Sandboxie fails to purge Sandbox - ACCESS DENIED error on delete invocation

Hi. I've encountered a troubling error with Sandboxie this morning after having no issues for quite some time.

I'm running on the latest version of Windows 10, with ESET as my antivirus solution. The Sandbox in question contains only Chrome, version 75.0.3770.100.

I first experienced this issue on Sandboxie version 5.31.1

I have since upgraded and seen the issue on Sandboxie 5.31.2

---------

The Issue:

I have a sandbox configured to contain Chrome, which on termination of Chrome processes, auto-deletes the contents of the sandbox. Last night (and for years prior) this was not an issue.

This morning I started up my machine, did some light browsing, and then closed Chrome to go to work. Sandboxie initiated the self-purge of the sandbox, and then gave this error:

The error reads "Delete Sandbox DefaultBox: Could not move the sandbox folder out of the way. The object (file or folder) may be in use by another program. Close any application or windows that may prevent access. System Error Code: Access is denied. (5)"

I attempted to update Sandboxie from 5.31.1 to 5.31.2, but the error persisted.

By rebooting my computer and then invoking a delete sandbox command from Sandboxie, I was able to purge the sandbox, but only if it was the first thing I did. If I opened Chrome again, then the error would repeat. It is not possible to purge the sandbox unless the system is rebooted again.

All Chrome processes are terminated when this error is observed. The Sandbox lists no processes running within it, and Process Explorer doesn't show any Chrome processes running.

By manually going into the sandbox folder, I was able to find the file that is giving the problem:

RegHive seems to be the culprit, though I'm not sure how. Somehow this file is in use and/or access to it is denied to both me, and from Sandboxie.

--------------

Any help on this would be greatly appreciated. I'm not sure why everything would have been fine last night and now suddenly this is happening, as I installed no new software and no updates were applied. I fear something nefarious may be afoot, but an ESET scan is not revealing anything.

If anyone could provide assistance, I am getting worried and would thank you profusely for helping to determine just what is going on here. Thanks.

EDIT: After a deeper Google search, it appears this issue has been discussed numerous times on the old forums. Is there any way to access that knowledge? Clicking each Google search result link just brings me right back here, and there are no cached versions to view.

  • In reply to A2Razor:

    Maybe it's because of what Eset last marked as scanned. Run a full scan, maybe the problem will occur less often.

    Did you refer Eset Support to this thread? This might help to increase the priority a bit. Unfortunately this is probably not the case.

    Edit: I've already checked with ProcessMonitor (also started as admin) what accesses the registry keys HKEY_USERS\Sandbox_, but nothing is found if you exclude the processes of Sandboxie and the software itself. So it can't be ekrn.exe.

  • In reply to tec tec:

    tec tec
    Maybe it's because of what Eset last marked as scanned. Run a full scan, maybe the problem will occur less often.

    Worth a shot, perhaps if there's no registry changes made over the course of a session then cached scan results might help.

     

    tec tec
    Did you refer Eset Support to this thread? This might help to increase the priority a bit. Unfortunately this is probably not the case.

    I had not, yet I've now tacked this into the ticket.

     

    tec tec
    I've already checked with ProcessMonitor (also started as admin) what accesses the registry keys HKEY_USERS\Sandbox_, but nothing is found if you exclude the processes of Sandboxie and the software itself. So it can't be ekrn.exe.

    I've not tried Process Monitor yet.  Though Process Explorer, Process Hacker, Lock Hunter, etc, list ekrn as the culprit.  I'd expect that perhaps the method employed for monitoring access is different in Process Monitor.  -- At the very least we know that if NOD32 is uninstalled or real-time protection is disabled, the problem goes away.  {It minimally has to be some form of interaction involving ESET's real-time scanner}

     

    -- One of the initial troubleshooting steps that I tried was a Win10 VM as a fresh install of 1903, rather than my feature-upgraded install. That said, DISM and sfc /scannow come back clean (no errors).

  • In reply to A2Razor:

    The Process Explorer only shows which process was started by which one. It can't show registry calls, or am I missing something?

    Since my upgrade of PDFCreator (which has nothing to do with Sandboxie) suddenly prevented all sandboxes that were currently in use from being cleared, Eset must have blocked a registry key that was also used by software outside of Sandboxie.

    As an attempt, I have nevertheless entered the RegHive file into Eset's scan exceptions: C:\Sandbox\username\*RegHive

  • In reply to tec tec:

    tec tec
    The Process Explorer only shows which process was started by which one. It can't show registry calls, or am I missing something? 

    Process Explorer [and Process Hacker] can't list registry access per se, yet they can list all opened handles by a given process. Or specifically in this case the file handle of Sandboxie's mounted hive. If Sandboxie is completely closed {including the service unloaded}, the only remaining software with open handles for the hive are Windows (system) and ekrn.

     

    I had not tried placing exclusions based on the hive files -- only by application exclusions, I'll have to give that a shot too.
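The handle check described in the post above, as an added example that is not part of the thread and is not code from Sandboxie or ESET: it probes the box's RegHive with an exclusive open to distinguish a sharing violation (someone still has the hive open) from a plain access denied (an ACL or a filter driver refused the open), then asks Sysinternals handle.exe which processes hold anything under the box. It assumes handle.exe is on PATH, an elevated prompt (handles owned by System and ekrn.exe are not visible to a standard user), Sandboxie's default box layout under C:\Sandbox\<user>\<box>, and that no program is running in the box, since while the box is active Sandboxie's own service and driver legitimately keep the hive loaded. The exact column layout of handle.exe output is also an assumption; the parser only relies on the "pid:" token and the "HANDLE: object" pair.

```powershell
# Added example (not from the thread, Sandboxie or ESET). Run elevated.
param(
    # Assumed location; change to the box that fails to delete.
    [string]$BoxPath = "C:\Sandbox\$env:USERNAME\DefaultBox"
)

function Test-ExclusiveOpen {
    # Open $Path with FileShare.None and return the Win32 error code:
    #   0  = opened fine, nobody else has it
    #   32 = ERROR_SHARING_VIOLATION, another process still holds a handle
    #   5  = ERROR_ACCESS_DENIED, an ACL or a filter driver refused the open
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
        $fs.Dispose()
        return 0
    } catch {
        # Direct .NET calls surface as MethodInvocationException wrapping the real IOException.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        return ($ex.HResult -band 0xFFFF)
    }
}

function Get-HandleOwners {
    # Wrap handle.exe: -a lists all handle types, -u adds the owning account,
    # and the trailing argument is a substring match against the object name,
    # so every object under $Path is reported. Returns one object per handle.
    param([string]$Path)
    if (-not (Get-Command handle.exe -ErrorAction SilentlyContinue)) {
        Write-Warning 'handle.exe not found on PATH (Sysinternals Handle); skipping owner listing.'
        return
    }
    $lines = & handle.exe -accepteula -nobanner -a -u $Path 2>$null
    foreach ($line in $lines) {
        # Assumed shape: "ekrn.exe  pid: 1234  NT AUTHORITY\SYSTEM  1C8: C:\Sandbox\...\RegHive"
        # Only the "pid:" token and the "<hex>: <object>" pair are relied upon.
        if ($line -match '^(?<proc>\S+)\s+pid:\s*(?<pid>\d+)\s+(?<info>.*?)(?<handle>\b[0-9A-F]+):\s+(?<obj>.+)$') {
            [pscustomobject]@{
                Process = $Matches.proc
                Pid     = [int]$Matches.pid
                Info    = $Matches.info.Trim()
                Handle  = $Matches.handle
                Object  = $Matches.obj.Trim()
            }
        }
    }
}

$hive = Join-Path $BoxPath 'RegHive'
if (-not (Test-Path -LiteralPath $hive)) {
    Write-Host "No RegHive under $BoxPath; there is nothing mounted to block the delete."
    return
}

$code = Test-ExclusiveOpen -Path $hive
switch ($code) {
    0       { Write-Host 'RegHive opened exclusively: no other process holds it, the delete should succeed.' }
    32      { Write-Host 'Sharing violation: another process still has RegHive open.' }
    5       { Write-Host 'Access denied: an ACL or a filter driver (e.g. an antivirus minifilter) refused the open.' }
    default { Write-Host "Open failed with Win32 error $code." }
}
if ($code -eq 0) { return }

# Sandboxie's own components are expected holders while the service is loaded;
# anything else (e.g. an antivirus service) is the suspect the thread is hunting.
$expected = @('SbieSvc.exe', 'SbieCtrl.exe', 'SbieDrv.sys', 'Start.exe', 'System')
$owners = Get-HandleOwners -Path $BoxPath
if (-not $owners) { Write-Host 'handle.exe reports no open handles under the box.'; return }

$owners |
    Select-Object Process, Pid, Info, Handle, Object,
                  @{ Name = 'Suspect'; Expression = { $_.Process -notin $expected } } |
    Sort-Object Suspect, Process, Object -Descending |
    Format-Table -AutoSize

$suspects = $owners | Where-Object { $_.Process -notin $expected -and $_.Object -like '*RegHive*' }
if ($suspects) {
    Write-Warning ("RegHive is held by: " + (($suspects | ForEach-Object { "$($_.Process) (pid $($_.Pid))" } | Select-Object -Unique) -join ', '))
}
```

Run it with no program active in the box. A sharing violation plus a non-Sandboxie holder in the listing is the pattern the thread ends up attributing to ekrn.exe; an access-denied result with no listed holder points instead at a minifilter blocking the open on the I/O path, which Process Monitor (not a handle listing) is the right tool to confirm.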

  • In reply to Jerry Atricks:

    It's a little bit strange because sfc /scannow didn't find any problems, but this helped: DISM.exe /Online /Cleanup-image /Restorehealth. Thanks!

  • In reply to Jerry Atricks:

    Bah! Sorry guys, it seems I posted that "solution" in earnest after rebooting which tends to allow me to delete the sandbox contents. The issue is back again. :( 

  • In reply to A2Razor:

    Scan exception: C:\Sandbox\username\*RegHive doesn't help. :-|

    Edit: The coming cleaner module 1197 (currently 1195) could be the solution.

    forum.eset.com/.../

  • In reply to tec tec:

    Awesome! Glad that this is getting adequate publicity and that ESET is looking into it (more than I was led to believe in my ticket and calls!).

    Can't wait to switch back off Avira.

  • In reply to A2Razor:

    ESET Cleaner module 1197 has fixed the issue for me on two 7x64 machines.

  • In reply to Page42:

    Page42

    ESET Cleaner module 1197 has fixed the issue for me on two 7x64 machines.

     

    How can I get this "ESET Cleaner module 1197" so that the problem goes away? Will it be downloaded as a virus definitions update by itself, or do I download it from somewhere?

    I have ESET Antivirus for Business, version 6.something.

    Thank you.

  • In reply to tec tec:

    I joined this forum this morning just to say thanks for this thread. Once I found this thread it was a simple matter to set the two Win7/x64 machines I use to download pre-release updates. Once ESET Cleaner module 1197 installed and I rebooted, Sandboxie is working normally.

     

    Thanks again to everyone in the thread.

  • In reply to dmj:

    Where did you get it? 

  • In reply to Jerry Atricks:

    Set your ESET updates to download pre-release updates instead of regular updates. Then go to update screen and click on Update Now.

    After that you can check view all modules to make sure you received the update.