Sandboxie causing "An anonymous session connected from [MY COMPUTER NAME] has attempted to open an LSA policy handle ..." on Windows 10

OS: Windows 10 x64 1809

Sandboxie Version: 5.30

Anti Virus: Kaspersky Internet Security v2019

Steps to reproduce: Simply run Firefox(v57) in Sandboxie mode

Screenshot(not mine, but same): filedb.experts-exchange.com/.../LSAsrv-Error2.JPG

Event ID in Event Viewer: 6033


Hello.

After upgrading Windows 7 to Windows 10, whenever I launch Firefox in Sandbox mode I get the following error in the Event Viewer:

"An anonymous session connected from [MY COMPUTER NAME] has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
This message will be logged at most once a day."

As confirmed by https://www.tenforums.com/general-support/84319-event-id-6033-lsa-lsasrv.html it is a Sandboxie problem.

I never saw this event before, I run Sandboxie on multiple machines, all Windows 7, this is now the only one running Windows 10 and the only one with this issue.

The anonymous "attack", if so it can be called, is coming from my own machine.

Is this a known issue?

Edit: I clean installed Windows 10 v1809 and the problem persists.

Thank you.
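
To correlate the once-a-day event with what was running, and to confirm the workaround named in the message has not been applied, the following can be run from an elevated PowerShell prompt. It is an added example, not part of the original post; it assumes the event is written to the System log, which the post does not state.

```powershell
# Added example, not from the thread.
# Assumption: Event ID 6033 is written to the System log (the post only says "Event Viewer").
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6033 } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Event ID 6033 entries found in the System log.'
} else {
    # The message is logged at most once a day, so expect at most one row per day.
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, ProviderName, MachineName,
            @{ Name = 'FirstLine'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}

# Check the workaround value named in the event text.
# Per the message, a DWORD value of 1 disables the anonymous block.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$prop   = Get-ItemProperty -Path $lsaKey -Name 'TurnOffAnonymousBlock' -ErrorAction SilentlyContinue

if ($null -eq $prop) {
    Write-Output 'TurnOffAnonymousBlock is not set: the workaround has not been applied.'
} elseif ($prop.TurnOffAnonymousBlock -eq 1) {
    Write-Output 'TurnOffAnonymousBlock = 1: the anonymous block has been disabled on this machine.'
} else {
    Write-Output "TurnOffAnonymousBlock = $($prop.TurnOffAnonymousBlock)"
}
```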

  • Interesting results sandboxieuser456.

    This morning I woke up to the LsaSrv error. There is no doubt that it's sandboxie but I think something else with sandboxie triggers the event.

    I reached out to 2 friends and my son a little while ago because they use sandboxie, also. 2 out of the 3 have the event. All 3 use Comodo Internet Security and are on Win10 64-bit (1809 and (2)1903). None run any type of server software. The one that didn't have the event is on the 1809.

    I finally upped to v5.30 and will install the May Windows updates later. This is so mysterious and I have no clue what is causing it.

    I hope the Devs figure it out because I really don't know where to go from here. This really needs to be resolved.

  • Hi Sam.

    By any chance, do you have Giorgio Maone's NoScript installed in Firefox?

    I noticed a strange behaviour this afternoon on machine #1: the NoScript icon was a gray square box (also outside the Sandbox). I uninstalled and reinstalled the extension and it's now working again with and without Sandboxie.

    I'm not entirely sure it's related but as we're in the dark, I preferred to add it to the thread.

    I will complete the clean installation of machine #2 tomorrow so I'll have news on that one as well.

    Edit: No event logged on machine #1 today, could it be related to NoScript? Will soon have news on machine #2, almost there.

    Edit #2: Machine #2 tested, has same issue.

    Edit #3: Machine #1 again logging the event this morning, it did not yesterday because it is probably related to "This message will be logged at most once a day."

  • Hi sandboxieuser456,

    I do use Noscript and have it installed in several sandboxes. I don't see any abnormal behavior with that plugin on my machine. I suspect it's not the problem because it's a "logging-in" issue and NoScript is not run as a server and it doesn't log in. Doesn't hurt to throw things on the table though.

    I just rebuilt my drive from the ground up instead of using an image and Win7 and SB are fully patched - (May updates & v5.30, respectively).

    Now it's a waiting game... again!

    Oh, boy... It's so fun being a techie. 

  • Hi Sam.

    I confirm NoScript was an unlucky coincidence, I will clean install on another machine next week but since I'll install KIS 2019 as it was the case on the other two, I see no reason why it should behave differently.

  • Hi sandboxieuser456,

    I believe I found the issue on my machine - the Intel Turbo Booster. Before building the new drive, I was using an image that had an older version of the Turbo util. When I rebuilt from scratch I couldn't find the util anywhere and had to download it from the ASUS website. I noticed it was a different version.

    Currently, I have not had any errors, and before the fresh drive build I also had a "side-by-side" event viewer error, which means a program is conflicting with C++ runtime libraries. Neither of the errors has shown since the Turbo update. Going by previous patterns, if it does happen, it will within the next 24 hours, but I suspect the issue has been addressed. The other two people I mentioned who had these errors also have ASUS with the Turbo installed. It should fix it for them, too.

    This however doesn't explain why it was an issue in the first place, being that SB and the Turbo played well together for years. I think when I uninstalled Turbo and still got the LSASrv error, maybe there were some remnants of the program that didn't get completely uninstalled. Going back to my earlier thinking, I believe ultimately it's related to either a Windows update or .NET update that changed something that caused these programs to act differently than they normally would.

    Did you contact KIS devs about the issue?

  • Apologies for the late reply, Sam.

    Kaspersky asked for a GSI report which I cannot provide as these systems are used by multiple users so I'm basically stuck on square one.

    Still everyone fine with your machines after the changes?

  • Hi sandboxieuser456,

    Everything on my end is working within the expected parameters - no more LsaSrv errors.

    Well, you have one system that isn't acting right; maybe try a different security suite to solve the problem?

    I really like Comodo but I don't recommend the default settings because it doesn't protect very well. With a few minor adjustments it becomes a powerful weapon in the hands of a user. In fact in 2017, WikiLeaks did a CIA data dump on security software they hacked - (Avast, Kaspersky, McAfee, Norton, Microsoft Security Essentials) and it’s interesting what they said about Comodo. Quote:

    "Security software firm Comodo, which deals with business solutions, received perhaps the best badge of honor from the CIA, described as: "a colossal pain in the posterior."

    It literally catches everything until you tell it not to, including standard windows services (say what?!?), the documents state."

    Also, it's annoying for a couple of weeks when you first install it because it needs to learn the software installed on the computer and user's habits. You'll get a lot of pop-ups but that's only temporary. If you decide to try it let me know and I'll share some helpful tweaks to get you started.