Every time I start the PC, I see svchost.exe , shell32.dll , and explorer.exe in sandbox, like this:
Why does CIS automatically sandboxes these every startup?
I have scanned the PC for threats and it seems clean, yet these processes still
appear in sandbox. It it from an unknown/unsigned DLL or context control from a program?
And how do I remove them from Sandbox and add to trusted files?
There seems to be something that has these processes as parents
and CIS doesn’t like it, but I don’t know what it is. Could you help me? 
(Oh, and the “Add to trusted files” option is grayed out):
These show up when you are running an application in the sandbox. It is normal behavior. These processes will get terminated if you reset your sandbox
CAUTION: resetting the sandbox deletes everything stored in the sandbox
“These show up when you are running an application in the sandbox.”
This happens without me explicitly running any application… It’s just that I always see
these programs in the sandbox as soon as the computer boots up. It doesn’t happen
only when I sandbox an app on purpose.
It only made me curious, because the processes appear there at every startup, even when I
reset the sandbox and reboot the PC. This points to the fact that there may be an unsigned
component in my system that has explorer.exe / shell32.dll / svchost.exe as parent processes
and CIS sandboxes them because of this.
My only question is that: If I install an app that needs to modify my shell/context menu/explorer
add-ons and these apps are in the sandbox, the changes would be discarded at the next start-up,
right?
Besides, I may not remember to reset the sandbox every time my computer starts up.
This is curious behaviour to me, even though I trust you when you say it’s normal.
But I assume that a change somewhere was made that caused CIS to sandbox the process
just like that. This is the only dilemma I have. Maybe I will figure this out by myself eventually.
I believe there may be a bug in CIS where it will start certain processes in the sandbox during start-up for no apparent reason.
I do not have BB/auto-sandbox enabled, the only thing I use the sandbox for currently is Thunderbird (e-mail program) and that is NOT set to auto-start, yet I see svchost etc in the sandbox upon starting the system. This shouldn’t happen because I have BB off and the only program set to be sandbox is not set to auto-start, hence I believe it is a bug and I will report it as such.
