SandboxDiff - Registry/Files changes

majoMo · Post by **majoMo** » Sun Jul 06, 2008 7:10 pm

To tracking changes in registry and files with Sandboxie I tried to use applications like ZSoft Uninstaller (an excellent uninstaller), Regshot, System Explorer and InCtrl5 (all sandboxed). Without sucess - looping issue. I read some forum'administrator posts about, that allowed myself to do and try a utility.

I'm now using SandboxDiff to do that. How to use it?

Prior to install a program sandboxed:

1- Open 'UserPath.bat.txt'and inside it customizes only the path (RegHive path)
to something like: "C:\Sandbox\<YourUserName>\DefaultBox\RegHive".
2- Rename 'UserPath.bat.txt' to 'UserPath.bat'
3- Run 'SandboxDiff.exe' - not sandboxed.

At the end the user can to see the changes made by the application sandboxed in the files:

- Registry changes:

Comp-Reg.txt - lists registry changes (values only) in text format.
Comp-Reg.REG.txt - lists registry changes (keys and values) in .reg format (Windows Registry Editor Version 5.00).
Comp-Reg.html - lists all registry entries (values) sandboxed in text/html format (and the registry values changes).

- Files changes:

Comp-Files.txt - lists added/removed files.
Comp-FilesMOD.txt - lists added/removed files - and modified files (based in size and date/time).
Comp-Files.html - lists all files in sandbox folder - and added/removed files.

Some Sandboxie'users in the forum have asked how to check the changes made by an installation sandboxed. They can try to use SandboxDiff to do that.

Hoping for it will be useful to someone else that likes to use the excellent Sandboxie.

Some Anti Virus can detect 'SandboxDiff.exe' as suspicious. It is a false positive. SandboxDiff hasn't any harmful activity.

Regards.

SandboxDiff v. 2.3 - DOWNLOAD - MD5: AF33F8578978CCE2885505F7109D39F1

MitchE323 · Post by **MitchE323** » Sun Jul 06, 2008 8:27 pm

Very nice,

works just as described.

Just one question, what is the differance between SandboxDiff.exe & SandboxDiff2.exe (which also comes in the download) ?

Oneder · Post by **Oneder** » Sun Jul 06, 2008 9:43 pm

Getting a blank page here when trying to get the download atm.

majoMo · Post by **majoMo** » Mon Jul 07, 2008 8:00 pm

MitchE323 wrote:Just one question, what is the differance between SandboxDiff.exe & SandboxDiff2.exe (which also comes in the download) ?

The difference between them is the registry changes view. That is to say the files "comp-hklm.txt" and "comp-hkcu.txt" in "SandboxDiff2.exe" isn't like with "SandboxDiff.exe". The output is different - but interesting the shape. The comparing process is a bit more delayed also.

The user can use each other - a user choice...

I am glad to know it's useful for someone else than me.

Oneder wrote:Getting a blank page here when trying to get the download atm.

You can try to copy the link in your browser' adress bar and click enter. Perhaps this help:

Code: Select all

http://www.adrive.com/public/93645a7b597c8dbe3df59ebabacb47d3e0280a8972de7a98c739b014df4aa1b0.html
OR
http://www.adrive.com/public/view/93645a7b597c8dbe3df59ebabacb47d3e0280a8972de7a98c739b014df4aa1b0.html

[/size]

GreyWolf · Post by **GreyWolf** » Mon Jul 14, 2008 7:07 pm

Very Nice Program... and considering working via a dos interface for most commands definitely the best way to go without influencing the output.

Great Job.

GreyWolf

Guest10 · Post by **Guest10** » Sat Sep 13, 2008 3:31 pm

@majoMo:

The most recent data files for Norton A/V 2008 have apparently decided that SandboxDiff2.exe contains a Trojan Horse, and automatically deleted it from the Windows Explorer window, when I opened the folder containing that file.
I've submitted the file to Symantec, since I'm sure that it's a false positive.

Just thought I'd let you know. You may have others report this too.

SandboxDiff · Post by **SandboxDiff** » Wed Oct 01, 2008 9:11 pm

Can we get a repost of this? It would be very useful.

Thanks!

SnDPhoenix · Post by **SnDPhoenix** » Wed Oct 01, 2008 10:55 pm

Well you're in luck, I looked in my download folder and I still have SandboxDiff archive on my HDD, so I just uploaded it to my premium zone in Rapidshare (faster and reliable since you know Rapidshare will still be there tomorrow) so here you go.
http://rapidshare.com/files/150141933/SandboxDiff.rar

Btw, just as Guest10 mentioned above, yes this file does seemed to be tagged as infected with some kind of trojan, but I think it might be a false positive. I think the reason it says there is a trojan, is because the executable file actually has a couple other exe files embedded inside, so the A/Vs might be mistaking that packing technique as the file being a virus (since many viruses bind/pack many exe files together...).

Either way, I'd still say you're safe though since the tool is meant to be run sandboxed, so even if it is infected, it is sandboxed!

majoMo · Post by **majoMo** » Thu Oct 02, 2008 12:06 pm

Some AV look SandboxDiff like trojan. SnDPhoenix describes a reason; UPX compression is disliked for others AV also. SandboxDiff hasn't any harmful activity. It's a false positive.

SandboxDiff will be updated as soon as possible. In fact there are some annoyances that need to be corrected. An accurate rendering is crucial. Changes in hive file will be efective; files changes will not log "virtual" files anymore. The .exe file will be replaced by an.bat file.

majoMo · Post by **majoMo** » Sat Oct 04, 2008 7:14 pm

SandboxDiff updated.

Changes:

- "SandboxDiff.rar" must be extracted to Sandbox'folder where the "RegHive" file is.
- Now runs as .bat: "SandboxDiff.bat" - not sandboxed.
- While Sandboxie has applications running "RegHive" file can't be analyzed. It's why is needed "terminate all programs that are Sandboxed". SandboxDiff tell you when such action must be done.
- Changes (in Registry and Files) are saved in .txt and .html format. Output is accurate.
- The analyze'process is now noticeably faster.

Download and info in first post.

Casey44 · Post by **Casey44** » Tue Oct 21, 2008 8:39 pm

majoMo,
Seems like a great addition! I tried it out, but ran into a problem

UnRARred files in ...\Defaultbox.
But HOW do I start "SandboxDiff.bat" not-sandboxed? As instructed.

Whatever I try, I get it in a Sandbox-window, with the [#] markings.

Maybe because of that (?), I get the errormessage:

[...]
- Analyzing Registry and Files . . .
Please wait . . . (DON'T CLOSE THE WINDOW)
Het systeem kan het opgegeven pad niet vinden.
Kan G:\Sandbox\Kees\DefaultBox\hive_2.bak niet vinden

translated from dutch:
The system can not find the specified path.
Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.

Please help me on,
Casey

George · Post by **George** » Wed Oct 22, 2008 1:05 am

I'm having the same problem as casey.

Thanks for your help!

George · Post by **George** » Wed Oct 22, 2008 1:13 am

Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\.

HOWEVER, running ANYTHING inside \DefaultBox\ will run it in sandbox mode.

Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly.

Maybe this can be fixed by re-designing the batch file to be run at C:\ instead.

SnDPhoenix · Post by **SnDPhoenix** » Wed Oct 22, 2008 11:47 am

George wrote:Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly.

Err, if I am not mistaken, isn't only exe files forced sandboxed if they reside in the sandbox folder, I dont think the same rules apply to .bat files in the sandbox, could be wrong...?

majoMo · Post by **majoMo** » Wed Oct 22, 2008 11:59 pm

SnDPhoenix wrote:Err, if I am not mistaken, isn't only exe files forced sandboxed if they reside in the sandbox folder, I dont think the same rules apply to .bat files in the sandbox, could be wrong...?

Exactly like that, SnDPhoenix. If a .bat file is opened in that folder it isn't sandboxed (like a .txt file e.g. also). This is the reason why "SandboxDiff" is a .bat file now - if it was a .exe file the output won't be accurate and effective.

Casey44 wrote:Whatever I try, I get it in a Sandbox-window, with the [#] markings.

Casey44, if you open "SandboxDiff.bat" (double click e.g.) in your "G:\Sandbox\Kees\DefaultBox" the SandboxDiff.bat window (cmd) runs not sandboxed (like if you open there a .txt file; try it also).

Casey44 wrote:Maybe because of that (?), I get the errormessage:
The system can not find the specified path.
Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.

George wrote:I'm having the same problem as casey.
Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\.

Casey and George,

1. SandboxDiff.bat must to be executed in that folder (with the others files that are in the "SandboDiff.rar"). If not the output won't be accurate anymore.

2. Why the annoyance "Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak" about? If you run "SandboxDiff.bat" inside \DefaultBox\ you need to confirm that 1) you have there the RegHive file; 2) you need to TERMINATE ALL PROGRAMS sandboxed when requested by SandboxDiff'windows. Without this SandboxDiff can't do their work, because it can't analyze (if you don't terminate the programs the crucial RegHive file is locked: can't be analyzed).

Hoping for help to clarify the question. Your feedback is much appreciated. Thanks.

BTW, it will be available in the next SandboxDiff update the registry changes in .REG format (Windows Registry Editor Version 5.00).

Sandboxie Support

SandboxDiff - Registry/Files changes

SandboxDiff - Registry/Files changes

Same Problem

Who is online