OptionsWindow
0
0
657
449
0
0
0
0
16777215
16777215
SandboxiePlus Options
-
-
true
QTabWidget::West
9
General Options
-
2
Box Options
-
-
Qt::Horizontal
40
20
-
75
true
Appearance
-
-
1
10
1
-
Prevent change to network and firewall parameters
-
px Width
Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter
-
Sandbox Indicator in title:
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
Sandboxed window border:
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
-
75
true
Protect the system from sandboxed processes
Elevation restrictions
-
0
0
16
16777215
-
Block network files and folders, unless specifically opened.
-
Qt::Vertical
20
40
-
-
Make applications think they are running elevated (allows installers to run safely)
-
75
true
Protect the system from sandboxed processes
Network restrictions
-
Drop rights from Administrators and Power Users groups
-
75
true
(Recommended)
-
75
true
Security note: Elevated applications running under the supervision of Sandboxie, with an admin token, have more opportunities to bypass isolation and modify the system outside the sandbox.
true
File Options
-
-
Auto delete content when last sandboxed process terminates
-
Copy file size limit:
-
75
true
Box Delete options
-
Qt::Horizontal
40
20
-
Protect this sandbox from deletion or emptying
-
75
true
Raw Disk access
-
75
true
File Migration
-
Allow elevated sandboxed applications to read the hard drive
-
Warn when an application opens a hard drive handle
-
kilobytes
-
75
16777215
-
Issue message 2102 when a file is too large
-
Qt::Vertical
20
40
-
20
16777215
Access Options
-
-
Remove spooler restriction, printers can be installed outside the sandbox
-
Qt::Vertical
20
40
-
75
true
Protect the system from sandboxed processes
Printing restrictions
-
Open Windows Credentials Store
-
Open System Protected Storage
-
0
0
Allow the print spooler to print to files outside the sandbox
-
Block access to the printer spooler
-
Qt::Horizontal
40
20
-
20
0
20
16777215
-
75
true
Protect the system from sandboxed processes
Other restrictions
Run Menu
-
You can configure custom entries for the sandbox run menu.
true
-
Qt::Vertical
20
40
-
Name
Command Line
-
0
0
0
23
Add program
-
0
0
0
23
Remove
Auto Start
-
Here you can specify programs and/or services that are to be started automatically in the sandbox when it is activated.
true
-
Type
Program/Service
-
0
0
0
23
Remove
-
Qt::Vertical
20
40
-
0
0
0
23
Add program
-
0
0
0
23
Add service
Program Groups
-
-
Add Group
-
Add Program
-
Remove
-
Qt::Vertical
20
40
-
true
Name
-
You can group programs together and give them a group name. Program groups can be used with some of the settings instead of program names.
true
Forced Programs
9
9
9
9
-
-
Remove
-
Force Folder
-
true
Type
Path
-
Force Program
-
Qt::Vertical
20
40
-
Show Templates
-
Programs entered here, or programs started from entered locations, will be put in this sandbox automatically, unless they are explicitly started in another sandbox.
true
Stop Behaviour
-
-
Remove Program
-
Qt::Vertical
20
40
-
Add Leader Program
-
Add Lingering Program
-
true
Type
Path
-
Show Templates
-
Lingering programs will be automatically terminated if they are still running after all other processes have been terminated.
If leader processes are defined, all others are treated as lingering processes.
true
Start Restrictions
-
-
true
Name
-
Qt::Vertical
20
40
-
Remove Program
-
Issue message 1308 when a program fails to start
-
Add Program
-
0
-
Allow only selected programs to start in this sandbox. *
-
Prevent selected programs from starting in this sandbox.
-
Allow all programs to start in this sandbox.
-
* Note: Programs installed to this sandbox won't be able to start at all.
true
Internet Restrictions
-
-
Issue message 1307 when a program is denied internet access
-
Block internet access for all programs except those added to the list.
-
true
Name
-
Note: Programs installed to this sandbox won't be able to access the internet at all.
-
Remove Program
-
Add Program
-
Qt::Vertical
20
40
-
Prompt user whether to allow an exemption from the blockade.
Resource Access
-
-
true
Type
Program
Access
Path
-
0
0
0
23
Add Reg Key
-
0
0
0
23
Add File/Folder
-
Remove
-
0
0
0
23
Add Wnd Class
-
0
0
0
23
Add COM Object
-
0
0
0
23
Add IPC Path
-
Qt::Vertical
20
40
-
Move Up
-
Move Down
-
Qt::Vertical
20
40
-
Show Templates
-
Configure which processes can access what resources. Double click on an entry to edit it.
'Direct' File and Key access only applies to program binaries located outside the sandbox.
Note that all Close...=!<program>,... exclusions have the same limitations.
For file access you can use 'Direct All' instead to make it apply to all programs.
File Recovery
-
-
Qt::Vertical
20
40
-
Add Folder
-
Ignore Extension
-
Ignore Folder
-
Show Templates
-
Enable Immediate Recovery prompt to be able to recover files as soon as they are created.
-
Qt::Vertical
QSizePolicy::Preferred
20
40
-
Type
Name
-
Remove
-
You can exclude folders and file types (or file extensions) from Immediate Recovery.
true
-
When the Quick Recovery function is invoked, the following folders will be checked for sandboxed content.
true
Advanced Options
-
-
50
false
0
50
false
Miscellaneous
-
-
75
true
Protect the sandbox integrity itself
Sandbox isolation
-
Do not start sandboxed services using a system token (recommended)
-
Add sandboxed processes to job objects (recommended)
-
Protect sandboxed SYSTEM processes from unprivileged unsandboxed processes
-
75
true
Compatibility
-
Force usage of custom dummy Manifest files (legacy behaviour)
-
Qt::Vertical
20
40
-
Don't alter window class names created by sandboxed programs
-
Limit access to the emulated service control manager to privileged processes
-
Qt::Horizontal
40
20
-
75
true
Protect the sandbox integrity itself
Sandbox protection
Auto Exec
-
Add Command
-
Qt::Vertical
20
40
-
Remove
-
Here you can specify a list of commands that are executed every time the sandbox is initially populated.
true
-
50
false
Hide Processes
-
Qt::Vertical
20
40
-
Add Process
-
-
Hide host processes from processes running in the sandbox.
true
-
Remove
-
Don't allow sandboxed processes to see processes running in other boxes
50
false
Users
-
Restrict Resource Access monitor to administrators only
-
Add User
-
Qt::Vertical
20
40
-
-
Remove User
-
Add user accounts and user groups to the list below to limit use of the sandbox to only those accounts. If the list is empty, the sandbox can be used by all user accounts.
Note: Forced Programs and Force Folders settings for a sandbox do not apply to user accounts which cannot use the sandbox.
true
Tracing
-
-
Qt::Horizontal
40
20
-
COM Class Trace
-
IPC Trace
-
Key Trace
-
Qt::Horizontal
40
20
-
GUI Trace
-
API call trace (requires logapi to be installed in the sbie dir)
-
Log all SetError's to Trace log (creates a lot of output)
-
File Trace
-
Pipe Trace
-
75
true
Access Tracing
-
Qt::Vertical
20
40
-
<- for this one the above does not apply
-
Log Debug Output to the Trace Log
-
Log all access events as seen by the driver to the resource access log.
This option sets the event mask to "*" - All access events
You can customize the logging using the ini by specifying
"A" - Allowed accesses
"D" - Denied accesses
"I" - Ignore access requests
instead of "*".
Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop
true
-
Ntdll syscall Trace (creates a lot of output)
-
20
16777215
50
false
Debug
-
true
0
0
98
28
0
0
0
0
-
75
true
WARNING, these options can disable core security guarantees and break sandbox security!!!
true
-
These options are intended for debugging compatibility issues; please do not use them in production.
true
App Templates
-
-
Filter Categories
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
-
Text Filter
-
Add Template
-
This list contains a large number of templates that enhance sandbox compatibility
true
-
-
Remove Template
-
Qt::Vertical
20
40
-
true
Category
Name
Edit ini Section
-
Edit ini
false
-
false
Cancel
-
Qt::Horizontal
40
20
-
false
Save
-
QPlainTextEdit::NoWrap
-
-
QDialogButtonBox::Apply|QDialogButtonBox::Cancel|QDialogButtonBox::Ok
tabs
tabWidget
cmbBoxIndicator
cmbBoxBorder
btnBorderColor
spinBorderWidth
chkBlockNetShare
chkBlockNetParam
treeRun
btnAddCmd
btnDelCmd
chkCopyLimit
chkNoCopyWarn
chkAutoEmpty
chkProtectBox
treeAutoStart
btnAddAutoExe
btnAddAutoSvc
btnDelAuto
treeGroups
btnAddGroup
btnAddProg
btnDelProg
treeForced
btnForceProg
btnForceDir
chkShowForceTmpl
btnDelForce
treeStop
btnAddLingering
btnAddLeader
chkShowStopTmpl
btnDelStopProg
radStartAll
radStartExcept
radStartSelected
treeStart
btnAddStartProg
btnDelStartProg
chkStartBlockMsg
chkBlockINet
chkINetBlockPrompt
treeINet
btnAddINetProg
btnDelINetProg
chkINetBlockMsg
treeAccess
btnAddFile
btnAddKey
btnAddIPC
btnAddWnd
btnAddCOM
btnMoveUp
btnMoveDown
chkShowAccessTmpl
btnDelAccess
chkAutoRecovery
treeRecovery
btnAddRecovery
btnAddRecIgnore
btnAddRecIgnoreExt
chkShowRecoveryTmpl
btnDelRecovery
tabsAdvanced
chkPreferExternalManifest
chkNoWindowRename
chkAddToJob
chkRestrictServices
chkProtectSCM
chkProtectSystem
lstAutoExec
btnAddAutoExec
btnDelAutoExec
chkHideOtherBoxes
lstProcesses
btnAddProcess
btnDelProcess
lstUsers
btnAddUser
btnDelUser
chkMonitorAdminOnly
chkFileTrace
chkPipeTrace
chkKeyTrace
chkIpcTrace
chkGuiTrace
chkComTrace
chkDbgTrace
scrollArea
treeTemplates
cmbCategories
txtTemplates
btnEditIni
txtIniSection
btnSaveIni
btnCancelEdit