Failed to communicate with Sandboxie Service: *GUIPROXY_00000001 Error!

[kimpurcell]

Hi, I keep getting these errors whenever I hit the keyboard or move the mouse in a Sandboxed window.

SBIE2203 Failed to communicate with Sandboxie Service: *GUIPROXY_00000001 -

I get multiple of these errors. Please help!

[DavidXanatos]

do you have any other security software installed that ma interferer?

[kimpurcell]

No I don't have any other security software installed. It happens whenever I move the mouse or hit the keyboard after launching a game. The message doesn't happen when I'm using a gamepad.

[typpos]

I get this error with some Unity and Unreal-based games. Application runs and shows strange behaviour: Mouse/keyboard actions work on UI-elements like buttons and menus, but not on "main game area", eg, objects on maps. Example: Torchlight III. Unable to get past "select class" intro screen because unable to select a class from map, but able to select menu options to start of exit game.

Win 10 Pro. Sandboxie version 5.33.1 (64 bit)

Edit: correction: Torchlight III is Unreal-based, not Unity-based. Got mixed up with another app.

[kimpurcell]

yes, that's exactly what I"m facing. It's a 3D game, and mouse doesn't respond. Moving the mouse or hitting the keyboard triggers the GUIPROXY error.

[typpos]

@kimpurcell do you find that at app-startup in full-screen your mouse cursor is at the top-left corner and not responding until you either click the mouse or ALT-TAB out then back?

I wonder if the issue is related to user input or actually the result of screen coordinate mapping to world space. From distant memory, the Game APIs have different pathways for determining mouse positions in world space vs UI elements. Either way, many other games work just fine, so it's confusing (and frustrating).

Another one that does not work is Tropico 6. Game starts fine; can click around on menus to configure and start a game; but once the world map shows it's impossible to select buildings. Popup dialogs work fine. Zooming in/out works fine.

[kimpurcell]

For me it's Cyberpunk 2077. I have my scaling set at 150% since I have a huge monitor. I have to ALT-TAB out of that annoying Sandboxie window and use my gamepad for it to work.

[typpos]

Same. Can't even "press space to continue" during intro video.

[kimpurcell]

Yeah ☹️

[isaak654]

@DavidXanatos I think you can remove the "more info needed" label, as the info was effectively provided by the author of the issue.

[DavidXanatos]

For me it's Cyberpunk 2077. I have my scaling set at 150% since I have a huge monitor. I have to ALT-TAB out of that annoying Sandboxie window and use my gamepad for it to work.

So... to get rid of the annoying window you should be able to set the message to be always ignored.
The message is related to cursor position clipping and does not seam to cause any other problems.

The not working input is a unrelated issue, it is caused by the sandbox isolation,
you can work that around by adding NoAddProcessToJob=y to the particular box in which you are running the game,
but WARNING that will weaken the sandbox isolation!!!

Is that an workable solution for you?

[typpos]

you can work that around by adding NoAddProcessToJob=y to the particular box in which you are running the game,
but WARNING that will weaken the sandbox isolation!!!

I can't find any documentation for that setting. It's noted as a new debug-option for v.0.3.5, but what does it do and how does it lower security? The apps I run tend to be fully dis/untrusted.

[kimpurcell]

For me it's Cyberpunk 2077. I have my scaling set at 150% since I have a huge monitor. I have to ALT-TAB out of that annoying Sandboxie window and use my gamepad for it to work.

So... to get rid of the annoying window you should be able to set the message to be always ignored.
The message is related to cursor position clipping and does not seam to cause any other problems.

The not working input is a unrelated issue, it is caused by the sandbox isolation,
you can work that around by adding NoAddProcessToJob=y to the particular box in which you are running the game,
but WARNING that will weaken the sandbox isolation!!!

Is that an workable solution for you?

Thanks, David! I’m afraid I need the sandbox isolation. May I know how NoAddProcessToJob weakens the isolation?

[kimpurcell]

you can work that around by adding NoAddProcessToJob=y to the particular box in which you are running the game,
but WARNING that will weaken the sandbox isolation!!!

I can't find any documentation for that setting. It's noted as a new debug-option for v.0.3.5, but what does it do and how does it lower security? The apps I run tend to be fully dis/untrusted.

I have the same question and concerns. I hope Sandboxie is secure, so many hacking incidents nowadays can’t trust any executable. Malware can be hidden so well it’s 99% undetectable.

[DavidXanatos]

Having the process in a job adds the following restrictions:
info.UIRestrictionsClass = JOB_OBJECT_UILIMIT_EXITWINDOWS
| JOB_OBJECT_UILIMIT_HANDLES
| JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS
| JOB_OBJECT_UILIMIT_READCLIPBOARD;

EXITWINDOWS and READCLIPBOARD is quite self explanatory
these are user handles: https://docs.microsoft.com/en-us/windows/win32/sysinfo/user-objects this restriction primarily prevents processes from sending window messages across the sandbox boundary
and those are the system parameters https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-systemparametersinfoa

Now, being in a job is not the only thing that prevents processes from sending window messages to un sandboxed processes, the UIPI mechanism https://en.wikipedia.org/wiki/User_Interface_Privilege_Isolation also prevents sending messages to most un sandboxed processes, except when they have the integrity level set to un-trusted.

So the job object isolates here mostly one sandbox from an other, as all sandboxed processes have un-trusted integrity level.

I think for running games it in a dedicated sandbox it is fairly reasonable to specify NoAddProcessToJob=y for that game box.

[typpos]

Thanks, @DavidXanatos. Interesting details.

I can confirm Tropico 6 works with Sandboxie v5.45.0 x64 if "NoAddProcessToJob=y" is set. The GUI Proxy errors still pop up but can seemingly be ignored. Tropico 6 does not work without this setting.

@kimpurcell: I now got Cyberpunk to work in v5.45.0 WITHOUT the "NoAddProcessToJob" setting. Puzzling because it didn't work previously when I tried a new version of sandboxie.

[DavidXanatos]

I suspect the issue is related to #176 the proper fix for it will be to hook the troublesome functions and proxy all the requests through the helper service.

[DavidXanatos]

It indeed was related to #176 I have fixed it and now i.e. with the next build you will be able to have working space bar, and other input without "NoAddProcessToJob=y"

also since a minor error i will remove the error message related to clip cursor, it seals that most calls to that function work fine, an it just sometimes randomly fails.

[kimpurcell]

That’s excellent news David! Thank you!

[Rocha015]

Ter o processo em um trabalho adiciona as seguintes restrições:
info.UIRestrictionsClass = JOB_OBJECT_UILIMIT_EXITWINDOWS
| JOB_OBJECT_UILIMIT_HANDLES
| JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS
| JOB_OBJECT_UILIMIT_READCLIPBOARD;

EXITWINDOWS e READCLIPBOARD são bastante autoexplicativos.
Estes são os identificadores de usuário: https://docs.microsoft.com/en-us/windows/win32/sysinfo/user-objects esta restrição impede principalmente que os processos enviem mensagens de janela através do limite da sandbox
e aqueles são os parâmetros do sistema https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-systemparametersinfoa

Agora, estar em um trabalho não é a única coisa que impede os processos de enviar mensagens de janela para processos fora da área restrita, o mecanismo UIPI https://en.wikipedia.org/wiki/User_Interface_Privilege_Isolation também impede o envio de mensagens para a maioria dos processos fora da área restrita, exceto quando eles têm o nível de integridade definido como não confiável.

Portanto, o objeto de trabalho isola aqui principalmente uma área restrita de outra, já que todos os processos em área restrita têm um nível de integridade não confiável.

Acho que, para rodar jogos em uma caixa de areia dedicada, é bastante razoável especificar NoAddProcessToJob=ypara essa caixa de jogo.

Please explain to me what are the procedures for me to add this command correctly.

I am very layman in matters related to Sandbox. And I'm facing this same problem from the author of the topic and the others who commented.

My game doesn't recognize keyboard and mouse input when I run it in the sandbox.