Can you "virtualize" a folder for a sandboxed process (don't show any host files but let the sandbox freely write to it)

Post Reply
fmillion
Posts: 1
Joined: Thu Jun 09, 2022 7:06 am

Can you "virtualize" a folder for a sandboxed process (don't show any host files but let the sandbox freely write to it)

Post by fmillion »

I want to install a program within Sandboxie that is already installed on my host system. I don't want the installer or the program to have any awareness of its existence on the host.

When I run the installer in Sandboxie, it detects the host installed instance (naturally, since sandboxed programs aren't prevented from reading host files by default) and thus thinks it's an upgrade and not a full installation. Furthermore, since the program stores data in the registry, the copy running in the sandbox pulls in all my settings from the host, which I don't want the sandboxed version to do.

I tried using the Resource Rules to add a "Box Only (Write Only)" rule for the path under Program Files, the path under %APPDATA% and the Registry key that I know the program uses. However, this seems to have turned it into a "drop box" folder, where the sandbox cannot view the contents of the folder at all, but can write to files within it. This isn't what I want, I want the sandboxed process to see an empty folder (or even better, no folder at all, but react correctly when the setup program creates the folder - as in, create the folder but don't show its host contents).

An even more "pro" level of this feature (that I'd gladly contribute whatever I could towards, even helping with documentation if it were possible - sadly I'm not a strong C coder) would be a "virtual user account". As in, you have a sandbox that for all intents and purposes acts just like you made a new user account on Windows. The entire %USERPROFILE% hierarchy and the entire HKCU registry tree are empty (or copied in from the Default User folder the first time the sandbox launches - I think that's how Windows does it?) Running a browser or any application for that matter in that sandbox would be a completely empty browser, no plugins, no extensions, no bookmarks, no settings, etc. Combine this with isolating paths like I said above and you could work all sorts of scenarios involving installing temporary copies of programs that are much more strongly isolated from the host's filesystem and registry.

Can this be done already?

User avatar
DavidXanatos
Posts: 340
Joined: Fri Mar 19, 2021 11:26 am

Re: Can you "virtualize" a folder for a sandboxed process (don't show any host files but let the sandbox freely write to

Post by DavidXanatos »

I tried using the Resource Rules to add a "Box Only (Write Only)" rule for the path under Program Files, the path under %APPDATA% and the Registry key that I know the program uses. However, this seems to have turned it into a "drop box" folder, where the sandbox cannot view the contents of the folder at all, but can write to files within it.
strange this is not how this should work, it should work the way you expect it "I want the sandboxed process to see an empty folder (or even better, no folder at all, but react correctly when the setup program creates the folder - as in, create the folder but don't show its host contents)."
Perhaps there is a bug, can you test this using for example cmd.exe and see if that works well, may be there is a special case where it fails

Post Reply