RegHive locked problem

Buster

tzuk:
Today during my daily malware unpacking process I noticed a problem in Sandboxie. Details: Sandboxie 3.45.10 32-bit, Windows XP SP3 (I tried on Windows 7 (32-bit too) and the bug is not present). The problem is that after sandboxing this program: http://www.yousendit.com/download/dXFYTkFpTk04Q1N4dnc9PQ (Caution: malware! - Password: infected) the reghive gets locked and the sandbox folder cannot be deleted. Trying to manually unload the reghive doesn't help. I hope that information helps to solve similar problems reported by other users.

Buster

Yes, that's what I mean by "manually unload reghive".

Buster

I can reproduce the bug consistently on my main computer.
I have tried with Unlocker and Mark Russinovich's Handle, and both tell me that the process responsible for the lock on the file is System (PID 4). Unlocker is unable to unlock the files.

tzuk

I'll look into this and post an update.

Buster

Were you able to reproduce the problem?

tzuk

Not yet.
|
||||||||||||
|
|
|||||||||||||
| am I using unlocker for right file? seems to be same issue? |
|
Sunny
|
I'm going to c:\sandbox (it shows as a Sandboxie icon; when opened, it shows me a sandbox for admin & each user, plus desktop.ini & dontuse.txt) & highlighting / right-clicking the sandbox for the locked user sandbox.
Is this where I am supposed to be applying Unlocker? When I do this, Unlocker shows me 2 system processes: reghive (PID 4, handle 144) & reghive.log (PID 4, handle 560). Choosing unlock doesn't unlock them. Rebooting doesn't work. What has worked is deleting this from within safe mode, but after that, sometimes I find the Sandboxie service doesn't start any more & I have to reinstall Sandboxie to get it going, which is why I wonder if I'm deleting the wrong thing. If it's just an instance of a sandbox, the service should continue to work, right? I hoped after reading on the forum that Unlocker would be the solution, but it seems not to be. Using Sandboxie (paid version) 3.442, & this has happened on more than 1 sandbox. Besides Sandboxie, I use WinPatrol & Microsoft Security Essentials. Win XP Pro Service Pack 3. Thank you!

Sunny

Tzuk: any updates yet? Using Sandboxie 3.46 - still the same issue - Sandboxie randomly remains in use & the only way to delete the sandbox when that happens is by going into safe mode.

Sunny

bump!!
I hoped the latest version finally would correct this, but it happened again. No idea what triggers the block of the reghive - often no reghive issues and then all of a sudden I can't delete a sandbox because of an open reghive.

Buster

I still have the problem from time to time.
|
||||||||||||
|
|
|||||||||||||
|
tzuk
|
I never see this problem occurring "by itself". It may happen if I have RegEdit open and focused on the sandboxed registry when I am stopping the last program in the sandbox. In this case the registry hive remains in use. But it's easy to fix: I just move the focus in RegEdit to somewhere else, and then start and stop a program in the sandbox, so this time the registry hive gets released properly.
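An added diagnostic for the symptom discussed in this thread (not part of the original posts or of Sandboxie itself): it checks whether the sandbox's hive is still mounted after the last sandboxed program has exited, lists who holds the RegHive file the way Buster did with Handle, then applies tzuk's workaround of starting and stopping one more program in the box, and only then falls back to an explicit unload. It assumes the default sandbox folder layout C:\Sandbox\<user>\<box>\RegHive, the default KeyRootPath (which mounts the hive as HKEY_USERS\Sandbox_<user>_<box>), Start.exe with its /box: and /terminate switches in the default install folder, and Sysinternals handle.exe on PATH; all of these are assumptions, not facts stated in the thread.

```powershell
# Added diagnostic for the locked-RegHive symptom. Not part of the original thread.
# Assumptions (labelled): default folder layout C:\Sandbox\<user>\<box>\RegHive,
# default KeyRootPath mounting the hive as HKEY_USERS\Sandbox_<user>_<box>,
# Start.exe switches /box: and /terminate, Sysinternals handle.exe on PATH.
# Run from an elevated PowerShell prompt.
param(
    [string]$Box         = 'DefaultBox',
    [string]$User        = $env:USERNAME,
    [string]$SandboxRoot = 'C:\Sandbox',                 # assumption: default root
    [string]$SbieDir     = 'C:\Program Files\Sandboxie'  # assumption: default install dir
)

$hiveKey  = "Sandbox_${User}_${Box}"                     # assumption: default KeyRootPath
$boxDir   = Join-Path $SandboxRoot "$User\$Box"
$hiveFile = Join-Path $boxDir 'RegHive'

function Test-HiveLoaded([string]$KeyName) {
    # A hive that was released correctly no longer appears under HKEY_USERS.
    Test-Path "Registry::HKEY_USERS\$KeyName"
}

function Get-HiveHolders([string]$FilePath) {
    # handle.exe -a searches every process's handle table for the substring.
    # A holder of PID 4 (System), as Buster and Sunny saw, is a kernel-side
    # reference (the mounted hive itself or a filter driver), which is why a
    # user-mode tool such as Unlocker cannot release it.
    $exe = Get-Command handle.exe -ErrorAction SilentlyContinue
    if (-not $exe) { return @('handle.exe not found (Sysinternals Handle)') }
    & $exe.Path -accepteula -a $FilePath 2>$null | Where-Object { $_ -match 'RegHive' }
}

function Invoke-SandboxCycle {
    # tzuk's workaround: run and stop one more program in the box so the driver
    # gets a fresh "last program exited" event and unloads the hive on it.
    $start = Join-Path $SbieDir 'Start.exe'             # assumption: Start.exe location
    if (-not (Test-Path $start)) { throw "Start.exe not found at $start" }
    & $start "/box:$Box" cmd.exe /c exit | Out-Null     # assumption: /box: switch
    Start-Sleep -Seconds 3
    & $start "/box:$Box" /terminate | Out-Null          # assumption: /terminate switch
    Start-Sleep -Seconds 3
}

Write-Host "Sandbox folder : $boxDir"
Write-Host "Hive file      : $hiveFile (exists: $(Test-Path $hiveFile))"
Write-Host "Hive key       : HKEY_USERS\$hiveKey (loaded: $(Test-HiveLoaded $hiveKey))"

if (Test-HiveLoaded $hiveKey) {
    Write-Host "`nHandles on the hive file:"
    Get-HiveHolders $hiveFile | ForEach-Object { Write-Host "  $_" }

    Write-Host "`nCycling one program in the box to trigger the hive unload..."
    Invoke-SandboxCycle

    if (Test-HiveLoaded $hiveKey) {
        # Last resort once nothing in user mode holds the hive: ask the kernel to
        # unload it. This fails with 'Access is denied' while any key handle under
        # the hive is still open (e.g. RegEdit focused on it, or another driver).
        Write-Host "Still loaded; trying reg unload HKU\$hiveKey"
        & reg.exe unload "HKU\$hiveKey" | Out-Null
    }
    Write-Host "Hive still loaded: $(Test-HiveLoaded $hiveKey)"
} else {
    Write-Host 'Hive is not loaded; the sandbox folder should delete normally.'
}
```

If the hive is still reported as loaded after both steps, the handle listing is the useful artefact: a PID other than 4 names a user-mode process (RegEdit, an AV scanner) that can simply be closed, while PID 4 alone points at the kind of driver-side hold tzuk describes later in the thread, where the next thing to try is disabling the other real-time security products one at a time.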

Sunny

1 thing I am sure of is that I very seldom open regedit.
The issue doesn't happen every time I use Firefox, but it only happens when Firefox has been open, not Thunderbird or Foxit Reader alone (all forced to run in this sandbox) without having used Firefox as well. Things I think don't make a difference to when it happens: whether or not more apps than just Firefox are running in the sandbox; # of tabs used in Firefox; whether or not Flash was allowed; length of the session (can be quickly checking 1 thing online or an hours-long session); whether I save the session & don't delete the sandbox, or delete it upon closing; updating add-ons. I'm wondering if it's the way I have set up my default sandbox? (I have other sandboxes: a game, a specific application, IE-only sandboxes -- but they don't run simultaneously, & the others always would be cleared at closing, so shouldn't be interfering.) Maybe something in my setup accesses the reghive and I need to make an adjustment? This is what generally appears running Firefox:

Default box active: firefox.exe PID 3968 #Defaultbox www.sandboxie.com;;\viewtopic-RegHi... SandboxieRpcSs.exe PID 3088, SandboxieDcomLaunch.exe PID 1804.

Immediate recovery enabled. I haven't edited the omissions. Quick recovery lists the locations most frequently downloaded to. Delete invocation off & no special delete commands. No program groups created.
Forced folders: D:\ and Program Files: Thunderbird, Firefox, Foxit Software.
Forced programs: foxitr~1.exe, foxit reader.exe, thunde~1.exe, thunderbird.exe, [firefox.exe].
I haven't edited lingering programs, nor added any leader programs. All programs can access the internet; all programs can start and run; Drop Rights enabled. No low level access or hardware access permitted. "All programs" is the only choice available in the dropdown for full access, blocked access, & read-only access. Nothing in all cases.

Direct Access (different selections depending on the dropdown box):
all programs: [%mpl.roboform%] [%mpl.roboform%\*]
firefox.exe: [tmpl.firefox\bookmark*] [tmpl.firefox\places*] [*\urlclassifier*.sqlite*]
thunderbird.exe & thunde~1.exe: [%tmpl.thunderbird%] [%appData%\thunderbird] [%Local appData%\thunderbird]
Registry Access:
Direct Registry Access: all programs: nothing listed. thunderbird.exe and thunde~1.exe: [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\*\Mozilla thunderbird*] [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla thunderbird*]. No firefox additions.
Blocked Access: all programs: nothing listed.
Read Only Access: all programs: [\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{number string}] [\REGISTRY\MACHINE\SOFTWARE\Synaptics\SynTP]
Direct IPC access: all programs - long list. If important, I can try to copy it. No blocked access.
Window access: all programs: NONE added.
COM access: all programs: none added.
Applications: Firefox: allow direct access to Firefox bookmark & history database; allow direct access to Firefox phishing database. Add-ons: nothing added or allowed. Email reader specified: Thunderbird. Improved use of Sandboxie with: security: Online Armor & RoboForm; desktop utilities: 7-Zip shell extension, Synaptics touchpad. Misc: no screen readers, no managing hardware device config. Default exclusions for immediate recovery; default list for lingering programs / blocked TCP/IP ports.

tzuk

I don't think this can be caused by any setting that you have in Sandboxie. (With the exception of the sandbox registry root setting, KeyRootPath, but no one ever changes this setting.)
In the past there have been a few esoteric cases where other security software got a hold on the sandbox registry and never let go of it. That of course prevented the registry hive from unloading and the sandbox from deleting. Maybe you have some conflict along this line.

Sunny

Thank you for looking at my Sandboxie settings, Tzuk.
I'd like to get this working if it's possible. I've seen other people with the same realtime signatures as what I use, but maybe without this issue? If it is a conflict, why only sometimes, with long periods with no problem, then it resurfaces & can be constant? (& I suspect MSE; I read MVPs claim MSE does it all & nothing more than the Windows FW is needed & all else conflicts. Not all MVPs agreed in that discussion, but it left me wondering.....)
What I run realtime: Sandboxie 3.52, Online Armor Premium 4.0.0.45 (just Program Guard & Firewall), MSE 2.0.67.0, WinPatrol Plus 17.0.2010.0 (monitors my system settings & pops up warnings, but doesn't silently block. This is the last version of WinPatrol before the developer added in a lockdown of certain areas of the registry. Seems unlikely to be WinPatrol?) Hosts file?
In MSE exclusions, I see I have entered Sandboxie (files & locations - Program Files\Sandboxie AND excluded processes - SandboxieDComLaunch.exe, SandboxieRpcSs.exe, SbieCtrl.exe, Sbiesvc.exe). SHOULD THESE BE EXCLUDED? Something missing? Or needs fine tuning?
In OA, program files, all the Sandboxie processes it finds are trusted. (Nothing "Sandboxie" shows as untrusted.) Trusted: sbiesvc.exe, sbiedrv.sys, sbiedll.dll, sbiectrl.exe, SandboxieCrypto.exe, SandboxieDcomLaunch.exe, SandboxieRpcSS, SANDBOXIEDCOMLAUNCH.EXE AND, listed twice, the same exact file, could this be the issue?: SandboxieWuau.exe, both v3.46, same MD5 hash, first noted same date & second Sandboxie COM Services (wuauserv), 3.46, (3.46) C:\Program Files\Sandboxie\SandboxieWUAU.exe Hash(MD5): 1F04EA2DD7642997A89064973402BC8A. And in Sandboxie, I have checked "improved use of Sandboxie with: security: Online Armor & RoboForm". NO Sandboxie exclusions exist in Online Armor at all; should Sandboxie be excluded? (Which processes?) Or just trusted? Any idea from here? If not, is there a way to figure this out?