Sandbox behaviour differs between admin and non-admin accounts [Renamed]

Hi all,
CIS free 4.141842.182
XP SP3

It seems either there is an error on my part or the sandbox is really difficult to understand.
Here is, in brief, what I did to understand the behavior of the sandbox.

1 - Created an exe (named testing.exe) that will create two text files, c:\vd\a.txt and c:\windows\adi.txt.
The files were created in the above order.
2 - When I first ran this program from a non-admin account I received a sandbox alert and a debug assertion failure. It's OK, no problem here.

3 - When I ran this program from an admin account I received a sandbox alert and an access denied message on the command prompt; also the file c:\vd\a.txt was not created (it's OK as per the manual, the sandbox imposed limited restrictions). But why was c:\vd\a.txt not created, as it does not fall under any protected file group and the non-admin (Limited) restrictions do not apply to C:\vd\?

4 - I added the above program manually to the sandbox.

Tried running from the admin account, received access denied and c:\vd\a.txt was not created.

  • Again ran the same program from the non-admin account; it executed smoothly and both files were created under the c:\virtual root.… folder.

Now the question is what kind of security the sandbox is providing, as it is allowing the creation and modification of files, though virtually, even in non-admin accounts.

It does not matter where you create the files as long as you have the capability to create and modify a file and are able to access it.

Many viruses nowadays, for example, do not write to the Windows directory but to the user profile folder.

In my opinion the sandboxed process (above) should also not be able to create files in the virtual directory, if the user who is executing it is doing so from a non-admin account.

Please ignore my poor writing skills.



I think this is likely to be a bug, so I will transfer it to Bug Reports.

There have been some other indications of different behaviour between admin and non-admin accounts, so this may help to clarify.

Please add the information requested here.

Many thanks in anticipation


I wonder if you could tell me whether this is resolved in 4.1?

Many thanks


CIS Ver 5.0 …

You can say the behaviour is solved, but it needs some refinements and has also introduced some new problems.

1 - If you run from an admin account, the file is created in both folders, i.e. c:\vd and c:\windows\system32. (In my view c:\windows.. should be created in the virtual root folder, as you are using an admin account and some restrictions are required.)

2 - If you run from a non-admin account, the file is created only in c:\vd, not in c:\windows\system32; that is, virtualization is not done and the malicious behaviour is successfully blocked. However, the program halts at this point and leaves orphaned windows on the desktop whose handle could not be located, and these windows could not be terminated by any means.

3 - These orphaned windows are created VC2008 Environment (debug mode)

4 - The only solution to remove these orphaned windows is a cold reboot, as log off takes an indefinite time.

I am enclosing screenshots for clarity.
The devs should do something to look into this problem.

