Sandboxie-Plus v1.12.3

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Dec 2, 2023.

  1. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,289
    the picture is useless, get windbg from the windows SDK and drag the dmp file into it.
    btw krnl most times crashes due to drivers. it's not firefox or current sb classic (using it), i don't have issues. could be some driver from an antimalware.
     
  2. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,522
    Location:
    Viena
    please try if NtNamespaceIsolation=n fixes your issue
     
  3. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,522
    Location:
    Viena
    There is usually no point to uninstalling sandboxie, the only thing that changes is the sandboxie.ini,
    so there is a point to renaming sandboxie.ini to something else, starting out with a fresh clean uncustomized one and seeing if the errors go away.
    If no, then restore the old sandboxie.ini and look for another error source,
    if yes, restore/port the config in chunks until you find the offending preset.
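
The chunk-by-chunk porting described in the post above, as an added example that is not part of the original post or of Sandboxie's own tooling. It assumes a single offending setting that reproduces on its own; the function names, the `reproduces` callback (a stand-in for "install the trial file, reload the configuration, check for the error") and both sample configs are constructed for illustration.

```python
# Constructed sample configs, not taken from any real system.
FRESH_INI = """\
[GlobalSettings]

[DefaultBox]
Enabled=y
AutoRecover=y
"""
OLD_INI = r"""
[GlobalSettings]

[DefaultBox]
Enabled=y
AutoRecover=y
AutoDelete=y
NeverDelete=n
DropAdminRights=y
ClosedFilePath=C:\Users\*\Documents\Private\*
BorderColor=#00FFFF,ttl
NtNamespaceIsolation=n
"""

def parse_ini(text):
    """Return {section: [setting lines]}, keeping order and repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def render_ini(sections):
    """Serialize the parsed structure back to ini text for one trial."""
    out = []
    for name, lines in sections.items():
        out.append(f"[{name}]")
        out.extend(lines)
        out.append("")
    return "\n".join(out)

def find_offending(fresh, old, box, reproduces):
    """Port the customizations of old[box] into the fresh config half by half.

    Returns (offending setting or None, number of trial configs tested)."""
    base = fresh.get(box, [])
    suspects = [s for s in old.get(box, []) if s not in base]
    trials = 0

    def trial(chunk):
        nonlocal trials
        trials += 1
        cfg = dict(fresh)
        cfg[box] = base + chunk
        return reproduces(render_ini(cfg))

    if not suspects or not trial(suspects):
        return None, trials  # this section's customizations are not the cause
    while len(suspects) > 1:
        half = suspects[: len(suspects) // 2]
        suspects = half if trial(half) else suspects[len(half):]
    return suspects[0], trials

def constructed_reproduces(ini_text):
    """Constructed oracle: pretend the error returns whenever this line is present."""
    return "DropAdminRights=y" in ini_text.splitlines()

if __name__ == "__main__":
    print(find_offending(parse_ini(FRESH_INI), parse_ini(OLD_INI),
                         "DefaultBox", constructed_reproduces))
```

With six customized settings the search needs four trial configurations instead of six single-setting ones; if the first trial with all customizations does not reproduce the error, the section is ruled out at once.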
     
  4. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    246
    I put NtNamespaceIsolation=n in Sandboxie.ini under the GlobalSettings, under the DefaultBox and under the UserSettings (all the 3, at the same time, as I didn't know where I should put it exactly) and then reloaded the configuration - but that didn't help, the SBIE2321 messages still appeared when I tried to run anything in DefaultBox.

    Then I uninstalled Sandboxie, together with removing the Sandboxie.ini and rebooting. Then installed it anew and had the same problem with the SBIE2321 messages displaying with a brand new Sandboxie.ini. The only way those messages don't display is if I disable the Drop Rights feature.

    I then tested different versions and can now 100% confirm:
    - The v5.62.2 does not display the SBIE2321 messages when running things sandboxed with Drop Rights enabled.

    - The next version, v5.63.0 does display the SBIE2321 messages when running things sandboxed with Drop Rights enabled.

    Then I installed the latest version v5.67.3 again, hid the errors again, and now I'm hoping that it will work OK...

    What do you think about the BSOD I posted (on the previous page)?
    EDIT: Added also windbg analysis below.

    121723-4359-01.dmp:
    Code:
    121723-4359-01.dmp
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Kernel Version 19041 MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
    Machine Name:
    Kernel base = 0xfffff803`78800000 PsLoadedModuleList = 0xfffff803`7942a360
    Debug session time: Sun Dec 17 14:05:43.116 2023 (UTC + 1:00)
    System Uptime: 0 days 0:21:35.769
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .....................................................
    Loading User Symbols
    Loading unloaded module list
    .........
    For analysis of this file, run !analyze -v
    6: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    CRITICAL_PROCESS_DIED (ef)
            A critical system process died
    Arguments:
    Arg1: ffff8007d7bd50c0, Process object or thread object
    Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
    Arg3: 0000000000000000, The process object that initiated the termination.
    Arg4: 0000000000000000
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
        Key  : Analysis.CPU.mSec
        Value: 5764
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 8719
    
        Key  : Analysis.Init.CPU.mSec
        Value: 1061
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 25134
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 75
    
        Key  : CriticalProcessDied.ExceptionCode
        Value: cfb7a080
    
        Key  : CriticalProcessDied.Process
        Value: svchost.exe
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
    
    FILE_IN_CAB:  121723-4359-01.dmp
    
    BUGCHECK_CODE:  ef
    
    BUGCHECK_P1: ffff8007d7bd50c0
    
    BUGCHECK_P2: 0
    
    BUGCHECK_P3: 0
    
    BUGCHECK_P4: 0
    
    PROCESS_NAME:  svchost.exe
    
    CRITICAL_PROCESS:  svchost.exe
    
    ERROR_CODE: (NTSTATUS) 0xcfb7a080 - <Unable to get error code text>
    
    BLACKBOXBSD: 1 (!blackboxbsd)
    
    
    BLACKBOXNTFS: 1 (!blackboxntfs)
    
    
    BLACKBOXPNP: 1 (!blackboxpnp)
    
    
    BLACKBOXWINLOGON: 1
    
    CUSTOMER_CRASH_COUNT:  1
    
    STACK_TEXT:
    fffffd8b`be55f838 fffff803`7910e5a2     : 00000000`000000ef ffff8007`d7bd50c0 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
    fffffd8b`be55f840 fffff803`7901613f     : 00000000`00000000 fffff803`78acd1f1 00000000`00000002 fffff803`78acd11b : nt!PspCatchCriticalBreak+0x10e
    fffffd8b`be55f8e0 fffff803`78e82110     : ffff8007`00000000 00000000`00000000 ffff8007`d7bd50c0 ffff8007`d7bd54f8 : nt!PspTerminateAllThreads+0x15dfaf
    fffffd8b`be55f950 fffff803`78e81f0c     : ffff8007`cfbdb080 00000000`00000000 00000000`00000001 00000000`00000c60 : nt!PspTerminateProcess+0xe0
    fffffd8b`be55f990 fffff803`78c10ef5     : ffff8007`d7bd50c0 ffff8007`cfb7a080 fffffd8b`be55fa80 ffff8007`00000000 : nt!NtTerminateProcess+0x9c
    fffffd8b`be55fa00 00007ffd`2a98d564     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
    00000061`a75fee28 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffd`2a98d564
    
    
    SYMBOL_NAME:  nt!PspCatchCriticalBreak+10e
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrnlmp.exe
    
    IMAGE_VERSION:  10.0.19041.3570
    
    STACK_COMMAND:  .cxr; .ecxr ; kb
    
    BUCKET_ID_FUNC_OFFSET:  10e
    
    FAILURE_BUCKET_ID:  0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_cfb7a080_nt!PspCatchCriticalBreak
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {e8746f58-173c-7cbf-5fbd-3061b4b701d1}
    
    Followup:     MachineOwner
    ---------
    
    
    MEMORY.DMP:
    Code:
    MEMORY.DMP
    Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
    
    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Kernel Version 19041 MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
    Machine Name:
    Kernel base = 0xfffff803`78800000 PsLoadedModuleList = 0xfffff803`7942a360
    Debug session time: Sun Dec 17 14:05:43.116 2023 (UTC + 1:00)
    System Uptime: 0 days 0:21:35.769
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .....................................................
    Loading User Symbols
    .........................................
    Loading unloaded module list
    .........
    For analysis of this file, run !analyze -v
    6: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    CRITICAL_PROCESS_DIED (ef)
            A critical system process died
    Arguments:
    Arg1: ffff8007d7bd50c0, Process object or thread object
    Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
    Arg3: 0000000000000000, The process object that initiated the termination.
    Arg4: 0000000000000000
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
        Key  : Analysis.CPU.mSec
        Value: 5359
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 11329
    
        Key  : Analysis.Init.CPU.mSec
        Value: 1078
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 13617
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 85
    
        Key  : CriticalProcessDied.ExceptionCode
        Value: cfb7a080
    
        Key  : CriticalProcessDied.Process
        Value: svchost.exe
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
    
    FILE_IN_CAB:  MEMORY.DMP
    
    BUGCHECK_CODE:  ef
    
    BUGCHECK_P1: ffff8007d7bd50c0
    
    BUGCHECK_P2: 0
    
    BUGCHECK_P3: 0
    
    BUGCHECK_P4: 0
    
    PROCESS_NAME:  svchost.exe
    
    CRITICAL_PROCESS:  svchost.exe
    
    ERROR_CODE: (NTSTATUS) 0xcfb7a080 - <Unable to get error code text>
    
    BLACKBOXBSD: 1 (!blackboxbsd)
    
    
    BLACKBOXNTFS: 1 (!blackboxntfs)
    
    
    BLACKBOXPNP: 1 (!blackboxpnp)
    
    
    BLACKBOXWINLOGON: 1
    
    STACK_TEXT:
    fffffd8b`be55f838 fffff803`7910e5a2     : 00000000`000000ef ffff8007`d7bd50c0 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
    fffffd8b`be55f840 fffff803`7901613f     : 00000000`00000000 fffff803`78acd1f1 00000000`00000002 fffff803`78acd11b : nt!PspCatchCriticalBreak+0x10e
    fffffd8b`be55f8e0 fffff803`78e82110     : ffff8007`00000000 00000000`00000000 ffff8007`d7bd50c0 ffff8007`d7bd54f8 : nt!PspTerminateAllThreads+0x15dfaf
    fffffd8b`be55f950 fffff803`78e81f0c     : ffff8007`cfbdb080 00000000`00000000 00000000`00000001 00000000`00000c60 : nt!PspTerminateProcess+0xe0
    fffffd8b`be55f990 fffff803`78c10ef5     : ffff8007`d7bd50c0 ffff8007`cfb7a080 fffffd8b`be55fa80 ffff8007`00000000 : nt!NtTerminateProcess+0x9c
    fffffd8b`be55fa00 00007ffd`2a98d564     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
    00000061`a75fee28 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTerminateProcess+0x14
    
    
    SYMBOL_NAME:  ntdll!NtTerminateProcess+14
    
    MODULE_NAME: ntdll
    
    IMAGE_NAME:  ntdll.dll
    
    STACK_COMMAND:  .cxr; .ecxr ; kb
    
    BUCKET_ID_FUNC_OFFSET:  14
    
    FAILURE_BUCKET_ID:  0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_cfb7a080_ntdll!NtTerminateProcess
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {b220f163-e82d-b1a6-f66e-30de398e770a}
    
    Followup:     MachineOwner
    ---------
    
    
    Could these 2 changes in v1.8.0 / v5.63.0 have something to do with the BSOD (relating to ntdll in the BSOD analysis)?

    - added virtualization for CreateDirectoryObject(Ex) and OpenDirectoryObject (improves security, prevents name squatting)

    - FIXED SECURITY ISSUE ID-22 NtCreateSectionEx was not filtered by the driver
     
    Last edited: Dec 17, 2023
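
Added example (not from the post or the Sandboxie project): a small parser for the `!analyze -v` text quoted above, showing that the two dumps record one event and that their FAILURE_BUCKET_ID values differ only because the kernel dump resolved the user-mode frame. Function names are hypothetical; the sample text is trimmed from the output in the post.

```python
import re

# Trimmed from the two !analyze -v outputs in the post above; the dumps agree
# on every line here and differ only in the last frame and the bucket ID.
COMMON = """\
BUGCHECK_CODE:  ef
BUGCHECK_P1: ffff8007d7bd50c0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
CRITICAL_PROCESS:  svchost.exe
ERROR_CODE: (NTSTATUS) 0xcfb7a080 - <Unable to get error code text>
STACK_TEXT:
fffffd8b`be55f990 fffff803`78c10ef5     : ffff8007`d7bd50c0 ffff8007`cfb7a080 fffffd8b`be55fa80 ffff8007`00000000 : nt!NtTerminateProcess+0x9c
fffffd8b`be55fa00 00007ffd`2a98d564     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000061`a75fee28 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : {last}
FAILURE_BUCKET_ID:  0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_cfb7a080_{bucket}
"""
MINIDUMP = COMMON.format(last="0x00007ffd`2a98d564", bucket="nt!PspCatchCriticalBreak")
KERNEL_DUMP = COMMON.format(last="ntdll!NtTerminateProcess+0x14", bucket="ntdll!NtTerminateProcess")

FIELD = re.compile(r"^([A-Z][A-Z0-9_]*):\s+(\S.*?)\s*$")
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8}\s+: (.*) : (\S+)\s*$")

def parse_analyze(text):
    """Pull KEY: value fields and (args, symbol) stack frames out of the text."""
    fields, frames = {}, []
    for line in text.splitlines():
        line = line.strip()
        frame = FRAME.match(line)
        field = FIELD.match(line)
        if frame:
            frames.append((frame.group(1).split(), frame.group(2)))
        elif field:
            fields[field.group(1)] = field.group(2)
    return fields, frames

def crash_identity(fields):
    """Bugcheck code, its four parameters and the dead process identify one event."""
    keys = ["BUGCHECK_CODE"] + [f"BUGCHECK_P{i}" for i in range(1, 5)] + ["CRITICAL_PROCESS"]
    return tuple(fields.get(k) for k in keys)

def user_mode_caller(frames):
    """Frame listed right after the syscall dispatcher, i.e. the user-mode caller."""
    for (_, symbol), (_, caller) in zip(frames, frames[1:]):
        if symbol.startswith("nt!KiSystemServiceCopyEnd"):
            return caller
    return None

def error_code_on_stack(fields, frames):
    """True when the 32-bit ERROR_CODE equals the low half of a 64-bit stack argument."""
    m = re.search(r"0x([0-9a-f]{8})\b", fields.get("ERROR_CODE", ""))
    return bool(m) and any(a.endswith("`" + m.group(1)) for args, _ in frames for a in args)

def compare(text_a, text_b):
    """Side-by-side triage of two !analyze -v outputs."""
    (fa, sa), (fb, sb) = parse_analyze(text_a), parse_analyze(text_b)
    return {
        "same_event": crash_identity(fa) == crash_identity(fb),
        "same_bucket": fa.get("FAILURE_BUCKET_ID") == fb.get("FAILURE_BUCKET_ID"),
        "user_callers": (user_mode_caller(sa), user_mode_caller(sb)),
        "error_code_on_stack": error_code_on_stack(fa, sa),
    }

if __name__ == "__main__":
    for key, value in compare(MINIDUMP, KERNEL_DUMP).items():
        print(f"{key}: {value}")
```

The last check flags that the value printed as an NTSTATUS matches the low 32 bits of an argument in the `nt!NtTerminateProcess` frame, which is consistent with WinDbg finding no error text for it.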
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,289
    seriously?
    Win10 2004 got last update on 2021-12-14, this is 2 years ago and it missed a lot of stability patches. terminal server or not.

    svchost is the service provider
    ef critical process died
    https://learn.microsoft.com/en-us/w...ebugger/bug-check-0xef--critical-process-died

    you need to upload the first dump for further investigations, either windows is defective as mentioned, or something else is going on.
     
  6. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    246
    That's all the dumps I have, I have uploaded both.

    @DavidXanatos If you have time to look at my BSOD I posted above, it would be much appreciated. I have Windows 10 Pro 22H2 with Windows Defender, nothing else for security, except for Sandboxie of course. Thank you! :)
     
  7. APMichael

    APMichael Registered Member

    Joined:
    Jun 17, 2020
    Posts:
    128
    Location:
    Germany
    I suspect that he won't really find anything. The issue has been known for some time:

    https://github.com/sandboxie-plus/Sandboxie/issues/1316

    Unfortunately, it is practically impossible to reproduce the issue, so it is still not clear what triggers it.
     
  8. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    246
    I wasn't aware that the issue was more common, thank you. But for me, the BSOD happened after I clicked on Forget Hidden Messages. It's possible I started and ended sandboxed Firefox prior to this, but that must have been at least a couple of seconds before I changed the hidden messages setting. And I surely didn't use the Terminate All Programs feature, I simply closed Firefox, as always, and the sandbox self-terminated (as it's set to do). But I remember the BSOD happening after I clicked on the Forget Hidden Messages, maybe just a few seconds after the action.

    I've been using Sandboxie since 2010, on WinXP, 7, 8.1 and 10. The Tzuk/Invincea/Sophos versions, on many computers, until November of 2022. At that time I upgraded to David's v5.60.3, on a Win10 desktop (which I have since 2017) and on a Win10 laptop (which I have since 2020), which I both use every day for hours. Never ever had a BSOD - until I updated to v5.67.3 on the desktop PC this last weekend, then this one BSOD happened once (so far). I thought it could be connected to the SBIE2321 messages I started seeing after I updated Sandboxie, as those messages never displayed before for me.

    I hope David looks into my BSOD memory dump, maybe some new info could be gathered from it to help solve the problem. I've read a little bit on the CRITICAL_PROCESS_DIED error and, if I understood correctly, it happens because Windows self-protects itself by going into stop screen because of a dead critical process. So from that, I would think, and hope, that this kind of BSOD can't be harmful to the hardware, the data on the drive or the file structure or the Windows installation itself?
     
  9. APMichael

    APMichael Registered Member

    Joined:
    Jun 17, 2020
    Posts:
    128
    Location:
    Germany
    I do not use the "Terminate All Programs" function either. In my case, the BSOD only occurs after a normal closing of a sandboxed program. It may well be that the BSOD is triggered after a few seconds, as Sandboxie first has to terminate all processes in the sandbox.

    Funny, I have also been using Sandboxie since 2010, but I have had the odd BSOD. However, all of them could be fixed as they could be easily reproduced. For this BSOD, however, a rare unfortunate timing is probably required, which unfortunately cannot be reproduced intentionally.

    (What I have noticed: The more programs run together in a sandbox, the sooner the BSOD occurs. Since I have been using a separate sandbox for each forced program and have defined a breakout for the PDF viewer, for example, the BSOD has no longer occurred.)
     
  10. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    246
    I remembered I wrote notes when the BSOD happened and I checked them again - I forgot a little detail before, my notes say "BSOD happened after I unhid the messages and run Firefox sandboxed again" - so yes, it was (a couple of seconds) after a sandboxed Firefox was terminated. I'm pretty sure it was only Firefox running sandboxed in the sandbox at the time though, nothing else. I must have unhid the messages and then run Firefox sandboxed again to check that the SBIE2321 messages are back, before trying to apply the NtNamespaceIsolation=n in the Sandboxie.ini for a possible fix - but then the BSOD happened.

    Myself, I had no BSODs before whatsoever on this PC (so since 2017) or on the laptop (so since 2020). I had some BSODs back in the XP times, on older computers, but that was way back and not related to Sandboxie. I still find it very weird that it only happened after I updated, after over one year of using v5.60.3 without a single problem.

    I'm thinking about restoring the system backup I did before updating Sandboxie and using the older version with the Firefox v119.01, but that's not really sustainable on the longer run. I guess I'll wait and see how the PC will behave, if there will be any more BSODs - hope not. :)
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,289
    windbg shows 19041, not 19044/19045 - how, why?
    is it public to have a personal view? i am using windbg for a longer period now.
     
  12. dodo1

    dodo1 Registered Member

    Joined:
    Feb 25, 2021
    Posts:
    25
    Location:
    here
    It is normal, my Windows 10 22H2 system has the same build lab string.
     
  13. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,289
    not here
    win10 19045.3803
    see what i mean?
    here: 22621.755.221019-1136.ni_release_svc_prod3_WindowsSDK.iso
    current to load: 22621.2428.230929-1800.ni_release_svc_prod1_WindowsSDK.iso

    after update:
    PS i don't see any relation to building a wim here. my latest installation (22H2) was with an original iso file from MS created with the MCT.

    edit
    i have windbg (current) installed on windows 11.
    and it shows 19045 as windows source.
    either the crash happened with 19041 before updating, or is rather old.
    windbg is NOT lying!
     
    Last edited: Dec 21, 2023
  15. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,522
    Location:
    Viena
    The dmp's are not helpful with the critical process died crashes, as they don't offer any insight why it crashed.

    What would be interesting to test would be to disable most of sbie's mechanics i.e. see if programs ran in a green box also can trigger this issue, so set
    NoSecurityIsolation=y
    also one may consider adding NoSecurityFiltering=y
    that's the extra über insecure config but for testing why not.
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,289
    for sure the dmp contains such information. and it contains a list of used modules (dll, libs etc). ofc a small dump is helpful in most cases, but here a full dump would be even better.
    and currently for me it is not visible which service died and raised a BSOD which is a clear warning that something important is really going wrong. SB classic doesn't force bsod, not even firefox. i don't know about his windows nor which security tools he uses. i would bet that sandboxie is not causing this.
     
  17. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    246
    I have Windows 10 Pro x64 22H2 and only use Windows Defender for security. The only thing I changed recently was that I updated Sandboxie Classic from v5.60.3 to Classic v5.67.3 and then soon got a BSOD for the first time ever on this PC, which I've been using every day for hours, for the last 7 years. The dumps are posted above, I'm sorry if they aren't of any help. The good news is that it's been a week now since the BSOD and I didn't get another one. Hope it stays that way. :)
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    BTW, I'm still using an older Sandboxie Plus version because it does the job. But can you guys install and run Firefox clones like Floorp and Pale Moon without any problems, I mean inside the sandbox? I keep getting errors on Win 8.1.
     
  19. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    585
    Any update on the progress toward v1.13.x with these changes?
     
  20. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    246
    The CRITICAL_PROCESS_DIED BSOD happened again today, on the same Windows PC, only Firefox was running sandboxed. First BSOD happened in December and now the second one in January. Never ever had a BSOD with the Sandboxie Classic v5.60.3 and now had 2 since I updated to v5.67.3 last month.
     
  21. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    @Bellzemos
    It would be better to open a separate thread for this issue. Don't forget to include details about your system configuration (hardware, 3rd party security software, security settings, etc.).

    Also, if you can try the versions released between 5.60.3 and 5.66.4 and determine which one caused the problem, the developer may be able to find the source of the problem more easily.

    PS: I also use the Firefox browser in the sandbox all the time, but I have not encountered this problem.
    PS2: Is Windows Sandbox enabled on your system?
     
  22. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    246
    Hi busy,

    if/when the BSOD happens again, I will open a new thread and post everything there again. I've written everything when the 1st BSOD happened in this thread and this 2nd BSOD seems to be caused by the same issue (I checked the memory dump).

    I wouldn't want to use older versions of Sandboxie on this machine as it's my main PC and I can't use Firefox v120 or above with the older versions of Sandboxie. And yes, Windows Sandbox is disabled on my PC.

    Thank you.
     