sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0
12.89k stars, 1.44k forks

Reduced performance and FPS in games started in standard sandbox #3977

Open crichardsgy opened 4 weeks ago

crichardsgy commented 4 weeks ago

Describe what you noticed and did

A select few games that I run from within a Standard Sandbox suffer from a large FPS loss. The games I tested are Cyberpunk 2077, Dying Light 2, and Sons of the Forest. For example, when running Cyberpunk unsandboxed or within a security hardened or app compartment sandbox I get around 86 FPS. However, when I run it in a standard sandbox I'm limited to around 33 FPS. Perhaps I'm missing a certain configuration that is pre-configured on the other sandbox types.

How often did you encounter it so far?

Every time I run the specified programs.

Expected behavior

The performance should be similar regardless of the sandbox.

Affected program

Cyberpunk 2077, Sons Of The Forest, Dying Light 2

Download link

Not relevant

Where is the program located?

The program is installed only inside a sandbox (NOT in the real system anyway).

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

Sandboxie Plus v1.13.7

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression from previous versions?

No response

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Windows 11 Pro 23H2

In which Windows account you have this problem?

A local account (Standard user), A local account (Administrator).

Please mention any installed security software

Microsoft Defender

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

No response

Sandboxie.ini configuration

No response

DavidXanatos commented 2 weeks ago

That is most certainly related to some syscall; strange that it is so much better in a Hardened box. Could you please test if a normal box with SysCallLockDown=y also gives you good performance?

crichardsgy commented 2 weeks ago

Hey David, thanks for the response! I just added the option and that fixed it. I tested it with Cyberpunk and the FPS is consistent with the other boxes now.

crichardsgy commented 2 weeks ago

Accidentally marked it as completed, my bad. For my own education though, what does the option do?

DavidXanatos commented 2 weeks ago

I'll have to do some testing with Cyberpunk myself, as it's puzzling why SysCallLockDown=y helps. Under the hood it disables the token impersonation for most syscalls, but I wonder how/why that improves the performance; I suspect it's probably just one syscall or two, but there are like a thousand to try out LOL

DavidXanatos commented 2 weeks ago

I could reproduce the behavior and identify the responsible syscalls, I don't think they need to be run with the original token in a normal sandbox, that said obviously that may be a wrong assumption. Anyhow, to not use SysCallLockDown=y you can edit your Templates.ini, look for DisableWinNtHook=YieldExecution and add

DisableWinNtHook=WaitForSingleObject
DisableWinNtHook=ReleaseSemaphore
DisableWinNtHook=SetEvent
DisableWinNtHook=ClearEvent

This gave me 90 FPS, from previously 30.

EDIT: for this to take effect you need to stop the Sandboxie driver using the maintenance menu and restart it, or just reboot the PC.

I am not sure yet how to proceed best; the current mechanism does not allow making these settings per box, only globally for all boxes.

And any change may break something for some users with particular edge cases, and we don't want that, although as far as I can tell these particular functions only take a handle and don't do any further access checks, so if the handle is OK they should work no matter with which token they are called.

On the other hand, if you don't observe any issues with SysCallLockDown=y then that's even better, as then only a few dozen syscalls are detoured.

Perhaps we should just add a recommendation to use SysCallLockDown=y for boxes with games running in them.

isaak654 commented 2 weeks ago

For my own education though, what does the option do?

SysCallLockDown option is described here: https://sandboxie-plus.github.io/sandboxie-docs/PlusContent/security-mode.html

e-t-l commented 2 weeks ago

Anyhow, to not use SysCallLockDown=y you can edit your Templates.ini, look for DisableWinNtHook=YieldExecution and add

DisableWinNtHook=WaitForSingleObject
DisableWinNtHook=ReleaseSemaphore
DisableWinNtHook=SetEvent
DisableWinNtHook=ClearEvent

After adding these lines to Templates.ini, do we have to do anything else to make them take effect in non-hardened sandboxes, like activate extra templates in those sandboxes' settings? Would it work just as well to add these lines to the default sandbox ini?

DavidXanatos commented 2 weeks ago

After adding these lines to Templates.ini, do we have to do anything else to make them take effect in non-hardened sandboxes, like activate extra templates in those sandboxes' settings? Would it work just as well to add these lines to the default sandbox ini?

Unfortunately these lines must be in the Templates.ini under [SysCallPresets] and the driver loads them only when it's loaded. You can put them in [GlobalSettings].

crichardsgy commented 2 weeks ago

Perhaps we shoudl just add a recommendation to use SysCallLockDown=y for boxes with games running in them

I was thinking this actually, perhaps it could be a checkbox in the options. Next to it could have a little description such as "Fixes performance issues in certain games"

I'm not sure if it's possible or recommended, but maybe a similar GUI approach could be applied to DisableWinNtHook options too. Of course a warning should be placed that it may cause incompatibility for certain cases.

crichardsgy commented 2 weeks ago

Awesome work! I have no idea how you found them, but I just tested Cyberpunk with the DisableWinNtHook options and it works just as well as unsandboxed.

Is there any way for us to find those problematic syscalls? Or to find the ones that a program is calling? I'm still having performance issues with Sons Of The Forest. I assume it'll be a case by case basis to fix this issue without SysCallLockDown=y since different programs might use different calls.

DavidXanatos commented 2 weeks ago

Actually it is quite easy to find: you enable syscall logging in the trace log options and activate the resource access monitor, then switch it to Monitor (not Trace) mode. This gives you a list of all used syscalls and you can sort it by how often they are used. And that's it: you want to pass those that are called the most while not requiring a proper security token. Or, if you don't know whether they do, you try whether disabling them breaks things; if yes, then don't, if no, then fine. All needed instrumentation and logging is part of Sandboxie already :D

DavidXanatos commented 2 weeks ago

PS: I have added a troubleshooting wizard script to enable SysCallLockDown as a mitigation when a user searches for low FPS in games, so I'll mark this as fixed.

crichardsgy commented 2 weeks ago

Actually it is quite easy to find, you enable sys call logging in the trace log options and activate the resource access monitor then switch it to Monitor not trace mode this gives you a list of all used syscalls and you can sort it by how often they are used.

Oh great, I've been meaning to get around to learning how to use the trace log. One thing though, I'm trying to follow your steps of testing cyberpunk to see if I could find the calls you mentioned. However when I filter for Type: SysCall in the monitor mode log and run the in-game benchmark nothing shows up. Lots of IPC, File, and Key entries show up though. Is there anything specific you did? Thanks

DavidXanatos commented 2 weeks ago

you need to go to the advanced box option page there to the trace tab and enable syscall tracing

crichardsgy commented 2 weeks ago

you need to go to the advanced box option page there to the trace tab and enable syscall tracing

Is it normal for WerFault.exe to open and the program to not open when that's enabled?

crichardsgy commented 2 weeks ago

Happens for me when opening any program with the option enabled. Also happening on a fresh install of Sandboxie 1.14.1 and 1.13.7 in Windows Sandbox

shearercole commented 10 hours ago

you need to go to the advanced box option page there to the trace tab and enable syscall tracing

Is it normal for WerFault.exe to open and the program to not open when that's enabled?

On 64-bit SBIE 1.13.7, I got the same WER faults just by opening any program (standard sandbox on Win10 22H2 10.0.19045.4412).

Steps to reproduce

  1. Terminate all programs in the sandbox.
  2. Enable Syscall tracing in the sandbox's advanced options.
  3. From View->Trace Logging, turn that option on or off; it doesn't matter.
  4. Right-click sandbox->Run & start any program, like Explorer or Cmd Prompt.
  5. Witness WER faults.
Name                 Process ID   Title   Status      Info       Path / Command Line
SandboxieRpcSs.exe   9688                 Suspended   21:49:32   "C:\Program Files\Sandboxie-Plus\SandboxieRpcSs.exe"
  WerFault.exe       12136                Running     21:49:32   C:\Windows\system32\WerFault.exe -u -p 9688 -s 112
Start.exe            11352                Suspended   21:49:32   "C:\Program Files\Sandboxie-Plus\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Sandboxie-Plus" /env:=Refresh explorer.exe /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  WerFault.exe       9816                 Running     21:49:32   C:\Windows\system32\WerFault.exe -u -p 11352 -s 112

Time                      Message
05.07.2024 21:44:34.459   WerFault.exe: SBIE2204 Cannot start sandboxed service RpcSs (C0000409)
05.07.2024 21:44:34.473   WerFault.exe: SBIE2204 Cannot start sandboxed service DcomLaunch (-4)
05.07.2024 21:50:02.299   WerFault.exe: SBIE2204 Cannot start sandboxed service RpcSs (-1)