Posted

Sandboxie is a must-have utility with many security and non-security uses. This topic will focus on the compatibility and the uses of Sandboxie under WinXP. Postings about Sandboxie under other older operating systems (e.g. Windows Vista) are also welcome.

Download links:
1) Windows XP 32bit (SP2 and SP3), SSE2
Sandboxie v5.40 (WinXP, SSE2, 9Apr2020) is the last version for Windows XP 32bit (SP2 and SP3), SSE2. It can be downloaded from:
https://github.com/sandboxie-plus/Sandboxie/releases/download/v5.40/SandboxieInstall32_xp.exe
v5.40 is freeware and was created by David Xanatos, based on the source code of v5.40 released by Sophos.
v5.40 does not require registration or activation.

v5.40 (9Apr2020) is of special interest because many Windows XP users may think that v5.22 (30Oct2017) is the last version of Sandboxie for Windows XP, maybe based on the info at Wikipedia:
"Windows XP SP3 and Windows Vista SP2 were supported [=by Sophos] up to version 5.22, after which their support [=by Sophos] was dropped."
https://en.wikipedia.org/wiki/Sandboxie

The subsequent developer David Xanatos, however, had created in April 2020 the above special edition v5.40 for Windows XP, which is a little gem.

v5.40 by David Xanatos works great under Windows XP (32-bit) on computers with an SSE2 CPU (= Pentium 4 and higher). Do NOT attempt to install v5.40 on an SSE-only CPU (e.g. Pentium 3).

2) Windows XP SP2 and SP3, SSE-only
Sandboxie v5.22 (30Oct2017) is the last version for Windows XP SP2 and SP3, SSE-only (e.g. Pentium 3).
32-bit installer: https://web.archive.org/web/20180107162521if_/https://www.sandboxie.com/attic/SandboxieInstall32-522.exe
32+64-bit-installer [but not for Windows XP x64]: https://web.archive.org/web/20171109032037if_/https://www.sandboxie.com/SandboxieInstall.exe
64-bit installer: https://web.archive.org/web/20180107162355if_/https://www.sandboxie.com/attic/SandboxieInstall64-522.exe

v5.22 is a limited trial version by Sophos, with the following limitations of the trial version:
  - it does not expire, but a nag screen will appear after 30 days
  - you may create several sandboxes, but you cannot use several sandboxes at the same time
  - you cannot use the Forced Programs and Forced Folders features
  - registration was for a time-limited subscription, requiring re-activation
  - you cannot register or activate v5.22 at Sophos anymore


Posted (edited)

Sandboxie - Compatibility (operating systems and CPU)

The following are the last versions of Sandboxie working OK under:
Windows XP SP2 and SP3 - SSE2 CPU (Pentium 4, AMD Athlon 64, Intel Atom, all x64-capable CPUs, and later)
Sandboxie v5.40 (9Apr2020)

Windows XP SP2 and SP3 - SSE-only CPU (Pentium 3)
Sandboxie v5.22 (30Oct2017)

Windows XP x64 - ??

Windows Vista 32bit - ??

Windows Vista 64bit - ??

It is unclear which version of Sandboxie is the last/best version to run under Windows Vista.

Edited by Multibooter
Posted (edited)

Sandboxie - Compatibility (applications)

The following applications do NOT run OK in a sandbox under Windows XP:

1) 360Chrome 86 v13.5.1030 by NotHereToPlayGames [SSE2] loads very slowly and the websites appear strange

The following applications require special settings in Sandboxie:

1) Supermium 121 (2Feb2024) [SSE2] runs OK in a sandbox if all * IPC Access is granted to chrome.exe: in window Sandbox Settings -> Resource Access -> IPC Access -> click on Add Program button -> select chrome.exe -> OK -> click on Add button -> in msg window Add Resource Name: * This will create a big hole in the sandbox. Screenshots are in the posting by XP++ of 11Aug2024. [Without the * chrome.exe setting: red dots appear in the Sandboxie icon in the System Tray, then disappear]. ISSUE: After exiting Supermium the red dots remain in the Sandboxie icon in the System Tray.
The granting of * IPC Access to chrome.exe may be a workaround of an issue of Sandboxie v5.40, since the changelog of subsequent Sandboxie v5.43.6 indicates: "fixed chrome 86+ compatybility bug with chroms own sandbox" https://github.com/sandboxie-plus/Sandboxie/releases?page=16

The following applications run OK in a sandbox under Windows XP:
The minimum operating system and minimum CPU are indicated in parentheses.
The indicated application versions work OK in a sandbox,
but are not necessarily the last/best version to run OK in a sandbox.

- Mypal68 v68.14.0b by feodor2 (WinXP SP3, 32bit, SSE2)
- Mypal68 v68.13.8b by feodor2 (WinXP SP3, SSE-only)
- Serpent 52 by roytam1 (WinXP SP3, SSE-only)
- New Moon 28 by roytam1 [WinXP SP2, SSE-only]
- Tor Browser v7.5.6 [time and timezone must be set correctly, last version for WinXP, WinXP SP2, SSE-only]
- Firefox 45ESR

- Jasc Paint Shop Pro v7.04 (Anniversary Edition) [WinXP SP2, SSE-only]
- Foxit Phantom v2.2.3.1112 (WinXP SP2, SSE-only)
- Random House Webster's Unabridged Dictionary v3.0 [WinXP SP2, SSE-only]
- Registry Trash Keys Finder v3.9.2 and v3.9.4 (WinXP SP2, SSE-only [probably also Win98, not tested]) postings with screenshots are at http://web.archive.org/web/20240904132535/https://msfn.org/board/topic/186405-sandboxie-under-windows-xp/page/3/#comments

Edited by Multibooter
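
The "* IPC Access for chrome.exe" setting from the post above can be audited in the configuration file. This is an added example, not part of the original post or of Sandboxie itself. It assumes the IPC Access entries are stored as `OpenIpcPath=program.exe,pattern` lines in Sandboxie.ini; the sample configuration and the names `ExamplePort` and `ExampleObject` are constructed.

```python
# Constructed Sandboxie.ini content (not taken from a real system).
SAMPLE_INI = "\n".join([
    "[DefaultBox]",
    "Enabled=y",
    "OpenIpcPath=chrome.exe,*",
    r"OpenIpcPath=\RPC Control\ExamplePort",
    "[TestBox]",
    "Enabled=y",
    r"OpenIpcPath=*\BaseNamedObjects*\ExampleObject",
])


def find_broad_ipc_grants(ini_text):
    """Return (box, program, pattern, line number) for every OpenIpcPath
    entry whose resource pattern is nothing but wildcards."""
    findings = []
    box = None
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            box = line[1:-1]          # start of a new sandbox section
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "openipcpath":
            continue
        # Optional "program.exe," prefix limits the grant to one program.
        program, comma, pattern = value.partition(",")
        if not comma:
            program, pattern = "(all programs)", value
        pattern = pattern.strip()
        if pattern and set(pattern) <= {"*"}:
            findings.append((box, program.strip(), pattern, lineno))
    return findings


if __name__ == "__main__":
    for box, program, pattern, lineno in find_broad_ipc_grants(SAMPLE_INI):
        print("line %d: [%s] %s may open every IPC object (%s)"
              % (lineno, box, program, pattern))
```

Sandboxie.ini on disk may be UTF-16 encoded, so decode it accordingly before passing the text to the function.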
Posted (edited)

Sandboxie - Uses (not security-related)

1) For test-installing software inside the sandbox folder, without modifying the remainder of the HDD. Programs like Total Uninstall could be used, but are more time-consuming for a test-install and may still leave stuff on the computer after uninstall. To get rid of a test-installed program, you only need to delete the content of the sandbox.

2) To run multiple instances of a program simultaneously, each instance in its own sandbox. In this way you can run a program simultaneously in 2 or more windows.

Examples: you can have a pdf program (e.g. Foxit Phantom) open in 2 or more windows at the same time, visually comparing 2 pdf files side-by-side (e.g. original vs translation, draft1 vs draft2, text1 vs text2 ), or viewing side-by-side various pages of the same pdf file.

You can have a Hex editor (e.g. Hex Workshop) open in 2 or more windows, for viewing different code sections of a file side-by-side.

(more uses and examples will be added)

Edited by Multibooter
Posted (edited)

Version history

up to v5.30: [Ronen Tzur, Invincea and Sophos, last capture on 23Apr2020]
https://web.archive.org/web/20200423140308/https://www.sandboxie.com/VersionChanges

from v5.40.1 onwards [David Xanatos]
https://github.com/xanasoft/Sandboxie-Plus/blob/master/CHANGELOG.md

Registry fixes by modnar for Sandboxie v5.22 and v5.40 (WinXP special edition):
1) Rename in registry HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv "DependsOnService" to "DependOnService" [no "s"]
2) Registry fixes to improve compatibility and efficiency, revised on 10Nov2024:

GroupOrderList_FSFilter_Infrastructure_03_XP_USP4.reg

GroupOrderList_Filter_07-0b_XP_USP4.reg

GroupOrderList_Primary_Disk_05_XP_USP4.reg

GroupOrderList_SCSI_Class_03-2d_XP_USP4.reg

NtfsDisableLastAccessUpdate_1.reg to reduce the stress on the disk.

Restart Windows after running the registry fixes.

Source - old versions
https://web.archive.org/web/20170601000000*/http://www.sandboxie.com:80/SandboxieInstall.exe [best, only combined 32+64bit versions]
https://web.archive.org/web/*/https://www.sandboxie.com/attic/* [32bit, 64bit and combined versions]
https://sandboxie-website-archive.github.io/www.sandboxie.com/AllVersions.html [seems to be the same as https://web.archive.org/web/20200310035403/https://www.sandboxie.com/AllVersions ]

Temporary postings:

 

Edited by Multibooter
Posted

My findings to add:

By default Sandboxie driver (HKLM/Sys/CurrCtrlSet/Services/sbiedrv) registry entry is flawed from way back when v4.20 was released - instead of "DependsOnService" it should have "DependOnService" (FltMgr) - I have contacted David Xanatos about it and he acknowledged my observation.

The second thing was observed in installing XP with harkaz's USP4 - again in registry - Control/GroupOrderList: for "Filter" group tags should go up to "0b" and not only "06", so 07 00 00 00, 08..., 09..., 0a..., 0b... should be added to that group or Sandboxie (at least 5.22) complains it cannot hook in its driver at system boot (with other minifilters installed, such as diskeeper's or perfectdisk's).

Tags (component load order monikers) are very important especially in older Windows systems - even if services containing them are not loaded.

The other group lacking mention in GroupOrderList is SCSI Class - should go up to 2d 00 00 00 because there is one driver containing such a Tag. While it may seem superficial, when Tag-problems are corrected, the whole system is much more responsive and also faster to boot.

This way Sandboxie functions very well in my install of XP_USP4 with Avast, Privatefirewall, SBie and Diskeeper12 (all programs that use low-level drivers with XP_SP3's limited fltmgr).
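
The GroupOrderList check described in the post above, as an added example that is not part of the original post and not the content of modnar's .reg files. It assumes the usual layout of a GroupOrderList value (a little-endian DWORD count followed by one DWORD per tag), so the count has to be raised together with any appended tags; the sample "Filter" value is constructed.

```python
import struct

# Constructed sample: a "Filter" value as a .reg export would show it,
# count 6 followed by tags 01..06 (not copied from a real system).
SAMPLE_FILTER = (
    '"Filter"=hex:06,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,00,00,\\\n'
    '  05,00,00,00,06,00,00,00'
)


def parse_reg_hex(entry):
    """Convert the hex: payload of a .reg REG_BINARY line into bytes."""
    payload = entry.split("hex:", 1)[1].replace("\\", "")
    return bytes(int(b, 16) for b in payload.split(",") if b.strip())


def parse_group_order(blob):
    """Split a GroupOrderList value into (declared count, list of tags)."""
    if len(blob) < 4 or len(blob) % 4:
        raise ValueError("value must be a whole number of DWORDs")
    count, *tags = struct.unpack("<%dI" % (len(blob) // 4), blob)
    return count, tags


def audit_group(blob, highest_tag):
    """Report which tags 1..highest_tag are absent from the listed tags."""
    count, tags = parse_group_order(blob)
    listed = tags[:count]             # only the declared entries are trusted
    missing = [t for t in range(1, highest_tag + 1) if t not in listed]
    return {"count": count, "count_matches": count == len(tags),
            "missing": missing}


def extend_group(blob, highest_tag):
    """Append the missing tags and rewrite the leading count to match."""
    count, tags = parse_group_order(blob)
    listed = tags[:count] + audit_group(blob, highest_tag)["missing"]
    return struct.pack("<%dI" % (len(listed) + 1), len(listed), *listed)


def to_reg_hex(blob):
    """Format bytes the way a .reg file writes a REG_BINARY value."""
    return "hex:" + ",".join("%02x" % b for b in blob)


if __name__ == "__main__":
    current = parse_reg_hex(SAMPLE_FILTER)
    print(audit_group(current, 0x0B))
    print(to_reg_hex(extend_group(current, 0x0B)))
```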

Posted (edited)
On 8/6/2024 at 8:42 AM, modnar said:

By default Sandboxie driver (HKLM/Sys/CurrCtrlSet/Services/sbiedrv) registry entry is flawed ... instead of "DependsOnService" it should have "DependOnService" (FltMgr) - I have contacted David Xanatos about it and he acknowledged my observation.

The second thing ... again in registry - Control/GroupOrderList: for "Filter" group tags should go up to "0b" and not only "06", so 07 00 00 00, 08..., 09..., 0a..., 0b... should be added to that group or Sandboxie (at least 5.22) complains it cannot hook in its driver at system boot (with other minifilters installed, such as diskeeper's or perfectdisk's).

Tags (component load order monikers) are very important especially in older Windows systems - even if services containing them are not loaded.

The other group lacking mention in GroupOrderList is SCSI Class - should go up to 2d 00 00 00 because there is one driver containing such a Tag. While it may seem superficial, when Tag-problems are corrected, the whole system is much more responsive and also faster to boot.

This way Sandboxie functions very well in my install of XP_USP4 with Avast, Privatefirewall, SBie and Diskeeper12 (all programs that use low-level drivers with XP_SP3's limited fltmgr).

Thanks for your suggestions.

1) I have changed the registry:
-> renamed in HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv the value from "DependsOnService" to "DependOnService" [no "s"]

2) I didn't quite get on what to change in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList for Filter and SCSI Class. Below are screen shots under WinXP SP3 of GroupOrderList on a desktop (SSE2 dual core, Sandboxie v5.40) and on my old Inspiron 7500 laptop (SSE-only Pentium 3, Sandboxie v5.22).

Could you upload a .reg patch or a screenshot with the recommended changes for Filter and SCSI Class for v5.22 and v5.40?

Sandboxie before registry fixes - GroupOrderList - Filter

Sandboxie v5.40 SSE2 on top

Sandboxie v5.22 SSE-only at bottom

[Pictures were deleted since problem was RESOLVED with registry fixes by modnar,
see under posting: Version history
Page with pictures was archived at
https://web.archive.org/web/20240808195712/https://msfn.org/board/topic/186405-sandboxie-under-windows-xp/#comments ]

 

 

 

Edited by Multibooter
Posted (edited)

Sandboxie before registry fixes - GroupOrderList - SCSI Class

Sandboxie v5.40 SSE2 on top

Sandboxie v5.22 SSE-only at bottom

[Pictures were deleted since problem was RESOLVED with registry fixes by modnar,
see under posting: Version history
Page with pictures was archived at
https://web.archive.org/web/20240808195712/https://msfn.org/board/topic/186405-sandboxie-under-windows-xp/#comments ]

 

 

Edited by Multibooter
Posted (edited)

Yes, I have been working with Tzuk on issues regarding SBIE security, not with Xanatos to whom you can ask direct questions in WSF.

In a Windows XP OS SBIE has significant limitations.
Those still using a FAT32 File System consider that SBIE has, like Chrome's sandbox, (and thus other Chromium-based forks as well) almost zero protective effectiveness.
TCP/IP socket protection is also almost nil.
Obviously, the most important limitation in the system is the absence of ILs (Integrity Levels), which contributes to stronger security.
ILs are obviously present in Operating Systems from Vista onward.

Consider that the sandbox has a robustness equal to that of the OS it relies on.
So in OSs where bugs are present, especially, at the Kernel level, exploitable with Exploit remotely, the sandbox can be bypassed:

https://www.cvedetails.com/version-list/26/739/1/Microsoft-Windows-Xp.html

https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-739/Microsoft-Windows-Xp.html

So my advice would be to use SBIE + an Anti-Exploit software.

 

https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/design/sandbox.md

 

Edited by Sampei.Nihira
Posted (edited)
1 hour ago, Sampei.Nihira said:

Yes, I have been working with Tzuk on issues regarding SBIE security, not with Xanatos to whom you can ask direct questions in WSF.

In a Windows XP OS SBIE has significant limitations.
Those still using a FAT32 File System consider that SBIE has, like Chrome's sandbox, (and thus other Chromium-based forks as well) almost zero protective effectiveness.
TCP/IP socket protection is also almost nil.
Obviously, the most important limitation in the system is the absence of ILs (Integrity Levels), which contributes to stronger security.
ILs are obviously present in Operating Systems from Vista onward.

Consider that the sandbox has a robustness equal to that of the OS it relies on.
So in OSs where bugs are present, especially, at the Kernel level, exploitable with Exploit remotely, the sandbox can be bypassed.

So my advice would be to use SBIE + an Anti-Exploit software.

 

https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/design/sandbox.md

 

Thanks for the info about issues of Sandboxie under WinXP and with FAT32. I have installed WinXP on a FAT32 partition :( for compatibility with Win98 and because I prefer the folder dates of FAT32 to the folder dates of NTFS.

My main security-related use of a sandbox is for checking out/test-running malware etc, to see whether it is really malware or something useful. Avast Antivirus 2015 v10.3.2225 Premium (28Jul2015) works OK under WinXP and SSE-only and has a HDD-based sandbox feature, i.e. no major RAM requirement. If you had to run malware under WinXP, with no Anti-Exploit software running in the background, would the Avast Antivirus 2015 sandbox be safer or the Sandboxie sandbox?

Edited by Multibooter
Posted (edited)

With the security limitations I have already outlined I assume with good probability (but for certainty would require testing perhaps in VM) that it would be better to use SBIE from Xanatos.
For 2 reasons.

  • It is more recently developed 
  • It relies on the original SBIE project by tzuk.

I personally always prefer specific software.
SBIE example over other softwares that incorporate features of SBIE as well.

:)

 

P.S.

If you can find the MBAE Build 1.13.1.257/8  it should (still ?) work well in Windows XP.
I remember that I had done some preview tests:

https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-159

On the other hand, I do not remember if there were some incompatibilities with SBIE (but it was obviously not the Xanatos version) and the browser I was using before........:dubbio:

Edited by Sampei.Nihira
Posted (edited)
3 hours ago, Sampei.Nihira said:

With the security limitations I have already outlined I assume with good probability (but for certainty would require testing perhaps in VM) that it would be better to use SBIE from Xanatos.
For 2 reasons.

  • It is more recently developed 
  • It relies on the original SBIE project by tzuk.

I personally always prefer specific software.
SBIE example over other softwares that incorporate features of SBIE as well.

Thanks for your tentative recommendation. It is very reasonable to assume that the sandbox of a specialized sandbox software is better than a sandbox added as another feature to a general anti-malware program. Also, Sandboxie v5.22 (by Sophos, last version for SSE-only) is of 30Oct2017 and Sandboxie v5.40 (by David Xanatos, SSE2) is of 9Apr2020, while Avast Antivirus 2015 v10.3.2225 Premium is of 28Jul2015.

The actual testing of the effective protection provided by a sandbox, by actually running a huge amount of infected files in the sandbox, looks like a major project.

Edited by Multibooter
Posted (edited)

Obviously I recommend in such cases the use of a VM.

SBIE might be of interest if you want to increase security in Windows XP when using a browser, such as MyPal 68, that lacks a sandbox.
Of course, it needs to be verified whether this works.
And for better performance it would be to convert the FS Fat32 to NTFS.

But this is my personal point of view.....you do not fall into my "trap" of influencing others with my ideas. :)

I wish you a good continuation of this thread of yours.:hello:

Edited by Sampei.Nihira
