Application Compartment: Installers often hang when starting

[CookiePLMonster]

Describe what you noticed and did

First of all, apologies for a shaky bug report like this, but due to the nature of this bug I haven't been able to establish 100% reliable repro steps.

I often use Application Compartments to "isolate" games I install for testing, and unlike with normal Sandboxes, Compartments' lower security isolation usually allows DRM to work correctly. However, I've been facing issues where installers, games, and/or even explorer.exe often fail to start and their processes hang as soon as they are started in the Compartment. Changing to Sandbox type to Default (yellow box) resolves this issue, but then many games with disc-based DRM stop working.

In order to have some repro steps, I'll describe the issue on a redump-verified image of NASCAR Racing 3. However, please do note that this issue is not isolated to installing this particular game and/or to interacting with a virtual mounted ISO - I have been able to observe the same on a secondary PC with a physical disc drive.

1. Mount a game ISO outside of the Sandbox.
2. Create a new Application Compartment at default settings. In INI settings attached below, this environment is called New_Box.
3. Open Explorer inside this Compartment and doubleclick on the mounted drive to run autorun. Accept the UAC prompt. NOTE: "Make applications think they are running elevated" does not resolve this issue.
4. Click Install and notice that the Setup app does not show. Then, once it shows after around 30 seconds, it's stuck at 0%, then 100%, and not responding:
5. Terminate all programs inside the Compartment, change the sandbox type to Default (yellow box) and repeat the steps 3-4. Setup now starts instantly:
6. In the worst case, the above issue can even prevent explorer.exe from starting inside the Compartment, although I have not been able to reproduce this when writing this report.

How often did you encounter it so far?

Most of the time when running installers in a Compartment

Affected program

Many installers, explorer.exe

Download link

I am not able to provide one to avoid piracy - however this particular game image is easy to find on archival websites

Where is the program located?

I tried to install it only inside a sandbox, but I wasn't able to achieve it.

Expected behavior

Application Compartments run installers as intended, same as Default sandboxes.

What is your Windows edition and version?

Windows 10 Pro 22H2

In which Windows account you have this problem?

A local or Microsoft account without special changes.

Please mention any installed security software

Microsoft Defender

What version of Sandboxie are you running?

Sandboxie Plus v1.8.4, v1.9.1. This issue is not new and happened in 1.6.x and 1.7.x too.

Is it a new installation of Sandboxie?

I just updated Sandboxie from a previous version (to be specified).

Is it a regression?

No response

In which sandbox type you have this problem?

In an Application Compartment sandbox with no isolation (green sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

https://www.dropbox.com/s/4r4z9tlyuhnhzf2/sbie-trace.txt?dl=0

Sandboxie.ini configuration

[GlobalSettings]

TemplateReject=WindowsRasMan
TemplateReject=RTSS
TemplateReject=OfficeLicensing
TemplateReject=Logitech_G15_Keyboard
TemplateReject=InternetDownloadManager
TemplateReject=Evernote
TemplateReject=OfficeClickToRun
TemplateReject=WindowsLive
Template=Edge_Fix
Template=7zipShellEx
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
DefaultBox=DefaultBox

[DefaultBox]

ConfigLevel=10
AutoRecover=y
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=BlockPorts
Template=LingerPrograms
Template=Chrome_Phishing_DirectAccess
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#0077ff,ttl,6
Enabled=y
BlockNetworkFiles=y
NotifyInternetAccessDenied=y
CopyLimitKb=357378
BoxNameTitle=n
DropAdminRights=y
FakeAdminRights=y
UseSecurityMode=y

[UserSettings_10E60270]

SbieCtrl_UserName=adrian
SbieCtrl_NextUpdateCheck=1658336990
SbieCtrl_UpdateCheckNotify=n
SbieCtrl_ShowWelcome=n
SbieCtrl_WindowCoords=1308,151,656,449
SbieCtrl_ActiveView=40021
SbieCtrl_ProcessViewColumnWidths=249,70,300
SbieCtrl_EnableLogonStart=n
SbieCtrl_EnableAutoStart=y
SbieCtrl_AddDesktopIcon=y
SbieCtrl_AddQuickLaunchIcon=n
SbieCtrl_AddContextMenu=y
SbieCtrl_AddSendToMenu=y
SbieCtrl_ExplorerNotify=n
SbieCtrl_AutoApplySettings=n
SbieCtrl_HideWindowNotify=n
SbieCtrl_ExplorerWarn=n
SbieCtrl_TerminateWarn=n
SbieCtrl_ShouldDeleteNotify=n
SbieCtrl_BoxExpandedView=AquaNox,DefaultBox,GameMaker81,MaxIsolation,MGS2,NESTools,TrainTown
SbieCtrl_AutoStartAgent=SandMan.exe
BoxDisplayOrder=AquaNox,DefaultBox,GameMaker81,GTA,MaxIsolation,MGS2,NESTools,TrainTown,InstallShield,Rally_Championship_Xtreme_Demo
SbieCtrl_HideMessage=2227, Screamer_4x4 (H:\Sandbox\Adrian\Screamer_4x4)
SbieCtrl_HideMessage=2227, TOCA_Race_Driver (F:\Sandbox\Adrian\TOCA_Race_Driver)
SbieCtrl_HideMessage=2203, *GUIPROXY_00000001; MsgId: 9 - explorer.exe [C0000034]

[New_Box]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00fd00,ttl,6
Template=RpcPortBindingsExt
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UseFileDeleteV2=y
UseRegDeleteV2=y
AutoRecover=y
BoxNameTitle=n
CopyLimitKb=81920
DropAdminRights=y
NoSecurityIsolation=y
FakeAdminRights=y

[isaak654]

I think #2783 is another way to reproduce this issue.

[CookiePLMonster]

Might be a superset of the same issue - since in my case dropping admin rights makes no difference, unlike in the linked issue.

[CookiePLMonster]

Updated the issue to clarify that v1.9.1 released yesterday does not resolve this issue.

[DavidXanatos]

interesting you could follow the following steps to debug it further,

Step 1 (optional): Open your Sandboxie-Plus.ini and add the following section

[DebugOptions]
Option01=OriginalToken|y|Keep the original unrestricted tocken
Option02=CreateToken|y|Create a new token
Option03=ReplicateToken|y|Replicate token from original
Option04=OpenToken|x|Use a unrestricted and unfiltered token dupliate
Option05=UnrestrictedToken|y|-Don't restrict the sandboxed toke
Option06=KeepTokenIntegrity|y|--Keep token integrity level
Option07=UnstrippedToken|y|--Don't strip the sandboxed toke
Option08=KeepUserGroup|y|---Keep user group
Option09=AnonymousLogon|n|--Don't set the anonymouse SID
Option10=UnfilteredToken|y|-Don't filter the original token
Option11=NoSysCallHooks|y|Don't hook system calls
Option12=NoSandboxieDesktop|y|Don't proxy desktop operations
Option13=NoSandboxieConsole|y|Don't proxy console creation
Option14=DisableComProxy|y|Don't proxy COM operations
Option15=DisableBoxedWinSxS|y|Disable Boxed WinSxS
Option16=NoSandboxieRpcSs|y|Disable Boxed RpcSS
Option17=NoSecurityFiltering|x|Disable Filtering
Option18=DisableFileFilter|y|-Disable File Filter
Option19=DisableKeyFilter|y|-Disable Key Filter
Option20=DisableObjectFilter|y|-Disable Object Filter

and restart sandman.exe, once you did that you shoudl get a new advanced tab

Step 2, you can set those options also in the sandboxie.ini manually but the UI makes it easier

compartment mode is roughly equivalent to the following preset

first test if with this options set on a default box the behavior improves, this would show that the issue is with some specific compartment mode optimization and not the core operation principle.

you can also test an other insecure configuration

in the UnrestrictedToken group you can instead of the top item also try selecting only selected sub items.

Please note that some of the option combination may make the box unable to run anything so its expected that some combinations are thoroughly broken.

[CookiePLMonster]

Thanks for a quick reply!

The test went as follows. All configs turned the sandbox icon purple and the type to NOT SECURE, so it's a good indicator the changes were made.

• Config 1 (first screenshot) - the test installer does work, but the startup was extremely slow (3 minutes), to the extent where it passed through at the time I was typing this very response as "does not work".
• Config 2A (second screenshot, top item selected, sub items not selected) - same as above, the installer took ~3 minutes to open.
• Config 2B (second screenshot, top item not selected, sub items selected) - same as above, the installer took ~3 minutes to open.

Having observed those results, I went back to normal Compartments - and sure enough, what I initially called "fail to start" is actually a very slow startup - just like with the above settings, the installer does eventually start, but just like with above tests, it takes around 3 minutes to spin up.

Just for a good measure and to verify a newly upgraded v1.9.1, I verified that the default yellow sandbox still works as expected, and it takes just a few seconds for this installer to spin up and go past the screen from my top post.

Those symptoms made me suspect that perhaps it's an incompatibility between Sandboxie and Macrium Reflect that installs its own filesystem filter driver - however, it's unlikely, since I can reproduce the same issue on my secondary PC that has never seen Macrium on its drive.

[DavidXanatos]

@CookiePLMonster could you please provide me a example installer by email which is affected so that i can debug this issue myself

[CookiePLMonster]

Done!

[CookiePLMonster]

Hello, is there any update regarding this issue? I'm continuously running into this issue still, this time with a msi installer. Running a v1.12.7 build at the time of writing this post.