I was playing with the matousec leaktests for firewalls and found sss.exe able to logout from sandbox. Please check:

http://www.matousec.com/downloads/ssts.zip - bin\level 4\sss.exe

I checked. The logoff is permitted because unlike poweroff/shutdown/reboot requests, Windows does not consider logoff a privileged (or administrative) operation. That's very reasonable -- you would not expect to have to be administrator just to logoff your session.

I could possibly add more system hooks to prevent this, but that would be new code in Sandboxie, because the poweroff/shutdown/reboot protection at this time is done by simply discarding the needed privilege, not by hooking anything.

Thanks for answer. I though the log out protection is already implemented just not perfect,
because when i ran shutdown -l or logoff from sandboxed cmd i got "denied attempt" message from Sandboxie.