Sandboxed videos launch in unsandboxed WMP 12

Mike
Guest
When browsing a sandbox in an unsandboxed Explorer, Sandboxie states: "You may open programs or documents that reside within the sandbox. The program or document will start under the supervision of Sandboxie."
However, when opening sandboxed videos from an unsandboxed Explorer, Windows Media Player 12 (WMP) runs unsandboxed. Why? If, in the same Explorer instance, I launch the sandboxed videos in Media Player Classic (MPC), MPC launches properly sandboxed.
When launching sandboxed videos from a sandboxed Explorer, WMP runs sandboxed, as expected. However, WMP is completely unresponsive and must be terminated from Sandboxie Control. This is perhaps similar to the issue discussed in Fullscreen Windows 7 programs; for me, however, WMP is always unresponsive when sandboxed, whether or not it's fullscreen.
I'm running Win7 and Sandboxie 3.40. I tested the above using a clean sandbox with default settings.

Mike
Guest
Except when the files reside in a sandbox. Sandboxed files normally open sandboxed, whether or not Explorer is sandboxed. This should be easy for you to verify.

tonecool
I think that your WMP 12 is also running sandboxed but you just can't see "#". Try to use the File->Is Window Sandboxed? option from Sandboxie Control.

Mike
Guest
WMP 12 appears to be unsandboxed because:
1. The "Is Window Sandboxed?" function reports that "The selected window is not running as part of any sandboxed program."
2. Sandboxie Control doesn't list wmplayer.exe.
3. The WMP window lacks the Sandboxie colored border that is normally visible.
4. Process Explorer shows that the wmplayer.exe process launch is not accompanied by SandboxieRpcSs.exe and SandboxieDcomLaunch.exe.

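The checks listed in the post above can be partly scripted. The following PowerShell is an added example, not part of the original thread or of Sandboxie; it assumes that Sandboxie loads its SbieDll.dll into every sandboxed process, and the function names are hypothetical.

```powershell
# Added example: report whether the viewer processes named in this thread
# are running under Sandboxie.
# Assumption: Sandboxie loads SbieDll.dll into every sandboxed process.
# Run from an unsandboxed PowerShell whose bitness matches the OS.

$Watch   = 'wmplayer', 'dllhost', 'rundll32'        # viewers named in the thread
$Helpers = 'SandboxieRpcSs', 'SandboxieDcomLaunch'  # helper processes from check 4

function Test-Sandboxed {
    param([System.Diagnostics.Process]$Process)
    try {
        $mods = $Process.Modules
        if ($null -eq $mods) { return $null }
        $names = @($mods | ForEach-Object { $_.ModuleName })
    } catch {
        return $null                      # access denied or process exited
    }
    if ($names.Count -eq 0) { return $null }   # nothing readable: unknown
    return ($names -contains 'SbieDll.dll')    # -contains ignores case
}

function Get-ViewerSandboxState {
    param([string[]]$Name = $Watch)
    foreach ($p in @(Get-Process -Name $Name -ErrorAction SilentlyContinue)) {
        $result = Test-Sandboxed -Process $p
        if ($null -eq $result) { $state = 'unknown' }
        elseif ($result)       { $state = 'sandboxed' }
        else                   { $state = 'NOT sandboxed' }
        [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; State = $state }
    }
}

function Get-SandboxieHelperCount {
    # Number of Sandboxie helper processes currently running.
    @(Get-Process -Name $Helpers -ErrorAction SilentlyContinue).Count
}

Get-ViewerSandboxState | Format-Table -AutoSize
"Sandboxie helper processes running: $(Get-SandboxieHelperCount)"
```

Windows runs many unrelated dllhost.exe and rundll32.exe instances, so compare the output before and after opening the file to identify the viewer's process.
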
Mike
Guest
UPDATE: Found the same behavior on both Win7 and WinXP. Also, Windows Photo Viewer behaves exactly the same as Windows Media Player - it opens sandboxed pictures unsandboxed when launched from an unsandboxed Explorer. I suppose this has to do with the way WMP and Photo Viewer (an instance of dllhost.exe) interact with Explorer...
Anyway, it's not a big deal; as Sandboxie recommends, I generally sandbox Explorer when browsing sandboxes. Still, this behavior is unexpected and may cause user confusion because:
1. Sandboxie's pop-up notification upon launching an unsandboxed Explorer states that "The program or document will start under the supervision of Sandboxie."
2. Other programs - Internet Explorer, Notepad, Media Player Classic, etc. - automatically run sandboxed in the same situation.

tzuk
This is known behavior. The problem is that WMPlayer.exe (in this example) is a program that is installed outside the sandbox. And it's not always possible for Sandboxie, which is only looking at WMPlayer, to know that Windows is running WMPlayer.exe because you clicked a WMV file in the sandbox.
I think there were some posts from ssj100 (a forum member) about this a few months ago. You might try to search for those.
_________________ tzuk

Cadillakin
There are some vagaries in Windows launching behavior - that's for sure. If you force those applications properly, they should be sandboxed when launched. I examined the Windows Picture and Fax Viewer in XP, and for me at least, it seems to be managed by rundll32.exe.
WEIRD ISSUES arose for me after reading your posts and testing. I have my download folder (C:\downloads) forced. When I launch a jpg file from that folder, it is opened by my default viewer, ACDSee Classic, and the file and app are sandboxed. But if I change the default viewer to Windows Picture and Fax, the launched file opens for a quick second in the viewer and immediately crashes. (Edit: If I don't attempt to change the default viewer first and just launch in the Windows Viewer, no crash)
Further weirdness occurs when I changed the default pic viewer to Paint Shop Pro.. All works as it should for the initial launching. Everything is sandboxed when launched by PSP. But when I go back to the same file and launch again, Paint Shop Pro (set as default moments before) does not launch, it launches in Windows Picture and Fax Viewer and in this case, the Windows viewer doesn't crash at all!
Jeez.. I'm not even going to mess with it.. I'll just disable Sandboxie temporarily, set the default viewer back to ACDSee and pretend this never happened.
_________________ XP-Pro SP3, Buffalo Router w/ NAT & SPI Firewall, Sandboxie 3.44

Mike
Hi tzuk, thanks for the reply.
But perhaps not known to the average user, even after a reasonable search of the forums. I'm completely confident that Sandboxie does exactly what you designed it to do. However, this may differ from what the user reasonably thinks it will do, and may lead to files unintentionally being opened unsandboxed. Perhaps, when displaying the notification that "The program or document will start under the supervision of Sandboxie", it would help to add a small caveat?
Last edited by Mike on Mon Nov 16, 2009 10:49 pm; edited 1 time in total

Mike
@tzuk: Thanks for referring me to ssj100's posts, which I hadn't found in previous searches. If this behavior surprised a regular forum contributor like ssj100, surely it will surprise others? The thread is here: Windows Picture and Fax Viewer.
@Cadillakin: Thanks for testing this out!

ssj100
This issue is rather interesting. Sandboxie, DefenseWall, and GeSWall all have this same issue.
For example, if you try to open a .jpg file, and Windows Picture and Fax Viewer is your default picture viewer:
1. Forced sandboxed folder (Sandboxie): the file opens unsandboxed (that is, no protection).
2. Untrusted file (DefenseWall): the file opens trusted (that is, no protection).
3. Isolated file (GeSWall): the file opens unisolated (that is, no protection).
The same goes for certain video file types and if Windows Media Player is your default video player. As Tzuk has explained, Sandboxie (and others) isn't always able to recognise that an executable has run and capture it to run sandboxed (or untrusted or isolated).
For me, this isn't a (security) issue anymore - the concern is if an exploit is found in Windows Picture and Fax Viewer (e.g. those .wmf exploits discovered back in 2005/06) or Windows Media Player, malware may be able to execute via remote code (on simply opening a .jpg file for example) and harm your system.
However, in my search to achieve "100%" security with the minimum of security programs, I devised a rather simple method:
1. Force sandbox all malware threat-gates (e.g. web browsers, chat messenger programs, online games, P2P programs)
2. When recovering a file (from an unknown/untrusted source) out of the sandbox and on to the REAL system, browse and open it with a sandboxed explorer.exe.
Doing this ensures that ALL files will open sandboxed. As described above, relying on a forced sandboxed folder instead does not give "100%" protection.
I think the simplest way of opening newly introduced files on your REAL system with a sandboxed explorer.exe would be as follows: http://www.wilderssecurity.com/showpost.php?p=1566867&postcount=146
For me, I (almost) always recover newly introduced files on to my desktop, so it's just a matter of creating a shortcut (as described in the above link) to open my desktop sandboxed with a single click - I simply put the shortcut in my Quick Launch bar for extremely easy access.

Cadillakin
Right! In Explorer, this is true. But in my explorer replacement, XYPlorer, the file opens sandboxed - as intended. There are no file associations set in XYPlorer, so it's using Windows associations.
I guess if Tzuk used the disclaimer that Mike suggested a few posts back, he might have to add, "unless opened by third party explorer replacements like XYPlorer.. then everything works as it's supposed to." Just kidding - sort of.. It's a bit of a mess.

Mike
And for good reason, I trust. I don't object to Sandboxie's behavior, but I think the pop-up message can easily be misinterpreted. There's no hint that anything will run unsandboxed, absent some exploit.
When opening sandboxed files from an unsandboxed Explorer, WMP will open unsandboxed, regardless of whether it's your default player. Just try right-click > "Open with".
It's counterintuitive that this applies to explicitly forced folders... but I guess I can see why. I think the Forced Folders documentation could be clarified, since it states that "if any program from that folder starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox."
Last edited by Mike on Mon Nov 16, 2009 10:52 pm; edited 1 time in total

Mike
I don't think it has anything to do with associations. The behavior seems specific to the way explorer.exe integrates and interacts with WMP and Windows Photo Viewer (aka Picture and Fax Viewer).

Cadillakin
Yeah, I know.. I just added that so that there wouldn't be any thought given that XYPlorer was somehow configured to launch the files differently than Explorer. (For instance, XYplorer will bypass Windows defaults and launch using its own associations.. It also can utilize a scripting language to launch with complex parameters - but none of those are in effect) It's just a file manager that works in launching and sandboxing files from forced folders.. whereas Windows' own file manager, explorer.exe, sometimes doesn't - as per this thread.