OptionsWindow 0 0 787 575 0 0 0 0 16777215 16777215 SandboxiePlus Options true QTabWidget::North 1 General Options 0 Box Options 0 0 16 16777215 Always show this sandbox in the systray list (Pinned) Sandbox Indicator in title: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Sandboxed window border: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Qt::Horizontal 40 0 1 10 1 <b>More Box Types</b> are exclusively available to <u>project supporters</u>, the Privacy Enhanced boxes <b><font color='red'>protect user data from illicit access</font></b> by the sandboxed programs.<br />If you are not yet a supporter, then please consider <a href="https://sandboxie-plus.com/go.php?to=sbie-get-cert">supporting the project</a>, to receive a <a href="https://sandboxie-plus.com/go.php?to=sbie-cert">supporter certificate</a>.<br />You can test the other box types by creating new sandboxes of those types, however processes in these will be auto terminated after 5 minutes. Qt::RichText true true Show this box in the 'run in box' selection prompt Box info Qt::AutoText true true Qt::Vertical 20 0 Box Type Preset: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter px Width Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter 75 true true General Configuration 75 true true Appearance Double click action: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter true File Options Virtualization scheme Force protection on mount Qt::Horizontal 40 0 Warn when an application opens a harddrive handle Store the sandbox content in a Ram Disk Auto delete content changes when last sandboxed process terminates Use volume serial numbers for drives, like: \drive\C~1234-ABCD Partially checked means prevent box removal but not content deletion. Protect this sandbox from deletion or emptying true The box structure can only be changed when the sandbox is empty 20 16777215 Qt::Vertical 20 0 75 true true Box Structure Set Password 75 true true Box Delete options When <a href="sbie://docs/boxencryption">Box Encryption</a> is enabled the box's root folder, including its registry hive, is stored in an encrypted disk image, using <a href="https://diskcryptor.org">Disk Cryptor's</a> AES-XTS implementation. true true <a href="addon://ImDisk">Install ImDisk</a> driver to enable Ram Disk and Disk Image support. Encrypt sandbox content Separate user folders false 75 true true Disk/File access Allow elevated sandboxed applications to read the harddrive File Migration 9 9 9 9 Copy file size limit: Prompt user for large file migration 75 true true File Migration 2113: Content of migrated file was discarded 2114: File was not migrated, write access to file was denied 2115: File was not migrated, file will be opened read only Issue message 2113/2114/2115 when a file is not fully migrated 100 16777215 kilobytes Add Pattern Remove Pattern Qt::Horizontal 40 20 Qt::Vertical 20 40 Show Templates true Action Program Pattern Sandboxie does not allow writing to host files, unless permitted by the user. When a sandboxed application attempts to modify a file, the entire file must be copied into the sandbox, for large files this can take a significate amount of time. Sandboxie offers options for handling these cases, which can be configured on this page. true Using wildcard patterns file specific behavior can be configured in the list below: Issue message 2102 when a file is too large When a file cannot be migrated, open it in read-only mode instead Restrictions 75 true true Protect the system from sandboxed processes Printing restrictions Block access to the printer spooler Remove spooler restriction, printers can be installed outside the sandbox 0 0 Allow the print spooler to print to files outside the sandbox 75 true true Protect the system from sandboxed processes Other restrictions Open System Protected Storage 20 0 20 16777215 Open Windows Credentials Store (user mode) Block read access to the clipboard Allow to read memory of unsandboxed processes (not recommended) Issue message 2111 when a process access is denied Prevent sandboxed processes from interfering with power operations (Experimental) Prevent move mouse, bring in front, and similar operations, this is likely to cause issues with games. Prevent interference with the user interface (Experimental) Allow sandboxed windows to cover the taskbar This feature does not block all means of obtaining a screen capture, only some common ones. Prevent sandboxed processes from capturing window images (Experimental, may cause UI glitches) Qt::Vertical 20 43 Qt::Horizontal 556 20 Isolation The below options can be used safely when you don't grant admin rights. true Open access to Windows Local Security Authority Open access to Windows Security Account Manager Allow sandboxed programs to manage Hardware/Devices 75 true true Protect the sandbox integrity itself Access Isolation Qt::Horizontal 40 20 Qt::Vertical 20 40 Run Menu 3 6 3 3 0 0 0 23 Remove 0 0 0 23 Add program Qt::Vertical 20 40 true Name Command Line 0 0 0 23 Move Up 0 0 0 23 Move Down You can configure custom entries for the sandbox run menu. true Qt::Vertical 20 40 Security Options 4 Security Hardening Use the original token only for approved NT system calls Enable all security enhancements (make security hardened box) 75 true true Protect the system from sandboxed processes Elevation restrictions Make applications think they are running elevated (allows to run installers safely) 75 true true (Recommended) Restrict driver/device access to only approved ones 75 true true Protect the system from sandboxed processes Security enhancements Allow MSIServer to run with a sandboxed system token and apply other exceptions if required Qt::Horizontal 40 20 Qt::Vertical 20 40 Drop rights from Administrators and Power Users groups 75 true true CAUTION: When running under the built in administrator, processes can not drop administrative privileges. true Note: Msi Installer Exemptions should not be required, but if you encounter issues installing a msi package which you trust, this option may help the installation complete successfully. You can also try disabling drop admin rights. true 75 true true Security note: Elevated applications running under the supervision of Sandboxie, with an admin or system token, have more opportunities to bypass isolation and modify the system outside the sandbox. true 20 0 20 16777215 Security Isolation Disable Security Filtering (not recommended) Qt::Vertical 20 5 Security Filtering used by Sandboxie to enforce filesystem and registry access restrictions, as well as to restrict process access. true Various isolation features can break compatibility with some applications. If you are using this sandbox <b>NOT for Security</b> but for application portability, by changing these options you can restore compatibility by sacrificing some security. true Disable Security Isolation 75 true true Protect the sandbox integrity itself Security Isolation & Filtering Qt::Horizontal 40 5 Security Isolation through the usage of a heavily restricted process token is Sandboxie's primary means of enforcing sandbox restrictions, when this is disabled the box is operated in the application compartment mode, i.e. it's no longer providing reliable security, just simple application compartmentalization. true Box Protection Allow Process Sandboxie-Plus is able to create confidential sandboxes that provide robust protection against unauthorized surveillance or tampering by host processes. By utilizing an encrypted sandbox image, this feature delivers the highest level of operational confidentiality, ensuring the safety and integrity of sandboxed processes. true Qt::Vertical 20 76 Protect processes within this box from host processes 20 0 20 16777215 Remove Issue message 1318/1317 when a host process tries to access a sandboxed process/the box root Show Templates Qt::Vertical 20 40 Qt::Horizontal 471 20 75 true true Protect the sandbox integrity itself Box Protection Allow useful Windows processes access to protected processes true Process Action Prevent processes from capturing window images from sandboxed windows Deny Process Protect processes in this box from being accessed by specified unsandboxed host processes. false Only Administrator user accounts can make changes to this sandbox Job Object Qt::Vertical 20 40 75 true true Protect the system from sandboxed processes Limit restrictions 125 16777215 Leave it blank to disable the setting unlimited 0 0 16 0 Total Processes Number Limit: 125 16777215 Leave it blank to disable the setting unlimited Allow use of nested job objects (works on Windows 8 and later) Add sandboxed processes to job objects (recommended) 75 true true Protect the sandbox integrity itself Other isolation Single Process Memory Limit: Qt::Horizontal 40 20 bytes 125 16777215 Leave it blank to disable the setting unlimited Total Processes Memory Limit: bytes 50 false true Advanced Security 75 true true (Security Critical) 75 true true (Security Critical) Allow only privileged processes to access the Service Control Manager Protect sandboxed SYSTEM processes from unprivileged processes 75 true true Protect the sandbox integrity itself Sandboxie token Using a custom Sandboxie Token allows to isolate individual sandboxes from each other better, and it shows in the user column of task managers the name of the box a process belongs to. Some 3rd party security solutions may however have problems with custom tokens. true Drop critical privileges from processes running with a SYSTEM token Qt::Horizontal 40 20 75 true true Protect the sandbox integrity itself Privilege isolation Start the sandboxed RpcSs as a SYSTEM process (not recommended) Use a Sandboxie login instead of an anonymous token Do not start sandboxed services using a system token (recommended) Qt::Vertical 20 5 Checked: A local group will also be added to the newly created sandboxed token, which allows addressing all sandboxes at once. Would be useful for auditing policies. Partially checked: No groups will be added to the newly created sandboxed token. Create a new sandboxed token instead of stripping down the original token true Drop ConHost.exe Process Integrity Level Program Groups Show Templates Qt::Vertical 20 40 Add Group Add Program You can group programs together and give them a group name. Program groups can be used with some of the settings instead of program names. Groups defined for the box overwrite groups defined in templates. true true Name Remove Program Control 9 9 9 9 0 Force Programs 3 6 3 3 Programs entered here, or programs started from entered locations, will be put in this sandbox automatically, unless they are explicitly started in another sandbox. true Show Templates Remove 0 0 0 23 Force Program true Type Name Disable forced Process and Folder for this sandbox Qt::Vertical 20 40 0 0 0 23 Force Folder 0 0 0 23 Force Children Breakout Programs 3 6 3 3 <b><font color='red'>SECURITY ADVISORY</font>:</b> Using <a href="sbie://docs/breakoutfolder">BreakoutFolder</a> and/or <a href="sbie://docs/breakoutprocess">BreakoutProcess</a> in combination with Open[File/Pipe]Path directives can compromise security. Please review the security section for each option in the documentation before use. true true true Type Name Programs entered here will be allowed to break out of this sandbox when they start. It is also possible to capture them into another sandbox, for example to have your web browser always open in a dedicated box. true Remove Qt::Vertical 20 40 0 0 0 23 Breakout Program Show Templates 0 0 0 23 Breakout Folder Stop Behaviour 2 Lingering Programs 3 6 3 3 Add Program true Name Show Templates Lingering programs will be automatically terminated if they are still running after all other processes have been terminated. true Remove Qt::Vertical 20 40 Leader Programs 3 6 3 3 true Name Qt::Vertical 20 40 Add Program Remove Show Templates If leader processes are defined, all others are treated as lingering processes. true Stop Options 75 true true Stop Behaviour Use Linger Leniency Don't stop lingering processes with windows Qt::Horizontal 40 0 Qt::Vertical 20 40 Start Restrictions 0 * Note: Programs installed to this sandbox won't be able to start at all. true Allow all programs to start in this sandbox. Allow only selected programs to start in this sandbox. * Prevent selected programs from starting in this sandbox. Add Program Qt::Vertical 20 299 Show Templates Remove Issue message 1308 when a program fails to start This setting can be used to prevent programs from running in the sandbox without the user's knowledge or consent. Display a pop-up warning before starting a process in the sandbox from an external source true Name Resource Access 5 Files 3 6 3 3 Show Templates Remove true Type Program Access Path 0 0 0 23 Add File/Folder Qt::Vertical 20 40 Configure which processes can access Files, Folders and Pipes. 'Open' access only applies to program binaries located outside the sandbox, you can use 'Open for All' instead to make it apply to all programs, or change this behavior in the Policies tab. true Registry 3 6 3 3 Show Templates true Type Program Access Path Remove 0 0 0 23 Add Reg Key Qt::Vertical 20 40 Configure which processes can access the Registry. 'Open' access only applies to program binaries located outside the sandbox, you can use 'Open for All' instead to make it apply to all programs, or change this behavior in the Policies tab. true IPC 3 6 3 3 0 0 0 23 Add IPC Path Show Templates Remove true Type Program Access Path Qt::Vertical 20 40 Configure which processes can access NT IPC objects like ALPC ports and other processes memory and context. To specify a process use '$:program.exe' as path. true Wnd 3 6 3 3 Remove Show Templates 0 0 0 23 Add Wnd Class Qt::Vertical 20 40 true Type Program Access Wnd Class Don't alter window class names created by sandboxed programs Configure which processes can access Desktop objects like Windows and alike. true COM 3 6 3 3 Remove true Type Program Access Class Id Show Templates 0 0 0 23 Add COM Object Qt::Vertical 20 40 Configure which processes can access COM objects. true Don't use virtualized COM, Open access to hosts COM infrastructure (not recommended) Access Policies Apply File and Key Open directives only to binaries located outside the sandbox. Apply Close...=!<program>,... rules also to all binaries located in the sandbox. When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled. true Prioritize rules based on their Specificity and Process Match Level Qt::Vertical 20 81 75 true true Access Mode Qt::Horizontal 638 20 Privacy Mode, block file and registry access to all locations except the generic system ones 75 true true Rule Policies The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like "*.tmp" would have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. true Network Options 3 Process Restrictions 3 6 3 3 Issue message 1307 when a program is denied internet access Add Program Prompt user whether to allow an exemption from the blockade. Remove Note: Programs installed to this sandbox won't be able to access the internet at all. Qt::Vertical 20 40 true Name Access Set network/internet access for unlisted processes: Network Firewall 3 3 3 Qt::Vertical 20 40 Test Rules, Program: Port: IP: Protocol: X Remove Add Rule true Program Action Port IP Protocol Show Templates 75 true true CAUTION: Windows Filtering Platform is not enabled with the driver, therefore these rules will be applied only in user mode and can not be enforced!!! This means that malicious applications may bypass them. true DNS Filter 3 3 3 Add Filter Qt::Vertical 20 40 With the DNS filter individual domains can be blocked, on a per process basis. Leave the IP column empty to block or enter an ip to redirect. true Remove true Program Domain IP Internet Proxy 3 3 3 Sandboxed programs can be forced to use a preset SOCKS5 proxy. true Resolve hostnames via proxy Test Proxy Remove Qt::Vertical 20 40 Add Proxy false Program IP Port Auth Login Password Bypass IPs 2 Move Up Move Down Qt::Vertical 20 40 Other Options Block common SAMBA ports Block network files and folders, unless specifically opened. Block DNS, UDP port 53 Qt::Vertical 20 40 75 true true Port Blocking Qt::Horizontal 40 20 75 true true Protect the system from sandboxed processes Network restrictions Prevent change to network and firewall parameters (user mode) File Recovery 1 Quick Recovery 3 6 3 3 true Name When the Quick Recovery function is invoked, the following folders will be checked for sandboxed content. true Qt::Vertical 20 40 Show Templates Remove Add Folder Immediate Recovery 3 6 3 3 You can exclude folders and file types (or file extensions) from Immediate Recovery. true Ignore Extension Enable Immediate Recovery prompt to be able to recover files as soon as they are created. Qt::Vertical 20 40 true Name Remove Ignore Folder Show Templates Various Options 50 false true 0 Compatibility Apply ElevateCreateProcess Workaround (legacy behaviour) When the global hotkey is pressed 3 times in short succession this exception will be ignored. Exclude this sandbox from being terminated when "Terminate All Processes" is invoked. Disable the use of RpcMgmtSetComTimeout by default (this may resolve compatibility issues) Use desktop object workaround for all processes Restart force process before they begin to execute Qt::Vertical 20 40 75 true true Compatibility Force usage of custom dummy Manifest files (legacy behaviour) Emulate sandboxed window station for all processes Qt::Horizontal 40 20 Dlls && Extensions Qt::Vertical 20 40 75 true true Protect the sandbox integrity itself Image Protection 0 0 Name Description Sandboxie's resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. 'ClosedFilePath=!iexplore.exe,C:Users*' will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the "Access policies" page. This is done to prevent rogue processes inside the sandbox from creating a renamed copy of themselves and accessing protected resources. Another exploit vector is the injection of a library into an authorized process to get access to everything it is allowed to access. Using Host Image Protection, this can be prevented by blocking applications (installed on the host) running inside a sandbox from loading libraries from the sandbox itself. Prevent sandboxed programs installed on the host from loading DLLs from the sandbox Issue message 1305 when a program tries to load a sandboxed dll 0 0 Sandboxie's functionality can be enhanced by using optional DLLs which can be loaded into each sandboxed process on start by the SbieDll.dll file, the add-on manager in the global settings offers a couple of useful extensions, once installed they can be enabled here for the current box. true Qt::Horizontal 40 20 Qt::Vertical 20 40 Advanced Options 50 false true 2 Miscellaneous 3 6 3 0 0 0 0 23 Add Option Remove Here you can configure advanced per process options to improve compatibility and/or customize sandboxing behavior. true Option Program Value Show Templates Qt::Vertical 20 40 Triggers 3 6 3 3 0 0 0 23 Remove These commands are run UNBOXED just before the box content is deleted On File Recovery Qt::AlignCenter 0 0 0 23 Run Command These commands are executed only when a box is initialized. To make them run again, the box content must be deleted. On Box Init Qt::AlignCenter Qt::Vertical 20 40 These commands are run UNBOXED just before the box content is deleted On Delete Content Qt::AlignCenter true Event Action These commands are run UNBOXED after all processes in the sandbox have finished. On Box Terminate Qt::AlignCenter Here you can specify actions to be executed automatically on various box events. true 0 0 0 23 This command will be run before a file is being recovered and the file path will be passed as the first argument. If this command returns anything other than 0, the recovery will be blocked Run File Checker These events are executed each time a box is started On Box Start Qt::AlignCenter 0 0 0 23 This command will be run before the box content will be deleted Run Command Show Templates 0 0 0 23 Start Service 0 0 0 23 Run Command 0 0 0 23 Run Command 50 false true Privacy 75 true true Data Protection Hide Firmware Information Dump the current Firmware Tables to HKCU\System\SbieCustom Dump FW Tables Use a custom Locale/LangID Qt::Horizontal 40 20 Hide Disk Serial Number Obfuscate known unique identifiers in the registry 75 true true Process Hiding Don't allow sandboxed processes to see processes running in other boxes Don't allow sandboxed processes to see processes running outside any boxes Hide host processes from processes running in the sandbox. true Add Process Qt::Vertical 20 40 Show Templates Remove Some programs read system details through WMI (a Windows built-in database) instead of normal ways. For example, "tasklist.exe" could get full processes list through accessing WMI, even if "HideOtherBoxes" is used. Enable this option to stop this behaviour. Prevent sandboxed processes from accessing system details through WMI (see tooltip for more info) 258 200 true Process 50 false true Users 3 6 3 3 Restrict Resource Access monitor to administrators only Add User Qt::Vertical 20 40 Remove Add user accounts and user groups to the list below to limit use of the sandbox to only those accounts. If the list is empty, the sandbox can be used by all user accounts. Note: Forced Programs and Force Folders settings for a sandbox do not apply to user accounts which cannot use the sandbox. true Tracing Pipe Trace API call Trace (traces all SBIE hooks) Log all SetError's to Trace log (creates a lot of output) 75 true true Resource Access Monitor 20 16777215 Key Trace File Trace IPC Trace Log Debug Output to the Trace Log Qt::Horizontal 40 0 Qt::Horizontal 40 0 Network Firewall DNS Request Logging GUI Trace Log all access events as seen by the driver to the resource access log. This options set the event mask to "*" - All access events You can customize the logging using the ini by specifying "A" - Allowed accesses "D" - Denied accesses "I" - Ignore access requests instead of "*". Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true Disable Resource Access Monitor 75 true true Access Tracing Qt::Vertical 20 0 COM Class Trace Syscall Trace (creates a lot of output) 50 false true Debug 3 6 3 3 true 0 0 92 16 0 0 0 0 75 true true WARNING, these options can disable core security guarantees and break sandbox security!!! true These options are intended for debugging compatibility issues, please do not use them in production use. true App Templates 0 Templates 3 6 3 3 Filter Categories Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 0 0 0 23 Remove QAbstractItemView::ExtendedSelection true Category Name 0 0 0 23 Add Template Text Filter 0 0 Open Template This list contains a large amount of sandbox compatibility enhancing templates true Qt::Vertical 20 40 Qt::Vertical 20 40 Template Folders 3 6 3 3 Configure the folder locations used by your other applications. Please note that this values are currently user specific and saved globally for all boxes. Qt::Vertical 20 40 true Name Value Accessibility 3 6 3 3 Screen Readers: JAWS, NVDA, Window-Eyes, System Access Qt::Horizontal 40 20 Qt::Horizontal 40 20 The following settings enable the use of Sandboxie in combination with accessibility software. Please note that some measure of Sandboxie protection is necessarily lost when these settings are in effect. true Qt::Horizontal 40 20 Qt::Horizontal 40 20 To compensate for the lost protection, please consult the Drop Rights settings page in the Restrictions settings group. true Edit ini Section Edit ini false false Cancel Qt::Horizontal 40 20 false Save QPlainTextEdit::NoWrap QDialogButtonBox::Apply|QDialogButtonBox::Cancel|QDialogButtonBox::Ok tabs tabsGeneral cmbBoxIndicator cmbBoxBorder btnBorderColor spinBorderWidth treeRun btnAddCmd btnDelCmd chkAutoEmpty chkProtectBox treeTriggers btnDelAuto treeGroups btnAddGroup btnAddProg btnDelProg treeStop btnAddLingering chkShowStopTmpl btnDelStopProg radStartAll radStartExcept radStartSelected treeStart btnAddStartProg btnDelStartProg chkStartBlockMsg chkINetBlockPrompt treeINet btnAddINetProg btnDelINetProg chkINetBlockMsg treeRecovery btnAddRecovery chkShowRecoveryTmpl btnDelRecovery tabsAdvanced chkHideOtherBoxes btnAddProcess btnDelProcess lstUsers btnAddUser btnDelUser chkMonitorAdminOnly chkFileTrace chkPipeTrace chkKeyTrace chkIpcTrace chkGuiTrace chkComTrace chkDbgTrace scrollArea treeTemplates cmbCategories txtTemplates btnEditIni txtIniSection btnSaveIni btnCancelEdit