Releases: sandboxie-plus/Sandboxie

Release v1.0.3 / 5.55.3

12 Dec 21:58
Pre-release

This build introduced a new major feature: hooking of Win32k system calls. It is currently used for only a handful of calls and does not yet work for 32-bit applications running on a 64-bit host; that limitation is being worked on.

This feature resolves the hardware acceleration issues with Chromium-based browsers. It can be enabled like this:

[screenshot]

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

  • added mechanism to hook Win32k system calls on Windows 10 and later, this should resolve the issue with Chromium HW acceleration
    -- Note: this mechanism does not yet work for 32 bit applications running under WoW64
    -- to enable it, add "EnableWin32kHooks=y" to the global ini section, this feature is highly experimental (!)
    -- the hooks will be automatically applied to Chromium GPU processes
    -- to force Win32k hooks for all processes in a selected box, add "AlwaysUseWin32kHooks=program.exe,y" #1261 #1395

Fixed

  • fixed bug in GetVersionExW making "OverrideOsBuild=..." not working #605 #1426
  • fixed issue with some UTF-8 characters when used in the ini file
  • fixed isolation issue with Virtual Network Editor #1102

Release v1.0.2 / 5.55.2

08 Dec 22:44
c81761b
Pre-release

This build fixes bugs introduced recently

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[1.0.2 / 5.55.2] - 2021-12-08

Fixed

  • fixed recovery window not refreshing count on reload #1402
  • fixed printing issue introduced in 1.0.0 #1397
  • fixed issues with CreateProcess function #1408

Release v1.0.1 / 5.55.1

07 Dec 09:25
Pre-release

This build fixes bugs introduced in the last pre-release build

Known Issues

  • printing does not work, will be fixed in the next release

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

  • added checkboxes to most major box options lists
  • added SumatraPDF templates (by Dyras) #1391

Changed

  • rolled back change to "OpenClsid=..." handling
  • made all major lists in the box options editable

Fixed

  • fixed issue with read only paths introduced in 1.0.0
  • fixed BSOD issue introduced in the 1.0.0 build #1389
  • fixed multiple BITS notifications while running sandboxed Chromium browsers (by isaak654) ca320ec #1081
  • fixed executables selection for "Run Menu" entries (by isaak654) #1379
  • fixed SetCursorPos and ClipCursor ignoring DPI awareness (by alvinhochun) #1394

Removed

  • removed Virtual Desktop Manager template (by isaak654) d775807 #1326

Release v1.0.0 / 5.55.0

17 Nov 10:39
be57234
Pre-release

Version 1.0.0 is here and brings a lot of new major features, hence it's a pre-release; test it and expect new bugs as well, at least in the new features. I expect the final to be 1.1.0 or so.

The first major feature is Privacy Mode. Here most of the PC is treated like a Write[File/Key]Path, meaning the sandbox locations are writable but the unsandboxed locations are not readable. The hard disk appears empty except for C:\Windows and C:\Program Files, and the registry only allows reading of the machine root keys but not the user root keys. This way sandboxed processes can work but cannot access private user data.

To make this mode useful, another feature called “Rule Specificity” has been implemented. It can be enabled independently but is always enabled in Privacy enhanced boxes. It allows rules to override other rules; this is not based on specifying an order or priority, but on measuring how specific a rule is and always giving the highest priority to the most specific rule.
Here the specificity is measured by the length of the path that matches the rule, excluding the last wildcard.

So, for example, take the built-in privacy rules plus a custom one:
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles*
NormalFilePath=C:\Program Files*
NormalFilePath=C:\Windows*
WriteFilePath=C:*
Here the rules are ordered by their specificity.
There is also a new rule type, Normal[File/Key/Ipc]Path, which defines a default sandbox behavior for a path.
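
A simplified model of the specificity rule described above, as an added example that is not Sandboxie's own code: each rule is scored by the length of the path it matches, excluding what the last wildcard consumed, and the highest score wins regardless of rule order. The `%AppData%` expansion, the sample paths and the helper names are constructed; treating wildcard-free patterns as exact matches and keeping the first rule on a tie are assumptions.

```python
import re

# Constructed value: what %AppData% expands to for a hypothetical user.
ENV = {"%AppData%": r"C:\Users\alice\AppData\Roaming"}

# Rule lines exactly as listed in the release notes.
RULES = [
    r"OpenFilePath=%AppData%\Mozilla\Firefox\Profiles*",
    r"NormalFilePath=C:\Program Files*",
    r"NormalFilePath=C:\Windows*",
    r"WriteFilePath=C:*",
]


def parse_rule(line):
    """Split 'Directive=pattern' and expand the known environment variables."""
    directive, pattern = line.split("=", 1)
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    return directive, pattern


def specificity(pattern, path):
    """Length of the matched path minus what the last '*' consumed.

    Returns None when the pattern does not match the path at all.
    """
    parts = pattern.split("*")
    if len(parts) == 1:
        # Assumption of this model: no wildcard means exact match only.
        regex = re.escape(pattern)
    else:
        head = ".*?".join(re.escape(p) for p in parts[:-1])
        regex = head + "(?P<tail>.*)" + re.escape(parts[-1])
    # Windows paths are compared case-insensitively.
    m = re.fullmatch(regex, path, re.IGNORECASE | re.DOTALL)
    if m is None:
        return None
    tail = m.groupdict().get("tail") or ""
    return len(path) - len(tail)


def resolve(rule_lines, path):
    """Directive of the most specific matching rule, or None if none match."""
    best = None
    for line in rule_lines:
        directive, pattern = parse_rule(line)
        score = specificity(pattern, path)
        # Strict '>' keeps the first rule on a tie (assumption of this model).
        if score is not None and (best is None or score > best[0]):
            best = (score, directive)
    return best[1] if best else None


if __name__ == "__main__":
    samples = [  # constructed paths
        r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\prefs.js",
        r"C:\Users\alice\Documents\taxes.xlsx",
        r"C:\Windows\System32\kernel32.dll",
        r"D:\data\file.bin",
    ]
    for p in samples:
        print(f"{resolve(RULES, p)!s:15} {p}")
```

Reversing `RULES` gives the same result for every path, which is the point of the feature: precedence comes from how much of the path a rule pins down, not from where the rule sits in the ini file.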

The next major feature is "App Compartment" mode ("NoSecurityIsolation=y"). This new mode of operation disables the token-based security isolation, which brings the security down to the level of other sandboxing solutions but greatly improves compatibility. For all use cases where the goal is only compartmentalization, running multiple instances, etc., but not hardcore security, this mode is preferable, as it should avoid many typical Sandboxie issues caused by processes running with a heavily restricted token.
In this mode, file system and registry accesses are still filtered to enforce the access rules; this filtering can be disabled with "NoSecurityFiltering=y".

To ensure this “unsecure” mode is at least as secure as the sandboxing offered by other sandboxing products, a new object access filter was added; it can be enabled with "EnableObjectFiltering=y" in the global settings.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

  • added Privacy enhanced mode, sandboxes with "UsePrivacyMode=y" will not allow read access to locations containing user data
    -- all locations except generic Windows system paths will need to be opened explicitly for read and/or write access
    -- using "NormalFilePath=...", "NormalKeyPath=...", "NormalIpcPath=..." allows locations to be opened as readable and sandboxed

  • added new "App Compartment" mode of operation, it's enabled by adding "NoSecurityIsolation=y" to the box configuration
    -- in this mode, security is traded in for compatibility, it should not be used for untrusted applications
    -- note: in this mode, file and registry filtering are still in place, hence processes run without administrative privileges
    -- it is reasonably safe, all filtering can be disabled with "NoSecurityFiltering=y"

  • added experimental use of ObRegisterCallbacks to filter object creation and duplication
    -- this filtering is independent from the regular SbieDrv's syscall-based filtering, hence it also applies to App Compartments
    -- with it enabled, an application running in a compartment will not be able to manipulate processes running outside the sandbox
    -- Note: this feature improves the security of unisolated App Compartment boxes
    -- to enable this feature, set "EnableObjectFiltering=y" in the global section and reload the driver
    -- when globally activated, the filtering can be disabled for individual boxes with "DisableObjectFilter=y"

  • added "DontOpenForBoxed=n", this option disables the discrimination of boxed processes for open file and open key directives
    -- this behaviour does not really improve security anyways, but may be annoying, also app compartments always disable this

  • added setting to entirely open access to the COM infrastructure

Changed

  • reworked the resource access path matching mechanism to optionally apply more specific rules over less specific ones
    -- for example "OpenFilePath=C:\User\Me\AppData\Firefox" takes precedence over "WriteFilePath=C:\User\Me"
    -- to enable this new behaviour, add "UseRuleSpecificity=y" to your Sandboxie.ini, this behaviour is always enabled in Privacy enhanced mode
    -- added "NormalFilePath=..." to restore default Sandboxie behaviour on a given path
    -- added "OpenConfPath=...", which, similarly to "OpenPipePath=...", is an "OpenKeyPath=..." variant that applies to executables located in the sandbox
  • removed option to copy a box during creation, instead the box context menu offers a duplication option
  • reworked the box creation dialog to offer new box types

Fixed

  • fixed SBIE1401 notification during Sandboxie Plus uninstall (by mpheath) 68fa37d
  • fixed memory leak in driver handling FLT_FILE_NAME_INFORMATION (by Therzok) #1371

Release v0.9.8d / 5.53.3

01 Nov 17:09
2c644d3

This build fixes many bugs.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

  • added checkbox if the user wants SandMan.exe to be started after installation #1318
  • added template for Windows 10 virtual desktop manager #1326

Changed

  • "OpenClsid=..." is no longer restricted to CLSCTX_LOCAL_SERVER execution contexts only
    -- this allows objects with the CLSCTX_INPROC_SERVER flag to be run in the COM helper service
  • in the trace view, now multiple types can be selected at once
  • a few Plus UI entries were made translatable (by gexgd0419) #1320
  • changed default "terminate all boxed processes" key to Shift+Pause (by isaak654) #1337

Fixed

  • fixed ini writing issue with SbieCtrl and the new ini handling mechanism #1331
  • fixed issue with trace log filtering
  • fixed space issue about German language on Plus installer (by mpheath) #1333
  • restored Waterfox phishing template entries with a proper fix (by APMichael) #1334

Release v0.9.8c / 5.53.2

25 Oct 07:12
75939d4

This build fixes many bugs.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

  • added explicit lines on Plus installer to delete empty shell registry keys at uninstall time (by mpheath) 3f661a8

Fixed

  • fixed template sections not showing in editor #1287
  • fixed autodelete box content broken in the previous build #1296 #1324
  • fixed crash in "Browse Content" window #1313
  • fixed issue with icon resolution on Windows 7 #1310
  • fixed invalid "No Inet" status in the status column #1312
  • fixed Windows Explorer search box not working (by isaak654) #1002
  • fixed Waterfox phishing template (by Dyras) #1309
  • fixed issue with Chinese translation files on Plus installer (by mpheath) #1317
  • fixed autorun registry key path on Plus installer (by mpheath) abd2d44
  • fixed memory corruption in SbieSvc.exe

Release v0.9.8b / 5.53.1

19 Oct 19:12
62d3ab6

This build fixes many bugs.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

  • added ability to save trace log to file on Plus UI
  • added French language on Plus UI (by clexanis) #1155

Changed

  • network traffic trace is now properly logged to the driver log instead of to the kernel debug log
  • Plus installer will autostart SandMan.exe after install to fix a taskbar icon issue #3040211
  • Classic installer will show the license agreement when updating #1187

Fixed

  • fixed template sections not showing in editor #1287
  • fixed issue with app ID resulting in some apps showing two button groups in the taskbar #1101
  • fixed issue with maximum ini value length on Plus UI #1293
  • fixed issue handling an empty Sandboxie.ini that got introduced recently #1292
  • fixed issue with "SpecialImages" template (by Coverlin) #1288 #1289
  • fixed issue with box emptying #1296
  • fixed issues with some languages #1304
  • fixed issue with mounted directories #1302
  • added missing translation for qt libraries #1305
  • fixed issue with Windows compatibility assistant #1265
  • fixed issue with process image specific settings #1307

Release v0.9.8 / 5.53.0

15 Oct 19:18
fc137b9

This build fixes many bugs and adds some new features.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

  • added debug switch to disable Sbie console redirection "NoSandboxieConsole=y"
    -- note that this was previously part of "NoSandboxieDesktop=y"
  • added Sbie+ version to the log #1277
  • added uninstall cleanup of extra files for the Plus installer (by mpheath) #1235
  • added set language for Sandman for the Plus installer (by mpheath) #1241
  • added EventLog messages with SbieMsg.dll for the Plus installer (by mpheath)
  • group expansion state is now saved
  • added additional filters to the trace tab
  • added a new section [DefaultTemplates] in Templates.ini which contains mandatory templates that are always applied 0c9ecb0

Changed

  • reworked and extended RPC logging
  • reintroduced the "UseRpcMgmtSetComTimeout=some.dll,n" setting to be used when no "RpcPortBinding" entry is specified
    -- this allows out of box RPC binding to be enabled/disabled independently from the timeout setting
  • the "BoxNameTitle" value can now be set explicitly on a per image name basis #1190

Fixed

  • fixed inability to delete read-only files from sandboxed explorer #1237
  • fixed wrong recovery target in Plus UI #1274
  • fixed SBIE2101 issue introduced with 0.9.7a #1279
  • fixed sorting in the box picker window #1269
  • fixed tray refresh issue #1250
  • fixed tray activity display #1221
  • fixed recovery window not displaying in taskbar #1195
  • fixed dark theme preset not updating in real time #1270
  • fixed Microsoft Edge complaining about "FakeAdminRights=y" #1271
  • fixed issue with using local template in the global section #1212
  • fixed issue with git.exe from MinGW freezing #1238
  • fixed issue with search highlighting when used in dark mode

Removed

  • removed the ability to sort the trace log as it took too much CPU

Release v0.9.7e / 5.52.5

09 Oct 19:46
Pre-release

This is a test build which includes a lot of internal changes, required for future features and improvements.
This build changes how the sandboxie.ini is handled, hence it is recommended to create a backup just in case.

This build fixes two issues handling sandboxie.ini introduced in the 0.9.7 build

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.9.7e / 5.52.5] - 2021-10-09

Changed

  • reworked the settings handling once again, now the driver maintains the order when enumerating,
    -- but for good performance there is a hash map held in parallel for quick exact lookups

[0.9.7d / 5.52.4] - 2021-10-06

Fixed

  • fixed yet another ini issue with the sbiectrl

[0.9.7c / 5.52.3] - 2021-10-05

Fixed

  • fixed yet another handling bug with SbieApi_EnumBoxesEx

[0.9.7b / 5.52.2] - 2021-10-04

Fixed

  • fixed issue with loading a non-Unicode Sandboxie.ini introduced with the previous build

[0.9.7 / 5.52.1] - 2021-10-02

Added

  • added forced process indicator to process status column #1174
  • added "SbieTrace=y" option to trace the interaction between Sandboxie processes and the Sandboxie core components
  • when initializing an empty sandbox, MSI debug keys are set to generate the debug output of MSI installer service
  • added "DisableComProxy=y" allowing to disable COM proxying through the service
  • added "ProcessLimit=..." that allows to limit the max count of processes in a sandbox #1230
  • added missing IPC logging

Changed

  • reworked SbieSvc ini server to allow settings caching and greatly improve performance
    -- Now comments in the Sandboxie.ini are being preserved as well as the order of all entries
  • enabled configuration section list replacement with a hash map to improve configuration performance
  • improved progress and status messages for the Plus installer (by mpheath) #1168
  • reworked RpcSs start mechanics, sandboxed RpcSs and DcomLaunch can now be run as system, use "RunRpcssAsSystem=y"
    -- note: this is generally not recommended for security reasons but may be needed for compatibility in some scenarios
  • reworked WTSQueryUserToken handling to work properly in all scenarios
  • reworked configuration value list to use a hash table for better performance

Fixed

  • fixed Plus upgrade install in Windows 7 (by mpheath) #1194
  • fixed custom autoexec commands being executed on each box start instead of only on the initialization
  • fixed a design issue limiting the maximal amount of processes in one box to 511
  • fixed handle leaks in the lingering process monitor mechanism
  • fixed issue with opening device paths like "\??\FltMgr"
  • fixed build issue with an explicit FileDigestAlgorithm option for driver sign (by isaak654) #1210
  • fixed issue with resource access log sometimes getting corrupted
  • fixed issue with Microsoft Office Click-to-Run #428 #882

Removed

  • removed support for Microsoft EMET (Enhanced Mitigation Experience Toolkit), as it was EOL in 2018
  • removed support for Messenger Plus! Live, as MSN Messenger is EOL since 2013
  • disabled Turkish language on Plus UI for inactivity (by isaak654) #1215

Release v0.9.7 / 5.52.1

02 Oct 09:43
4537f62
Pre-release

This is a test build which includes a lot of internal changes, required for future features and improvements.
This build changes how the sandboxie.ini is handled, hence it is recommended to create a backup just in case.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Added

  • added forced process indicator to process status column #1174
  • added "SbieTrace=y" option to trace the interaction between Sandboxie processes and the Sandboxie core components
  • when initializing an empty sandbox, MSI debug keys are set to generate the debug output of MSI installer service
  • added "DisableComProxy=y" allowing to disable COM proxying through the service
  • added "ProcessLimit=..." that allows to limit the max count of processes in a sandbox #1230
  • added missing IPC logging

Changed

  • reworked SbieSvc ini server to allow settings caching and greatly improve performance
    -- Now comments in the Sandboxie.ini are being preserved as well as the order of all entries
  • enabled configuration section list replacement with a hash map to improve configuration performance
  • improved progress and status messages for the Plus installer (by mpheath) #1168
  • reworked RpcSs start mechanics, sandboxed RpcSs and DcomLaunch can now be run as system, use "RunRpcssAsSystem=y"
    -- note: this is generally not recommended for security reasons but may be needed for compatibility in some scenarios
  • reworked WTSQueryUserToken handling to work properly in all scenarios
  • reworked configuration value list to use a hash table for better performance

Fixed

  • fixed Plus upgrade install in Windows 7 (by mpheath) #1194
  • fixed custom autoexec commands being executed on each box start instead of only on the initialization
  • fixed a design issue limiting the maximal amount of processes in one box to 511
  • fixed handle leaks in the lingering process monitor mechanism
  • fixed issue with opening device paths like "\??\FltMgr"
  • fixed build issue with an explicit FileDigestAlgorithm option for driver sign (by isaak654) #1210
  • fixed issue with resource access log sometimes getting corrupted
  • fixed issue with Microsoft Office Click-to-Run #428 #882

Removed

  • removed support for Microsoft EMET (Enhanced Mitigation Experience Toolkit), as it was EOL in 2018
  • removed support for Messenger Plus! Live, as MSN Messenger is EOL since 2013
  • disabled Turkish language on Plus UI for inactivity (by isaak654) #1215