Software Restriction Policies - path weirdness

slbox
Posts: 17
Joined: Thu Dec 27, 2012 2:42 pm

Post by slbox » Sat Jan 19, 2013 8:38 pm

I have the latest version of Sandboxie and created a sandbox called "TestingBox" that I will use for installing and evaluating software.

Now I am trying to set up Software Restriction Policies in Windows 7 (64 bit) to allow my limited user to run only programs in the Program Files and Windows directories, as well as the TestingBox's download and Program Files directories. So I set up the following path rules to allow unrestricted access:

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
C:\Program Files (x86)
C:\Sandbox\limiteduser\TestingBox\user\current\Downloads
C:\Sandbox\limiteduser\TestingBox\drive\C\Program Files

Then I downloaded an installation file for some software to test my SRP, and it got saved into C:\Sandbox\limiteduser\TestingBox\user\current\Downloads. I tried to run it, but got a popup saying that it was blocked by group policy. It turns out the installer extracts some files into C:\Sandbox\limiteduser\TestingBox\user\current\AppData\Local\Temp and then tries to run those files. So then I added that temp directory to my SRP paths, and tried to run the installer again. But I got the same error about it being blocked by group policy.

The solution was to not add C:\Sandbox\limiteduser\TestingBox\user\current\AppData\Local\Temp to my SRP paths, but to add C:\Users\limited\AppData\Local\Temp instead. So now I'm wondering why that works, since it doesn't really make sense to me. Is it because when I run the installer program, it asks the OS to run a file inside C:\Users\limited\AppData\Local\Temp and that's when Windows checks the path against the SRP paths? And then after Windows does the check, then Sandboxie translates the C:\Users\limited\AppData\Local\Temp request into C:\Sandbox\limiteduser\TestingBox\user\current\AppData\Local\Temp?

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Post by DR_LaRRY_PEpPeR » Sat Jan 19, 2013 11:38 pm

Yeah, anything running in a sandbox doesn't see its paths that way (AFAIK), but as they're "supposed to be if Sandboxie wasn't involved." That applies for SRP too, since it's not done at, like, the Windows level, but from user mode, in programs themselves before they try to create a new process.

BTW, if you were trying to launch these things from an UNsandboxed Explorer (I don't think you are), this may be of interest: Run Sandboxed + SRP doesn't work? (That's fixed for now in the latest 4.01 beta version.) Of course the "Basic User" SRP level doesn't function in Windows 7 (which is more why I created the topic), but same thing applies for what should be blocked; totally ignored/bypassed in 3.x. I have now done some quick testing on 64-bit Win 7, and everything works the same as XP, which is what I expected, so I still can see no reasoning for tzuk's explanation...
XP Home-as-Pro SP3 (Admin) w/ continued updates (Embedded/POSReady 2009)
> Permissions + "2-level" SRP, latest Sandboxie (Pro/registered), EMET 4, no anti-anything (ever)
Did I make tzuk crazed... in his last days? :o
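A small model of the mechanism DR_LaRRY_PEpPeR describes, added here as an example; it is not Sandboxie's or Windows' code and is not from either poster. It takes the five path rules and the box layout (user\current, drive\C) from slbox's first post; the registry contents and the helper.exe name are constructed stand-ins. It shows that SRP's decision is made on the path string the launching program hands to Windows, so the extracted helper is checked as C:\Users\limited\AppData\Local\Temp\... even though the file physically sits under C:\Sandbox, which is why only the second fix works. It also goes slightly beyond the thread by modelling SRP's most-specific-rule precedence, which lets a Disallowed rule carve a writable folder out of an Unrestricted one.

```python
r"""
Model of SRP path-rule evaluation for a program running inside a Sandboxie box.
Added example for this thread, not Sandboxie or Windows code. The box layout
(user\current, drive\C) and the rule paths come from the thread; the registry
table and the file names are constructed stand-ins.
"""
import ntpath
from dataclasses import dataclass

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Constructed stand-in for the registry values that %HKEY_...% path rules expand to.
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot": r"C:\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir": r"C:\Program Files",
}

SANDBOX_ROOT = r"C:\Sandbox\limiteduser\TestingBox"   # box name from the thread
USER_PROFILE = r"C:\Users\limited"                    # the limited user's profile

# Where the box stores files a sandboxed program writes under each real prefix.
# The profile mapping must be tried before the drive mapping (it lies under C:\).
MAPPINGS = [
    (USER_PROFILE, ntpath.join(SANDBOX_ROOT, "user", "current")),
    ("C:\\", ntpath.join(SANDBOX_ROOT, "drive", "C")),
]


@dataclass(frozen=True)
class PathRule:
    path: str    # literal path, or a %HKEY_...\ValueName% registry path rule
    level: str   # UNRESTRICTED or DISALLOWED


def normalize(path):
    """Canonical form for comparison: backslashes, no trailing separator."""
    return ntpath.normpath(path).rstrip("\\")


def expand(rule_path):
    r"""Registry path rules (%HKEY_...\Value%) expand to the value's data."""
    if rule_path.startswith("%") and rule_path.endswith("%"):
        return REGISTRY[rule_path[1:-1]]
    return rule_path


def same_or_under(parent, child):
    """Case-insensitive check that child is parent itself or a path beneath it."""
    p, c = normalize(parent).lower(), normalize(child).lower()
    return c == p or c.startswith(p + "\\")


def evaluate(rules, launch_path, default_level=DISALLOWED):
    """Level SRP applies to a CreateProcess request for launch_path.

    launch_path is the string the *launching* program passes to Windows. The
    most specific (longest) matching path rule wins, as in SRP precedence, and
    the default security level applies when nothing matches.
    """
    best_len, best_level = -1, default_level
    for rule in rules:
        expanded = expand(rule.path)
        if same_or_under(expanded, launch_path):
            length = len(normalize(expanded))
            if length > best_len:
                best_len, best_level = length, rule.level
    return best_level


def container_path(virtual_path):
    """Where the box really stores a file a sandboxed program writes to virtual_path.

    The sandboxed program keeps using virtual_path itself, so that string, not
    the C:\\Sandbox location, is what SRP gets to check when it launches the file.
    """
    v = normalize(virtual_path)
    for real_prefix, box_prefix in MAPPINGS:
        if same_or_under(real_prefix, v):
            tail = v[len(normalize(real_prefix)):].lstrip("\\")
            return ntpath.join(box_prefix, tail)
    return v


# The five Unrestricted rules from the first post.
OP_RULES = [PathRule(p, UNRESTRICTED) for p in (
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%",
    r"C:\Program Files (x86)",
    ntpath.join(SANDBOX_ROOT, r"user\current\Downloads"),
    ntpath.join(SANDBOX_ROOT, r"drive\C\Program Files"),
)]

# The two candidate fixes from the thread: the box's Temp folder, and the user's real Temp.
BOX_TEMP_RULE = PathRule(ntpath.join(SANDBOX_ROOT, r"user\current\AppData\Local\Temp"), UNRESTRICTED)
USER_TEMP_RULE = PathRule(ntpath.join(USER_PROFILE, r"AppData\Local\Temp"), UNRESTRICTED)


def installer_walkthrough(rules):
    """The thread's scenario: a sandboxed installer extracts a helper into %TEMP%
    and launches it. Returns (path SRP checks, where the file really sits, decision)."""
    helper = ntpath.join(USER_PROFILE, r"AppData\Local\Temp\helper.exe")  # constructed name
    return helper, container_path(helper), evaluate(rules, helper)


if __name__ == "__main__":
    for label, rules in (("original rules", OP_RULES),
                         ("plus box Temp", OP_RULES + [BOX_TEMP_RULE]),
                         ("plus user Temp", OP_RULES + [USER_TEMP_RULE])):
        seen, stored, decision = installer_walkthrough(rules)
        print(f"{label:15} SRP checks {seen} (stored at {stored}): {decision}")
```

Running it prints the three rule sets side by side: only the set containing the real profile Temp folder lets the helper run. The same model also makes the cost of that fix visible: an Unrestricted rule on C:\Users\limited\AppData\Local\Temp applies to anything launched from that folder outside the sandbox too, so a more specific Disallowed rule (or a tighter allow on just the expected subfolder) is the usual way to limit what the exception opens up.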

slbox
Posts: 17
Joined: Thu Dec 27, 2012 2:42 pm

Post by slbox » Sun Jan 20, 2013 4:57 pm

DR_LaRRY_PEpPeR wrote: BTW, if you were trying to launch these things from an UNsandboxed Explorer (I don't think you are), this may be of interest: Run Sandboxed + SRP doesn't work? (That's fixed for now in the latest 4.01 beta version.) Of course the "Basic User" SRP level doesn't function in Windows 7 (which is more why I created the topic), but same thing applies for what should be blocked; totally ignored/bypassed in 3.x. I have now done some quick testing on 64-bit Win 7, and everything works the same as XP, which is what I expected, so I still can see no reasoning for tzuk's explanation...
I don't see the problem with SRP that you mentioned. I tried to run a program in a directory under C:\Sandbox that was supposed to be blocked, and I tried it from both an unsandboxed Explorer and a sandboxed Explorer - both times I got the popup saying that it was blocked by group policy. So SRP seems to be working for me.
