Sandboxie Support

Sandboxie 4.01.06 beta
Win 7 SP1 x64

If Firefox 20.0.1 is running sanboxed and I click a hyperlink in an unsandboxed program, like Thunderbird, two unsandboxed instances of Firefox launch with the link opened in it. The link does not open in the sandboxed version of Firefox.

In Sandboxie 3.76 there was a workaround that could allow an unsandboxed program to open a tab in a running instance of sandboxed Firefox, but that workaround does not work in 4.01.
I don't see why you would have 2 unsandboxed instances of Firefox open, though.
If that happens when running Firefox unsandboxed, you might try deleting the sessionstore.js and sessionstore.bak files in the Firefox profile folder, then restarting Firefox unsandboxed.

I was using the .reg workaround tzuk mentioned here, with the addition of changing permissions on those registry keys, to stop Firefox from changing those registry keys every time it started (which undid the fix). Without the permissions change, the .reg solution did not work.

This was working fine for me in 3.x, but with 4.x betas this is not longer working. I tried Mike's workaround here, and while that allows unsandboxed programs to open links in sandboxed Firefox, it has a couple of problems:

1) I can no longer open an unsandboxed version of Firefox when a sandboxed version is already open.
2) If I click on a URL in KeePass password manager, the link opens in sandboxed Firefox fine, but KeePass displays an eror dialog saying "An error occurred in sending the command to the application."

Any ideas why the previous .reg fix with my additional permissions modification no longer works with 4.x betas ?

My mistake - I wasn't using tzuk's .reg workaround, but was using a similar workaround which made the same changes but to different keys:

HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell\open\ddeexec
HKEY_CURRENT_USER\Software\Classes\FirefoxURL\shell\open\ddeexec

I then changed permissions for these keys (and subkeys), for the standard user account that Firefox runs under when running in the sandbox, to Deny "Set Value" and "Delete". All other permissions were left the same (ie. Effective permissions on these keys for standard user account were Full control, apart from these two which were denied). This stopped Firefox from deleting the relevant keys on startup. NOTE: As you can't change permissions from the standard user account, you have to run regedit as admin, and then determine which key under HKEY_USERS corresponds to the standard user account. If you have one admin account and one standard user account, you should probably have two keys which look like S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN (where N are different digits) - one of these is for the admin account and the other for the satndard user account. When you find out which one mirrors the standard user account, just make the changes to the above two keys (but substituing HKEY_CURRENT_USER with HKEY_USERS\S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN)

My solution above with the permissions was preferable to Mike's as there were no side-effects.

One of the problems with Sandboxie 4.01.xx betas is that sandboxed Firefox no longer runs under standard user account, but instead runs under the user account, "NT AUTHORITY\ANONYMOUS LOGON". I'm guessing that this means Firefox is using different registry path to the above two keys, but I haven't been able to work out what they are.

If I can find out which keys relate to "NT AUTHORITY\ANONYMOUS LOGON", I'm hopeful that the same trick may work with Sandboxie 4.01.xx betas

My fix ended up working perfectly on Win 7 x64 SP1 once tzuk had made some further changes to DDE in the SB 4 release. However, I've been testing out Windows 8.1 and the my fix no longer works. Even when using an older version of Firefox (eg. 3, 10, 13), I am unable to get links outside the sandbox open within the sandbox, unless I use the fix provided by Mike (which isn't ideal as it has a couple of downsides).

For anyone on Windows 8.1 (or possibly 8 ), has anyone managed to get links outside the sandbox to open within a sandboxied Firefox (even old versions of FF) without using Mike's fix ?

If not, could the new devs look into this again as I'd like to get the old behaviour back.

Just confirmed that Windows 8.1 (and possibly 8 ) have affected the changes (work arounds) made to Sandboxie 4 (after 4.02 I believe) to get DDE working on Win 7 x64 SP1.

I installed fresh Windows 7 x64, Thunderbird, Firefox 4, Sandboxie 4.08, and clicking on URL in Thunderbird opened it in running Sanboxied Firefox 4. I was also able to open a non-sandboxed Firefox at the same time, and external links would still open in sandboxied FF (essentially it would open in whatever FF was launched first).

I then upgraded to Firefox 27 beta 7 and the installer broke the DDE, but after applying my fixes everything was working fine, as above.

After that I installed fresh Windows 8.1 x64 and did the same as above, and even with Firefox 4, the DDE was broken and external links opened in a new unsandboxed instance of Firefox, instead of the already running sandboxied FF. After installing Firefox 27 beta 7 and applying my fixes, the same happened, but this time two instances of an unsandboxied Firefox were launched with the external link.

Can you fix/change Sandboxie so DDE works again on Win 8.1, like it does on Win 7 x64 ?

Not fixed in 4.09.01 beta

Hi barny,

Looks like the Security Identifier (sid) for Anonymous is S-1-5-7, here's an article that lists out well known sids: http://support.microsoft.com/kb/243330.

Hope that helps...


BTW, I'll be trying out the reg fix myself on Monday...

Thanks for the info on the SID, but it doesn't help since no user registry branch appears for that SID.

As mentioned, something definitely seems to have changed to the way DDE is handled in Windows 8.1 x64 (and 8 ?) compared to Win 7 x64. The fix/change that tzuk made to one of the SBIE 4 betas that made it work again on Win 7 x64 (with my registry fix method) no longer works on 8.1 x64.

I really need to switch to Windows 8.1 x64 but use SBIE all the time, so I'm caught in a trap as, although it works, it doesn't work the way I'm used to.

Hoping this can be made to work in the near future on 8.1 x64 as it does on Win 7 x64.

@joohwan@invincea - did you manage to test out the reg fix (ie. my fix, not the ones mentioned by tzuk or Mike) and reproduce the issue ?

joohwan@invincea wrote:BTW, I'll be trying out the reg fix myself on Monday...

barny wrote:As mentioned, something definitely seems to have changed to the way DDE is handled in Windows 8.1 x64 (and 8 ?) compared to Win 7 x64. The fix/change that tzuk made to one of the SBIE 4 betas that made it work again on Win 7 x64 (with my registry fix method) no longer works on 8.1 x64.

I really need to switch to Windows 8.1 x64 but use SBIE all the time, so I'm caught in a trap as, although it works, it doesn't work the way I'm used to.

Hoping this can be made to work in the near future on 8.1 x64 as it does on Win 7 x64.

@joohwan@invincea - did you manage to test out the reg fix (ie. my fix, not the ones mentioned by tzuk or Mike) and reproduce the issue ?

You mentioned you were going to try it out - Any update on this ?

I know changelog for 4.09.04 beta doesn't mention any fix related to this issue, but I tested it out anyway 4.09.04 beta still has this DDE issue.