Status: Assigned
OS: Windows
Pri: 2
Type: Feature

[Windows Sandbox] Enable new process mitigations
Project Member Reported by, Jul 31
New ticket to track a chunk of mitigation updates.  I'll keep this description updated.

Project Member Comment 1 by, Aug 8
The following revision refers to this bug:

commit 9e9ae5c744fa28bd50a3e7bb18d4f51016e560a2
Author: Penny MacNeil <>
Date: Tue Aug 08 01:35:38 2017

[Windows Sandbox] MS-signed binaries only, post-startup.

Enable MITIGATION_FORCE_MS_SIGNED_BINS post-startup (after warmup) on
all sandboxed child processes.  Any third-party modules must be loaded
at process startup.

Also includes a temporary emergency off switch. "WinSboxForceMsSigned" can be used on the command line to disable the block.

(Aside: this CL also removes the old emergency off switch around MITIGATION_EXTENSION_POINT_DISABLE - for child processes.)

TEST= sbox_integration_tests.exe, ProcessMitigationsTest.*

Change-Id: I638aebade28ff42743b07d885dff8230a1e25c49
Commit-Queue: Penny MacNeil <>
Reviewed-by: Will Harris <>
Reviewed-by: Charlie Reis <>
Cr-Commit-Position: refs/heads/master@{#492495}

First hit canary in M62, branch 3180, 08 Aug 2017. (62.0.3180.x)
Here are the steps I used on Chrome Dev channel 62 since Beta was still on release 61. 

Start ZoomText (64-bit) - I used Zoom Level 2.25
Start Google Chrome 62.0.3202.9 (Official Build) dev (64-bit) (cohort: Dev)
Fonts appear to be smooth, no anomalies seen. 
Note the following messages appeared. I didn't follow any of the instructions except opening ZoomText first for this specific test.