diff --git a/Content/AdvancedTopics.md b/Content/AdvancedTopics.md index 2f3a48277..6cad9adce 100644 --- a/Content/AdvancedTopics.md +++ b/Content/AdvancedTopics.md @@ -1,5 +1,7 @@ # Advanced Topics +Some advanced topics: + [Sandbox Hierarchy](SandboxHierarchy.md) discusses how Sandboxie isolates programs. [Privacy Concerns](PrivacyConcerns.md) for programs running under Sandboxie. diff --git a/Content/AlertProcess.md b/Content/AlertProcess.md index 04d4ec37f..5ff682225 100644 --- a/Content/AlertProcess.md +++ b/Content/AlertProcess.md @@ -1,18 +1,19 @@ # Alert Process -_AlertProcess_ is a global setting in [Sandboxie Ini](SandboxieIni.md). It specifies names of programs that, if started outside the sandbox, will cause Sandboxie to issue message [SBIE1301](SBIE1301.md). +The _AlertProcess_ setting in [Sandboxie Ini](SandboxieIni.md) is a global configuration that specifies the names of programs triggering message [SBIE1301](SBIE1301.md) when started outside the sandbox. -Usage: -``` - . - . - . - [GlobalSettings] - AlertProcess=iexplore.exe - AlertProcess=firefox.exe + +To utilize this setting, add program names to the [GlobalSettings] section, as demonstrated: + +```ini +[GlobalSettings] +AlertProcess=iexplore.exe +AlertProcess=firefox.exe ``` +This example would trigger an alert if Internet Explorer or Firefox is initiated outside the sandbox. + +### Additional References: -See also: * [Program Settings](ProgramSettings.md). * [Configure Menu > Alert Programs](ConfigureMenu.md#program-alerts). diff --git a/Content/AllPages.md b/Content/AllPages.md index 200ec2c7f..034205ede 100644 --- a/Content/AllPages.md +++ b/Content/AllPages.md @@ -1,4 +1,4 @@ -# All Pages +# Table of Contents ### A diff --git a/Content/AppearanceSettings.md b/Content/AppearanceSettings.md index ec97cbc09..e9c9744ea 100644 --- a/Content/AppearanceSettings.md +++ b/Content/AppearanceSettings.md @@ -1,6 +1,6 @@ # Appearance Settings -Sandboxie Control > Sandbox Settings > Appearance: +Sandbox > Sandbox Options > General Options > Box Options ![](../Media/AppearanceSettings.png) diff --git a/Content/AutoExec.md b/Content/AutoExec.md index 2e58acbf7..c349fb548 100644 --- a/Content/AutoExec.md +++ b/Content/AutoExec.md @@ -4,20 +4,17 @@ _AutoExec_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It specifie Examples: -``` - . - . - . - [DefaultBox] - AutoExec=regedit /s c:\defaultbox.reg - AutoExec=cmd /c del /f "%windir%\system32\someExploitableDLL.dll" +```ini +[DefaultBox] +AutoExec=regedit /s c:\defaultbox.reg +AutoExec=cmd /c del /f "%windir%\system32\someExploitableDLL.dll" ``` -The first example shows using _AutoExec_ to populate the sandboxed registry in some way. The second example shows using _AutoExec_ to delete an undesirable DLL file. In both cases the customization takes place only within the sandbox. +The first example shows using _AutoExec_ to populate the sandboxed registry in some way. The second example shows using _AutoExec_ to delete an undesirable DLL file. In both cases, the customization takes place only within the sandbox. -Multiple _AutoExec_ settings may be specified for a single sandbox. The commands listed are executed one by one. The commands (whether one or any number of them) are executed _once_ in the life-time of a particular sandbox. To get Sandboxie to execute these commands again, the sandbox must be deleted. +Multiple _AutoExec_ settings may be specified for a single sandbox. The commands listed are executed one by one. The commands (whether one or any number of them) are executed _once_ in the lifetime of a particular sandbox. To get Sandboxie to execute these commands again, the sandbox must be deleted. -This is true even if the command execution fails -- it will not be executed again, unless the sandbox is deleted. +This is true even if the command execution fails -- it will not be executed again unless the sandbox is deleted. At this time, there is no corresponding [Sandboxie Control](SandboxieControl.md) configuration for this setting. @@ -25,4 +22,4 @@ At this time, there is no corresponding [Sandboxie Control](SandboxieControl.md) Each _AutoExec_ command, as it is executed by Sandboxie, is recorded in the registry of that sandbox, in the key _HKEY_CURRENT_USER\Software\SandboxieAutoExec_. -The command will not be executed if it was already recorded in the sandboxed registry. Thus, deleting the sandbox clears all recorded _AutoExec_ commands, so they are executed again the next time any sandboxed program starts in that sandbox. But it is also possible to get them to execute again, by manually deleting the command from that sandboxed registry key. +The command will not be executed if it was already recorded in the sandboxed registry. Thus, deleting the sandbox clears all recorded _AutoExec_ commands, so they are executed again the next time any sandboxed program starts in that sandbox. But it is also possible to get them to execute again by manually deleting the command from that sandboxed registry key. diff --git a/Content/AutoRecover.md b/Content/AutoRecover.md index 65d9e73d8..e8a30ff0f 100644 --- a/Content/AutoRecover.md +++ b/Content/AutoRecover.md @@ -1,15 +1,12 @@ # Auto Recover -_AutoRecover_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It is typically specified as _AutoRecover=y_, and enables the Immediate Recovery extension of [Quick Recovery](QuickRecovery.md). +_AutoRecover_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). Typically specified as _AutoRecover=y_, it enables the Immediate Recovery extension of [Quick Recovery](QuickRecovery.md). Usage: -``` - . - . - . - [DefaultBox] - AutoRecover=y +```ini +[DefaultBox] +AutoRecover=y ``` Related [Sandboxie Control](SandboxieControl.md) setting: [Sandbox Settings > Recovery > Immediate Recovery](RecoverySettings.md#immediate-recovery) diff --git a/Content/BoxRootFolder.md b/Content/BoxRootFolder.md index 320db2249..14f4e5088 100644 --- a/Content/BoxRootFolder.md +++ b/Content/BoxRootFolder.md @@ -1,6 +1,6 @@ # Box Root Folder -**This setting is deprecated. Please use [FileRootPath](FileRootPath.md) instead.** +**This setting is deprecated and may be removed in the future. To prevent Sandboxie from breaking in the future, please use [FileRootPath](FileRootPath.md) instead.** _BoxRootFolder_ is a global setting in [Sandboxie Ini](SandboxieIni.md). It specifies the folder containing all sandboxes. One sub-folder is created within the container folder for each sandbox in active use. diff --git a/Content/ClosedClsid.md b/Content/ClosedClsid.md index 6dc215184..2ea3ab4d8 100644 --- a/Content/ClosedClsid.md +++ b/Content/ClosedClsid.md @@ -1,18 +1,16 @@ # Closed Clsid -_ClosedClsid_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md) available since v0.5.3a / 5.45.2. It specifies the COM class identifiers for unsandboxed COM objects that should not be accessible by a sandboxed program. +The _ClosedClsid_ setting in [Sandboxie Ini](SandboxieIni.md) (available since v0.5.3a / 5.45.2) is employed to specify COM class identifiers for unsandboxed COM objects that should be restricted from access by sandboxed programs. -Usage: -``` - . - . - . - [DefaultBox] - ClosedClsid={8BC3F05E-D86B-11D0-A075-00C04FB68820} +To utilize this setting, you can include it in the [DefaultBox] section, as shown below: + +```ini +[DefaultBox] +ClosedClsid={8BC3F05E-D86B-11D0-A075-00C04FB68820} ``` -This example makes the _Windows Management and Instrumentation_ not accessible to sandboxed programs. +In this example, the _Windows Management and Instrumentation_ is designated as not accessible to sandboxed programs. -Related Sandboxie Plus setting: +Additionally, it is related to the Sandboxie Plus setting found under: Sandbox Options > Resource Access > COM diff --git a/Content/Description.md b/Content/Description.md index b7a86e20c..59937010e 100644 --- a/Content/Description.md +++ b/Content/Description.md @@ -1,20 +1,17 @@ # Description -_Description_ is a sandbox settings in [Sandboxie Ini](SandboxieIni.md). It specifies free text, which can explain, for example, the purpose of the sandbox. +The _Description_ setting in [Sandboxie Ini](SandboxieIni.md) allows you to provide explanatory text about the purpose of a specific sandbox. This information is displayed in a balloon pop-up within the _Run Sandboxed_ sandbox selection dialog box. -``` - . - . - . - [DefaultBox] - Description=Example
text. - . - . - . - [PrivateBox] - Description=Access denied to sensitive file locations - ClosedFilePath=%Personal% - ClosedFilePath=D:\MyDocs +To set the description, include it in the sandbox section, such as [DefaultBox] or [PrivateBox], and add the desired free text. You can use the `
` sequence for line breaks, as illustrated below: + +```ini +[DefaultBox] +Description=Example
text. + +[PrivateBox] +Description=Access denied to sensitive file locations +ClosedFilePath=%Personal% +ClosedFilePath=D:\MyDocs ``` -The `
` sequence in the text is used to indicate a line break. The free text is displayed in a balloon pop-up in the _Run Sandboxed_ sandbox selection dialog box. +In this example, the text "Example text" will be displayed for the [DefaultBox] sandbox, and for the [PrivateBox] sandbox, it informs about access denial to specific file locations with the associated closed file paths. diff --git a/Content/DetectingKeyLoggers.md b/Content/DetectingKeyLoggers.md index 8dde593aa..f2b4dcf26 100644 --- a/Content/DetectingKeyLoggers.md +++ b/Content/DetectingKeyLoggers.md @@ -1,94 +1,52 @@ # Detecting Key Loggers -Go to [Help Topics](HelpTopics.md), [Usage Tips](UsageTips.md). +For more detailed information, please refer to [Help Topics](HelpTopics.md) and [Usage Tips](UsageTips.md). -* * * +--- -### Overview +## Overview -It is very difficult to reliably detect all classes of key-loggers. This section first explains why this is so, and concludes by offering a possible defense against them. - -First, a distinction must be made between several classes of key-loggers: - -* external key-loggers -* rootkit key-loggers -* windows hook key-loggers -* windows message key-loggers -* scripted key-loggers +Detecting all classes of key-loggers poses a significant challenge. This section categorizes key-loggers into various classes and explores potential defenses against them. ### External Key-Loggers -External (or hardware) key-loggers are devices that connect to your computer in some way. Two examples are a small device plugged between the keyboard and the computer, or a device that snoops on radio signals transmitted by a wireless keyboard. - -The common principle of key-loggers in this class is that they are _external_ to the Windows system on which they are spying. Software running within Windows cannot detect, remove or protect against external key-loggers. - -The other classes of key-loggers described here are software key-loggers which do operate within Windows. +External (hardware) key-loggers, such as devices connected to the computer, are beyond the reach of software running within Windows. Sandboxie cannot detect or protect against these devices. ### Rootkit Key-Loggers -Rootkit key-loggers record keystrokes at the lowest software level, typically by positioning themselves as a second keyboard hardware driver (a _filter_ driver, in Windows terminology). - -Once installed, this class of key-loggers may provide the best logging facilities, and may be difficult to get rid of. But to be installed in the first place, this key-logger needs the explicit help of the operating system, and so is easily blocked by Sandboxie. - -~~If such a key-logger attempts to install, Sandboxie should report an informational message [SBIE2103](SBIE2103.md), unless the [BlockDrivers](BlockDrivers.md) setting (see also [Sandbox Settings > Restrictions > Low-Level Access](RestrictionsSettings.md#low-level-access--removed)) was explicitly used to disable this protection.~~ +Rootkit key-loggers operate at a low software level, often as secondary keyboard hardware drivers. Sandboxie effectively blocks their installation, as they require explicit help from the operating system. ### Windows Hook Key-Loggers -These key-loggers don't masquerade as hardware drivers, but they still have to ask the operating system to load them (or _hook them_) into every program executing on the desktop. - -It is not uncommon for applications to install such hooks as part of normal operation, and blocking all of them would prevent some programs from running successfully inside the sandbox. - -~~**Removed From Sandboxie - Block Hooks Command**~~ - -~~The approach Sandboxie takes is to honor the hook request partially, by applying the hook only to applications in the same sandbox as the requesting application.~~ - -~~The [BlockWinHooks](BlockWinHooks.md) setting (see also [Sandbox Settings > Restrictions > Low-Level Access](RestrictionsSettings.md#low-level-access--removed)) may be used to explicitly disable this protection.~~ +These key-loggers request the operating system to load or "hook" them into every program executing on the desktop. Sandboxie partially honors these requests, applying the hook only to applications in the same sandbox. ### Windows Message Key-Loggers -This class of key-loggers doesn't need any assistance from the operating system, and can only reliably record activity within one program. However, from the point of view of a supervisory program like Sandboxie, they don't do anything suspicious, and so cannot be stopped. - -In order for a program running on the desktop to actually process the keyboard input, the operating system sends that program a message describing the input. The message key-logger, which is likely running in the same process space as the program being logged, can snoop on these messages in a variety of ways, which don't raise suspicion. - -Typically this key-logger will be a secret Web browser plugin (or a secret component of a plugin), so it can easily record keyboard activity related to the Web browser. +Operating within the same process space as the logged program, these key-loggers intercept keyboard input messages sent by the operating system to the program. Detecting them is challenging for a supervisory program like Sandboxie. ### Scripted Key-Loggers -This class of key-loggers target and compromise the Web site you will be visiting. This is in contrast to the three other forms of key-loggers discussed here, which target and compromise your own computer. - -The JavaScript and VBScript languages offer facilities for a Web page to react to keystrokes. Legitimate uses of these facilities enable the creation of sophisticated Web pages. For example, consider how Google and Yahoo! searches react to the keys you type in order to suggest a possible search string. - -Exploiting security weaknesses in a Web site, a spy embeds a scripted key-logger into one of the pages in the site. These key-logger are practically indistinguishable from other scripts on the same site, and can use the same script facilities to react to your keystrokes, record them or transmit them to a third-party site. - -### Defending Against Key-Logger - -Sandboxie is not designed to detect or disable key-loggers, but it is designed to make sure that sandboxed software stays in the sandbox, that such software can't integrate into Windows, and that it can be completely discarded when you delete the sandbox. - -This means that if you take care to carry out all untrusted activity in the sandbox, you can always delete the sandbox to undo the effects of that activity, and restore your computer to a trusted state. - -The first step is to make sure your system is not infected by malicious key-loggers, prior to using Sandboxie. A system scan by an anti-virus or anti-malware tool should help here. - -Then carry out all untrusted activity -- such as browsing the Web, reading email, and testing unknown programs -- only in the restricted area of the sandbox. This doesn't mean you won't be infected by key-loggers, but it does mean you can get rid of them: - -* You can make sure you stop all of them, by telling Sandboxie to stop all activity in all sandboxes. - * See also the **Terminate All Programs** command in the [File Menu](FileMenu.md#terminate-all-programs) and the [Tray Icon Menu](TrayIconMenu.md#terminate-all-programs). -* Once stopped, you can discard the traces of their program code, by deleting the contents of the sandbox. - * See also [Delete Sandbox](DeleteSandbox.md). - -Once discarded, they can no longer record your keyboard activity, and you are safe to browse to trusted sites and enter your passwords. +Scripted key-loggers target and compromise websites, reacting to keystrokes using languages like JavaScript or VBScript. They are challenging to distinguish from legitimate scripts on the site. -Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection. +## Defending Against Key-Loggers -* * * +Sandboxie is not designed to detect or disable key-loggers but ensures sandboxed software stays within the sandbox. By confining untrusted activities to the sandbox, users can delete the sandbox to undo any potential effects and restore their system to a trusted state. -Another protection measure against a key-logger is to configure Sandboxie to deny access to the Internet for anything other than your Web browser, in an attempt to prevent the key-logger from sending out the recorded information. See the setting for "the only program that can access the Internet" in [Program Settings](ProgramSettings.md#internet). +1. **Pre-Sandboxie Steps:** + - Scan your system with an anti-virus or anti-malware tool to ensure it's not infected by key-loggers. -Note two caveats: +2. **Sandboxed Activity:** + - Perform untrusted activities (e.g., browsing, email, testing unknown programs) only in the sandbox. -* The Internet access feature is neither a replacement for a proper firewall, nor was it designed as a mechanism to counter or hinder key-loggers. +3. **Termination and Deletion:** + - Stop all sandboxed activity using the **Terminate All Programs** command. + - Delete the sandbox to discard traces of key-loggers' program code. -* Some key-loggers could possibly circumvent the Internet access restriction by hijacking the Web browser to be used as a vehicle through which to send out the recorded information. +4. **Internet Access Restriction:** + - Configure Sandboxie to deny internet access for anything other than your web browser. This aims to prevent key-loggers from sending out recorded information. -* * * +**Important Notes:** +- Internet access restriction is not a replacement for a firewall and was not designed as a primary defense against key-loggers. +- Some key-loggers may attempt to bypass internet access restrictions by exploiting the web browser to transmit recorded information. -Go to [Help Topics](HelpTopics.md), [Usage Tips](UsageTips.md). +For additional details, refer to [Help Topics](HelpTopics.md) and [Usage Tips](UsageTips.md). diff --git a/Content/FileRootPath.md b/Content/FileRootPath.md index c5393bf59..75b5452b4 100644 --- a/Content/FileRootPath.md +++ b/Content/FileRootPath.md @@ -1,34 +1,27 @@ # File Root Path -_FileRootPath_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It specifies the root folder for a particular sandbox. +The _FileRootPath_ setting in [Sandboxie Ini](SandboxieIni.md) is crucial for defining the root folder in your system for a specific sandbox. This setting can be specified globally or within a sandbox section, providing flexibility. -As with all sandbox settings, it may also be specified in the global section, and in that case will apply for all sandboxes where the setting is not also specified in the sandbox section. +To configure this setting, you can use the following example: -See [Sandbox Hierarchy](SandboxHierarchy.md) for more information. - -Usage: - -``` - . - . - . - [DefaultBox] - FileRootPath=C:\Sandbox\MySandbox +```ini +[DefaultBox] +FileRootPath=C:\Sandbox\MySandbox ``` -The following substitution variables may be useful in this path. +Additionally, you can employ substitution variables in the path for dynamic configurations: -* [Shell Folders](ShellFolders.md) variables such as %Personal% which expands to the user's Documents folder -* The variable %SBIEHOME% which expands to the root of the Sandboxie installation -* The variable %SANDBOX% which expands to the name of the sandbox -* The variable %USER% which expands to the user name -* The variable %SID% which expands to the user security ID (SID) -* The variable %SESSION% which expands to the Terminal Services session number +- `%Personal%`: User's Documents folder +- `%SBIEHOME%`: Root of the Sandboxie installation +- `%SANDBOX%`: Name of the sandbox +- `%USER%`: User name +- `%SID%`: User security ID (SID) +- `%SESSION%`: Terminal Services session number -If _FileRootPath_ is not specified, its default value is constructed using the _deprecated_ [BoxRootFolder](BoxRootFolder.md) setting, thus: +If _FileRootPath_ is not specified, the default value is generated using the _deprecated_ [BoxRootFolder](BoxRootFolder.md) setting: -* `BoxRootFolder\Sandbox\%SANDBOX%` +- `BoxRootFolder\Sandbox\%SANDBOX%` -If _BoxRootFolder_ is also not specified, then the default setting is: +If _BoxRootFolder_ is also absent, the fallback is: -* `C:\Sandbox\%USER%\%SANDBOX%` +- `C:\Sandbox\%USER%\%SANDBOX%` diff --git a/Content/FirefoxTips.md b/Content/FirefoxTips.md index 3dc1360be..a79e54476 100644 --- a/Content/FirefoxTips.md +++ b/Content/FirefoxTips.md @@ -4,100 +4,66 @@ [Sandboxie Control](SandboxieControl.md) > [Sandbox Settings](SandboxSettings.md) > [Applications > Web Browser > Firefox](ApplicationsSettings.md#firefox) -![](../Media/WebBrowserSettings2.png) +![Web Browser Settings](../Media/WebBrowserSettings2.png) -* * * +### Always Run In Sandbox -**Always Run In Sandbox** +**Setting:** Force Firefox to run in this sandbox -* Setting: Force Firefox to run in this sandbox +This option instructs Sandboxie to automatically supervise any instance of Firefox, even if not initiated directly through a Sandboxie facility or command. -This setting tells Sandboxie to automatically supervise any instance of Firefox as it starts, even if it was not started directly through a Sandboxie facility or command. +### Updating Firefox and its Add-ons -* * * +In the default configuration, Firefox and add-on updates occur only within the sandbox. To retain updates after sandbox deletion, run Firefox outside the sandbox when updates are available. Let Firefox complete updating, including necessary restarts, and then restart it under Sandboxie. -**Updating Firefox and its Add-ons** +If Firefox is forced to always run under Sandboxie (as discussed above), use the [Disable Forced Programs](FileMenu.md#disable-forced-programs) command to temporarily disable forced sandboxing. Follow the update procedure mentioned earlier and then use the _Disable Forced Programs_ command again to resume forced sandboxing. -In the default configuration, any updates to Firefox or its add-ons will happen only within the sandbox. When the sandbox is deleted, all such updates will be deleted as well. To avoid this problem, you should run Firefox outside the sandbox when you recognize that any updates are available. Let the normal Firefox finish updating, including any necessary restarts of Firefox. Finally, exit Firefox and restart it under Sandboxie. +### Bookmarks, History, and Favorites -If Firefox is forced to always run under Sandboxie (as discussed above), use the [Disable Forced Programs](FileMenu.md#disable-forced-programs) command to disable forced sandboxing for a duration of several minutes. Then follow the procedure in the preceding paragraph. Finally, use the _Disable Forced Programs_ command again to resume forced sandboxing. +**Setting:** Allow direct access to Firefox bookmarks and history database -* * * +This setting enables Firefox under Sandboxie to store bookmarks outside the sandbox, ensuring persistence even after sandbox deletion. If unselected, bookmarks are stored only in the sandbox and are deleted along with it. -**Bookmarks, History and Favorites** +*Note:* Starting from Firefox 3, the same file (_places.sqlite_) stores both bookmarks and the history of visited sites. -* Setting: Allow direct access to Firefox bookmarks and history database +### Cookies -This setting allows Firefox running under Sandboxie to store bookmarks outside the sandbox, so they can persist even after the sandbox is deleted. When this option is not set, bookmarks are stored only in the sandbox, and will be deleted when the sandbox is deleted. +**Setting:** Allow direct access to Firefox cookies -Please note that, starting from Firefox 3, the same file (called _places.sqlite_) stores both bookmarks and the history of visited sites. Therefore this setting will cause Firefox to also store the history of visited outside the sandbox. +Enabling this setting lets Firefox under Sandboxie store cookies outside the sandbox (_cookies.sqlite_), ensuring persistence after sandbox deletion. If unselected, cookies are stored only in the sandbox and are deleted with it. -~~One approach to this is to install the [PlainOldFavorites](https://www.iosart.com/firefox/plainoldfavorites) add-on, which lets Firefox create and manage Internet Explorer-style Favorites in addition to Mozilla-style bookmarks. Then consult the discussion on favorites in [Internet Explorer Tips](InternetExplorerTips.md#favorites).~~ +An alternative approach is to visit your favorite sites once with a normal Firefox, allowing them to remember you in their cookies. Then switch to a Firefox under Sandboxie to keep any new cookies in the sandbox until deletion. -**Bottom line:** +### Phishing Database -~~* If you don't mind the extra add-on, install PlainOldFavorites to enhance Firefox with Internet Explorer-style favorites, then read the recommendations for handling favorites in [Internet Explorer Tips](InternetExplorerTips.md).~~ -* If you are happy with Firefox bookmarks, then select this setting. +**Setting:** Allow direct access to Firefox phishing database -* * * +Keep this setting selected to allow Firefox under Sandboxie to efficiently update and maintain the phishing database (_urlclassifier*.sqlite_). If unselected, Firefox might need to spend time copying the potentially large file into the sandbox whenever it's deleted. -**Cookies** +### Full Profile Access -* Setting: Allow direct access to Firefox cookies +**Setting:** Allow direct access to the entire Firefox profile folder -This setting allows Firefox running under Sandboxie to store cookies outside the sandbox (in a file called _cookies.sqlite_), so they can persist even after the sandbox is deleted. When this option is not set, cookies are stored only in the sandbox, and will be deleted when the sandbox is deleted. - -An alternative approach is to this setting is to visit your favorite sites once with a normal Firefox, to get these sites to remember you in their cookies. Then switch to a Firefox under Sandboxie, so any new cookies are kept the sandbox until you delete the sandbox. - -**Bottom line:** - -* If you regularly delete cookies, and plan to start regularly using Sandboxie, then you can keep this setting unselected, and you will not have to keep regularly deleting cookies. -* If you need web sites that you visit in a sandboxed Firefox to remember you, then select this setting. - -* * * - -**Phishing Database** - -* Setting: Allow direct access to Firefox phishing database - -This setting allows Firefox running under Sandboxie to update and maintain the database of phishing web sites (a file called _urlclassifier*.sqlite_). When this option is not set, then whenever the sandbox is deleted, Firefox might have to spend time to copy the phishing database (potentially a very large file) into the sandbox, and then download updates to the database. The setting is enabled by default. - -**Bottom line:** Keep the setting selected. - -* * * - -**Full Profile Access** - -* Setting: Allow direct access to entire Firefox profile folder - -This setting allows Firefox running under Sandboxie to have access to any data file within the entire Firefox profile. This setting includes any other Firefox data file mentioned above, and overrides all other "direct access" setting discussed earlier. - -**Bottom line:** Do not select this setting. - -* * * +Avoid selecting this setting, as it grants unrestricted access to all Firefox profile data, overriding other "direct access" settings. ## General Tips -**Automatic Delete Sandbox** +### Automatic Delete Sandbox [Sandboxie Control](SandboxieControl.md) > [Sandbox Settings](SandboxSettings.md) > [Delete](DeleteSettings.md) > [Invocation](DeleteSettings.md#invocation) -![](../Media/DeleteInvocationSettings.png) +![Delete Invocation Settings](../Media/DeleteInvocationSettings.png) -* Setting: Automatically delete contents of sandbox +**Setting:** Automatically delete contents of the sandbox -This setting tells Sandboxie to delete the sandbox whenever all programs in the sandbox stop running. +Enable this setting to automatically delete the sandbox contents when all programs within it stop running. -* * * - -**Highlight Windows of Programs Running Under Sandboxie** +### Highlight Windows of Programs Running Under Sandboxie [Sandboxie Control](SandboxieControl.md) > [Sandbox Settings](SandboxSettings.md) > [Appearance Settings](AppearanceSettings.md) -![](../Media/AppearanceSettings.png) - -* Setting: Display a border around the window +![Appearance Settings](../Media/AppearanceSettings.png) -This setting tells Sandboxie to draw a color border around windows that belong to programs running in this sandbox. The default color is yellow, but you can select a different color for every sandbox. +**Setting:** Display a border around the window -Alternatively, if you wish to blur the distinction between programs running under the supervision of Sandboxie and those that are not, select the setting "Don't show Sandboxie indicator in the window title." +This setting adds a color border around windows of programs running in the sandbox, facilitating visual identification. Optionally, blur the distinction by selecting "Don't show Sandboxie indicator in the window title." diff --git a/Content/ForceDisableSeconds.md b/Content/ForceDisableSeconds.md index 5166d286a..b1d75dfec 100644 --- a/Content/ForceDisableSeconds.md +++ b/Content/ForceDisableSeconds.md @@ -1,12 +1,8 @@ -# Force Disable Seconds +# Force Disable Seconds in Sandboxie -_ForceDisableSeconds_ is a global setting in [Sandboxie Ini](SandboxieIni.md). It specifies the time, in seconds, that the [Disable Forced Programs](FileMenu.md#disable-forced-programs) mode will stay in effect. +**ForceDisableSeconds** is a global setting in [Sandboxie Ini](SandboxieIni.md) that specifies the time, in seconds, for which the [Disable Forced Programs](FileMenu.md#disable-forced-programs) mode will stay in effect. Here is an example of its usage: -Usage: -``` - . - . - . +```ini [GlobalSettings] ForceDisableSeconds=25 ForceDisableSeconds=0 diff --git a/Content/ForceProcess.md b/Content/ForceProcess.md index 4d2a83e86..a3f61e9b4 100644 --- a/Content/ForceProcess.md +++ b/Content/ForceProcess.md @@ -1,11 +1,8 @@ -# Force Process +# Force Process in Sandboxie -_ForceProcess_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It specifies names of programs. If any of these programs are started outside any sandbox, they will be automatically sandboxed in a particular sandbox. For example: +**ForceProcess** is a sandbox setting in [Sandboxie Ini](SandboxieIni.md), allowing the specification of program names. If any of these programs are initiated outside any sandbox, they will be automatically sandboxed in a specified sandbox. Here is an example configuration: -``` - . - . - . +```ini [DefaultBox] ForceProcess=iexplore.exe ForceProcess=firefox.exe @@ -14,15 +11,14 @@ _ForceProcess_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It spec [MailBox] ForceProcess=outlook.exe ForceProcess=cl?cke?.exe - ``` -- `*` defines any character. -- `?` defines one character. +- `*` represents any character. +- `?` represents one character. -The example specifies that Internet Explorer (iexplore.exe), Firefox (firefox.exe), App* (Appga, App03 and etc.). and App? (App1, Appg, Appa and etc.). will be forced to run sandboxed in the sandbox _DefaultBox_. Outlook.exe and cl?cke? (clicker, clicked and etc.). will be forced to run sandboxed in the sandbox _MailBox_. +In this example, Internet Explorer (iexplore.exe), Firefox (firefox.exe), App* (Appga, App03, etc.), and App? (App1, Appg, Appa, etc.) will be forced to run sandboxed in the _DefaultBox_ sandbox. Outlook.exe and cl?cke? (clicker, clicked, etc.) will be forced to run sandboxed in the _MailBox_ sandbox. -Note that the _ForceProcess_ settings only apply to programs that start unsandboxed. If a program is specifically started in a sandbox, or started by a program that is already sandboxed, then _ForceProcess_ settings are not applied. +Note that the _ForceProcess_ settings only apply to programs that start unsandboxed. If a program is specifically started in a sandbox or started by a program that is already sandboxed, then _ForceProcess_ settings are not applied. See also: [ForceFolder](ForceFolder.md). If both a _ForceFolder_ and a _ForceProcess_ are applicable to a program that is starting, the ForceFolder setting takes precedence. diff --git a/Content/HowitWorks.md b/Content/HowitWorks.md index 47d253377..d11d39ed3 100644 --- a/Content/HowitWorks.md +++ b/Content/HowitWorks.md @@ -1,11 +1,11 @@ -# How it Works +# How Sandboxie Works -Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. +Sandboxie runs your programs in an isolated space, preventing them from making permanent changes to other programs and data on your computer. The process is illustrated below: -![](../Media/FrontPageAnimation.gif) +![Sandboxie Animation](../Media/FrontPageAnimation.gif) -![](../Media/FrontPageLegend.png) +![Sandboxie Legend](../Media/FrontPageLegend.png) -The red arrows indicate changes flowing from a running program into your computer. The box labeled _Hard disk (no sandbox)_ shows changes by a program running normally. The box labeled _Hard disk (with sandbox)_ shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a **sandbox**, depicted as a yellow rectangle. It also illustrates that grouping the changes together makes it easy to delete all of them at once. +The red arrows indicate changes flowing from a running program into your computer. The box labeled _Hard disk (no sandbox)_ shows changes by a program running normally, while the box labeled _Hard disk (with sandbox)_ shows changes by a program running under Sandboxie. The animation demonstrates that Sandboxie can intercept and isolate these changes within a **sandbox**, represented as a yellow rectangle. Grouping the changes together in this sandbox makes it easy to delete all of them at once. **[Download Sandboxie](https://github.com/sandboxie-plus/Sandboxie/releases) now and give it a try!** diff --git a/Content/InjectDll.md b/Content/InjectDll.md index de740a7a9..9cb5282bc 100644 --- a/Content/InjectDll.md +++ b/Content/InjectDll.md @@ -1,48 +1,42 @@ # Inject Dll +The _InjectDll_ setting in [Sandboxie Ini](SandboxieIni.md) allows Sandboxie to inject a specified DLL into every program within the sandbox. This can be useful for extending functionality or implementing custom behavior. -_InjectDll_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It tells Sandboxie to "inject" some DLL into every program in the sandbox. "Inject" means the DLL is -``` - . - . - . - [DefaultBox] - InjectDll=c:\Program Files\Sandboxie Utilities\Sample.dll +To implement this setting, you should include it in the [DefaultBox] section, providing the full path to the DLL, as demonstrated below: + +```ini +[DefaultBox] +InjectDll=c:\Program Files\Sandboxie Utilities\Sample.dll ``` -You should specify a full path to the DLL. If the DLL file itself resides within the sandbox, specify the full path inside the sandbox. +Ensure that the full path is specified, and if the DLL resides within the sandbox, use the full path inside the sandbox. -**Note:** The InjectDll setting specifies 32-bit DLLs, and will be ignored in a 64-bit process on 64-bit Windows. Use the [InjectDll64](InjectDll64.md) setting to specify 64-bit DLLs. +**Note:** The InjectDll setting is for 32-bit DLLs and won't affect 64-bit processes on 64-bit Windows. For 64-bit DLLs, use the [InjectDll64](InjectDll64.md) setting. -* * * +### DLL Loading Order: -The order of DLLs loaded into the sandboxed program is thus: +1. Ntdll.dll +2. KernelBase.dll (only on Windows 7) +3. Kernel32.dll +4. SbieDll.dll (64-bit SbieDll or 32-bit SbieDll on 64-bit Windows) +5. _InjectDlls_ (loaded in order specified in Sandboxie.ini) +6. Optionally, ShimEng (or AppHelp on Windows 7) and related DLLs +7. All [statically-linked](https://msdn.microsoft.com/en-us/library/ms684184(VS.85).aspx) DLLs -Ntdll.dll -KernelBase.dll (only on Windows 7) -Kernel32.dll -SbieDll.dll (on 64-bit Windows, this can be either the 64-bit SbieDll or the 32-bit SbieDll) -_InjectDlls_ (loaded in the order specified in Sandboxie.ini) -Optionally, ShimEng (or AppHelp on Windows 7) and related DLLs -All [statically-linked](https://msdn.microsoft.com/en-us/library/ms684184(VS.85).aspx) DLLs +This behavior is applicable from Sandboxie version 3.46 onwards. Earlier versions had a different loading behavior, explained below: -The behavior described above applies to Sandboxie version 3.46 and later. Earlier versions of Sandboxie implemented a different behavior which is described below: +The injected DLL loads into the sandboxed process after the initialization of statically-linked DLLs but before the program execution starts at its entry point. -The injected DLL is loaded into the sandboxed process (or program) after all the statically-linked DLLs are loaded and initialized, but before the program itself begins to execute at its entry point. +### DLL Interaction: -* * * +If the DLL exports **InjectDllMain** or **InjectDllMain@8**, Sandboxie will call this procedure after loading. Declare InjectDllMain in your code as follows: -If the DLL exports the symbol **InjectDllMain** or **InjectDllMain@8**, Sandboxie will call this procedure after the DLL is loaded, and pass the address of the SbieDll module. Declare InjectDllMain in your code: -``` - __declspec(dllexport) void __stdcall InjectDllMain( - HINSTANCE hSbieDll, ULONG_PTR UnusedParameter); +```c +__declspec(dllexport) void __stdcall InjectDllMain(HINSTANCE hSbieDll, ULONG_PTR UnusedParameter); ``` -It is recommended to use the **hSbieDll** parameter as the module instance handle for SbieDll.Dll, instead of relying on GetModuleHandle("SbieDll.dll"). This makes it possible for the injected DLL to interact with SbieDll.dll regardless of the actual name used for SbieDll.dll. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine. +It's recommended to use the **hSbieDll** parameter as the module instance handle for SbieDll.Dll for interaction. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also acceptable. -* * * - -At this time, this setting cannot be manipulated from [Sandboxie Control](SandboxieControl.md). You have to manually edit it into [Sandboxie Ini](SandboxieIni.md). +**Note:** This setting is not adjustable from [Sandboxie Control](SandboxieControl.md) at this time; manual editing of [Sandboxie Ini](SandboxieIni.md) is required. See also: [InjectDll64](InjectDll64.md), [SBIE DLL API](SBIEDLLAPI.md), [Start Command Line](StartCommandLine.md). - diff --git a/Content/LingerProcess.md b/Content/LingerProcess.md index 4753b36b1..7f154dff1 100644 --- a/Content/LingerProcess.md +++ b/Content/LingerProcess.md @@ -1,22 +1,20 @@ # Linger Process -_LingerProcess_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It specifies names of programs that will be automatically terminated, when they are the last programs that remain in execution in a particular sandbox. This is useful as some programs occasionally launch _helper programs_ to carry out a specific task, and the helper program remains in execution even after the original program has ended. For example: +_LingerProcess_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It specifies names of programs that will be automatically terminated when they are the last programs that remain in execution in a particular sandbox. This is useful as some programs occasionally launch _helper programs_ to carry out a specific task, and the helper program remains in execution even after the original program has ended. For example: -``` - . - . - . - [DefaultBox] - LingerProcess=jusched.exe +```ini +[DefaultBox] +LingerProcess=jusched.exe ``` _jusched.exe_ is part of the Sun Java framework. It is occasionally launched when Internet Explorer starts the Java framework. This _LingerProcess_ example setting specifies that if _jusched.exe_ remains the last program running in the sandbox DefaultBox, then it should be terminated. -LingerProcess will not terminate a process, if that process was the first process launched in the sandbox. +LingerProcess will not terminate a process if that process was the first process launched in the sandbox. -For example, the default configuration includes Adobe Acrobat Reader as a LingerProcess, because it is typically launched when viewing PDF files through the Web browser, and remains running even after the browser has closed. -``` - LingerProcess=acrord32.exe +For example, the default configuration includes Adobe Acrobat Reader as a LingerProcess because it is typically launched when viewing PDF files through the Web browser and remains running even after the browser has closed. + +```ini +LingerProcess=acrord32.exe ``` However, if you manually start Adobe Acrobat Reader sandboxed, for example by running it from the Sandboxie Start Menu, then the LingerProcess setting will not apply to that process. diff --git a/Content/MessagesFromSandboxie.md b/Content/MessagesFromSandboxie.md index 36c5bb42a..4abade860 100644 --- a/Content/MessagesFromSandboxie.md +++ b/Content/MessagesFromSandboxie.md @@ -4,26 +4,29 @@ The _Messages From Sandboxie_ window is displayed automatically whenever Sandbox The window displays one message per line, as in the example below. -![](../Media/MessagesFromSandboxie.png) +![Messages From Sandboxie](../Media/MessagesFromSandboxie.png) -Clicking the _Help_ button opens the Web browser and navigates to the documentation page for the highlighted message. +Clicking the _?_ button opens the Web browser and navigates to the documentation page for the highlighted message. -Clicking the _Hide_ button indicates that you don't wish to receive this message again. If the message contains an information detail, the _Hide_ button hides the message only in combination with that particular detail. +Clicking the _Dismiss > Hide all such message_ button indicates that you don't wish to receive this message again. If the message contains an information detail, the _Hide all such message_ button hides the message only in combination with that particular detail. -For example, the [SBIE1304](SBIE1304.md) message shown above has the detail _osk.exe_. In this case, the _Hide_ button will hide future occurrences of [SBIE1304](SBIE1304.md) for _osk.exe_. If [SBIE1304](SBIE1304.md) is issued for some other program name, it will still be displayed. +For example, the [SBIE2313](SBIE2313.md) message shown above has the detail _SandboxieCrypto.exe_. In this case, the _Hide all such message_ button will hide future occurrences of [SBIE2313](SBIE2313.md) for _SandboxieCrypto.exe_. If [SBIE2313](SBIE2313.md) is issued for some other program name, it will still be displayed. Clicking the _Close_ button closes the window. ## Log Messages To A File It's possible to log _Messages From Sandboxie_ to a file with a simple configuration inside the registry: + ```cmd reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFile /d "2;C:\Windows\System32\LogFiles\Sandboxie.log" /f ``` + The `LogFile` value consists of two pieces of information: - `2` is the log level. Only two values are correct: `2` (classic log) or `3` (log with process SID) - `C:\Windows\System32\LogFiles\Sandboxie.log` is the full path of the log Example of output for a log level of 2: + ``` 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] @@ -33,17 +36,20 @@ Example of output for a log level of 2: Since version 1.3.3 / 5.58.3, it is possible to pass logs in verbose mode to have the SID of the account used by the target process. Example of output for a log level of 3: + ``` 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - powershell.exe [ChromeBox] (DESKTOP-RZ4242\administrator) 2022-09-02 01:04:18 SBIE1308 Program cannot start due to restrictions - HelpPane.exe [ChromeBox] (DESKTOP-RZ4242\administrator) ``` -Another registry key allows to filter and split logs on specific messages: +Another registry key allows filtering and splitting logs on specific messages: + ```cmd reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFile /d "2;C:\Windows\System32\LogFiles\Sandboxie.log" /f reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v MultiLog /d "1308,1307" /f ``` + This simple configuration will: -- put all logs without filter inside `C:\Windows\System32\LogFiles\Sandboxie.log` -- create _one file per box_ (ie: `C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log`) with only event 1308 and 1307 +- put all logs without a filter inside `C:\Windows\System32\LogFiles\Sandboxie.log` +- create _one file per box_ (i.e., `C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log`) with only events 1308 and 1307 diff --git a/Content/NormalKeyPath.md b/Content/NormalKeyPath.md index 32b12295a..aa2c15b44 100644 --- a/Content/NormalKeyPath.md +++ b/Content/NormalKeyPath.md @@ -1,24 +1,22 @@ # Normal Key Path -_Normal Key Path_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It specifies path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is most useful in combination with [Rule Specificity](../PlusContent/RuleSpecificity.md) where it allows to restore default sandboxing behaviour for paths whose parents have been configured as Open, WriteOnly, or even Closed. +The _Normal Key Path_ setting in [Sandboxie Ini](SandboxieIni.md) defines path patterns for which Sandboxie will apply the default sandboxing scheme. This setting is particularly useful when combined with [Rule Specificity](../PlusContent/RuleSpecificity.md), allowing the restoration of default sandboxing behavior for paths whose parents have been configured as Open, WriteOnly, or even Closed. [Program Name Prefix](ProgramNamePrefix.md) may be specified. -Example: +### Example: +```ini +[DefaultBox] +NormalIpcPath=*BaseNamedObjects*\__ComCatalogCache__ +NormalIpcPath=*BaseNamedObjects*\ComPlusCOMRegTable +NormalIpcPath=*BaseNamedObjects*\RotHintTable +NormalIpcPath=*BaseNamedObjects*\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5} +NormalIpcPath=*BaseNamedObjects*\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9} +NormalIpcPath=\RPC Control\actkernel +NormalIpcPath=\RPC Control\epmapper +NormalIpcPath=\RPC Control\OLE* +NormalIpcPath=\RPC Control\LRPC* ``` - . - . - . - [DefaultBox] - NormalIpcPath=*BaseNamedObjects*\__ComCatalogCache__ - NormalIpcPath=*BaseNamedObjects*\ComPlusCOMRegTable - NormalIpcPath=*BaseNamedObjects*\RotHintTable - NormalIpcPath=*BaseNamedObjects*\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5} - NormalIpcPath=*BaseNamedObjects*\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9} - NormalIpcPath=\RPC Control\actkernel - NormalIpcPath=\RPC Control\epmapper - NormalIpcPath=\RPC Control\OLE* - NormalIpcPath=\RPC Control\LRPC* -``` \ No newline at end of file +In this example, the _NormalIpcPath_ setting defines specific inter-process communication (IPC) paths that adhere to the default sandboxing scheme. This helps maintain the default behavior for these paths even if their parent paths have custom sandboxing configurations. diff --git a/Content/NotifyInternetAccessDenied.md b/Content/NotifyInternetAccessDenied.md index dfbf170b9..010f8ae71 100644 --- a/Content/NotifyInternetAccessDenied.md +++ b/Content/NotifyInternetAccessDenied.md @@ -1,16 +1,17 @@ # Notify Internet Access Denied -_NotifyInternetAccessDenied_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It is typically specified as _NotifyInternetAccessDenied=y_, and indicates that Sandboxie should issue message [SBIE1307](SBIE1307.md) when programs are denied access to the Internet. +_NotifyInternetAccessDenied_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md), typically specified as _NotifyInternetAccessDenied=y_. It signals that Sandboxie should issue message [SBIE1307](SBIE1307.md) when programs are denied access to the Internet. -Usage: -``` - . - . - . - [DefaultBox] - NotifyInternetAccessDenied=y +### Usage: + +```ini +[DefaultBox] +NotifyInternetAccessDenied=y ``` -Related [Sandboxie Control](SandboxieControl.md) setting: [Sandbox Settings > Restrictions > Internet Access](RestrictionsSettings.md#internet-access) +This setting is added to the [DefaultBox] section to enable notifications for Internet access denials within the sandbox. + +### Related Settings: -Related [Sandboxie Control](SandboxieControl.md) setting: [Program Settings](ProgramSettings.md#page-2) +- [Sandboxie Control](SandboxieControl.md) setting: [Sandbox Settings > Restrictions > Internet Access](RestrictionsSettings.md#internet-access) +- [Sandboxie Control](SandboxieControl.md) setting: [Program Settings](ProgramSettings.md#page-2) diff --git a/Content/OpenClsid.md b/Content/OpenClsid.md index 78d4ccb1a..816280f9f 100644 --- a/Content/OpenClsid.md +++ b/Content/OpenClsid.md @@ -1,6 +1,6 @@ # Open Clsid -_OpenClsid_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It specifies the COM class identifiers for unsandboxed COM objects that should be accessible by a sandboxed program. +_OpenClsid_ is a sandbox setting in [Sandboxie Ini](SandboxieIni.md). It specifies the COM class identifiers for unsandboxed COM objects that should be accessible by a sandboxed program. This allows unsandboxed COM ports to be accessed by sandboxed apps. Examples: ``` diff --git a/Content/PortableSandbox.md b/Content/PortableSandbox.md index 60a663d37..a724b8c7b 100644 --- a/Content/PortableSandbox.md +++ b/Content/PortableSandbox.md @@ -1,11 +1,21 @@ # Portable Sandbox -The revised [layout of the sandbox](SandboxHierarchy.md) that is introduced in version 2.80 allows for greater portability of the sandbox across computers. By redirecting programs to create sandboxed objects which have a nonspecific path, it is possible to populate a sandbox on one computer, then carry this sandbox to another computer and keep using it. +Version 2.80 introduces a revised layout for the sandbox, enhancing portability across computers. This is achieved by redirecting programs to create sandboxed objects with nonspecific paths, allowing users to create a sandbox on one computer and seamlessly transfer it to another. -For example, consider installing a game program to a portable device such as a USB memory stick which is mounted as drive P. The game may install its files to a folder on drive P, but any menu shortcuts it creates will be installed in the Windows Start menu of the local computer, outside drive P. And any registry keys it creates will also be created in the Windows registry, also outside the USB device. +**Example Scenario:** +Imagine installing a game program on a USB memory stick mounted as drive P. If the game installs files to a folder on drive P, but creates shortcuts in the local computer's Start menu and registry keys outside the USB device, portability becomes challenging. -By contrast, if you set the [container folder](SandboxMenu.md#set-container-folder) to drive P (for instance _P:\Sandbox_), then install the game into the (sandboxed) drive C, then _all_ objects created by the installation will be redirected to drive P. +**Sandboxie Solution:** +By setting the [container folder](SandboxMenu.md#set-container-folder) to drive P (e.g., _P:\Sandbox_), installing the game into the sandboxed drive C ensures that all objects created during installation are redirected to drive P. -You can then carry the USB drive to another computer where Sandboxie is installed, and set the container folder on that other computer to drive P. Through the Sandboxie Start menu, you will see the menu shortcuts installed by the game, and when you start it, the game will find its settings as they were recorded in the sandboxed registry. +**Portability Steps:** +1. Install the game into the (sandboxed) drive C. +2. Carry the USB drive to another computer with Sandboxie installed. +3. Set the container folder on the other computer to drive P. -Note that Sandboxie itself is not portable software, but it facilitates the portability of a large number of applications. +**Benefits:** +- Menu shortcuts installed by the game are accessible through the Sandboxie Start menu. +- The game retrieves its settings from the sandboxed registry, maintaining consistency across different computers. + +**Note:** +Sandboxie itself is not portable software, but it significantly enhances the portability of numerous applications. diff --git a/Content/PrivacyConcerns.md b/Content/PrivacyConcerns.md index 7cfb8a52f..0bea8c560 100644 --- a/Content/PrivacyConcerns.md +++ b/Content/PrivacyConcerns.md @@ -1,122 +1,48 @@ # Privacy Concerns -This is an advanced topic, which explains that even after running a program under Sandboxie, your computer may still record _which_ programs were executed or what they did. It is important to emphasize that this is not a security breach as it will never allow sandboxed programs to infect or otherwise abuse your computer. However, this may be interesting reading for those concerned with the privacy aspects of using Sandboxie. +**Overview:** +This advanced topic delves into the privacy implications of running a program under Sandboxie. While Sandboxie's primary goal is isolating and containing program actions for system cleanliness, it doesn't prevent Windows from keeping records of your computer activities. This explanation clarifies the privacy aspects and various mechanisms that may record information about the programs you run. +**Prefetch and SuperFetch:** +- Prefetch and SuperFetch in Windows store copies of program files in the Prefetch folder, even for programs executed under Sandboxie. +- Configurable behavior: [Enable Prefetcher](https://www.ghacks.net/2008/01/13/enableprefetcher-in-prefetchparameters), [Customize SuperFetch](https://www.howtogeek.com/998/change-superfetch-to-only-cache-system-boot-files-in-vista), [Disable SuperFetch](https://www.howtogeek.com/989/how-to-disable-superfetch-on-windows-vista). -**Overview** +**MUI Cache:** +- Windows Explorer records launched programs in the registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache). +- Information within the sandbox is kept in the sandbox registry. +- Third-party registry clearing tools can erase this information. -The guiding principle of Sandboxie is to isolate and contain any actions taken by programs that Sandboxie supervises, for the purpose of keeping your computer and operating system in a clean and healthy state. +**Windows 7 Taskbar:** +- Windows Explorer stores taskbar icon information in specific folders. +- Sandbox Settings > Applications > Miscellaneous includes a setting for taskbar jump lists. -Most of the side effects of running a program under Sandboxie are in fact caused by the very program that is running under Sandboxie, and are gone when the sandbox is deleted. For example, a Web browser running under Sandboxie will record your browsing history in the sandbox, and this history will be completely erased when you delete the sandbox. +**Windows Page File:** +- Memory contents of sandboxed and normal programs may coexist in the Windows page file. +- Possible configurations: [Clear Page File at Shutdown](https://winaero.com/clear-pagefile-shutdown-windows-10), [Encrypt Page File in Windows Vista](https://www.vistax64.com/threads/virtual-memory-paging-file-clear-at-shutdown.157323). -Thus it is easy to make a small leap of logic from the guiding principle above, and assume that a principle of Sandboxie is to protect your privacy and clean any all traces caused directly or indirectly by any program running under its supervision. However, this assumption would not be correct. +**Windows Hibernate File:** +- Similar to the page file, the hibernate file may contain memory bits used by sandboxed programs. -Sandboxie puts a great deal of effort into containing the actions taken by the program it supervises, however Sandboxie makes no effect at all to prevent your own Windows operating system from keeping records of what you do in your computer. +**System Restore:** +- System Restore may create backup copies in its folders for sandboxed files/programs. +- Moving the sandbox to C:\TEMP\SANDBOX can make System Restore ignore it. -One who makes the incorrect assumption of extreme concern for privacy on the part of Sandboxie might be surprised to find several kinds of traces and logs in Windows that record which programs have been running, even inside the sandbox. +**System, Audit, and Other Event Logs:** +- Windows Event Viewer records information about running programs. +- Security auditing may log details of actions by a program under Sandboxie. -This page will explain the various known mechanisms that record information about the programs you run, either inside or outside the supervision of Sandboxie. +**Windows System Tray Icons:** +- Programs running under Sandboxie place icons in the real system tray. +- Manual clearing of tray icon history in Windows. -**Prefetch and SuperFetch** +**Disk Defragmentation:** +- Sandboxie's isolation occurs at the file level, unaffected by disk defragmentation. -Prefetch, introduced in Windows XP, and SuperFetch, introduced in Windows Vista, make up the [prefetcher](https://en.wikipedia.org/wiki/Prefetcher) component in Windows. +**IP Privacy:** +- Sandboxie's isolation is local, not visible to remote computers. +- Internet access appears the same, and third-party solutions offer anonymous web browsing. -This component is designed to improve application start up time by keeping copies of program files in a location that can be quickly accessed. The copies are kept in a folder called _Prefetch_ that resides within the main Windows folder; typically that is _C:\Windows\Prefetch_. +**Windows DNS Host Cache:** +- Sandboxie doesn't prevent logging and storage of DNS Hosts files on the Windows machine. -Windows may store copies of programs files in this Prefetch folder even when the programs were executed under Sandboxie. - -Prefetch behavior can be reduced to caching only programs using during the boot sequence, or to not cache anything at all. Follow these links for more information: - -[https://www.ghacks.net/2008/01/13/enableprefetcher-in-prefetchparameters](https://www.ghacks.net/2008/01/13/enableprefetcher-in-prefetchparameters) -[https://www.howtogeek.com/998/change-superfetch-to-only-cache-system-boot-files-in-vista](https://www.howtogeek.com/998/change-superfetch-to-only-cache-system-boot-files-in-vista) -[https://www.howtogeek.com/989/how-to-disable-superfetch-on-windows-vista](https://www.howtogeek.com/989/how-to-disable-superfetch-on-windows-vista) - -**MUI Cache** - -Windows Explorer records in the registry the names of programs that are launched directly through it. This includes launching programs through the Start menu, the desktop, the quick launch area, or any folder views. It is true even if the right-click "Run Sandboxed" action is used to launch the program under Sandboxie. - -The recorded information is kept in this registry key: -``` - HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache -``` - -If launch a program through a Sandboxie facility (such as the Sandboxie Start menu) or through a program which is already running under Sandboxie, then this information is kept in the registry inside the sandbox. - -There are various third-party registry clearing tools that can erase this information. - -**Windows 7 Taskbar** - -On Windows 7 and later, Windows Explorer stores information associated with icons on the taskbar. This information includes the icon for the program and the command used to launch it. The information is stored in files in the following folder, within the user profile folder. -``` - %Appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts -``` - -The [Sandbox Settings > Applications > Miscellaneous](ApplicationsSettings.md#miscellaneous) settings page includes the setting "Permit programs to update jump lists in the Windows 7 taskbar". If this setting is enabled, additional files are created in the following folders, within the user profile folder. -``` - %Appdata%\Microsoft\Windows\Recent\CustomDestinations - %Appdata%\Microsoft\Windows\Recent\AutomaticDestinations -``` - -**Windows Page File** - -During its normal course of operation, Windows sometimes needs to put away the contents of memory used by one program in order to make room for another program. The memory contents are stored in the Windows [page file](https://www.howtogeek.com/126430/what-is-the-windows-page-file). - -Programs that run under Sandboxie are still running in the same Windows operating system as any other program in the computer, so portions of sandboxed and normal programs may end up sitting side by side in the same page file. - -It is possible to configure Windows to clear the contents of the page file at shutdown. More information [here](https://winaero.com/clear-pagefile-shutdown-windows-10) and [here](https://www.vistax64.com/threads/virtual-memory-paging-file-clear-at-shutdown.157323). - -It is possible to configure Windows Vista to encrypt the contents of the page file: -``` - * Run _secpol.msc_ to open the Local Security Policy editor - * Expand the group labeled _Public Key Policies_ - * Right-click _Properties_ on the item labeled _Encrypting File System_ - * Select _Allow_ to enable Encrypting File System - * Check the box to _Enable pagefile encryption_. - * Click OK and reboot to put the new setting into effect. -``` - -**Windows Hibernate File** - -Similar to the Windows Page File, the hibernate file stores a copy of the memory and state of the system before the computer is turned off as part of the hibernate process. Thus the hibernate file may contain bits of memory that were used by a sandboxed program. - -**System Restore** - -Restore points are snapshots of the state of the operating system at some points in time. The System Restore components in Windows XP and later versions of Windows records and restores these snapshots. - -Snapshots are recorded in the (typically inaccessible) folder called _System Volume Information_ and may include [many types of files](https://docs.microsoft.com/en-us/windows/win32/sr/monitored-file-extensions) found throughout the system, including within the folders of the sandbox. - -Thus it is possible that System Restore will create backup copies in its folders for files or programs that exist only in the sandbox. - -The System Restore component ignores files and folders in temporary folders, so [moving the sandbox](SandboxMenu.md) to C:\TEMP\SANDBOX instead of the default C:\SANDBOX should cause System Restore to ignore the sandbox when creating a snapshot. - -**System, Audit and Other Event Logs** - -Windows sometimes records bits of information about running programs in its various [event logs](https://en.wikipedia.org/wiki/Event_Viewer). Typically, very little if any information is logged about a program. However, if security auditing has been enabled for some aspects of the system, Windows will have no trouble logging the details of any actions taken by a program running under Sandboxie. - -Windows has an Event Viewer program which can be used to view and delete the event logs. [More information here](https://www.howtogeek.com/123646/htg-explains-what-the-windows-event-viewer-is-and-how-you-can-use-it). - -**Windows System Tray Icons** - -When a programs which is running under Sandboxie asks to place an icon in the [system tray area](https://www.computerhope.com/issues/chsys.htm), Sandboxie lets the program place the icon in the real system tray, which is typically located at the bottom right corner of the display. - -This has the advantage that interaction with the tray icon of the sandboxed program is as easy as interacting with any other tray icon. However, it also means that Windows will record this icon and its description in the history of all tray icons it has ever displayed. - -It is possible to manually clear this history in [Windows](https://www.howtogeek.com/739/clean-up-past-notification-icons-in-windows-vista). There may also be third-party registry clearing tools that can erase this information. - -**Disk Defragmentation** - -Disk defragmenter software can be used to organize the contents of the hard disk at the level of data blocks, so that files may be accessed faster by the operating system. - -Although this is not a privacy concern, the issue of sandboxed programs being able to defragment the disk has been raised and should be addressed. - -Sandboxie isolation occurs at the higher file level rather than the lower level of data blocks. Moving data blocks around on the disk has no impact on the isolation of the sandbox, and cannot be used by a malicious program to somehow "move" its data out of the sandbox. - -**IP Privacy** - -Sandboxie isolation and protection occurs entirely within the local computer and is not visible to any other remote computer. Thus accessing the Internet using a sandboxed program looks the same as accessing the Internet using a program that is not running under Sandboxie. In both cases the remote computer identifies the accessing computer by its IP address. - -There are various third-party solutions for anonymous Web access. More information [here](https://en.wikipedia.org/wiki/Anonymous_web_browsing). - -**Windows DNS Host Cache** - -Sandboxie does not prevent the logging and storage of DNS Hosts files (Your DNS cache) on your Windows machine. This is written to C:\Windows\System32\drivers\etc in Windows. +Note: While Sandboxie prioritizes isolation, user awareness of additional Windows mechanisms is crucial for a comprehensive understanding of privacy implications. diff --git a/Content/StartCommandLine.md b/Content/StartCommandLine.md index 48ea4134b..390f7e0c7 100644 --- a/Content/StartCommandLine.md +++ b/Content/StartCommandLine.md @@ -1,217 +1,136 @@ # Start Command Line -The Sandboxie Start program can do any of the following, depending on command line parameters specified to it. +The Sandboxie Start program can perform various actions based on the command line parameters specified to it. Here are the available options: -* [Start](#start-programs) programs under the supervision of Sandboxie -* [Stop](#stop-programs) sandboxed programs -* [List](#list-programs) sandboxed programs -* [Delete](#delete-contents-of-sandbox) the contents of a sandbox -* [Reload](#reload-configuration) Sandboxie configuration -* Initiate the [Disable Forced Programs](#disable-forced-programs) mode -* [Related](#related-reading-material) reading material - -* * * -### Start Programs +## Start Programs This is the default behavior. By specifying a full or partial path to a program's executable file, Sandboxie Start will launch that program under the supervision of Sandboxie: -``` - "C:\Program Files\Sandboxie\Start.exe" c:\windows\system32\notepad.exe - "C:\Program Files\Sandboxie\Start.exe" notepad.exe -``` -Two special program names are allowed: -``` - "C:\Program Files\Sandboxie\Start.exe" default_browser - "C:\Program Files\Sandboxie\Start.exe" mail_agent +```plaintext +"C:\Program Files\Sandboxie\Start.exe" c:\windows\system32\notepad.exe +"C:\Program Files\Sandboxie\Start.exe" notepad.exe ``` -Sandboxie Start can also display the Run Any Program dialog window, or the Sandboxie Start Menu, depending on parameters specified: -``` - "C:\Program Files\Sandboxie\Start.exe" run_dialog - "C:\Program Files\Sandboxie\Start.exe" start_menu -``` +Two special program names are allowed: -In all forms, the parameter _/box:SandboxName_ is applicable, and may be specified between Start.exe and the parameter, to indicate a sandbox name other than the default of _DefaultBox_. For example: -``` - "C:\Program Files\Sandboxie\Start.exe" /box:TestBox run_dialog +```plaintext +"C:\Program Files\Sandboxie\Start.exe" default_browser +"C:\Program Files\Sandboxie\Start.exe" mail_agent ``` -A special form of the /box parameter is _/box:_**_ask_**__ and causes Start.exe to display the sandbox selection dialog box. +Sandboxie Start can also display the Run Any Program dialog window or the Sandboxie Start Menu, depending on parameters specified: -The parameter _/silent_ can be used to eliminate some pop-up error messages. For example: -``` - "C:\Program Files\Sandboxie\Start.exe" /silent no_such_program.exe +```plaintext +"C:\Program Files\Sandboxie\Start.exe" run_dialog +"C:\Program Files\Sandboxie\Start.exe" start_menu ``` -In both silent and normal operation, Start.exe exits with a zero exit code on success, or non-zero on failure. In batch files, the exit code can be examined using the _IF ERRORLEVEL_ condition. +In all forms, the parameter `/box:SandboxName` is applicable and may be specified between Start.exe and the parameter to indicate a sandbox name other than the default of `DefaultBox`. For example: -The parameter _/elevate_ can be used to run a program with Administartor privileges on a system where User Account Control (UAC) is enabled. For example: -``` - "C:\Program Files\Sandboxie\Start.exe" /elevate cmd.exe +```plaintext +"C:\Program Files\Sandboxie\Start.exe" /box:TestBox run_dialog ``` -The parameter _/env_ can be used to pass an environment variable: -``` - "C:\Program Files\Sandboxie\Start.exe" /env:VariableName=VariableValueWithoutSpace - "C:\Program Files\Sandboxie\Start.exe" /env:VariableName="Variable Value With Spaces" -``` - -The parameter _/hide_window_ can be used to signal that the starting program should not display its window: -``` - "C:\Program Files\Sandboxie\Start.exe" /hide_window cmd.exe /c automated_script.bat -``` +Other parameters include `/silent` to eliminate some pop-up error messages, `/elevate` to run a program with Administrator privileges, `/env` to pass an environment variable, `/hide_window` to signal that the starting program should not display its window, and `/wait` to run a program, wait for it to finish, and return the exit status from the program. -The parameter _/wait_ can be used to run a program, wait for it to finish, and return the exit status from the program: -``` - "C:\Program Files\Sandboxie\Start.exe" /wait cmd.exe -``` +Example with multiple parameters: -Note that Start.exe is a Win32 application and not a console application, so the system "start" command is useful here to force the system to wait for Start.exe to finish: -``` - start /wait "C:\Program Files\Sandboxie\Start.exe" /wait cmd /c exit 9 - echo %ERRORLEVEL% - 9 -``` - -The system waits for Start.exe to finish, which in turn waits for "cmd /c exit 9" to finish, and then the exit status 9 is returned all the way back. - -Parameters can be combined in any order. For example: -``` - "C:\Program Files\Sandboxie\Start.exe" /box:CustomBox /silent MyProgram.exe +```plaintext +"C:\Program Files\Sandboxie\Start.exe" /box:CustomBox /silent MyProgram.exe ``` -### Stop Programs +## Stop Programs Terminate all programs running in a particular sandbox. Note that the request is transmitted to the Sandboxie service SbieSvc, which actually carries out the termination. -``` - "C:\Program Files\Sandboxie\Start.exe" /terminate - "C:\Program Files\Sandboxie\Start.exe" /box:TestBox /terminate - "C:\Program Files\Sandboxie\Start.exe" /terminate_all -``` - -If the parameter _/box:SandboxName_ is omitted, programs running in the default sandbox, _DefaultBox_, will be stopped. - -The form _/terminate_all_ terminates all programs in all sandboxes. - -* * * - -### Unmount Box Images -These commands unmount encrypted box images or RAM disks created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. +```plaintext +"C:\Program Files\Sandboxie\Start.exe" /terminate +"C:\Program Files\Sandboxie\Start.exe" /box:TestBox /terminate +"C:\Program Files\Sandboxie\Start.exe" /terminate_all ``` - "C:\Program Files\Sandboxie-Plus\Start.exe" /unmount - "C:\Program Files\Sandboxie-Plus\Start.exe" /box:EncryptedBox /unmount - "C:\Program Files\Sandboxie-Plus\Start.exe" /unmount_all -``` - -If the parameter _/box:SandboxName_ is omitted, default sandbox, _DefaultBox_ image, will be unmounted. -The form _/unmount_all_ terminates all programs in all encrypted sandboxes and unmounts all encrypted box images, including RAM disks created by Sandboxie Plus. +## Unmount Box Images -### Mount Box Images +Unmount encrypted box images or RAM disks created by Sandboxie Plus. -These commands mount encrypted box images created by Sandboxie Plus. These parameters are available since v1.11.0 / 5.66.0. -``` - "C:\Program Files\Sandboxie-Plus\Start.exe" /key:[box image password] /mount_protected - "C:\Program Files\Sandboxie-Plus\Start.exe" /key:[box image password] /mount - "C:\Program Files\Sandboxie-Plus\Start.exe" /box:EncryptedBox /key:[box image password] /mount_protected - "C:\Program Files\Sandboxie-Plus\Start.exe" /box:EncryptedBox /key:[box image password] /mount +```plaintext +"C:\Program Files\Sandboxie-Plus\Start.exe" /unmount +"C:\Program Files\Sandboxie-Plus\Start.exe" /box:EncryptedBox /unmount +"C:\Program Files\Sandboxie-Plus\Start.exe" /unmount_all ``` -If the parameter _/box:SandboxName_ is omitted, default sandbox, _DefaultBox_ image, will be mounted. +## Mount Box Images -The form _/mount_protected_ mounts encrypted box images with the _Box Root Protection_. _Box Root Protection_ prevents processes running outside the sandbox from accessing the root folder of the encrypted box. +Mount encrypted box images created by Sandboxie Plus. -* * * +```plaintext +"C:\Program Files\Sandboxie-Plus\Start.exe" /key:[box image password] /mount_protected +"C:\Program Files\Sandboxie-Plus\Start.exe" /key:[box image password] /mount +"C:\Program Files\Sandboxie-Plus\Start.exe" /box:EncryptedBox /key:[box image password] /mount_protected +"C:\Program Files\Sandboxie-Plus\Start.exe" /box:EncryptedBox /key:[box image password] /mount +``` -### List Programs +## List Programs List the system process ID numbers for all programs running in a particular sandbox. -``` - "C:\Program Files\Sandboxie\Start.exe" /listpids - "C:\Program Files\Sandboxie\Start.exe" /box:TestBox /listpids -``` -If the parameter _/box:SandboxName_ is omitted, programs running in the default sandbox, _DefaultBox_, will be listed. - -The output is formatted as one number per line. The first line contains the number of programs, followed by one process ID per line. Example output: -``` - "C:\Program Files\Sandboxie\Start.exe" /listpids | more - 3 - 3036 - 2136 - 384 +```plaintext +"C:\Program Files\Sandboxie\Start.exe" /listpids +"C:\Program Files\Sandboxie\Start.exe" /box:TestBox /listpids ``` -Note that Start.exe is not a console applications, so the output does not appear in a command prompt window unless you pipe the output using a construct such as `| more`. +If the parameter `/box:SandboxName` is omitted, programs running in the default sandbox, `DefaultBox`, will be listed. -* * * +## Delete Contents of Sandbox -### Delete Contents of Sandbox -``` - "C:\Program Files\Sandboxie\Start.exe" delete_sandbox - "C:\Program Files\Sandboxie\Start.exe" delete_sandbox_silent +```plaintext +"C:\Program Files\Sandboxie\Start.exe" delete_sandbox +"C:\Program Files\Sandboxie\Start.exe" delete_sandbox_silent ``` -The _/box:SandboxName_ parameter may be specified between Start.exe and the delete command. +The `/box:SandboxName` parameter may be specified between Start.exe and the delete command. The `silent` suffix on the delete command indicates Sandboxie Start should silently ignore any errors and not display any error messages. -The __silent_ suffix on the delete command, indicates Sandboxie Start should silently ignore any errors and not display any error messages. +The delete operation occurs in two phases: Phase 1 scans the contents of the sandbox and processes files that could pose a problem during the second phase. Phase 2 deletes any sandboxes that were processed in phase 1. -The delete operation occurs in two phases: +Example commands for specific phases: -* Phase 1 scans the contents of the sandbox and processes files which could pose a problem during the second phase: - * Junctions (also known as reparse points) are removed. - * Read-only files and directories are made fully accessible. - * Files and directories that have very long names are renamed to shorter names. - * Renames the sandbox to the format `__Delete_(sandbox name)_(some random number)`. For example, if the sandbox is DefaultBox, it could be renamed to `__Delete_DefaultBox_01C4012345678912`. - -* Phase 2 deletes any sandboxes that were processed in phase 1\. - * Sandboxes that were processed in phase 1 are those that have been renamed as described above. - * More than one sandbox may be deleted in phase 2\. - * By default, the standard system command RMDIR is used to delete the renamed sandbox folder. - * Alternatively, a third-party delete utility may used. See [Secure Delete Sandbox](SecureDeleteSandbox.md). - -Issuing the _delete_sandbox_ command causes Start.exe to invoke phase 1 followed by phase 2\. Start.exe also accepts these commands to invoke a specific phase: -``` - "C:\Program Files\Sandboxie\Start.exe" delete_sandbox_phase1 - "C:\Program Files\Sandboxie\Start.exe" delete_sandbox_phase2 - "C:\Program Files\Sandboxie\Start.exe" delete_sandbox_silent_phase1 - "C:\Program Files\Sandboxie\Start.exe" delete_sandbox_silent_phase2 +```plaintext +"C:\Program Files\Sandboxie\Start.exe" delete_sandbox_phase1 +"C:\Program Files\Sandboxie\Start.exe" delete_sandbox_phase2 +"C:\Program Files\Sandboxie\Start.exe" delete_sandbox_silent_phase1 +"C:\Program Files\Sandboxie\Start.exe" delete_sandbox_silent_phase2 ``` -* * * +## Reload Configuration -### Reload Configuration +Reload the Sandboxie configuration in SandboxieIni into the active -This command reloads the Sandboxie configuration in SandboxieIni into the active Sandboxie driver. Typically useful after manually editing the Sandboxie.ini file. -``` - "C:\Program Files\Sandboxie\Start.exe" /reload + Sandboxie driver. Typically useful after manually editing the Sandboxie.ini file. + +```plaintext +"C:\Program Files\Sandboxie\Start.exe" /reload ``` Note that reloading the configuration does not take effect on sandboxed programs that are already running when this command is issued. -* * * +## Disable Forced Programs -### Disable Forced Programs +Run a program outside the sandbox, even if the program is forced. Similar to using the Run Outside Sandbox option from the sandbox selection window of the Run Sandboxed command. -The following command runs a program outside the sandbox, even if the program is forced. It is similar to using the Run Outside Sandbox option from the sandbox selection window of the Run Sandboxed command. -``` - "C:\Program Files\Sandboxie\Start.exe" /dfp c:\path\to\program.exe - "C:\Program Files\Sandboxie\Start.exe" /disable_force c:\path\to\program.exe +```plaintext +"C:\Program Files\Sandboxie\Start.exe" /dfp c:\path\to\program.exe +"C:\Program Files\Sandboxie\Start.exe" /disable_force c:\path\to\program.exe ``` -Note that /dfp and /disable_force are identical. You can also select this option by holding the Ctrl and Shift keys down when you click the Run Sandboxed command. +An older form of this command can temporarily disable the forced programs mode, for all programs. -An older form of this command can temporarily disable the forced programs mode, for all programs. It is similar in function to using the Disable Forced Programs command from the [Tray Icon Menu](TrayIconMenu.md#disable-forced-programs) in Sandboxie Control (and not the [File Menu](FileMenu.md#disable-forced-programs)). +```plaintext +"C:\Program Files\Sandboxie\Start.exe" disable_force ``` - "C:\Program Files\Sandboxie\Start.exe" disable_force -``` - -Note the missing slash in this command syntax. Note also that this command is not a toggle. It always puts the Disable Forced Programs mode into effect and always restarts the countdown timer. At this time, Start.exe does not offer a way to request the cancellation of this mode. -* * * +Note that `/dfp` and `/disable_force` are identical. The command `/dfp` can also be selected by holding the Ctrl and Shift keys down when you click the Run Sandboxed command. -### Related Reading Material +## Related Reading Material See also: [InjectDll](InjectDll.md) and [SBIE DLL API](SBIEDLLAPI.md) diff --git a/Content/ViewMenu.md b/Content/ViewMenu.md index bbcbde44b..0fcd27e84 100644 --- a/Content/ViewMenu.md +++ b/Content/ViewMenu.md @@ -1,18 +1,24 @@ # View Menu -![](../Media/ViewMenu.png) +![View Menu](../Media/ViewMenu.png) -## Programs +## Views +Choose from three view options: +- **Simple View (for beginners)** +- **Advanced View (for advanced users seeking advanced options)** +- **Vintage View (TODO: ChatGPT, please fill in)** -The Programs command selects [Programs View](ProgramsView.md), which displays the programs running in each sandbox. -This is the default view. +## Always on Top +Enables keeping the Sandboxie window on top of all applications. -## Files and Folders +## Show hidden boxes +Shows hidden sandboxes. + +## Programs +Selecting the Programs command activates the [Programs View](ProgramsView.md), displaying the programs running in each sandbox. This is the default view. -The Files and Folders selects [Files And Folders View](FilesAndFoldersView.md), which displays the files and folders in each sandbox. +## Files and Folders +Selecting Files and Folders activates the [Files And Folders View](FilesAndFoldersView.md), providing a display of the files and folders in each sandbox. ## Context Menu - -The Context Menu commands displays the context menu associated with the item that is highlighted (selected). -The context menu can also be displayed by clicking the right mouse button on an item. -An item is a sandbox, a program, a file or a folder. Not all items appear in all views. \ No newline at end of file +The Context Menu command displays the context menu associated with the highlighted (selected) item. It can also be accessed by right-clicking on an item, such as a sandbox, program, file, or folder. Not all items appear in all views. diff --git a/Content/WindowsXPMode.md b/Content/WindowsXPMode.md index 3bf1ee4a5..04d705864 100644 --- a/Content/WindowsXPMode.md +++ b/Content/WindowsXPMode.md @@ -1,31 +1,31 @@ -# Windows XP Mode +# Windows XP Mode and Sandboxie Integration -With Windows 7, Microsoft offers _Windows XP Mode_, which is a virtualized installation of 32-bit Windows XP Service Pack 3 running side-by-side with the primary Windows 7 operating system. +With Windows 7, Microsoft introduced **Windows XP Mode**, a virtualized installation of 32-bit Windows XP Service Pack 3 running side-by-side with the primary Windows 7 operating system. -#### Windows XP Mode is only available on the Professional, Enterprise, and Ultimate editions of Windows 7. +**Windows XP Mode** is exclusively available on the Professional, Enterprise, and Ultimate editions of Windows 7. -The 32-bit edition of Sandboxie can be installed into the 32-bit Windows XP running within the 64-bit Windows 7. Thanks to the seamless integration of _Windows XP Mode_ into the Windows 7 environment, 32-bit Sandboxie can function reasonably well within a 64-bit Windows 7. +The 32-bit edition of Sandboxie can be installed into the 32-bit Windows XP running within the 64-bit Windows 7. Due to the seamless integration of **Windows XP Mode** into the Windows 7 environment, 32-bit Sandboxie can function reasonably well within a 64-bit Windows 7 system. -_Windows XP Mode_ is easier to use than a stand-alone virtual machine running Windows XP, as it is better integrated into Windows 7. It also includes a licensed copy of Windows XP. However, this improved integration also exposes your Windows 7 system and documents to malicious changes originating in the _Windows XP Mode_ operating system. +While **Windows XP Mode** is easier to use than a stand-alone virtual machine running Windows XP, as it is better integrated into Windows 7, it exposes your Windows 7 system and documents to potential malicious changes originating in the **Windows XP Mode** operating system. -With Sandboxie, you can have a web browser which is isolated within its own sandbox, making it more secure than your web browser running directly on Windows 7. +Sandboxie offers a solution by providing isolation for applications, including web browsers, within their own sandboxes. This enhances security by preventing potential threats from affecting the host system. -> [Windows XP Mode - Install and Setup](https://www.sevenforums.com/tutorials/8247-windows-xp-mode-install-setup.html) +Here are step-by-step instructions to install Sandboxie and Firefox within **Windows XP Mode**: -Once _Windows XP Mode_ is installed into your Windows 7, here are step-by-step instructions to install Sandboxie and Firefox: +1. Open the **Windows XP Mode** operating system. -* Open the _Windows XP Mode_ operating system. +2. Optionally, download and install Firefox. Ensure that Firefox designates itself as the default web browser during its installation process. Additionally, tweak Firefox preferences and install any desired add-ons. -* Optionally, download and install Firefox. Make sure to let Firefox designate itself as the default web browser during its installation process. Optionally, also tweak Firefox preferences, and install any add-ons you wish to use. +3. Download and install Sandboxie within the **Windows XP Mode** environment. -* Download and install Sandboxie. +4. Optionally, download and install an antivirus program for your **Windows XP Mode** operating system. -* Optionally download and install an anti-virus for your _Windows XP Mode_ operating system. +5. Log out of the **Windows XP Mode** operating system. -* Log out of the _Windows XP Mode_ operating system. +6. In your Windows 7 Start Menu, you should find the Sandboxie program group: -* In your Windows 7 Start Menu, you should now find the Sandboxie program group: + `Windows 7 Start Menu > All Programs > Windows Virtual PC > Windows XP Mode Applications > Sandboxie` -Windows 7 Start Menu > All Programs > Windows Virtual PC > Windows XP Mode Applications > Sandboxie +7. Select "Run Web browser sandboxed" to launch Firefox within the Sandboxie environment, providing an added layer of security. -* Select _Run Web browser sandboxed_ to run Firefox within Sandboxie. +For more detailed information on installing and setting up **Windows XP Mode**, you can refer to the [Windows XP Mode - Install and Setup](https://www.sevenforums.com/tutorials/8247-windows-xp-mode-install-setup.html) tutorial. diff --git a/Media/AlertPrograms.png b/Media/AlertPrograms.png index 285948f9a..1194a42ad 100644 Binary files a/Media/AlertPrograms.png and b/Media/AlertPrograms.png differ diff --git a/Media/AppearanceSettings.png b/Media/AppearanceSettings.png index 16ffebb24..87149e27c 100644 Binary files a/Media/AppearanceSettings.png and b/Media/AppearanceSettings.png differ diff --git a/Media/Box_AutoDelete.png b/Media/Box_AutoDelete.png index cbf4669df..720c81139 100644 Binary files a/Media/Box_AutoDelete.png and b/Media/Box_AutoDelete.png differ diff --git a/Media/Box_CompartmentMode.png b/Media/Box_CompartmentMode.png index c7c09b234..d066c6785 100644 Binary files a/Media/Box_CompartmentMode.png and b/Media/Box_CompartmentMode.png differ diff --git a/Media/Box_PrivacyMode.png b/Media/Box_PrivacyMode.png index a52f50b83..2d748015a 100644 Binary files a/Media/Box_PrivacyMode.png and b/Media/Box_PrivacyMode.png differ diff --git a/Media/Box_SecurityMode.png b/Media/Box_SecurityMode.png index e05cb8b26..49b0aa083 100644 Binary files a/Media/Box_SecurityMode.png and b/Media/Box_SecurityMode.png differ diff --git a/Media/ForcedProgramsSettings.png b/Media/ForcedProgramsSettings.png index 0688e9636..91a718c6b 100644 Binary files a/Media/ForcedProgramsSettings.png and b/Media/ForcedProgramsSettings.png differ diff --git a/Media/InternetAccessSettings.png b/Media/InternetAccessSettings.png index c8a52c001..07f2b41cc 100644 Binary files a/Media/InternetAccessSettings.png and b/Media/InternetAccessSettings.png differ diff --git a/Media/MessagesFromSandboxie.png b/Media/MessagesFromSandboxie.png index 0e3fb1b1a..313b440ba 100644 Binary files a/Media/MessagesFromSandboxie.png and b/Media/MessagesFromSandboxie.png differ diff --git a/Media/RunAnyNotepad.png b/Media/RunAnyNotepad.png index e92434ca1..7ec687611 100644 Binary files a/Media/RunAnyNotepad.png and b/Media/RunAnyNotepad.png differ diff --git a/Media/SandboxedTitle.png b/Media/SandboxedTitle.png index 1703a928e..1770d9bbb 100644 Binary files a/Media/SandboxedTitle.png and b/Media/SandboxedTitle.png differ diff --git a/Media/ViewMenu.png b/Media/ViewMenu.png index 39e44f4fd..8510f7357 100644 Binary files a/Media/ViewMenu.png and b/Media/ViewMenu.png differ diff --git a/PlusContent/DNSFilter.md b/PlusContent/DNSFilter.md index 86799ac35..b6a0097f5 100644 --- a/PlusContent/DNSFilter.md +++ b/PlusContent/DNSFilter.md @@ -24,4 +24,4 @@ The logging component of this feature offers users the opportunity to monitor DN The mechanics of DNS Query Control are elegantly intricate. Users can selectively block or redirect DNS queries made by sandboxed programs for specific domains. This process involves defining rules within the sandbox configuration, dictating how DNS queries to certain domains should be handled. This level of granularity empowers users to tailor the DNS experience within the sandboxed environment according to their security and privacy preferences. ## Embrace the Future of Network Control -DNS Query Logging, Filtering, and Redirection transcends traditional sandboxing capabilities. It introduces an unprecedented level of network oversight, effectively placing users at the helm of their sandboxed network interactions. In an age where data security, privacy, and control are paramount, this feature stands as a beacon of innovation. Join us in embracing the dawn of network control with DNS Query Logging, Filtering, and Redirection – where every DNS interaction is precisely managed to align with your security vision. \ No newline at end of file +DNS Query Logging, Filtering, and Redirection transcends traditional sandboxing capabilities. It introduces an unprecedented level of network oversight, effectively placing users at the helm of their sandboxed network interactions. In an age where data security, privacy, and control are paramount, this feature stands as a beacon of innovation. Join us in embracing the dawn of network control with DNS Query Logging, Filtering, and Redirection – where every DNS interaction is precisely managed to align with your security vision. diff --git a/PlusContent/Plus-Features.md b/PlusContent/Plus-Features.md index ba1a8ef89..71a936858 100644 --- a/PlusContent/Plus-Features.md +++ b/PlusContent/Plus-Features.md @@ -1,99 +1,80 @@ -Sandboxie Plus offers a multitude of new functionality which improves security, compatibility and the overall sandboxing experience. +# Features in Sandboxie Plus + +Sandboxie Plus offers a multitude of new functionality which improves security, compatibility, and the overall sandboxing experience. Some of these features (*) are however only available to users with a [Support Certificate](../PlusContent/supporter-certificate.md) which can be obtained by [contributing to the Sandboxie project](https://github.com/sandboxie-plus/Sandboxie/blob/master/CONTRIBUTING.md) or purchased in our [online shop](https://xanasoft.com/shop/). Some more features (**) are available to participants of the [Sandboxie-Insider](../PlusContent/Sandboxie-Insider.md) program. -#### [Rule Specificity](../PlusContent/RuleSpecificity.md) * +### Rule Specificity (*) - With this option rules are prioritized based on their specificity (see changelog/docs for details) this way sub paths can be readable/writeable while parent parts are still protected. - -#### [Security enhanced sandboxes](../PlusContent/security-mode.md) * +### Security enhanced sandboxes (*) - Restrict syscall elevation to approved known safe / filtered syscalls - Limit access to device endpoints to known safe / filtered endpoints - -#### [Privacy enhanced sandboxes](../PlusContent/privacy-mode.md) * +### Privacy enhanced sandboxes (*) - With this feature, by applying a preset rule collection, all locations potentially containing personal data can be protected. Applications running in boxes with personal data protection will see an empty PC with no user data on it. - -#### [Compartment Mode](../PlusContent/compartment-mode.md) * +### Compartment Mode (*) - This mode is intended to optimize compatibility at the cost of security, here Sandboxie’s token-based isolation scheme is not used. Isolation is limited to the FS minifilter as well as registry and object callbacks. This has the potential to greatly improve compatibility with various applications. - -#### Virtual Disk Integration ** +### Virtual Disk Integration (**) - [RamDisk support](../PlusContent/RamDiskSupport.md), available since the latest insider build, allows you to create a virtual disk in your system's memory, using the ImDisk driver, which can speed up file access and increase confidentiality as all box contents will be discarded when the disk is unmounted (manually or automatically on reboot). - [Encrypted Box Image support](../PlusContent/BoxEncryption.md) is currently in development and allows you to create encrypted sandboxed environments for an even greater protection of your confidential data. With this feature the box file root is being mounted from an AES-XTS encrypted box image, other ciphers are available as well. Upcoming additions to this root functionality will contain secure box passphrase handling and a driver extension to prevent applications not running in the encrypted sandbox from accessing the sandboxed files. - -#### Enhanced network filtering and redirection ** +### Enhanced network filtering and redirection (**) - [Proxy injection](../PlusContent/ProxySupport.md) is yet another feature which has been added in the insider builds, it allows to force any application to use a Socks 5 proxy instead of a direct connection. - [DNS query logging, filtering and redirection](../PlusContent/DNSFilter.md) feature allows you to block, or redirect DNS queries made by sandboxed programs for selected domains. - -#### [WFP (Windows Filtering Platform) support](../PlusContent/WFPSupport.md) +### [WFP (Windows Filtering Platform) support](../PlusContent/WFPSupport.md) - With this feature, Sandboxie can be like an application firewall which applies the rules on a per-sandbox basis, allowing the same application access to Internet in one box while blocking it in another. +### Windows 11 context menu integration -#### Windows 11 context menu integration - - -#### Process/Thread handle filtering (obCallbacks) +### Process/Thread handle filtering (obCallbacks) - Using this mechanism greatly improves on isolation of processes and provides enhanced security. - -#### Win32 syscall hooking +### Win32 syscall hooking - With this feature, Win32 syscalls can get the same treatment as NT syscalls, which helps with graphics and HW acceleration. - -#### New UI with dark mode and much more - - Sandboxie-Plus bring an entirely new Qt based UI sandman.exe +### New UI with dark mode and much more + - Sandboxie-Plus brings an entirely new Qt based UI sandman.exe - Customizable per box run menu - Global hotkey to terminate all boxes - INI section editor for easy configuration of advanced options - Box event triggers/scripts - Ability to stop selected applications from running globally, regardless of box presets - -#### [Snapshots](../PlusContent/BoxSnapshots.md) +### [Snapshots](../PlusContent/BoxSnapshots.md) - Sandboxie-Plus can create box snapshots, with them it is possible to easily revert a box to a defined previous state. - Box set to auto delete will auto-revert when available to the last snapshot allowing to benefit from a fresh clean box each time but with some preset configuration +### [Enhanced debug/trace monitor](../PlusContent/TraceLog.md) -#### [Enhanced debug/trace monitor](../PlusContent/TraceLog.md) - - -#### Fake admin privileges +### Fake admin privileges - Allows to make all processes in a box think they have admin permissions and act accordingly, without the potential drawbacks of granting them admin permissions - -#### Box size monitor +### Box size monitor - Monitor and list box size in an own column - -#### Start Menu integration +### Start Menu integration - Integrate start menu entries from sandboxes into the host start menu - -#### Sandbox SID isolation +### Sandbox SID isolation - Instead of using anonymous login SID, it uses custom SIDs per-sandbox like Sandboxie/DefaultBox. This way, processes from separate sandboxes won’t be able accessing each other’s resources. - -#### [Breakout Process](../Content/BreakoutProcess.md) +### [Breakout Process](../Content/BreakoutProcess.md) - Allows to specify which applications shall run unsandboxed when launched within the sandbox. A combination of this and ForceProcess allows for a simple priority system. - [Document Breakout](../Content/BreakoutDocument.md) is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandboxed instance of the associated application. ** - -#### [USB drive sandboxing](../PlusContent/USBSandboxing.md) ** +### [USB drive sandboxing](../PlusContent/USBSandboxing.md) ** - This feature allows you to automatically sandbox any USB drive that you plug into your computer, which adds an extra layer of protection to your system. - -#### EFS Support ** +### EFS Support ** - Support for EFS (Encrypted File System) protected files. - -#### ARM64 support for Windows 11 * +### ARM64 support for Windows 11 (*) - Support ARM64 natively - Support emulated x86 - Support emulated x64 (ARM64EC) - diff --git a/PlusContent/ProxySupport.md b/PlusContent/ProxySupport.md index 2473d8c6c..33f5434be 100644 --- a/PlusContent/ProxySupport.md +++ b/PlusContent/ProxySupport.md @@ -24,4 +24,4 @@ For security-conscious users, Proxy Injection becomes a vital tool for observing The mechanics of Proxy Injection are elegantly simple, yet profoundly effective. Users can designate specific applications (or entire boxes) to undergo proxy injection, effectively compelling these applications to establish their network connections through the selected Socks 5 proxy. The result is a controlled network environment that aligns with security and privacy preferences, effectively mitigating potential vulnerabilities that might arise from direct connections. ## Embrace the Future of Network Control -Proxy Injection emerges as a visionary feature that redefines network interaction paradigms within sandboxed environments. It transforms the sandboxing experience by offering users granular control over how applications access external resources. As we forge ahead in an era where digital security is paramount, Proxy Injection emerges as a powerful tool that empowers users to safeguard their interactions, maintain privacy, and proactively manage application behavior. Join us in embracing the future of network control with Proxy Injection – where every connection is made on your terms. \ No newline at end of file +Proxy Injection emerges as a visionary feature that redefines network interaction paradigms within sandboxed environments. It transforms the sandboxing experience by offering users granular control over how applications access external resources. As we forge ahead in an era where digital security is paramount, Proxy Injection emerges as a powerful tool that empowers users to safeguard their interactions, maintain privacy, and proactively manage application behavior. Join us in embracing the future of network control with Proxy Injection – where every connection is made on your terms. diff --git a/PlusContent/RuleSpecificity.md b/PlusContent/RuleSpecificity.md index 2570dbcf7..96e83faf3 100644 --- a/PlusContent/RuleSpecificity.md +++ b/PlusContent/RuleSpecificity.md @@ -1,11 +1,11 @@ # Rule Specificity -Sandboxie prior to build 5.55.0 handled rules exclusively in a very simple way, a path may be [Closed](../Content/ClosedFilePath.md), [Read Only](../Content/ReadFilePath.md), [Write Only](../Content/WriteFilePath.md), or [Open](../Content/OpenFilePath.md) and the priority of rule application was the same, when a closed rule matched a particular path it overruled all other rules. +Sandboxie prior to build 5.55.0 handled rules exclusively in a very simple way: a path may be [Closed](../Content/ClosedFilePath.md), [Read Only](../Content/ReadFilePath.md), [Write Only](../Content/WriteFilePath.md), or [Open](../Content/OpenFilePath.md). The priority of rule application was the same, and when a closed rule matched a particular path, it overruled all other rules. -Starting with build 1.0.0, Sandboxie-Plus has introduced a new mechanism to evaluate and apply rules, based on how specific they are and which match level they have. +Starting with build 1.0.0, Sandboxie-Plus has introduced a new mechanism to evaluate and apply rules based on how specific they are and which match level they have. -The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like "*.tmp" would have the highest specificity as it would always match the entire file path. +The rule specificity is a measure of how well a given rule matches a particular path. Simply put, specificity is the length of characters from the beginning of the path up to and including the last matching non-wildcard substring. A rule that matches only file types like "*.tmp" would have the highest specificity, as it would always match the entire file path. -The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. +The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e., rules applying to all processes but the given one), while the lowest match levels have global matches, i.e., rules that apply to any process. -For this feature, a new type of path directive has been introduced [Normal](../Content/NormalFilePath.md), which allows to restore default sandboxing behaviour for a path whose parent have been set to one of the prior 4 types. +For this feature, a new type of path directive has been introduced: [Normal](../Content/NormalFilePath.md), which allows restoring default sandboxing behavior for a path whose parent has been set to one of the prior 4 types. diff --git a/PlusContent/USBSandboxing.md b/PlusContent/USBSandboxing.md index b584951a2..ad9c80eed 100644 --- a/PlusContent/USBSandboxing.md +++ b/PlusContent/USBSandboxing.md @@ -13,4 +13,3 @@ Sandboxie-Plus introduces USB Drive Sandboxing, a new and impactful feature with - Data Integrity: Even in the presence of a potentially unsafe USB drive, your data remains intact while the malicious process is confined to the sandboxed environment. Embrace a more secure future with USB Drive Sandboxing – a feature that revolutionizes your approach to external storage security, mitigating risks and reinforcing your system's defense mechanisms. - diff --git a/PlusContent/applying-supporter-certificate.md b/PlusContent/applying-supporter-certificate.md index 6957e10f2..5126a6c68 100644 --- a/PlusContent/applying-supporter-certificate.md +++ b/PlusContent/applying-supporter-certificate.md @@ -1,28 +1,29 @@ # Applying a Supporter Certificate using the Modern SandMan UI -To apply a supporter certificate, please start Sandboxie Plus and open the global settings: +To apply a supporter certificate, follow these steps: -![](../Media/PlusCert1.png) +1. Start Sandboxie Plus and open the global settings. -In the global options, please go to the "Support & Updates" page: + ![Step 1](../Media/PlusCert1.png) -![](../Media/PlusCert2.png) +2. In the global options, navigate to the "Support & Updates" page. -Enter your entire certificate starting with `NAME:` up to and including the last two equal signs `==`, then press Apply (or OK): + ![Step 2](../Media/PlusCert2.png) -![](../Media/PlusCert3b.png) +3. Enter your entire certificate starting with `NAME:` up to and including the last two equal signs `==`, then press Apply (or OK). -Then you will be prompted to grant administrative privileges, you will need to allow them for the certificate to be installed: + ![Step 3](../Media/PlusCert3b.png) -![](../Media/PlusCert4.png) +4. You will be prompted to grant administrative privileges. Allow them for the certificate to be installed. -Depending on your OS preset, you may also need to confirm an UAC prompt: + ![Step 4](../Media/PlusCert4.png) -![](../Media/PlusCert5b.png) +5. Depending on your OS preset, you may also need to confirm a UAC prompt. -Once the certificate is accepted, the entry field should become green: + ![Step 5](../Media/PlusCert5b.png) -![](../Media/PlusCert6.png) +6. Once the certificate is accepted, the entry field should become green. -And a notification popup window should appear. + ![Step 6](../Media/PlusCert6.png) +7. A notification popup window should appear. diff --git a/PlusContent/imdisk.md b/PlusContent/imdisk.md index 5e5947b2c..562c8aac2 100644 --- a/PlusContent/imdisk.md +++ b/PlusContent/imdisk.md @@ -1,4 +1,3 @@ # ImDisk -TODO - +__ImDisk__ creates a fake hard drive called RAM disk from your computer's memory, so after you terminate the sandbox, everything in the RAM disk will be deleted. diff --git a/PlusContent/privacy-mode.md b/PlusContent/privacy-mode.md index 0a5c3eee8..7e5fb920c 100644 --- a/PlusContent/privacy-mode.md +++ b/PlusContent/privacy-mode.md @@ -2,29 +2,25 @@ **NOTE: This feature requires a [supporter certificate](https://sandboxie-plus.com/supporter-certificate/).** -The concept of privacy mode and privacy enhanced (or Data Protection) boxes was introduced in **Sandboxie Plus v1.0.0**. -In this mode, most of the locations on a PC are set to be treated like a Write[File/Key]Path, which means the sandboxed locations are writable, but the unsandboxed locations are not readable. -In addition, the registry does not allow reading of user root keys. In other words, even though sandboxed processes can continue to work, they cannot access private user data. +The concept of privacy mode and privacy-enhanced (or Data Protection) boxes was introduced in **Sandboxie Plus v1.0.0**. In this mode, most locations on a PC are treated like a Write[File/Key]Path, making sandboxed locations writable, but unsandboxed locations not readable. Additionally, the registry does not allow reading of user root keys, preventing access to private user data by sandboxed processes. -The setting for a privacy enhanced box can be enabled by adding `UsePrivacyMode=y` to the box settings section of **[Sandboxie Ini](../Content/SandboxieIni.md)**. It can also be enabled in the Sandman UI. Right-click on a box and select "Sandbox Options" from the drop-down menu (or simply double-click on a box) to bring up the Box Options UI. Select the box type preset as "Sandbox with Data Protection" (with a **blue** box icon) and click OK to apply changes. The status column of Sandman UI labels this box as **Privacy Enhanced**. +To enable privacy mode, add `UsePrivacyMode=y` to the box settings section of **[Sandboxie Ini](../Content/SandboxieIni.md)**. Alternatively, in Sandboxie Plus, right-click on a box, select "Sandbox Options" from the drop-down menu (or double-click on a box), bring up the Box Options UI, choose the box type preset as "Sandbox with Data Protection" (with a **blue** box icon), and click OK. The Sandman UI status column labels this box as **Privacy Enhanced**. -![](../Media/Box_PrivacyMode.png) +![Privacy Enhanced Box](../Media/Box_PrivacyMode.png) -**What is User Space?** AppGuard refers to [user space](https://malwaretips.com/threads/run-by-smartscreen-utility.65145/post-561364) as "computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives." Think of "user space" as everything outside the **system** (where the core operating system and programs live), in other words, outside the `C:\Windows`, `C:\Program Files`, and `C:\Program Files (x86)` folders! +**What is User Space?** AppGuard refers to [user space](https://malwaretips.com/threads/run-by-smartscreen-utility.65145/post-561364) as "computer storage space accessible by non-admin Windows users, including the user's profile directory, removable storage devices, network shares, and non-system hard drives." Think of "user space" as everything outside the **system** (core operating system and programs) in `C:\Windows`, `C:\Program Files`, and `C:\Program Files (x86)` folders! -Internally, a privacy enhanced box is based on three defaults: +Internally, a privacy-enhanced box is based on three defaults: 1. **Allow read access to system resources:** -- `C:\Windows` -- `C:\Program Files` -- `C:\Program Files (x86)` -- Registry resources under HKLM (but not HKCU) are readable and can be sandboxed. -- **Note:** The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using `Write[File/Key]Path`) if desired. + - `C:\Windows` + - `C:\Program Files` + - `C:\Program Files (x86)` + - Registry resources under HKLM (but not HKCU) are readable and sandboxed. 2. **Hide (and block access to) user space:** -- In user space, a privacy box works in **default block** mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking [Rule Specificity](../PlusContent/RuleSpecificity.md). + - In user space, a privacy box works in **default block** mode, setting all drive paths to WriteFilePath. This hides files and folders outside the sandbox but allows new ones to be created inside (unless specifically allowed by an overriding rule). Access to selected paths is enabled using [Rule Specificity](../PlusContent/RuleSpecificity.md). 3. **Enable [Rule Specificity:](../PlusContent/RuleSpecificity.md)** -- Internally, rule specificity is **always enabled** in privacy mode. It uses the **[Normal](../Content/NormalFilePath.md)** path directive (`Normal[File/Ipc/Key]Path`) to open selected locations to be **readable and sandboxed**. Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for **blue** boxes (based on privacy mode) but also for **red** boxes (with both privacy mode **and** [security mode](../PlusContent/security-mode.md) enabled). - -**Recent Changes:** Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with **Sandboxie Plus v1.8.0**, all built-in access rules have been moved to a set of default templates (included in the file **Templates.ini** under the `[TemplatePModPaths]` section) for easier management. + - Rule specificity is **always enabled** in privacy mode, using the **[Normal](../Content/NormalFilePath.md)** path directive (`Normal[File/Ipc/Key]Path`) to open selected locations for **readable and sandboxed** access. +**Recent Changes:** Starting with **Sandboxie Plus v1.8.0**, all built-in access rules have been moved to default templates (included in the **Templates.ini** file under the `[TemplatePModPaths]` section) for easier management. diff --git a/PlusContent/supporter-certificate.md b/PlusContent/supporter-certificate.md index 1b0af302b..d713a5efb 100644 --- a/PlusContent/supporter-certificate.md +++ b/PlusContent/supporter-certificate.md @@ -1,16 +1,12 @@ A supporter certificate is like a license key, but for awesome people using and supporting open source software. :-) -Keeping Sandboxie up to date with the rolling releases of Windows and compatible with all web browsers is a never-ending endeavor. Please consider supporting this work with a PayPal donation or by purchasing a [Sandboxie Plus Supporter Certificate](https://sandboxie-plus.com/go.php?to=sbie-get-cert), you can also provide continuous support with a [Patreon subscription](https://sandboxie-plus.com/go.php?to=patreon). +Your support keeps Sandboxie up to date with the rolling releases of Windows and compatible with all web browsers is a never-ending endeavor. Please consider supporting this work with a [PayPal donation](https://sandboxie-plus.com/go.php?to=donate) or by purchasing a [Sandboxie Plus Supporter Certificate](https://sandboxie-plus.com/go.php?to=sbie-get-cert). You can also provide continuous support with a [Patreon subscription](https://sandboxie-plus.com/go.php?to=patreon). -A support certificate enables the use of new supporter exclusive Plus features, like [Privacy Mode](../PlusContent/privacy-mode.md) or [App Compartment Boxes](../PlusContent/compartment-mode.md), see the [Feature Comparison Table](https://sandboxie-plus.com/feature-comparison/) for more details and certificate options. +A support certificate enables the use of new supporter exclusive Plus features, like [Privacy Mode](../PlusContent/privacy-mode.md) or [App Compartment Boxes](../PlusContent/compartment-mode.md). See the [Feature Comparison Table](https://sandboxie-plus.com/feature-comparison/) for more details and certificate options. +Certificate validity: **Please note that a [Business Certificate](https://xanasoft.com/product/sandboxie-plus-business/) is required to use Sandboxie Plus in a business or educational setting!** **Patreon certificates** are valid for as long as the subscription is active and unlock all features. Patreons who have ended their subscription are entitled to a residual certificate corresponding to the total amount of their support. -**Contributor certificates** are available to all people that help by contributing to the project, these certificates do not expire. If you are a contributor, please get in touch by email or alike to get your certificate. - - - +**Contributor certificates** are available to all people that help by contributing to the project, and these certificates do not expire. If you are a contributor, please get in touch by email or alike to get your certificate.