All shortcuts/hotkeys conflicts/occupied when a program is running inside sandboxie?

[skygunner]

Hi,

Tried to google this but no result.

When a program is running inside sandboxie, it seems all shortcuts/hotkeys have became conflict and not useable by this program?

Is there any settings or solution?

Windows 10 20H2
Sandboxie 5.43.7

[DavidXanatos]

This is a security restriction of sandboxie,
I could add an option to lift that restriction for selected boxes.

[skygunner]

That would be handy like allow the user to control if the shortcuts/hotkeys will be passed through into the boxed app

[DavidXanatos]

I have to look into it a bit deeper, on a first glance it seams that to alow hotkeys its necessary to disable one of the core security guarantees.

So to make it work properly and securely it would be required to intercept the call to RegisterHotKey and make a helper service register hotkeys on the behalf of the sand-boxed applications and relay detected events to the sand-boxed applications.

[DavidXanatos]

If you want to take the risks you can add
OpenWinClass=*
to the box you need the hot keys to work from.
But that will allow sandboxed programs to talked to unsandboxed windows and so in, hence its really not recommended.

[Jayve]

@DavidXanatos
Thank you!
After adding OpenWinClass=*,
The shortcut keys worked.
But the tray icon of the program cannot appear in the tray, how to fix this?

[Nacho-Neko]

@Jayve , are you try use tencent soft in sandboxie?

[bigfoxtail]

@Jayve , are you try use tencent soft in sandboxie?

QQ WeChat BaiduNetdisk tray icon not found

[stickynoteme]

I'm trying to get sandboxie to let me send global hotkeys to text aloud, I don't care about security with it, I just want to be able to run two copies of text aloud for personal accessibility reasons which it doesn't' allow natively.

adding: OpenWinClass=*
to the sandbox ini didn't allow the global hotkeys to work, and it also caused the tray Icon to fail to load as well as mentioned above by others.

[mitchcapper]

I was able to get around this by doing my own proxy shortcut handler and would be happy to take a wack at adding such a proxy to the code itself. I am not overly familiar with the sandboxie infrastructure and while I read the service docs (not sure what else would be good) I am not sure where things would go. There is the sandman process that already has UGlobalHotkey and so could use that (assuming it is desirable over the native api calls).

I realize I could use the SboxDll to override the native call in a per process injection option, but there is likely a better way. You hook so many calls I am not sure if there is a standard I should follow.

For communication between inside the sandbox and outside what service should I use ?

If there is a sample of a similar control/comm style I can read that code and try from there. Windows ( I believe ) monitors for the thread that created the hotkey is associated with and if it ends it unregisters the hotkey automatically. I would assume we would want a similar watchdog, but also assume that should be doable from the sandman external process(or service) rather than having to run anything inside the box.

[DavidXanatos]

@mitchcapper
you need to use the sbiesvc, it starts a gui worker instance of itself in the user's session and provides a communication facility to call functions inside that worker.
look at ´´´bool GuiServer::CreateQueueSlave(const WCHAR *cmdline)´´´ for all the functions that are already proxied

I haven't looked into if RegisterHotKey can be called from one process to register the hotkey for a hwnd belonging to an other process. if that works that would simplify things. But than we still have the case when hwnd is NULL and the calling thread is to be notified.

So for a fully featured solution the sbiesvc worker will need to receive all the hotkey events and send them to the sandboxed program that registered the particular hotkey.

Best would be to implement this in a similar manner as what I did for SetWindowsHookEx, we create a listener thread in the process that set the hook or here the hot key, and if the sbiesvc receives a hotkey it uses QueueUserAPC to notify the process, which then internally does the required operations.

It would be also needed to add an additional thread to the sbiesvc worker to listen for the hotkey events.

[mitchcapper]

Thanks for the guidance.

I haven't looked into if RegisterHotKey can be called from one process to register the hotkey for a hwnd belonging to an other process. if that works that would simplify things.

I too thought that might be a great solution on a previous project (low integrity process related) but no, you cannot even modify or receive hotkey messages on a different thread from the one originally (this includes you can't register a hotkey for a window created on the main thread from a background thread). I think no matter what the app requests the external process registers them all on the same thread callback and then dispatches them to the sandboxed process in the form they want. I assume you want to also follow the same rules as MS (only can interact with a hotkey on the thread registered).

The fact SetWindowsHookEx has similar proxying already is fantastic, ill look at that for an example.

[KelvinChi]

I used AutoHotkey to implement the interface toggle function of WeChat in Sandboxie using hotkeys. Below is the AutoHotkey hotkey setting code, which toggles the WeChat interface with alt + w:

; Set key binding to Alt + W
!w::
{
    ; Try to get the process name of the current active window
    activeProcess := WinGetTitle("A")
    ; If the process of the current active window contains "WeChat", close the window
    if (activeProcess ~= "WeChat")
    {
        ; Close the current active window
        WinClose("A")
    }
    else
    {
        ; If it's not WeChat, run the following command
        Run("D://Program Files//Sandboxie-Plus//Start.exe /box:CK D://Program Files//Tencent//WeChat//WeChat.exe")
    }
return
} 

you can print current window name by order below:

!p::
{
    windowTitle := WinGetTitle("A")

    MsgBox(windowTitle)
return
}

[inko16]

I run Wechat inside a sandbox on Windows 11 24H2 (Build 26100) with Sandboxie-Plus Version: 1.13.3 (5.68.3), it gives message below:

Your Windows build 26100 exceeds the current support capabilities of your Sandboxie version, resulting in the disabling of token-based security isolation. Consequently, all applications will operate in application compartment mode without secure isolation.
Please check if there is an update for sandboxie.

SBIE1207 Your Windows build (26100) is not yet supported by Sandboxie, which means applications will run without security isolation!

and all keyboard shortcuts are working fine now.

so if the software is not harmful, disabling security isolation is the solution.