Advice Request Why does Sandboxie sometimes require admin permissions when running something that requires it?


Hormoz

New Member
Thread author
Oct 3, 2019
9
There have been some discussions about it, in other places (not this forum), but all that I have seen fail to answer the question properly.

Why does Sandboxie sometimes, especially when dealing with an installer, require admin permissions if the app requires it too? It's not even the app itself asking for it, but Sandboxie itself, and along with that something also shows up that says the app will still remain sandboxed even if you give Sandboxie admin permissions (although it is hard to see it, since it is quickly shadowed by the UAC warning).

So, this is not emulating the app, as it is not a sandboxed UAC window asking for admin permissions nor is it even the app asking for it, but it is a legit UAC window asking for Sandboxie admin permissions. And another common answer is that some things just can't be sandboxed, but if that were the case, why does it say that the app will still remain sandboxed? So why does it require admin permissions if it can just emulate everything? Is there any security problem in it too?

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,131
There are really only a few users here using Sandboxie, as it might be causing major issues sooner or later: software failing to run inside Sandboxie...

Your topic should be better asked to the developer on GitHub:
 

ForgottenSeer 89360

The app remains sandboxed, as it is a child process of Sandboxie. You are not elevating the isolated app directly, but you are elevating the parent process. The parent process doesn't need to be isolated, as it is in this case a harmless program. The fact that there are issues and bypasses in Sandboxie is a different topic.
 

Hormoz

New Member
Thread author
Oct 3, 2019
9
Major issues? I know developers seemed to have changed, and it went open source, but is it that big of a problem?

Well, that's the thing, why does the parent process need elevation? What does it use it for?
 

Hormoz

New Member
Thread author
Oct 3, 2019
9
I think pretty much any installer should do as long as it requires admin elevation, and default sandbox with default settings should do.
If you want one example, then Sandboxie-Classic-x64-v5.47.0.exe itself for example.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,114
> I think pretty much any installer should do as long as it requires admin elevation, and default sandbox with default settings should do.
> If you want one example, then Sandboxie-Classic-x64-v5.47.0.exe itself for example.

If you execute an application installer via Sandboxie ("Run sandboxed") and the installer requires Admin rights, then before executing the installer, the Sandboxie process asks for Admin rights (Sandboxie alert + UAC prompt). The Sandboxie alert disappears very quickly and looks like:
[Image: 1612205720238.png]

The UAC prompt is also triggered by Sandboxie process (not by the installer).
Next, the application installer itself does not ask for elevation any more (no additional UAC prompt), because it thinks that it has been run by the parent process with Admin rights.
The default sandbox lets applications think that they can run with Admin rights, so they can write to the virtualized HKLM registry hive and virtualized Program Files folder. In fact, they are running with an Untrusted Integrity level in the sandbox.

Usually, Sandboxie is not used to run installers sandboxed, but the installer installs the application into the real system. Next, the already installed application is run sandboxed (usually without asking for Admin rights).

Edit.
Many application installers do not require Admin rights. In such cases, they are usually installed in the ProgramData folder or user Appdata folder.
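
Added example, not part of the thread and not written by any of the posters: a PowerShell check that puts the two properties from the last reply side by side, namely whether the token reports the Administrators role and which mandatory integrity level it carries. The function name `Get-TokenSummary` is made up for this example; run it in a normal prompt and in one started with "Run sandboxed", then compare the two outputs.

```powershell
# Added example (not from the thread): compare "does my token report the
# Administrators role?" with the token's mandatory integrity level.

# Well-known mandatory integrity label SIDs (S-1-16-<RID>).
$IntegrityLevels = @{
    'S-1-16-0'     = 'Untrusted'
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-8448'  = 'Medium Plus'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-TokenSummary {   # hypothetical helper name
    # Role check as seen through the standard .NET API.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists the mandatory label among the token groups. /nh plus
    # explicit headers avoids depending on localized column names.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $label  = $groups |
        Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1

    $level = if (-not $label) {
        'No integrity label found'
    } elseif ($IntegrityLevels.ContainsKey($label.SID)) {
        $IntegrityLevels[$label.SID]
    } else {
        "Unknown ($($label.SID))"
    }

    [pscustomobject]@{
        User              = $identity.Name
        ReportsAdminRole  = $isAdmin
        IntegrityLevel    = $level
        IntegrityLabelSid = if ($label) { $label.SID } else { $null }
    }
}

Get-TokenSummary | Format-List
```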
 