SandboxDiff - Registry/Files changes
majoMo
To track changes in the registry and files with Sandboxie I tried to use applications like ZSoft Uninstaller (an excellent uninstaller), Regshot, System Explorer and InCtrl5 (all sandboxed). Without success - looping issue. I read some forum administrator posts about it, which led me to write and try a utility.
I'm now using SandboxDiff to do that. How to use it? Prior to installing a program sandboxed:
1- Open 'UserPath.bat.txt' and inside it customize only the path (RegHive path) to something like: "C:\Sandbox\<YourUserName>\DefaultBox\RegHive".
2- Rename 'UserPath.bat.txt' to 'UserPath.bat'.
3- Run 'SandboxDiff.exe' - not sandboxed.
At the end the user can see the changes made by the sandboxed application in these files:
- Registry changes:
Comp-Reg.txt - lists registry changes (values only) in text format.
Comp-Reg.REG.txt - lists registry changes (keys and values) in .reg format (Windows Registry Editor Version 5.00).
Comp-Reg.html - lists all sandboxed registry entries (values) in text/html format (and the registry value changes).
- File changes:
Comp-Files.txt - lists added/removed files.
Comp-FilesMOD.txt - lists added/removed files - and modified files (based on size and date/time).
Comp-Files.html - lists all files in the sandbox folder - and added/removed files.
Some Sandboxie users in the forum have asked how to check the changes made by a sandboxed installation. They can try to use SandboxDiff to do that. Hoping it will be useful to someone else who likes to use the excellent Sandboxie.
Some antivirus programs can detect 'SandboxDiff.exe' as suspicious. It is a false positive. SandboxDiff doesn't have any harmful activity.
Regards.
SandboxDiff v. 2.3 - DOWNLOAD - MD5: AF33F8578978CCE2885505F7109D39F1
Last edited by majoMo on Fri Jun 03, 2011 2:48 pm; edited 28 times in total
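A file-side equivalent of what Comp-FilesMOD.txt reports (added, removed, and modified files judged by size and date/time), as an added example that is not SandboxDiff's own code: it snapshots a folder tree before and after a change and diffs the two snapshots. The box layout built in demo() is a constructed temporary directory standing in for a Sandboxie sandbox folder; the registry (RegHive) side of the comparison is not covered here.

```python
"""Before/after snapshot diff of a sandbox folder, in the spirit of
SandboxDiff's Comp-FilesMOD.txt: added, removed and modified files,
where "modified" means size or modification time changed.
Added example, not SandboxDiff's own code; paths below are constructed."""
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file (path relative to root, POSIX form) to (size, mtime_ns)."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return snap


def diff_snapshots(before, after):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def format_report(changes):
    """Plain-text report, one section per change kind, like Comp-FilesMOD.txt."""
    lines = []
    for kind in ("added", "removed", "modified"):
        lines.append(f"[{kind.upper()}] {len(changes[kind])}")
        lines.extend(f"  {p}" for p in changes[kind])
    return "\n".join(lines)


def demo():
    """Constructed sandbox-like tree in a temp dir: snapshot, 'install', diff."""
    with tempfile.TemporaryDirectory() as box:
        prog = Path(box) / "drive" / "C" / "Program Files"
        user = Path(box) / "user" / "current"
        prog.mkdir(parents=True)
        user.mkdir(parents=True)
        (prog / "old.dll").write_bytes(b"v1")
        (user / "settings.ini").write_text("a=1\n")
        before = snapshot(box)
        (prog / "app.exe").write_bytes(b"MZ")        # added by the "installer"
        (prog / "old.dll").write_bytes(b"v2!")       # size changed: modified
        (user / "settings.ini").unlink()             # removed
        return diff_snapshots(before, snapshot(box))
```

Point snapshot() at the real box folder (e.g. the DefaultBox path) before and after an installation to get the same three lists for an actual run.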
Oneder
Getting a blank page here when trying to get the download atm.
majoMo
The difference between them is the registry changes view. That is to say, the files "comp-hklm.txt" and "comp-hkcu.txt" in "SandboxDiff2.exe" aren't like those in "SandboxDiff.exe". The output is different - but the shape is interesting. The comparing process is a bit slower also. The user can use either one - a user choice... I am glad to know it's useful for someone else than me.
You can try to copy the link into your browser's address bar and press enter. Perhaps this helps:
GreyWolf
Very nice program... and working via a DOS interface for most commands is definitely the best way to go without influencing the output.
Great job. GreyWolf
Guest10
@majoMo:
The most recent data files for Norton A/V 2008 have apparently decided that SandboxDiff2.exe contains a Trojan Horse, and automatically deleted it from the Windows Explorer window, when I opened the folder containing that file. I've submitted the file to Symantec, since I'm sure that it's a false positive. Just thought I'd let you know. You may have others report this too.
_________________ Paul XP Pro SP3 (Admin rights), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 21, Thunderbird 17
SandboxDiff
Guest
Can we get a repost of this? It would be very useful.
Thanks!
SnDPhoenix
Well you're in luck, I looked in my download folder and I still have the SandboxDiff archive on my HDD, so I just uploaded it to my premium zone on Rapidshare (faster and reliable since you know Rapidshare will still be there tomorrow), so here you go.
http://rapidshare.com/files/150141933/SandboxDiff.rar
Btw, just as Guest10 mentioned above, yes this file does seem to be tagged as infected with some kind of trojan, but I think it might be a false positive. I think the reason it says there is a trojan is because the executable file actually has a couple of other exe files embedded inside, so the A/Vs might be mistaking that packing technique for the file being a virus (since many viruses bind/pack many exe files together...). Either way, I'd still say you're safe though since the tool is meant to be run sandboxed, so even if it is infected, it is sandboxed!
majoMo
Some AVs see SandboxDiff as a trojan. SnDPhoenix describes one reason; UPX compression is disliked by other AVs also. SandboxDiff doesn't have any harmful activity. It's a false positive.
SandboxDiff will be updated as soon as possible. In fact there are some annoyances that need to be corrected. An accurate rendering is crucial. Changes in the hive file will be effective; file changes will not log "virtual" files anymore. The .exe file will be replaced by a .bat file.
majoMo
SandboxDiff updated.
Changes:
- "SandboxDiff.rar" must be extracted to the Sandbox folder where the "RegHive" file is.
- Now runs as .bat: "SandboxDiff.bat" - not sandboxed.
- While Sandboxie has applications running, the "RegHive" file can't be analyzed. That's why it is needed to "terminate all programs that are Sandboxed". SandboxDiff tells you when such action must be done.
- Changes (in Registry and Files) are saved in .txt and .html format. Output is accurate.
- The analysis process is now noticeably faster.
Download and info in the first post.
Casey44
majoMo,
Seems like a great addition! I tried it out, but ran into a problem. UnRARred the files into ...\Defaultbox. But HOW do I start "SandboxDiff.bat" not-sandboxed, as instructed? Whatever I try, I get it in a Sandbox window, with the [#] markings. Maybe because of that (?), I get the error message:
[...] - Analyzing Registry and Files . . . Please wait . . . (DON'T CLOSE THE WINDOW)
Het systeem kan het opgegeven pad niet vinden.
Kan G:\Sandbox\Kees\DefaultBox\hive_2.bak niet vinden
translated from Dutch: The system can not find the specified path. Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.
Please help me on,
Casey
Same Problem
George
Guest
I'm having the same problem as Casey.
Thanks for your help!
George
Guest
Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\.
HOWEVER, running ANYTHING inside \DefaultBox\ will run it in sandbox mode. Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly. Maybe this can be fixed by re-designing the batch file to be run at C:\ instead.
SnDPhoenix
Err, if I am not mistaken, isn't it only exe files that are forced sandboxed if they reside in the sandbox folder? I don't think the same rules apply to .bat files in the sandbox, could be wrong...?
majoMo
Exactly like that, SnDPhoenix. If a .bat file is opened in that folder it isn't sandboxed (like a .txt file, e.g., also). This is the reason why "SandboxDiff" is a .bat file now - if it were a .exe file the output wouldn't be accurate and effective.
Casey44, if you open "SandboxDiff.bat" (double click, e.g.) in your "G:\Sandbox\Kees\DefaultBox\", the SandboxDiff.bat window (cmd) runs not sandboxed (like if you open a .txt file there; try it also).
Casey and George,
1. SandboxDiff.bat must be executed in that folder (with the other files that are in "SandboxDiff.rar"). If not, the output won't be accurate anymore.
2. What is the annoyance "Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak" about? If you run "SandboxDiff.bat" inside \DefaultBox\ you need to confirm that 1) you have the RegHive file there; 2) you TERMINATE ALL PROGRAMS sandboxed when requested by the SandboxDiff window. Without this SandboxDiff can't do its work, because it can't analyze (if you don't terminate the programs the crucial RegHive file is locked: it can't be analyzed).
Hoping this helps to clarify the question. Your feedback is much appreciated. Thanks.
BTW, the registry changes in .REG format (Windows Registry Editor Version 5.00) will be available in the next SandboxDiff update.