Hello,
I use Sandboxie to isolate potentially dangerous programs in windows 10
I noticed that some programs need to be run ad administrator in order to work properly.
There can be 2 different "administrative rights" scenarios:
A) Use "run as administrator" checkbox in the Sandboxie shell extension (for example when running a program installed outside the SB in a SB, or when installing a program in a SB)
B) Use "run as administrator" command in the windows shell (for example when running a program installed in a SB, or copied inside it)
I assume that:
- Scenario A is safe since it is embedded in the software and it should create an "administrative sandbox", where all files on the rest of the HDD are left untouched
- Scenario B is unsafe because it could bypass Sandboxie isolation by giving administrative privileges before sandboxing
but I really do not know.
Could someone with a more deep technical understanding (maybe an admin) help me resolve this issue so I can know how not to break sandboxing?
Thanks a lot.
Kind Regards.
Davide Bassi
Run as administrator
Re: Run as administrator
Scenario A) possibly gives the Sandboxie driver a heads-up - could even lend a part in initiating the process, while B) must rely on kernel event hooks of the officially supported sort.
Have no fear of A versus B way of launching Sandboxed leading to a program running elevated and unsandboxed for any duration of time, that's just not done.
Sandboxie never, like, delay-loads into a process, its dll can perhaps, but SbieDll is for functionality not Sandbox security . I would say a process is Sandboxed from even before it kicks off its EntryPoint.
Although if it is about the confidence level you hold in Sandboxie's different mechanisms for "capturing" a process, then today you know a bit more.
ForceProcess or ForceFolder lets some OS environment things take, like the Application Compatibility layer shims. Not sure what's behind that but it's something to ponder.
I make a habit of keeping a [#] positively [#] Sandboxed Command Prompt (Admin) open to launch stuff (via \Command Processor\AutoRun maintained %aliases% and of course %PATH%), so that I don't accidentally execute something unsandboxed from Explorer.
TL;DR, you're not supposed to worry about this, developer's are required to think of everything, and Sandboxie has got you covered here.
Have no fear of A versus B way of launching Sandboxed leading to a program running elevated and unsandboxed for any duration of time, that's just not done.
Sandboxie never, like, delay-loads into a process, its dll can perhaps, but SbieDll is for functionality not Sandbox security . I would say a process is Sandboxed from even before it kicks off its EntryPoint.
Although if it is about the confidence level you hold in Sandboxie's different mechanisms for "capturing" a process, then today you know a bit more.
ForceProcess or ForceFolder lets some OS environment things take, like the Application Compatibility layer shims. Not sure what's behind that but it's something to ponder.
I make a habit of keeping a [#] positively [#] Sandboxed Command Prompt (Admin) open to launch stuff (via \Command Processor\AutoRun maintained %aliases% and of course %PATH%), so that I don't accidentally execute something unsandboxed from Explorer.
TL;DR, you're not supposed to worry about this, developer's are required to think of everything, and Sandboxie has got you covered here.
-
Curt@invincea
- Sandboxie Lead Developer
- Posts: 1638
- Joined: Fri Jan 17, 2014 5:21 pm
- Contact:
Re: Run as administrator
BUCKAROO is correct. You can't break Sbie by running something as admin. Applications are sandboxed before they ever start. So, don't worry about it.
Who is online
Users browsing this forum: No registered users and 1 guest
