Deleted files/regkeys info?
Hi,
where does Sandboxie store deleted files information?
Recently I deleted some registry entries but need the original entries from the host system back.
You know what I mean?
Thanks,
DocMAX
Re: Deleted files/regkeys info?
DocMAX wrote:
> where does Sandboxie store deleted files information?
> Recently I deleted some registry entries but need the original entries from the host system back.

Files that are deleted from sandboxes, using "Delete Contents", bypass the Windows Recycle Bin and should be considered as unrecoverable.
It's true that there are some undelete utilities out there, that might be used to recover deleted files, but you need to have one of them installed in advance because it's possible that installing the utility might overwrite the very files that you are trying to recover.
My install of Recuva says that I have 36,000 + deleted files, and only a few of those look like they might have been deleted from one of my C:\Sandbox folders:
TempWmicBatchFile.bat ........ C:\?\drive\C\Program Files\Java\jre7\
Many, many other deleted files from sandboxes have apparently been overwritten.
System Restore saves backups of some files that are deleted from the hard drive, but by no means all of them.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
Hi, you didn't understand.
Sandboxie does NOT delete files outside the sandbox (else sandboxing wouldn't make any sense).
My question is, how does Sandboxie "mark" files deleted?
I did some research and found out that if a file exists in the same location INSIDE the sandbox and also OUTSIDE the sandbox, the file INSIDE the sandbox is not there (thus, as if it's deleted).
But how does it work in the registry?
tzuk?
BR,
DocMAX
DocMAX wrote:
> My question is, how does Sandboxie "mark" files deleted?

It doesn't mark anything, deleted is deleted.

DocMAX wrote:
> I did some research and found out that if a file exists in the same location INSIDE the sandbox and also OUTSIDE the sandbox, the file INSIDE the sandbox is not there (thus, as if it's deleted).

Pretty annoying bug.
Windows 7/8/8.1 x64
Windows Firewall (behind pfSense router), Avast Free 2014
Sandboxie, AppLocker, EMET 4.1
First of all, files in the sandbox that DO NOT exist in the corresponding folder that's outside of the sandbox, are truly deleted.
Files in the sandbox, that DO exist in the corresponding folder that's outside of the sandbox, are normally set to 0 bytes and are given an illegal date/time stamp. The date that is used is prior to the introduction of DOS, and therefore it is treated by Windows as an invalid file.
This is what I have recorded. I think this is still correct:
"Deleted files in the sandbox:
The file creation date is changed to a special magic number for deleted files. In a file properties dialog, it shows Friday, May 23, 1986, 15:47:02."
Run Windows Explorer sandboxed, and if you find a file like that it will have the effect of hiding a file by the same name that's outside of the sandbox, as far as sandboxed programs are concerned.
If it's a Registry change, you can look at the contents of the Reghive file while it's mounted (while the sandbox is *in use*), and possibly delete or modify a key. You can use the UNsandboxed Registry Editor program and look under the "HKEY_USERS\Sandbox_...." key.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
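As an added example (not code from this thread or from Sandboxie itself), here is a Python script that walks a sandbox folder, reports the 0-byte files whose creation time matches the Friday, May 23, 1986, 15:47:02 value Paul quotes, and maps each one back to the host path it hides from sandboxed programs. It assumes that displayed value is local time (so it compares in the scanning machine's local zone, with a small tolerance), that the box stores host paths under `<box root>\drive\<letter>\...` as in the `C:\...\drive\C\Program Files\Java\jre7\` path earlier in the thread, and it uses `C:\Sandbox\user\DefaultBox` only as a placeholder box root; the path mapping is generalised to any drive letter.

```python
"""Find Sandboxie 'deleted file' markers in a sandbox folder and report
which host files they hide from sandboxed programs.

Added example for this thread; not Sandboxie's own code. Assumptions
taken from the posts, not verified against Sandboxie source:
  * a deleted file that also exists on the host is represented in the
    sandbox by a 0-byte file whose creation time displays as
    Friday, May 23, 1986 15:47:02 (assumed to be local time);
  * the box keeps host paths under <box root>\\drive\\<letter>\\...
"""
import os
import sys
from datetime import datetime
from pathlib import Path, PureWindowsPath
from typing import List, Optional, Tuple, Union

# Creation timestamp the thread reports for delete markers (local time).
MAGIC_DELETE_TIME = datetime(1986, 5, 23, 15, 47, 2)

PathLike = Union[str, PureWindowsPath]


def is_delete_marker(size: int, created: datetime, tolerance_s: int = 2) -> bool:
    """True when (size, creation time) matches the marker pattern."""
    if size != 0:
        return False
    return abs((created - MAGIC_DELETE_TIME).total_seconds()) <= tolerance_s


def creation_time(st: os.stat_result) -> datetime:
    """Best-effort file creation time as a local datetime."""
    ts = getattr(st, "st_birthtime", None)
    if ts is None:
        # On Windows st_ctime is the creation time; on POSIX it is the
        # inode change time, so results there are only indicative.
        ts = st.st_ctime
    return datetime.fromtimestamp(ts)


def host_path_for(marker: PathLike, box_root: PathLike) -> Optional[PureWindowsPath]:
    """Map <box_root>\\drive\\C\\x\\y to C:\\x\\y; None if not under drive\\."""
    marker = PureWindowsPath(marker)
    box_root = PureWindowsPath(box_root)
    try:
        rel = marker.relative_to(box_root)
    except ValueError:
        return None
    parts = rel.parts
    if len(parts) < 3 or parts[0].lower() != "drive":
        return None
    return PureWindowsPath(parts[1] + ":\\", *parts[2:])


def scan(box_root: Path) -> List[Tuple[PureWindowsPath, Optional[PureWindowsPath]]]:
    """Walk the box and return (marker path, hidden host path) pairs."""
    found = []
    box_win = PureWindowsPath(str(box_root))
    for dirpath, _dirs, files in os.walk(box_root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            if is_delete_marker(st.st_size, creation_time(st)):
                marker = PureWindowsPath(str(p))
                found.append((marker, host_path_for(marker, box_win)))
    return found


if __name__ == "__main__":
    # Placeholder box root; pass the real one as the first argument.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\Sandbox\user\DefaultBox")
    for marker, host in scan(root):
        print(f"{marker}  hides  {host}")
```

Run it on the host (outside any sandbox) with the box folder as the argument; a marker whose host twin no longer exists is reported with its mapped path anyway, which is exactly the case where the thread says the deletion is real and nothing is left to recover.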
There's no such thing as an illegal/invalid timestamp, AFAIK. (They can go back to 1600 I think.)
Files are marked as "deleted" in the sandbox with an empty file, as Guest 10 said, as well as the time that Sandboxie treats as "special." (Probably just some Unix timestamp like 0x123456789, etc. -- arbitrary, something unique to check for.)
Same thing with registry keys -- an empty key with a "special" creation (??) and/or last write time. You have to use some other program to see the registry timestamp stuff (available with Registry API, but not shown in Regedit, etc.).
There was some other topic I saw about this once, and then I saw the registry timestamps with one of the registry "diff" programs...
XP Home-as-Pro SP3 (Admin) w/ continued updates (Embedded/POSReady 2009)
> Permissions + "2-level" SRP, latest Sandboxie (Pro/registered), EMET 4, no anti-anything (ever)
Did I make tzuk crazed... in his last days?
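Paul's suggestion to inspect the mounted hive under `HKEY_USERS\Sandbox_...` and the remark above that key timestamps are only visible through the Registry API can be combined into one script. This is an added example, not code from the thread or from Sandboxie: it walks the mounted hive with Python's `winreg`, prints each key's last-write time, and flags empty keys (no subkeys, no values) with an implausibly old timestamp as candidate delete markers. The hive name `Sandbox_user_DefaultBox` is a placeholder, and the pre-1990 cutoff is a heuristic of mine, since the thread does not name the registry magic value.

```python
"""List keys in a mounted Sandboxie registry hive (HKEY_USERS\\Sandbox_*)
with their last-write times and flag likely delete markers.

Added example for this thread; not Sandboxie's own code. Assumptions:
  * the hive is mounted under HKEY_USERS\\Sandbox_<user>_<box> while the
    sandbox is in use (the exact suffix below is a placeholder);
  * a delete marker is an empty key (no subkeys, no values) whose
    last-write time lies before 1990; this cutoff is a heuristic, the
    thread does not state the actual magic value for keys.
"""
import sys
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Tuple

try:
    import winreg  # Windows only
except ImportError:  # lets the module load (and the pure helpers run) elsewhere
    winreg = None

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MARKER_CUTOFF = datetime(1990, 1, 1, tzinfo=timezone.utc)  # heuristic


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def looks_like_marker(n_subkeys: int, n_values: int, last_write: datetime) -> bool:
    """Heuristic: an empty key with a pre-1990 last-write time."""
    return n_subkeys == 0 and n_values == 0 and last_write < MARKER_CUTOFF


def walk_hive(root_path: str) -> Iterator[Tuple[str, int, int, datetime]]:
    """Yield (key path, subkeys, values, last write) under HKEY_USERS\\root_path."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    stack = [root_path]
    while stack:
        path = stack.pop()
        try:
            key = winreg.OpenKey(winreg.HKEY_USERS, path, 0, winreg.KEY_READ)
        except OSError:
            continue  # access denied or vanished; keep walking the rest
        with key:
            n_sub, n_val, ft = winreg.QueryInfoKey(key)
            yield path, n_sub, n_val, filetime_to_datetime(ft)
            for i in range(n_sub):
                stack.append(path + "\\" + winreg.EnumKey(key, i))


def find_markers(root_path: str) -> List[Tuple[str, datetime]]:
    """Return (key path, last write) for every key matching the heuristic."""
    return [(p, lw) for p, s, v, lw in walk_hive(root_path) if looks_like_marker(s, v, lw)]


if __name__ == "__main__":
    hive = sys.argv[1] if len(sys.argv) > 1 else "Sandbox_user_DefaultBox"  # placeholder
    for path, n_sub, n_val, last_write in walk_hive(hive):
        flag = "  <-- possible delete marker" if looks_like_marker(n_sub, n_val, last_write) else ""
        print(f"{last_write:%Y-%m-%d %H:%M:%S} {n_sub:4d} {n_val:4d}  {path}{flag}")
```

Run it from an unsandboxed, elevated prompt while the box is in use, passing the `Sandbox_...` name exactly as Registry Editor shows it under HKEY_USERS; the listing shows the key timestamps that Regedit hides, and a flagged key is a candidate to check against the host key of the same name before deciding whether to remove it from the hive.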
Just a "magic number", is all:
http://www.sandboxie.com/phpbb/viewtopic.php?t=1313
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007