Can't run npm inside security hardened sandbox on Windows 11 #3505

Closed
Zeblote opened this issue Dec 19, 2023 · 6 comments
Labels
fixed in next build (Fixed in the next Sandboxie version), Win 11 (Windows 11 issues), Workaround (Temporary or alternative solution)

Comments


Zeblote commented Dec 19, 2023

Describe what you noticed and did

  1. Install the current version of node.js outside the sandbox
  2. Create a normal sandbox and open sandboxed command prompt
  3. Run node --version, it works
  4. Run npm --version, it works
  5. Create a security hardened sandbox and open sandboxed command prompt
  6. Run node --version, it works
  7. Run npm --version, nothing happens, as if I had typed an empty command

How often did you encounter it so far?

Always

Affected program

npm

Download link

https://nodejs.org/dist/v20.10.0/node-v20.10.0-x64.msi

Where is the program located?

The program is installed only outside the sandbox.

Expected behavior

It should print the version number inside the security hardened sandbox, too

What is your Windows edition and version?

Windows 11 Pro 23H2

In which Windows account do you have this problem?

A Microsoft account (Administrator).

Please mention any installed security software

Windows Defender

What version of Sandboxie are you running?

Sandboxie-Plus v1.12.4

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

I did not have this problem on Windows 10 running an earlier version of v1.12

In which sandbox type do you have this problem?

In a security hardened sandbox (orange sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No

Crash dump

It didn't crash

Trace log

Not sure if related to resource access

Sandboxie.ini configuration

It's a default security hardened sandbox on a default new install

Zeblote added the "Confirmation pending" (Further confirmation is requested) label Dec 19, 2023

offhub (Collaborator) commented Dec 22, 2023

Can you try with this setting:

NormalFilePath=\Device\BootDevice\Windows\System32\AppLocker\SCRIPT.AppLocker

offhub added the "Workaround" (Temporary or alternative solution) label Dec 22, 2023

Zeblote (Author) commented Dec 29, 2023

Thanks, can confirm that works!

offhub added "Win 11" (Windows 11 issues) and removed "Confirmation pending" (Further confirmation is requested) labels Dec 29, 2023

DavidXanatos (Member) commented

@offhub how did you find it's SCRIPT.AppLocker? Also, since C:\Windows should be a normal file path already, I wonder why this extra directive is needed.
Could you advise how to create such a test case? My Windows 11 VM does not have SCRIPT.AppLocker and works with node npm just fine without the directive.

DavidXanatos added the "ToDo" (To be done) label Jan 6, 2024

offhub (Collaborator) commented Jan 6, 2024

  1. First, I figured out which setting was causing the problem.
  2. When I found out that there was a problem with RestrictDevices=y, I filtered the paths containing \Device\ from the trace log and tried the ones I found as NormalFilePath (the first result was AppLocker).

[Attachment: sbie3505applckr01]

> Could you advise how to create such a test case, my Windows 11 VM does not have SCRIPT.AppLocker

That file does not exist on my system either. This is a fresh Windows 11 23H2 installation with Core Isolation/Memory Integrity, UAC always notify, and local admin account.

sbie3505applckr01.mp4
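
The procedure offhub describes above (filter the trace log for paths containing \Device\, then try each one as NormalFilePath), sketched as an added example that is not code from this thread or from Sandboxie. The tab-separated trace layout and the sample lines are constructed, and the glob check against existing rules only approximates Sandboxie's own path matching.

```python
import fnmatch

# Constructed sample trace. The tab-separated layout (time, process, type,
# path) is an assumption, not Sandboxie's documented trace export format.
SAMPLE_TRACE = "\n".join("\t".join(row) for row in [
    ("12:00:01", "cmd.exe", "File",
     r"\Device\BootDevice\Windows\System32\AppLocker\SCRIPT.AppLocker"),
    ("12:00:01", "cmd.exe", "File", r"C:\Program Files\nodejs\npm.cmd"),
    ("12:00:02", "cmd.exe", "File",
     r"\device\bootdevice\windows\system32\applocker\script.applocker"),
    ("12:00:03", "node.exe", "File",
     r"\Device\HarddiskVolume3\Example Dir\data.bin"),
])


def device_paths(trace_text):
    # Unique NT device paths in first-seen order; NT paths are compared
    # case-insensitively, so the lowercase form is the dedupe key.
    seen = {}
    for line in trace_text.splitlines():
        for field in line.split("\t"):
            field = field.strip()
            if field.lower().startswith("\\device\\"):
                seen.setdefault(field.lower(), field)
    return list(seen.values())


def covered(path, patterns):
    # Approximation of rule matching: case-insensitive glob where '*'
    # matches any run of characters, backslashes included.
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)


def candidate_directives(trace_text, existing=()):
    # One NormalFilePath line per device path no existing rule covers.
    return ["NormalFilePath=" + p for p in device_paths(trace_text)
            if not covered(p, existing)]


if __name__ == "__main__":
    for line in candidate_directives(SAMPLE_TRACE):
        print(line)
```

Passing the broader `\Device\BootDevice\Windows*` rule as `existing` drops the AppLocker candidate, leaving only paths that rule does not reach.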

DavidXanatos (Member) commented

Hmm... with a clean VM I can reproduce it. Not sure what I disabled in my regular dev VM that the SRP is not there. I will add
NormalFilePath=\Device\BootDevice\Windows*
NormalFilePath=\Device\BootPartition\Windows*
to the default templates for SMod

DavidXanatos added "fixed in next build" (Fixed in the next Sandboxie version) and removed "ToDo" (To be done) labels Jan 6, 2024
DavidXanatos added a commit that referenced this issue Jan 6, 2024

offhub (Collaborator) commented Jan 6, 2024

There was another similar case. #2449
