OptionsWindow 0 0 659 498 0 0 0 0 16777215 16777215 SandboxiePlus Options true QTabWidget::North 0 General Options 0 Box Options Box Type Preset: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Sandboxed window border: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter 75 true true General Configuration 1 10 1 More Box Types are exclusively available to project supporters, the Privacy Enhanced boxes protect user data from illicit access by the sandboxed programs. If you are not yet a supporter, then please consider <a href="https://sandboxie-plus.com/go.php?to=sbie-get-cert">supporting the project</a>, to receive a <a href="https://sandboxie-plus.com/go.php?to=sbie-cert">supporter certificate</a>. You can test the other box types by creating new sandboxes of those types, however processes in these will be auto terminated after 5 minutes. Qt::RichText true px Width Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter Box info Qt::AutoText true 0 0 16 16777215 75 true true Appearance Sandbox Indicator in title: Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Qt::Vertical 20 40 Qt::Horizontal 40 20 Show this box in the 'run in box' selection prompt Always show this sandbox in the systray list (Pinned) File Options Auto delete content when last sandboxed process terminates Copy file size limit: 75 true true Box Delete options Qt::Horizontal 40 20 Protect this sandbox from deletion or emptying 75 true true Raw Disk access 75 true true File Migration Allow elevated sandboxed applications to read the harddrive Warn when an application opens a harddrive handle kilobytes 75 16777215 Issue message 2102 when a file is too large Qt::Vertical 20 40 20 16777215 Prompt user for large file migration Security Drop rights from Administrators and Power Users groups 75 true true (Recommended) Qt::Horizontal QSizePolicy::Maximum 20 20 Qt::Vertical 20 40 75 true true Protect the system from sandboxed processes Elevation restrictions 75 true true Security note: Elevated applications running under the supervision of Sandboxie, with an admin or system token, have more opportunities to bypass isolation and modify the system outside the sandbox. true 75 true true Protect the system from sandboxed processes Security enhancements Use the original token only for approved NT system calls Note: Msi Installer Exemptions should not be required, but if you encounter issues installing a msi package which you trust, this option may help the installation complete successfully. You can also try disabling drop admin rights. true Qt::Horizontal 40 20 75 true true CAUTION: When running under the built in administrator, processes can not drop administrative privileges. true Make applications think they are running elevated (allows to run installers safely) Allow MSIServer to run with a sandboxed system token and apply other exceptions if required Restrict driver/device access to only approved ones Enable all security enhancements (make security hardened box) Access Restrictions Open Windows Credentials Store (user mode) 75 true true Protect the system from sandboxed processes Other restrictions Qt::Horizontal 40 20 Block read access to the clipboard Qt::Vertical 20 40 75 true true Protect the system from sandboxed processes Printing restrictions Prevent change to network and firewall parameters (user mode) Allow to read memory of unsandboxed processes (not recommended) 75 true true Protect the system from sandboxed processes Network restrictions Block access to the printer spooler 20 0 20 16777215 0 0 Allow the print spooler to print to files outside the sandbox Block network files and folders, unless specifically opened. Remove spooler restriction, printers can be installed outside the sandbox Open System Protected Storage Issue message 2111 when a process access is denied Run Menu You can configure custom entries for the sandbox run menu. true Qt::Vertical 20 40 Name Command Line 0 0 0 23 Add program 0 0 0 23 Remove Program Groups Add Group Qt::Vertical 20 40 true Name Add Program You can group programs together and give them a group name. Program groups can be used with some of the settings instead of program names. Groups defined for the box overwrite groups defined in templates. true Remove Show Templates Forced Programs 9 9 9 9 Remove Force Folder true Type Path Force Program Qt::Vertical 20 40 Show Templates Programs entered here, or programs started from entered locations, will be put in this sandbox automatically, unless they are explicitly started in another sandbox. true Stop Behaviour Remove Program Qt::Vertical 20 40 Add Leader Program Add Lingering Program true Type Path Show Templates Lingering programs will be automatically terminated if they are still running after all other processes have been terminated. If leader processes are defined, all others are treated as lingering processes. true Start Restrictions true Name Qt::Vertical 20 40 Remove Program Issue message 1308 when a program fails to start Add Program 0 Allow only selected programs to start in this sandbox. * Prevent selected programs from starting in this sandbox. Allow all programs to start in this sandbox. * Note: Programs installed to this sandbox won't be able to start at all. true Internet Restrictions 0 Process Restrictions 3 6 3 0 Issue message 1307 when a program is denied internet access Add Program Prompt user whether to allow an exemption from the blockade. Remove Program Note: Programs installed to this sandbox won't be able to access the internet at all. Qt::Vertical 20 40 true Name Access Set network/internet access for unlisted processes: Network Firewall Rules 3 3 0 Qt::Vertical 20 40 Test Rules, Program: Port: IP: Protocol: X Remove Rule Add Rule Program Action Port IP Protocol Show Templates 75 true true CAUTION: Windows Filtering Platform is not enabled with the driver, therefore these rules will be applied only in user mode and can not be enforced!!! This means that malicious applications may bypass them. true Resource Access 0 Resource Access Rules 3 6 3 0 0 0 0 23 Add Wnd Class Configure which processes can access what resources. Double click on an entry to edit it. 'Open' File and Key access only applies to program binaries located outside the sandbox. You can use 'Open for All' instead to make it apply to all programs, or change this behaviour in the Policies tab. 0 0 0 23 Add COM Object 0 0 0 23 Add Reg Key Remove Qt::Vertical 20 40 0 0 0 23 Add IPC Path true Type Program Access Path Show Templates 0 0 0 23 Add File/Folder Resource Access Policies 9 9 9 9 Qt::Horizontal 40 20 The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like "*.tmp" would have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. true Qt::Vertical 20 40 Prioritize rules based on their Specificity and Process Match Level Privacy Mode, block file and registry access to all locations except the generic system ones 75 true true Access Mode When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled. true 75 true true Rule Policies Apply Close...=!<program>,... rules also to all binaries located in the sandboxed. Apply File and Key Open directives only to binaries located outside the sandbox. File Recovery Qt::Vertical 20 40 Add Folder Ignore Extension Ignore Folder Show Templates Enable Immediate Recovery prompt to be able to recover files as soon as they are created. Qt::Vertical QSizePolicy::Preferred 20 40 Type Name Remove You can exclude folders and file types (or file extensions) from Immediate Recovery. true When the Quick Recovery function is invoked, the following folders will be checked for sandboxed content. true Advanced Options 50 false true 0 50 false true Miscellaneous Emulate sandboxed window station for all processes Drop critical privileges from processes running with a SYSTEM token Add sandboxed processes to job objects (recommended) Do not start sandboxed services using a system token (recommended) Protect sandboxed SYSTEM processes from unprivileged processes Open access to COM infrastructure (not recommended) Allow only privileged processes to access the Service Control Manager Force usage of custom dummy Manifest files (legacy behaviour) 75 true true (Security Critical) Qt::Horizontal 40 20 Start the sandboxed RpcSs as a SYSTEM process (not recommended) Don't alter window class names created by sandboxed programs 75 true true Compatibility Qt::Vertical 20 40 75 true true (Security Critical) 75 true true Protect the sandbox integrity itself Sandbox isolation 75 true true Protect the sandbox integrity itself COM/RPC Allow use of nested job objects (works on Windows 8 and later) Disable the use of RpcMgmtSetComTimeout by default (this may resolve compatibility issues) Isolation Security Isolation through the usage of a heavily restricted process token is Sandboxie's primary means of enforcing sandbox restrictions, when this is disabled the box is operated in the application compartment mode, i.e. it’s no longer providing reliable security, just simple application compartmentalization. true Open access to Windows Local Security Authority Allow sandboxed programs to manage Hardware/Devices Qt::Vertical 20 40 Disable Security Isolation (experimental) Various advanced isolation features can break compatibility with some applications. If you are using this sandbox NOT for Security but for simple application portability, by changing these options you can restore compatibility by sacrificing some security. true Qt::Horizontal 40 20 Open access to Windows Security Account Manager 75 true true Protect the sandbox integrity itself Security Isolation & Filtering Disable Security Filtering (not recommended) Security Filtering used by Sandboxie to enforce filesystem and registry access restrictions, as well as to restrict process access. true The below options can be used safely when you don't grant admin rights. true 75 true true Protect the sandbox integrity itself Access isolation Triggers Qt::Vertical 20 40 Qt::Vertical 20 40 0 0 0 23 Remove Event Action 0 0 0 23 Run Command 0 0 0 23 Start Service These events are executed each time a box is started On Box Start Qt::AlignCenter 0 0 0 23 Run Command Qt::Vertical 20 40 These commands are run UNBOXED just before the box content is deleted On Box Delete Qt::AlignCenter 0 0 0 23 Run Command These commands are executed only when a box is initialized. To make them run again, the box content must be deleted. On Box Init Qt::AlignCenter Here you can specify actions to be executed automatically on various box events. true Show Templates 50 false true Hide Processes Qt::Vertical 20 40 Add Process Hide host processes from processes running in the sandbox. true Remove Don't allow sandboxed processes to see processes running in other boxes 50 false true Users Restrict Resource Access monitor to administrators only Add User Qt::Vertical 20 40 Remove User Add user accounts and user groups to the list below to limit use of the sandbox to only those accounts. If the list is empty, the sandbox can be used by all user accounts. Note: Forced Programs and Force Folders settings for a sandbox do not apply to user accounts which cannot use the sandbox. true Tracing API call trace (requires LogAPI to be installed in the Sbie directory) Qt::Horizontal 40 20 Pipe Trace Qt::Vertical 20 40 Log all SetError's to Trace log (creates a lot of output) Qt::Horizontal 40 20 Log Debug Output to the Trace Log Log all access events as seen by the driver to the resource access log. This options set the event mask to "*" - All access events You can customize the logging using the ini by specifying "A" - Allowed accesses "D" - Denied accesses "I" - Ignore access requests instead of "*". Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop true Ntdll syscall Trace (creates a lot of output) File Trace Disable Resource Access Monitor IPC Trace GUI Trace 75 true true Resource Access Monitor 20 16777215 75 true true Access Tracing COM Class Trace Key Trace Network Firewall 50 false true Debug true 0 0 98 28 0 0 0 0 75 true true WARNING, these options can disable core security guarantees and break sandbox security!!! true These options are intended for debugging compatibility issues, please do not use them in production use. true App Templates 0 Compatibility Templates Filter Categories Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter Text Filter Add Template This list contains a large amount of sandbox compatibility enhancing templates true Remove Template Qt::Vertical 20 40 true Category Name Template Folders Configure the folder locations used by your other applications. Please note that this values are currently user specific and saved globally for all boxes. Qt::Vertical 20 40 Name Value Accessibility To compensate for the lost protection, please consult the Drop Rights settings page in the Restrictions settings group. Screen Readers: JAWS, NVDA, Window-Eyes, System Access The following settings enable the use of Sandboxie in combination with accessibility software. Please note that some measure of Sandboxie protection is necessarily lost when these settings are in effect. true Edit ini Section Edit ini false false Cancel Qt::Horizontal 40 20 false Save QPlainTextEdit::NoWrap QDialogButtonBox::Apply|QDialogButtonBox::Cancel|QDialogButtonBox::Ok tabs tabsGeneral cmbBoxIndicator cmbBoxBorder btnBorderColor spinBorderWidth treeRun btnAddCmd btnDelCmd chkCopyLimit chkNoCopyWarn chkAutoEmpty chkProtectBox treeTriggers btnAddAutoRun btnAddAutoSvc btnDelAuto treeGroups btnAddGroup btnAddProg btnDelProg treeForced btnForceProg btnForceDir chkShowForceTmpl btnDelForce treeStop btnAddLingering btnAddLeader chkShowStopTmpl btnDelStopProg radStartAll radStartExcept radStartSelected treeStart btnAddStartProg btnDelStartProg chkStartBlockMsg chkINetBlockPrompt treeINet btnAddINetProg btnDelINetProg chkINetBlockMsg treeAccess btnAddFile btnAddKey btnAddIPC btnAddWnd btnAddCOM chkShowAccessTmpl btnDelAccess chkAutoRecovery treeRecovery btnAddRecovery btnAddRecIgnore btnAddRecIgnoreExt chkShowRecoveryTmpl btnDelRecovery tabsAdvanced chkPreferExternalManifest chkNoWindowRename chkHideOtherBoxes lstProcesses btnAddProcess btnDelProcess lstUsers btnAddUser btnDelUser chkMonitorAdminOnly chkFileTrace chkPipeTrace chkKeyTrace chkIpcTrace chkGuiTrace chkComTrace chkDbgTrace scrollArea treeTemplates cmbCategories txtTemplates btnEditIni txtIniSection btnSaveIni btnCancelEdit