Chroot for Windows
Chroot is a popular Linux tool that allows you to run a program that cannot access files outside of a specific file system folder tree. Now, using undocumented features, a native Windows version is available that doesn't require the usage of Cygwin or any additional software.
Due to the differences between the Windows and Linux operating systems, this version provides a bit more flexibility than that provided, and indeed required, by the original. For one, you can choose how severely to chroot a program, blocking off access to one, a few or all of the drives present in your computer configuration.
Version 2.0 also allows redirection of registry accesses, to further jail and isolate the process.
Usage: chroot rootDir [options] program args
Where [options] can be none, one, or more of these:
-h Shows this help
-v Shows the version banner
-a Run 'program' as an anonymous user
-rp Persist created registry keys across reboots
Note -a and -u cannot both be defined. If neither is defined
'program' will be run as the user running chroot
e.g. to allow 'program' to access drives C: and D: as normal
the format of the option would be -f cd
In registry redirection:
equivalent to -rlm
When the -rf option is specified, keys for the 4 branches (Machine, Users,
ClassesRoot and CurrentUser) are created automatically under the specified
path. By default these keys exist only until you reboot the computer.
To make them persistent across reboots, use the -rp flag
Valid registry path prefixes are HKLM for Local Machine, HKU for Users
HKCU for Current_User and HKCR for Classes_Root. Example registry options:
'rootDir' and 'program' can contain environment variables.
Since any process can chroot any other it has access to without any special privileges, there's no ultimate guarantee that a rooted process will stay rooted. While that is true, it is by no means a common occurrence.
Unlike the Windows default of un-chrooting children of rooted processes, Chroot 2.0 now ensures that children don't break free. This is a change from version 1 which left children to their own devices.
A third limitation is that, unlike Linux, you can't use this tool to create a second 'version' of Windows in the new root directory. This is due to the effects of both a) KnownDLL loading, which overrides the jail, and b) the volatile, numbered nature by which system calls are made.
Because of the way processes start under Windows, it is impossible to redirect all registry accesses until after a certain point. This applies mainly to OS components such as ntdll and kernel32 but extends to the DllMain routines (startup code) of all statically linked DLLs. Any accesses made after this (including usage of keys opened before) are trapped.
Without the correct entries in the new location, redirecting HKEY_LOCAL_MACHINE will lead to failures in some APIs which use the registry to find DLL paths. This is mainly a problem for tools that work with DACLs using the advapi32 security API.
How it Works
The tool works by running and pausing the requested program, changing what it sees as the location of the file system drives, and then letting it go on its way. This is achieved via the use of device maps; there is a more in-depth technical blog posting on the process and how it works here. Registry redirection is achieved by hooking the system registry functions and providing modified versions of them.
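The drive remapping described above can be checked from inside a process. The following is an added example, not part of the Chroot for Windows download: it uses the documented QueryDosDevice API to list what each drive letter resolves to for the current process, and compares that with a normal run. The -Baseline parameter and the saved baseline file are assumptions made for this example.

```powershell
# Added example, not shipped with Chroot for Windows.
# Lists what each drive letter resolves to for THIS process, so the same
# script can be run normally and again as the jailed 'program'.
param(
    [string]$Baseline   # assumed: CLIXML file saved from a normal (un-jailed) run
)

$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
$k32 = Add-Type -MemberDefinition $sig -Name DeviceMap -Namespace JailCheck -PassThru

function Get-DriveMapping {
    foreach ($letter in [char[]](65..90)) {           # A..Z
        $drive = "${letter}:"
        $buf   = New-Object System.Text.StringBuilder 1024
        # Returns 0 when the name does not exist in the caller's DOS device namespace.
        $len   = $k32::QueryDosDevice($drive, $buf, [uint32]$buf.Capacity)
        [pscustomobject]@{
            Drive  = $drive
            Target = if ($len -gt 0) { $buf.ToString() } else { $null }
        }
    }
}

$now = Get-DriveMapping
if (-not $Baseline) {
    $now          # emit objects so the caller can pipe them to Export-Clixml
    return
}

# Index the normal run by drive letter for comparison.
$before = @{}
foreach ($row in Import-Clixml -Path $Baseline) { $before[$row.Drive] = $row.Target }

foreach ($row in $now) {
    $old = $before[$row.Drive]
    if (-not $old -and -not $row.Target) { continue }  # letter unused in both runs
    $state = if ($row.Target -eq $old) { 'unchanged' } elseif (-not $row.Target) { 'hidden' } else { 'changed' }
    [pscustomobject]@{ Drive = $row.Drive; State = $state; Normal = $old; Jailed = $row.Target }
}
```

Run it once normally and pipe the output to Export-Clixml, then run it again as the jailed program with -Baseline pointing at that file. Going by the description of -f above, drive letters passed to -f would be expected to report as unchanged.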
The download includes both x86 and x64 binaries. On 32-bit Windows, only the 32-bit versions are required. On 64-bit Windows, both sets of binaries are required.
Size: 357 KB