Actual Window Manager template has stopped working #1685

Open
isaak654 opened this issue Mar 12, 2022 · 1 comment
Labels
help wanted Extra help is needed template request Possibly linked to template requests ToDo To be done


isaak654 commented Mar 12, 2022

What happened?

Source:
https://www.wilderssecurity.com/threads/sandboxie-plus-v1-0-11.444070/page-7#post-3069615
https://www.wilderssecurity.com/threads/sandboxie-plus-v1-0-11.444070/page-7#post-3069808
https://www.wilderssecurity.com/threads/sandboxie-plus-v1-0-11.444070/page-8#post-3070021

Since some versions of Sandboxie (classic x64) the template for the "Actual Window Manager" (Actual Tools) does not work anymore. I thought for a long time that it was due to the browsers' own protection techniques, because Actual Window Manager stopped working in the browsers. But now I see that it no longer works for all windows in sandboxes.

Edit: The reason seems to be not a change in Sandboxie, but in the current version 8.14.6.1 of the Actual Window Manager. Up to version 8.14.5 it still works, since version 8.14.6.1 it does not. I hope David can adjust the template so that it works again.

Sandboxie classic x64 v5.55.11
Windows 7 x64
(But also on Windows 10 VM and there also with "plus 1.0.11")

AWM_1

I tried to find a solution today with the resource access monitor. I noticed that in the template the OpenIpcPath "*\BaseNamedObjects*\*_ServiceMapping" is no longer sufficient. A wildcard must now be added at the end.

Now AWM works again in sandboxes, but the buttons are invisible. If you move the mouse over the places where they should be, you can see their tooltips. Clicking on them only works for the invisible "Always on top" button, for the others it does nothing.

AWM_2

An additional single wildcard (*) in OpenWinClass works, but cannot be the solution.
I had tried all values from the WinClass Resource Access Monitor, of course with substrings and wildcards, but none of it worked.

AWM_3

Note: I suspect it could be partially related to #1667, since both Listary & Actual Window Manager templates allow overwriting graphical elements. I would suggest verifying possible connections between them.

To Reproduce

I can reproduce it on the Win7 VM with IE11 that can be downloaded from here (Virtualbox).

Download link of Actual Window Manager: https://www.actualtools.com/windowmanager/

Template in question:

```ini
[Template_ActualWindowManager]
Tmpl.Title=Actual Tools Actual Window Manager
Tmpl.Class=Desktop
Tmpl.Url=http://www.actualtools.com/
OpenIpcPath=*\BaseNamedObjects*\*_ServiceMapping
OpenIpcPath=*\BaseNamedObjects*\*_ParamStrings_*
OpenIpcPath=*\BaseNamedObjects*\MMF{*}
OpenIpcPath=*\BaseNamedObjects*\ActualTools*
OpenWinClass=*_MessengerServerWindow
Tmpl.Scan=s
Tmpl.ScanIpc=*\BaseNamedObjects*\ActualTools_*
```

Another issue I found is that the latest two Scan options don't allow the template to be recognized in the Software Compatibility tab (that should happen when you are running the program outside of the sandbox).

Expected behavior

A working template when you open a Windows Explorer session inside a sandbox (see the third pic with the extra buttons that should be on the title bar).

What is your Windows edition and version?

I reproduced it on a Windows 7 VM, but the original report was written by the Wilders member "100".

In which Windows account you have this problem?

A local or Microsoft account without special changes.

What version of Sandboxie are you running?

Plus 1.0.10-1.0.13

Is it a regression?

No response

List of affected browsers

No response

In which sandbox type you have this problem?

In a Standard isolation sandbox (yellow sandbox icon).

Is the program installed outside the sandbox?

It is only installed and running outside the sandbox.

Can you reproduce this problem on an empty sandbox?

I can confirm it also on an empty sandbox with a sandboxed explorer.exe session (while AWM is running in the outside system).

Workaround

  1. Add NoAddProcessToJob=y (not OpenWinClass=* because it's considerably less safe).
  2. Add a final asterisk at the end of *\BaseNamedObjects*\*_ServiceMapping template rule.

@DavidXanatos

I should really look into how much isolation is actually really lost when the job object is disabled,
one that I know of is clipboard isolation,
but it would be good to have a full list of what is not covered by UIPI, because possibly on modern Windows we may opt for using the job object only for the enhanced isolation boxes.
I asked Curt (one of the old Sophos devs) about that some time ago but he did not know either.

@isaak654 isaak654 added ToDo To be done and removed to investigate labels Apr 11, 2022
@isaak654 isaak654 added template request Possibly linked to template requests help wanted Extra help is needed labels May 28, 2022
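
Why step 2 of the workaround is needed, and why `OpenWinClass=*` is the broader alternative, shown as an added Python example (not part of the issue and not Sandboxie's own code). It assumes `*` matches any run of characters against the whole object name, case-insensitively; the object names are constructed and the helper names are hypothetical.

```python
import re

# Open* rules copied from the template in the issue (Tmpl.* lines left out).
TEMPLATE = r"""
[Template_ActualWindowManager]
OpenIpcPath=*\BaseNamedObjects*\*_ServiceMapping
OpenIpcPath=*\BaseNamedObjects*\*_ParamStrings_*
OpenIpcPath=*\BaseNamedObjects*\MMF{*}
OpenIpcPath=*\BaseNamedObjects*\ActualTools*
OpenWinClass=*_MessengerServerWindow
"""

# Constructed object names (not taken from AWM): one ends at
# _ServiceMapping, the other carries an extra suffix after it.
OLD_NAME = r"\Sessions\1\BaseNamedObjects\Demo_ServiceMapping"
NEW_NAME = r"\Sessions\1\BaseNamedObjects\Demo_ServiceMapping_1234"

def parse_rules(text):
    """Return (setting, pattern) pairs, skipping section headers and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        rules.append((key.strip(), value.strip()))
    return rules

def to_regex(pattern):
    """Assumed semantics: '*' is any run of characters, case-insensitive."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

def covering_rules(rules, setting, name):
    """Patterns of the given setting that match the whole object name."""
    return [p for k, p in rules if k == setting and to_regex(p).fullmatch(name)]

def catch_all_rules(rules):
    """Rules made only of wildcards: they open every object of that type."""
    return [(k, p) for k, p in rules if p and not p.strip("*")]

def with_trailing_wildcard(rules, pattern):
    """Workaround step 2 for one rule: append '*' unless already present."""
    return [(k, p + "*" if p == pattern and not p.endswith("*") else p)
            for k, p in rules]
```
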

rugabunda commented Oct 29, 2022

referencing #1667

> Note: I suspect it could be partially related to #1667, since both Listary & Actual Window Manager templates allow overwriting graphical elements. I would suggest verifying possible connections between them.

Just updated to SBIE 1.5.1, and I noticed that Listary is working now, mostly. Jumping from an Explorer window to a sandboxed Firefox "Save As" or "Open" box works properly. The only issue is that the Listary box is not linked to the bottom of the "Save As" window... it's free floating.

@isaak654, have the other issues you mention been alleviated as well?
