[.06] Could not execute SandboxieRpcSs.exe

Listing issues addressed in beta version 4.01
0strodamus
Posts: 24
Joined: Mon Jul 05, 2010 2:24 pm
Location: Death Star aka USA

[.06] Could not execute SandboxieRpcSs.exe

Post by 0strodamus » Tue Feb 26, 2013 3:35 pm

I tried posting in the beta forum, but it said only administrators could start topics there.

Beta version 4.01.02 fixed the printing issues that I was experiencing in Firefox, which is great. I'm stoked to be able to now run this beta on x64!

The only issue I'm having is that Applocker is blocking SANDBOXIERPCSS.EXE from launching. The only way I have found so far to allow SANDBOXIERPCSS.EXE to launch is to place the EXE rules in auditing mode. This is on Windows 7 x64.

I don't understand the applocker eventlog entry (posted below), but I do notice that the {value} following EXE as well as the user SID (S-1-5-7) are different than all the other entries. All of the others have {random values (not all 0s)} and the full SID noted. I'm not sure if this is what is causing the problem or not. I tried creating an EXE rule to allow Guests (it was the only thing I could find that sounded like it would let anyone launch besides the Everyone group which also failed) to launch SANDBOXIERPCSS.EXE, but that didn't work.

I will keep running in Audit mode in Applocker because I think Sandboxie affords me more valuable security, but it would be nice to be able to put my rules back to Enforce. If I find a solution, I'll post back. Thanks in advance for any help and my apologies if I've placed this in the wrong forum section.

The event log details are as follows:

The description for Event ID ( 8004 ) in Source ( Microsoft-Windows-AppLocker ) could not be found.
Either the component that raises this event is not installed on the computer or the installation is corrupted.You can install or repair the component or try to change Description Server.

The following information was included with the event (insertion strings):
3
EXE
{00000000-0000-0000-0000-000000000000}
1
-
1
-
S-1-5-7
3140
43
%PROGRAMFILES%\SANDBOXIE\SANDBOXIERPCSS.EXE
0

1
-
Sandboxie | NOD32 | Jetico Personal Firewall | MBAM Pro | SuRun | Acrylic DNS
OS: Windows 7 x64

abcde1

Post by abcde1 » Tue Feb 26, 2013 9:23 pm

I've come across the same problem. As 0strodamus mentioned, setting EXE and DLL rules to audit allows Sandboxie 4.01 to run.

With only EXE rules in audit mode, I get the error: %SYSTEM32%\RPCEPMAP.DLL was prevented from running.

The odd thing is that there are default AppLocker rules which allow Everyone to run EXE's from the Program Files folders, and DLL's from The Windows folder (and below).

0strodamus
Posts: 24
Joined: Mon Jul 05, 2010 2:24 pm
Location: Death Star aka USA

[.05] [.04] Could not execute SandboxieRpcSs.exe

Post by 0strodamus » Sun Mar 10, 2013 3:58 pm

Still getting these errors with Applocker enabled on Windows 7 x64:

SBIE2313 Could not execute SandboxieRpcSs.exe (1260)
SBIE2204 Cannot start sandboxed service RpcSs (1260)
Sandboxie | NOD32 | Jetico Personal Firewall | MBAM Pro | SuRun | Acrylic DNS
OS: Windows 7 x64

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Mar 11, 2013 4:39 pm

I think you reported this before but I haven't looked into this. It's on my list, but there are a lot of things on my list. I will post when I have an update, so you might want to keep an eye on an existing topic, for example this one.
tzuk

0strodamus
Posts: 24
Joined: Mon Jul 05, 2010 2:24 pm
Location: Death Star aka USA

Post by 0strodamus » Mon Mar 11, 2013 7:12 pm

Yes, I did. I just wanted to let you know I was still seeing the error with the latest beta. Thanks for the reply!
Sandboxie | NOD32 | Jetico Personal Firewall | MBAM Pro | SuRun | Acrylic DNS
OS: Windows 7 x64

0strodamus
Posts: 24
Joined: Mon Jul 05, 2010 2:24 pm
Location: Death Star aka USA

Post by 0strodamus » Mon Mar 18, 2013 7:11 pm

This issue is resolved with .04 beta. Thanks tzuk!
Sandboxie | NOD32 | Jetico Personal Firewall | MBAM Pro | SuRun | Acrylic DNS
OS: Windows 7 x64

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Mar 19, 2013 6:27 am

Thanks for the update! Good to know.
tzuk

barny
Posts: 42
Joined: Mon Mar 25, 2013 2:08 pm

Post by barny » Mon Mar 25, 2013 2:12 pm

Not fixed for me in .04 - still seeing same errors in Win 7 x64 with AppLocker enabled:

SBIE2313 Could not execute SandboxieRpcSs.exe (1260)
SBIE2204 Cannot start sandboxed service RpcSs (1260)


Was anything done to address this bug in .04 ?

barny
Posts: 42
Joined: Mon Mar 25, 2013 2:08 pm

Post by barny » Mon Mar 25, 2013 6:04 pm

A bit more info: In 0strodamus' original thread here, they mentioned the user id as S-1-5-7, which was different from all the others. After setting AppLocker EXE and DLL rules to audit only, Sandboxie .04 beta runs fine but task manager shows the user who launched firefox.exe, SandboxieDcomLaunch.exe and SandboxieRpcSs.exe as "NT AUTHORITY\ANONYMOUS LOGON".


Unrelated to .04 beta, in 3.76, if I save a file in Sandboxied Firefox and try to create a new folder on the file save dialog, the new folder is not visible in the save dialog, but it is actually created in the Sandbox.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Mar 26, 2013 4:08 pm

Task manager will show the user as anonymous, that is how things work in version 4.

As for AppLocker, can you explain how you configure it so I can try to reproduce the problem? I'm not familiar with AppLocker so please take that into account in your explanation.
tzuk

barny
Posts: 42
Joined: Mon Mar 25, 2013 2:08 pm

Post by barny » Fri Mar 29, 2013 4:54 pm

You need to be running Windows 7 Ultimate to have access to AppLocker. Make sure Application Identity service is running and set to Automatic. Type gpedit.msc, then navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies and then click on “Configure rule enforcement”. Under Advanced tab, enable DLL rule collection, and under Enforcement tab make sure all rules are enabled/configured and set to "Enforce rules". On the left hand tree, select "Executable Rules", and then right-click it and select "Create Default Rules". Repeat for "Windows Installer Rules", "Script Rules" and "DLL Rules".

Log in as a Standard User account, and try to run Firefox sandboxied wiht 4.01.04 beta. You will get the errors mentioned in this topic. If you set "Executable Rules" and "DLL Rules" to "Audit only" instead of "Enforce rules", Firefox runs without problems as it makes AppLocker only log Allow/block attempts, rather than actually block them.

Check under Event Viewer->Applications and Services Logs->Microsoft->Windows->Applocker to see when something is allowed/blocked from running by AppLocker.

http://www.howtogeek.com/howto/6317/blo ... applocker/

Let me know if you need more info.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Apr 10, 2013 9:50 am

Due to some other problem, I changed SandboxieRpcSs to not start directly by the program in the sandbox, but instead start through SbieSvc (which is a component of Sandboxie that is outside the sandbox).

This means the AppLocker check would occur in the context of the SbieSvc component outside the sandbox, rather than inside the sandbox.

I think this should work around the problem described here, although I haven't experimented or tested this myself.

Please check if it makes a difference.
tzuk

barny
Posts: 42
Joined: Mon Mar 25, 2013 2:08 pm

Post by barny » Thu Apr 11, 2013 3:26 am

With .05, I no longer get the errors: SBIE2313 Could not execute SandboxieRpcSs.exe (1260) and SBIE2204 Cannot start sandboxed service RpcSs (1260).

However, I still get an error dialog - title "Sandboxie RpcSs", message "Could not load service DLL - rpcepmap.dll".

No problem if AppLocker DLL Rules are set to audit, rather than enforce.

Sadeghi85

[0.5]

Post by Sadeghi85 » Sat Apr 13, 2013 11:32 am

Same problem as previous poster mentioned. Screenshots in this post: http://www.wilderssecurity.com/showpost ... ostcount=1

What I don't get is, the default rules allow dlls in system32 to run, but RPCEPMAP.DLL was blocked! :shock:

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Apr 14, 2013 2:22 pm

I'm glad to see there's some improvement. I'll check out the remaining problems.
tzuk

Locked

Who is online

Users browsing this forum: No registered users and 1 guest