
Forced Programs to "Run as UAC Administrator"?

Posted: Sat Jun 10, 2017 12:42 pm
by Tridens
I have a program (Mailbird) that will not run correctly unless I check "Run as UAC Administrator" via the "Run Sandboxed..." menu item. Is there a way to have a Forced Program set to automatically "Run as UAC Administrator" so I don't have to do this manually each time? I can't find an option like that in Sandbox Settings.

Thanks!

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Mon Jun 12, 2017 11:09 am
by Barb@Invincea
Hello Tridens,

Have you tried changing the program's compatibility settings in order to run it as administrator?
Right-click on the program --> Properties
Compatibility --> Run this program as administrator.

You can also create a Shortcut with the "/elevate" parameter (but this means you will have to use that specific shortcut to launch the application)
Configure --> Windows Shell Integration --> Add Shortcut icons
Select the desired Sandbox and program.
Once you have created the shortcut, right-click on it --> Properties
Find Target and add "/elevate" (no quotation marks) right after the Sandbox's name
For example:
"C:\Program Files\Sandboxie\Start.exe" /elevate cmd.exe

Regards,
Barb.-

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Mon Jun 12, 2017 11:27 am
by RooJ
Be aware that it's possible for programs running as UAC admin under Sandboxie to view files in "blocked access" folders, as I believe the extra rights allow disk-level reading. Shouldn't be a huge issue for the mail app but worth considering for less trusted programs.

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Mon Jun 12, 2017 11:48 am
by Brummelchen
It's a bug in Mailbird, needs admin rights. Don't know why, same here; when I reduce rights in the sandbox it won't start and throws a message.

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Wed Jun 14, 2017 1:00 pm
by Tridens
Brummelchen wrote:
Mon Jun 12, 2017 11:48 am
It's a bug in Mailbird, needs admin rights. Don't know why, same here; when I reduce rights in the sandbox it won't start and throws a message.
Thanks, Brummelchen. I'll contact Mailbird Support and see if we can shed some light on this.

MERGED POST 1 -
RooJ wrote:
Mon Jun 12, 2017 11:27 am
Be aware that it's possible for programs running as UAC admin under Sandboxie to view files in "blocked access" folders, as I believe the extra rights allow disk-level reading. Shouldn't be a huge issue for the mail app but worth considering for less trusted programs.
RooJ, thanks for this heads-up. Yes, that certainly compromises the sandbox.

@Invincea, can you confirm that what RooJ is saying is the case?

Thanks!

MERGED POST 2 - -
Barb@Invincea wrote:
Mon Jun 12, 2017 11:09 am
Hello Tridens,

Have you tried changing the program's compatibility settings in order to run it as administrator?
...
Regards,
Barb.-
@Barb, thanks, I've set this up this way for now, but am concerned about what RooJ mentions about what running a program Elevated in Sandboxie opens up in terms of disk reading. Looking forward to hearing back from @Invincea on this. Thanks!

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Wed Jun 14, 2017 4:40 pm
by Barb@Invincea
Hello Tridens,

Not sure if this'll work for your particular scenario, but have you seen this contribution?:
viewtopic.php?f=22&t=24038&p=126492&hilit=runas#p126474

Regarding access, please see this:
https://www.sandboxie.com/index.php?ClosedFilePath

You can test it by creating a folder, blocking it from Sandboxie then running a program as Administrator and trying to access its contents (you can try to navigate to it via Internet Explorer, for example).

If you want to tweak your Sandbox settings to make it more secure, you may want to create separate Sandboxes for different tasks. This thread has some ideas regarding how to go about that:
viewtopic.php?f=17&t=24305#p127477

Can I please get exact repro steps for your Mail issue?

Regards,
Barb.-

PS: Moving forward, please use the Edit function to update your existing post, do not double (or triple) post.

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Wed Jun 14, 2017 8:43 pm
by RooJ
Barb@Invincea wrote:
Wed Jun 14, 2017 4:40 pm
You can test it by creating a folder, blocking it from Sandboxie then running a program as Administrator and trying to access its contents (you can try to navigate to it via Internet Explorer, for example).
This would trigger Sandboxie to block access to the folder, as would be expected.

Now download a low level disk reader like winhex from x-ways (free version). Block access to a folder via sandboxie and add a textfile with some text. Run winhex as admin in the sandbox. In winhex drop down menu click tools > open disk > select the drive and click OK. You'll find you can now browse the blocked folder and read the textfile without restrictions, even though the path is blocked in the sandbox winhex is currently running in. You can also see any folders hidden by write-only access etc.

This functionality actually comes in useful when running data recovery tools in sandboxie (which I do sometimes), so I'm not complaining. The ability to somehow block this low level reading would be nice though.

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Thu Jun 15, 2017 11:46 am
by Barb@Invincea
Hi RooJ,
Now download a low level disk reader like winhex from x-ways (free version). Block access to a folder via sandboxie and add a textfile with some text. Run winhex as admin in the sandbox. In winhex drop down menu click tools > open disk > select the drive and click OK. You'll find you can now browse the blocked folder and read the textfile without restrictions, even though the path is blocked in the sandbox winhex is currently running in. You can also see any folders hidden by write-only access etc.
I haven't tested that scenario, but it seems that it would require a user to already have the software installed on their host and then execute it as admin via Sandbox. If the user is running the email app Sandboxed (and maybe downloading files from emails), unless they purposely recover a file, install it on their host and then run it as Admin, there is little chance of that behavior affecting them.
However, it would be a good idea to use separate Sandboxes with restrictions (blocking execution of any other executable files via Restrictions --> Start/Run Access, for example) to perform different tasks.

Regards,
Barb.-

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Thu Jun 15, 2017 12:29 pm
by RooJ
Barb@Invincea wrote:
Thu Jun 15, 2017 11:46 am
I haven't tested that scenario, but it seems that it would require for a user to already have the software installed in their host, and then executing it as admin via Sandbox.
Or I guess a vulnerability in mailbird allowing it to be used as a malicious platform. I agree though, I don't think it's a huge risk for the OP. It was more a heads up about running less trusted software as admin.
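
Added example, not part of any post in this thread: a Python check for the concern discussed above, flagging sandboxes that rely on ClosedFilePath while programs in them can still hold administrator rights. It assumes Sandboxie.ini uses `[SandboxName]` sections with repeatable `Key=Value` lines and that `DropAdminRights=y` and `ForceProcess` are the relevant settings (neither is named in the thread); the sample configuration, including the process name, is constructed.

```python
from collections import defaultdict

# Constructed sample configuration (not taken from the thread).
SAMPLE_INI = r"""
[GlobalSettings]

[MailBox]
Enabled=y
ForceProcess=Mailbird.exe
ClosedFilePath=C:\Users\me\Documents\Private

[Untrusted]
Enabled=y
DropAdminRights=y
ClosedFilePath=C:\Users\me\Documents\Private
ClosedFilePath=D:\Backups

[Scratch]
Enabled=y
"""

def parse_ini(text):
    """Parse Sandboxie-style INI text; keys may repeat, so values are lists."""
    boxes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], defaultdict(list))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()].append(value.strip())
    return boxes

def audit(text):
    """Return boxes that block paths with ClosedFilePath but do not drop admin rights."""
    findings = {}
    for name, settings in parse_ini(text).items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue  # not sandbox sections
        blocked = settings.get("ClosedFilePath", [])
        drops = [v.lower() for v in settings.get("DropAdminRights", [])]
        if blocked and "y" not in drops:
            findings[name] = {"blocked": blocked,
                              "forced": settings.get("ForceProcess", [])}
    return findings

if __name__ == "__main__":
    for box, info in audit(SAMPLE_INI).items():
        print(f"[{box}] admin rights not dropped; blocked paths: {info['blocked']}; "
              f"forced programs: {info['forced']}")
```

A flagged sandbox is one where the blocked paths are only as private as the programs run elevated inside it are trusted; a forced program that needs elevation, as in this thread, cannot simply have admin rights dropped, so it is a candidate for its own sandbox.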

Re: Forced Programs to "Run as UAC Administrator"?

Posted: Fri Jun 16, 2017 4:26 pm
by Tridens
Barb@Invincea wrote:
Wed Jun 14, 2017 4:40 pm

Can I please get exact repro steps for your Mail issue?

Regards,
Barb.-
Hi, Barb. Basically, without running as Admin, Sandboxie prompts multiple times for Admin rights (every time you switch tabs between, say, Mail, Facebook, WhatsApp, etc.). And even after providing them, any program in the secondary pane (Facebook, Google Calendar, or WhatsApp) never loads. Changing Compatibility Settings --> Run as an Administrator under Windows 10 resolves the problems. I have reached out to Mailbird support to see if they can help.

I'll post anything I learn here.

Thanks!

Tridens