Win10 - SandboxieCrypto.exe prevents Windows updates from installing

Windows 10 Enterprise, v10.0.18363, x64

Sandboxie 5.31.6, x64

Firefox 68.4.2esr, x64


When Firefox is started (inside a sandbox), installation of Windows updates fails with error 0x8000FFFF or 0x8E5E0408. In the Windows event (application) log, there are the following errors (source=ESENT, eventId=490):

Catalog Database (5548,D,50) Catalog Database: An attempt to open the file "C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

and (source=CAPI2, eventId=257):

The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032.

The process that has CatRoot2 database files locked is SandboxieCrypto.exe, executed with the start of Firefox. When I exit Firefox, SandboxieCrypto.exe exits too, the CatRoot2 files are released, and then Windows update installation succeeds.

Do I have something set incorrectly, or is this a bug? I copied the Sandboxie.ini configuration from my old Windows 7 notebook, and there was no such problem. The Windows 10 notebook has very few programs installed, yet.
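
The two event messages quoted above can be matched up mechanically when triaging an exported Application log. The following is an added example, not part of the original post or of Sandboxie: it parses the ESENT 490 text, checks that the Win32 error is 32 (sharing violation) on a CatRoot2 file, and links it to the CAPI2 257 failure by the shared ESENT error. The function names and the `(source, event_id, message)` tuple layout are assumptions, and the sample events are constructed from the messages quoted in the post.

```python
import re

ERROR_SHARING_VIOLATION = 32  # Win32: file is in use by another process
ESENT_490 = re.compile(
    r'open the file "(?P<path>[^"]+)".*?system error (?P<win32>\d+) \(0x[0-9a-fA-F]+\)'
    r'.*?fail with error (?P<jet>-?\d+) \((?P<jet_hex>0x[0-9a-fA-F]+)\)', re.S)
CAPI2_257 = re.compile(r"ESENT error was: (?P<jet>-?\d+)")

def to_signed32(hex_text):
    """Interpret a 32-bit hex value such as 0xfffffbf8 as a signed integer."""
    value = int(hex_text, 16)
    return value - (1 << 32) if value & 0x80000000 else value

def catdb_lock_findings(events):
    """Return ESENT 490 sharing violations on CatRoot2, matched to CAPI2 257 failures."""
    capi2_errors = set()
    for source, event_id, message in events:
        m = CAPI2_257.search(message)
        if source == "CAPI2" and event_id == 257 and m:
            capi2_errors.add(int(m["jet"]))
    findings = []
    for source, event_id, message in events:
        m = ESENT_490.search(message)
        if source != "ESENT" or event_id != 490 or not m:
            continue
        jet = int(m["jet"])
        if to_signed32(m["jet_hex"]) != jet:
            continue  # decimal and hex forms disagree: not a message we understand
        if int(m["win32"]) == ERROR_SHARING_VIOLATION and "\\catroot2\\" in m["path"].lower():
            findings.append({"path": m["path"], "esent_error": jet,
                             "catalog_init_failed": jet in capi2_errors})
    return findings

# Constructed sample input: the two messages quoted in the post.
SAMPLE_EVENTS = [
    ("ESENT", 490, 'Catalog Database (5548,D,50) Catalog Database: An attempt to open the file '
     r'"C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / '
     'write access failed with system error 32 (0x00000020): "The process cannot access the '
     'file because it is being used by another process. ".  The open file operation will fail '
     'with error -1032 (0xfffffbf8).'),
    ("CAPI2", 257, "The Cryptographic Services service failed to initialize the Catalog "
     "Database. The ESENT error was: -1032."),
]

if __name__ == "__main__":
    for finding in catdb_lock_findings(SAMPLE_EVENTS):
        print(finding)
```

The events do not name the process holding the file; that still has to be found separately, as was done for SandboxieCrypto.exe here.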

  • [Akhilesh@Sophos] In the source code, this might be relevant

    I don't know where to find the source files, so I cannot comment on that. But it's definitely worth trying. It seems that the "real CryptSvc process" no longer locks catdb(2). It does that not even in Win7. On the other hand, the comment says that SandboxieCrypto asks for write locks, but in Win7 the catdb2 files are not locked, they are locked in Win10 only.

    If you send me a custom build where you disable that lock, I can test that so that we know whether it helps. Thank you.

  • My Firefox, when run in the sandbox, also does not trigger the Crypto service.

    To be honest, that's the expected behavior, as Firefox does not use the system's root certificate store but instead comes with its own assortment of root CAs.

    To enable this you need to switch security.enterprise_roots.enabled to true; then FF invokes the crypto service.

    I don't think many users would do that, so maybe it's some 3rd-party software integrating with FF that requires the crypto service for some of its own stuff.



    Does this service running in the sandbox affect all Windows updates or only some particular KBs?

    I would imagine that it may only be a problem with updates that try to update the root CA, but I haven't that just guessing for now.

  • [David Xanatos] Does this service running in the sandbox affect all Windows updates or only some particular KBs?

    It prevents all Windows updates from installing (on Win10 only).

    [David Xanatos] To enable this you need to switch security.enterprise_roots.enabled to true; then FF invokes the crypto service.

    That explains why SandboxieCrypto.exe starts on all my computers but not on yours. Because I use the ESR version of FF on all my computers, and security.enterprise_roots.enabled is set to true for FF ESR versions by default.

    After changing this value to false, SandboxieCrypto ceased to be started. (On my work computer which is part of a domain, this option was locked, I had to follow this advice in order to be able to change the value in about:config. On my home computers, this was not necessary.)

    Hence, this solves my current problem, though it doesn't solve the problem of SandboxieCrypto. In every case, half of the mystery is solved. Thank you very much!

    What remains:

    • I'm not sure if it's the right thing to disable this configuration property on my work computer, or whether it won't be enabled automatically again in a short time. (Because the property was locked by the ESET antivirus, or after a FF update.) I have to ask the domain admins whether this was part of the domain policy.
    • There seems to be no reason why SandboxieCrypto should be locking catroot2 for itself and thus preventing Windows update. The same problem may affect other users. But for me, the priority of this problem lowers (at least for now).
  • So, unfortunately, the issue is not resolved.

    security.enterprise_roots.enabled was set to true by the ESET antivirus, in order to inject its own SSL certificate into the browser. I turned off this injection (ESET Advanced Settings > Web and Email > SSL/TLS > Root Certificate > Add to known browsers) and imported the certificate manually (at the same place in ESET settings > View Certificate, then save and import in FF). After that, Firefox doesn't start SandboxieCrypto at FF start. But after several hours/days of running, this program gets executed anyway. I do not know what kind of action or web page triggers its execution, but it gets started. Hence, the problem persists.