How to view all Registry and file accesses after start? Logfile output?

pstein

OK, I successfully installed Sandbox Plus v1.14.10 in portable mode on Windows 10 Pro.

Now I want to use it.

Therefore I right-clicked on a certain external test foobar.exe file utility somewhere on my partition.

Sandboxie-plus prompts me if the program should run sandboxed in DefaultBox.
I clicked OK and the program starts.
And now?
How can I see which Registry and file accesses foobar.exe performs?

Can I create a logfile for this information?
 
There is a feature request, which still has not been implemented.

You can enable trace logging, which can be exported to a file.

Sysinternals Process Monitor (procmon.exe) can monitor processes inside sandboxes. You might want to take a look at SandboxToys2, which relies on Sandboxie.

I clicked OK and the program starts.
And now?

Now, the program runs under the control of Sandboxie.

Quoting the readme.md:

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying local & mapped drives or the Windows registry. An isolated virtual environment allows controlled testing of untrusted programs and web surfing.
Sandboxie allows you to create virtually unlimited sandboxes and run them alone or simultaneously to isolate programs from the host and each other, while also allowing you to run as many programs simultaneously in a single box as you wish.

Maybe there is a difference in expectation.

Maybe what you are looking for is something like cuckoo, or any.run.
 
@bastik-1001:

Thank you for your explanation above.
Some questions:

"trace logging" looks good.

How can I somehow hide all trace lines/entries which are from the wrapping SandboxieRpcSs.exe service?
I only want to see (Registry accesses) from the traced program.

In the drop-down there are multiple processes from the traced program. I cannot select them all at once.
Moreover, having to do this manually every time for every traced program is cumbersome and user-unfriendly.

On the other side, there is no NOT PID option which would let me exclude the Sandboxie stuff.

You mentioned "cuckoo, or any.run.".
Hmm, I am confused: what can they do that Sandboxie-Plus cannot?
 
How can I somehow hide all trace lines/entries which are from the wrapping SandboxieRpcSs.exe service?
I only want to see (Registry accesses) from the traced program.

In the drop-down there are multiple processes from the traced program. I cannot select them all at once.
Moreover, having to do this manually every time for every traced program is cumbersome and user-unfriendly.

I don't see a way to filter it out either, and agree that there is room for improvement, which is why I am going to suggest this to the developer.

On the other side, there is no NOT PID option which would let me exclude the Sandboxie stuff.

This would be a good start, which I am going to suggest.

Hmm, I am confused: what can they do that Sandboxie-Plus cannot?
I am under the impression that they are able to generate (automatic) reports of what applications did or are doing, which is something Sandboxie does not do.
 