Win10 - SandboxieCrypto.exe prevents Windows updates from installing

Windows 10 Enterprise, v10.0.18363, x64

Sandboxie 5.31.6, x64

Firefox 68.4.2esr, x64

 

When Firefox is started (inside a sandbox), installation of Windows updates fails with error 0x8000FFFF or 0x8E5E0408. In Windows event (application) log, there are the following errors (source=ESENT, eventId=490):

Catalog Database (5548,D,50) Catalog Database: An attempt to open the file "C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

and (source=CAPI2, eventId=257):

The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032.

The process that has CatRoot2 database files locked is SandboxieCrypto.exe, executed with start of Firefox. When I exit Firefox, SandboxieCrypto.exe exits too, the CarRoot2 files are released, and then Windows update installation succeeds.

Do I have something set incorrectly, or is this a bug? I copied the Sandboxie.ini configuration from my old Windows 7 notebook, and there was no such problem. The Windows 10 notebook has very few programs installed, yet.

Parents
  • It seems that there is no other way to report Sandboxie problems than to post it in this forum.

    Has this post been noted by the Sandboxie maintainers? Is there anything I am supposed to do in order to report this (probable) bug?

  • That would mean that SandboxCrypto.exe has a handle open to the file outside of the sandbox. Can you verify that on your machine? You can use a tool like "Process Explorer" to determine if that is happening.

  • Yes, it has opened handles in the "C:\Windows\system32\catroot2" folder, as I have written, every time Firefox is opened. I don't know where to find the list of opened handles in the Process Explorer, but I see that using another tool (without further information).

  • I cannot repro this because my Firefox install does not cause the SandboxCrypto.exe to launch. This might be due to some plugin that is running. There might also be an program outside injecting code that performs operations that require the Crypt Service.

    Even if I couldn't reproduce this, we think the source of this problem is that recently Sandboxie opens the CatRoot2 folder by default. We are looking at the code why we had to do so.

    [EDIT] Actually I retract my last statement. We are not opening up the CatRoot2 folder by default. So while sandboxie can copy the content of the folder into the sandboxie, it should not hold onto the file. You might want to look at the sandbox configuration for any customization that opens up the CatRoot2 folder.

  • [Akhilesh@Sophos] I cannot repro this because my Firefox install does not cause the SandboxieCrypto.exe to launch. This might be due to some plugin that is running.

    That's strange. I've got two notebooks with similar setup, and on both the SandboxieCrypto.exe is immediately started by Firefox. Even when I create a new Firefox profile without addons and default config, SandboxieCrypto.exe is started every time.

    Configuration:

    Win10 Home + Sandboxie 5.31.2 x64 + Firefox 68.2.0esr x64,

    Win10 Enterprise + Sandboxie 5.31.6 x64 + Firefox 68.4.2esr x64.

    Edit:

    Maybe these SB messages are related?

    SBIE2214 Request to start service 'bits' was denied due to dropped rights
    SBIE2219 Request was issued by program SandboxieDcomLaunch.exe [Internet]
    SBIE2220 To permit use of Administrator privileges, please double-click on this message line
  • @Akhilesh@Sophos More information:

    SandboxieCrypto is a wrapper for the Windows cryptosvc (https://www.sandboxie.com/ServicePrograms). Without it, Firefox cannot access HTTPS sites. Hence it seems very improbable to me that your Firefox doesn't start this program.

    I've played a bit with the Sandboxie configuration, cut it to the minimum, and Firefox still starts SandboxieCrypto.exe. I also temporarily upgraded FF to the latest version 75.0, and still the same. In fact, Firefox starts SandboxieCrypto.exe even in Windows 7, but this program doesn't lock the catroot2 directory there.

    When I disallowed start of SandboxieCrypto.exe in the Sandboxie.ini, Firefox was unable to open HTTPS sites and I immediately got these errors:

    SBIE2312 Could not enable BrowseNewProcess setting:  [99 / C0000001] (repeatedly, every few seconds)

    Sanboxie Crypto - Could not load service DLL - cryptsvc.dll (a dialog window)

    Here is my reduced Sandboxie.ini:

    [GlobalSettings]

    BoxNameTitle=y
    Template=WindowsLive
    Template=OfficeClickToRun
    Template=SystemAudioStream
    Template=WindowsRasMan
    Template=WindowsFontCache
    Template=WindowsDefender
    Template=Avira_Antivirus
    Template=NOD32
    Template=SynapticsTouchPad
    Template=FinePrint
    Template=OfficeLicensing
    ActivationPrompt=n
    ForceDisableSeconds=180
    ProcessGroup=<SandboxieApps>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,SandboxieCrypto.exe
    ProcessGroup=<FirefoxPrograms>,firefox.exe,crashreporter.exe

    [Internet]

    Enabled=y
    BoxNameTitle=y
    BorderColor=#00FFFF,ttl
    ConfigLevel=7
    AutoRecover=y
    AutoDelete=y
    NeverDelete=n
    DropAdminRights=y
    Template=AutoRecoverIgnore
    Template=BlockPorts
    Template=LingerPrograms
    Template=Firefox_Phishing_DirectAccess
    Template=Firefox_Profile_DirectAccess
    ForceProcess=<FirefoxPrograms>
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices
    ClosedFilePath=!<StartRunAccess>,*
    ClosedKeyPath=!<StartRunAccess>,*
    ProcessGroup=<StartRunAccess>,<SandboxieApps>,<InternetAccess>,<FirefoxPrograms>
    ProcessGroup=<InternetAccess>,<FirefoxPrograms>
    ClosedIpcPath=!<StartRunAccess>,*
    NotifyInternetAccessDenied=n
    NotifyStartRunAccessDenied=n

    I think, however, that the problem is not in that SyndboxieCrypto.exe is started by FF, but in that in Win10 (not in Win7) it locks the catroot2 directory.

    Could you, please, check that? Thank you.

  • Still cannot reproduce this with Firefox on Windows 10 (1909). Even with HTTPS sites.

    It appears the folder is open for SandboxieCrypto, have to dig into the code. I think it's been that way for a long time (maybe even during Ronen's time).

     

  • In the source code, this might be relevant:

    In dll\file.c(2736):
                    // special case for SandboxieCrypto on Windows Vista,
                    // which tries to open catdb that are locked by
                    // the real CryptSvc process.  convert read-only access
                    // to write access so the files can be migrated

    This code has been around for a long time.

    It may be worth trying to comment out the code and seeing if it's still relevant.

  •     [Akhilesh@Sophos] Still cannot reproduce this with Firefox on Windows 10 (1909). Even with HTTPS sites.

    Do you mean that Firefox doesn't start SandboxieCrypto, or that SandboxieCrypto doesn't lock the catroot2 folder?

    In the first case, does your Sandboxie.ini allow execution of SandboxieCrypto.exe? Explicitly, or implicitly? (In my Sandboxie.ini, there it is allowed explicitly.) What happens when you prohibit execution of SandboxieCrypto in Sandboxie.ini?

    Or maybe you use a development version of Sandboxie that behaves differently? It's hard to believe that your FF would be able to use cryptosvc.dll without help from SandboxieCrypto.exe.

Reply
  •     [Akhilesh@Sophos] Still cannot reproduce this with Firefox on Windows 10 (1909). Even with HTTPS sites.

    Do you mean that Firefox doesn't start SandboxieCrypto, or that SandboxieCrypto doesn't lock the catroot2 folder?

    In the first case, does your Sandboxie.ini allow execution of SandboxieCrypto.exe? Explicitly, or implicitly? (In my Sandboxie.ini, there it is allowed explicitly.) What happens when you prohibit execution of SandboxieCrypto in Sandboxie.ini?

    Or maybe you use a development version of Sandboxie that behaves differently? It's hard to believe that your FF would be able to use cryptosvc.dll without help from SandboxieCrypto.exe.

Children
No Data