Jump Lists on the Windows 7 Taskbar

[FunkTrooper]

I've just bought Sandboxie, and it's truly brilliant. Thank you, Ronen. (Btw, you have Steve Gibson from Security Now to thank for introducing me to this program.)

I've found a little thing that doesn't work properly though — jump lists. These appear to work ok for programs that are installed normally but run inside the sandbox. However, they don't seem to work for programs that are installed in a sandbox and then run in that sandbox.

For example, I'm running Steam, which is installed in a sandbox. Steam is supposed to have a jumplist like the one pictured here: http://www.addictivetips.com/windows-ti ... t-support/

However, when I right click the sandboxed Steam in my taskbar, I don't see the jump list; I only see the three options that you get for programs that don't support jump lists.

I know this isn't a very big deal really. But... it'd be a nice feature to have! Do you reckon it's possible, Ronen?

[tzuk]

Thanks for getting a license. As for your feature request, I am not sure this can work, but I might look into it at some point.

[tzuk]

I did look into this and it seems programs update the jump list by creating some temporary file somewhere below your "user profile" folder, and then Windows Explorer gets the new jump list configuration from this file and refreshes the task bar menu.

Programs in the sandbox (those installed in the sandbox and also those just running in the sandbox) will put the temporary file in the sandbox so Windows Explorer will never notice it.

It is possible to add a File Access exclusions in Sandboxie to permit the program to write that temporary file in the real folder:

%AppData%\Microsoft\Windows\Recent\CustomDestinations\

However, each entry in the jump list has to point to some file (usually a program or a document). And if the program is installed in the sandbox, the paths on the jump list won't be correct. For example in the case of Steam, it will point jump list at C:\Program Files\Steam\Steam.exe but really the Steam.exe file is somewhere in the sandbox.

In principle I could take over the jump list APIs and make sure the paths are correct but that would be quite a bit of work for what I consider a relatively minor gain.

[FunkTrooper]

That's interesting, thanks for looking into this. You're right though, it's not an especially important issue.

The only potential problem with leaving things as they are might be as follows....

Say you've installed a program outside of the sandbox, but are running it sandboxed. If you then use the jump list to select an option, the thing you click on will be run outside the sandbox, as it was invoked from Windows Explorer, which runs outside the sandbox. A new window of that sandboxed application will probabaly open, but that new window will not be sandboxed. The user may not notice this, and they could have a false sense of security, believing that what they are doing is in fact sandboxed.

I know the lack of [#] in the window's titlebar should be a giveaway about whether or not it's sandboxed. But this may not be noticed, or it may be a program (like *all* modern web browsers) that don't have titles on their windows. In this case, there'd be no way of knowing that the window isn't sandboxed.

Perhaps, it would be better to try to disable jump lists altogether.

...or perhaps I've misunderstood this entirely and this isn't an issue at all. I'm not at my Windows PC right now, so I haven't actually been able to test this.[/i]

[SnDPhoenix]

Say you've installed a program outside of the sandbox, but are running it sandboxed. If you then use the jump list to select an option, the thing you click on will be run outside the sandbox, as it was invoked from Windows Explorer, which runs outside the sandbox. A new window of that sandboxed application will probabaly open, but that new window will not be sandboxed. The user may not notice this, and they could have a false sense of security, believing that what they are doing is in fact sandboxed.

That's correct, I just tried it myself and anything launched from a jumplist executes unsandboxed.

I know the lack of [#] in the window's titlebar should be a giveaway about whether or not it's sandboxed. But this may not be noticed, or it may be a program (like *all* modern web browsers) that don't have titles on their windows. In this case, there'd be no way of knowing that the window isn't sandboxed.

Well you could use the "Is Window Sandboxed?" tool in that case, but yeah I see your point.

[tzuk]

The point you raise here is not even tied to jump lists, if you click the middle mouse button on a taskbar icon then Windows Explorer will run the program again. And if it isn't a forced program then it will start outside the sandbox.

It's not a major problem because if the program is located in the sandbox (say a downloaded malware) then it will restart sandboxed because Sandboxie always auto-forces programs that reside within the sandbox.

In a way these two issues are connected, and perhaps the only proper way to address them would be for Sandboxie to implement the APIs that let programs deal with the taskbar. But again I view this as a low priority issue so I'm not sure when I will get to this.

[SnDPhoenix]

Well just for the record, I am not concerned about this. I only posted to confirm the Funk's suspicion.

[slbox]

I've found a little thing that doesn't work properly though — jump lists. These appear to work ok for programs that are installed normally but run inside the sandbox.

The jump lists aren't working for me for programs that I have installed normally outside the sandbox. For example, when I right-click on the normal Firefox taskbar icon, I see the following items in the jump list:
- A list of my frequently visited pages
- Open new tab
- Open new window
- Enable private browsing
- Mozilla Firefox
- Unpin this program from taskbar

But when I right-click on the taskbar icon for my Firefox running inside Sandboxie, I only see the following in the jump list:
- [DefaultBox] Firefox
- Pin this program to taskbar
- Close window

So then I tried tzuk's suggestion of adding the %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ and %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\ folders to the File Access > Direct Access list in the settings. That changed the icon behavior in the taskbar - when I started up Firefox in the sandbox, the taskbar no longer showed 2 Firefox icons (a normal one and a sandboxed one). It only showed one Firefox icon for the sandboxed one. When I right-clicked on it, it showed everything in the jump list, which was good. But then when I clicked on "Open new tab" or "Open new window", it launched a new Firefox window OUTSIDE of the sandbox - that's bad. So the jump lists aren't working for me for normally installed programs, even though FunkTrooper says they should work?

[tzuk]

I re-read this topic but I don't see where FunkTrooper says that what you're trying to do should work.

If you set Firefox as a forced program, Sandboxie will not have to mess around with the taskbar button for the program, and "Open new tab" or "Open new window" will work as expected.

I don't mean this as a sales pitch, I'm just saying there is already a way for things to work as you want.

But I do agree that Sandboxie should do better emulation of the taskbar button, and I may be able to do this at some point.

[slbox]

I thought that's what he meant when he said "These appear to work ok for programs that are installed normally but run inside the sandbox."?

Hmm, I'm not sure I would set Firefox to be a forced program if I could, because there might be times I'd want to run it outside the sandbox to make settings changes that wouldn't get applied to the system if I ran it inside the sandbox. Unless I decided to install it inside the sandbox.