How to hide the instances of a program, which are running inside Sandboxes

boxinator

New member
Hi, I mainly use Sandboxie for just one tool, called GnuCash portable.

I need several separate instances, since I do voluntary accounting for several nonprofits (and for different years of course). It is great that I can run two different years next to each other to compare details.

GnuCash, even portable, cannot run in several instances; they disturb each other's settings and maybe more. So Sandboxie has been helpful for months already. Today I wanted to install another fresh portable copy and I get this:
"Please close all instances of Gnucash Portable and then click OK. The portable app can not be upgraded while it is running."
At that time I had two instances running, but both were in Sandboxes.

So I realized that the instances I am using so far are not disturbing each other, but GnuCash running inside a Sandbox is still visible to other programs. I had naively assumed "total isolation" from the term Sandbox. Sorry. Now I am worried that - apart from the installer blocking itself - there might be more hidden side-effects, if my instances can still see each other while running in Sandboxes.

Now I searched the documentation and forum for terms like "hide" or "invisible" or "isolation" and could not find instructions on how to hide the programs inside my Sandboxes from each other and from programs outside all Sandboxes. My instances are not dangerous at all, GnuCash is a friendly and helpful open source tool. But it gets unstable when another instance is running on the same machine. Must be to do with the way they note the settings, but I do not know any details.


So is this a feature that exists? And if yes, please send me to the right place in the documentation or give me the correct keywords and I will give it a try.
 
Have you set HideOtherBoxes=n for these boxes? With HideOtherBoxes=y, boxes don't see what is running in another box. HideNonSystemProcesses=y also hides any non-system process from software inside the sandbox.

Both of these settings can be enabled or disabled in the Sandbox Options, if the user interface is set to "Advanced View". Sandbox Options > Advanced Options > [Processes]
 
@bastik-1001 Thank you for your reply. First I will answer your question:

All my sandboxes up to this morning were running with the default settings, concerning the "hiding" aspect. When I looked under > Advanced Options and > Processes, I found an option in the GUI which resembles your question about "HideOtherBoxes". It is labeled "Don't allow sandboxed processes to see processes running in other boxes".
My problem was this: When I look into my "Edit ini Section", I cannot find that option, although it is ticked under > Advanced > Processes. And I had to experiment to find out:
What is "default" does not show up in my ini Section. So I could only see the status of my "HideOtherBoxes" when I untick it, and click Apply, because then it would be listed as HideOtherBoxes=n in my ini Section.


So I can report that I now have those settings:
Code:
HideOtherBoxes=y
Code:
HideNonSystemProcesses=y


And your question gave me the indirect information that I cannot prevent any program outside any sandbox from seeing what is running on my Windows machine. I can only "control" programs which are under the influence of a sandbox. Correct?

So a solution for the program GnuCash, which cannot handle running as more than one instance at any time, could be this:

I keep the settings of all my GnuCash sandboxes to "HideOtherBoxes=y". And this is new: I will try to run my installer also from a dedicated sandbox and I block it from seeing what is happening in my other boxes. Like I said before: I am running those GnuCash installations in "portable mode", so in theory the installer should not touch anything outside a designated folder or maybe outside a designated USB-drive.

Which means that I next need to learn about "File Recovery", because installing something means that what is happening should absolutely persist and nothing must be deleted or altered during and after my installation process. I need to choose a folder before I start and I need to learn how "immediate recovery" works.

Please let me know if it is possible to run an installer (for a portable Windows app with a folder as a target) inside a sandbox, or if this would be a stupid or impossible idea.
 
I cannot prevent any program outside any sandbox from seeing what is running on my Windows machine. I can only "control" programs which are under the influence of a sandbox. Correct?

That is mostly correct. For example, the Windows task manager (or any other task manager) can see processes running on the system, that includes the sandboxes. (Unlike with virtual machines, where the external task manager sees the VM processes, but not what is running on the guest.) (VMs provided by VirtualBox, for example, are separate Windows installations, there is more overhead to them. Sandboxie works differently, by hooking the software and running it with fewer privileges, while applying some restrictions.)

That said, there is the setting "Protect processes within this box from host processes." This can be found at: Sandbox Options > Security Options > [Box Protection] and sets ConfidentialBox=y. This setting still does not hide the processes in any way, but other software won't be able to interact with it, unless allowed to do so. This is a feature that requires a certificate. I will not help you, but for correctness’ sake, there is something that Sandboxie can do.

I keep the settings of all my GnuCash sandboxes to "HideOtherBoxes=y". And this is new: I will try to run my installer also from a dedicated sandbox and I block it from seeing what is happening in my other boxes. Like I said before: I am running those GnuCash installations in "portable mode", so in theory the installer should not touch anything outside a designated folder or maybe outside a designated USB-drive.

Which means that I next need to learn about "File Recovery", because installing something means that what is happening should absolutely persist and nothing must be deleted or altered during and after my installation process. I need to choose a folder before I start and I need to learn how "immediate recovery" works.

Please let me know if it is possible to run an installer (for a portable Windows app with a folder as a target) inside a sandbox, or if this would be a stupid or impossible idea.

You can run the installer for the portable software over and over again, but you also can "install" it in one sandbox and then "clone" that sandbox. The feature to copy a sandbox was present before, but recently there is a function that copies the sandbox settings and its content. Right-click on the sandbox you want to clone and select Sandbox Tools > "Duplicate Box with content". The default name is the current name appended by "copy", you can change the name right away.

You can protect the sandboxes from being removed by Sandboxie itself. Sandbox Options > File Options > [File Options] > "Protect this sandbox from deletion or emptying". When partially checked, it sets NeverRemove=y. If it is fully checked, it also sets NeverDelete=y. Only Sandboxie honors that, something else can still delete the contents of the sandbox. It would be good to create backups outside the sandboxes.

For the files that get created in the sandboxes, you can either recover them, via the internal function, or copy them manually from the sandboxed location to a folder of your choice, or bypass the sandbox, by having GnuCash write to a location outside the sandbox.

For bypassing the sandbox, while the program binary is located in the sandbox folder, OpenPipePath has to be used, e.g.
OpenPipePath=GnuCash.exe,C:\storage-for-the_files\ProjectA
This can be set at Sandbox Options > Resource Access > [Files]. In your case, you have to use "OpenForAll", instead of "Open" (which only allows binaries that are located outside the sandbox folder to write to that folder.)
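
Added example (not part of the original posts and not Sandboxie's own code): the settings named in this thread appear in the ini only when they differ from the default, so this Python script reads the per-box sections of Sandboxie.ini text and reports each setting's effective value and whether it is explicit or a default. The default values, the box names and the sample text are assumptions constructed for illustration; anything set in [GlobalSettings] is not considered.

```python
# Added example; the defaults are assumptions, verify them in your version's GUI.
ASSUMED_DEFAULTS = {
    "HideOtherBoxes": "y",  # the thread found it ticked in the GUI yet absent from the ini
    "HideNonSystemProcesses": "n",
    "ConfidentialBox": "n",
    "NeverRemove": "n",
    "NeverDelete": "n",
}
# Constructed sample, not a real configuration.
SAMPLE_INI = r"""
[GlobalSettings]
ConstructedKey=1
[GnuCash_OrgA_2025]
HideNonSystemProcesses=y
NeverRemove=y
OpenPipePath=GnuCash.exe,C:\storage-for-the_files\ProjectA
[GnuCash_OrgB_2025]
HideOtherBoxes=n
"""

def parse_boxes(text):
    """Return {box: {key: [values]}}; keys such as OpenPipePath may repeat."""
    boxes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            skip = name == "GlobalSettings" or name.startswith("UserSettings_")
            current = None if skip else boxes.setdefault(name, {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return boxes

def effective(box):
    """Map each audited key to (value, source); a repeated key uses its last line (assumption)."""
    return {key: (box[key][-1].lower(), "explicit") if key in box else (default, "default")
            for key, default in ASSUMED_DEFAULTS.items()}

def audit(text):
    """Return sorted (box, finding) pairs for the points raised in the thread."""
    findings = []
    for name, box in parse_boxes(text).items():
        eff = effective(box)
        if eff["HideOtherBoxes"][0] != "y":
            findings.append((name, "can see processes in other boxes"))
        if eff["NeverRemove"][0] != "y":
            findings.append((name, "NeverRemove not set"))
        findings += [(name, "writes bypass the box: " + r) for r in box.get("OpenPipePath", [])]
    return sorted(findings)
```

Call audit() on the text of your own Sandboxie.ini, read with the encoding the file is saved in.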
 
Thank you @bastik-1001 for the corrections and lots of interesting extra information. It is kind to answer what I cannot ask, as a beginner. I just clicked the option "protect from deletion" for all my past and present sandboxes; just in case.

Just one detail: I learnt now about cloning sandboxes. That might be very useful one day for experiments, and for not putting any actual accounting in danger.

What I normally do is install a fresh version of GnuCash portable for each new fiscal year and for each of the nonprofits I am helping, and not touch it during the year unless prompted by the creators about a security risk. This is why I had never searched so far about copying or cloning.

I might try creating one fresh installation for the first nonprofit and then clone that one, while it is still "without content-data". Just need to keep my paths, names and color-code correct. So far the annual fresh install is when I step through many of the Sandboxie-options and try to get a feel for the tool and to remind myself about the options I am using. I have no memory for details and need refreshers on what is meant by "recovery" or how the run-menu works.

I am very happy at the moment. Each change-of-year feels like a struggle, but by now I am well into 2025 and can concentrate on helping people. Thank you again.
 