Open Tragen opened 4 years ago
I haven't looked into it yet, but I would assume that Windows's own file/registry virtualization used for UWP Apps may be an issue.
To be honest the entire modern side of windows 10 is something I try to avoid as much as possible, hence it kinda have negative priority. And we have enough windows 10 bugs not related to UWP.
But that said, it surly can be added just idk. when there will be free time to spent on that.
But that said, it surly can be added just idk. when there will be free time to spent on that.
Could you please add a feature to apply to every UWP app without repeatedly adding ForceProcess or ForceFolder?
Sandboxie Plus 1.0.6 added the ability to run Win32 store apps in App Compartment mode, but it doesn't cover UWP apps yet.
@DavidXanatos do you have an estimation when we will have this feature?
There is no ETA on this its not high priority
A contributor certificate in exchange for a pull request to provide initial UWP compatibility would definitely be helpful.
Right-click options in Windows 11 are missing
Any updates on this? I saw somewhere that you could possibly install through PowerShell but I can’t find it now. Would be incredibly helpful to install or run UWP apps in this.
I wonder why this is low priority, as more and more programs are moving to Microsoft Store Apps. This is especially frustrating for more and more programs that can't be installed without the Store and therefore cannot be sandboxed at all (pretty famous example: Xodo PDF Reader, running the .exe in a Sandbox get's me a SharedLibrary.dll Error)
I'm surprised this hasn't been explored in more depth already, seeing as how much overlap there is in both goal and execution of Sandboxie and UWPs. The reason UWPs don't work sandboxed is because they are built around the AppContainer format, which itself is a Windows sandbox (https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation). I'm guessing there's something about the AppContainer sandbox that doesn't like to run inside another software sandbox like SBIE.
On a related note, Adobe Acrobat has a setting under Preferences > Security (Enhanced) > Sandbox Protection > Run in AppContainer. If you enabled this setting, then try to open a PDF in Protected View in Sandboxie, you should get an error. Opening it outside of Sandboxie should not throw an error.
It would be cool if AppContainers/UWPs were supported, especially since Microsoft is pushing for this to be the standard format for executables moving forward. Older Win32 apps can be recompiled to operate inside AppContainers with relatively little effort, so I expect them to become more and more ubiquitous as time goes on.
EDIT: I know Sandboxie has configs like dropAppContainerToken
and fakeAppContainerToken
, but it was unclear to me from the documentation whether the term was actually referring to MS AppContainers, or whether it was being used as an alias for SBIE App Compartments...
its fully store app support??, i wanna clone whatsapp / game from windows store
Wait... UWP apps are mostly sandboxed by windows already.
A contributor certificate in exchange for a pull request to provide initial UWP compatibility would definitely be helpful.
I don't know if it's worth a contributor cert, but I think I required a workaround for MSIX Store apps, a workaround which doesn't necessarily require a PR or any code changes...
I definitely think UWP apps fail due to some conflict with MS AppContainers, but not all programs that are packaged with MSIX are containerized. However, many of them will still fail. This is because the MSIX package installer installs programs in the WindowsApps directory, which only privileged system processes can access; not even local admin accounts can access it (admins can forcibly grant themselves access permission, but changing the ICACLS permissions for WindowsApps can cause major system instability.
Since Sandboxie can't access WindowsApps, it returns System error code: Access is denied. (5)
The simple solution is to run Sandboxie with system-user privileges. (I believe this is different than running it in the system-user context like a scheduled task could do. In that scenario, the program would not be visible or interactable!)
The easiest way to do this is to download PSEXEC and run psexec -i -s "C:\Program Files\Sandboxie-Plus\SandMan.exe"
Voila, system-privileged Sandman!
(I tested this on Zenbreak, but it should work for any Windows Store app that can't be sandboxed due to an Access Denied error.)
@DavidXanatos @offhub Here's the thing, though. I have NO idea what the unintended consequences might be of running Sandboxie with system privileges instead of admin or standard user. I think every user here trusts Sandboxie to be safe, otherwise we wouldn't be using it, but I don't have a clue whether these elevated privileges might make Sandboxie a vector for some sort of attack. If it's safe, then I think my workaround could be recommended. (If it isn't, well, I offer it as inspiration - idk maybe you senior folks can figure out how to make a "system privileged sandbox token" or something that doesn't require elevating the entire app.)
Anyway, what do you think?
I don't know if it's worth a contributor cert, but I think I required a workaround for MSIX Store apps, a workaround which doesn't necessarily require a PR or any code changes...
I would like to clarify one thing once and for all: I'm not interested, nor will I be in the future, in any of your requests, as you tend to use personal mentions quite often than I would prefer (and for which I have modified your comment accordingly).
once and for all: I'm not interested, nor will I be in the future, in any of your requests
Really sorry man, I didn't know it bugged you. Just trying to help out a community project..
Really need this feature, especially for communication apps like WhatsApp, Facebook, Messenger, etc.
Really need this feature, especially for communication apps like WhatsApp, Facebook, Messenger, etc.
kinda offtopic: all those can be run in web browser and i'd recommended so to minimize the access they have to your computer (even with sandboxie, they still have access to all your files). i recommend a different browser profile for meta apps so that they don't track you cross-site.. or at least block 3rd party cookies with a combination of extensions: ublock+ privacy badger or even noscript/umatrix. Browsers nowadays have this option as well in their settings.
those can run in web browser and it's recommended to run them so
I consider this as a workaround, not an actual solution. This is also not a universal solution and only works for some apps. I have some communication apps; they don't support web browsers. This is also quite inconvenient, now I need to manage many browser profiles and confusing which account on which profile. Dual app and second space features on Android are so cool. I cannot leave without it. If Android device is so powerful as a PC/laptop, I even want to remove the limitation of "dual app" to "unlimited app".
those can run in web browser and it's recommended to run them so
I consider this as a workaround, not an actual solution. This is also not a universal solution and only works for some apps. I have some communication apps; they don't support web browsers. This is also quite inconvenient, now I need to manage many browser profiles and confusing which account on which profile. Dual app and second space features on Android are so cool. I cannot leave without it. If Android device is so powerful as a PC/laptop, I even want to remove the limitation of "dual app" to "unlimited app".
you can name the profiles and set colors (eg. in brave) you can even pin the profiles to task bar to quickly open them (eg. one profile for all Meta related apps). on android there is no multiple profiles currently (only work profile as set by the OS). There is a workaround https://gist.github.com/Akianonymus/1fb3c040080f79e7a015c7948e874499 and a tracking issue https://github.com/oasisfeng/island/issues/107
I can give you a hint if you want on how to pin the profiles to task bar like a pro in brave.
you can name the profiles and set colors (eg. in brave) you can even pin the profiles to task bar to quickly open them (eg. one profile for all Meta related apps).
Thank you for the help offer. I know how to do all with browser profiles. But as I wrote, I have some apps, which don't work with browsers, so this workaround will not work anyway.
On android, I have dual app and second space feature natively, so I neither need workaround with browser profiles.
What's the current development of UWP support
Is it planned?
Remember, if you successfuly implement UWP support, potentially we could achieve cross-platform UWP support on any OS since Wine could also be updated to install and use sandboxie to execute modern Windows Apps ✨
It's like a dream come true
And discontinued versions of Windows could also execute appx in that case ✨
Since Sandboxie can't access WindowsApps, it returns System error code: Access is denied. (5)
The simple solution is to run Sandboxie with system-user privileges. (I believe this is different than running it in the system-user context like a scheduled task could do. In that scenario, the program would not be visible or interactable!)
The easiest way to do this is to download PSEXEC and run
psexec -i -s "C:\Program Files\Sandboxie-Plus\SandMan.exe"
...
I don't have a clue whether these elevated privileges might make Sandboxie a vector for some sort of attack. If it's safe, then I think my workaround could be recommended. (If it isn't, well, I offer it as inspiration - idk maybe you senior folks can figure out how to make a "system privileged sandbox token" or something that doesn't require elevating the entire app.)
Can anyone clarify if running Sandboxie with System privileges is a safe/viable option here?
What's the current development of UWP support
Is it planned?
A link to the roadmap is available in the project history.
More specifically:
What is the reason that Sandboxie isn't working with apps from the Microsoft Store? Is it possible to improve Sandboxie so that it also works with Store apps?