Sandboxie Support

When loading a browser (IE or Firefox) through DropMyRights, the sandbox shows the program has loaded and the program shows up in the task manager, but nothing ever shows up on screen.

I had run 2.64 w/o any conflict between the two programs.

Hello budfox9, I looked into the problem with DropMyRights.

posbis wrote: Could be a conflict between the two programs. Maybe SB blocks some actions of DropMyRights.

This is exactly what happens.

Up to version 2.64, Sandboxie was blocking drivers from becoming loaded, by intercepting OS calls, and denying the call. (That was the NtLoadDriver call, in case anyone cares.)

Since its the stated goal of version 2.71 to stop intercepting OS calls, this had to be done in a different way. And the different way is this:

Sandboxie now discards the "load driver" privilege from sandboxed programs, so it no longer needs to explicitly deny any requests -- the OS will deny them because the privilege is not there anymore.

This causes DropMyRights to fail, because it doesn't have all the privileges that it needs in order to function. In a way your rights are already dropped, inside the sandbox.

Other than just forgetting about DropMyRights, you can try two alternatives:

o right now you're trying DropMyRights from a sandboxed program. Try it the other way. First DropYourRights, then use Start.exe to go sandboxed.

o tell Sandboxie not to apply its privilege protection. Set BlockDrivers=no in Sandboxie.ini

Thanks Tzuk, I will give your ideas a try over the weekend.

I wanted to bring another issue to your attention.

Some components in a Windows system decide whether you are allowed to carry out some operation, or not, based on whether your account is a member of the built in local Administrators group.

That is, not if your account, or that Admin group, have any particular privilege enabled, or any particular access allowed or denied through access-control lists. But merely whether your account is a member of that group, or not.

I don't think DropMyRights takes you out of that group, because in many cases, the Admin group is the only group an account has to begin with!

So I think, if you're concerned about security while browsing, running with a non-Admin account is more secure than running as a 'disabled' Admin.

Tzuk,

I run some trading software that doesnt allow me to run as limited user. I have no doubt that what you say is true about XP accounts, but I do know that when I have accidentally run IE with dropmyrights for a activeX type install, the install will fail.

For me the prefect, low footprint browser security is dropmyrights+ sandboxie. On a sidenote, I have beta tested some of you competitors, and your program in my opinion is still the best.

Happy New Year in Bezerkly..