CoverBoxedWindows does not fully protect sandboxed windows from Zoom's screen capture

[e-t-l]

Describe what you noticed and did

1. Create a standard Yellow sandbox with the CoverBoxedWindows=y config.
2. Install the Zoom Workplace program.
3. Launch Zoom (unsandboxed) and start a Zoom meeting.
4. Open some program (e.g. Explorer) in the "protected" Yellow sandbox.
5. In Zoom, click the green "Share Screen" button.
6. You will see that Zoom can capture the "protected" sandboxed Explorer window.

How often did you encounter it so far?

Reliably.

Expected behavior

The CoverBoxedWindows setting should prevent ALL programs from capturing the windows of programs in that sandbox.

Affected program

Zoom

Download link

https://zoom.us/support/download

Where is the program located?

The program is installed only outside the sandbox.

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

Sandboxie Plus 1.16.2 64-bit

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression from previous versions?

not to my knowledge

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Windows 11 Enterprise 24H2

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

N/A

Did you previously enable some security policy settings outside Sandboxie?

N/A

Trace log

No response

Sandboxie.ini configuration

Literally just a default yellow box from a clean install of Sandboxie, plus the added config CoverBoxedWindows=y.

[e-t-l]

A strange detail I just noticed: I currently have Firefox and Brave running in the protected sandbox. Windows 11's built-in Screen Snipping Tool, I cannot capture Firefox's window, but I can capture Brave's window. They are running in the same sandbox and neither are running elevated.

But the main concern is still that Zoom can capture ALL windows in the sandbox, including Firefox (as well as other more sensitive windows, like KeePassXC)

[offhub]

Enable the following¹ feature from the SandMan interface settings and restart SandMan. After restarting, try recording the SandMan interface using Zoom. If you are able to record it, this means that Zoom is using a lower-level method for screen capturing. In that case, the issue is not caused by Sandboxie, since the CoverBoxedWindows setting relies on the Windows API. The fact that this setting does not work properly in Chromium-based browsers is a known issue. #4302

Footnotes

1. SandMan > Options > Global Settings > Interface Config > Interface Options > Graphic Options > Hide SandMan windows from screen capture (UI restart required) ↩

[offhub]

You can also try after disabling sandboxed applications' access to Zoom and GPU-related files on the host. See #4740.

[e-t-l]

Enable the following1 feature from the SandMan interface settings and restart SandMan. After restarting, try recording the SandMan interface using Zoom. If you are able to record it, this means that Zoom is using a lower-level method for screen capturing. In that case, the issue is not caused by Sandboxie, since the CoverBoxedWindows setting relies on the Windows API. The fact that this setting does not work properly in Chromium-based browsers is a known issue. #4302

Footnotes

1. SandMan > Options > Global Settings > Interface Config > Interface Options > Graphic Options > Hide SandMan windows from screen capture (UI restart required) [↩](#user-content-fnref-1-7ba00bb55cb3a75099944b7ccedded51)

I followed your instructions to enable that setting and when I clicked "Okay" the Sandman window disappeared, so I believe it restarted the UI automatically when saving that setting. Unfortunately, Zoom could still capture the Sandman window.

You can also try after disabling sandboxed applications' access to Zoom and GPU-related files on the host. See #4740.

If I understand you correctly, I don't believe that would help, because Zoom is not sandboxed in this scenario. Sandboxed apps do not have access to Zoom or the GPU, and I don't mind if they do; I want to prevent *unsandboxed Zoom* from accessing the sandboxed windows.

[e-t-l]

Here is something curious that I didn't try initially: If you follow the steps in the original issue, you will see that Zoom displays all desktop windows (including protected sandboxed windows) as options to share. However, if you actually start screen sharing one of those protected windows, it will be invisible and so cannot be shared!

So, it looks like the box protection is mostly working as expected, but Zoom is able to take some sort of "snapshot" of window contents that it displays on the Share Screen selection page.

EDIT: I had a hypothesis that Zoom was using the Explorer shell's window previews (like you see when hovering over a taskbar icon), but after disabling taskbar previews and restarting, Zoom is still able to capture those window snapshots, so it must be doing it using some other method.