SandboxDiff - Registry/Files changes

Utilities designed for use with Sandboxie
majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm


Post by majoMo » Sun Jul 06, 2008 7:10 pm

To track changes in the registry and files with Sandboxie I tried to use applications like ZSoft Uninstaller (an excellent uninstaller), Regshot, System Explorer and InCtrl5 (all sandboxed). Without success - looping issue. I read some forum administrator posts about it, which allowed me to make and try a utility.

I'm now using SandboxDiff to do that. How to use it?

Prior to installing a program sandboxed:

1- Open 'UserPath.bat.txt' and inside it customize only the path (RegHive path)
to something like: "C:\Sandbox\<YourUserName>\DefaultBox\RegHive".
2- Rename 'UserPath.bat.txt' to 'UserPath.bat'.
3- Run 'SandboxDiff.exe' - not sandboxed.

At the end the user can see the changes made by the sandboxed application in the files:

- Registry changes:

Comp-Reg.txt - lists registry changes (values only) in text format.
Comp-Reg.REG.txt - lists registry changes (keys and values) in .reg format (Windows Registry Editor Version 5.00).
Comp-Reg.html - lists all registry entries (values) sandboxed in text/html format (and the registry values changes).

- Files changes:

Comp-Files.txt - lists added/removed files.
Comp-FilesMOD.txt - lists added/removed files - and modified files (based on size and date/time).
Comp-Files.html - lists all files in sandbox folder - and added/removed files.

Some Sandboxie users in the forum have asked how to check the changes made by a sandboxed installation. They can try to use SandboxDiff to do that.

Hoping it will be useful to someone else who likes to use the excellent Sandboxie.

Some anti-virus programs can detect 'SandboxDiff.exe' as suspicious. It is a false positive. SandboxDiff doesn't have any harmful activity.

Regards.

SandboxDiff v. 2.3 - DOWNLOAD - MD5: AF33F8578978CCE2885505F7109D39F1
Last edited by Barb@Invincea on Wed May 24, 2017 7:07 pm, edited 29 times in total.
Reason: Updated download link.
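The file-side comparison described in the post (Comp-Files.txt / Comp-FilesMOD.txt: added, removed, and modified files judged by size and date/time) boils down to two snapshots of the sandbox folder and a set difference. The following is an added illustration, not SandboxDiff's own code; it uses a constructed throwaway folder in place of C:\Sandbox\<YourUserName>\DefaultBox.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# One snapshot entry per file: (size in bytes, modification time in whole seconds),
# keyed by the path relative to the sandbox root.
Snapshot = Dict[str, Tuple[int, int]]

def snapshot(root: str) -> Snapshot:
    """Walk the sandbox folder and record size and mtime of every file in it."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (st.st_size, int(st.st_mtime))
    return snap

def compare(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify files as added, removed, or modified (size or date/time differs)."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def format_report(diff: Dict[str, List[str]]) -> str:
    """Render the diff as plain text, in the spirit of Comp-FilesMOD.txt."""
    lines: List[str] = []
    for label in ("added", "removed", "modified"):
        lines.append(f"[{label.capitalize()}]")
        lines.extend(diff[label] or ["(none)"])
    return "\n".join(lines)

def demo() -> Dict[str, List[str]]:
    """Constructed sample: a temp folder stands in for the DefaultBox sandbox folder."""
    with tempfile.TemporaryDirectory() as box:
        Path(box, "keep.txt").write_text("unchanged")
        Path(box, "old.ini").write_text("to be removed")
        Path(box, "grow.log").write_text("v1")
        before = snapshot(box)                      # snapshot before the "install"
        Path(box, "old.ini").unlink()               # removed file
        Path(box, "new.dll").write_bytes(b"\x00" * 16)  # added file
        Path(box, "grow.log").write_text("version two")  # size changed -> modified
        return compare(before, snapshot(box))       # snapshot after the "install"

if __name__ == "__main__":
    print(format_report(demo()))
```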

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Sun Jul 06, 2008 8:27 pm

Very nice, :arrow: works just as described. :D Just one question, what is the difference between SandboxDiff.exe & SandboxDiff2.exe (which also comes in the download)?

Oneder
Posts: 364
Joined: Tue Aug 30, 2005 8:19 am
Location: Perth,West Oz

Post by Oneder » Sun Jul 06, 2008 9:43 pm

Getting a blank page here when trying to get the download atm.

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Mon Jul 07, 2008 8:00 pm

MitchE323 wrote:Just one question, what is the difference between SandboxDiff.exe & SandboxDiff2.exe (which also comes in the download)?
The difference between them is the registry changes view. That is to say, the files "comp-hklm.txt" and "comp-hkcu.txt" in "SandboxDiff2.exe" aren't like those from "SandboxDiff.exe". The output is different - but the shape is interesting. The comparing process is a bit more delayed also.

The user can use either one - a user choice...

I am glad to know it's useful for someone else than me. :D
Oneder wrote:Getting a blank page here when trying to get the download atm.
You can try to copy the link into your browser's address bar and press enter. Perhaps this helps:


http://www.adrive.com/public/93645a7b597c8dbe3df59ebabacb47d3e0280a8972de7a98c739b014df4aa1b0.html
OR
http://www.adrive.com/public/view/93645a7b597c8dbe3df59ebabacb47d3e0280a8972de7a98c739b014df4aa1b0.html

GreyWolf
Posts: 28
Joined: Fri Jun 20, 2008 5:32 am
Location: Montreal, Qc.

Post by GreyWolf » Mon Jul 14, 2008 7:07 pm

Very nice program... and considering that working via a DOS interface for most commands is definitely the best way to go without influencing the output.

Great Job.

GreyWolf

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sat Sep 13, 2008 3:31 pm

@majoMo:

The most recent data files for Norton A/V 2008 have apparently decided that SandboxDiff2.exe contains a Trojan Horse, and automatically deleted it from the Windows Explorer window, when I opened the folder containing that file.
I've submitted the file to Symantec, since I'm sure that it's a false positive.

Just thought I'd let you know. You may have others report this too.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

SandboxDiff

Post by SandboxDiff » Wed Oct 01, 2008 9:11 pm

Can we get a repost of this? It would be very useful.

Thanks!

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Wed Oct 01, 2008 10:55 pm

Well you're in luck, I looked in my download folder and I still have the SandboxDiff archive on my HDD, so I just uploaded it to my premium zone in Rapidshare (faster and reliable since you know Rapidshare will still be there tomorrow), so here you go.
http://rapidshare.com/files/150141933/SandboxDiff.rar

Btw, just as Guest10 mentioned above, yes this file does seem to be tagged as infected with some kind of trojan, but I think it might be a false positive. I think the reason it says there is a trojan is because the executable file actually has a couple of other exe files embedded inside, so the A/Vs might be mistaking that packing technique for the file being a virus (since many viruses bind/pack many exe files together...).

Either way, I'd still say you're safe though since the tool is meant to be run sandboxed, so even if it is infected, it is sandboxed! :P

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Thu Oct 02, 2008 12:06 pm

Some AVs see SandboxDiff as a trojan. SnDPhoenix describes one reason; UPX compression is disliked by other AVs also. SandboxDiff doesn't have any harmful activity. It's a false positive.

SandboxDiff will be updated as soon as possible. In fact there are some annoyances that need to be corrected. An accurate rendering is crucial. Changes in the hive file will be effective; file changes will not log "virtual" files anymore. The .exe file will be replaced by a .bat file.

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Sat Oct 04, 2008 7:14 pm

SandboxDiff updated.

Changes:

- "SandboxDiff.rar" must be extracted to the Sandbox folder where the "RegHive" file is.
- Now runs as .bat: "SandboxDiff.bat" - not sandboxed.
- While Sandboxie has applications running, the "RegHive" file can't be analyzed. That's why it is necessary to "terminate all programs that are Sandboxed". SandboxDiff tells you when such action must be done.
- Changes (in Registry and Files) are saved in .txt and .html format. Output is accurate.
- The analysis process is now noticeably faster.

Download and info in first post.

Casey44
Posts: 4
Joined: Tue Oct 21, 2008 5:44 pm

Post by Casey44 » Tue Oct 21, 2008 8:39 pm

majoMo,
Seems like a great addition! I tried it out, but ran into a problem :oops:

UnRARred files in ...\Defaultbox.
But HOW do I start "SandboxDiff.bat" not-sandboxed? As instructed.

Whatever I try, I get it in a Sandbox-window, with the [#] markings.

Maybe because of that (?), I get the error message:

[...]
- Analyzing Registry and Files . . .
Please wait . . . (DON'T CLOSE THE WINDOW)
Het systeem kan het opgegeven pad niet vinden.
Kan G:\Sandbox\Kees\DefaultBox\hive_2.bak niet vinden

translated from Dutch:
The system can not find the specified path.
Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.

Please help me on,
Casey

George

Same Problem

Post by George » Wed Oct 22, 2008 1:05 am

I'm having the same problem as casey.

Thanks for your help!

George

Post by George » Wed Oct 22, 2008 1:13 am

Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\.

HOWEVER, running ANYTHING inside \DefaultBox\ will run it in sandbox mode.

Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly.

Maybe this can be fixed by re-designing the batch file to be run at C:\ instead.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Wed Oct 22, 2008 11:47 am

George wrote:Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly.
Err, if I am not mistaken, isn't it only exe files that are forced sandboxed if they reside in the sandbox folder? I don't think the same rules apply to .bat files in the sandbox, could be wrong...?

majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Wed Oct 22, 2008 11:59 pm

SnDPhoenix wrote:Err, if I am not mistaken, isn't it only exe files that are forced sandboxed if they reside in the sandbox folder? I don't think the same rules apply to .bat files in the sandbox, could be wrong...?
Exactly like that, SnDPhoenix. If a .bat file is opened in that folder it isn't sandboxed (like a .txt file, e.g., also). This is the reason why "SandboxDiff" is a .bat file now - if it were a .exe file the output wouldn't be accurate and effective.
Casey44 wrote:Whatever I try, I get it in a Sandbox-window, with the [#] markings.
Casey44, if you open "SandboxDiff.bat" (double click e.g.) in your "G:\Sandbox\Kees\DefaultBox" the SandboxDiff.bat window (cmd) runs not sandboxed (like if you open there a .txt file; try it also).
Casey44 wrote:Maybe because of that (?), I get the errormessage:
The system can not find the specified path.
Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.
George wrote:I'm having the same problem as casey.
Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\.
Casey and George,

1. SandboxDiff.bat must be executed in that folder (with the other files that are in "SandboxDiff.rar"). If not, the output won't be accurate anymore.

2. What is the annoyance "Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak" about? If you run "SandboxDiff.bat" inside \DefaultBox\ you need to confirm that 1) you have the RegHive file there; 2) you TERMINATE ALL PROGRAMS sandboxed when requested by SandboxDiff's window. Without this SandboxDiff can't do its work, because it can't analyze (if you don't terminate the programs the crucial RegHive file is locked: it can't be analyzed).

Hoping for help to clarify the question. Your feedback is much appreciated. Thanks.

BTW, the registry changes in .REG format (Windows Registry Editor Version 5.00) will be available in the next SandboxDiff update.
