Open d3bil0x opened 2 years ago
DavidXanatos
commented
2 years ago please attach the actual memdump such that i can load it with symbols in debugger
also do you get the same crash on 1.0.1 and 1.0.2 builds?
does this crash happens only when Comodo Internet Security 2020 v12.2.2.8012 is installed?
d3bil0x
commented
2 years ago please attach the actual memdump such that i can load it with symbols in debugger
https://drive.google.com/file/d/1oGAmuEihEfkIjr0taQedrNd1xvPHZzAW/view?usp=sharing
also do you get the same crash on 1.0.1 and 1.0.2 builds?
Yes, also on 1.0.1 and 1.0.2.
does this crash happens only when Comodo Internet Security 2020 v12.2.2.8012 is installed?
I don't know yet. I will test without the CIS.
d3bil0x
commented
2 years ago Hi David,
I ran further tests on another PC (Samsung R540 6GB RAM) which rules out a hardware defect as the cause of BSOD.
The link to the memory dump from that machine: https://drive.google.com/file/d/1R4KrT2GTkHP1zMkny2iIMqhWXNU8113L/view?usp=sharing
Additional files that may be useful to reproduce the error:
And a video of the test procedure: https://youtu.be/tDtntOBYt2s
DavidXanatos
commented
2 years ago Hi,
With which version of sandboxie were the dumps created?
Cheers David
Am Di., 14. Dez. 2021 um 19:24 Uhr schrieb d3bil0x @.***
:
Hi David,
I ran further tests on another PC (Samsung R540 6GB RAM) which rules out a hardware defect as the cause of BSOD.
The link to the memory dump from that machine:
https://drive.google.com/file/d/1R4KrT2GTkHP1zMkny2iIMqhWXNU8113L/view?usp=sharing
Additional files that may be useful to reproduce the error:
- CIS config: https://drive.google.com/file/d/1SvM_01D7PtmelD7mY_WJXyVtxprYRn7_/view?usp=sharing
- Vivaldi bookmarks catalyzing the BSoD: https://drive.google.com/file/d/1TCMUOW6ObrQe1GB9HGQ7JwSWw9n9FH3N/view?usp=sharing
And a video of the test procedure: https://youtu.be/tDtntOBYt2s
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/sandboxie-plus/Sandboxie/issues/1427#issuecomment-993858405, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5V6AI254BA7QGWNDWWQK3UQ6DV7ANCNFSM5J3NAX7A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
d3bil0x
commented
2 years ago Hi, With which version of sandboxie were the dumps created?
1.0.2
DavidXanatos
commented
2 years ago hmm... strange that its reproducable for you bit not for me, I ran the bookmarks in my test vm in vivaldi with and without CIS but did not get any crashes, i run it like 8 times 3 after instaling CIS, where/how can i import the cis config?
could you please try an other configuration: try setting the sandbox into compartment mode or if you cant you can instead add NoSysCallHooks=y OriginalToken=y
to your sandbox to get a similar effect
also could you please try older versions, use an iterative approche, i.e. try version 0.55 if thats fine version 0.7.x of its not fine 0.25 and so on, i mean half the search range with each test.
isaak654
commented
2 years ago where/how can i import the cis config
https://help.comodo.com/topic-72-1-766-9159-Personal-Configurations.html
d3bil0x
commented
2 years ago hmm... strange that its reproducable for you bit not for me, I ran the bookmarks in my test vm in vivaldi with and without CIS but did not get any crashes, i run it like 8 times 3 after instaling CIS
The frequency of the error is irregular - sometimes 10 tries are flawless, and sometimes the error occurs several times in a row. I found (perhaps a coincidence) that the error occurs more often when I start Vivaldi after a system restart than when I retry Vivaldi by merely opening and closing the browser in a loop.
could you please try an other configuration: try setting the sandbox into compartment mode or if you cant you can instead add NoSysCallHooks=y OriginalToken=y
to your sandbox to get a similar effect
also could you please try older versions, use an iterative approche, i.e. try version 0.55 if thats fine version 0.7.x of its not fine 0.25 and so on, i mean half the search range with each test.
Of course, I'll take care of it over the weekend.
Shadowized
commented
2 years ago I have CIS but with everything except the firewall turned off and don't experience the issue, however in your memory dump it mentions IMAGE_NAME: cmdcss.sys which is not from CIS, but rather "Comodo Secure Shopping" which you didn't mention in your initial report. I would be willing to bet that is where the issue stems from and has nothing to do with CIS which is also probably why @DavidXanatos couldn't replicate it.
I know in the past I've had problems with the Defense+/HIPS components(hence them being off) even outside of sandboxie, but in this case I'd suggest starting by disabling or removing that Secure shopping program until a better solution can be found, or at the very least block sandboxie and secure shopping from interfacing with each-other.
Hope that helps.
d3bil0x
commented
2 years ago Hi, Shadowized
Yes, the CIS configuration file I attached contains a deactivated part of the auto-isolation that may interfere with the Sandboxie. During the further tests, I also disconnected all modules, leaving only the firewall active and/or added Sandboxie components to exclusions. I did not mention Comodo Secure Shopping, presuming its obvious existence as the default part of the Comodo Internet Security package, by the way 5 years ago I reported BSODs in systems containing Sandboxie + CIS with Opera to Comodo (https://forums.comodo.com/format-verified-issue-reports-cis/cis10-with-secure-shopping-opera-inside-sandboxie-bsod-m2135-t117573.0.html), where I found a solution to the problem by adding to the Sandboxie configuration the Comodo Secure Shoping modul:
[GlobalSettings]
ClosedFilePath=*\cssguard64.dll
ClosedFilePath=*\cssguard32.dllbut in this case it doesn't help.
Shadowized
commented
2 years ago I did not mention Comodo Secure Shopping, presuming its obvious existence as the default part of the Comodo Internet Security package
While it does come bundled, it's more of a standalone program and not part of CIS though it does provide UI integration into it, the only reason you have it at all is because you're using the web installer, the offline Setup does not include it.
I tested your configs in a clean VM and saw both Comodo and Secure Shopping doing DLL injection into every process on the system.
I know with CIS that's because of it's stupid/broken shellcode detection module which was originally part of their sandbox that didn't play nice with some programs I used at the time (including things inside of sandboxie containers), I had filed a bug report and after a while they eventually they added a convoluted option to disable it like so...
I wouldn't be surprised if the issue was similar in nature, however I tested with the above setting and disabled Secure Shopping through the CIS UI only to find out that the Secure Shopping is still injecting itself into every process even after a reboot, so while using ClosedFilePath may help with processes inside containers, I'm fairly certain this is where the issue lies.
I spent some time digging through the settings and saw no way to control or exclude certain process from the hooks that Secure Shopping uses, nor can I think of any valid reason why it would be doing so to begin with. The only option would be to uninstall it, after doing that and the above mentioned setting, Comodo no longer injects its DLL's and everything works fine.
I reported BSODs in systems containing Sandboxie + CIS with Opera to Comodo
reading your bug report there, those BSOD's you had back then were also caused by Secure Shopping, so I would suggest trying the setting I mentioned to disable detecting shellcode injection, as well as uninstalling Comodo Secure Shopping., If that helps solve the crashes then file a bug report with Comodo and see if they can provide a means of excluding processes from its injection, without that, these kind of issues will always occur because DLL injection is the devil.
DavidXanatos
commented
2 years ago Sinse it seams to be a known issue with comodo's cmdcss.sys its up to them to fix it. if you send me the exact cmdcss.sys with which the issue happens i can take a look with a decompiler what they are doing, but imho to fix it they would need to change their code.
DavidXanatos
commented
2 years ago On an other thought: if you run your sandboxes in the new less secure compartment mode, you should avoid conflicts with other security software, so depending on your use case this may be worth a try
d3bil0x
commented
2 years ago I reported BSODs in systems containing Sandboxie + CIS with Opera to Comodo
reading your bug report there, those BSOD's you had back then were also caused by Secure Shopping, so I would suggest trying the setting I mentioned to disable detecting shellcode injection, as well as uninstalling Comodo Secure Shopping., If that helps solve the crashes then file a bug report with Comodo and see if they can provide a means of excluding processes from its injection, without that, these kind of issues will always occur because DLL injection is the devil.
I will try to test this by adding exclusions to [detect shellcode injections] option. The Comodo Secure Shopping is very useful in an insecure environment, so for now I am still testing variants without uninstalling it.
if you send me the exact cmdcss.sys with which the issue happens i can take a look with a decompiler what they are doing, but imho to fix it they would need to change their code.
The cmdcss.sys: https://drive.google.com/file/d/1Ek24jPZr8oCRKhkExVqleEmqdw_Y4tDn/view?usp=sharing
On an other thought: if you run your sandboxes in the new less secure compartment mode, you should avoid conflicts with other security software, so depending on your use case this may be worth a try
OK, I'll try all the ways.
d3bil0x
commented
2 years ago Effects of further tests:
I checked Sandboxie-plus versions from 0.7.5 to 1.0.4 - with all of them there was a BSOD 0x7F.
After uninstalling the Comodo Secure Shopping module (related to cmdcss.sys), during testing with Vivaldi there was a change from BSOD 0x7F to BSOD 0x01 (APC_INDEX_MISMATCH).
DavidXanatos
commented
2 years ago the dump does not seam to contain any references to sbiedrv.
have you tried this:
could you please try an other configuration: try setting the sandbox into compartment mode or if you cant you can instead add NoSysCallHooks=y OriginalToken=y
already?
Shadowized
commented
2 years ago After uninstalling the Comodo Secure Shopping module (related to cmdcss.sys), during testing with Vivaldi there was a change from BSOD 0x7F to BSOD 0x01 (APC_INDEX_MISMATCH).
That latest BSOD doesn't indicate anything outside of the program(Vivaldi) that triggered it, Definitely not Sandboxie related. I know this year Microsoft pushed some trash Win10 updates that caused people to have BSOD's when trying to print things that had the same stop error but personally I would start by updating your system drivers as some of them are severely out of date.
athwnx Tue Mar 1 03:39:03 2016
cmderd Fri Jan 22 07:29:06 2021
cmdguard Fri Jan 22 07:31:02 2021
cmdhlp Fri Jan 22 07:29:09 2021
dump_iaStor Tue Apr 27 19:56:56 2010
iaStor Tue Apr 27 19:56:56 2010
igdkmd64 Mon Nov 26 19:26:05 2012
isedrv Wed Aug 29 03:03:47 2018
RTKVHD64 Tue Jun 23 07:26:04 2015
SABI Thu May 28 02:38:02 2009
SbieDrv Mon Dec 20 17:08:07 2021
yk63x64 Wed Jan 9 10:46:56 2013Strange that the Comodo isedrv "Internet Security Essentials" driver hasn't been updated since 2018, maybe look into testing the removal of that module too if the problem keeps occurring after updating everything else.
d3bil0x
commented
2 years ago have you tried this:
could you please try an other configuration: try setting the sandbox into compartment mode or if you cant you can instead add NoSysCallHooks=y OriginalToken=y
already?
Today I will test in Compartment Mode. I have this functionality.
After uninstalling the Comodo Secure Shopping module (related to cmdcss.sys), during testing with Vivaldi there was a change from BSOD 0x7F to BSOD 0x01 (APC_INDEX_MISMATCH).
(...) I would start by updating your system drivers as some of them are severely out of date.
dump_iaStor Tue Apr 27 19:56:56 2010 iaStor Tue Apr 27 19:56:56 2010 igdkmd64 Mon Nov 26 19:26:05 2012 isedrv Wed Aug 29 03:03:47 2018 RTKVHD64 Tue Jun 23 07:26:04 2015 SABI Thu May 28 02:38:02 2009 yk63x64 Wed Jan 9 10:46:56 2013
Yes I know. The intel RST (dump_iaStor and iaStor) and SABI drivers are the latest available for this chipset - the newer drivers do not support it. I installed these drivers manually as more efficient in handling HDD and offering additional features, but for the purposes of the test I will try to uninstall them and in this case Windows will use the default Microsoft drivers. The other drivers the system selected automatically via Windows Update: Intel graphics (igdkmd64), Realtek audio (RTKVHD64), Marvell ethernet (yk63x64)
Strange that the Comodo isedrv "Internet Security Essentials" driver hasn't been updated since 2018, maybe look into testing the removal of that module too if the problem keeps occurring after updating everything else.
I will try to uninstall ISE completely. Earlier attempts consisted only of disabling isesrv (Comodo Internet Security Essentials) service and prior to uninstalling also - csssrv (Comodo Secure Shopping).
d3bil0x
commented
2 years ago In Compartment Mode the Vivaldi crashes with error "SBIE2205 Service not implemented: GdiInit.0000000000000001"
Sbie Messages:
|Time| |Message|
04:25:56.833 Sbie Directory: C:\Program Files\Sandboxie-Plus
04:25:56.833 Sbie+ Version: 1.0.4 (5.55.0)
04:25:56.833 Loaded Config: C:\Windows\Sandboxie.ini
04:25:57.456 Sandboxie config has been reloaded
04:26:57.076 WerFault.exe (7492): SBIE2205 Service not implemented: GdiInit.00000000C0000017
04:26:57.105 WerFault.exe (6600): SBIE2205 Service not implemented: GdiInit.00000000C0000017
04:26:57.371 WerFault.exe (5892): SBIE2205 Service not implemented: GdiInit.00000000C0000017
04:27:00.996 vivaldi.exe (7404): SBIE2205 Service not implemented: GdiInit.0000000000000001
for me vivaldi starts in compartment bix just fine, that's very strange
d3bil0x
commented
2 years ago David, I can set up remote access to this virtual machine for you or export the vm appliance to OVF or VMX.
d3bil0x
commented
2 years ago For peace of mind I also checked the health of the system:
Installed with ISO:
c90a6df8997bf49e56b9673982f3e80745058723a707aef8f22998ae6479597d *en-us_windows_10_enterprise_ltsc_2021_x64_dvd_d289cf96.iso
d3bil0x
commented
2 years ago On VM snapshot without CIS
Sbie Messages in compartment mode:
|Time| |Message|
17:13:58.982 Sbie Directory: C:\Program Files\Sandboxie-Plus
17:13:58.982 Sbie+ Version: 1.0.4 (5.55.0)
17:13:58.982 Loaded Config: C:\Windows\Sandboxie.ini
17:13:59.345 Sandboxie config has been reloaded
17:15:04.741 vivaldi.exe (3580): SBIE2205 Service not implemented: GdiInit.0000000000000001
17:15:45.409 vivaldi.exe (5820): SBIE2205 Service not implemented: GdiInit.0000000000000001
17:19:54.040 vivaldi.exe (892): SBIE2203 Failed to communicate with Sandboxie Service: *GUIPROXY_00000001; MsgId: 9 - vivaldi.exe [C0000034] Initial solution summary
After 2 days of testing, no BSOD occurred using the following settings:
In Comodo Internet Security
Advanced Settings->Advanced Protection->Miscellaneous->Don't detect shellcode injections in->All Applications
And here thanks to Shadowized who aptly suggested the potential crux of the problem.
The question remains open: should we look for more narrow exclusions than All Applications for increased security but at the cost of system stability? (comodo shellcode injection detection is famous for causing trouble)
In Sandboxie config (when CIS installed with Comodo Secure Shopping)
[GlobalSettings]
ClosedFilePath=*\cssguard64.dll
ClosedFilePath=*\cssguard32.dll
which by the way also eliminates the crash of the Vivaldi in Compartment Mode, although the following Sbie message still remains: 01:49:14.070 vivaldi.exe (15884): SBIE2205 Service not implemented: GdiInit.0000000000000001
BSOD: Unexpected Kernel Mode Trap
with Vivaldi Browser inside Sandboxie. The bugcheck was: 0x0000007f (0x0000000000000008, 0xfffff80236c8ae50, 0xffffc3028d65c000, 0xfffff80232c108e7).
To Reproduce Steps to reproduce the behavior:
System details and installed software
Additional context
Basic analysis of MEMORY.DMP
``` Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [MEMORY.DMP] Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available. Symbol search path is: srv* Executable search path is: Windows 10 Kernel Version 19041 MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Edition build lab: 19041.1.amd64fre.vb_release.191206-1406 Machine Name: Kernel base = 0xfffff802`32a00000 PsLoadedModuleList = 0xfffff802`3362a2d0 Debug session time: Sat Dec 11 16:20:12.112 2021 (UTC + 1:00) System Uptime: 0 days 0:14:51.640 Loading Kernel Symbols ............................................................... ................................................................ ............................................................... Loading User Symbols PEB is paged out (Peb.Ldr = 000000eb`49193018). Type ".hh dbgerr001" for details Loading unloaded module list ...... For analysis of this file, run !analyze -v 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT Arg2: fffff80236c8ae50 Arg3: ffffc3028d65c000 Arg4: fffff80232c108e7 Debugging Details: ------------------ Unable to load image \SystemRoot\system32\drivers\cmdcss.sys, Win32 error 0n2 Unable to load image \??\C:\Program Files\Sandboxie-Plus\SbieDrv.sys, Win32 error 0n2 KEY_VALUES_STRING: 1 Key : Analysis.CPU.mSec Value: 4562 Key : Analysis.DebugAnalysisManager Value: Create Key : Analysis.Elapsed.mSec Value: 18330 Key : Analysis.Init.CPU.mSec Value: 4702 Key : Analysis.Init.Elapsed.mSec Value: 122979 Key : Analysis.Memory.CommitPeak.Mb Value: 84 Key : WER.OS.Branch Value: vb_release Key : WER.OS.Timestamp Value: 2019-12-06T14:06:00Z Key : WER.OS.Version Value: 10.0.19041.1 VIRTUAL_MACHINE: VMware BUGCHECK_CODE: 7f BUGCHECK_P1: 8 BUGCHECK_P2: fffff80236c8ae50 BUGCHECK_P3: ffffc3028d65c000 BUGCHECK_P4: fffff80232c108e7 TRAP_FRAME: fffff80236c8ae50 -- (.trap 0xfffff80236c8ae50) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=fffff802336dbc40 rbx=0000000000000000 rcx=fffff802336ead10 rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000 rip=fffff80232c108e7 rsp=ffffc3028d65c000 rbp=fffff802336ead10 r8=ffffc3028d65c108 r9=0000000000000000 r10=ffffaf821cc27918 r11=0000000000000003 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl zr na po nc nt!KiAbEntryGetLockedHeadEntry+0xc7: fffff802`32c108e7 e8543f0100 call nt!ExAcquireSpinLockSharedAtDpcLevel (fffff802`32c24840) Resetting default scope BLACKBOXBSD: 1 (!blackboxbsd) BLACKBOXNTFS: 1 (!blackboxntfs) BLACKBOXWINLOGON: 1 PROCESS_NAME: vivaldi.exe STACK_OVERFLOW: Stack Limit: ffffc3028d65c000. Use (kF) and (!stackusage) to investigate stack usage. STACKUSAGE_FUNCTION: The function at address 0xfffff80237fde590 was blamed for the stack overflow. It is using 8352 bytes of stack. STACK_TEXT: ffffc302`8d65c000 fffff802`32c0d99d : ffffaf82`1cc276d0 ffffc302`8d65c109 ffffc302`8d65c108 00000000`0ad4e011 : nt!KiAbEntryGetLockedHeadEntry+0xc7 ffffc302`8d65c0a0 fffff802`32dfe1d5 : 00000000`00000000 00000000`00000000 fffff802`00000000 00000000`00000000 : nt!KiAbProcessContextSwitch+0x11d ffffc302`8d65c170 fffff802`32dfd79e : 00000000`00000000 00000000`0adc4011 00000000`00000000 00000000`00000000 : nt!KxDispatchInterrupt+0xb5 ffffc302`8d65c2b0 fffff802`32ce8a46 : fffff802`32a00000 ffffc302`00000000 ffffc302`8d65c9c0 00007fff`fffeffff : nt!KiDpcInterrupt+0x2ee ffffc302`8d65c440 fffff802`32ce71ea : ffffc302`8d65d270 ffffc302`00000000 ffffc302`8d65d270 fffff802`32ad30ec : nt!RtlpxVirtualUnwind+0x276 ffffc302`8d65c4c0 fffff802`32dcce95 : fffff802`32a85f74 fffff802`00000001 ffffc302`8d65ddd0 ffffc302`8d662000 : nt!RtlUnwindEx+0x1ea ffffc302`8d65cbe0 fffff802`32e0015f : fffff802`32ad7eec ffffc302`8d65d1c0 fffff802`32dccdb0 00000000`00000000 : nt!_C_specific_handler+0xe5 ffffc302`8d65cc50 fffff802`32ce6dd7 : ffffc302`8d65d1c0 00000000`00000000 ffffc302`8d65d3d0 fffff802`32d49a86 : nt!RtlpExecuteHandlerForException+0xf ffffc302`8d65cc80 fffff802`32ce59d6 : ffffc302`8d65db98 ffffc302`8d65d8d0 ffffc302`8d65db98 ffffad3f`fa760590 : nt!RtlDispatchException+0x297 ffffc302`8d65d3a0 fffff802`32e093ac : ffffaf82`217a2a80 fffff802`32ca16f6 ffff8000`00000000 00000000`00000000 : nt!KiDispatchException+0x186 ffffc302`8d65da60 fffff802`32e05543 : 00000000`00000003 fffff802`32c84777 fffff802`3364ee00 ffffad68`4071bd30 : nt!KiExceptionDispatch+0x12c ffffc302`8d65dc40 fffff802`32d49a86 : ffffffff`00000430 ffffffff`ffffff00 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x443 ffffc302`8d65ddd0 fffff802`32c55cdd : ffffad3f`fa760590 00000000`00000018 00000000`00000000 00007ff4`ec0b2000 : nt!MiMakeProtoLeafValid+0xb2 ffffc302`8d65de50 fffff802`330078b8 : 00007ff4`ec0b2000 ffffaf82`24fbef20 ffffaf82`00000f00 ffffad3f`00000000 : nt!MiSplitPrivatePage+0x455 ffffc302`8d65df20 fffff802`3300770b : ffffaf82`24fbef48 00007ff4`ec0b2000 00000000`00000040 00007ff4`ec0b2000 : nt!MiCopyToCfgBitMap+0x158 ffffc302`8d65e000 fffff802`33006904 : ffff479c`4d11f9e7 00000000`00000000 00007ff9`e0481000 fffff802`330b352d : nt!MiPopulateCfgBitMap+0xbb ffffc302`8d65e0b0 fffff802`33002272 : 00000000`00000000 fffff802`32cfb8d7 00000000`00000000 00000000`00000003 : nt!MiMarkPrivateOpenCfgBits+0x30 ffffc302`8d65e0f0 fffff802`33002150 : 00000000`00000000 ffffc302`8d65e154 ffffc302`8d65e15c ffffc302`8d65e150 : nt!MiMarkProcessCfgBits+0x46 ffffc302`8d65e120 fffff802`32ff83ef : 00000000`00000020 ffffc302`8d65e4b0 00007ff9`e0480fff ffffaf82`1b01e300 : nt!MiCommitVadCfgBits+0x170 ffffc302`8d65e1a0 fffff802`33096f6f : ffffaf82`1b01e340 ffffaf82`217a2340 ffffc302`8d65e318 ffffc302`8d65e328 : nt!MmProtectVirtualMemory+0x53f ffffc302`8d65e2d0 fffff802`32e08cb5 : ffffffff`ffff0000 00007ff9`e0310550 ffffc302`8d65e5f0 fffff802`32dfd79e : nt!NtProtectVirtualMemory+0x1bf ffffc302`8d65e3c0 fffff802`32dfb100 : fffff802`37fdb482 00000001`00010000 00000000`00000000 ffffc302`8d65e5f0 : nt!KiSystemServiceCopyEnd+0x25 ffffc302`8d65e5c8 fffff802`37fdb482 : 00000001`00010000 00000000`00000000 ffffc302`8d65e5f0 00000000`00000a00 : nt!KiServiceLinkage ffffc302`8d65e5d0 fffff802`37fde590 : ffffffff`80003794 00007ff9`e0480000 00000000`00001000 fffff802`37fe8220 : cmdcss+0xb482 ffffc302`8d65e610 fffff802`37fde19c : 00000000`0000000f 00000000`00000000 ffffffff`80003794 00000000`00002c38 : cmdcss+0xe590 ffffc302`8d6606b0 fffff802`37fddb80 : ffffaf82`1ac07000 00000000`00000000 00000000`00002c38 00000000`00002c38 : cmdcss+0xe19c ffffc302`8d6606e0 fffff802`37fd522e : ffffaf82`1ac07010 ffffaf82`22f9f3a0 fffff802`336ec530 00000000`00000a90 : cmdcss+0xdb80 ffffc302`8d660710 fffff802`37fd7797 : ffffaf82`1ac07010 00000000`00000000 ffffaf82`1a1651d0 ffffaf82`00000000 : cmdcss+0x522e ffffc302`8d660740 fffff802`33002a91 : ffffc302`8d6607c0 ffffc302`8d6607e9 ffffaf82`00000000 ffffaf82`1a1651d0 : cmdcss+0x7797 ffffc302`8d660780 fffff802`330ae9c2 : ffffffff`00000000 ffffc302`8d661560 ffffc302`8d660e01 ffffaf82`21f042b0 : nt!PspCallProcessNotifyRoutines+0x255 ffffc302`8d660850 fffff802`3301577d : ffffaf82`2220a080 ffffaf82`217a2340 ffffc302`8d660fe0 ffffc302`8d660eac : nt!PspInsertThread+0x68e ffffc302`8d660910 fffff802`38a6b4bb : 00000000`00000000 ffffaf82`1cc27080 ffffc302`8d661c00 fffff802`38a6c593 : nt!NtCreateUserProcess+0xddd ffffc302`8d6615e0 fffff802`38a6a679 : ffff918d`7cd73000 fffff802`38a6a4d0 ffffc302`8d661cc0 ffff918d`7932b2a0 : SbieDrv+0x1b4bb ffffc302`8d6616a0 fffff802`38a51dd8 : ffff918d`7cd730d0 ffffc302`8d661cc0 ffffc302`8d661c40 00000000`00bd0f03 : SbieDrv+0x1a679 ffffc302`8d661990 fffff802`330750d2 : 00000000`00222007 fffff802`38a51c20 ffffaf82`20c92250 ffffaf82`20c92250 : SbieDrv+0x1dd8 ffffc302`8d661a20 fffff802`33074d36 : 00690056`005c0073 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x382 ffffc302`8d661b60 fffff802`32e08cb5 : 00000000`00000000 00000000`00000000 00000000`00000000 00007ff6`9e236260 : nt!NtDeviceIoControlFile+0x56 ffffc302`8d661bd0 00007ff9`e030ce4f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 00000041`c61fce58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`e030ce4f STACK_COMMAND: .trap 0xfffff80236c8ae50 ; kb SYMBOL_NAME: cmdcss+e590 MODULE_NAME: cmdcss IMAGE_NAME: cmdcss.sys BUCKET_ID_FUNC_OFFSET: e590 FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_cmdcss!unknown_function OS_VERSION: 10.0.19041.1 BUILDLAB_STR: vb_release OSPLATFORM_TYPE: x64 OSNAME: Windows 10 FAILURE_ID_HASH: {c4aaf988-8a8c-59e0-efbd-55c965e727f1} Followup: MachineOwner --------- ```Sandboxie configuration
My initial sandboxie.ini settings
``` [GlobalSettings] FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX% SeparateUserFolders=y KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX% IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION% NetworkEnableWFP=n EnableObjectFiltering=n EditAdminOnly=n ForceDisableAdminOnly=n ForgetPassword=n Template=WindowsRasMan Template=WindowsLive Template=OfficeLicensing Template=ComodoInternetSecurity ForceDisableSeconds=2000 [UserSettings_028E00D9] SbieCtrl_AutoStartAgent=SandMan.exe SbieCtrl_EnableAutoStart=y [DefaultBox] Enabled=y AutoRecover=n BlockNetworkFiles=y RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}% RecoverFolder=%Personal% RecoverFolder=%Desktop% BorderColor=#00FFFF,ttl Template=OpenBluetooth Template=SkipHook Template=FileCopy Template=qWave Template=BlockPorts Template=LingerPrograms Template=Chrome_Phishing_DirectAccess Template=Firefox_Phishing_DirectAccess Template=AutoRecoverIgnore ConfigLevel=9 [Vivaldi] Enabled=y AutoRecover=n BlockNetworkFiles=y RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}% RecoverFolder=%Personal% RecoverFolder=%Desktop% BorderColor=#00FFFF,ttl Template=Vivaldi_Force Template=OpenBluetooth Template=SkipHook Template=FileCopy Template=qWave Template=BlockPorts Template=LingerPrograms Template=Chrome_Phishing_DirectAccess Template=Firefox_Phishing_DirectAccess Template=AutoRecoverIgnore ConfigLevel=9 UsePrivacyMode=n ```