sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Unable to run some apps as Administrator when they use WebView2 #4349

Open MisakaMikoto-35c5 opened 2 weeks ago

MisakaMikoto-35c5 commented 2 weeks ago

Describe what you noticed and did

  1. Download this sample: https://github.com/MicrosoftEdge/WebView2Samples/releases/tag/1.0.902-prerelease
  2. Execute WebView2APISample.exe as a non-privileged user
  3. You can see the web page is loaded successfully
  4. Right-click WebView2APISample.exe, and select "Run as Administrator"
  5. The program prompts me: Failed to create webview: 0x80070490

How often did you encounter it so far?

No response

Expected behavior

The web page loads

Affected program

Any program that uses WebView2

Download link

https://github.com/MicrosoftEdge/WebView2Samples/releases/tag/1.0.902-prerelease

Where is the program located?

Not relevant to my request.

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

Sandboxie Plus 1.14.10

Is it a new installation of Sandboxie?

I have been using the same version for some time.

Is it a regression from previous versions?

No response

In which sandbox type do you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Windows 11 23H2 Enterprise

In which Windows account do you have this problem?

A Microsoft account (Administrator).

Please mention any installed security software

Microsoft Defender

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

No response

Sandboxie.ini configuration

[GlobalSettings]
Template=7zipShellEx
Template=Edge_Fix
Template=NotepadPlusPlus_fix
Template=OfficeClickToRun
Template=OfficeLicensing
Template=Proxifier
Template=WindowsLive
Template=WindowsRasMan
DefaultBox=DefaultBox
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
NetworkEnableWFP=y

[UserSettings_08DA01C0]
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
SbieCtrl_EnableAutoStart=y

[DefaultBox]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00ffff,ttl,6
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
AutoDelete=y
DropAdminRights=n
FakeAdminRights=n
ExternalManifestHack=msedgewebview2.exe,y

offhub commented 2 weeks ago

https://github.com/MicrosoftEdge/WebView2Feedback/discussions/3997#discussioncomment-7244453

MisakaMikoto-35c5 commented 2 weeks ago

MicrosoftEdge/WebView2Feedback#3997 (comment)

I see. Does Sandboxie provide any option to disable admin rights for a specific exe file? When I install SolidWorks 2024, admin rights are required by the installer, but that seems to conflict with WebView2.

offhub commented 2 weeks ago

> Does Sandboxie provide any option to disable admin rights for a specific exe file?

Sandboxie doesn’t offer an option to DropAdminRights for specific executable files. If it's not an issue encountered during installation, you can try running it without admin rights after the installation is complete.

MisakaMikoto-35c5 commented 2 weeks ago

No, this issue is encountered during installation. I have tested running WebView2APISample.exe as Administrator outside of the sandbox and it also works, so I guess maybe EdgeWebView2 will try to revoke admin rights by itself when admin privilege is detected, but Sandboxie has something that hinders this step?

DavidXanatos commented 5 days ago

> > Does Sandboxie provide any option to disable admin rights for a specific exe file?
>
> Sandboxie doesn’t offer an option to DropAdminRights for specific executable files. If it's not an issue encountered during installation, you can try running it without admin rights after the installation is complete.

That is not quite right: you can use DropAdminRights=program.exe,y to specify this setting per application. You could try this.

offhub commented 5 days ago

> That is not quite right: you can use DropAdminRights=program.exe,y to specify this setting per application. You could try this.

You're right, I hadn't looked into it in detail because it shows as "elevated" in the interface. Upon reviewing the tokens, it seems that it drops the admin group when it's set.
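
The last comment separates what the interface reports from what the process token contains. One way to inspect the token directly, as an added example that is not part of the thread or of Sandboxie's own code: the function name `Get-AdminGroupState` is hypothetical, and the script relies only on the built-in `whoami` tool and .NET classes.

```powershell
# Added example: report how BUILTIN\Administrators appears in the token of the
# current process. Run it from a shell started inside the sandbox in the same
# way as the program under test (for example via "Run as Administrator").
function Get-AdminGroupState {
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    # /nh drops the localized header row, so the column names are set here.
    $rows = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header 'Name', 'Type', 'SID', 'Attributes'

    $entry = $rows | Where-Object { $_.SID -eq $adminSid }
    # The mandatory integrity label is listed as a group with an S-1-16-* SID.
    $label = $rows | Where-Object { $_.SID -like 'S-1-16-*' }

    # IsInRole is true only when the group is present AND enabled in the
    # token; a deny-only or removed Administrators group yields false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $enabled   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    $state = if ($enabled) { 'enabled' }
             elseif ($entry) { 'listed but not enabled (e.g. deny-only)' }
             else { 'absent from token' }

    [pscustomobject]@{
        AdministratorsGroup = $state
        Attributes          = $entry.Attributes   # localized text from whoami
        IntegrityLabel      = $label.Name
    }
}

Get-AdminGroupState | Format-List
```

Comparing the output with and without a `DropAdminRights` line for the process shows whether the setting changed the token, independent of what the interface displays.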