"The Windows Installer Service could not be accessed."

[DavidBerdik]

It appears that the "Windows Installer Service could not be accessed" error is still present in this release.

The good news is that now, we can fix it ourselves! That is, we can fix it ourselves if we understand the code. I've been reading through the code trying to get a sense of how it works, but have admittedly made little to no progress. Do you have any idea how to fix this? Or at least some pointers as to where I should be looking?

Reproducing the issue is very simple: try to run an MSI installer inside a sandbox, and you will get this error.

[DavidXanatos]

From 1809 to 1903 MSFT changed something around the "msiServer" service. On 1809 when trying to install a msi file inside a sandbox, Start.exe starts an sandbox internal instance of that service. On 1903 it does not even try to start the msiServer.

You can use a tool like TaskExplorer with enabled ETW Monitoring and use the "hold" option (snow flake icon on toolbar) to view all processes running as well as started and terminated.

Anyhow, the fact that Start.exe does not even try to start "C:\Windows\system32\msiexec.exe /V", tells me that most likely a trigger for the service to be started has changed, or is missing entirely, and we need to find an other one.

The way it seams to be supposed to work is that the SbieSvc.exe, from RunHandler2, invokes: "C:\Program Files\Sandboxie\Start.exe" /box:-1688 /env:00000000_SBIE_DEVICE_MAP="\Sessions\0\DosDevices\00000000-0004f782" /env:00000000_SBIE_SERVICE_NAME="MSIServer" /hide_window C:\Windows\system32\msiexec.exe /V btw 1688 is the pid of your SandboxieDcomLauchner.exe this does its thing and causes SbieSvc.exe run "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh C:\Windows\system32\msiexec.exe /V and this is the process that in turn starts "C:\Windows\system32\msiexec.exe /V"

What fails is the trigger for the first command.

If I run the first command with the right pid and dosdevice it triggers the second one and causes the service to start briefly. Unfortunately not long enough to be usefull...

A good point to start looking is Sandboxie\core\dll\scm.c as it's responsible for services and contains stuff related to MSIServer.

EDIT: A thing I find strange is that when you start services.msc from inside a sandbox you can start services and they start outside the sand box, ok, you cant stop them and i guess not access them, but still its an unexpected behavior. Services Sbie intents to be run inside the sandbox fail to start this way, these are trustedinstaller, cryptsvc, msiserver, bits, wuauserv, that is also unexpected if we could start msiserver this way any than try to install a msi file we could validate that only a trigger is missing and that the rest isn't broken.

[DavidXanatos]

Fixed on build 5.40.1

[DavidBerdik]

Wow! You are amazingly good at this. I am so lost right now reading everything you've done.

If I may ask, where did you find the leaked signing certificate? I am interested in playing with compiling Sandboxie from source and would like to sign it as you have. I'm also going to take a look through your changes to see if I can get a sense for how this project works.

[DavidXanatos]

I don't think its great if it spreads too much, MSFT may at some point decide to do something against it. But its easy enough to find it was part of a very data leak that was quite prominent in the media.

[DavidBerdik]

Yeah, that's fair. I am sure I can find it with a little hunting. I can understand your position.

But its easy enough to find it was part of a very data leak that was quite prominent in the media.

Unfortunately, this hint encompasses many data leaks. 😂

[DavidBerdik]

I have found the signing certificate, but I am having issues with using it. Would you be willing to share instructions for making use of it?

When I try to install a driver signed with it, I get the following error using pnputil. The error is:

Error 0x800b0101: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

[DavidXanatos]

Try changing the system clock to something 2011

[DavidBerdik]

Okay I will. Why is this necessary though? Why can the Sandboxie installer work without without doing this? Also, does the installer add any certificates to the trust store? It seems that unless I add the code signing certificate as a root certificate authority, it does not work.

[DavidXanatos]

No, I meant have the date changed while signing the file and may be drop /t http://timestamp.verisign.com/scripts/timestamp.dll from the command line of the sign tool.

When the file is signed the right way it loads on any windows 10 I tried it on without any issues or additional tricks needed.

[DavidXanatos]

And I'm not using pnputil, sandboxie has some own tool to install the driver and in my other projects the driver installation is also "manual" i.e. the tools are creating a service entry pointing to the sys file.

Possibly pnputil has some additional checks which are not present in the windows kernel itself.

[DavidBerdik]

I'm not using the timestamp command either. I'm using this.

signtool.exe sign /debug /v /a /f "HT Srl.pfx" /p password /n "HT Srl" file.cat

[DavidXanatos]

don't sign the *.cat file, sign the SbieDrv.sys file directly

[DavidBerdik]

Understood. Thank you.

[ecoeficiente]

Hi, thanks for the fix. Unfortunately it does not seem to work when the installer tries to launch a second instance of msiec service. I have a installer which launches with the fix (did not before) but at the end of the installation the error window gets displayed again.

[ecoeficiente]

Well, this problem of launching a second instance of the msiexec service is also present in 1809, so it may be another different issue.

[deflock]

@DavidXanatos

But its easy enough to find it was part of a very data leak that was quite prominent in the media.

Our asian friends, as always? 😂 Can you write CRC32 of your cert file? I think it's plenty safe if google shows no results for it. Just to be sure that certs are the same.

[DavidBerdik]

@deflock Here's the MD5 of my pfx 95a91373d774f17f6eedf0850e365c87.

[deflock]

@DavidBerdik hmm, interesting... Mine starts with 94eabd08... :)

[DavidBerdik]

@deflock Well there are several leaked keys floating around on the internet. So we may all be using different ones, but it should not matter. ☺️

[DavidXanatos]

The not starting a second instance issue is indeed a separate problem from it not starting at all, and it seams much more difficult to fix unfortunately.

PS: mine is also the 95a91373d774f17f6eedf0850e365c87 one

[DavidXanatos]

Its a pitty that github does not have any sort of private messaging to talk about these things.

[DavidXanatos]

@deflock is stuf signed with your cert detected by viristotal?

[DavidXanatos]

To expand on the second MSI issue a bit: the second MSI instance is needed for so called "custom actions" that is Code snippets that do something non standard written by the user. Like in case of the mumble installer at the very end starting the installed mumble client, for example.

This mechanism uses inter process communication to communicate an that is where it all fails. On older version of windows this communication used static names, but microsoft is changing more and more to use dynamic port naming and as far as I understood the issue this mechanism is missing entirely. So we need to understand it and implement a own copy in the sbie driver. That is unfortunately its seams quite an advanced task.

[deflock]

@DavidXanatos I dont have compile/sign setup yet. I've got your SbieDrv.sys 5.40 from releases and tried to sign it in linux VM.

Not sure I've done it right, but my results:

HT: https://www.virustotal.com/gui/file/34bf4bb484b6df931e498b9efebfe96a6b452ff4651b45b06392bbdbcb44365b/detection

HT + MS cross-certificate file: https://www.virustotal.com/gui/file/ba6083f83f0ae34b2fd961b33e98870f20788b85b6e33baa14b783f27519e60e/detection

MYCERT: https://www.virustotal.com/gui/file/ebf6a84e6ae597207cac604443fc6f7fd5ee778f4dfa7aadd7b1c9eb928e0d4a/detection

MYCERT + MS cross-certificate file: https://www.virustotal.com/gui/file/027b9f2619f8d58f131eb940944a1508b26c14ab826fcfdd72cc6538c246dba8/detection

[DavidXanatos]

your cert seams to work much better substantially less positives. what is "MS cross-certificate"?

[deflock]

MSCV-XXX.cer file. Found it in HT archive

[DavidXanatos]

ah the one with the md5 starting with ce27078.... hehe.... is did not occurred to me to use this also

so your last test was with the asian + the MS cert form the HT leak? that seams surprisingly successful.

does the asian has a thumbprint starting with 31e5380e1.... I saw that one on some signed patched drivers but don't have the pfx file

[deflock]

ah the one with the md5 starting with ce27078....

Yes

does the asian has a thumbprint starting with 31e5380e1....

No, wrote it above already 94eabd08...

Just google for two words: this repo name and pfx, each in own quotes. There are a lot of chinese sites, look for keyword: Asia in cert's password 😂 And it's not easy to find valid download link, most of them seem broken.

UPD. When I found and downloaded asian archive Windows removed it as a threat. Then I downloaded it in linux and extracted the cert only 😁

[DavidXanatos]

found it 😁

but when I try to use the MS cert I get "Signtool Error: The provided cross certificate would not be present in the certificate chain."

[deflock]

but when I try to use the MS cert I get "Signtool Error: The provided cross certificate would not be present in the certificate chain."

I've used linux's sign tool. Even more it seems it doesn't require to set date to 2011.

[DavidXanatos]

but when I try to use the MS cert I get "Signtool Error: The provided cross certificate would not be present in the certificate chain."

I've used linux's sign tool. Even more it seems it doesn't require to set date to 2011.

HaHa!!!

is there a windows port of it?

[deflock]

Not sure it's linux only. Here it is: https://sourceforge.net/projects/osslsigncode/

[DavidXanatos]

Not sure it's linux only. Here it is: https://sourceforge.net/projects/osslsigncode/

thanks, it says it uses openssl and its opensource so imho with some effort it should compile on windows to...

[DavidXanatos]

PS: ah great there is even a guide: https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md will try that tomorrow, having to change my clock each time is really annoying....

[DavidBerdik]

@DavidXanatos @deflock

ah the one with the md5 starting with ce27078.... hehe.... is did not occurred to me to use this also

The source from which I got the certificate that I am using has a copy of the ce27078.... certificate with it. I did not think you could sign directly with it though. Is it possible to do so then?

found it 😁

but when I try to use the MS cert I get "Signtool Error: The provided cross certificate would not be present in the certificate chain."

What command are you using? I was having this same issue previously. Unfortunately, I do not have any recollection of how I solved it. I will try to go through my browsing history and hard drive to see if I can find how I did it.

PS: ah great there is even a guide: https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md will try that tomorrow, having to change my clock each time is really annoying....

Have you had a chance to try this? I currently do all my signing (not just for Sandboxie), using a dedicated VM. I do not like this "using a sledgehammer to crack a nut" approach. I would really like to use something more lightweight.

[ecoeficiente]

To expand on the second MSI issue a bit: the second MSI instance is needed for so called "custom actions" that is Code snippets that do something non standard written by the user. Like in case of the mumble installer at the very end starting the installed mumble client, for example.

This mechanism uses inter process communication to communicate an that is where it all fails. On older version of windows this communication used static names, but microsoft is changing more and more to use dynamic port naming and as far as I understood the issue this mechanism is missing entirely. So we need to understand it and implement a own copy in the sbie driver. That is unfortunately its seams quite an advanced task.

Thanks for the info @DavidXanatos

[fakuivan]

I'm having this exact problem with Adobe DC.

[DavidBerdik]

@fakuivan Are you using an old version of Sandboxie? I haven't had this issue in any releases for well over a year now, and that includes installing Acrobat DC inside Sandboxie.

[fakuivan]

@DavidBerdik I'm using Sandboxie Classic v5.53.3 on a Windows Sandbox VM.

[DavidBerdik]

@DavidBerdik I'm using Sandboxie Classic v5.53.3 on a Windows Sandbox VM.

You might want to file a new bug report, then. This one has been marked as resolved for quite a while, so it's unlikely that you will get any attention here.