mina7601 Posted August 11, 2024

13 hours ago, Multibooter said:
> Thanks, I had forgotten about the size 2MB limitation. I am also reducing the size of the screenshots to be uploaded.

You're welcome. Yeah, the limitation is the reason why I upload to an external site instead. I mainly use https://imgbb.com for that purpose.

Guest Posted August 12, 2024 (edited)

On 8/5/2024 at 10:08 PM, Multibooter said:
> Sandboxie - Compatibility (operating systems and CPU)
> The following are the last versions of Sandboxie working OK under:
> Windows XP SP2 and SP3 - SSE2 CPU (Pentium 4, AMD Athlon 64, Intel Atom, all x64-capable CPUs, and later)
> Sandboxie v5.40 (9Apr2020)
> Windows XP SP2 and SP3 - SSE-only CPU (Pentium 3)
> Sandboxie v5.22 (30Oct2017)
> Windows XP x64 - ??
> Windows Vista 32bit - ??
> Windows Vista 64bit - ??
> It is unclear which version of Sandboxie is the last/best version to run under Windows Vista.

I had missed this topic. The latest version compatible with Windows Vista x64 is:

[0.4.3 / 5.43.7] - 2020-11-03

So the Classic version of interest in this thread is: 5.43.7

You can verify it from the Changelog:
https://github.com/sandboxie-plus/Sandboxie/blob/master/CHANGELOG.md

Quote
> [0.4.4 / 5.44.0] - 2020-11-03
> Added
> added SbieLdr (experimental)
> Changed
> moved code injection mechanism from SbieSvc to SbieDll
> moved function hooking mechanism from SbieDrv to SbieDll
> introduced a new driverless method to resolve wow64 ntdll base address
> Removed
> removed support for Windows Vista x64

_______________________________________________________________________________________________

It is certain that SBIE 5.22 works in Windows Vista SP2 x32. You can check it here:
https://sandboxie-plus.github.io/sandboxie-docs/Content/FrequentlyAskedQuestions/

Quote
> What are the requirements to run Sandboxie?
> Sandboxie works on
> Windows XP SP3 (Up until Sandboxie 5.22 and solely in v5.40)
> Windows Vista SP2 (Up until Sandboxie 5.22)

Edited August 12, 2024 by Sampei.Nihira

Multibooter (Author) Posted August 12, 2024 (edited)

19 hours ago, Sampei.Nihira said:
> The latest version compatible with Windows Vista x64 is.
> [0.4.3 / 5.43.7] - 2020-11-03
> So the Classic version of interest in this thread is: 5.43.7
> you can verify it from the Changelog: https://github.com/sandboxie-plus/Sandboxie/blob/master/CHANGELOG.md
> _______________________________________________________________________________________________
> It is certain that SBIE 5.22 works in Windows Vista SP2 x32
> you can check it here: https://sandboxie-plus.github.io/sandboxie-docs/Content/FrequentlyAskedQuestions/

The information about the last version of Sandboxie for Windows Vista 32bit and 64bit is contradictory.

1) David Xanatos has indicated in his changelog for v5.44 of 3Nov2020, as you noted correctly: "removed support for Windows Vista x64". I initially also assumed that the preceding build, v5.43.7 (3Nov2020) was the last version working OK under Windows Vista x64. Windows Vista 32bit is not mentioned in the changelog.
https://github.com/sandboxie-plus/Sandboxie/releases?page=16

BUT: When I test-ran the subsequent v5.44 installer under WinXP I got the following err msg:

Maybe David Xanatos wanted to indicate in the changelog that he wasn't supporting Vista after v5.43.7 anymore? Or did he just forget to remove "Vista" from the err msg? The last build where the installer err msg displays "Windows Vista" is v5.64.1 Classic, v5.64.2 does not display Vista anymore.

2) WinClient5270 indicated in his topic https://msfn.org/board/topic/175262-last-versions-of-software-for-windows-vista-and-windows-server-2008/ the last version for Windows Vista is "Sandboxie 5.33 (FREE, CS, UNS) Download here" "List (valid as of Oct. 9, 2022 [i.e. 2 years after the changelog posting above for v5.43.7 by David Xanatos])", "[Unsupported UNS - Not officially supported on Vista, but still works]"

3) David Xanatos also indicated the requirements to run Sandboxie: "Windows XP SP3 (Up until Sandboxie 5.22 and solely in v5.40) Windows Vista SP2 (Up until Sandboxie 5.22)" https://sandboxie-plus.com/sandboxie/frequentlyaskedquestions/
Does the not-mentioning of v5.40 for Vista mean that v5.22 is the last version for Vista?

Wikipedia indicates "Windows XP SP3 and Windows Vista SP2 were supported [=by Sophos] up to version 5.22, after which their support [=by Sophos] was dropped." https://en.wikipedia.org/wiki/Sandboxie

v5.22? v5.33? v5.43.7? v5.64.1? or maybe v5.40.1 [the corrected 32bit and 64bit versions, not the special XP version v5.40]? for both Vista 32bit and 64bit?

Unfortunately, I don't have Windows Vista on my computers (yet). Do we have any users of Sandboxie under Vista? As I mentioned at the beginning of this topic "Postings about Sandboxie under other older operating systems (e.g. Windows Vista) are also welcome."

Edited August 13, 2024 by Multibooter

modnar Posted August 13, 2024

Just a quick comment on Kaspersky - never run 2 instances (same or different) of antivirus or firewall on one machine. Kaspersky AV is already bogging down the PC with so many mini-filter drivers it's running.

Guest Posted August 13, 2024

16 hours ago, Multibooter said:
> The information about the last version of Sandboxie for Windows Vista 32bit and 64bit is contradictory.
>
> 1) David Xanatos has indicated in his changelog for v5.44 of 3Nov2020, as you noted correctly: "removed support for Windows Vista x64". I initially also assumed that the preceding build, v5.43.7 (3Nov2020) was the last version working OK under Windows Vista x64. Windows Vista 32bit is not mentioned in the changelog.
> https://github.com/sandboxie-plus/Sandboxie/releases?page=16
>
> BUT: When I test-ran the subsequent v5.44 installer under WinXP I got the following err msg:
>
> Maybe David Xanatos wanted to indicate in the changelog that he wasn't supporting Vista after v5.43.7 anymore? Or did he just forget to remove "Vista" from the err msg? The last build where the installer err msg displays "Windows Vista" is v5.64.1 Classic, v5.64.2 does not display Vista anymore.
>
> 2) WinClient5270 indicated in his topic https://msfn.org/board/topic/175262-last-versions-of-software-for-windows-vista-and-windows-server-2008/ the last version for Windows Vista is "Sandboxie 5.33 (FREE, CS, UNS) Download here" "List (valid as of Oct. 9, 2022 [i.e. 2 years after the changelog posting above for v5.43.7 by David Xanatos])", "[Unsupported UNS - Not officially supported on Vista, but still works]"
>
> 3) David Xanatos also indicated the requirements to run Sandboxie: "Windows XP SP3 (Up until Sandboxie 5.22 and solely in v5.40) Windows Vista SP2 (Up until Sandboxie 5.22)" https://sandboxie-plus.com/sandboxie/frequentlyaskedquestions/
> Does the not-mentioning of v5.40 for Vista mean that v5.22 is the last version for Vista?
>
> Wikipedia indicates "Windows XP SP3 and Windows Vista SP2 were supported [=by Sophos] up to version 5.22, after which their support [=by Sophos] was dropped." https://en.wikipedia.org/wiki/Sandboxie
>
> v5.22? v5.33? v5.43.7? v5.64.1? or maybe v5.40.1 [the corrected 32bit and 64bit versions, not the special XP version v5.40]? for both Vista 32bit and 64bit?
>
> Unfortunately, I don't have Windows Vista on my computers (yet). Do we have any users of Sandboxie under Vista? As I mentioned at the beginning of this topic "Postings about Sandboxie under other older operating systems (e.g. Windows Vista) are also welcome."

Yes. A forum member using Vista is required. Probably better Vista x32.

It would also be interesting to see if SBIE works with r3dfox:
https://github.com/Eclipse-Community/r3dfox/releases/tag/v129.0-4
Which in the x32 version has no sandbox.

Multibooter (Author) Posted August 14, 2024 (edited)

16 hours ago, Sampei.Nihira said:
> A forum member using Vista is required. Probably better Vista x32.

Here are some good sites for downloading old versions of Sandboxie:

https://web.archive.org/web/20170601000000*/http://www.sandboxie.com:80/SandboxieInstall.exe [best, only combined 32+64bit versions]
https://web.archive.org/web/*/https://www.sandboxie.com/attic/* [32bit, 64bit and combined versions]
https://sandboxie-website-archive.github.io/www.sandboxie.com/AllVersions.html [seems to be the same as https://web.archive.org/web/20200310035403/https://www.sandboxie.com/AllVersions ]

Maybe this helps in identifying the last good versions for various old operating systems.

Edited August 14, 2024 by Multibooter

Multibooter (Author) Posted August 22, 2024 (edited)

On 8/13/2024 at 9:35 AM, modnar said:
> Just a quick comment on Kaspersky - never run 2 instances (same or different) of antivirus or firewall on one machine. Kaspersky AV is already bogging down the PC with so many mini-filter drivers it's running.

Yes, running 2 instances of Kaspersky simultaneously was for experimenting.

I have, for example, also experimented with Registry Trash Keys Finder and ran v3.9.2 and v3.9.4 simultaneously in 2 different sandboxes of Sandboxie v5.40, side-by-side. The purpose of running the 2 versions side-by-side was to compare v3.9.2 vs v3.9.4, because the two versions indicate a slightly different number of trash keys when run normally (i.e. outside of a sandbox).

By chance I noticed that v3.9.4, when run normally (i.e. outside of a sandbox), displays 167 trash keys (see bottom left corner of screenshot), but when the same v3.9.4 is run in my Default sandbox 210 trash keys are displayed. Maybe the additional trash keys in the Default sandbox were leftovers of previous test-runs in the Default sandbox. These additional trash keys in the Default sandbox show that it may be useful to empty a sandbox. When run in a 2nd, rarely used sandbox, 168 trash keys were displayed.

[The screenshots of Registry Trash Keys Finder were deleted, to make space for other image uploads. The posting with the screenshots, before the images were deleted, can be viewed at http://web.archive.org/web/20240904132535/https://msfn.org/board/topic/186405-sandboxie-under-windows-xp/page/3/#comments ]

Edited September 4, 2024 by Multibooter

Multibooter (Author) Posted August 24, 2024 (edited)

Registry Trash Keys Finder is a tool which can find registry entries left behind after the un-installation of a program. Some programs, e.g. Total Uninstall, leave flags behind to make the re-installation of the same build past the trial period more difficult. Registry Trash Keys Finder also lists MUICache entries.

Where did all these trash keys come from? About 43 trash keys (=210 minus 167) were MUICache log entries created in the sandbox when I was test-running sandboxed 43 different .exe files. For each .exe file run in a sandbox, Windows creates a MUICache entry in the sandbox. Running these 43 .exe files in a sandbox did not leave trails and junk in the normal registry.

One of the uses of Sandboxie is to avoid trails and bloating of the registry with MUICache log entries. When Registry Trash Keys Finder is run in a particular sandbox, it can quickly list the .exe files which were run in the sandbox, until the sandbox is deleted.

[The screenshot was deleted, see note above]

Edited September 4, 2024 by Multibooter

Guest Posted August 24, 2024 (edited)

Usually we are led to believe that the virtual sandbox environment, applied to the browser and/or e-mail client, protects against everything. It doesn't.

Phishing that is usually carried out through social engineering is unprotected by the virtual sandbox environment.

Modern malware, which today has only one purpose, the theft of sensitive data, remaining as invisible as possible in the PC, can be eliminated when the sandbox is closed, but this does not mean that the theft of some sensitive data has already taken place, obviously if it is present in the PC.

Edited August 24, 2024 by Sampei.Nihira

dmiranda Posted August 25, 2024 (edited)

Hi @Multibooter, thanks for this thread.

It's maybe a placebo thing, but I feel mypal68 and serpent52 (both with e10s) run more stably in a sandbox than without it. I still grant them access to my RAM profiles and usual download places, and sandboxie (restrictions-start/run access) allows me to approve specific programs to run (pdf printer, batch files I use to build my profiles, etc) them.

With the settings posted by @XP++ AND the reg files suggested in the first post by you and @modnar (including reboot) I can run supermium fine (I agree in that granting IPC access is a big no, but that is the case running said program without a sandbox, anyway). In my case, the reason why the chrome sandbox remains active is because chrome.exe keeps running after closing the browser, and then two core sandboxie items remain active, even after killing chrome.exe (I do it through a batch file).

Cheers!

Edited August 25, 2024 by dmiranda update

dmiranda Posted August 25, 2024 (edited)

I confirm mui cache is touched, sandboxie no matter. To see what else is touched I will later on test with RegistryChangesView and update this post.

I tested a few programs, but beyond mui cache, couldn't find anything else. I wonder what causes this (and if there may be other registry items that can be touched).

In terms of causes, configuring sandboxie [GlobalSettings] automatically asks you if you want to grant access to stuff like virtuawin, 7zipShellEx, fontchache, LogitechSetPoint and similar processes that may touch on every windows process. Of those, 7zipShellEx and fontchache have direct IPC access (if you said yes to the previous question) and virtuawin, strokeit and others have IPC Windows Access [by the way, I see here a strange [#] item I can't recognize and will get rid of to see what breaks or doesn't].

For my use I have set up a mozilla sandbox that, after granting access to apps I do use in normal browsing and profile manipulation, works fine (in fact, more stably than out of the sandbox as per my perception), except for the openwith extension when trying to connect to chrome, which I run in a separate sandbox. That is cool to me, but may be an inconvenience to others. I have finally a generic restrictive sandbox to test new versions of already tried software - for trying new stuff I always use a VM.

Overall, it is a great addition. It ain't perfect, but surely reduces attack surface.

Cheers again.

Edited August 27, 2024 by dmiranda

modnar Posted August 27, 2024 (edited)

An update regarding SCSI Class from GroupOrderList - turns out that the shorter version for this group can be added, works just fine (programs with minifilters, e.g. Diskeeper may need to be reinstalled after this change - I have observed Serpent 52.9 browser throwing errors of "mozjs.dll" on videocardz.com which is typical of filter traffic conflicts - after DK12 reinstall - not anymore).

Update: Removed the file - shortened version is not good overall - in some situations it may cause slight $Secure:$SDS metadata fragmentation. It's either factory (03 01 02 03) or the long version all 45 entries (2d 01 02...2c 2d) but the long ver. is not necessary.

While SbieDrv Group setting "File system" is mentioned in Sandboxie source it is not needed for normal XP filesystem (without edits of CCS/Control/FileSystem). File also deleted.

Edited March 7 by modnar Update

modnar Posted August 30, 2024 (edited)

The most important update for FltMgr (minifilter manager) that got updated with XP SP3 (from SP2 when it was introduced to Windows XP), this is the driver that all minifilters talk to in order to reach the system/kernel.

Thing is that when introduced FltMgr (service) had a "Tag" of 4, however when XPSP3 was introduced they changed its "Tag" value to 1. The fine folks at M$ of course did not delete 04 00 00 00 from FSFilter_Infrastructure GroupOrderList entry so it would look as 03 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 (as all other unused minifilter entries or for use with Tag of 1).

Turns out this "small" mistake was the reason for funky behaviour/disk traffic slowdowns that are especially felt when Diskeeper 12 (the best and the last version for XP) is used with WinXP (SP3). Not because DK12 is the problem but being that precise it pointed out that GroupOrderList was flawed.

So here I am attaching the most important fix/.reg file for the whole minifilter mechanism that especially shows when you use 4k (modern) HDD's and SSD's with WindowsXP SP3. Consistent good results at long last.

GroupOrderList_FSFilter_Infrastructure_03_XP_USP4.reg

Edited August 30, 2024 by modnar

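Added example, not part of modnar's post or of the attached .reg file: a small decoder for a GroupOrderList value, for checking where a service's "Tag" sits before and after importing such a fix. It assumes the usual layout of these REG_BINARY values (a little-endian DWORD count followed by that many DWORD tags in load order); the function names are hypothetical, and the second sample value is constructed for illustration, not read from an XP system.

```python
import struct

def parse_hex(text):
    """Turn '03 00 00 00 ...' or .reg-style 'hex:03,00,...' text into bytes."""
    body = text.strip()
    if body.lower().startswith("hex:"):
        body = body[4:]
    # .reg files separate bytes with commas and continue lines with a backslash
    for sep in (",", "\\"):
        body = body.replace(sep, " ")
    return bytes(int(tok, 16) for tok in body.split())

def decode_group_order(raw):
    """Return (count, tags): first DWORD is the count, the rest are the tags."""
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("expected a whole number of little-endian DWORDs")
    count, *tags = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return count, tags

def audit(raw, service_tag):
    """Decode the value and report where service_tag sits in the load order."""
    count, tags = decode_group_order(raw)
    problems = []
    if count != len(tags):
        problems.append("count field says %d, value holds %d tags" % (count, len(tags)))
    if len(set(tags)) != len(tags):
        problems.append("duplicate tag in list")
    if service_tag in tags:
        position = tags.index(service_tag)  # 0 = first in the group
    else:
        position = None
        problems.append("tag %d is not in the list" % service_tag)
    return {"count": count, "tags": tags, "position": position, "problems": problems}

# Value quoted in the post above (the list with the 04 entry removed).
FIXED_FROM_POST = "03 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"
# Constructed sample in .reg syntax that still carries a tag 4 (illustration only).
CONSTRUCTED_WITH_TAG_4 = "hex:04,00,00,00,01,00,00,00,02,00,00,00,\\\n  03,00,00,00,04,00,00,00"

if __name__ == "__main__":
    for label, text, tag in (("fixed, Tag 1", FIXED_FROM_POST, 1),
                             ("constructed, Tag 4", CONSTRUCTED_WITH_TAG_4, 4)):
        print(label, audit(parse_hex(text), tag))
```

The text passed to parse_hex can be copied from an exported .reg file or from a hex dump of the value; the service's own Tag is the REG_DWORD under its Services key.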
modnar Posted September 4, 2024 (edited)

Primary disk is better left factory (05, as in newer Windows) - nothing problematic, just overall behaviour.

GroupOrderList_Primary_Disk_05_XP_USP4.reg

Edited September 11, 2024 by modnar update

Multibooter (Author) Posted September 5, 2024 (edited)

@modnar I have added your registry fixes to the download links near the beginning of this topic.

This posting incl. screenshots was archived at http://web.archive.org/web/20240909175949/https://msfn.org/board/topic/186405-sandboxie-under-windows-xp/page/3/
The screenshots in this posting were subsequently deleted, to preserve image posting space - 9Sep2024

I have also tested both of your SCSI fixes (initial and revised) with two different SCSI devices under Sandboxie v5.22 on an old Inspiron 7500 laptop (650MHz Pentium 3, SSE-only, 512MB RAM).

SCSI device 1: an Iomega 1GB jaz drive, connected with an Adaptec 1480 SCSI CardBus PC Card
SCSI device 2: a 2TB laptop HDD, WD20 SPZX 5400 rpm SATA, inside an eSATA+USB 2.0 Sharkoon docking station connected via eSATA to an eSATA PC Card

The test results of the two SCSI fixes (I refer only to the SCSI fixes!) were a big surprise:

1) The Iomega SCSI jaz drive actually performed slower with your SCSI fixes than without the fixes, against all logical expectations.

Without a SCSI fix: 13:34 mins
With the initial SCSI fix: 13:53 mins [GroupOrderList_SCSI_Class_2d_XP_USP4.reg]
With the revised SCSI fix: 15:06 mins [GroupOrderList_SCSI_Class_03-2d_XP_USP4.reg]

[Screenshots: without a SCSI fix; with the revised SCSI fix]

2) The second SCSI device (the 2TB SATA HDD connected via an eSATA card), on the other hand, performed faster with the revised SCSI fix, as expected.

Without a SCSI fix: 15:02 mins
With the initial SCSI fix: 15:58 mins
With the revised SCSI fix: 13:55 mins [subsequent 2nd attempt with the revised SCSI fix: 13:16 mins]

Given these contradictory test results, the speed improvements of the SCSI fixes seem to depend on the specific SCSI devices used.

What is also interesting is that the virus-checking was faster on an old Jaz drive+Adaptec 1480 SCSI PC Card (13:34 mins) than on a more recent 5400 rpm SATA HDD+eSATA PC Card (15:02 mins). Tentative explanation: Kaspersky Anti-Virus had signaled several read errors on the initial test attempts with the old Jaz drive, but after repeating the test 2 or 3 times, no more read errors were signaled by Kaspersky Anti-Virus.

Also interesting is the substantial time difference when repeating a test with the same SCSI fix, e.g. repeating the test with the revised SCSI fix (13:55 mins with the 1st attempt, 13:16 mins with the 2nd attempt), under identical conditions. No idea whether the time difference was caused by Sandboxie, by Kaspersky Anti-Virus, or by something cached outside of the sandbox.

Below is the methodology used for the tests:

A sample of 10 infected files, on two different SCSI devices, was virus-checked with my sandboxed ancient version of Kaspersky. Six virus-checks were made, on two different SCSI devices, without a SCSI fix, with the initial SCSI fix and with the revised SCSI fix. The time required by the virus-checks indicates the efficiency gained when running a sandboxed program with modnar's SCSI fixes.

Step 1) Creation of sandbox "Kaspersky"
I had installed my ancient version of Kaspersky into a new sandbox called "Kaspersky" [i.e. -> right-click on the installer .exe -> Run Sandboxed -> select the previously created, empty sandbox "Kaspersky"]

Step 2) After the installation and customization of my ancient version of Kaspersky I created in the Sandboxie Control Panel a desktop shortcut to
I:\Sandboxie\Start.exe /box:Kaspersky "I:\Documents and Settings\All Users\Start Menu\Programs\...lnk

Step 3) I then ran Kaspersky with this shortcut into the sandbox and updated Kaspersky Anti-Virus online

Step 4) In the sandbox folder M:\Sandbox\ I created a copy of the sandbox M:\Sandbox\Kaspersky\ and renamed it to \Kaspersky_ori\

Step 5) I then ran the sandboxed Kaspersky Anti-Virus on the sandboxed sample of 10 infected files.

Step 5 was repeated for the six combinations of two SCSI devices with/without SCSI fix. After each test run I deleted the previously used sandbox \Kaspersky\ and then restored the original sandbox by copying \Kaspersky_ori\ to \Kaspersky\. The reason for restoring the original sandbox \Kaspersky\ before the next test was that Sandboxie would create a copy of the infected files, log files, registry entries etc in the sandbox \Kaspersky\ during the running of sandboxed Kaspersky Anti-Virus. In other words, each of the 6 efficiency tests of modnar's SCSI fixes started in an identical sandbox \Kaspersky\

Edited September 9, 2024 by Multibooter