In certain scenarios, especially when software is not built for multi-user environments, it is helpful if we can "sandbox" files or registry keys.

This kind of software often writes into the registry under HKLM and/or into file locations such as Program Files or ProgramData, instead of writing user data into HKCU and the user's AppData.


Sandboxing lets us virtualize certain directories, files or registry keys so that writes are redirected into the user's AppData instead of going to the original location.


Example:

Let's assume a piece of software writes its (user) settings to C:\ProgramData\MyDesktopSoftware\Settings\settings.conf. We can then set the following PowerTag:

!SANDBOX=FILES\%Common AppData%\MyDesktopSoftware\Settings=isolated 

With this PowerTag, every user saves settings to the settings file above, but independently: the write is redirected into that user's AppData, so one user does not overwrite the settings of another user even though it looks as if they are writing to the same location.


The same would happen if the software writes its settings to HKLM\Software\MyDesktopSoftware\Settings in the registry. In this case the PowerTag would be:

!SANDBOX=REGISTRY\MACHINE\SOFTWARE\MyDesktopSoftware\Settings=isolated

THIS WILL BE DEPRECATED BY BEGINNING OF 2024


Multiple locations:
You can define multiple locations by separating them with a double comma (note: ,,):

!SANDBOX=FILES\C_\MYPROG\DATA=isolated,,FILES\E_\MYPROG=isolated 


Applications:

You can also define an executable:

!SANDBOX=FILES\C_\MYPROG\myprog.exe=isolated

This part is not tested, and I don't know yet if it works and, if yes, what it does.


Mode:

There are two modes:
isolated: just isolates the folder, file or registry key (reads from the original location if there is no sandboxed version)
strictly: does not even read from the original location, only from the sandboxed version


User's AppData:

All changes to files are written into the user's %AppData%\VOS\VirtPlaceholder\CHANGES and can therefore be fully user-persistent (across servers).



Whenever possible, you should use variables instead of plain paths. For this, use the Cameyo variables below.


If you use plain paths you have to replace the colon (:) with an underscore (_):
!SANDBOX=FILES\C_\Data=isolated



Cameyo variables:

Variable               Example of target location

%Program Files%        C:\Program Files
%System%               C:\Windows\System32
%Windows%              C:\Windows
%Fonts%                C:\Windows\Fonts
%Common Startup%       C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%Common Programs%      C:\Documents and Settings\All Users\Start Menu\Programs
%Common StartMenu%     C:\Documents and Settings\All Users\Start Menu
%Common AppData%       C:\Documents and Settings\All Users\Application Data
%Common Desktop%       C:\Documents and Settings\All Users\Desktop
%Common Profile%       C:\Documents and Settings\All Users
%Local AppData%        C:\Documents and Settings\user\Local Settings\Application Data
%Startup%              C:\Documents and Settings\user\Start Menu\Programs\Startup
%Programs%             C:\Documents and Settings\user\Start Menu\Programs
%AppData%              C:\Documents and Settings\user\Application Data
%Desktop%              C:\Documents and Settings\user\Desktop
%Favorites%            C:\Documents and Settings\user\Favorites
%SendTo%               C:\Documents and Settings\user\SendTo
%Templates%            C:\Documents and Settings\user\Templates
%NetHood%              C:\Documents and Settings\user\NetHood
%Recent%               C:\Documents and Settings\user\My Recent Documents
%MyVideo%              C:\Documents and Settings\user\My Documents\My Videos
%MyPictures%           C:\Documents and Settings\user\My Documents\My Pictures
%Personal%             C:\Documents and Settings\user\My Documents
%Internet Temp%        C:\Documents and Settings\user\Temp\Temporary Internet Files
%Internet History%     C:\Documents and Settings\user\History
%Profile%              C:\Documents and Settings\user
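
Added example (not Cameyo's own code): a small Python helper that builds the !SANDBOX value from ordinary Windows paths using the rules on this page: variable substitution, colon-to-underscore for plain paths, HKLM mapped to REGISTRY\MACHINE, and the double-comma separator. The function names are hypothetical, and the prefix table is limited to four locations and assumes %Common AppData% corresponds to C:\ProgramData, as in the example near the top of this page.

```python
MODES = {"isolated", "strictly"}  # the two modes named on this page

# Path prefixes and the Cameyo variable that replaces them (taken from this
# page's example and table; a deliberately short, assumed subset).
VARIABLES = {
    r"C:\ProgramData": "%Common AppData%",
    r"C:\Program Files": "%Program Files%",
    r"C:\Windows\System32": "%System%",
    r"C:\Windows": "%Windows%",
}
HKLM_PREFIXES = ("HKLM\\", "HKEY_LOCAL_MACHINE\\")


def sandbox_entry(location, mode="isolated"):
    """Translate one file path or HKLM key into a single PowerTag entry."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    loc = location.strip().rstrip("\\")
    # Defensive check: these would be ambiguous inside the PowerTag value.
    if ",," in loc or "=" in loc:
        raise ValueError(f"{location!r} contains PowerTag syntax characters")
    upper = loc.upper()
    for prefix in HKLM_PREFIXES:
        if upper.startswith(prefix):
            return f"REGISTRY\\MACHINE\\{loc[len(prefix):]}={mode}"
    if upper.startswith("HK"):
        raise ValueError("only HKLM keys are covered by this page")
    # Longest prefix first, so C:\Windows\System32 becomes %System%
    # rather than %Windows%\System32.
    for prefix in sorted(VARIABLES, key=len, reverse=True):
        # Match whole path components only: C:\WindowsOld is not C:\Windows.
        if upper == prefix.upper() or upper.startswith(prefix.upper() + "\\"):
            return f"FILES\\{VARIABLES[prefix]}{loc[len(prefix):]}={mode}"
    if len(loc) < 2 or loc[1] != ":" or not loc[0].isalpha():
        raise ValueError(f"{location!r} is not an absolute drive path")
    # Plain path: the colon after the drive letter becomes an underscore.
    return f"FILES\\{loc[0]}_{loc[2:]}={mode}"


def sandbox_powertag(locations, mode="isolated"):
    """Join all entries with the double-comma separator."""
    return "!SANDBOX=" + ",,".join(sandbox_entry(l, mode) for l in locations)


if __name__ == "__main__":
    # Constructed sample input mirroring the examples on this page.
    print(sandbox_powertag([r"C:\MYPROG\DATA", r"E:\MYPROG"]))
    print(sandbox_powertag([r"HKLM\SOFTWARE\MyDesktopSoftware\Settings"]))
```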