I'm testing Portable Sandboxie. My idea is to use this software to safely use a USB drive on any computer without making modifications to the host computer.
www.sandboxie.com and download the file.
My batch files, which run the browser sandboxed:
The idea is to start PStart so any app run from this menu is sandboxed.
It is a very primitive way of implementing it... but it works.
Try it and tell me your opinions.
start.cmd
--------------------------------
regedit /s Sandboxie+.reg
copy Sandboxie.ini %SystemRoot%\
sandboxieinstall.exe /install /S /D=C:\temp
sc.exe create Sandbox binpath= C:\temp\Sandbox.sys type= kernel start= auto error= normal DisplayName= Sandbox
sc.exe start sandbox
C:\temp\Start.exe default_browser
stop.cmd
----------------------------------
sc.exe stop Sandbox
sc.exe delete Sandbox
pskill.exe Control.exe
sandboxieinstall.exe /remove /S /D=C:\temp
rd /s /q "%APPDATA%\Sandbox"
del %SystemRoot%\Sandboxie.ini
clean.cmd
-----------------------------------
rd /s /q "%APPDATA%\Sandbox"
Sandboxie.ini
--------------------------------------
# Sandboxie Configuration File
# Automatically generated whenever the configuration changes.
# Set ConfigLevel to 99 to prevent the overwriting of this file.
[GlobalSettings]
ConfigLevel=1
BoxRootFolder=%AppData%
CopyLimitKb=32768
[DefaultBox]
Enabled=yes
OpenFilePath=msimn.exe,%AppData%\Identities
OpenFilePath=msimn.exe,%Local AppData%\Identities
OpenKeyPath=msimn.exe,HKEY_CURRENT_USER\Identities
OpenKeyPath=msimn.exe,HKEY_CURRENT_USER\Software\Microsoft\Outlook Express
RecoverFolder=%Favorites%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
This is a really neat idea. Would it be possible to do it from the VB Script from this topic: https://portableapps.com/node/639#comment-2238? This might provide a little bit cleaner solution, although it does require scripting to be enabled on the host computer.
I'm using a version of this script on my key at the moment, although I'm running bblean instead of PStart. It works really well for me. What do you think?
Tappet
Tappet
__________________
"I am still learning."
--Socrates
Yes, using VBS is cleaner... I already started making it. But I'm out of time. BBlean is good, I will try it.
If you make the VBS, post it please.
I have installed it and copied it to a dir which I use for Sandboxie.
Then I uninstalled it, and I start it with this batch.
Note that it runs Notepad with # just to show it's started in the sandbox.
PSKILL.exe http://www.sysinternals.com/Utilities/PsKill.html
REG.exe http://www.softpanorama.org/Unixification/Registry/microsoft_registry_to...
The need is to convert this to VBS or anything more clean, but this way it works for me.
Thanks
start.cmd--------------------------------------------
cmdow @ /hid
SET sandboxdir=%~dp0
cd %sandboxdir%
REG.exe HKLM\Software\tzuk\Sandboxie\Home=%sandboxdir%
REG.exe UPDATE HKLM\Software\tzuk\Sandboxie\Home=%sandboxdir%
regedit /s Sandboxie+.reg
copy Sandboxie.ini %SystemRoot%\
sc.exe create Sandbox binpath= "%sandboxdir%Sandbox.sys" type= kernel start= auto error= normal DisplayName= Sandbox
sc.exe start sandbox
%sandboxdir%Start.exe notepad.exe
stop.cmd--------------------------------------------------
cmdow @ /hid
sc.exe stop Sandbox
sc.exe delete Sandbox
pskill.exe Control.exe
pskill.exe SandboxieDcomLaunch.exe
pskill.exe SandboxieRpcSs.exe
rd /s /q "%APPDATA%\Sandbox"
del %SystemRoot%\Sandboxie.ini
REG.exe DELETE HKCU\Sandbox\ /FORCE
REG.exe DELETE HKLM\SOFTWARE\tzuk /FORCE
REG.exe DELETE HKCU\Software\tzuk /FORCE
Sandboxie.ini---------------------------------------------
# Sandboxie Configuration File
# Automatically generated whenever the configuration changes.
# Set ConfigLevel to 99 to prevent the overwriting of this file.
[GlobalSettings]
ConfigLevel=1
BoxRootFolder=%AppData%
CopyLimitKb=32768
[DefaultBox]
Enabled=yes
OpenFilePath=msimn.exe,%AppData%\Identities
OpenFilePath=msimn.exe,%Local AppData%\Identities
OpenKeyPath=msimn.exe,HKEY_CURRENT_USER\Identities
OpenKeyPath=msimn.exe,HKEY_CURRENT_USER\Software\Microsoft\Outlook Express
RecoverFolder=%Favorites%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
Sandboxie+.reg-------------------------------------------------
REGEDIT4
[HKEY_CURRENT_USER\Software\tzuk]
[HKEY_CURRENT_USER\Software\tzuk\Sandboxie]
[HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control]
"Window_Top"=dword:0000000e
"Window_Left"=dword:00000007
"Window_Bottom"=dword:0000016c
"Window_Right"=dword:0000012e
"Column 0 Width"=dword:00000097
"Column 1 Width"=dword:0000002f
"Column 2 Width"=dword:00000050
"Show_All_Processes"=dword:00000000
"FirstRun"=dword:00000000
"Last_Version_Check"=hex:46,02,cc,30,d7,43,c6,01
OK, I'm just trying to see if I understand how to use this. If I have any of this wrong, let me know:
Do I have that sequence right?
Oh, and just to clarify, is everything that I do between running start.cmd and stop.cmd in the sandbox, or just the program that is run from start.cmd (in your example, notepad)?
Thanks for the work on this. I think it could really solve some of the security concerns that arise with portable apps.
Tappet
__________________
"I am still learning."
--Socrates
Yes, you are right...
Any other software you need sandboxed, start with "%sandboxdir%Start.exe app.exe"
Use only the start.exe that is in the sandbox dir.
I use PStart sandboxed, so any other software that runs from it has the sandbox.
My English is not so good, so excuse me for the little explanation in my posts.
You need this too, which cleans the sandbox... BUT BE CAREFUL if you saved something important.
CLEAN.cmd----------------------------------------
cmdow @ /hid
rd /s /q "%APPDATA%\Sandbox"
We need to convert these scripts to something cleaner (VBS, NSIS, AutoIT)...
Good luck...and sandbox ALL...
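A check that can be run on the host after stop.cmd and CLEAN.cmd to confirm nothing stayed behind. It is an added example, not part of any post in this thread. The file name check.cmd is an assumption; the service name, registry keys, paths and process names are the ones the scripts above create or delete.

```batch
@echo off
rem check.cmd (hypothetical name): run after stop.cmd to list what is still on the host.
setlocal
set LEFT=0
rem Call the Windows tools by full path: the REG.exe used in the thread is a
rem different third-party program with its own syntax.
set SYS=%SystemRoot%\System32

rem Kernel driver service registered by "sc.exe create Sandbox ..."
"%SYS%\sc.exe" query Sandbox >nul 2>&1
if not errorlevel 1 call :found "service Sandbox is still registered"

rem Registry keys that stop.cmd deletes
for %%K in ("HKLM\SOFTWARE\tzuk" "HKCU\Software\tzuk" "HKCU\Sandbox") do (
    "%SYS%\reg.exe" query %%K >nul 2>&1
    if not errorlevel 1 call :found "registry key %%~K"
)

rem Files and folders written by start.cmd and by the sandboxed programs
if exist "%SystemRoot%\Sandboxie.ini" call :found "file %SystemRoot%\Sandboxie.ini"
if exist "%APPDATA%\Sandbox\" call :found "folder %APPDATA%\Sandbox"

rem Helper processes that stop.cmd kills with pskill
for %%P in (Control.exe SandboxieDcomLaunch.exe SandboxieRpcSs.exe) do (
    "%SYS%\tasklist.exe" /FI "IMAGENAME eq %%P" 2>nul | "%SYS%\find.exe" /I "%%P" >nul
    if not errorlevel 1 call :found "process %%P is still running"
)

if %LEFT%==0 echo Nothing from the portable Sandboxie run was found on this host.
if not %LEFT%==0 echo %LEFT% leftover items found.
rem The exit code is the number of leftovers, so other scripts can test it.
exit /b %LEFT%

:found
echo LEFTOVER: %~1
set /a LEFT+=1
goto :eof
```

Control.exe is a generic image name, so a hit on that line may be an unrelated program.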
Are BAT files "dirty"?
I'll take a look and see what I can do about NSIS-izing it. Shouldn't be too hard. (Except that the "remove" function doesn't always work right...)
See my blog post on the matter: https://portableapps.com/node/1320
~nm35
a.k.a. Mark
looking forward to the nsis script
btw anyone know whats causing this error i get with start.cmd
http://img159.imageshack.us/img159/7787/47es.png
This Line in start.cmd
REG HKLM\Software\tzuk\Sandboxie\Home=%sandboxdir%
Should Be
REG ADD HKLM\Software\tzuk\Sandboxie\Home=%sandboxdir%
Sorry, my mistake.
I'm happy to see some people interested in this.
thank you, yet i still get an error about control.exe
http://img49.imageshack.us/img49/9175/sandboxie2b5dx.png
fyi I am using the 2.31 beta version posted over in the forums there.
i solved another issue by adding (") around two lines in start.cmd
SET sandboxdir=%~dp0
cd %sandboxdir%
REG ADD "HKLM\Software\tzuk\Sandboxie\Home=%sandboxdir%"
REG UPDATE "HKLM\Software\tzuk\Sandboxie\Home=%sandboxdir%"
regedit /s Sandboxie+.reg
copy Sandboxie.ini %SystemRoot%\
sc.exe create Sandbox binpath= "%sandboxdir%Sandbox.sys" type= kernel start= auto error= normal DisplayName= Sandbox
sc.exe start sandbox
%sandboxdir%Start.exe mplayerc.exe
if i manually start control.exe and then run start.cmd it works but the 'sandbox' is stored in the default %APPDATA% folder.
Is MPLAYERC.exe on the path or in sandboxdir?
i put mplayerc.exe in D:\Sandboxie which contains start.cmd , start.exe , etc.
I had similar problems. To fix I had to:
- get the specific version of reg.exe mentioned at the top. I could not get it working with the XP version of reg.exe
- removed the "" marks I added based on a previous post. While this got me past the first error, it gave me a new similar error about control.exe
- the program to be run has to be in the Sandboxie folder OR use the full path to it.
Here's my working version:
Now if I could only get it to stop asking me about checking for updates.
I have made an AutoIt script to make Sandboxie work... I currently use 2.30 to make this. Does anyone have interest in this?
I'd like to see your script
1-Install
2-Copy all files to a folder of your choice
3-Copy sandbox.ini on your c:\windows to the folder
4-Uninstall all
5-Reboot
6-Put the au3 code compiled on the folder
7-Run It
You can pass other software as a command line parameter. It runs calc when nothing is specified, only to show it works.
#NoTrayIcon
$exefile=("start.exe")
If FileExists($exefile) Then
    FileCopy("sandboxie.ini",@WindowsDir,1)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Window_Top',"REG_DWORD",0x0000000e)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Window_Left',"REG_DWORD",0x00000007)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Window_Bottom',"REG_DWORD",0x0000016c)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Window_Right',"REG_DWORD",0x0000012e)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Column 0 Width',"REG_DWORD",0x00000097)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Column 1 Width',"REG_DWORD",0x0000002f)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Column 2 Width',"REG_DWORD",0x00000050)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Show_All_Processes',"REG_DWORD",0x00000000)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','FirstRun',"REG_DWORD",0x00000000)
    RegWrite('HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control','Last_Version_Check',"REG_BINARY","36085aa35457c601")
    RegWrite('HKEY_LOCAL_MACHINE\SOFTWARE\tzuk\Sandboxie','Home',"REG_SZ",@ScriptDir)
    $PID = Run("sc.exe create Sandbox binpath= " & Chr(34) & @ScriptDir & "\Sandbox.sys" & chr(34) & " type= kernel start= auto error= normal DisplayName= Sandbox", @ScriptDir,@SW_HIDE)
    ProcessWaitClose($PID)
    $PID = Run("sc.exe start sandbox", "", @SW_HIDE)
    ProcessWaitClose($PID)
    Select
        Case $CmdLine[0] = 0
            $PID = Run("control.exe")
            Sleep(2000)
            Run($exefile & " calc.exe")
            ProcessWaitClose($PID)
        Case Else
            $PID = Run("control.exe")
            Sleep(2000)
            Run($exefile & " " & $CmdLine[1])
            ProcessWaitClose($PID)
    EndSelect
    ProcessClose("SandboxieDcomLaunch.exe")
    ProcessClose("SandboxieRpcSs.exe")
    $PID = Run("sc.exe stop Sandbox", "", @SW_HIDE)
    ProcessWaitClose($PID)
    $PID = Run("sc.exe delete Sandbox", "", @SW_HIDE)
    ProcessWaitClose($PID)
    DirRemove(@AppDataDir & "\Sandbox",1)
    FileDelete(@WindowsDir & "\sandboxie.ini")
    RegDelete("HKEY_CURRENT_USER\Sandbox")
    RegDelete("HKEY_CURRENT_USER\Software\tzuk")
    RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\tzuk")
    Exit
EndIf
MsgBox(0, "Error", "Put on Sandbox Folder -> " & $exefile )
Exit
Tzuk says in his forum:
"If you set the value Last_Version_Check in the key HKEY_CURRENT_USER\Software\tzuk\Sandboxie\Control to REG_BINARY containing exactly eight zero bytes, then this is treated as "never check for updates automatically""
http://sandboxie.com/phpbb/viewtopic.php?p=1161#1161
Anyone interested in this?
It's working, it will solve most of the problems with portable software, but no one has seen it... It will intercept all the modifications to the host system.
I hope someone sees this...
http://sandboxie.com/phpbb/viewtopic.php?t=198&postdays=0&postorder=asc&...
Thank You listaspablo for your effort!
I am having a little error, so let me explain what I did.
1) I used UniExtract to unpack the NSIS installer for v2.43. That way I could get the sandboxie files without needing to install it. I suspect this may have something to do with it.
2) I copied your code into a txt file, renamed the extension to au3 and compiled with Aut2Exe. No problems there, I've used Aut2Exe before.
3) I created an ini file with the code from here and put it in the Sandboxie folder:
http://sandboxie.com/phpbb/viewtopic.php?t=198&start=27
4) I copied my compiled au3 file to the Sandboxie folder and ran it. I get this error:
http://img92.imageshack.us/img92/7993/error3ou.png
*) this is what my Sandboxie folder looks like:
http://img108.imageshack.us/img108/1059/folder3bo.png
Any Idea?
Hi.
I didn't try 2.43, it's beta.
You need to rename SandboxieHelper32.dll to SandboxieHelper.dll; it's done on installing but not on extracting.
Save the ini file in Unicode format with Notepad.
Keep me informed if it works for you.
ah i just needed to rename that dll and it's working perfect.
Huge thanks, this is very awesome.
Little update to make script use less cpu.
http://sandboxie.com/phpbb/viewtopic.php?t=198&postdays=0&postorder=asc&...
Thanks again listaspablo! I am using it as a Limited User with RunAs and it works perfect
Sandboxie to be portable, the best way is to ASK the developers to make it portable. Launchers will not work under limited users because they have to edit registry keys and install the service, then take it out again. Launchers aren't good at services anyway.
I don't know if services can do something normal apps can't, but I can't see why the code for the Sandboxie Service can't be moved into the normal app.
Thank you for listening.