Sandboxie causing "An anonymous session connected from [MY COMPUTER NAME] has attempted to open an LSA policy handle ..." on Windows 10

OS: Windows 10 x64 1809

Sandboxie Version: 5.30

Anti Virus: Kaspersky Internet Security v2019

Steps to reproduce: Simply run Firefox(v57) in Sandboxie mode

Screenshot(not mine, but same): filedb.experts-exchange.com/.../LSAsrv-Error2.JPG

Event ID in Event Viewer: 6033

Hello.

After upgrading Windows 7 to Windows 10, whenever I launch Firefox in Sandbox mode I get the following error in the Event Viewer:

"An anonymous session connected from [MY COMPUTER NAME] has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
This message will be logged at most once a day."

As confirmed by https://www.tenforums.com/general-support/84319-event-id-6033-lsa-lsasrv.html it is a Sandboxie problem.

I never saw this event before. I run Sandboxie on multiple machines, all Windows 7; this is now the only one running Windows 10 and the only one with this issue.

The anonymous "attack", if so it can be called, is coming from my own machine.

Is this a known issue?

Edit: I clean installed Windows 10 v1809 and the problem persists.

Thank you.
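
Added example, not part of the original post: a PowerShell check that lists the Event ID 6033 entries quoted above and reports whether the `TurnOffAnonymousBlock` workaround named in the message has been applied. It assumes the event is written to the System log, which the post does not state.

```powershell
# Added example: audit Event ID 6033 and the workaround value named in its message.
# Assumption: the event is recorded in the System log.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'TurnOffAnonymousBlock'

# 1. Collect every 6033 entry still present in the log.
#    Get-WinEvent raises an error when nothing matches, so suppress it and wrap in @().
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6033 } `
                         -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'No Event ID 6033 entries found in the System log.'
} else {
    # The message states it is logged at most once a day, so expect one entry per day.
    # The timestamps can be lined up with the times sandboxed programs were started.
    $events |
        Sort-Object TimeCreated |
        Group-Object { $_.TimeCreated.Date.ToString('yyyy-MM-dd') } |
        ForEach-Object {
            [pscustomobject]@{
                Day       = $_.Name
                Count     = $_.Count
                FirstSeen = $_.Group[0].TimeCreated
                Source    = $_.Group[0].ProviderName
            }
        } |
        Format-Table -AutoSize
}

# 2. Report whether the temporary workaround from the event text is in place.
#    Per the message, a value of 1 disables the anonymous-caller block.
$prop = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue

if ($null -eq $prop) {
    Write-Output "$valueName is not set: the workaround has not been applied."
} elseif ($prop.$valueName -eq 1) {
    Write-Warning "$valueName = 1: the anonymous LSA policy block is turned off."
} else {
    Write-Output "$valueName = $($prop.$valueName): the workaround is not active."
}
```

Reading the System log and this registry key does not normally require elevation, but run it from an administrator prompt if access is denied.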

  • I'm having this exact same error but I'm using Win7 64-bit, Sandboxie v5.30.

    All drivers and OS updates are current. I'm using Firefox and Waterfox.

  • Hi Sam.

    Thank you for the update, I'm glad I'm not the only one. Never had such issues on Windows 7 myself, did you have them before installing v5.30?

    With all that has been going on with Sandboxie in the last few months I prefer not to see such errors which could be interpreted as some sort of Malware infection.

  • Hi sandboxieuser456,

    I have been trying hard to duplicate this on purpose but without any luck. It appears random but I should know something more in a couple of days.

    The only thing left on my system that could trigger this event is Sandboxie. So we'll see.

  • Just for your information: It is clearly related to Sandboxie version 5.30 and a sandboxed Firefox. If I install the previous version 5.28, the message never appears. If I reinstall version 5.30, a sandboxed Firefox will trigger this message every day. That's why it's very strange that there were supposedly no changes...

    [Windows 10 1803, Sandboxie 5.30, Windows Defender]

  • I believe Sam encountered the problem with Sandbox v5.28 as well but I stand corrected.

    It's also an issue first reported in May 2017 (maybe earlier) so it's pre v5.30.

    But it's definitely a Sandboxie issue, I find it hard to believe that Kaspersky, Comodo, ESET and Windows Defender all have the same issue.

  • Hi sandboxieuser456,

    You are correct, I did encounter it with v5.28. After uninstalling Intel Turbo Booster I haven't come across it yet but it's still too soon to tell on my machine. If something is going to happen it will tomorrow or the next (going by the pattern on my machine).

    This is an odd error because the Turbo and Sandboxie have been installed since I first bought the computer and the only one that has been updated is SB.

    I haven't had any issues until recently, which would indicate a possibility that a Windows update did something to cause Sandboxie to trigger the error on Win7 and Win10 machines.

    I'm going to go through the windows updates and see if there is anything that could possibly cause this to happen.

  • Thank you for the update Sam.

    On my side I am now taking care of another upgrade + clean install with KIS 2019 installed.

    There are two minor differences, the upgrade is to Win 10 32bit v1903 and not v1809. The clean install will be to Win 10 x64 v1809 though (I don't trust v1903 yet).

    Here are the results:

    Windows 10 v1903, x86, KIS 2019, Firefox default profile: No event logged

    Windows 10 v1903, x86, KIS 2019, My backed-up Firefox profile: No event logged

    Windows 10 v1809, x64, KIS 2019, My backed-up Firefox profile: Yet to check.

  • Interesting results sandboxieuser456.

    This morning I woke up to the LsaSrv error. There is no doubt that it's sandboxie but I think something else with sandboxie triggers the event.

    I reached out to 2 friends and my son a little while ago because they use sandboxie, also. 2 out of the 3 have the event. All 3 use Comodo Internet Security and are on Win10 64-bit (1809 and (2)1903). None run any type of server software. The one that didn't have the event is on the 1809.

    I finally upped to v5.30 and will install the May Windows updates later. This is so mysterious and I have no clue what is causing it.

    I hope the Devs figure it out because I really don't know where to go from here. This really needs to be resolved.

  • Hi Sam.

    By any chance, do you have Giorgio Maone's NoScript installed in Firefox?

    I noticed a strange behaviour this afternoon on machine #1, the NoScript icon was a gray square box(also outside the Sandbox). I uninstalled and reinstalled the extension and it's now working again with and without Sandboxie.

    I'm not entirely sure it's related but as we're in the dark, I preferred to add it to the thread.

    I will complete the clean installation of machine #2 tomorrow so I'll have news on that one as well.

    Edit: No event logged on machine #1 today, could it be related to NoScript? Will soon have news on machine #2, almost there.

    Edit #2: Machine #2 tested, has same issue.

    Edit #3: Machine #1 again logging the event this morning, it did not yesterday because it is probably related to "This message will be logged at most once a day."

  • Hi sandboxieuser456,

    I do use NoScript and have it installed in several sandboxes. I don't see any abnormal behavior with that plugin on my machine. I suspect it's not the problem because it's a "logging-in" issue and NoScript is not run as a server and it doesn't log in. Doesn't hurt to throw things on the table though.

    I just rebuilt my drive from the ground up instead of using an image and Win7 and SB are fully patched - (May updates & v5.30, respectively).

    Now it's a waiting game... again!

    Oh, boy... It's so fun being a techie. 

  • Hi Sam.

    I confirm NoScript was an unlucky coincidence, I will clean install on another machine next week but since I'll install KIS 2019 as it was the case on the other two, I see no reason why it should behave differently.

  • Hi sandboxieuser456,

    I believe I found the issue on my machine - the Intel Turbo Booster. Before building the new drive, I was using an image that had an older version of the Turbo util. When I rebuilt from scratch I couldn't find the util anywhere and had to download it from the ASUS website. I noticed it was a different version.

    Currently, I have not had any errors, and before the fresh drive build I also had a "side-by-side" event viewer error which means a program is conflicting with C++ runtime libraries. Neither of the errors has shown since the Turbo update. Going by previous patterns, if it does happen, it will within the next 24 hours but I suspect the issue has been addressed. The other two people I mentioned who had these errors also have ASUS with the Turbo installed. It should fix it for them, too.

    This however doesn't explain why it was an issue in the first place, being that SB and the Turbo played well together for years. I think when I uninstalled Turbo and still got the LSASrv error, maybe there were some remnants of the program that didn't get completely uninstalled. Going back to my earlier thinking, I believe ultimately it's related to either a Windows update or .NET update that changed something that caused these programs to act differently than they normally would.

    Did you contact KIS devs about the issue?

  • Apologies for the late reply, Sam.

    Kaspersky asked for a GSI report which I cannot provide as these systems are used by multiple users so I'm basically stuck on square one.

    Is everything still fine with your machines after the changes?

  • Hi sandboxieuser456,

    Everything on my end is working within the expected parameters - no more LsaSrv errors.

    Well, you have one system that isn't acting right; maybe try a different security suite to solve the problem?

    I really like Comodo but I don't recommend the default settings because it doesn't protect very well. With a few minor adjustments it becomes a powerful weapon in the hands of a user. In fact in 2017, WikiLeaks did a CIA data dump on security software they hacked - (Avast, Kaspersky, McAfee, Norton, Microsoft Security Essentials) and it’s interesting what they said about Comodo. Quote:

    "Security software firm Comodo, which deals with business solutions, received perhaps the best badge of honor from the CIA, described as: "a colossal pain in the posterior."

    It literally catches everything until you tell it not to, including standard windows services (say what?!?), the documents state."

    Also, it's annoying for a couple of weeks when you first install it because it needs to learn the software installed on the computer and user's habits. You'll get a lot of pop-ups but that's only temporary. If you decide to try it let me know and I'll share some helpful tweaks to get you started.