What are the different statuses on the trace log in monitor mode?

[michaelbui21]

I'm running a privacy enhanced box but I also want access to ProgramFiles and all its child directories blocked so I made a file access rule specifically only giving box-access to "C:\Program Files (x86)*". While running the trace log for file access in monitor mode, I noticed that the access to \Device\HarddiskVolume3\Program Files (x86) had an X status but there were multiple entries in the log to child directories within ProgramFiles that had no status at all; the field was empty.
I assume having a status of X means that access was denied and O means that it was allowed. What does having no status mean? Is the program still getting access to child directories within ProgramFiles even though access to the main directory was denied?

[DavidXanatos]

O measns full access, nothing means read access only, X means blocked, although there may be a fake access granted that looks th the boxed process like having one without actually having one

[michaelbui21]

So are you saying that even though I have a rule giving box access only to the file path "C:\Program Files (x86)*", the boxed process is still getting read only access to my host files for Program Files' child directories?

Or are you saying that an empty status in the monitor log has no way to differentiate between the boxed process having read access to the host files and it having read access to the boxed files only?

[michaelbui21]

I should have clarified. The rule I have had since the beginning is WriteFilePath=C:\Program Files\* and WriteFilePath=C:\Program Files (x86)\*

the rule with an * at the end applyes to the directory and all child directories.
So your setting actually allows that access

Which access to what? Please clarify. This is very ambiguous to me.

To clarify my goal: I want to have the boxed process able to read and write to the duplicates of those directories within the sandbox, but not read my files in those directories outside the sandbox.

If you have set a Box Only (Write Only) rule for the C:\Program Files (x86) path, you have done the opposite of what you want to do.

Have I? It is my understanding that Box Only (Write Only) grants read/write access to the duplicates of those directories within the sandbox but blocks read/write access to those directories outside the sandbox. This is what I want. Am I mistaken in this?

Program Files locations are accessible by default. So you don't need to specifically grant read access to them.

I know that it is the default and I am trying to revoke read access to them outside of the sandbox by creating a rule to override the default one.

In your case, the following rule is sufficient.
Box Only (Write Only)
WriteFilePath=C:\Program Files\*

I am confused at the fact that you just told me I am doing the opposite of what I'm trying to do by using Box Only (Write Only), but also to keep doing it.

What I'm seeing on the monitor log is that C:\Program Files\ has an X status, but C:\Program Files\Test has an empty status. Does this mean that the boxed process was given read access to C:\Program Files\Test outside of the sandbox (I don't want this) or was it given read access to a duplicate within the sandbox (I want this)?
Or are you telling me the monitor log can't differentiate between the two?

[offhub]

I should have clarified. The rule I have had since the beginning is WriteFilePath=C:\Program Files* and WriteFilePath=C:\Program Files (x86)*

Sorry, I misunderstood your first post. You wanted to block access to both real locations. Then it's fine to use WriteFilePath for both locations.

What I'm seeing on the monitor log is that C:\Program Files\ has an X status, but C:\Program Files\Test has an empty status. Does this mean that the boxed process was given read access to C:\Program Files\Test outside of the sandbox (I don't want this)

If WriteFilePath is defined, data in the real location cannot be accessed from the sandbox.

was it given read access to a duplicate within the sandbox (I want this)?

Yes, it was.

are you telling me the monitor log can't differentiate between the two?

You can see it as a "Trace" if you enable "File Trace" in the "Tracing" tab under "Advanced Settings" in the "Sandbox Options".

|Process|                               |Type|     |Status|   |Value|                                                                                                

cmd.exe - File (U)              \Device\HarddiskVolumeX\Program Files\Test                                                             
cmd.exe - File (K)   Trace      \Device\HarddiskVolumeY\Sandbox\user\New_Box\drive\C\Program Files\Test (FA) 001000A0.01.00000021   

[michaelbui21]

Thank you for clarifying!

I want to make sure I understand what the various Type - Status means when I'm looking at the trace log. The documentation you linked seems to refer to the classic version of the trace program and the formatting it documents is no longer representative of how the log looks in Sandboxie Plus.
File (U) - empty status field - what the boxed program wanted access to
File (K) - Trace - what sandboxie redirected the boxed program's access to
File (K) - Closed - what sandboxie denied the boxed program's access to
Is this correct? If I filtered the log by Status - Other, that would give me all the file locations that the program wanted access to right?

[DavidXanatos]

(U) - user Mode log entry created by sbiedll
(K) - kernel mode log entry created by sbiedrv

[michaelbui21]

I don't really understand what that means so it doesn't answer my questions.