sandboxed program modifying the registry

I was testing the sandbox so I ran a program that I know adds a registry entry to HKEY_CURRENT_USER, and it still added the key there despite being sandboxed. I ran it as untrusted and registry virtualization was turned on. Shouldn’t it add the entry to CIS sandbox area of the registry?

HKEY_CURRENT_USER as such is not part of the protected registry keys. What key exactly does this program write to? Check this key with Protected Registry Keys (Defense + → Common Tasks).

Ok i think i misunderstood how the sandbox worked. So you’re saying that it only protects the registry keys that are listed under the Protected Registry Keys section right? I was thinking it would protect the complete registry and instead write to the sandbox registry area if a program is sandboxed. So it makes sense then that the program is writing in the root of HKEY_CURRENT_USER, because CIS doesn’t protect it by default.

Moderator Mouse1 wrote useful guide about how the sandbox works. It is in my signature.

When people hear sandbox most of them immediately assume it will be something like Sandboxie.

The sandbox has not reached his final form yet. So, stay tuned for changes coming with v4.1 and successors.

Ok I get it now, thanks for the help.