sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

UI: Setting "Allow MSIServer..." reverts on Apply in Sandbox Options dialog #3848

Closed typpos closed 4 months ago

typpos commented 4 months ago

Describe what you noticed and did

Unable to check and apply "Drop rights" and "Allow MSIServer to run with a sandboxed system token". On clicking Apply, the dialog reverts "Allow MSIServer..." to unchecked. The ini section does not contain "MsiInstallerExemptions=y".

Repro:

Actual:

Expected:

Workaround:

How often did you encounter it so far?

Always

Expected behavior

Both settings are applied.

Affected program

n/a

Download link

n/a

Where is the program located?

Not relevant to my request.

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

1.13.4

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression from previous versions?

No response

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Win 11 Pro

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

MS Defender only

Did you previously enable some security policy settings outside Sandboxie?

no

Trace log

No response

Sandboxie.ini configuration

BEFORE:

Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#02f6f6,ttl,6
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UseFileDeleteV2=y
UseRegDeleteV2=y
AllowNetworkAccess=!<InternetAccess>,n
BlockInterferePower=n
ForceProtectionOnMount=n

AFTER:

Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#02f6f6,ttl,6
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UseFileDeleteV2=y
UseRegDeleteV2=y
AllowNetworkAccess=!<InternetAccess>,n
BlockInterferePower=n
ForceProtectionOnMount=n
DropAdminRights=y

typpos commented 4 months ago

https://github.com/sandboxie-plus/Sandboxie/assets/28550406/32985a66-3e66-4f49-9f5a-1a172a0fd9df

offhub commented 4 months ago

Bug or intentional behavior? https://github.com/sandboxie-plus/Sandboxie/blob/0492d8bf29ce60ea3e889a600a4826d22ecb6923/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp#L827

typpos commented 4 months ago

The repro and the workaround are in conflict, so at least one is a bug.

Topaz Gigapixel trial does not install when "Drop rights" and "Make applications think.." are checked. It also needs "Allow MSI..", so my take is that the repro-case is the bug.

DavidXanatos commented 4 months ago

It's intentional to not be able to enable "MsiInstallerExemptions=y" together with "DropAdminRights=y". If MSI Installer Exemptions are required, Drop Admin Rights should be disabled first.

typpos commented 4 months ago

> It's intentional

Ok. Helps me understand it better, and it turns out to be sufficient to uncheck "Drop Rights" for "Topaz Gigapixel Trial" to install successfully. Thank you.

As this is intentional, it might be helpful to address these..

  1. Create New Box dialog creates inconsistent ini:

    • Create new box dialog
    • "Standard Box"; "Configure Advanced"; ... next .. next .. check "Make applications think" as well as "Allow MSI..." .. next .. finish
    • Open Sandbox Options > Security
    • All 3 values are checked (That's actually why I thought it should be ok)
  2. Sandbox option dlg > Security lets me set all 3 options if I save "Allow MSIInstaller" and afterwards check and save "drop rights". (the workaround above).

  3. If I edit the ini (Sandbox Options > Edit ini Section), I can set all 3 options and nothing will complain or clean up the settings to make them consistent later and the dialog happily accepts the inconsistency.

I'm fine with it as it is, so this could be closed.
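
The combination the thread describes (a box whose ini section carries both "DropAdminRights=y" and "MsiInstallerExemptions=y", for example after a manual edit) can be checked for outside the UI. The script below is an added example, not code from the Sandboxie project: it assumes the ini file is UTF-16 with a BOM or else UTF-8, it does not resolve settings inherited through Template= lines, and the sample boxes are constructed.

```python
import re

# Keys named in the issue; per the maintainer they must not both be enabled.
CONFLICT = ("dropadminrights", "msiinstallerexemptions")
SECTION = re.compile(r"^\[(.+)\]$")

def decode_ini(raw: bytes) -> str:
    """Assumption: the file is UTF-16 with a BOM, or UTF-8 otherwise."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_sections(text: str) -> dict:
    """Map section -> {lowercased key: [values]}; repeated keys are kept."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION.match(line)
        if match:
            current = sections.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def is_enabled(settings: dict, key: str) -> bool:
    """Conservative: count the key as on if any of its lines is set to y."""
    return any(v.lower() == "y" for v in settings.get(key, []))

def find_conflicts(raw: bytes) -> list:
    """Names of sections that enable both conflicting keys directly."""
    boxes = parse_sections(decode_ini(raw))
    return [name for name, settings in boxes.items()
            if all(is_enabled(settings, key) for key in CONFLICT)]

# Constructed sample, not taken from the issue: three hypothetical boxes.
SAMPLE = (
    "[BoxDropOnly]\nEnabled=y\nConfigLevel=10\nDropAdminRights=y\n\n"
    "[BoxHandEdited]\nEnabled=y\nDropAdminRights=y\nMsiInstallerExemptions=y\n\n"
    "[BoxMsiOnly]\nEnabled=y\nDropAdminRights=n\nMsiInstallerExemptions=y\n"
).encode("utf-16")

if __name__ == "__main__":
    for box in find_conflicts(SAMPLE):
        print(f"{box}: DropAdminRights=y together with MsiInstallerExemptions=y")
```

To audit a real installation, pass the bytes of the ini file to `find_conflicts` instead of `SAMPLE`.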