Sandbox delete command - Snapshot tool
-
- Posts: 13
- Joined: Fri Mar 10, 2017 12:50 pm
Sandbox delete command - Snapshot tool
Hi there,
I'm not sure if this is the correct forum for this question, so please let me know.
I have been creating a little program to use as a sandbox deletion tool which in essence allows a sandbox to be loaded from an initial snapshot. It works for the most part but I am having issues with saving deletions in the snapshot. The deleted item will re-appear after the snapshot is loaded. I am assuming because sandbox deletions are stored elsewhere. How can I determine which files were deleted from the sandbox?
Again apologies if this is in the wrong place.
Thanks for any help
-
- Posts: 388
- Joined: Sun Oct 12, 2008 9:13 pm
Re: Sandbox delete command - Snapshot tool
you assume wrong - deleted means deleted - and not deleted in the basket. you need a good recovery program.
for more information fear the manual please, that explains it all, you don't need any other third-party program:
https://www.sandboxie.com/index.php?StartCommandLine
https://www.sandboxie.com/index.php?Del ... invocation
> allows a sandbox to be loaded from an initial snapshot.
you need to create such template yourself and copy it with its new name to the place where you want to use it
(within the sandboxie root folder)
HTH
-
- Posts: 13
- Joined: Fri Mar 10, 2017 12:50 pm
Re: Sandbox delete command - Snapshot tool
Brummelchen wrote: ↑Sat Jun 17, 2017 11:15 am
> > allows a sandbox to be loaded from an initial snapshot.
> you need to create such template yourself and copy it with its new name to the place where you want to use it
> (within the sandboxie root folder)
That's exactly what I am doing. I am using my own delete command to store a snapshot of the deleted sandbox. If there already is a snapshot I am copying the snapshot I saved into the sandboxie root folder. My current implementation does work except in the case where you try to load a snapshot with files that were deleted (i.e. when I have opened a sandboxed Windows Explorer, deleted a file and saved a snapshot). When you then browse to that location in a sandboxed Windows Explorer the deleted files are still there.
What I have noticed is when a sandbox is deleted a bunch of "RegHive" files are packed together in the "__Delete_(sandbox name)_(some random number)_" processed sandbox folder. Which is why I am assuming some metadata about a sandbox must be restored elsewhere.
Thanks again
-
- Posts: 388
- Joined: Sun Oct 12, 2008 9:13 pm
Re: Sandbox delete command - Snapshot tool
ok, i see.
still not right. when sandboxie is going to delete a box its processes are going to be terminated, and it is renamed with a random number to prevent access that time, there exist no status or anything else. if you delete a file in the box and it is still present in your snapshot then you have a mismatch between your snapshot tool and sandboxie deleting process or it is not in the box but outside - you can not delete files outside from inside.
that's why i pointed to the command list - you need to determine all processes (or terminate them), take a snapshot and then delete. i don't save snapshots but i can determine number of processes and start deletion when zero active. between there is no action from sandboxie.
hint: when you have a view to the mounted reghive (in registry editor) sandboxie will throw a message and sandbox is not deleted.
and again: NO meta!
Re: Sandbox delete command - Snapshot tool
bassmastergg wrote: ↑Fri Jun 16, 2017 9:30 pm
> I have been creating a little program to use as a sandbox deletion tool which in essence allows a sandbox to be loaded from an initial snapshot. It works for the most part but I am having issues with saving deletions in the snapshot. The deleted item will re-appear after the snapshot is loaded. I am assuming because sandbox deletions are stored elsewhere.
If a file inside of the sandbox is deleted by a sandboxed program, and there is no file with that same name in the corresponding location outside of the sandbox, then that file should truly be deleted from the sandbox.
I tested that and the file was truly deleted.
If a file with the same name exists in the corresponding location outside of the sandbox, then the file is not truly deleted inside of the sandbox, but is given a file "Creation" date that pre-dates DOS: an illegal "Creation" date, which has the effect of hiding that file when a sandboxed program looks at the files in that folder:
May 23, 1986
An UNsandboxed program will still see the file in the sandbox folder, with its new (and illegal) "Creation" date and its old "Modified" date.
If I remember correctly, Sandboxie is also supposed to make that deleted file a 0 byte file in the sandbox.
That does not appear to be happening in my test.
File outside of the sandbox:
C:\Users\(username)\Downloads\dbug.txt
File inside of a sandbox, in a corresponding location:
C:\Sandbox\(username)\TestBox\user\current\Downloads\dbug.txt
If a sandboxed program deletes dbug.txt (in the sandbox), it is marked with an illegal "Creation" date, to hide it from sandboxed programs.
However, as I said above, I seem to recall that the file inside of the sandbox should also be set to 0 bytes, but I don't see that happening in my test.
I talked about this in my second post in this old thread (from 2012), when I was still using Windows XP:
viewtopic.php?f=11&t=13353
including the part where the deleted file in the sandbox should be set to a 0 byte file.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
-
- Posts: 13
- Joined: Fri Mar 10, 2017 12:50 pm
Re: Sandbox delete command - Snapshot tool
Guest10 wrote: ↑Sat Jun 17, 2017 3:43 pm
> If a file with the same name exists in the corresponding location outside of the sandbox, then the file is not truly deleted inside of the sandbox, but is given a file "Creation" date that pre-dates DOS: an illegal "Creation" date, which has the effect of hiding that file when a sandboxed program looks at the files in that folder:
> May 23, 1986
Ahh this is exactly what I am looking for, I see where my issue lies now, thanks very much
-
- Posts: 388
- Joined: Sun Oct 12, 2008 9:13 pm
Re: Sandbox delete command - Snapshot tool
thank you for clarifying. i did not know about but my assumption was not wrong when thinking about some file outside of the box. maybe i can check that with the prefetch folder, that is one major routine in my programs, i ever wondered that those entries are still present, i never looked at the date.
-------------------------------------
you can not buy or install security!
Re: Sandbox delete command - Snapshot tool
bassmastergg wrote: ↑Sat Jun 17, 2017 4:08 pm
> Guest10 wrote: ↑Sat Jun 17, 2017 3:43 pm
> > If a file with the same name exists in the corresponding location outside of the sandbox, then the file is not truly deleted inside of the sandbox, but is given a file "Creation" date that pre-dates DOS: an illegal "Creation" date, which has the effect of hiding that file when a sandboxed program looks at the files in that folder:
> > May 23, 1986
> Ahh this is exactly what I am looking for, i see where my issue lies now, thanks very much
Just to add to this, the date doesn't actually predate DOS, initial release of DOS was 1981 apparently and the date sandboxie uses looks legal.
The date sandboxie uses is actually 23/05/1986 04:47:02.25 pm (note the .25 at the end). If you manually set a date just to 23/05/1986 it won't be hidden by sandboxie. I believe the reasoning for using this date is the following:
Date: 23/05/1986 04:47:02.25 pm
Filetime: 121617208222500000
Filetime in Hex: 01B01234DEAD44A0
Notice 1234DEAD
Edit: The date may be affected by UK daylight saving time so could be out an hour (03:47:02.25 pm) but filetime should be accurate.
Re: Sandbox delete command - Snapshot tool
My memory was wrong about the meaning of the Creation date.
I have found how the program's creator worded it:
I also found another post from a forum member who stated that the deleted file should be set to 0 bytes.
MitchE323 wrote: ↑Mon Jan 26, 2009 5:53 pm
> > Before we put this problem to bed, could someone please try to explain to me what happened to cause this.
> If you open Windows Explorer sandboxed and delete a file, of course the real file is not going to be deleted. Sandboxie creates a zero-byte file corresponding to the deleted file, in that sandbox. That sandboxed file will have a creation date of 1986.
At some point Sandboxie stopped setting the deleted file to 0 bytes.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
Re: Sandbox delete command - Snapshot tool
I believe sandboxie only creates a 0 byte file if there's no matching file already in the sandbox. If the file exists both on the system and in the sandbox (in the same path) then only the creation date is changed and the file is otherwise unchanged. Not sure if it's always been this way.
-
- Posts: 13
- Joined: Fri Mar 10, 2017 12:50 pm
Re: Sandbox delete command - Snapshot tool
I put in the fix for my tool to ensure the creation date is maintained when copying files and folders from the snapshot into the Sandboxie root and I can confirm that it works as expected, thanks for all the help guys.
The question now stands is do I improve the tool to truncate file size and empty folders that are "deleted" to save on snapshot space
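
The FILETIME value quoted earlier in the thread and the creation-date fix described in this post, as an added example that is not code from the thread or from Sandboxie: it decodes the marker timestamp and reports "deleted" markers that a snapshot copy failed to preserve. The listing format (relative path mapped to creation FILETIME) and all function names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
import os

# Marker value quoted in the thread (hex 01B01234DEAD44A0).
SANDBOXIE_DELETED_FILETIME = 0x01B01234DEAD44A0
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01 in 100 ns ticks

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks (microsecond resolution)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

def creation_filetime(path):
    """Creation time of a file as FILETIME. Meaningful on Windows only;
    on other systems st_ctime_ns is the inode change time."""
    st = os.stat(path)
    ns = getattr(st, "st_birthtime_ns", st.st_ctime_ns)
    return ns // 100 + UNIX_EPOCH_AS_FILETIME

def is_deleted_marker(ft):
    # Exact tick comparison: per the thread, a file dated just 23/05/1986
    # without the exact time is not hidden.
    return ft == SANDBOXIE_DELETED_FILETIME

def markers_lost(sandbox, snapshot):
    """Paths marked deleted in the sandbox listing whose snapshot copy is
    missing or no longer carries the marker creation time."""
    return sorted(p for p, ft in sandbox.items()
                  if is_deleted_marker(ft)
                  and not is_deleted_marker(snapshot.get(p, 0)))

# Constructed sample listings: relative path -> creation FILETIME.
_KEPT = datetime_to_filetime(datetime(2017, 6, 17, 12, 0, tzinfo=timezone.utc))
SAMPLE_SANDBOX = {
    r"user\current\Downloads\dbug.txt": SANDBOXIE_DELETED_FILETIME,
    r"user\current\Downloads\kept.txt": _KEPT,
}
# Constructed case: a copy that stamped every file with the time of the copy.
_COPIED = datetime_to_filetime(datetime(2017, 6, 17, 15, 0, tzinfo=timezone.utc))
SAMPLE_SNAPSHOT = {p: _COPIED for p in SAMPLE_SANDBOX}

if __name__ == "__main__":
    print(filetime_to_datetime(SANDBOXIE_DELETED_FILETIME).isoformat())
    print(markers_lost(SAMPLE_SANDBOX, SAMPLE_SNAPSHOT))
```

The decoded value is in UTC, which is why a machine on UK summer time displays it one hour later.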
-
- Posts: 388
- Joined: Sun Oct 12, 2008 9:13 pm
Re: Sandbox delete command - Snapshot tool
i won't do that - neither those files affect sandboxie usage nor can you evaluate if those files are still needed, in special 0-byte files. empty folders same. if you zip your box it is waste of time to do a full analysis of files before.