Trust No Program
Log messages to disk
Buster


Joined: 06 Aug 2007
Posts: 2185
Hi.

tzuk: You probably read the post where I comment I'm coding a tool to check for differences between two sandboxes.

At the beginning I only had in mind to do a similar tool to the one majoMo did but after working a while on it I considered it would be more interesting and useful going one step further: analyze changes and evaluate if the sandboxed program(s) performed actions that could be considered as malicious.

Some people may use the tool just to see modifications and other people to get a report with the evaluation of performed actions. So it's not just a malware behaviour analyzer.

File modifications can be checked directly comparing the files that were on disk before and after the comparison. Something similar happens with registry changes.

I would like to include other checks: if sandboxed application installed a service or tried to connect to internet or tried to hook keyboard.

I could get such information from the messages presented by Sandboxie when such actions are performed. I talk about the messages telling that X application tried to do this or that and the user must choose if hide or close the message.

My feature request is: I would like to have the option to log to disk Sandboxie's messages.

Is it possible?
tzuk


Joined: 22 Jun 2004
Posts: 15003
Yes, that happens to be a feature that I want to add to Sandboxie some time soon.

But I was thinking about logging everything to c:\Windows\Sandboxie.log, rather than inside the folder of a particular sandbox, so I'm not sure how appropriate it would be for your utility.

_________________
tzuk

Buster
tzuk wrote:
Yes, that happens to be a feature that I want to add to Sandboxie some time soon.


Nice to hear!

As it's a simple feature that will not cause compatibility problems, do you think it could be included in the next official release?


tzuk wrote:
But I was thinking about logging everything to c:\Windows\Sandboxie.log, rather than inside the folder of a particular sandbox, so I'm not sure how appropriate it would be for your utility.


I would delete the log before doing the comparison so all the messages would be referred to the sandbox process that SandDiff pretends to analyze.

Therefore logging everything to the same log is fine for me.

tzuk
Buster wrote:
As it's a simple feature that will not cause compatibility problems, do you think it could be included in the next official release?


You mean in version 3.40? No, I'm afraid not. It's not so simple, and not so small. It will have to wait.

Buster
tzuk wrote:
Buster wrote:
As it's a simple feature that will not cause compatibility problems, do you think it could be included in the next official release?


You mean in version 3.40? No, I'm afraid not. It's not so simple, and not so small. It will have to wait.


Yeah, I meant 3.40.

Ok, let me know when you have included the feature to test it.

Buster
tzuk wrote:
But I was thinking about logging everything to c:\Windows\Sandboxie.log


With "everything", do you mean something more than just the messages that the user must hide or close?

If the reply is affirmative, what other things would you be logging?

tzuk
I mean all SBIExxxx messages that pop up.

Buster
tzuk wrote:
I mean all SBIExxxx messages that pop up.


That's exactly what I need.

Buster
tzuk: Will this feature be included in Sandboxie 3.41.01?

tzuk
Not in 3.41.01. There are some more pressing issues. But it is on my plans for version 3.42. You're going to have to be patient, Buster.

Buster
tzuk wrote:
Not in 3.41.01. There are some more pressing issues. But it is on my plans for version 3.42. You're going to have to be patient, Buster.


Do you know when patience will have a discount at Bits du Jour? I must buy some of it. :P

tzuk
:)

tzuk
Added in version 3.41.10.

To enable, simply create a REG_SZ-type registry value LogFile in the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SbieSvc

The contents of this value should be something like this,
1;C:\SbieLog.txt

The prefix 1; is required and indicates the format of the output log file. At this time there is only format level 1.

Then you just specify the file location.

To disable the logging, simply delete this registry value. There is no need to restart the service or take any other action other than creation of the value (to enable) or deletion of the value (to disable).

The log file is a UNICODE text file.
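
An added example, not part of the original thread and not Sandboxie's or SandDiff's code: a sketch of how an analysis tool could validate the LogFile value described in the last post and tally the SBIExxxx messages in the resulting log. It assumes "UNICODE" means UTF-16 and that xxxx is four digits; the function names and the sample log lines are constructed for illustration, since the thread does not show the log's line layout.

```python
import re
from collections import Counter

# Assumption: the "xxxx" in SBIExxxx is a four-digit message number.
SBIE_CODE = re.compile(r"\bSBIE\d{4}\b")


def parse_logfile_value(value):
    """Split a LogFile registry value ('<level>;<path>') into (level, path)."""
    level, sep, path = value.partition(";")
    if not sep or not level.isdigit():
        raise ValueError("missing '<level>;' prefix")
    if int(level) != 1:
        # The post states that only format level 1 exists at this time.
        raise ValueError("unsupported format level: " + level)
    path = path.strip()
    if not path:
        raise ValueError("no file location given")
    return int(level), path


def decode_log(raw):
    """Decode log bytes. Assumption: 'UNICODE' means UTF-16, as usual on Windows."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")      # the BOM selects the byte order
    return raw.decode("utf-16-le")       # no BOM: assume little-endian


def count_sbie_codes(raw):
    """Count each SBIExxxx code found anywhere in the log."""
    return Counter(SBIE_CODE.findall(decode_log(raw)))


# Constructed sample: only the SBIExxxx token is taken from the thread,
# the codes and the rest of each line are invented.
SAMPLE_LOG = (
    "SBIE0001 constructed message one [TestBox]\r\n"
    "SBIE0002 constructed message two [TestBox]\r\n"
    "SBIE0001 constructed message one [TestBox]\r\n"
).encode("utf-16")

if __name__ == "__main__":
    print(parse_logfile_value(r"1;C:\SbieLog.txt"))
    for code, hits in sorted(count_sbie_codes(SAMPLE_LOG).items()):
        print(code, hits)
```

Reading the file as plain ASCII or UTF-8 would interleave NUL bytes with the text and the SBIE pattern would never match, which is why the decoding step comes first.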
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.