Msi file creates item to registry with wrong path, if run in sandboxie.

[RisingYoung-Learn]

Describe what you noticed and did

I made a TestService.msi installer (download address: https://github.com/RisingYoung-Learn/TestShare/blob/main/TestService.msi) writing items to registry with path as below:

HKEY_CURRENT_USER\Software\ABC\Test1
HKEY_LOCAL_MACHINE\Software\ABC\Test2

(1) When I ran TestService.msi out of sandboxie, items were written in the registry as follow:

HKEY_CURRENT_USER\Software\ABC\Test1
HKEY_LOCAL_MACHINE\Software\ABC\Test2

(2) Ran TestService.msi in the sandboxie, items were written in the registry is as follows:

HKEY_USERS\Sandbox_Administrator_DefaultBox\user\.DEFAULT\Software\ABC\Test1
HKEY_USERS\Sandbox_Administrator_DefaultBox\machine\software\ABC\Test2

According to the conversion rules, right items paths should be as follows:

HKEY_USERS\Sandbox_Administrator_DefaultBox\user\current\Software\ABC\Test1
HKEY_USERS\Sandbox_Administrator_DefaultBox\machine\software\ABC\Test2

Advanced Installer msi code： https://github.com/RisingYoung-Learn/TestShare/blob/main/TestService.aip

How often did you encounter it so far?

Appears every time you use.

Affected program

Not relevant

Download link

https://github.com/RisingYoung-Learn/TestShare/blob/main/TestService.msi

Where is the program located?

The program is installed only inside a sandbox (NOT in the real system anyway).

Expected behavior

According to the conversion rules, right items paths should be as follows:

HKEY_USERS\Sandbox_Administrator_DefaultBox\user\current\Software\ABC\Test1
HKEY_USERS\Sandbox_Administrator_DefaultBox\machine\software\ABC\Test2

What is your Windows edition and version?

Windows Server 2016 Standard [Version 1607 (OS Build 14393.5006)]

In which Windows account you have this problem?

A local or Microsoft account without special changes.

Please mention any installed security software

Windows Defender

What version of Sandboxie are you running?

Sandboxie plus 1.8.3 64

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

No response

In which sandbox type you have this problem?

In an Application Compartment sandbox with no isolation (green sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

#
# Sandboxie configuration file
#

[GlobalSettings]
DefaultBox=DefaultBox
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
#Template=WindowsRasMan
#Template=WindowsLive
#Template=OfficeLicensing
#Template=OfficeClickToRun
#Template=AdobeLicensing
#Template=7zipShellEx
Template=WindowsRasMan
Template=WindowsLive
Template=OfficeLicensing
Template=AdobeLicensing
Template=7zipShellEx

[UserSettings_4BC00582]
SbieCtrl_AutoStartAgent=SandMan.exe
SbieCtrl_EnableAutoStart=y

[DefaultBox]
Enabled=y
BlockNetworkFiles=y
BorderColor=#00FFFF,ttl
Template=OpenProtectedStorage
Template=RpcPortBindingsExt
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
#UseFileDeleteV2=y
#UseRegDeleteV2=y
BoxNameTitle=n
BlockNetParam=n
NotifyProcessAccessDenied=y
CopyLimitKb=-1
MsiInstallerExemptions=y
UnrestrictedSCM=y
RunServicesAsSystem=y
ExposeBoxedSystem=y
StripSystemPrivileges=n
OpenDevCMApi=y
OpenSamEndpoint=y
OpenLsaEndpoint=y
DontOpenForBoxed=n
ClosedFilePath=<BlockNetDevices>,InternetAccessDevices
RpcMgmtSetComTimeout=n
AlwaysCloseForBoxed=n

[isaak654]

https://github.com/sandboxie-plus/Sandboxie/issues/2373#issuecomment-1434859024

[RisingYoung-Learn]

#2373 (comment)

Hello! I have read #2373 and I understand the registry isolation feature. Now the problem is after registry isolation, the path in RegHive file is wrong.

Wrong path:

HKEY_USERS\Sandbox_Administrator_DefaultBox\user\.DEFAULT\Software\ABC\Test1
HKEY_USERS\Sandbox_Administrator_DefaultBox\machine\software\ABC\Test2

Right path:

HKEY_USERS\Sandbox_Administrator_DefaultBox\user\current\Software\ABC\Test1
HKEY_USERS\Sandbox_Administrator_DefaultBox\machine\software\ABC\Test2

[RisingYoung-Learn]

I suspect this is an error when the msi installs the app in the sandboxie.

[DavidXanatos]

Well HKEY_USERS\.DEFAULT corresponds to \REGISTRY\USER\.DEFAULT its a reg hive of its own and not related to HKEY_CURRENT_USER so putting .DEFAULT stuff to HKEY_USERS\Sandbox_Administrator_DefaultBox\user\current\ would be wrong as well. Sandboxie maps the .DEFAULT path under its user path, as long as the mapping works its not relevant where the key physically resides. Or am I missing some faulty edge case?

[RisingYoung-Learn]

Sorry, I didn't express clearly.

Run TestService.msi outside Sandboxie (PS: not run in Sandboxie, run directly on the operating system), the registry path written is: HKEY_CURRENT_USER\Software\ABC\Test1 HKEY_LOCAL_MACHINE\Software\ABC\Test2

According to the Sandboxie registry isolation function, when running TestService.msi in Sandboxie, the registry path written should be: HKEY_USERS\Sandbox_Administrator_DefaultBox\user\current\Software\ABC\Test1 HKEY_USERS\Sandbox_Administrator_DefaultBox\machine\software\ABC\Test2

However, running TestService.msi in Sandboxie 1.8.2, the registry path actually written is: HKEY_USERS\Sandbox_Administrator_DefaultBox\user\.DEFAULT\Software\ABC\Test1 HKEY_USERS\Sandbox_Administrator_DefaultBox\machine\software\ABC\Test2

So, I don't think there should be a .DEFAULT item.

[DavidXanatos]

I see Will check this out, asap, this indeed does not look right on a first glace

[DavidXanatos]

Sorry for taking so long to check this out, when testing with 1.10.x and your msi file i get the result as expected HKEY_USERS\Sandbox_DefaultBox\user\current\Software\ABC\Test1 HKEY_USERS\Sandbox_DefaultBox\machine\software\ABC\Test2

could you please re test if the issue is still present.