  1. #1
    New Lounger
    Join Date
    Jan 2013
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Using Sandboxie to "sandbox" gadgets - is it possible?

    Quote Originally Posted by ruirib View Post
    What was the thread about? Maybe I can help you find it.
    Very kind of you to ask, and if you decide my reply belongs elsewhere, please feel free to move it. Maybe there's someone here that can help confirm I'm on the right track with my idea.

    Background: After using the Active Desktop for years (to put a live foreign-exchange graph in the corner of my Desktop) I moved to Windows 7, and lost the ability to do that. I recently discovered how to get it back, using Eduardo Macero's MiniBrowser Gadget. The MiniBrowser works so well (more stable than Active Desktop) that I now have a 24-hour news channel running in a second instance of the MiniBrowser, just above the graph.

    After telling users how great it is to have Internet connectivity built-into the Desktop since Windows 95, in July Microsoft discovered it's a grave security risk that can only be remedied by 'breaking' the feature in Windows 7, and then moving to their next OS, Windows 8. I never expected the financial site (Dukascopy Bank) was going to send malware into my system, but now that I'm considering feeds from other sources, I thought more security would be a good idea, and no, I'm not ready to 'ditch' Windows 7 for the yet-unknown advantages of Windows 8.

    What I'm looking for help with, on the other thread: I've found it's possible to make all Windows 7 gadgets run (fully) sandboxed. If the sandbox rules are correctly written, I suspect that this may make Microsoft's statement about the problem, and their solution, null and void. But before I assume that, I'm looking for a forum where I can run what I'm doing by other 'pairs of eyes' to make sure I haven't opened the sandbox too much, or in the wrong places.

    Even on Wilder's forum, there are threads repeating Microsoft's words as to the problem and the solution of crippling the OS, with no mention of how to work-around the problem for those finding a use for desktop Gadgets. Is there anyone, in any section of the Windows Secrets Lounge, who could help settle this question?

    More details here. Although this link is to the forum for the protective software I'm using, as of this writing, please note the thread ends with my question, asking for someone to tell me if there are any 'holes' in the solution I propose ... anyone here able to tell me if my system is really safe, even with the Gadgets going 'full blast'?
    Last edited by BeloSolo; 2013-04-28 at 08:26. Reason: minor syntax error; incorrect Windows version

  2. #2
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    10,284
    Thanks
    130
    Thanked 1,153 Times in 1,062 Posts
    Split and moved here from Forum Feedback, seems the best place to ask the question being asked.

  3. #3
    New Lounger
    Join Date
    Jan 2013
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks!
    I tried to thank you personally, but got the following message from the BBS:
    Errors
    The following errors occurred with your submission

    ruirib has exceeded their stored private messages quota and cannot accept further messages until they clear some space.

  4. #4
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    10,284
    Thanks
    130
    Thanked 1,153 Times in 1,062 Posts
    Sorry about that.

  5. #5
    Lounger
    Join Date
    May 2010
    Location
    Wisconsin
    Posts
    43
    Thanks
    9
    Thanked 7 Times in 6 Posts
    Wow, Ron, I looked at your Sandboxie forum posts, and it looks as though by trying to answer your own question you're becoming 'the expert' on your own - especially since there haven't been any replies so far.

    I'm wondering if Sandboxie - and Gadgets - are setting your config changes in their respective App(lication) data folders, or if your someplace such as Users/All Users or a Common folder. (sorry, don't remember the correct paths, it's been a while since I've gone looking; my only Windows is XP done in a virtual machine on a Linux host OS)

    Which leads me also to wonder: what would happen if you ran a separate Windows instance as a virtual machine using VirtualBox, then sized the window to just show the appropriate gadget? (You'd need to have a separate licence and copy of a Windows OS, and enough memory for everything to run comfortably.) Running a vm would automatically work as a sandbox, depending on settings for moving things in and out of your host OS.

    My post here may be naive, I've never used Sandboxie because I kept forgetting to try it out. Also, my meager suggestion may be superfluous as I think it likely you've already looked in other places for the relevant config or ini files. Sorry if that's so. After all this time and effort on your part I hope you can get an answer that works for you.

  6. #6
    2 Star Lounger
    Join Date
    Apr 2013
    Posts
    103
    Thanks
    9
    Thanked 10 Times in 9 Posts
    I have been trying to do something similar myself....

    Don't know minibrowser.... but I have discovered gadgets can store things in 3 different locations.

    Two are in your User folder ( c:\Users\YOURENAMEHERE ) within other folders.
    One is within ProgramFiles (or x86)

    I also don't know sandboxie- every time I tried to use it, I got smacked down by lack of time to really pick it up...

    The free VMPlayer from VMWare supports seamless VMs... You can open a window in the VM and seamlessly add it to your desktop as if it wasn't a separate machine.... not really what you asked for, but a possible solution nonetheless...?

    Please update the thread here so I can keep tabs on your progress! this sounds like something I could *really* use.

    Question:

    Does a sandboxed gadget for reading temperatures work?
    Or a sandboxed gadget used for reading Network Stats?
    In other words, do you know if gadgets that read data from other programs on the local machine run correctly when sandboxed? And how difficult is it to set up?

    If it is viable for MY use, I'll give it a shot as well.

    great engineering mind!

  7. #7
    2 Star Lounger
    Join Date
    Apr 2013
    Posts
    103
    Thanks
    9
    Thanked 10 Times in 9 Posts
    I just downloaded and installed the gadget....

    it doesn't save any settings for me... not sandboxed or anything.

    Am I doing something wrong???
    EDIT

    No, I'm not. I opened the gadget, set a homepage, and closed the gadget. Re-opening the gadget, all my settings were lost.

    The information is stored in the registry. no, read next post

    You can open the same gadget multiple times and have different settings in each copy, but as soon as you CLOSE the gadget, the settings are LOST.

    Are you doing your sandboxing experiments with REBOOTS and NOT CLOSING the gadget??

    I hope you can make out what I'm talking about.
    Last edited by Ben09880; 2013-04-25 at 13:16.

  8. #8
    2 Star Lounger
    Join Date
    Apr 2013
    Posts
    103
    Thanks
    9
    Thanked 10 Times in 9 Posts
    C:\Users\YOURNAME\AppData\Local\Microsoft\Windows Sidebar\settings.ini

    You included the settings for gadgets in general, right?

    it isn't in the registry, per se... but in that ini file

  9. #9
    New Lounger
    Join Date
    Jan 2013
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by kermidge View Post
    ... I'm wondering if ... [the] Gadgets - are setting ... [their] config changes in their respective App(lication) data folders, or if your someplace such as Users/All Users or a Common folder. ...
    Thanks for your interest, and yes, the Gadgets are now holding their settings. You'll note I made a few minor edits in your question, and if that moved it away from what you wanted to know, please ask again.

    The Gadgets, at first, were losing their configuration when the sandbox automatically dumped itself, at the end of each session. That of course wasn't acceptable, and one reason I started saying what I was doing, and asking how others had solved it, both on the Sandboxie and on Wilders' forums.

    Which leads me also to wonder: what would happen if you ran a separate Windows instance as a virtual machine using VirtualBox, then sized the window to just show the appropriate gadget? ...
    That would likely work ... speculation on my part. Sandboxie has always been running on my MS Windows installations, starting with Windows 2000 Pro, so I never thought of doing it any way else.

    ... After all this time and effort on your part I hope you can get an answer that works for you.
    Yes, thanks for asking. Right now I have, running on my Windows Desktop, a live currency exchange rate graph, a Giveaway of the Day 'ticker', two live video news feeds, and the Clock Gadget that ships with Windows 7. Anything new is automatically protected, since the sandboxed process is sidebar.exe, and all Gadgets run under that.

    Wherever possible, I've restricted sandbox exceptions to processes running under the control of sidebar.exe. So, for anything to break out of the sandbox ... I think ... it would need to have corrupted sidebar.exe. And any attempts to corrupt it would be 'dumped' whenever the sandbox is emptied. That's why automatic dumping after each session is enabled. But this should really be posted on the Sandboxie forum, as a question for the experts!

    Especially with the MiniBrowser, I have been able to recreate the Windows Active Desktop more closely than by using any of the utilities that appeared soon after Microsoft removed this functionality from all their OS's, following XP.

    In one way, it's better, because the Active Desktop items would occasionally disappear, for no discernible reason. To be 100% honest, the Windows 7 Gadgets occasionally do the same, but I can always get them back with a Last Good Start, and if I recall, this failed to bring them back, with Windows 2000 Pro, using the original Active Desktop to display web content.
    Last edited by BeloSolo; 2013-04-28 at 07:52.

  10. #10
    New Lounger
    Join Date
    Jan 2013
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Ben09880 View Post
    ...
    Question:

    Does a sandboxed gadget for reading temperatures work?
    Or a sandboxed gadget used for reading Network Stats?
    In other words, do you know if gadgets that read data from other programs on the local machine run correctly when sandboxed? And how difficult is it to set up?

    If it is viable for MY use, I'll give it a shot as well.

    great engineering mind!
    Thanks also for your interest.

    I assume the process would work equally well for any sandboxed Gadget, as what I did is general and not tailored to any one of them. All I know is, when the cursor is passed over any and all of them, and the left mouse button clicked, the default yellow Sandboxie border surrounds the Gadget -- which to me means it's isolated from your operating system files.

    And, when I Log-Out and Log-In, or reboot, the sandboxed Gadgets reappear in their original places on the Desktop, with any changes to their 'Settings' made while sandboxed, intact in the next session. My MiniBrowser 'communicates' with mshtml.dll, but for other types of communication, I suppose you'd have to try it and see what happens.

    It's possible that some Gadgets may be written to store data in non-standard locations. In that case, the sandbox rule would need an addition, to open the box to that location. Of course, make certain there are no system files in the location the Gadget is trying to access!

    Configuring Sandboxie, for processes no one has ever sandboxed before, can be complicated, so I thought there would be enough interest that a moderator on the Sandboxie forum, or on the Wilders' security forum, would want to say what I was doing was OK.

    On the Wilder's thread, another member even posted the word, "Sandboxie" as his answer, but the others ignored this by saying, good riddance to Gadgets as they were only 'resource wasters' having no benefits.

    Tzuk at Sandboxie pointed me in the right direction on one or two configuration questions, for things that early on were not working, and of course, the suggestions worked when I tried them.

    However, as far as I know, the subject was then dropped on both forums, and I never saw any confirmation from the more-experienced members that my configuration was the best possible, nor if it was, in any way, 'bulletproof'. I never had any feedback on whether or not anyone who's an expert in configuring Sandboxie had, in fact, ever sandboxed a Gadget.

    So with that proviso, here's what is working here:

    Set-up a separate sandbox, with an appropriate name: Gadgets

    Sandbox Settings (Sandboxie v3.76, on Windows 7 Professional, SP1):
    Appearance:
    • Display a (yellow) border around the window (or, the Gadget).
    • Display the border only when the mouse cursor is in the window title.
    Delete Invocation: Automatically delete contents of sandbox.
    Forced Programs: sidebar.exe
    Lingering Programs: sidebar.exe
    Resource Access; File Access; Full Access:
    • Full File Access (OpenPipePath)
    The list below applies to: sidebar.exe
    %Local AppData%\Microsoft\Windows Sidebar\*
    Applications; Miscellaneous:
    [+] Screen Readers: Jaws, NVDA, Window-Eyes, System Access
    Applications; Accessibility:
    Checked: Screen Readers (same as listed above)

    As far as I can see, all of the other settings, if not mentioned, are unchanged from their defaults. Any obvious typos, please ask.

    Having to choose between doing this, and Microsoft's solution -- editing the Registry to disable Gadgets -- I chose to run them sandboxed.

    And, let us not forget, Microsoft's other solution was, after 'crippling' Windows 7, presumably by now 'outdated' (and old fashioned?) it was time to move to the next offering, Windows 8. Yes, their security alert really said that, for those who wished to regain the now-disabled functionality.
    Last edited by BeloSolo; 2013-07-20 at 08:42. Reason: Terminology error corrected.

  11. #11
    2 Star Lounger
    Join Date
    Apr 2013
    Posts
    103
    Thanks
    9
    Thanked 10 Times in 9 Posts
    do all your gadgets retain a yellow border???

    only one of mine gets it, but it loses it a minute later...

    then again, I didn't register sandboxie, so I can't do 'forced programs', 'lingering programs', etc.

  12. #12
    New Lounger
    Join Date
    Jan 2013
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    You have to click once inside the sandboxed Gadget, to Select it, then the yellow border flashes on and off as the cursor passes over the Gadget. This assumes you have Sandboxie set as described above, under Appearance. It's a matter of preference and cosmetics, only -- the Gadget, or for that matter, any sandboxed application, remains protected, whether or not the border is visible.
    Last edited by BeloSolo; 2013-04-27 at 19:50.

  13. #13
    New Lounger
    Join Date
    Jan 2013
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by BeloSolo View Post
    I assume the process would work equally well for any sandboxed Gadget, as what I did is general and not tailored to any one of them. ...
    If a Gadget seems not to work 100% correctly when sandboxed, turn it off (the 'X') and then open the Gadget Gallery. Turn on the Sandboxie Resource Monitor (it should be blank as it opens) and then Open the Gadget that's not behaving right.

    You will see a number of entries appear in the Resource Monitor window, as the Gadget opens and runs. These lines show what the Gadget is accessing on your system. Any with an 'X' in front of them are not 'getting through' the sandbox.

    Look into the rules for the Gadgets sandbox, and look for IPC Access -> Direct Access. When you open this window, you'll see entries quite similar to those displayed by the Monitor. In the case of one Gadget, the problem line with the 'X' contained the term, 'BaseNamedObjects'.

    I entered it, using the entries already there as a syntax-guide.

    In my case, I went back a second time, just to make sure after the first change, that no more 'X''s were appearing. Then, the Gadget operated normally.
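
Added example, not part of any post in this thread and not Sandboxie's own tooling: a small audit of the "open" rules in a sandbox section, for the settings listed in post #10 and the IPC exception described in post #13. It assumes the GUI options map to the Sandboxie.ini keys `ForceProcess`, `LingerProcess`, `AutoDelete`, `OpenFilePath`, `OpenPipePath` and `OpenIpcPath`; the sample file, the `SENSITIVE` list and the IPC object name are constructed.

```python
# Constructed sample of a Sandboxie.ini for illustration; the OpenIpcPath object
# name is a placeholder, not a value taken from the thread.
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
OpenFilePath=C:\Temp\*

[Gadgets]
Enabled=y
AutoDelete=y
ForceProcess=sidebar.exe
LingerProcess=sidebar.exe
OpenPipePath=sidebar.exe,%Local AppData%\Microsoft\Windows Sidebar\*
OpenIpcPath=*\BaseNamedObjects*\ExampleGadgetObject
OpenFilePath=sidebar.exe,C:\Windows\*
"""

OPEN_KEYS = {"openfilepath", "openpipepath", "openkeypath", "openipcpath"}
# Assumed list of locations that should never be opened through the sandbox.
SENSITIVE = ("c:\\windows", "%systemroot%", "c:\\program files", "%programfiles%")


def section_settings(text, section):
    """Return the (key, value) pairs of one [section]; keys may repeat."""
    pairs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def audit(text, section, allowed_process="sidebar.exe"):
    """Flag open rules that are unscoped, mis-scoped, or reach system paths."""
    settings = section_settings(text, section)
    findings = [] if ("AutoDelete", "y") in settings else ["AutoDelete is not enabled"]
    for key, value in settings:
        if key.lower() not in OPEN_KEYS:
            continue
        program, sep, path = value.partition(",")
        if not sep or not program.lower().endswith(".exe"):
            findings.append(f"{key}: not scoped to a program: {value}")
            path = value  # the whole value is the path in the unscoped form
        elif program.lower() != allowed_process:
            findings.append(f"{key}: scoped to unexpected program {program}")
        if path.lower().startswith(SENSITIVE):
            findings.append(f"{key}: opens a system location: {path}")
    return findings


print("\n".join(audit(SAMPLE_INI, "Gadgets")))
```

On the sample it reports the unscoped IPC rule and the rule that opens `C:\Windows`, and accepts the `Windows Sidebar` rule that is limited to sidebar.exe.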

  14. #14
    2 Star Lounger
    Join Date
    Apr 2013
    Posts
    103
    Thanks
    9
    Thanked 10 Times in 9 Posts
    *very* helpful post!

    In working on following your steps, you have put together a darn decent guide in using SandBoxie!

    Thank you for showing me step by step how to set this up- while I haven't registered sandboxie, now I have a 2 step procedure to load my sidebar gadgets securely.

    I also found a gadget that puts a real sidebar on Windows 7; 7 Sidebar.gadget

    thank you for giving me secure gadgets


  15. #15
    New Lounger
    Join Date
    Jan 2013
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Ben09880 View Post
    *very* helpful post!
    ...
    thank you for giving me secure gadgets

    You're welcome. And, thanks for a reference to a Gadget I didn't know about. I'll definitely look into it.

    In turn, Eduardo Mancero's Minibrowser gets my vote: I've got three instances of it running on my Desktop: a Giveaway of the Day ticker, a live currency-exchange graph, and two streaming-video news feeds. I like it because just about anything you can find on the web can instantly be converted into a Gadget.

    It's really because of the Minibrowser's versatility and ability to do so much, with a variety of new sites, that I wanted to do it in a secure fashion. With the Active Desktop, I'd been running only the exchange-rate graph for years and years, without any indication of a security risk coming from the bank. Nor did I really expect one ...

    If you ever get over to the Sandboxie forum, you may want to post a link to the directions here on Windows Secrets, and if anyone 'bites'. I tried, but didn't have much luck -- but I know there are people over there who could just look at the Sandboxie settings, and either say it couldn't be better, or they could offer suggestions to 'tighten' the security more, without harming the Gadgets' functioning. Sandboxie configuration can be complex.
    Last edited by BeloSolo; 2013-04-30 at 13:30.
