Runtime Settings
The behaviour of containers and images can be modified by changing VM settings at runtime.
Effect the settings below using the --enable=VALUE
or --disable=VALUE
flags with the turbo run
or turbo build
command. For standalone executables, use the /XEnable=VALUE
and /XDisable=VALUE
flags.
# Example
turbo run --enable=IsolateWindowsClasses nodejs cmd
Altering VM settings for a container will override the settings of the base image(s).
Flag |
Default |
Persisted to Images |
Behavior |
---|---|---|---|
BootstrapWait |
Disabled |
No |
Forces the bootstrap process to remain alive even if otherwise would be terminated after spawning startup files. Useful if maintaining the process tree hierachy is required. |
ChromiumSupport |
Disabled |
Yes |
Enables support for the Chromium sandbox (used in Google Chrome, Microsoft Edge, etc). |
DEPCompat |
Disabled |
Yes |
Enables compatibility for systems with Data Execution Protection (DEP) enabled. Enable this setting for containerized applications running on Windows 2003. |
DRMCompat |
Disabled |
Yes |
Enables additional compatibility with common DRM systems such as Armadillo. |
FaultExecutables |
Disabled |
Yes |
Forces all executable files to be faulted into the application container. |
HonorWow6464Access |
Enabled |
Yes |
Grants registry access to 32-bit applications snapshotted and running on 64-bit operating systems. |
IndicateElevated |
Disabled |
Yes |
Forces an application to run as if it has elevated security privileges even if the application does not. Enabling this setting will also eliminate UAC security prompts for elevation and subsequent application crashes. |
IsolateWindowsClasses |
Enabled |
Yes |
Prevents a containerized process from viewing window classes that are registered by external processes. You can use this to prevent interaction between containerized and non-containerized versions of the same program when the application checks for existing class registrations. |
MergeStartupDir |
Disabled |
Yes |
If executing a shell operation, instead of setting isolation level to Merge for the startup file only, set it for its parent folder and all subfolders except well-known root folders. |
PeriodicRegFlush |
Disabled |
No |
Enables a container's registry to be periodically flushed to disk storage. |
ReadOnly |
Disabled |
Yes |
Any attempts to write to a file or registry value will result in an access denied error code. |
ReadShare |
Disabled |
Yes |
Forces any files opened within the container to open with the `READ_SHARE` flag. Enabling this setting may help resolve compatibility issues caused by sharing violations. |
ShutdownProcTree |
Disabled |
Yes |
Forces all child processes in the container to shutdown when the root process exits. |
SpawnComServers |
Enabled |
Yes |
Forces any COM servers to be isolated from the host device. By default, COM servers are created outside the virtual environment to allow COM communication between containerized processes and native applications. |
SpawnVM |
Enabled |
Yes |
Forces all child processes of a container to be launched inside the container with access to the virtual environment. |
SuppressPopups |
Enabled |
Yes |
Suppresses any error popup dialogs that the virtual environment generates during application runtime. |
UseDllInjection |
Disabled |
No |
Launches container processes using DLL injection rather than stub-executables. This can be used to mitigate security false positives or eliminate other maintaince caused by stub-executables. If 64-bit processes are being spawned in the container then must use a 64-bit bootstrap executable. |
Standalone Executable Commandline Options
Standalone executables have several additional settings that can be customized on the command line.
- /XCollisionCheck=false - Disables the sandbox collision check.
- /XDeleteSandbox=[path] - Deletes the sandbox rooted at the specified path.
- /XDisable=[setting] - Disables the specified VM setting.
- /XEnable=[setting] - Enables the specified VM setting.
- /XEntry=[path] - Specifies the path to the entry SVM.
- /XLayerPath=[path] - Specified the path to an additional SVM to be layered into the virtual environment.
- /XLogPath=[path] - Specifies the path where logs are to be stored. By default they are created in the same directory as the virtual .exe. The directory must exist before the application is executed or else the logs will not be written.
- /XRegRoot=[path] - Specifies the path where the registry sandbox is stored (ex: "@HKCU@\Software\TurboSandboxes"). Default is "HKCU\Software\Spoon\SandboxCache".
- /XSandboxPath=[path] - Specifies the path where the filesystem sandbox is to be stored. Default is defined in the entry SVM settings.
- /XShellEx=[path] - Specifies a path to a file which is shell executed on startup. This is used to override the startup file behavior that is built into the entry SVM. Path can use tokenized paths (ex: "@SYSTEM@\cmd.exe").
- /XShellExVerb=[verb] - Specifies the shell execute verb to use. Default is "open".
- /XSpawnVmExceptions=[exceptions] - Specifies a list of processes that are execptions to the SpawnVm setting. Processes are to include the extension and are semi-colon delimited (ex: "/XSpawnVmExceptions=regedit.exe;notepad.exe"). Must be accompanied by an explicit declaration of SpawnVm with either /XEnable or /XDisable or the exceptions will not be honored (to avoid ambiguity about meaning when there are layers with conflicting SpawnVm settings).