Some questions about Sandoxie(-Plus) force file/folder exceptions

[Nick768]

Hello,

first of all some things about my setup: I use a convertible with Windows 10 x64 build 19041.1 and Sandboxie-Plus v0.7.4 in portable mode on D: partition. Sandboxie is configured to run everything from desktop, download folder, removable devices and every other place which isn't C:\Windows in a Sandbox. This configuration isn't very nice, because on C: drive I had to assign every single folder to a sandbox. I have some Realtek programs in C:\program files which run sandboxed too and create lots of "service not implemented" errors. That can't be my solution. Now the question is: Is there a way to tell Sandboxie, that this specific folders in C:\program files shouldn't be sandboxed; something like an exception? I've noticed that I can force a folder a to run in Sandbox 1 and force a subfolder of a to run in sandbox 2 if sandbox 1 is below sandbox 2 in sanboxie.ini... I thought of making a sandbox without any restriction and add these folders to this sandbox, but the problem is the same. Am I missing some configs or isn't there a way to configure it this way? In my tests I found out that the installation directory of Sandboxie can't be sandboxed at all. If I force this folder to be in a sandbox, every file in this folder does run unsandboxed (as expected). Therefore it should be possible to have exceptions at all, or not? If it is useful i could attach my sandboxie.ini file...

Best regards Nick768

[macruspareto]

Now the question is: Is there a way to tell Sandboxie, that this specific folders in C:\program >> files shouldn't be sandboxed; something like an exception?

If I get your question correctly, you'd want a direct access to specified directories?

Try "Sandbox Options" - "Resource Access" - "Add File/Folder" - and set the "Direct" flag.

Is that what you wanted?

[Nick768]

Thanks for your response. I will give this option a try. Actually my question was related to exceptions. I want to sandbox my whole C drive with some exceptions. But I guess if I sandbox everything (through [Sandbox Options] -> [Forced Programs] option) and add direct access to C:\windows for example, there could be some trouble with "service not implemented" messages.

EDIT: While writing my response i've tried to set up a vm to test the direct access option, but it seems to behave exactly as expected: lots of errors when processes start from C:\windows folder. And when I reboot the vm, explorer (and perhaps the windows shell) is not able to start untill I change my settings to not force my whole C drive. Then i've tested a sandbox configuration with direct ressource access to everything and changed everything to be nearly not restrictive, but nothing changed... I think without exceptions for programs and folders it isn't possible to sandbox the C drive. But perhaps there are some settings which are only changeable through editing the .ini?

[macruspareto]

Nah, I guess you can't virtualize the whole C:\WINDOWS because other low-level drivers would compete with it for read-write permissions and system calls. (Thats more like a rootkit/bootkit when it gets loaded the very earliest and has full control of the OS) ....

But if you find the way, pls share your thoughts!

[Nick768]

That's the reason I wanted to add an exceptions for C:\windows ;-). I know that I can't virtualize my C:\windows directory. Therefore I want to virtualize my whole C: drive, except my windows directory... Of course I will give an explanation if I find a way, but I guess there is no way yet. But I found out that the installation directory of Sandboxie(-Plus) is never forced to be virtualized. If you try to force the Sandboxie directory, Sandboxie ignores it and doesn't virtualize this directory.