Sandboxie-Plus 1.13.3 has been released.
https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.13.3
This release advances the 1.13.x build line from its experimental pre release stage to stable release, it adds significant enhancements to the hooking mechanism associated with SCM-related functions, which enhances compatibility with newer versions of Windows. The revised hooking mechanism now supports API call tracing without the necessity for LogAPI.dll.
Additionally, this update introduces a feature aimed at increasing the privacy of encrypted boxes. When the option IsProtectScreen=y is set, windows of processes operating within boxes with this option enabled will be obscured during screenshot capture or recording, enhancing user privacy.
The release also enhances the compatibility of privacy-focused boxes with Windows Explorer, resolving issues related to the Recycle Bin. To this end a new default compatibility template has been introduced, which uses a new functionality of the wildcard pattern mechanism. Now the "**" pattern is supported, which acts as a placeholder for an arbitrary string without including the backslash ("") character, thus allowing users to apply wildcards to exactly one directory level, unlike the single asterisk ("*") which applies to multiple levels.
The update also introduces compatibility with Windows 11 insider builds up to 26080.
And modifies how the driver manages offset-dependent kernel object changes, the new method now enables loading an offset configuration directly from the registry, allowing offsets to be updated without the need to rebuild the driver.
To increase system stability, Sandboxie will cease using outdated known offsets for new, unrecognized kernel builds. This change applies except in cases where the PC is part of the Windows Insider Program.
In such instances, instead of using outdated offsets, the software will disable token-based security isolation and will display the warning SBIE1207, indicating that it has reverted to an less secure fallback mode of operation.
To force the use of the last known offsets on a newer build of windows than known to be supported import the below reg file to your system registry:
Windows Registry Editor Version 5.00
While this build has been tested and appears functional, users may encounter minor issues in certain edge cases.
Changes since the last stable release:
[1.13.3 / 5.68.3] - 2024-03-16
Added
added certificate usage guide link to support page
Fixed
fixed issues with "IsProtectScreen=y" 3656
fixed issue with hotkeys and changed default suspend all hotkey to Shift+Alt+Pause
fixed issue with suspended state not being updated when the global hotkey was used
fixed issue with new ** pattern failing in some cases
[1.13.2 / 5.68.2] - 2024-03-07
Added
added menu entry to restart SandMan as admin #3581 (thanks Yeyixiao)
added option to block taking screen capture/screenshot of sandboxed processes (thanks Yeyixiao)
it can be enabled with "IsProtectScreen=y"
see the sandbox option "Prevents getting an image of the window in the sandbox" in SandMan UI
added option to prevent sandboxed processes from interfering with power operations #3640 (thanks Yeyixiao)
it can be enabled with "BlockInterferePower=y"
see the sandbox option "Prevents processes in the sandbox from interfering with power operations" in SandMan UI
added new pattern mechanism using a ** as a placeholder to indicate an arbitrary path element not containing a \ 1ff2867
Changed
reworked option for suspending all processes in SandMan (introduced in 1.13.1) #3582
Fixed
fixed privacy mode, NormalFilePath and symbolic link issue #3660
fixed access to Recycle Bin in an Application Compartment sandbox with data protection #3665
[1.13.1 / 5.68.1] - 2024-02-27
Added
added option for suspending all processes in SandMan #3582 (thanks Yeyixiao)
added "On Terminate" trigger #3584 (thanks Yeyixiao)
Changed
changed DynData format to add flags
reverted the new sandbox directory structure for volumes without drive letters #3632
GUID usage can be re-enabled with "UseVolumeGuidWhenNoLetter=y"
Fixed
added missing checkbox for API tracing
fixed incompatibility with Windows ARM64 Insider build 26052 and later
fixed symlink issue #3537
fixed file redirection issue in an Application Compartment sandbox #3637
fixed issues with compartment mode compatibility fallback
fixed missing maximum password length check #3639
fixed issue with launching executables from volumes without a drive letter in a sandbox on Windows 1803 and earlier #3627
Removed
removed UseNewSymlinkResolver setting, as the new mechanism is always used
[1.13.0 / 5.68.0] - 2024-02-10
Added
added advanced API trace functionality
Changed
reworked SCM hooking to improve Windows 10 compatibility
reworked offset dependent handling of undocumented Windows kernel objects
the required offsets can be now updated independently from the driver
the DynData blob is digitally signed, when in testsigning mode the signature is however ignored
when Sandboxie encounters a yet unsupported kernel build, token based isolation is disabled to prevent system instability
this safety mechanism is disabled on systems participating in the Windows Insider program
for systems in the Insider program, the latest known offsets are tried
reworked part of the low level code injection mechanism to add compatibility with Windows Insider build 26040 and later
enabled CET Shadow Stack compatible flag for core Sandboxie binaries
Fixed
fixed incompatibility with Windows Insider build 26040 and later
Removed
cleaned up code and removed obsolete VC 6.0 workarounds
Full change log up to this release.
https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.13.3
This release advances the 1.13.x build line from its experimental pre release stage to stable release, it adds significant enhancements to the hooking mechanism associated with SCM-related functions, which enhances compatibility with newer versions of Windows. The revised hooking mechanism now supports API call tracing without the necessity for LogAPI.dll.
Additionally, this update introduces a feature aimed at increasing the privacy of encrypted boxes. When the option IsProtectScreen=y is set, windows of processes operating within boxes with this option enabled will be obscured during screenshot capture or recording, enhancing user privacy.
The release also enhances the compatibility of privacy-focused boxes with Windows Explorer, resolving issues related to the Recycle Bin. To this end a new default compatibility template has been introduced, which uses a new functionality of the wildcard pattern mechanism. Now the "**" pattern is supported, which acts as a placeholder for an arbitrary string without including the backslash ("") character, thus allowing users to apply wildcards to exactly one directory level, unlike the single asterisk ("*") which applies to multiple levels.
The update also introduces compatibility with Windows 11 insider builds up to 26080.
And modifies how the driver manages offset-dependent kernel object changes, the new method now enables loading an offset configuration directly from the registry, allowing offsets to be updated without the need to rebuild the driver.
To increase system stability, Sandboxie will cease using outdated known offsets for new, unrecognized kernel builds. This change applies except in cases where the PC is part of the Windows Insider Program.
In such instances, instead of using outdated offsets, the software will disable token-based security isolation and will display the warning SBIE1207, indicating that it has reverted to an less secure fallback mode of operation.
To force the use of the last known offsets on a newer build of windows than known to be supported import the below reg file to your system registry:
Windows Registry Editor Version 5.00
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SbieDrv\Parameters]
"AllowOutdatedOffsets"=dword:00000001
While this build has been tested and appears functional, users may encounter minor issues in certain edge cases.
Changes since the last stable release:
[1.13.3 / 5.68.3] - 2024-03-16
Added
added certificate usage guide link to support page
Fixed
fixed issues with "IsProtectScreen=y" 3656
fixed issue with hotkeys and changed default suspend all hotkey to Shift+Alt+Pause
fixed issue with suspended state not being updated when the global hotkey was used
fixed issue with new ** pattern failing in some cases
[1.13.2 / 5.68.2] - 2024-03-07
Added
added menu entry to restart SandMan as admin #3581 (thanks Yeyixiao)
added option to block taking screen capture/screenshot of sandboxed processes (thanks Yeyixiao)
it can be enabled with "IsProtectScreen=y"
see the sandbox option "Prevents getting an image of the window in the sandbox" in SandMan UI
added option to prevent sandboxed processes from interfering with power operations #3640 (thanks Yeyixiao)
it can be enabled with "BlockInterferePower=y"
see the sandbox option "Prevents processes in the sandbox from interfering with power operations" in SandMan UI
added new pattern mechanism using a ** as a placeholder to indicate an arbitrary path element not containing a \ 1ff2867
Changed
reworked option for suspending all processes in SandMan (introduced in 1.13.1) #3582
Fixed
fixed privacy mode, NormalFilePath and symbolic link issue #3660
fixed access to Recycle Bin in an Application Compartment sandbox with data protection #3665
[1.13.1 / 5.68.1] - 2024-02-27
Added
added option for suspending all processes in SandMan #3582 (thanks Yeyixiao)
added "On Terminate" trigger #3584 (thanks Yeyixiao)
Changed
changed DynData format to add flags
reverted the new sandbox directory structure for volumes without drive letters #3632
GUID usage can be re-enabled with "UseVolumeGuidWhenNoLetter=y"
Fixed
added missing checkbox for API tracing
fixed incompatibility with Windows ARM64 Insider build 26052 and later
fixed symlink issue #3537
fixed file redirection issue in an Application Compartment sandbox #3637
fixed issues with compartment mode compatibility fallback
fixed missing maximum password length check #3639
fixed issue with launching executables from volumes without a drive letter in a sandbox on Windows 1803 and earlier #3627
Removed
removed UseNewSymlinkResolver setting, as the new mechanism is always used
[1.13.0 / 5.68.0] - 2024-02-10
Added
added advanced API trace functionality
Changed
reworked SCM hooking to improve Windows 10 compatibility
reworked offset dependent handling of undocumented Windows kernel objects
the required offsets can be now updated independently from the driver
the DynData blob is digitally signed, when in testsigning mode the signature is however ignored
when Sandboxie encounters a yet unsupported kernel build, token based isolation is disabled to prevent system instability
this safety mechanism is disabled on systems participating in the Windows Insider program
for systems in the Insider program, the latest known offsets are tried
reworked part of the low level code injection mechanism to add compatibility with Windows Insider build 26040 and later
enabled CET Shadow Stack compatible flag for core Sandboxie binaries
Fixed
fixed incompatibility with Windows Insider build 26040 and later
Removed
cleaned up code and removed obsolete VC 6.0 workarounds
Full change log up to this release.