itchio / butler

🎩 Command-line itch.io helper


sandboxing breaks in Windows for non-admin users

AlsoBearPerson opened this issue · comments

Trying to use the "Enable itch.io sandbox" option of the itch.io launcher under Windows, from a non-admin user, won't work for me: it consistently fails with a rather uninformative "Sandbox check failed: The parameter is incorrect."

After some code digging, I believe I understand what's breaking here.
To set up the sandbox, we fork out something like "butler.exe --elevate fuji setup" which re-runs itself on administrator permissions before setting up the user.
smaug/fuji stores the credentials of this user in the registry under HKEY_CURRENT_USER/Software/itch/Sandbox.

Now, HKEY_CURRENT_USER is different between the two environments: In the elevated butler, it refers to the registry of the administrator user. In the normal butlerd, it refers to the registry of the normal user. So fuji successfully creates a user, but then stores its credentials in a place the normal butler can't reach.

As a manual workaround, you can run regedit (as administrator) and manually copy/move the relevant registry keys from the admin user's HKEY_USERS subtree to the normal user.

A proper fix may prove a little awkward: We'll have to teach smaug/fuji/credentials.go that it shouldn't use registry.CURRENT_USER but sometimes, in the elevated case, go into another user's tree instead. Which will require explicitly passing that user through --elevate, or detecting the elevated-from user automatically somehow?
Alternatively, we could either generate the credentials up front in the parent and pass them down (passwords on argv might be dodgy?) or have the child write them to stdout rather than to its registry...
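The manual workaround described in the report (copying the sandbox credentials from the admin account's hive under HKEY_USERS into the non-admin account's hive) can be scripted instead of done by hand in regedit. The script below is an added example, not butler's own code. It assumes it is run from an elevated PowerShell session under the same admin account that approved the UAC prompt for `butler --elevate fuji setup` (so that account's hive is loaded and its SID is the session's own SID), that the non-admin user is logged on (so their hive is loaded under HKEY_USERS), and that the key path is `Software\itch\Sandbox` as named above. The `-TargetUser` and `-RemoveSource` parameters and the `Get-AccountSid` helper are this example's own.

```powershell
# Added example (not part of butler): move the sandbox credentials written by an
# elevated "butler --elevate fuji setup" run from the admin account's hive to the
# non-admin account's hive, so the unelevated butler can find them.
# Run from an elevated PowerShell session under the admin account that approved
# the UAC prompt.
param(
    # Account that actually runs the itch app, e.g. "DESKTOP-1\alice".
    [Parameter(Mandatory = $true)]
    [string]$TargetUser,

    # Key path relative to the user hive; matches the path in the report above.
    [string]$SubKey = 'Software\itch\Sandbox',

    # Also delete the copy left in the admin hive once it has been moved.
    [switch]$RemoveSource
)

$ErrorActionPreference = 'Stop'

function Get-AccountSid([string]$Account) {
    # Resolve an account name to its SID string (S-1-5-21-...).
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# The elevated session runs as the admin whose HKEY_CURRENT_USER fuji wrote into.
$adminSid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$targetSid = Get-AccountSid $TargetUser

if ($adminSid -eq $targetSid) {
    throw "Target user is the same account as this elevated session; nothing to move."
}

$source     = "Registry::HKEY_USERS\$adminSid\$SubKey"
$destHive   = "Registry::HKEY_USERS\$targetSid"
$destParent = Join-Path $destHive (Split-Path $SubKey -Parent)
$destKey    = Join-Path $destHive $SubKey

if (-not (Test-Path $source)) {
    throw "No sandbox credentials at $source; was 'fuji setup' run from this admin account?"
}
if (-not (Test-Path $destHive)) {
    throw "Hive for $TargetUser ($targetSid) is not loaded; that user must be logged on."
}

# Create the parent key on the target side if needed, then copy the whole subtree.
# Copy-Item on the registry provider places the key as a subkey of -Destination.
New-Item -Path $destParent -Force | Out-Null
Copy-Item -Path $source -Destination $destParent -Recurse -Force

# Report value names only: the values hold the sandbox user's password, so keep
# them out of the console and out of transcripts.
$copied = (Get-Item $destKey).GetValueNames()
Write-Host "Copied $($copied.Count) value(s) to $destKey : $($copied -join ', ')"

if ($RemoveSource) {
    # Leaving a second copy of the credentials in the admin hive is unnecessary.
    Remove-Item -Path $source -Recurse -Force
    Write-Host "Removed $source"
}
```

Usage from the elevated session: `.\Move-ItchSandboxCreds.ps1 -TargetUser 'DESKTOP-1\alice' -RemoveSource`. Per-user hives under HKEY_USERS are readable only by that user, SYSTEM and Administrators by default, so the copied key keeps the same protection the original had in the admin hive.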

Thanks for the detailed report. I think you've identified the source of the problem accurately and the proposed fix seems acceptable.

I'm currently reworking the itch/butler interface to make butler a library, so I'm gonna have to rethink the sandboxing somewhat.

One thing that discourages me from spending more time working on the Windows sandbox is I'm not entirely sure it's even the right approach. Unlike the Linux and macOS sandboxes, it's just using another user profile. I would like to find a better approach.

I'll revisit this issue when I'm at the point where sandboxing is the only remaining issue with the new itch/butler interfacing.

I see where you're coming from. I'll see if I can come up with a quick elegant fix (can probably get the actual user from inspecting PPID in the elevated child) but if not, this can stay wonky until the rework.

Windows does have proper containers now, which seem tempting, but they may have licensing issues - also they seem very not-persistent, which won't help people's savegames.

Oh well. Worst case we'll solve it when we need to distill out a smaller "setup itch sandbox" binary for that pure library version.

Well, what's up with this now? It's been 4 years and the problem still persists.
Wouldn't it at least be possible to put out a guide on how to fix it manually?

As far as I understand, the user is created and its credentials are saved, only in the registry of the admin account that was used for creating the account, which Butler can't access once it drops back to the original, non-admin account.
Therefore it should be possible to edit the registry manually (I know that's dangerous xD) and move the sandbox user's credentials to the user you are actually running the launcher from, right?

Besides, I'd recommend maybe deactivating the sandbox by default for non-admin users and just prompting the user that it is deactivated and can't easily be activated while they are running the Itch App without admin privileges.

I can see most casual users getting easily frustrated with the error popping up, just saying: "An error occurred while launching ...: The parameter was incorrect", when they want to launch their games. And it's not easy finding an answer online either, if you don't know what you're looking for.

PS: I just realized, I might have turned on the sandbox feature myself long before I tried running a game from the launcher. If that's the case: My bad!
Still would be kinda cool if the setting had a warning: "Currently doesn't work on non-admin accounts" or something along those lines.