OptionsWindow 0 0 659 479 0 0 0 0 16777215 16777215 SandboxiePlus Options true QTabWidget::North 8 General Options 0 Box Options 75 true true Appearance 75 true true General Configuration Box Type Preset: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Sandbox Indicator in title: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter px Width Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter Sandboxed window border: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Box info Qt::AutoText true 1 10 1 Show this box in the 'run in box' selection prompt Qt::Horizontal 40 20 0 0 16 16777215 <b>More Box Types</b> are exclusively available to <u>project supporters</u>, the Privacy Enhanced boxes <b><font color='red'>protect user data from illicit access</font></b> by the sandboxed programs.<br />If you are not yet a supporter, then please consider <a href="https://sandboxie-plus.com/go.php?to=sbie-get-cert">supporting the project</a>, to receive a <a href="https://sandboxie-plus.com/go.php?to=sbie-cert">supporter certificate</a>.<br />You can test the other box types by creating new sandboxes of those types, however processes in these will be auto terminated after 5 minutes. Qt::RichText true Qt::Vertical 20 40 File Options Auto delete content when last sandboxed process terminates Copy file size limit: 75 true true Box Delete options Qt::Horizontal 40 20 Protect this sandbox from deletion or emptying 75 true true Raw Disk access 75 true true File Migration Allow elevated sandboxed applications to read the harddrive Warn when an application opens a harddrive handle kilobytes 75 16777215 Issue message 2102 when a file is too large Qt::Vertical 20 40 20 16777215 Prompt user for large file migration Admin Rights Qt::Vertical 20 40 Qt::Horizontal 40 20 75 true true (Recommended) 75 true true Protect the system from sandboxed processes Elevation restrictions 75 true true CAUTION: When running under the built in administrator, processes can not drop administrative privileges. true Make applications think they are running elevated (allows to run installers safely) Note: Msi Installer Exemptions should not be required, but if you encounter issues installing a msi package which you trust, this option may help the installation complete successfully. You can also try disabling drop admin rights. true Qt::Horizontal QSizePolicy::Maximum 20 20 75 true true Security note: Elevated applications running under the supervision of Sandboxie, with an admin or system token, have more opportunities to bypass isolation and modify the system outside the sandbox. true Drop rights from Administrators and Power Users groups Allow MSIServer to run with a sandboxed system token and apply other exceptions if required Access Restrictions Open Windows Credentials Store (user mode) 0 0 Allow the print spooler to print to files outside the sandbox Remove spooler restriction, printers can be installed outside the sandbox Qt::Vertical 20 40 Block read access to the clipboard Open System Protected Storage Block access to the printer spooler 75 true true Protect the system from sandboxed processes Other restrictions Qt::Horizontal 40 20 75 true true Protect the system from sandboxed processes Printing restrictions 20 0 20 16777215 75 true true Protect the system from sandboxed processes Network restrictions Block network files and folders, unless specifically opened. Prevent change to network and firewall parameters (user mode) Run Menu You can configure custom entries for the sandbox run menu. true Qt::Vertical 20 40 Name Command Line 0 0 0 23 Add program 0 0 0 23 Remove Auto Start Here you can specify programs and/or services that are to be started automatically in the sandbox when it is activated true Type Program/Service 0 0 0 23 Remove Qt::Vertical 20 40 0 0 0 23 Add program 0 0 0 23 Add service Program Groups Add Group Qt::Vertical 20 40 true Name Add Program You can group programs together and give them a group name. Program groups can be used with some of the settings instead of program names. Groups defined for the box overwrite groups defined in templates. true Remove Show Templates Forced Programs 9 9 9 9 Remove Force Folder true Type Path Force Program Qt::Vertical 20 40 Show Templates Programs entered here, or programs started from entered locations, will be put in this sandbox automatically, unless they are explicitly started in another sandbox. true Stop Behaviour Remove Program Qt::Vertical 20 40 Add Leader Program Add Lingering Program true Type Path Show Templates Lingering programs will be automatically terminated if they are still running after all other processes have been terminated. If leader processes are defined, all others are treated as lingering processes. true Start Restrictions true Name Qt::Vertical 20 40 Remove Program Issue message 1308 when a program fails to start Add Program 0 Allow only selected programs to start in this sandbox. * Prevent selected programs from starting in this sandbox. Allow all programs to start in this sandbox. * Note: Programs installed to this sandbox won't be able to start at all. true Internet Restrictions 0 Process Restrictions 3 6 3 0 Issue message 1307 when a program is denied internet access Add Program Prompt user whether to allow an exemption from the blockade. Remove Program Note: Programs installed to this sandbox won't be able to access the internet at all. Qt::Vertical 20 40 true Name Access Set network/internet access for unlisted processes: Network Firewall Rules 3 3 0 Qt::Vertical 20 40 Test Rules, Program: Port: IP: Protocol: X Remove Rule Add Rule Program Action Port IP Protocol Show Templates 75 true true CAUTION: Windows Filtering Platform is not enabled with the driver, therefore these rules will be applied only in user mode and can not be enforced!!! This means that malicious applications may bypass them. true Resource Access 0 Resource Access Rules 3 6 3 0 0 0 0 23 Add Wnd Class Configure which processes can access what resources. Double click on an entry to edit it. 'Open' File and Key access only applies to program binaries located outside the sandbox. You can use 'Open for All' instead to make it apply to all programs, or change this behaviour in the Policies tab. 0 0 0 23 Add COM Object 0 0 0 23 Add Reg Key Remove Qt::Vertical 20 40 0 0 0 23 Add IPC Path true Type Program Access Path Show Templates 0 0 0 23 Add File/Folder Resource Access Policies 9 9 9 9 Qt::Horizontal 40 20 The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard sub string. A rule which matches only file types like "*.tmp" would those have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity, it describes how a rule applies to a given process, rules applying by process name, or group, have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one, or group), the lowest match levels have global matches, i.e. rules that apply to any process. true Qt::Vertical 20 40 Priorize rules based on their Specificity and Process Match Level Privacy Mode, block file and registry access to all locations except the generic system ones 75 true true Access Mode When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled. true 75 true true Rule Policies Apply Close...=!<program>,... rules also to all binaries located in the sandboxed. Apply File and Key Open directives only to binaries located outside the sandbox. File Recovery Qt::Vertical 20 40 Add Folder Ignore Extension Ignore Folder Show Templates Enable Immediate Recovery prompt to be able to recover files as soon as they are created. Qt::Vertical QSizePolicy::Preferred 20 40 Type Name Remove You can exclude folders and file types (or file extensions) from Immediate Recovery. true When the Quick Recovery function is invoked, the following folders will be checked for sandboxed content. true Advanced Options 50 false true 0 50 false true Miscellaneous Don't alter window class names created by sandboxed programs Start the sandboxed RpcSs as a SYSTEM process (not recommended) Limit access to the emulated service control manager to privileged processes Do not start sandboxed services using a system token (recommended) 75 true true Compatibility Allow use of nested job objects (experimental, works on Windows 8 and later) Qt::Vertical 20 40 Open access to COM infrastructure (not recommended) Qt::Horizontal 40 20 Force usage of custom dummy Manifest files (legacy behaviour) Add sandboxed processes to job objects (recommended) 75 true true Protect the sandbox integrity itself COM isolation Emulate sandboxed window station for all processes Drop critical privileges from processes running with a SYSTEM token 75 true true (Security Critical) Protect sandboxed SYSTEM processes from unprivileged processes 75 true true (Security Critical) 75 true true Protect the sandbox integrity itself Sandbox isolation Isolation Security Isolation through the usage of a heavily restricted process token is Sandboxie's primary means of enforcing sandbox restrictions, when this is disabled the box is operated in the application compartment mode, i.e. it’s no longer providing reliable security, just simple application compartmentalization. true Open access to Windows Local Security Authority Allow sandboxed programs to manage Hardware/Devices Qt::Vertical 20 40 Disable Security Isolation (experimental) Various advanced isolation features can break compatibility with some applications. If you are using this sandbox <b>NOT for Security</b> but for simple application portability, by changing these options you can restore compatibility by sacrificing some security. true Qt::Horizontal 40 20 Open access to Windows Security Account Manager 75 true true Protect the sandbox integrity itself Security Isolation & Filtering Disable Security Filtering (not recommended) Security Filtering used by Sandboxie to enforce filesystem and registry access restrictions, as well as to restrict process access. true The below options can be used safely when you don't grant admin rights. true 75 true true Protect the sandbox integrity itself Access isolation Auto Exec Add Command Qt::Vertical 20 40 Remove Here you can specify a list of commands that are executed every time the sandbox is initially populated. true 50 false true Hide Processes Qt::Vertical 20 40 Add Process Hide host processes from processes running in the sandbox. true Remove Don't allow sandboxed processes to see processes running in other boxes 50 false true Users Restrict Resource Access monitor to administrators only Add User Qt::Vertical 20 40 Remove User Add user accounts and user groups to the list below to limit use of the sandbox to only those accounts. If the list is empty, the sandbox can be used by all user accounts. Note: Forced Programs and Force Folders settings for a sandbox do not apply to user accounts which cannot use the sandbox. true Tracing API call trace (requirers logapi to be installed in the sbie dir) Qt::Horizontal 40 20 Pipe Trace Qt::Vertical 20 40 Log all SetError's to Trace log (creates a lot of output) Qt::Horizontal 40 20 Log Debug Output to the Trace Log Log all access events as seen by the driver to the resource access log. This options set the event mask to "*" - All access events You can customize the logging using the ini by specifying "A" - Allowed accesses "D" - Denied accesses "I" - Ignore access requests instead of "*". Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true Ntdll syscall Trace (creates a lot of output) File Trace Disable Resource Access Monitor IPC Trace GUI Trace 75 true true Resource Access Monitor 20 16777215 75 true true Access Tracing COM Class Trace Key Trace Network Firewall 50 false true Debug true 0 0 63 16 0 0 0 0 75 true true WARNING, these options can disable core security guarantees and break sandbox security!!! true These options are intended for debugging compatibility issues, please do not use them in production use. true App Templates 0 Compatibility Templates Filter Categories Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Text Filter Add Template This list contains a large amount of sandbox compatibility enhancing templates true Remove Template Qt::Vertical 20 40 true Category Name Template Folders Configure the folder locations used by your other applications. Please note that this values are currently user specific and saved globally for all boxes. Qt::Vertical 20 40 Name Value Accessibility To compensate for the lost protection, please consult the Drop Rights settings page in the Restrictions settings group. Screen Readers: JAWS, NVDA, Window-Eyes, System Access The following settings enable the use of Sandboxie in combination with accessibility software. Please note that some measure of Sandboxie protection is necessarily lost when these settings are in effect. true Edit ini Section Edit ini false false Cancel Qt::Horizontal 40 20 false Save QPlainTextEdit::NoWrap QDialogButtonBox::Apply|QDialogButtonBox::Cancel|QDialogButtonBox::Ok tabs tabWidget cmbBoxIndicator cmbBoxBorder btnBorderColor spinBorderWidth treeRun btnAddCmd btnDelCmd chkCopyLimit chkNoCopyWarn chkAutoEmpty chkProtectBox treeAutoStart btnAddAutoExe btnAddAutoSvc btnDelAuto treeGroups btnAddGroup btnAddProg btnDelProg treeForced btnForceProg btnForceDir chkShowForceTmpl btnDelForce treeStop btnAddLingering btnAddLeader chkShowStopTmpl btnDelStopProg radStartAll radStartExcept radStartSelected treeStart btnAddStartProg btnDelStartProg chkStartBlockMsg chkINetBlockPrompt treeINet btnAddINetProg btnDelINetProg chkINetBlockMsg treeAccess btnAddFile btnAddKey btnAddIPC btnAddWnd btnAddCOM chkShowAccessTmpl btnDelAccess chkAutoRecovery treeRecovery btnAddRecovery btnAddRecIgnore btnAddRecIgnoreExt chkShowRecoveryTmpl btnDelRecovery tabsAdvanced chkPreferExternalManifest chkNoWindowRename lstAutoExec btnAddAutoExec btnDelAutoExec chkHideOtherBoxes lstProcesses btnAddProcess btnDelProcess lstUsers btnAddUser btnDelUser chkMonitorAdminOnly chkFileTrace chkPipeTrace chkKeyTrace chkIpcTrace chkGuiTrace chkComTrace chkDbgTrace scrollArea treeTemplates cmbCategories txtTemplates btnEditIni txtIniSection btnSaveIni btnCancelEdit