OptionsWindow 0 0 715 526 0 0 0 0 16777215 16777215 SandboxiePlus Options true QTabWidget::North 0 General Options 0 Box Options 0 0 16 16777215 Always show this sandbox in the systray list (Pinned) Sandbox Indicator in title: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Sandboxed window border: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Qt::Horizontal 40 0 1 10 1 <b>More Box Types</b> are exclusively available to <u>project supporters</u>, the Privacy Enhanced boxes <b><font color='red'>protect user data from illicit access</font></b> by the sandboxed programs.<br />If you are not yet a supporter, then please consider <a href="https://sandboxie-plus.com/go.php?to=sbie-get-cert">supporting the project</a>, to receive a <a href="https://sandboxie-plus.com/go.php?to=sbie-cert">supporter certificate</a>.<br />You can test the other box types by creating new sandboxes of those types, however processes in these will be auto terminated after 5 minutes. Qt::RichText true true Show this box in the 'run in box' selection prompt Box info Qt::AutoText true true Qt::Vertical 20 0 Box Type Preset: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter px Width Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter 75 true true General Configuration 75 true true Appearance Double click action: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter true File Options 75 true true Disk/File access Use volume serial numbers for drives, like: \drive\C~1234-ABCD 20 16777215 Qt::Horizontal 40 0 Encrypt sandbox content Auto delete content when last sandboxed process terminates When <a href="sbie://docs/boxencryption">Box Encryption</a> is enabled the box’s root folder, including its registry hive, is stored in an encrypted disk image, using <a href="https://diskcryptor.org">Disk Cryptor's</a> AES-XTS implementation. true true 75 true true Box Delete options Qt::Vertical 20 0 Allow elevated sandboxed applications to read the harddrive Partially checked means prevent box removal but not content deletion. Protect this sandbox from deletion or emptying true <a href="addon://ImDisk">Install ImDisk</a> driver to enable Ram Disk and Disk Image support. Separate user folders false 75 true true Box Structure Store the sandbox content in a Ram Disk Warn when an application opens a harddrive handle Set Password Virtualization scheme The box structure can only be changed when the sandbox is empty File Migration 9 9 9 9 Copy file size limit: Prompt user for large file migration 75 true true File Migration 2113: Content of migrated file was discarded 2114: File was not migrated, write access to file was denied 2115: File was not migrated, file will be opened read only Issue message 2113/2114/2115 when a file is not fully migrated 100 16777215 kilobytes Add Pattern Remove Pattern Qt::Horizontal 40 20 Qt::Vertical 20 40 Show Templates true Action Program Pattern Sandboxie does not allow writing to host files, unless permitted by the user. When a sandboxed application attempts to modify a file, the entire file must be copied into the sandbox, for large files this can take a significate amount of time. Sandboxie offers options for handling these cases, which can be configured on this page. true Using wildcard patterns file specific behavior can be configured in the list below: Issue message 2102 when a file is too large When a file cannot be migrated, open it in read-only mode instead Restrictions Open Windows Credentials Store (user mode) Qt::Horizontal 40 20 Block read access to the clipboard Qt::Vertical 20 40 Prevent change to network and firewall parameters (user mode) Allow to read memory of unsandboxed processes (not recommended) Block access to the printer spooler 0 0 Allow the print spooler to print to files outside the sandbox Block network files and folders, unless specifically opened. Remove spooler restriction, printers can be installed outside the sandbox Open System Protected Storage Issue message 2111 when a process access is denied 75 true true Protect the system from sandboxed processes Other restrictions 20 0 20 16777215 75 true true Protect the system from sandboxed processes Printing restrictions 75 true true Protect the system from sandboxed processes Network restrictions Run Menu 3 6 3 3 0 0 0 23 Remove 0 0 0 23 Add program Qt::Vertical 20 40 true Name Command Line 0 0 0 23 Move Up 0 0 0 23 Move Down You can configure custom entries for the sandbox run menu. true Qt::Vertical 20 40 Security Options 0 Security Hardening Use the original token only for approved NT system calls Enable all security enhancements (make security hardened box) 75 true true Protect the system from sandboxed processes Elevation restrictions Make applications think they are running elevated (allows to run installers safely) 75 true true (Recommended) Restrict driver/device access to only approved ones 75 true true Protect the system from sandboxed processes Security enhancements Allow MSIServer to run with a sandboxed system token and apply other exceptions if required Qt::Horizontal 40 20 Qt::Vertical 20 40 Drop rights from Administrators and Power Users groups 75 true true CAUTION: When running under the built in administrator, processes can not drop administrative privileges. true Note: Msi Installer Exemptions should not be required, but if you encounter issues installing a msi package which you trust, this option may help the installation complete successfully. You can also try disabling drop admin rights. true 75 true true Security note: Elevated applications running under the supervision of Sandboxie, with an admin or system token, have more opportunities to bypass isolation and modify the system outside the sandbox. true 20 0 20 16777215 Security Isolation Qt::Vertical 20 5 Various isolation features can break compatibility with some applications. If you are using this sandbox <b>NOT for Security</b> but for application portability, by changing these options you can restore compatibility by sacrificing some security. true Qt::Horizontal 40 5 Disable Security Isolation Open access to Windows Security Account Manager Disable Security Filtering (not recommended) Security Filtering used by Sandboxie to enforce filesystem and registry access restrictions, as well as to restrict process access. true Security Isolation through the usage of a heavily restricted process token is Sandboxie's primary means of enforcing sandbox restrictions, when this is disabled the box is operated in the application compartment mode, i.e. it’s no longer providing reliable security, just simple application compartmentalization. true Open access to Windows Local Security Authority 75 true true Protect the sandbox integrity itself Security Isolation & Filtering 75 true true Protect the sandbox integrity itself Access Isolation Allow sandboxed programs to manage Hardware/Devices The below options can be used safely when you don't grant admin rights. true Box Protection Show Templates Protect processes within this box from host processes Qt::Vertical 20 40 Qt::Vertical 20 40 Remove Qt::Horizontal 40 20 Allow Process Protect processes in this box from being accessed by specified unsandboxed host processes. false true Process Action 75 true true Protect the sandbox integrity itself Box Protection Issue message 1318/1317 when a host process tries to access a sandboxed process/the box root Sandboxie-Plus is able to create confidential sandboxes that provide robust protection against unauthorized surveillance or tampering by host processes. By utilizing an encrypted sandbox image, this feature delivers the highest level of operational confidentiality, ensuring the safety and integrity of sandboxed processes. true Deny Process 50 false true Advanced Security Use a Sandboxie login instead of an anonymous token 75 true true Protect the sandbox integrity itself Other isolation Start the sandboxed RpcSs as a SYSTEM process (not recommended) 75 true true Protect the sandbox integrity itself Privilege isolation Protect sandboxed SYSTEM processes from unprivileged processes 75 true true Protect the sandbox integrity itself Sandboxie token 75 true true (Security Critical) Drop critical privileges from processes running with a SYSTEM token Do not start sandboxed services using a system token (recommended) Qt::Vertical 20 5 Allow only privileged processes to access the Service Control Manager 75 true true (Security Critical) Qt::Horizontal 40 20 Add sandboxed processes to job objects (recommended) Using a custom Sandboxie Token allows to isolate individual sandboxes from each other better, and it shows in the user column of task managers the name of the box a process belongs to. Some 3rd party security solutions may however have problems with custom tokens. true Program Groups Show Templates Qt::Vertical 20 40 Add Group Add Program You can group programs together and give them a group name. Program groups can be used with some of the settings instead of program names. Groups defined for the box overwrite groups defined in templates. true true Name Remove Program Control 9 9 9 9 0 Force Programs 3 6 3 3 Programs entered here, or programs started from entered locations, will be put in this sandbox automatically, unless they are explicitly started in another sandbox. true Qt::Vertical 20 40 0 0 0 23 Force Folder Show Templates true Type Name 0 0 0 23 Force Program Remove Disable forced Process and Folder for this sandbox Breakout Programs 3 6 3 3 true Type Name Remove Show Templates Programs entered here will be allowed to break out of this sandbox when they start. It is also possible to capture them into another sandbox, for example to have your web browser always open in a dedicated box. true <b><font color='red'>SECURITY ADVISORY</font>:</b> Using <a href="sbie://docs/breakoutfolder">BreakoutFolder</a> and/or <a href="sbie://docs/breakoutprocess">BreakoutProcess</a> in combination with Open[File/Pipe]Path directives can compromise security, as can the use of <a href="sbie://docs/breakoutdocument">BreakoutDocument</a> allowing any * or insecure (*.exe;*.dll;*.ocx;*.cmd;*.bat;*.lnk;*.pif;*.url;*.ps1;etc…) extensions. Please review the security section for each option in the documentation before use. true true 0 0 0 23 Breakout Folder 0 0 0 23 Breakout Program Qt::Vertical 20 40 Stop Behaviour 0 Lingering Programs 3 6 3 3 Qt::Vertical 20 40 Remove Show Templates Add Program true Name Lingering programs will be automatically terminated if they are still running after all other processes have been terminated. true Leader Programs 3 6 3 3 true Name Qt::Vertical 20 40 Add Program Remove Show Templates If leader processes are defined, all others are treated as lingering processes. true Start Restrictions Issue message 1308 when a program fails to start true Name Qt::Vertical 20 40 Add Program Remove 0 Allow only selected programs to start in this sandbox. * Prevent selected programs from starting in this sandbox. Allow all programs to start in this sandbox. * Note: Programs installed to this sandbox won't be able to start at all. true Show Templates Resource Access 5 Files 3 6 3 3 Show Templates Remove true Type Program Access Path 0 0 0 23 Add File/Folder Qt::Vertical 20 40 Configure which processes can access Files, Folders and Pipes. 'Open' access only applies to program binaries located outside the sandbox, you can use 'Open for All' instead to make it apply to all programs, or change this behavior in the Policies tab. true Registry 3 6 3 3 Show Templates true Type Program Access Path Remove 0 0 0 23 Add Reg Key Qt::Vertical 20 40 Configure which processes can access the Registry. 'Open' access only applies to program binaries located outside the sandbox, you can use 'Open for All' instead to make it apply to all programs, or change this behavior in the Policies tab. true IPC 3 6 3 3 0 0 0 23 Add IPC Path Show Templates Remove true Type Program Access Path Qt::Vertical 20 40 Configure which processes can access NT IPC objects like ALPC ports and other processes memory and context. To specify a process use '$:program.exe' as path. true Wnd 3 6 3 3 Remove Show Templates 0 0 0 23 Add Wnd Class Qt::Vertical 20 40 true Type Program Access Wnd Class Don't alter window class names created by sandboxed programs Configure which processes can access Desktop objects like Windows and alike. true COM 3 6 3 3 Remove true Type Program Access Class Id Show Templates 0 0 0 23 Add COM Object Qt::Vertical 20 40 Configure which processes can access COM objects. true Don't use virtualized COM, Open access to hosts COM infrastructure (not recommended) Access Policies 9 9 9 9 75 true true Rule Policies Apply Close...=!<program>,... rules also to all binaries located in the sandbox. Prioritize rules based on their Specificity and Process Match Level Apply File and Key Open directives only to binaries located outside the sandbox. Qt::Horizontal 40 20 75 true true Access Mode The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like "*.tmp" would have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. true Privacy Mode, block file and registry access to all locations except the generic system ones Qt::Vertical 20 40 When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled. true Network Options 0 Process Restrictions 3 6 3 3 Issue message 1307 when a program is denied internet access Add Program Prompt user whether to allow an exemption from the blockade. Remove Note: Programs installed to this sandbox won't be able to access the internet at all. Qt::Vertical 20 40 true Name Access Set network/internet access for unlisted processes: Network Firewall 3 3 3 Qt::Vertical 20 40 Test Rules, Program: Port: IP: Protocol: X Remove Add Rule true Program Action Port IP Protocol Show Templates 75 true true CAUTION: Windows Filtering Platform is not enabled with the driver, therefore these rules will be applied only in user mode and can not be enforced!!! This means that malicious applications may bypass them. true File Recovery 0 Quick Recovery 3 6 3 3 true Name When the Quick Recovery function is invoked, the following folders will be checked for sandboxed content. true Qt::Vertical 20 40 Show Templates Remove Add Folder Immediate Recovery 3 6 3 3 You can exclude folders and file types (or file extensions) from Immediate Recovery. true Ignore Extension Enable Immediate Recovery prompt to be able to recover files as soon as they are created. Qt::Vertical 20 40 true Name Remove Ignore Folder Show Templates Various Options 50 false true 0 Compatibility Apply ElevateCreateProcess Workaround (legacy behaviour) Emulate sandboxed window station for all processes true true Compatibility Disable the use of RpcMgmtSetComTimeout by default (this may resolve compatibility issues) Force usage of custom dummy Manifest files (legacy behaviour) Use desktop object workaround for all processes Qt::Vertical 20 40 Qt::Horizontal 40 20 Allow use of nested job objects (works on Windows 8 and later) When the global hotkey is pressed 3 times in short succession this exception will be ignored. Exclude this sandbox from being terminated when "Terminate All Processes" is invoked. Dlls && Extensions Qt::Vertical 20 40 75 true true Protect the sandbox integrity itself Image Protection 0 0 Name Description Sandboxie’s resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. ‘ClosedFilePath=! iexplore.exe,C:Users*’ will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the “Access policies” page. This is done to prevent rogue processes inside the sandbox from creating a renamed copy of themselves and accessing protected resources. Another exploit vector is the injection of a library into an authorized process to get access to everything it is allowed to access. Using Host Image Protection, this can be prevented by blocking applications (installed on the host) running inside a sandbox from loading libraries from the sandbox itself. Prevent sandboxes programs installed on host from loading dll's from the sandbox Issue message 1305 when a program tries to load a sandboxed dll 0 0 Sandboxie's functionality can be enhanced by using optional DLLs which can be loaded into each sandboxed process on start by the SbieDll.dll file, the add-on manager in the global settings offers a couple of useful extensions, once installed they can be enabled here for the current box. true Qt::Horizontal 40 20 Qt::Vertical 20 40 Advanced Options 50 false true 0 Miscellaneous 3 6 3 0 0 0 0 23 Add Option Remove Here you can configure advanced per process options to improve compatibility and/or customize sandboxing behavior. true Option Program Value Show Templates Qt::Vertical 20 40 Triggers 3 6 3 3 0 0 0 23 This command will be run before the box content will be deleted Run Command 0 0 0 23 Run Command true Event Action These commands are run UNBOXED just before the box content is deleted On File Recovery Qt::AlignCenter Show Templates 0 0 0 23 This command will be run before a file is being recovered and the file path will be passed as the first argument. If this command returns anything other than 0, the recovery will be blocked Run File Checker 0 0 0 23 Remove Qt::Vertical 20 40 These commands are executed only when a box is initialized. To make them run again, the box content must be deleted. On Box Init Qt::AlignCenter Here you can specify actions to be executed automatically on various box events. true 0 0 0 23 Run Command These events are executed each time a box is started On Box Start Qt::AlignCenter 0 0 0 23 Start Service These commands are run UNBOXED just before the box content is deleted On Delete Content Qt::AlignCenter 50 false true Hide Processes 3 6 3 3 Add Process Don't allow sandboxed processes to see processes running in other boxes Qt::Vertical 20 40 Hide host processes from processes running in the sandbox. true Show Templates true Process Remove 50 false true Users 3 6 3 3 Restrict Resource Access monitor to administrators only Add User Qt::Vertical 20 40 Remove Add user accounts and user groups to the list below to limit use of the sandbox to only those accounts. If the list is empty, the sandbox can be used by all user accounts. Note: Forced Programs and Force Folders settings for a sandbox do not apply to user accounts which cannot use the sandbox. true Tracing Key Trace GUI Trace Log Debug Output to the Trace Log Log all SetError's to Trace log (creates a lot of output) Qt::Horizontal 40 0 Qt::Vertical 20 0 DNS Request Logging 75 true true Access Tracing Syscall Trace (creates a lot of output) Log all access events as seen by the driver to the resource access log. This options set the event mask to "*" - All access events You can customize the logging using the ini by specifying "A" - Allowed accesses "D" - Denied accesses "I" - Ignore access requests instead of "*". Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true 75 true true Resource Access Monitor 20 16777215 COM Class Trace Pipe Trace Qt::Horizontal 40 0 Network Firewall File Trace Disable Resource Access Monitor IPC Trace 50 false true Debug 3 6 3 3 true 0 0 657 356 0 0 0 0 75 true true WARNING, these options can disable core security guarantees and break sandbox security!!! true These options are intended for debugging compatibility issues, please do not use them in production use. true App Templates 0 Templates 3 6 3 3 This list contains a large amount of sandbox compatibility enhancing templates true Qt::Vertical 20 40 Text Filter 0 0 0 23 Add Template Filter Categories Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter QAbstractItemView::ExtendedSelection true Category Name 0 0 0 23 Remove Template Folders 3 6 3 3 Configure the folder locations used by your other applications. Please note that this values are currently user specific and saved globally for all boxes. Qt::Vertical 20 40 true Name Value Accessibility 3 6 3 3 Screen Readers: JAWS, NVDA, Window-Eyes, System Access Qt::Horizontal 40 20 Qt::Horizontal 40 20 The following settings enable the use of Sandboxie in combination with accessibility software. Please note that some measure of Sandboxie protection is necessarily lost when these settings are in effect. true Qt::Horizontal 40 20 Qt::Horizontal 40 20 To compensate for the lost protection, please consult the Drop Rights settings page in the Restrictions settings group. true Edit ini Section Edit ini false false Cancel Qt::Horizontal 40 20 false Save QPlainTextEdit::NoWrap QDialogButtonBox::Apply|QDialogButtonBox::Cancel|QDialogButtonBox::Ok tabs tabsGeneral cmbBoxIndicator cmbBoxBorder btnBorderColor spinBorderWidth treeRun btnAddCmd btnDelCmd chkAutoEmpty chkProtectBox treeTriggers btnDelAuto treeGroups btnAddGroup btnAddProg btnDelProg treeStop btnAddLingering chkShowStopTmpl btnDelStopProg radStartAll radStartExcept radStartSelected treeStart btnAddStartProg btnDelStartProg chkStartBlockMsg chkINetBlockPrompt treeINet btnAddINetProg btnDelINetProg chkINetBlockMsg treeRecovery btnAddRecovery chkShowRecoveryTmpl btnDelRecovery tabsAdvanced chkHideOtherBoxes btnAddProcess btnDelProcess lstUsers btnAddUser btnDelUser chkMonitorAdminOnly chkFileTrace chkPipeTrace chkKeyTrace chkIpcTrace chkGuiTrace chkComTrace chkDbgTrace scrollArea treeTemplates cmbCategories txtTemplates btnEditIni txtIniSection btnSaveIni btnCancelEdit