Sandboxie fails to purge Sandbox - ACCESS DENIED error on delete invocation

 Hi. I've encountered a troubling error with Sandboxie this morning after having no issues for quite some time.

I'm running on the latest version of Windows 10, with ESET as my antivirus solution. The Sandbox in question contains only Chrome, version 75.0.3770.100.

I first experienced this issue on Sandboxie version 5.31.1

I have since upgraded and seen the issue on Sandboxie 5.31.2

 ---------

 The Issue:

I have a sandbox configured to contain Chrome, which on termination of Chrome processes, auto-deletes the contents of the sandbox. Last night (and for years prior) this was not an issue.

This morning I started up my machine, did some light browsing, and then closed Chrome to go to work. Sandboxie initiated the self-purge of the sandbox, and then gave this error:

The error reads "Delete Sandbox DefaultBox: Could not move the sandbox folder out of the way. The object (file or folder) may be in use by another program. Close any application or windows that may prevent access. System Error Code: Access is denied. (5)"

I attempted to update Sandboxie from 5.31.1 to 5.31.2, but the error persisted.

By rebooting my computer and then invoking a delete sandbox command from Sandboxie, I was able to purge the sandbox - But only if it was the first thing I did. If I opened Chrome again, then the error would repeat. It is not possible to purge the sandbox unless the system is rebooted again.

All Chrome processes are terminated when this error is observed. The Sandbox lists no processes running within it, and Process Explorer doesn't show any Chrome processes running.

By manually going into the sandbox folder, I was able to find the file that is giving the problem:

RegHive seems to be the culprit, though I'm not sure how. Somehow this file is in use and/or access to it is denied to both me, and from Sandboxie.

 --------------

 Any help on this would be greatly appreciated. I'm not sure why everything would have been fine last night, and now suddenly this is happening - As I installed no new software, and not even any updates were applied. I fear something nefarious may be afoot, but an ESET scan is not revealing anything.

 If anyone could provide assistance, I am getting worried and would thank you profusely for helping to determine just what is going on here. Thanks.

 EDIT: After a deeper Google Search, it appears this issue has been discussed numerous times on the old forums. Is there any way to access that knowledge? Clicking each Google search result link just brings me right back here, and there's no cached versions to view.

Parents
  • Hi Carbonyl,

    This is a fairly common scenario, and it is usually triggered by AVs holding on to files. 

    A few suggestions:
    -Try a leader program setting for Chrome https://www.sandboxie.com/ProgramStopSettings#leader
    -Add Sandboxie to the AVs exclusions and see if that helps. 

    The last option is what you already figured out, a reboot takes care of whatever is holding on the files and allows Sandboxie to empty the contents. 

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • Hi Barb,

    Thanks for the fast reply. I very much appreciate the information. Just to be clear, does the frequency of this issue indicate it's fairly benign? It's the first time I've seen it, and it has me quite worried.

    To respond to your suggestions:

    -At present the sandbox in question already has Chrome as a leader program. The sandbox was configured this way before the issue occurred, and the settings are still configured that way. From what I can tell, no processes are running in the sandbox at all when this error is encountered.

    -I believe I had already added Sandboxie to the exclusions list in ESET, but I will verify that once I get home from work to check on that today.

    As an additional question: Is there any way to determine what program is holding on to RegHive? It seems to be quite persistent, but I can't find out what program is doing it in this case.

    I'd prefer not to have to reboot my computer every time I want to purge the Sandbox!

     

    Thanks very much for your help on this matter. I will also update as I learn more.

  • tec tec said:
    Maybe it's because of what Eset last marked as scanned. Run a full scan, maybe the problem will occur less often.

    Worth a shot, perhaps if there's no registry changes made over the course of a session then cached scan results might help.

     

    tec tec said:
    Did you refer Eset Support to this thread? This might help to increase the priority a bit. Unfortunately this is probably not the case.

    I had not, yet I've now tacked this into the ticket.

     

    tec tec said:
    I've already checked with ProcessMonitor (also started as admin) what accesses the registry keys HKEY_USERS\Sandbox_, but nothing is found if you exclude the processes of Sandboxie and the software itself. So it can't be ekrn.exe.

    I've not tried Process Monitor yet.  Though Process Explorer, Process Hacker, Lock Hunter, etc, list ekrn as the culprit.  I'd expect that perhaps the method employed for monitoring access is different in Process Monitor.  -- At the very least we know that if NOD32 is uninstalled or real-time protection is disabled, the problem goes away.  {It minimally has to be some form of interaction involving ESET's real-time scanner}

     

     -- One of the initial troubleshooting steps that I tried was a Win10 VM as a fresh install of 1903, rather than my feature-upgraded.  That said, DISM and sfc /scannow come back clean (no errors).

  • The Process Explorer only shows which process was started by which one. It can't show registry calls, or am I missing something?

    Since my upgrade of PDFCreator (which has nothing to do with Sandboxie) suddenly prevented all sandboxes that were currently in use from being cleared, Eset must have blocked a registry key that was also used by software outside of Sandboxie.

    As an attempt, I nevertheless enter the RegHive file into Eset's scan exceptions: C:\Sandbox\username\*RegHive


    Windows 7 x64 with all updates • Sandboxie 5.31.6 x64 • Browser (each with its own sandbox, cleared on exit): Firefox 70 x64, Internet Explorer 11, Pale Moon 26.5.0 x86 • Eset Internet Security 13

  • tec tec said:
    The Process Explorer only shows which process was started by which one. It can't show registry calls, or am I missing something? 

    Process Explorer [and Process Hacker] can't list registry-access persay, yet they can list all opened handles by a given process.  Or specifically in this case the file-handle of Sandboxie's mounted hive.  If Sandboxie is completely closed {including the service unloaded}, the only remaining software with open handles for the hive are Windows (system) and ekrn.

     

    I had not tried placing exclusions based on the hive files -- only by application exclusions, I'll have to give that a shot too.

  • Scan exception: C:\Sandbox\username\*RegHive doesn't help. :-|

    Edit: The coming cleaner module 1197 (currently 1195) could be the solution.

    forum.eset.com/.../


    Windows 7 x64 with all updates • Sandboxie 5.31.6 x64 • Browser (each with its own sandbox, cleared on exit): Firefox 70 x64, Internet Explorer 11, Pale Moon 26.5.0 x86 • Eset Internet Security 13

  • Awesome!  Glad that this is getting adequate publicity and that ESET is looking into it. (more than I was let on to believe in my ticket and calls!)

    Can't wait to switch back off Avira.

  • ESET Cleaner module 1197 has fixed the issue for me on two 7x64 machines.

  • Page42 said:

    ESET Cleaner module 1197 has fixed the issue for me on two 7x64 machines.

     

    How can I get this "ESET Cleaner module 1197" so that the problem goes away? Will it be downloaded as a virus definitions update by itself or do I downlaod it from somewhere?

    I have ESET Antivirus for Business, version 6.something.

    Thank you.

  • I joined this forum this morning just to say thanks for this thread. Once I found this thread it was a simple matter to set the two Win7/x64 machines I use to download pre-release updates. Once ESET Cleaner module 1197 installed and I rebooted, Sandboxie is working normally.

     

    Thanks again to everyone in the thread.

  • Set your ESET updates to download pre-release updates instead of regular updates. Then go to update screen and click on Update Now.

    After that you can check view all modules to make sure you received the update.

Reply Children