How to completely sandbox registry and file system for Windows app?

Question

We have a legacy Windows application which does its job very well. The problem is, it stores and manipulates registry values and files in both AppData and ProgramData Windows folders during runtime, and no source code is available to change it. We need to run multiple copies (they have different settings) of this application simultaneously, which is currently not possible, because they conflict with each other and crash. Creating a separate Windows VM for each copy is not possible (the machines are low-end and simply do not handle it; besides, some users do not have the knowledge for setting up a VM).

How can we completely isolate each copy of the app in its own directory? I thought about intercepting WinAPI calls and replacing calls to the file system and registry with our own database, but I am not sure how to implement this. A brief search gave me Deviare (open-source) and Detours (proprietary). Are these the right tools for the job? If so, which WinAPI functions should be intercepted?

Answer 1

This may help: https://github.com/YukiIsait/PortableLauncher

You have to rename "WindowPortableLauncher.exe" to "your_application_name.portable.exe" and place it at the same location where your "your_application_name.exe" is placed and this app will create 3 folders in the same folder with names "AppData", "LocalAppData", "UserProfile" and hopefully the files from "AppData Windows folder" will be saved into this ones. At least it worked for me with TreasuresOfMontesuma3, my kid often deleted my profile and I just created a separate "portable" copy of the game for myself using this hack.

Answer 2

Did you try Sandboxie? This is a lightweight virtualization environment, redirects all file and registry access to separate files.

Answer 3

It is an old question but there is a quite new solution - Windows Sandbox (win10 pro and up). You can have a sandbox BOOM - just like that.

take moment to read: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file

It is awesome!

Answer 4

You can use sandboxing solution, such as SHADE Sandbox. It runs programs in isolated environment and roughly speaking, redirects all operations with files and registry to a virtual copy of those files and registry keys. A redirecting fs and registry driver sits at its core, as described above ("the general solution")

Answer 5

A general solution to this problem is to develop a kernel driver. Starting with WIndows Vista, the kernel allows drivers absolute control over registry and file system operations (look at CmRegisterCallbackEx and FltRegisterFilter routines, read about registry filter drivers and file system minifilter drivers). However, as said in the comments, doing the sandboxing right is difficult since there are many edge cases and some things are not officially documented (e.g. there is not much information about some types of file system and registry operations available).

In general, hooking API calls in the applications is not a good solutions since the applications may bypass your hooks by simply making direct system calls (the interface for the core system calls, including those implementing file and registry operations, did not change for ages and their numbers may be computed dynamically).

If you trust the application not to do things like direct system calls, you can take advantage of API hooking or using some quite clever routines like (RegOverridePredefKey (allows you to change registry root handles for the application, effectively redirecting registry accesses made via RegXxx Windows API calls). I am not aware of anything similar for easy file system redirection.