No Security Isolation
NoSecurityIsolation is a sandbox setting available since v1.0.0 / 5.55.0 that transforms Sandboxie from a secure isolation environment into an Application Compartment mode, prioritizing compatibility over security.
Usage
Syntax
Where:
- `y` enables compartment mode.
- `n` (default) maintains security isolation.
How It Works
When enabled, the driver sets bAppCompartment = TRUE, fundamentally changing Sandboxie's operation by:
- Bypassing token filtering: Both primary and impersonation tokens remain unmodified [1][2][3]
- Excluding Job Objects: Processes avoid Windows Job Object restrictions [4]
- Relaxing path controls: Default security-oriented path blocking is disabled [5]
Feature Matrix
| Feature | Standard Sandbox | Application Compartment |
|---|---|---|
| File System Virtualization | ✓ | ✓ |
| Registry Virtualization | ✓ | ✓ |
| Object Namespace Isolation | ✓ | ✓ |
| Process Monitoring | ✓ | ✓ |
| Token-Based Security | ✓ | ✗ |
| Privilege Restrictions | ✓ | ✗ |
| Job Object Assignments | ✓ | ✗ |
| Security Path Blocking | ✓ | ✗ |
Path Control Changes
In Application Compartment mode, three key path behaviors are automatically disabled [5]:
- `AlwaysCloseForBoxed`: Boxed processes can access normally blocked paths [6].
- `DontOpenForBoxed`: Open path rules apply equally to all processes [7].
- `ProtectHostImages`: Host binary protection is relaxed [8].
Compatibility & Integration
Automatic Activation
- Unsupported Windows builds: Automatically enabled with warning MSG_1207 [11].
- Sandboxie Plus box types: Pre-configured in `Application Compartment` and `Application Compartment with Data Protection`.
Enhanced Compatibility
- Processes interact freely with the host system.
- Reduced conflicts with privilege-dependent applications.
- Better support for complex software and development tools.
Security Implications
Important
Application Compartment mode significantly reduces security isolation:
- Processes run with their original security context and privileges.
- No token-based protection or privilege dropping.
- The sandbox provides virtualization but not a security boundary.
Related Settings
Complementary
- NoSecurityFiltering: Further disables filtering [9].
- OriginalToken: Auto-enabled in compartment mode.
- Template Paths: `TemplateAppCPaths` are applied [10].
Job Object Limits (Disabled)
These settings become ineffective due to Job Object exclusion:
- `ProcessNumberLimit`
- `ProcessMemoryLimit`
- `TotalMemoryLimit`
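A configuration audit for the settings above, as an added example that is not part of the Sandboxie documentation or code base: it reads Sandboxie.ini text and lists, for each box with `NoSecurityIsolation=y`, the settings this page says stop protecting it. It assumes settings are written directly in the box section (inherited global or template values are not resolved), and the sample configuration and box names are constructed.

```python
# Added example; assumption: only keys written directly in a box section are inspected.
JOB_LIMITS = ("ProcessNumberLimit", "ProcessMemoryLimit", "TotalMemoryLimit")
PATH_GUARDS = ("AlwaysCloseForBoxed", "DontOpenForBoxed", "ProtectHostImages")
NON_BOX = ("GlobalSettings", "UserSettings_", "Template_")  # sections that are not boxes

def parse_sections(text):
    """Return {section: [(key, value), ...]}; keys may repeat in Sandboxie.ini."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Map each compartment-mode box to the settings that no longer protect it."""
    findings = {}
    for name, pairs in parse_sections(text).items():
        if name.startswith(NON_BOX):
            continue
        keys = {k.lower(): v.lower() for k, v in pairs}
        if keys.get("nosecurityisolation") != "y":
            continue  # default is n: security isolation stays on
        notes = [f"{k} has no effect (no Job Object)" for k in JOB_LIMITS if k.lower() in keys]
        notes += [f"{k}=y is ignored" for k in PATH_GUARDS
                  if keys.get(k.lower()) == "y"]
        if keys.get("nosecurityfiltering") == "y":
            notes.append("NoSecurityFiltering=y is active")
        findings[name] = notes
    return findings

# Constructed sample configuration (box names are made up).
SAMPLE = """\
[DefaultBox]
Enabled=y
ProcessNumberLimit=20
[DevTools]
Enabled=y
NoSecurityIsolation=y
ProcessNumberLimit=20
ProtectHostImages=y
NoSecurityFiltering=y
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```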
Use Cases & Troubleshooting
When to Enable:
- Software testing and development environments.
- Legacy applications requiring full system privileges.
- Token restriction compatibility issues.
- Virtualization-only scenarios (file/registry separation).
Common Triggers:
- Applications failing to start due to token restrictions.
- Administrative privilege requirements.
- Complex software compatibility issues.
Related
- Sandboxie Plus: Sandbox Options > Security Options > Security Isolation
- Box Types
- DropChildProcessToken
1. Token Bypass: `Token_ReplacePrimary` returns `TRUE` when `proc->bAppCompartment` is set, bypassing all token filtering operations.
2. Primary Tokens: Left unmodified in `token.c` when Application Compartment mode is active.
3. Impersonation Tokens: `Thread_CheckTokenForImpersonation` returns `STATUS_SUCCESS` without restrictions when `proc->bAppCompartment` is enabled.
4. Job Object Exclusion: Condition `new_proc->bAppCompartment` in `process.c` excludes processes from Windows Job Objects.
5. Path Handling: Three behaviors disabled in `process.c`: `always_close_for_boxed`, `dont_open_for_boxed`, and `protect_host_images`.
6. AlwaysCloseForBoxed: `proc->always_close_for_boxed = !proc->bAppCompartment && Conf_Get_Boolean(...)` ensures boxed processes aren't blocked from normally closed paths.
7. DontOpenForBoxed: `proc->dont_open_for_boxed = !proc->bAppCompartment && Conf_Get_Boolean(...)` allows equal path rule application.
8. ProtectHostImages: `proc->protect_host_images = !proc->bAppCompartment && Conf_Get_Boolean(...)` disables host binary protection.
9. Security Filtering: `no_filtering = proc->bAppCompartment && Conf_Get_Boolean(..., L"NoSecurityFiltering", ...)` enables complete filtering bypass.
10. Template Paths: `Process_GetPaths(proc, list, L"TemplateAppCPaths", setting_name, FALSE)` applies compartment-specific template paths.
11. Auto Fallback: `!Dyndata_Active && !proc->bAppCompartment` triggers automatic compartment mode with `Log_Msg1(MSG_1207, info)`.