MemProtect+SbieSvc

Moderator: Barb@Invincea

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

MemProtect+SbieSvc

Post by Syrinx » Thu Oct 27, 2016 2:38 pm

I've been testing MemProtect on my system and have finally isolated the cause of some lag I've noticed at times.

It seems to involve two security programs and one media player with a particular option selected.
The two security programs are Sandboxie 5.14 and MemProtect.
The other software is called GomPlayer, and disabling this option
Preferences > General > Display GOM icon in the notification area instead of in the taskbar.
prevents the lag, though I have no idea why, but at least I have a workaround for now.


The MemProtect.ini I used for my final tests was this:

Code: Select all

[#LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
[BLACKLIST]
[EOF]
The [#LETHAL] option means that it is not actually applying any blocking but is still evaluating, and with the [LOGGING] option it will add anything that would have been blocked to its log. In this case [DEFAULTALLOW] also means nothing would normally be blocked.

Therefore I can only assume that the potential conflict must be with the way one or the other program handles something as nothing is being blocked.

MemProtect works by using Protected Processes according to what I've read:
Protected Processes

Windows Vista introduces protected processes to enhance support for Digital Rights Management. The system restricts access to protected processes and the threads of protected processes.

The following standard access rights are not allowed from a process to a protected process:

DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER

The following specific access rights are not allowed from a process to a protected process:

PROCESS_ALL_ACCESS
PROCESS_CREATE_PROCESS
PROCESS_CREATE_THREAD
PROCESS_DUP_HANDLE
PROCESS_QUERY_INFORMATION
PROCESS_SET_INFORMATION
PROCESS_SET_QUOTA
PROCESS_VM_OPERATION
PROCESS_VM_READ
PROCESS_VM_WRITE

The PROCESS_QUERY_LIMITED_INFORMATION right was introduced to provide access to a subset of the information available through PROCESS_QUERY_INFORMATION.

As for the lag, it only occurs in GomPlayer with the option I spoke of before and particularly when the window of the player is being moved. The CPU spike happens in the primary (original/system) SbieSvc.exe [SbieSvc.exe+0x155f0 (5.14 x64)] which in turn seems to cause anything I currently have sandboxed to experience some very annoying lag as well.
SbieSvc.jpg
Procmon didn't help much and it shows 30k entries of the sbiesvc going in circles trying to access sbiesvc.exe and gom.exe

Code: Select all

2:11:26.1904004 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1904925 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1905105 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1906600 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1907314 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1907462 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1910086 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1911107 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1911323 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1913095 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1913986 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1914183 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1916025 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1916931 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1917128 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1918880 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1919782 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1919983 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1921879 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1922625 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1922778 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1924136 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1925001 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1925152 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1926634 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1927336 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1927489 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1928833 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1929528 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1929676 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1932147 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1933185 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1933387 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1935292 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1936667 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1936871 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1939131 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1940079 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1940280 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1942071 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1942977 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1943174 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1944958 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1945920 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1946139 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1947181 PM	SbieSvc.exe	588	CreateFile	C:\Program Files (x86)\GomPlayer\GOM.EXE	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1948522 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files (x86)\GomPlayer\GOM.EXE	SUCCESS	Name: \Program Files (x86)\GomPlayer\GOM.EXE
2:11:26.1948688 PM	SbieSvc.exe	588	CloseFile	C:\Program Files (x86)\GomPlayer\GOM.EXE	SUCCESS	
2:11:26.1950313 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1951137 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1951310 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1953030 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1953832 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1953999 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1955790 PM	SbieSvc.exe	588	CreateFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1956490 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	Name: \Program Files\Sandboxie\SbieSvc.exe
2:11:26.1956638 PM	SbieSvc.exe	588	CloseFile	C:\Program Files\Sandboxie\SbieSvc.exe	SUCCESS	
2:11:26.1957430 PM	SbieSvc.exe	588	CreateFile	C:\Program Files (x86)\GomPlayer\GOM.EXE	SUCCESS	Desired Access: None 0x0, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:11:26.1958230 PM	SbieSvc.exe	588	QueryNameInformationFile	C:\Program Files (x86)\GomPlayer\GOM.EXE	SUCCESS	Name: \Program Files (x86)\GomPlayer\GOM.EXE
2:11:26.1958371 PM	SbieSvc.exe	588	CloseFile	C:\Program Files (x86)\GomPlayer\GOM.EXE	SUCCESS	
Then it loops over and over....

It's not a show stopper to start with, e.g. no crashing yet. I also have a workaround by disabling that option in the media player but I'm still confused as to how or what is going on to cause this. I know you have plenty of *actually important* stuff to work on but if you get a chance down the line maybe you could investigate and see if there's something that can be done in that area of SbieSvc to solve the CPU spike/lag circle. I'd certainly appreciate it!
Goo.gl/p8qFCf
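The loop in the Procmon excerpt above can be counted instead of eyeballed. This is an added example, not part of the original post and not Sandboxie or MemProtect code: it assumes rows pasted as in the post (tab-separated, no header row, no thread column), and the sample trace, the `Explorer.EXE` row and all function names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

PROBE = ("CreateFile", "QueryNameInformationFile", "CloseFile")
SBIE = r"C:\Program Files\Sandboxie\SbieSvc.exe"
GOM = r"C:\Program Files (x86)\GomPlayer\GOM.EXE"

def build_sample():
    """Constructed trace: time, process, PID, operation, path, result, detail."""
    lines = []
    for n, target in enumerate((SBIE, SBIE, GOM, SBIE)):
        for k, op in enumerate(PROBE):
            stamp = f"2:11:26.{1000000 + (3 * n + k) * 1000:07d} PM"
            lines.append("\t".join([stamp, "SbieSvc.exe", "588", op,
                                    target, "SUCCESS", ""]))
    # Unrelated row from another (made-up) process, landing mid-probe.
    lines.insert(4, "\t".join(["2:11:26.1003500 PM", "Explorer.EXE", "1234",
                               "RegOpenKey", r"HKCU\Software", "SUCCESS", ""]))
    return "\n".join(lines)

def parse_time(text):
    """Procmon prints 7 fractional digits; strptime's %f accepts at most 6."""
    clock, meridiem = text.split(" ")
    hms, frac = clock.split(".")
    base = datetime.strptime(f"{hms} {meridiem}", "%I:%M:%S %p")
    return base.replace(microsecond=int(frac[:6].ljust(6, "0")))

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # blank or truncated line
        rows.append({"time": parse_time(cols[0]), "process": cols[1],
                     "pid": int(cols[2]), "op": cols[3], "path": cols[4]})
    return rows

def count_probes(rows):
    """Count open/query-name/close triplets per (process, PID, path).
    Rows are grouped by PID first so events from other processes do not
    split a triplet; concurrent threads of one PID would be under-counted."""
    by_pid = defaultdict(list)
    for row in rows:
        by_pid[row["pid"]].append(row)
    probes = Counter()
    for events in by_pid.values():
        i = 0
        while i + 3 <= len(events):
            window = events[i:i + 3]
            if (tuple(e["op"] for e in window) == PROBE
                    and len({e["path"] for e in window}) == 1):
                first = window[0]
                probes[(first["process"], first["pid"], first["path"])] += 1
                i += 3
            else:
                i += 1
    return probes

def summarise(text):
    rows = parse_rows(text)
    probes = count_probes(rows)
    span = (rows[-1]["time"] - rows[0]["time"]).total_seconds() if len(rows) > 1 else 0.0
    total = sum(probes.values())
    return {"probes": probes, "total": total, "span_seconds": span,
            "probes_per_second": total / span if span else 0.0}
```

Comparing `probes_per_second` and the per-path counts between a capture taken with the MemProtect driver started and one with it stopped gives a number to attach to the report.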

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: MemProtect+SbieSvc

Post by Syrinx » Sat Dec 24, 2016 12:26 pm

I decided to test MemProtect again since it is out of beta. This time I did it alongside Sandboxie 5.16 x64, still on Windows 7.

I used MPC-HC x64 for this round. The SbieSvc CPU usage spike didn't occur (though there was a marked increase it was within acceptable ranges) for a couple of programs, PaleMoon, Steam, Origin, even when watching videos fullscreen but for some reason with the media player when I set a video to full screen the SbieSvc would eat 7-13% cpu constantly. Immediately after stopping the MemProtect driver it would return to the normal 0.50 - <0.01 range

I also found that Skype seemed to only cause slight cpu usage when minimized to the notification area but when a message box was opened it also showed this 7-13% cpu spike in the SbieSvc.

Even more confusing was at first a game like Dragon Age Inquisition also didn't cause this spike. However the instant I switched from Windowed to fullscreen the SbieSvc had this constant CPU usage again.

Sandboxie 5.16 x64
SbieSvc.exe+0x15800 (Original NT AUTHORITY\System instance only)

Maybe these observations will help you to recreate or isolate the root of the cpu usage?

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: MemProtect+SbieSvc

Post by Syrinx » Thu Feb 09, 2017 11:35 am

I created a new Windows 7 x86 VM to try and see if this was just a x64 issue but it appears to occur there as well. I went ahead and captured a procmon log and did a step recording of how to see the cpu usage increase.
http://www.mediafire.com/file/yo4am1ifk ... Protect.7z
This VM was a straight SP1 fresh iso install, no other updates so I did enable testsigning mode and self-sign the memprotect driver because windows couldn't handle the sha2 signature and I didn't want to go through the entire update process just to test this one thing. Aside from that and the VMTools there is nothing else changed or tweaked. As you'll see in the logs I enabled and disabled the memprotect driver twice each, switching to fullscreen each time.

Installed:
SBIE 5.17.2
MemProtect 1.05.37 (#Lethal, so it's not blocking anything- just processing rules)
MPC-HC 1.7.10.0

Update: Just tested it with older versions. It seems to occur on all 4.x-5.x ones but of course not with the super old 3.76.
I know that doesn't help any but I was hoping it might've just started along the way. I'll assume it has to do with how 4.x+ handles memory protection, maybe OpenProcess and all that jazz.

I'd appreciate it if you can eventually look at it and see what's going on even if the final answer is they aren't compatible. As SBIE doesn't have options for blocking memory reads, I'd love to use memprotect for this. For the most part they seem to play nicely together but there is something in particular with video and fullscreen or perhaps I should say 'rendering' (since it happens with skype chat boxes as well) that seems to trigger this unusual sbiesvc.exe cpu usage only while the memprotect is started [even if not actually blocking anything]
Attachments
Spike.jpg

Peter2150
Posts: 879
Joined: Tue Mar 27, 2007 9:46 pm
Location: Washington DC

Re: MemProtect+SbieSvc

Post by Peter2150 » Thu Feb 09, 2017 2:32 pm

As a FIDES user I chuckled at this post. You don't have a prayer that anyone here will have a clue. First question you will be asked is where is the GUI :mrgreen:

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: MemProtect+SbieSvc

Post by Syrinx » Tue May 02, 2017 10:05 pm

Tested again with SBIE 5.19.1 and MemProtect 1.07.1 on Windows 7 x64. Same as before =(
All these months and not even a confirmed 'attempt' to reproduce.
/me cries.
Why oh why do you hate this combo?

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: MemProtect+SbieSvc

Post by Syrinx » Wed Aug 23, 2017 7:46 pm

Here we are a few months later without a peep from either end! So, I decided to test the August builds of SBIE & MemProtect again. Saw the same exact CPU issue(s) with the SbieSvc.exe as before regarding fullscreen (and a cpl other 'rendering' scenarios) so long as the MemProtect driver is loaded ~ even if it's not enforcing anything.

On a whim I also tested MemProtect with ReHIPS and it doesn't have any such CPU waste issues alongside MemProtect. I don't see it replacing SBIE just yet but at least it IS fully compatible and constantly moving, if not exactly quickly, in the right direction. I *really* like and want to use MemProtect on my system so now I must start pondering what might be needed to make this a reality if it is not going to be investigated from this end (or even acknowledged with an explanation as to why they just won't work together).

Just a bit longer to go [&several bumps] then it'll have been a year without a single @Invincea response.
Instead it was PETER who responded, rather nicely considering, the one time I wasn't talking to myself.

/sigh /cry /rage /drink another beer

I finally forgive you for the icon stuff, Peter2150 sir, and thanks for your amusingly correct input/chuckle there.
Doh, now I have nothing to hold over you but your name!

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: MemProtect+SbieSvc

Post by Barb@Invincea » Thu Aug 24, 2017 12:40 pm

Hi Syrinx,

You mentioned different software and steps in your posts; let me know which ones to try and I'll test them.

Sometimes security software doesn't play well with Sandboxie and there is not much we can do. However, if I can repro the issue I will send it over to the devs for a review and will update this thread as soon as I get a chance (or as soon as new info becomes available :) ).

Regards,
Barb.-

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: MemProtect+SbieSvc

Post by Syrinx » Fri Aug 25, 2017 11:06 am

Latest test scenario
OS:
Windows 7 x64

Programs used:
MemProtect
https://excubits.com/content/files/memprotect_demo.exe
MPC-HC
https://binaries.mpc-hc.org/MPC%20HomeC ... .13.x64.7z
SBIE
http://www.sandboxie.com/SandboxieInstall64-521-2.exe
7Zip (To extract MPC)
http://www.7-zip.org/a/7z1604-x64.exe

Other requirements:
A Video file. I chose an .mp4

Optional: Process Explorer
https://download.sysinternals.com/files ... plorer.zip
Optional: Use a setup with at least two monitors for an easier time creating the issue and viewing cpu usage at the same time.

Instructions:
Install Sandboxie
Extract MPC-HC
Run MemProtect_demo.exe to extract the contents
Move the MemProtect_Demo folder to C:\Program Files
Navigate to C:\Program Files\MemProtect_Demo\64-bit
Right click on MemProtect.inf and choose install
Navigate back to C:\Program Files\MemProtect_Demo
Copy the MemProtect.ini
Navigate to C:\Windows
Paste the MemProtect.ini in C:\Windows [eg same location as Sandboxie.ini]
Navigate back to C:\Program Files\MemProtect_Demo\

Optional: Create shortcuts for "start driver.cmd" "stop driver.cmd" "mpc-hc64.exe" on the desktop
Optional: Keep Process Explorer opened and minimized on the main monitor

Run MPC-HC64 in the sandbox, no tweaks or specific settings are required to reproduce

Optional: Move MPC-HC onto a secondary monitor
Open the Video file and set mpc-hc to run fullscreen (alt-enter by default)
Keep the video file playing

Open the Process Explorer window and note the SbieSvc.exe usage
In my latest test it averaged about 0.50 during the video

Run the Start driver.cmd for MemProtect

Watch in Process Explorer as SbieSvc.exe spikes then 'calms down' to an average around 10x higher, eg an entire decimal point shift to 5.00 average

Run the stop driver.cmd and note how SbieSvc returns to normal

Optional: Repeat running start and stop driver cmds as desired

Optional: For more real-world scenarios try it while also running a browser sandboxed in its own box at the same time and surfing the web or playing a game full-screen in its own box all while Skype is opened sandboxed in its own box. It can be quite jerky and nearly unusable the more things you try to run that render.

Hopefully I didn't miss any steps. Oh, and thanks for taking a look!

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: MemProtect+SbieSvc

Post by Barb@Invincea » Fri Aug 25, 2017 12:59 pm

Hello Syrinx,

I followed your steps to the letter, minus the 2 monitor setup.
I noticed the spikes and experienced some lag issues inside portal (full screen) and Firefox.

I made the devs aware. Any new information will be posted here. No ETA.

Regards,
Barb.-
