Xbox Gamepad controller not working in hardened security sandbox

[bwayan]

Describe what you noticed and did

Hello guys

I just subscribed to the support and I wanted to activate security enforcement protection on my sandboxes for my games. However, when I switch from "standard" (yellow color) to orange/red ones ... it is impossible to play with my controller anymore.

If I go back to standard or blue one, working again.

I do not know on what additional information I shall share. Windows 11 64 bits Sandboxie v1.3.2

I get this error in the logs

SBIE2112 Non accessible object : \Device\Afd\Endpoint, call CreateFile (C0000022) access=0016019F initialized=1

How often did you encounter it so far?

No response

Affected program

Any programs which requires the controlpad

Download link

N/A

Where is the program located?

Not relevant to my request.

Expected behavior

N/A

What is your Windows edition and version?

Windows 11 64 bit

In which Windows account you have this problem?

I use the built-in Administrator account.

Please mention any installed security software

N/A

What version of Sandboxie are you running?

1.3.2

Is it a new installation of Sandboxie?

I have been using the same version for some time.

Is it a regression?

No response

In which sandbox type you have this problem?

In a Hardened sandbox (red sandbox icon).

Can you reproduce this problem on an empty sandbox?

I can confirm it also on an empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

[Luro223]

@bwayan as you're using the hardened sandbox, you need to add Xbox Gamepad controller manually in [sandbox]

[bwayan]

Thanks @Luro223

I tried to add IPC Path \Device\Afd\Endpoint* but it did not work. Do you have any reference on how to add a controller to hardened sandbox?

Thanks

[Simba98]

Thanks @Luro223

I tried to add IPC Path \Device\Afd\Endpoint* but it did not work. Do you have any reference on how to add a controller to hardened sandbox?

Thanks

\Device\Afd\Endpoint* is for network, so it may not solve the Gamepad issue.

I think the needed sandboxie config is related to if you connect the Xbox Gamepad via Bluetooth or USB cable. Compare with normal sandbox (Yellow box), I think some IPC is all the yellow box needed.

And you may refer to use Trace Log to Debug it by yourself.

[Luro223]

@bwayan Have you tried Kernel Mode Object Filtering?

[bwayan]

Hello @Simba98

The gamepad is on USB only. As requested I activated it, but there is no many logs (registry, etc) that I do not know exactly where to look at I filtered on RtClass and found these:

|Type| |Status| |Value| |Count|

RtClass Windows.Gaming.Input.RawGameController 1
RtClass Windows.ApplicationModel.Core.CoreApplication 2
RtClass Windows.Gaming.Input.Custom.GameControllerFactoryManager 2
RtClass Windows.Gaming.Input.Gamepad 2
RtClass Windows.UI.Core.CoreWindow 2

Key \registry\machine\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\OEM\VID_045E&PID_028E 1 Ipc \GLOBAL??\USB#VID_045E&PID_028E#0F98F1A#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} 160 ==> found that one after checking properties of my controller in controlpanel (USB#VID_045E&PID_028E)

But I have no idea on what to do

edit: tried to open IPC on path \GLOBAL??\USB#VID_045E&PID_028E#0F98F1A#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} but it did not make a change

[Luro223]

@bwayan I don't have similar issue with my USB gamepad so I don't know how I can reproduce the issue

[Luro223]

I think we need the same model of gamepad and same drivers as well

[Luro223]

You can try to post the gamepad's driver here, maybe Isaak knows what to do with him.

[Luro223]

@bwayan how are the results?

[bwayan]

Hello @Luro223

Sorry for the late reply, busy days at work :) I have a Xbox 360 USB controller for PC Windows.

Connected to Port#0003.Hub#0002

[Luro223]

@bwayan Try to enable monitoring mode for tracelog and com, gui, ipc, reg-keys, pipe, file access checked and post tracelog here then and show

[bwayan]

log.log

Hello @Luro223

Please find the logs as requested. Many thanks again for your kind help.

[isaak654]

I think you could try to add OpenIpcPath=\Device\USBPDO-* in the sandbox section of your Sandboxie.ini file.

[Luro223]

@bwayan if your main driver for your XBOX gamepad is \Device\USBPDO-3 then add OpenIpcPath=\Device\USBPDO-* as isaak described above. If you still having issues you need to post your gamepad driver here.

[bwayan]

Hello guys @Luro223 and @isaak654

Added the line, but unfortunately it did not have any effect.

@Luro223 I am sorry to sound dumb, but where to find the gamepad driver? I have that info: xusb22.inf:db04a16ccd17f2b6:CC_Install:10.0.22000.653:USB\VID_045E&PID_028E

[Luro223]

@bwayan installation package for your gamepad driver. You can post it here, I will unpack and check driver.

[bwayan]

Hello @Luro223

As these drivers are part of Windows, the only way I found was via techspot and it is digitally signed by Microsoft

Link here: https://www.techspot.com/drivers/downloadnow/11300/?evp=f14c505783a8b2c7738057292ee18a0e&file=13189

[Luro223]

@bwayan hmm, you're trying to use the win7 driver on win11 if your xbox controller works fine even though these drivers for win7 then try to add following: OpenIpcPath=\GLOBAL??\USB#VID_045E* if still does not work then add this next to above : OpenIpcPath=\Device\USBPDO-*

[bwayan]

Hello @Luro223

Sorry again for the late reply; I was travelling. I tried both beloz but it is still KO unfortunately.

OpenIpcPath=\GLOBAL??\USB#VID_045E if still does not work then add this next to above : OpenIpcPath=\Device\USBPDO- (that one was already active as per @isaak654 recommendation above)

Note: I did not use the installer above as the drivers are already part of Windows 10 /11 natively. I just shared "an installer" if you needed to find the same in there.

[Luro223]

@bwayan

OpenIpcPath=*VID_045E*
OpenIpcPath=\Device\USBPDO-*

[bwayan]

Hello @Luro223

sorry for the late reply, on travel again (now no more travels so I shall reply way faster)

Unfortunately your last proposal did not work. Is there anything else I can do to give you clues?

[Luro223]

@bwayan I don't think I can help you in this case. I don't have the compatible xbox controller and I can't emulate the controller. I can't reproduce the issue in any way. Try to do OpenIpcPath=* as a check, if this does not work, then there is no workaround for your case.

[bwayan]

Hello @Luro223

Unfortunately, even that one does not work. Would it mean it does not use IPC but something else?

[DavidXanatos]

There must be a workaround we only need to figure out what path to open, hardened boxes don't lock down IPC much more, but the general driver endpoint access, try, instead of opting for hardened box, to use the individual options, syscall lockdown and driver/device restrictions. I think driver/device restrictions is what breaks it, but you need to test it for us to know.

[isaak654]

I think driver/device restrictions is what breaks it, but you need to test it for us to know.

@bwayan In a nutshell, David's suggestion is to disable the "Enable all security enhancements" feature in the hardened sandbox and play with the remaining two sub options in the following screenshot:

[bwayan]

Hello guys @isaak654 and @DavidXanatos

Since first post:

• I have updated from 1.4.2 to 1.5.1
• I have updated Windows 11 to latest patch

Here are my findinds;

• IPC: Authorizing * ==> No effect
• Disabling Enable all (cf screenshot above) but leaving 2 below checked ==> No effect (Sandbox moves from Hardened Red to Sandbox with Data protection BLUE)
• .... buuuuuuuut, If I stay in BLUE (work also in YELLOW) and I only check the first one (second one unchecked) ==> then the xBOX controller is working again

[isaak654]

David just pushed a fix for hardened sandboxes to be released as 1.5.3 / 5.60.3: https://github.com/sandboxie-plus/Sandboxie/commit/52abe8986ec4a175dd54028c7760e15deb080866

Out of curiosity, do you have Smart App Control set as enabled or in evaluation mode?

[DavidXanatos]

I don't think this fix will do aynthing for the xbox controller the SRP device sit for software restriction policies only.

To solve the controller issue please try this how to: https://youtu.be/4k2XoT7VQuc find out which "\device\" path is used by your controller by trying setting the blocked devices to normal until the one is found which is required.

[isaak654]

It can also be reproduced on Windows 10 21H2 x64 as well.

The following lines work for me even after enabling the option Restrict driver/device access to only approved ones:

NormalFilePath=\Device\00000054
NormalFilePath=\Device\USBPDO-*

I had to discard a dozen other devices, so it would probably be better to improve this part in the Trace Log.

[bwayan]

OMG !!!

@isaak654 and @DavidXanatos

NormalFilePath=\Device\00000054
NormalFilePath=\Device\USBPDO-*

Yes it it working with hardened sandbox !!! You rock it.

Will I have to add it manually to all my sandboxes that require my Xbox controller?

[DavidXanatos]

Do you need \Device\00000054 or only \Device\USBPDO-* ?

[isaak654]

They're both needed at the same time (at least on Win 10). About the first entry, wouldn't it be possible to associate it in the Trace Log with the Hardware ID shown in Device manager?

[bwayan]

Hello @DavidXanatos and @isaak654

on my PC:

NormalFilePath=\Device\00000054 ==> KO if alone
NormalFilePath=\Device\USBPDO-* ==> OK if alone: Xbox controller is working

[isaak654]

So in Windows 10 I need both, while in Windows 11 you only need the last one. Just in case, are you sure that you've already cleaned the previous attempts made here?

[bwayan]

@isaak654

Just in case, are you sure that you've already cleaned the previous attempts made here?

Yes, I rollbacked everytime I was making a new change.

[bwayan]

@isaak654 and @DavidXanatos

Thanks for your time on this. Im closing this issue as it has been Id'd and to keep your github clean ;)

[bwayan]

Hello guys, @isaak654 and @DavidXanatos

Sorry to be a mood killer but I changed my USB controller for a Bluetooth one, and the settings we found before are not working anymore.

I tried to find some workaround, but impossible ...

Btw, I am now running SBP v1.7.2 Rest is the same as above (Windows 11, etc ...)

[isaak654]

Unfortunately, I don't own a Bluetooth controller to test it out.

[bwayan]

Unfortunately, I don't own a Bluetooth controller to test it out.

Is there a way I could search on my own like you found for the wired xbox controller? I tried to run the logs with all settings on, but it is like searching for a needle... unless we know what specifics I should look at

Let me know on how I could help :)

Based on some google search, the path name should be something like that: NormalFilePath=\Device\BTHLE\DEV_14*

But It is not working (same issue as above, working only in Blue and Yellow sandbox)

edit found the right parameter through PIPE logs: NormalFilePath=\Device\000000d*

@DavidXanatos FYI if you want to add an option for wireless Xbox to be used in hardened box

[DavidXanatos]

I am not sure if that wil fork on all systems a so generic path sounds like when you change the USB port or move to an otehr PC it will have a different number.

[bwayan]

I am not sure if that wil fork on all systems a so generic path sounds like when you change the USB port or move to an otehr PC it will have a different number.

You are right, the path "slightly" change everytime I disconnect / reconnect by Bluetooth pad.

After many attempts, this is the path that is working on a more generic way: NormalFilePath=\Device\00000???

(moved from 6 zero to 5)

[NewKidOnTheBlock]

I've ran into the same problem as @bwayan I'm using an Xbox One controller @ Windows 10 22H2 64bit via USB cable.

Once the option "Restrict driver/device access to only approved ones" is checked, my controller stops working. So I've added these three lines to my box's config:

OpenIpcPath=\Device\USBPDO-*
NormalFilePath=\Device\00000054
NormalFilePath=\Device\USBPDO-*

But no avail :/

[NewKidOnTheBlock]

@bwayan You might be re-inventing the wheel here. There already exists a template for Bluetooth: https://github.com/sandboxie-plus/Sandboxie/issues/799#issuecomment-853983805 Question is why it doesn't work in orange boxes.

[bwayan]

Hello @NewKidOnTheBlock

I only play in hardened box with secured data, hence I have to use these (new lines) in the config.ini:

NormalFilePath=\Device\000000d9 NormalFilePath=\Device\USBPDO-*

I am sure if it works in hardened (red box), it would work in orange box.

What you need to check (if it still does not work) are the PIP logs :)

[NewKidOnTheBlock]

Is there a less painful method to find out the device IDs? Like e.g. in the Hardware Manager? I guess this is being covered by NormalFilePath=\Device\USBPDO-* How do I find out the other device ID?

[bwayan]

Is there a less painful method to find out the device IDs? Like e.g. in the Hardware Manager? I guess this is being covered by NormalFilePath=\Device\USBPDO-* How do I find out the other device ID?

To find the second line, you need to enable logs + filter by IPC (cf my screenshot) Then you need to look for a specific line (starting with \device\ ...

For some programs, it is the same number coming along, for others it varies and you look to find the lowest value (ex: here it would be 00000*)

==> NormalFilePath=\Device\00000*

[NewKidOnTheBlock]

Thanks, that did the trick!

NormalFilePath=\Device\00000073
NormalFilePath=\Device\USBPDO-*

There is a huge problem with this approach, though: The device number changes if you plug your controller into a different USB port. In my case it went from Device 00000073 to 00000075. I half-way expected that, so I plugged the controller back into its original USB port, but now it is known as Device 00000077 (sic!) It's hard to write a rule that consistently works if the device number keep changing every time you plug in the controller.

That's why I modified the code:

NormalFilePath=\Device\0000007*
NormalFilePath=\Device\USBPDO-*

[Cthululz]

Hello guys @isaak654 and @DavidXanatos

Since first post:

* I have updated from 1.4.2 to 1.5.1

* I have updated Windows 11 to latest patch

Here are my findinds;

* IPC: Authorizing * ==> No effect

* Disabling Enable all (cf screenshot above) but leaving 2 below checked ==> No effect (Sandbox moves from Hardened Red to Sandbox with Data protection BLUE)

* .... buuuuuuuut, If I stay in BLUE (work also in YELLOW) and I only check the first one (second one unchecked) ==> then the xBOX controller is working again

omg.. i've never been able to get my dualshock controller to work, but this did the trick! thank you so much!

[NewKidOnTheBlock]

The actual range is larger than I expected. Today, the Xbox Controller had the ID Device\00000060 Funny enough, the USBPDO-* line proved to be unnecessary for reasons I don't comprehend.

So this is my config now to make the USB-driven Xbox Controller work with an Orange Security Box: NormalFilePath=\Device\000000*

[eadmaster]

i'm having a similar issue with Sandboxie Classic v5.69.9, but only with some games (e.g. the recently-released Iron Meat).

where can i add these?

NormalFilePath=\Device\0000007*
NormalFilePath=\Device\USBPDO-*

I've tried in the [DefaultBox] section of Sandboxie.ini, but it seems to have no effect.