Use File Image
UseFileImage is a sandbox setting in Sandboxie Ini (introduced in v1.11.0 / 5.66.0) that replaces the standard file system storage with a file-backed virtual disk image as the sandbox root directory.
Warning
Configure this setting on a per-sandbox basis. Applying it globally will force all sandboxes to use file images, which may break existing sandboxes that rely on standard file system storage or cause compatibility issues with non-encrypted sandbox configurations.
Note
This setting requires an active advanced supporter certificate.
Prerequisites
-
Install the ImDisk Toolkit via the Add-Ons Manager > Optional Add-Ons tab in Global Settings.
Usage
When this setting is enabled, the Sandboxie service creates a virtual disk image file with extension .box
. The image file path is determined by the service1 which appends .box
to the sandbox's file root2 path. The sandbox file system is then mounted from this image using the ImDisk virtual disk driver through the mount manager3. All file I/O operations within the sandbox are redirected to the mounted image rather than creating files directly on the host file system.
Password protection and header backup/restore operations are available through the SandMan GUI or the ImBox command-line utility.
SandMan GUI
Setting Password
- Right-click on the sandbox in SandMan >
Sandbox Options
. - Navigate to
File Options
tab. - Enable the
Encrypt sandbox content
. - (Optional) Enable the
Force protection on mount
-
Click the
Set Password
button. -
Enter and confirm password in the dialog.
Changing Password
- Right-click on the sandbox in SandMan >
Sandbox Options
. - Navigate to
File Options
tab. -
Click the
Change Password
button. -
Enter current password in the dialog.
-
Enter new password and confirm password in the dialog.
Header Backup
- In sandbox options
File Options
tab. - Click the down arrow next to
Change Password
button. -
Select
Backup Header
from dropdown menu. -
Choose location to save
.hdr
file. - Header is exported using ImBox utility4.
Header Restore
- In sandbox options
File Options
tab. - Click the down arrow next to
Change Password
button. -
Select
Restore Header
from dropdown menu. -
Select previously saved
.hdr
file. - Header is imported using ImBox utility4.
Mounting Box Image
- Right-click on the sandbox in SandMan.
-
Select
Mount Box Image
from the context menu. -
Enter the password when prompted.
-
(Optional) Enable
Protect Box Root from access by unsandboxed processes
to prevent unsandboxed programs from accessing the encrypted sandbox content. -
(Optional) Enable
Lock the box when all processes stop
to automatically unmount the image when the last sandboxed program terminates.
-
Note
The image is automatically mounted when starting any program from the sandbox via the UI.
Unmounting Box Image
-
Right-click on the sandbox in SandMan.
-
Select
Unmount Box Image
from the context menu.
Warning
Unmounting the image will terminate all running programs within the sandbox.
Best Practices
- Manually close programs before unmounting when possible.
- Ensure no critical processes are running in the sandbox.
Command Line Operations
- Using
ImBox.exe
for advanced image management:
# Backup header
ImBox.exe type=image image="C:\Sandbox\DefaultBox.box" backup="C:\Sandbox\backup.hdr"
# Restore header
ImBox.exe type=image image="C:\Sandbox\DefaultBox.box" restore="C:\Sandbox\backup.hdr"
- Using
Start.exe
for image mounting/unmounting operations.
Image mounting is handled by the service which verifies driver capabilities before attempting to mount the virtual disk. If the driver does not support encrypted containers or mounting fails, the sandbox will not start and an error is logged.
Technical Notes
- Requires ImDisk driver support for encrypted image containers.
- Mutually exclusive with UseRamDisk.
- Header corruption can render encrypted images unrecoverable - always maintain header backups.
- Maximum image size limited by available disk space and driver constraints.
- Command-line mounting operations handled by
Start.exe
withmount
andmount_protected
switches5.
Related Sandboxie Ini, ForceProtectionOnMount, UseRamDisk, FileRootPath, StartCommandLine
-
MountManager::GetImageFileName
- determines image file path. ↩ -
File root is the base directory where sandbox files are stored, configured via
FileRootPath
setting. ↩ -
MountManager::AcquireBoxRoot
- handles image mounting process. ↩ -
GUI operations implemented in
COptionsWindow::OnSetPassword
,COptionsWindow::OnBackupHeader
, andCOptionsWindow::OnRestoreHeader
. ↩↩ -
Command-line mounting switches implemented in
Sandboxie\apps\start\Start.cpp
-mount
andmount_protected
parameters for programmatic image mounting operations. ↩