Registry Hive

[john10882]

Want to share my solution to the registry hive not deleting without a reboot.

About once or twice every evening, Internet Explorer would freeze, and when forcibly terminated, the registry hive would not delete until after a reboot.

This was resolved, for my situation, by changing the settings in Internet Explorer to delete the temporary Internet cache when Internet Explorer is closed.

The problem has not happened since so there is a possibility that the large sized cache was in some way causing this condition.

[Buster]

Want to share my solution to the registry hive not deleting without a reboot.

About once or twice every evening, Internet Explorer would freeze, and when forcibly terminated, the registry hive would not delete until after a reboot.

This was resolved, for my situation, by changing the settings in Internet Explorer to delete the temporary Internet cache when Internet Explorer is closed.

The problem has not happened since so there is a possibility that the large sized cache was in some way causing this condition.

In theory if Sandboxie is forced to terminate programs it should not matter if the sandboxed program freezed or not, Sandboxie should be able to unload the reghive so you can remove sandboxed contents.

I reported several programs (malwares, but I guess it doesn´t matter) that were causing Sandboxie to don´t unload the reghive and in last releases tzuk has been fixing the reghive unloading bug but it´s obvious that there are still situations where reghive is not unloaded properly.

The problem to solve this issue is to find a reliable way to reproduce such situation so tzuk can look at it.

[tzuk]

The problem to solve this issue is to find a reliable way to reproduce such situation so tzuk can look at it.

First, I agree.

Second, I want to add, it could be a bug in Sandboxie, but it could also be something else. I've seen some rare cases where a third party security software was "curious" about the registry hive that Sandboxie introduces into the system, so it opened the hive to look into it, but then forgot to close that hive, preventing it from being ever unloaded.

[Ruhe]

What if an application opens a registry key but does not close it, so the application will be closed with still open key.

[xellos]

im also experiancing this problem sandbox wont unlod the registry hive on one of my boxes, nor can i unload it from regedit, looking at what program locks it, it just says "system" twice (one for the .log and one for the hive)

all programs are closed in sandbox (also tried killing) but still refuses to unload the hive, i even tried stopping the sandboxie service and was still unable to remove it..


not sure what could be accesing it , i cant kill the process system either (it doesnt do anything)..

any ideas?

[MitchE323]

any ideas?

A long while back, when I was just getting familiar with Sandboxie I used to interact quite a bit with the sandbox and Windows Explorer. I would look in there and poke around, just to see what was going on. Anyway, on XP I would often get hangups and spinning hourglasses and sandboxes that would not delete. Then I disabled Dr Watson and no problems since then. (But also I no longer poke around as much either). Also the next time it happens, see if you can shut down the computer - it might say "XYZ Program is trying to close" just maybe.

[xellos]

no no normal program was using it (i checked in process explorer) and only "System" was using it (had the file handles open) but couldnt release/close the handles either for some reason, anyways i think it has something to do with the sound card (was messing around with games in the sandbox and maybe windows or the game changed a setting on the sound card (maybe from 5.1 speakers to 2 speakers .etc) and could be possible system locked the registry hive (im not sure how this could happen but maybe a leak or bug?) i didnt have any allow drivers or anything checked so it was just a basic box ...
this is my asumtion since sound didnt work when i used that box anyways rebooted and it works again ...but im still curious what would cause that since sandboxie should control that file.

[tzuk]

xellos were you using version 3.28 or earlier at the time?

[xellos]

nope this just happened with 3.29.25...

[tzuk]

This can happen if you use an unsandboxed Explorer (or a similar program) to access sandbox folders,
or if you use an unsandboxed RegEdit (or similar) to view the sandboxed registry.

Best way to deal with this is to make sure the Explorer/RegEdit/whatever program is terminated, and then run some sandboxed program and close it.

[xellos]

yea i tried all this even a log-off and log-on (should of killed any processes running), so far i was only able to reproduce it once so maybe its a random bug (fullscreen / audio / 3d acceleration) maybe somehow caused the main system to hook into it?

whats weird is in process explorer i searched for the hive name and it came up "system" but i couldnt close the handel it had open (file lock) so im not sure if maybe you cant kill system level handle's, i also tried "Unlocker" and that couldnt kill the locks...

anyways im not sure how but somehow the system process took over, maybe its something similar to a zombie process (in linux init will take over non responsive process and you cant kill them)...anyways it was strange

[tzuk]

It's not at all strange, it's exactly how it's supposed to be so don't worry. The Sandboxie driver is running within the System process, this is why you see System as the owner of the registry handle.

[xellos]

ah your right when sandbox has a program loaded its locked by system, i still dont understand why it didnt release the lock that one time though, no programs were using it outside of sandbox and the sandbox all programs were shutdown

maybe a memleak caused the problem (i think i might of ran out of ram, i was opening and closing alot of things)

anyways if it happens again ill see what i can do to reproduce it..seems to be working ok now..

[HarryStottle]

I've seen some rare cases where a third party security software was "curious" about the registry hive that Sandboxie introduces into the system, so it opened the hive to look into it, but then forgot to close that hive, preventing it from being ever unloaded.

hmmm... wondering if that could be what's happening on my own system. First off, I am now regularly getting the message (can't remember the exact wording but the gist is:) "Cannot Remove Registry Hive Because Something else is using it"

Two things concern me. First my system has taken (only when I'm running Sandbox) to periodic freezes (about once an hour, sometimes once every 15 minutes or so) (no message windows, no eggtimer, no mouse control, no keyboard control, nada) which last about 45 seconds for no obvious reason. Even if I have Task Manager (or Process Tamer, which I prefer) running on my second monitor (so that I can see it at all times) nothing shows up as suddenly hogging resources. Everything just becomes completely unresponsive until whatever is causing it releases the system. It clearly hasn't lost consciousness, though, because as soon as it releases, if I've wasted my time clicking mice or trying keyboard access, everything I attempted to do during the freeze suddenly gets done in a lump (which can cause further problems as we know but that's trivial)

And second, even if I reboot to clear whatever has been hogging the hive, one quick sandboxed browsing session, and the same message pops up, suggesting that whatever is grabbing the hive is now doing so routinely.

So, two questions. First how can I identify what application is responsible for grabbing the hive? and Second, how is it possible for an application outside the Sandbox to grab the hive in the first place and (er... third) can we prevent that? (and, if so, [fourth], how?)

[tzuk]

Freezes and registry locks don't seem tightly related, in the sense that I doubt one is causing the other. But both may be caused by the same thing -- for instance by a conflicting security product. Can you think of one?

In any case you can try Process Explorer from Microsoft to see what's locking the registry. Use the Find menu and search for RegHive.