the exceptions reported for Windows Media Player and Windows Photo Viewer, I'm finding that a sandboxed .reg (registry) file always opens unsandboxed from an unsandboxed Explorer.

Steps to reproduce:
1) Create an empty .reg file on your sandboxed desktop.
2) From an unsandboxed Explorer, double-click the .reg file. Confirm that regedit.exe launched unsandboxed using Sandboxie Control's "Is Window Sandboxed?".

Tested on Win7 x86 with Sandboxie 3.43.14 and a sandbox with default settings. I did not observe this issue when testing on WinXP with Sandboxie 3.34.

I'm also finding that sandboxed files that normally do open sandboxed from an unsandboxed Windows Explorer don't open sandboxed when launched from a search result listing.

Steps to reproduce:

1) Create a text file on your sandboxed desktop. For kicks, give it a .js (JavaScript) extension and insert some code, for example: WScript.Echo("Boo!");
2) Open an unsandboxed Windows Explorer. Use the search box to find your file; double-click to run it. For me, the file opens unsandboxed - it shouldn't.
3) Confirm that the same file runs sandboxed, as expected, when browsing to it normally, not through a search. (Note that "#" indicators are missing for Windows Script Host even when it is sandboxed.)

I reproduced the issue with .js, .bat, and .txt files; the issue did not occur with .exe files, such as copies of notepad.exe or calc.exe. Tested on Win7 x86 with Sandboxie 3.43.14 in a sandbox with default settings. I did not observe this issue on WinXP with Sandboxie 3.34.

Workaround: Use a sandboxed Explorer, as tzuk recommends. But this isn't always convenient since a program in one sandbox can't start anything in a different sandbox.

Mike, I can confirm all of the above running Sandboxie 3.43.14 on Windows 7 32-bit.

I think there is nothing to add over what we discussed in that other topic:

http://www.sandboxie.com/phpbb/viewtopic.php?t=6672

In fact if you don't mind I would like to merge these posts with that other topic.

Is bug? Or why Sandboxie message say it will protect?

The problem is the same, but the threat is no longer theoretical. The examples above show that random code created in the sandbox can readily execute unsandboxed. This means direct, unfettered access to the files and registry of the real system - no tricks or exploits required.

Needless to say, this behavior directly contradicts Sandboxie's message quoted above. Tzuk, I think it would be helpful for you to disclose known caveats so that we can make informed decisions about how we work. For the same reason many users don't bother using a limited user account, many of us may not bother sandboxing Windows Explorer unless we understand the risks.


Sure. For the merged thread, could you use the title of this thread, "Explorer - Sandboxed files launch unsandboxed", instead of the WMP-specific title?

Thanks, Nick!

Mike, I believe I already agreed with you on the principle of the issue. In due time, I will give this issue some consideration, and see if there is anything I can do to improve this, and if not, I will reword the message.

Win 7 (32), A2 paid, PC Tools FW, IE8.

I recently upgraded from XP Pro to Win 7 (4days ago).
I imported my IE7 cookies (145), into Win 7's IE8 (you can't run IE7 in Win 7).

- I "can" auto-open any web sites that have a saved login (i.e. Hotmail, Gmail, sbie forum...) "in regular IE8".
Problem- When I try to open them from favorites in sbie- I have to enter the username/password (does not remember after session closed)?

I've tried several different ways of deleting/importing cookies, but didn't help?- I've even cut/pasted...
I've also tried deleting all cookies, and making new ones- didn't help.

I've also tried removing & replacing IE8 in Windows Features.

One thing I noticed that you may be able to easily duplicate?
When I change Google default "Search Settings" in regular IE8 to-

show 30 pages
Do not filter search results
Then Save Preferences
The cookie changes do not carry over to sbie, and remain default!?

Scott ?

Fair enough.

I'm not a dev so this probably sounds stupid, but I'm still curious. When opening an "unsandboxed" Explorer from Sandboxie Control, would it be possible to treat that Explorer as a program running in a completely open sandbox (managed by Sandboxie and invisible to the user)? That way, maybe Explorer would have normal access to the system, but Sandboxie could catch new processes such as Windows Script Host and start them in a normal, restricted sandbox...

I don't think that's a good idea. For me, the point of Explore Contents is that it does not involve Sandboxie functionality at all, and that's something I want to preserve.

I thought I'd give an update using Sandboxie 3.49.10, after seeing a few similar problem reports (e.g., Sandboxie 3.46 - 3.49b partial fails on Windows 7 64 bit).

On Windows 7 x86:
Behavior hasn't changed since my OP using 3.43.14. Sandboxed .reg files do NOT open sandboxed from an unsandboxed Explorer, and neither do .js, .bat, and .txt files when they are search results.

On Windows 7 x64:
Sandboxed .exe files do open sandboxed from an unsandboxed Explorer. However, it seems that other common extensions do NOT open sandboxed at all, including .js, .bat, .doc, and even .txt files in Notepad.

The x64 behavior is surprising since Sandboxie still states that "The program or document will start under the supervision of Sandboxie." But anyway, those of us that hang around here know that we should just use a sandboxed Explorer.

Well I am on Win7 x86, using Sandboxie v3.49.10.
Performing the test you mentioned in your first post works perfectly fine for me.
I browsed to the sandboxes Desktop folder, dropped my "Test.reg" file there and then double clicking the "Test.reg" file in an unsandboxed Explorer opens a sandboxed version of regedit.exe.
Am I doing it right?

Thanks for checking this, SnD. It sounds like you're doing it exactly right.

I have no idea why we're getting different results here on x86. I've now tried this at least 10 times with a default sandbox, and regedit always opens unsandboxed, as verified by Sandboxie's "Is Window Sandboxed?" command. My only other security software is Kaspersky, which I exited before testing.

Any ideas? Anyone else able to test this?

As I implied in that other topic,

http://www.sandboxie.com/phpbb/viewtopic.php?t=9090

This is not exactly determinstic. It mostly has to do with what would be the "current directory" value for the new process. And only Windows knows when "current directory" is going to be the directory of the document file and when it is going to be C:\Windows or the My Documents folder or just about anything else.