SBIE2225
Message: SBIE2225 An attempt was made to access an EFS file: %2
Severity: Warning
Description
This message is logged when Sandboxie detects that a sandboxed process attempted to access a file protected by Windows Encrypting File System (EFS), and the attempt was blocked or could not be proxied.
The message includes the path of the attempted file access. In many cases this indicates a configuration or certificate issue preventing EFS access from being granted to the sandboxed process.
Typical Causes
- The sandbox setting EnableEFS is not enabled for the box.
- An advanced supporter certificate with the encryption feature is not present or not active.
- The attempted path is not eligible for EFS proxying (for example, it does not reside on a supported device path).
- Proxy operation failed due to permission, matching, or handle-duplication errors in the UserServer component.
What Sandboxie Does
- Detects EFS-protected files during file open/create operations.
- If EnableEFS is configured and the supporter certificate includes the encryption feature, Sandboxie attempts to perform the file operation by proxying the request to the UserServer service and duplicating a handle back to the sandboxed process.
- If proxying fails, or EnableEFS is not permitted, Sandboxie logs SBIE2225 and denies the sandboxed process access to the file.
Suggested Actions
- Verify the sandbox has EnableEFS=y in the box section of Sandboxie.Ini or via the Sandboxie settings UI. [1]
- Ensure an advanced supporter certificate is installed and active, and that it includes the encryption option (opt_enc). [2]
- Check that the target path is on a supported device (typically \Device\HarddiskVolume*). [3]
- If you expect EFS access to work but it does not, enable driver/file tracing and collect logs to help diagnose proxy failures (see TraceLog and EnableEFS docs). [4]
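The first three checks above can be run against a logged message as follows. This is an added example, not code from Sandboxie: the function names, the sample ini and the sample message are constructed, the certificate state is supplied by the caller as two booleans, and the case-insensitive prefix match is an assumption.

```python
import re

# Prefix the page gives for paths eligible for EFS proxying.
SUPPORTED_PREFIX = "\\Device\\HarddiskVolume"

def box_settings(ini_text, box):
    """Collect key -> [values] for one [box] section; keys may repeat."""
    settings, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == box.lower() and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings

def path_from_message(message):
    """Extract the %2 path from an SBIE2225 message line, or None."""
    m = re.search(r"SBIE2225 .*?EFS file:\s*(.+)$", message.strip())
    return m.group(1) if m else None

def triage(message, ini_text, box, cert_active, cert_opt_enc):
    """Return the applicable 'Typical Causes', in the page's order."""
    path = path_from_message(message)
    if path is None:
        return ["not an SBIE2225 message"]
    causes = []
    values = box_settings(ini_text, box).get("enableefs", [])
    if "y" not in [v.lower() for v in values]:
        causes.append("EnableEFS is not enabled for the box")
    if not (cert_active and cert_opt_enc):
        causes.append("supporter certificate missing, inactive, or without opt_enc")
    # Case-insensitive comparison is an assumption of this example.
    if not path.lower().startswith(SUPPORTED_PREFIX.lower()):
        causes.append("path is not on a supported device")
    return causes or ["settings look correct: collect trace logs for a proxy failure"]

# Constructed sample input, not taken from a real system.
SAMPLE_INI = """[DefaultBox]
Enabled=y
OpenFilePath=C:\\Work\\*
OpenFilePath=C:\\Docs\\*
[EfsBox]
Enabled=y
EnableEFS=y
"""
SAMPLE_MSG = "SBIE2225 An attempt was made to access an EFS file: \\Device\\HarddiskVolume3\\Users\\alice\\secret.docx"
```

When `triage` reports that the settings look correct, the remaining cause on the list is a proxy failure in UserServer, which is the case the tracing step is for.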
Related Messages and Settings
- SBIE6004 — Supporter certificate missing or insufficient. [2]
- EnableEFS — contains an extended explanation, examples, and additional footnotes reused above.
- TraceLog - displays the names of any system resources that are accessed by programs running under the supervision of Sandboxie.
Implementation Notes and Footnotes
The following notes reference implementation points in the Sandboxie source. They are intended for maintainers and advanced users who want to trace how SBIE2225 is generated.
1. EnableEFS is the box-level setting described in EnableEFS. When enabled, Sandboxie allows EFS proxying for sandboxed processes.
2. Certificate checks are performed in the UserServer path when attempting proxy operations; the code verifies both CertInfo.active and CertInfo.opt_enc before allowing EFS proxying. If the certificate check fails, proxy requests are rejected, which can lead to SBIE6004 or SBIE2225 being logged.
3. The UserServer restricts proxy operations to paths that begin with \Device\HarddiskVolume (hard disk volumes). Requests outside these device paths are not eligible for EFS proxying.
4. SBIE2225 is logged when File_NtCreateFileProxy() or related proxy code fails while attempting to service an EFS access request. The error is emitted by SbieApi_Log(2225, TruePath) in the proxy path.