Categories
Design

How to use windows 10’s new sandbox (to safely test apps)

Josh Hendrickson has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smarthome enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code. Read more.

How to use windows 10’s new sandbox (to safely test apps)

Windows 10’s new Sandbox feature lets you safely test programs and files downloaded from the internet by running them in a secure container. It’s easy to use, but its settings are buried in a text-based configuration file.

Windows Sandbox Is Easy to Use If You Have It

This feature is part of Windows 10’s May 2019 Update. Once you’ve installed the update, you’ll also have to be using the Professional, Enterprise, or Education editions of Windows 10. It isn’t available on Windows 10 Home. But, if it is available on your system, you can easily activate the Sandbox feature and then launch it from the Start menu.

Sandbox will launch, make a copy of your current Windows operating system, remove access to your personal folders, and give you a clean Windows desktop with internet access. Before Microsoft added this configuration file, you couldn’t customize Sandbox at all. If you didn’t want internet access, you normally had to disable it right after launch. If you needed access to files on your host system, you had to copy and paste them into Sandbox. And, if you wanted particular third-party programs installed, you had to install them after launching Sandbox.

Because Windows Sandbox deletes its instance entirely when close it, you had to go through that process of customization every time you launch. On the one hand, that makes for a more secure system. If something goes wrong, close the Sandbox, and everything gets deleted. On the other hand, if you need to make changes regularly, having to do this on every launch gets frustrating quickly.

To alleviate that issue, Microsoft introduced a configuration feature for Windows Sandbox. Using XML files, you can launch Windows Sandbox with set parameters. You can tighten or loosen the sandbox’s restrictions. For example, you can disable the internet connection, configure shared folders with your host copy of Windows 10, or run a script to install applications. The options are a bit limited in the first release of the Sandbox feature, but Microsoft will probably add more in future updates to Windows 10.

How to Configure Windows Sandbox

This guide assumes you have already set up Sandbox for general use. If you haven’t done yet, you’ll need to enable it first with the Windows Features dialog.

To get started, you’ll need Notepad or your favorite text editor—we like Notepad++—and a blank new file. You’ll be creating an XML file for configuration. While familiarity with the XML coding language is helpful, it’s not necessary. Once you have your file in place, you’ll save it with a .wsb extension (think Windows Sand Box.) Double-clicking the file will launch Sandbox with the specified configuration.

As explained by Microsoft, you have several options to choose from when configuring the Sandbox. You can enable or disable the vGPU (virtualized GPU), toggle the network on or off, specify a shared host folder, set read/write permissions on that folder, or run a script on launch.

Using this configuration file, you can disable the virtualized GPU (it’s enabled by default), toggle the network off (it’s on by default), specify a shared host folder (sandboxed apps don’t have access to any by default), set read/write permissions on that folder, and/or run a script at launch

First, open Notepad or your favorite text editor and start with a new text file. Add the following text:

All the options you’ll add must be between these two parameters. You can add just one option or all of them—you don’t have to include every single one. If you don’t specify an option, the default will be used.

How to use windows 10’s new sandbox (to safely test apps)” width=”650″ height=”300″ src=”https://www.howtogeek.com/pagespeed_static/1.JiBnMqyl6S.gif” onload=”pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);” onerror=”this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);”/>

How to Disable the Virtual GPU or Networking

As Microsoft points out, having the virtual GPU or Networking enabled increases the avenues malicious software can use to break out of the sandbox. So if you’re testing something you’re particularly worried about, it might be wise to disable them.

To disable the virtual GPU, which is enabled by default, add the following text to your configuration file.

How to use windows 10’s new sandbox (to safely test apps)

To disable network access, which is enabled by default, add the following text.

How to use windows 10’s new sandbox (to safely test apps)

How to Map a Folder

To map a folder you’ll need to detail out exactly what folder you want to share, and then specify whether the folder should be read-only or not.

Mapping a folder looks like this:

HostFolder is where you list the specific folder you’d like to share. In the above example, the Public Download folder found on Windows systems is being shared. ReadOnly sets whether Sandbox can write to the folder or not. Set it to true to make the folder read-only or false to make it writable.

Just be aware, you’re essentially introducing risk to your system by linking a folder between your host and Windows Sandbox. Giving Sandbox write access increases that risk. If you’re testing anything you think may be malicious, you shouldn’t use this option.

How to Run a Script at Launch

Finally, you can run custom created scripts or basic commands. You could, for instance, force the Sandbox to open a mapped folder upon launch. Creating that file would look like this:

WDAGUtilityAccount is the default user for Windows Sandbox, so you’ll always reference that when opening folders or files as part of a command.

Unfortunately, in the near-release build of Windows 10’s May 2019 Update, the LogonCommand option does not appear to be working as intended. It didn’t do anything at all, even when we used the example in Microsoft’s documentation. Microsoft will likely fix this bug soon.

How to use windows 10’s new sandbox (to safely test apps)

How to Launch Sandbox With Your Settings

After you’re done, save your file and give it a .wsb file extension. For example, if your text editor saves it as Sandbox.txt, save it as Sandbox.wsb. To launch the Windows Sandbox with your settings, double-click the .wsb file. You can place it on your desktop or create a shortcut to it in the Start menu.

How to use windows 10’s new sandbox (to safely test apps)

For your convenience, you can download this DisabledNetwork file to save you a few steps. The file has a txt extension, rename it with a .wsb file extension, and you’re ready to launch Windows Sandbox.

Lawrence Abrams
  • May 24, 2019
  • 03:39 AM
  • 0

How to use windows 10’s new sandbox (to safely test apps)

One of the more interesting features of Windows 10 version 1903, otherwise known as the May 2019 Update, is the Windows Sandbox. The Windows Sandbox is a Windows 10 virtual machine that can be quickly launched so you can test downloaded programs,browsers extensions, and suspect sites without risk of infecting your normal Windows operating system.

For those who are security conscious and do not want to deal with installing a dedicated virtual machine program like VirtualBox, Hyper-V, or VMWare, you can instead install Windows Sandbox for a very basic Windows 10 virtual machine.

While this feature brings terrific functionality to those who do not want to deal with a dedicated machine to test program, it could be improved, which we will discuss at the end of the article..

Before installing the Windows Sandbox, it is important to note that enabling the Sandbox will also enable Hyper-V, which makes it so VMWare and VirtualBox cannot run on the computer until it is uninstalled.

Installing the Windows Sandbox

Before you can install the Windows Sandbox, you first need to make sure your computer meets certain requirements. These are:

  • Windows 10 Pro or Enterprise build 1903 or later. There are ways to get it installed on Windows 10 Home, but those require a little extra work, which will not be covered in this article.
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

To install Windows Sandbox, simply follow these steps:

  1. Make sure you are using Windows 10 Pro or or Enterprise running version 1903 or later.
  2. Make sure CPU’s virtualization is enabled in the computer’s BIOS.
  3. Click the Start button and search for Windows Features. When it appears in the search results, click on the Turn Windows features on or off control panel result.

How to use windows 10’s new sandbox (to safely test apps)

Open Windows Features Control Panel
When the Windows Features control panel opens, scroll down and put a check in the box next to Windows Sandbox and then press the OK button.

How to use windows 10’s new sandbox (to safely test apps)

Add Windows Sandbox Feature

  • After it has finished installing, Windows my ask you to reboot. Please allow it to do so.
  • The Windows Sandbox is now installed.

    Using the Windows Sandbox

    To use the Windows Sandbox, click on the Start button and search for Windows Sandbox. When it appears in the search results, click on it to launch the program.

    When the Windows Sandbox loads for the first time, it may take a bit longer than normal as it generates the Windows 10 image it will use for the virtual machine. Once loaded, you will be presented with a Window that contains a fully functional base Windows 10 installation as shown below.

    With the Windows Sandbox running, you can easily transfer files that you want to be tested or copy text to and from its clipboard. To transfer a file from your main Windows operating system (the Host), simply right-click on a file you want to transfer and select Copy.

    Now, go in the Windows Sandbox (the Guest) and right-click on the desktop and click on Paste to transfer the file from your Host.

    Transferring text between the Host machine and the Guest sandbox is easy as well, just copy text into the clipboard from either the main OS or the Sandbox and paste it into the other.

    As an example of how the Windows Sandbox could be used, I just visited a site that stated I needed a Adobe Flash Player update. It looked a little fishy, so instead of running it on my main machine, I can fire up the Windows Sandbox and transfer the file there to test it.

    I was lucky, because as you can see, this sure looks like an adware bundle rather than a Flash Player Update and is not something I would want to run on my normal computer. That’s because adware bundles have started to commonly install malware such as ransomware, miners, and password-stealing Trojans.

    The good news is that anything you try out in the Windows Sandbox has no effect on your normal computer. So you can just try any program you download, malware or otherwise, or visit a web site and close the Sandbox when done with nothing to fear.

    The next time you start it again, the Sandbox will be reset back to its default state so you can test more programs.

    The Windows Sandbox is great, but could be better

    Let me start out by saying I love the Windows Sandbox.

    It is very easy to use, it allows users to quickly get a Windows 10 virtual machine up and running, and is accessible to users of all skill levels. This makes it very easy to test programs you download from the web or web browser extensions.

    My only gripe is that it could be even better if we could easily use it to test malicious Office email attachments.

    Malicious Word and Excel email attachments have become a very common method used to distribute malware such as ransomware, banking trojans, password-stealing Trojans, backdoors, downloaders, miners, and more.

    Unfortunately, the Windows Sandbox only consists of a base operating system and no additional applications. This makes it impossible to test malicious Office documents such as Word and Excel documents without installing Office into the sandbox.

    As the virtual machine is reset back to the default base image every time you close it, it can be a real pain if you want to use the Windows Sandbox to test email attachments.

    It would be great if Microsoft included some way of testing malicious attachments. With that feature added, the Windows Sandbox would be incredibly useful for all users.

    One other concern I have is that the Windows Sandbox can read the contents of your Host operating system’s clipboard. This means that if your Host has a password, or other sensitive information, saved to the clipboard, anything you run in the Sandbox will be able to access it.

    To fix this, it would be nice if we had easy controls to control how clipboard data is transferred.

    Mayank Parmar
    • October 13, 2019
    • 12:10 PM
    • 0

    How to use windows 10’s new sandbox (to safely test apps)

    Windows 10 May 2019 Update (version 1903) included a new feature called the Windows Sandbox that allows you to safely run applications in isolation from the rest of the operating system.

    When you launch the Windows Sandbox, it will fire up an isolated lightweight desktop environment that is separate from your main Windows install, and all the software with its associated files are permanently deleted when you leave the session or close the Sandbox window..

    This means you can run untrusted software, scripts, malicious files and adware without the fear of impacting your normal Windows installation.

    In order to make it more useful for users, Microsoft allows you to specify create configuration files that modify the functionality of the Sandbox.

    In this guide we will explain how to create a configuration file and then use it to launch the Windows Sandbox.

    Create Windows Sandbox configuration file (.wsb)

    To create a Windows Sandbox configuration file, you will use a text editor such as Notepad to enter the configuration options, or directives, you wish to use and then save that file with the .wsb extension.

    When creating Windows Sandbox config files, you can make as many as you want and save them under descriptive names so that you know what tasks they perform. You can then launch the Windows Sandbox using a specific configuration file by double-clicking on the .wsb configuration file.

    For example, you can see a folder of different Windows Sandbox configuration files below, with each performing a different task.

    To create a Windows Sandbox configuration files, you would do the following:

    1. Open Notepad.
    2. Enter your configuration options.
    3. Save the file as a .wsb file.

    When saving the file, you can it any name, such as mapped-malware-folder.wsb, but it must end with a .wsb extension.

    When creating a configuration file, the file must start with the tag and end with . Between these two tags, we will add our various configuration directives.

    The following sections will introduce you to the various configuration options that we can use in a Windows Sandbox file. Then we will wrap it up all together into a configuration file that disables network but still allows you to transfer files through a mapped folder.

    Enable or disable networking

    When testing a malware sample, the infection may contact a remote host or perform some other unwanted network behavior. Therefore, it may be useful to disable networking in the Windows Sandbox.

    To do this, we use the Networking directive as shown below.

    When using this directive, we can enter two values; Disable to disable networking and Default to enable it.

    Enable or disable the vGPU

    The Windows Sandbox by default will use a virtual hardware GPU in order to increase performance.

    If you wish to use software rendering instead, you can disable the vGPU by using the following configuration directive.

    This options supports the Disable value, which disables the vGPU, or Default, which enables it.

    For the majority of users, the vGPU should not be disabled as software rendering will be much slower.

    Map a folder for transferring files

    The Windows Sandbox allows you to map folders from your Host Windows (your normal Windows installation) so that they are accessible in the Sandbox.

    To do this, you need to use the MappedFolder directive to specify the folder on the host you wish to make accessible in the Windows Sandbox.

    This directive is as follows:

    The ReadOnly value can be set to True or False. If set to true, then files cannot be modified in the folder from the Sandbox. If you set it to false, though, then the Sandbox can modify these files.

    As an example, if you wanted to share the D:\Programs folder so that you can access its contents file in the Sandbox, but not modify them, you would use the following directive.

    When these folders are shared in the Sandbox, they will be located on the Desktop under the C:\users\WDAGUtilityAccount\Desktop folder.

    It should be noted that if you map a folder from the Host to the Sandbox and set ReadOnly to false, then those files can be modified by any programs running in the Sandbox.

    LogonCommand

    The Windows Sandbox also supports the ability to automatically execute a command when the Sandbox is started using the directive.

    For example, if you wanted to automatically open File Explorer after the Windows Sandbox starts, you can use the following directive.

    Putting it all together with a sample configuration file

    Now that we know all of the directives that we can use in a Windows Sandbox configuration file, let’s create a sample to illustrate how we can use them.

    Let’s say you are using the Windows Sandbox to test files that you think may be malware. These files are stored on your Windows computer under the C:\Malware-Samples folder and you want the folder to be available in the Sandbox.

    At the same time, you are concerned that the samples may make malicious networking calls, so we want to disable networking when using them.

    Finally, we want the shared Malware-Samples folder to open automatically when you launch the Sandbox.

    To do this, we create the following configuration file that shares the C:\Malware-Samples folder with the Sandbox, disables networking, and then automatically opens the Malware-Samples folder in the Sandbox.

    As you can see, using a Windows Sandbox configuration file makes the feature much more useful and able to be customized for a variety of purposes.

    In the future, we hope Microsoft continues to expand on the configuration that can be added so that this feature can be even more useful.

    [dropcap]L[/dropcap]et’s have a 10 of the Best Sandbox Applications for Windows 10 that you can use for a security purpose to check all the vulnerabilities and these apps are known for their security purposes. So have a look at the complete guide below.

    Windows is a popular operating system that is used by millions of users on their devices. The abundance of apps available for this OS makes it more insane. The users are capable of downloading the different apps on their Windows through the Windows App Store or either they could get the app package from any other source too. Windows store could be considered safe for the downloads as it is the official market handled by will based team, but not every third-party source could be secure enough. Issues like stick malware, viruses, and much other malicious content could transfer to the device with the download package of apps.

    Sandbox is the solution to prevent the device from those malicious content that could be grasped together with Third party app installation setups. This generally creates a virtual environment for the testing of apps before their actual installment to the device itself. This virtual environment is totally secured with the defense walls that does not allow any kind of malware or viruses etc to enter to the device. There are a number of Sandbox apps available for the Windows 10 but only some of them are really good enough. We have listed the best sandbox apps in this article so as to help users go for the perfect one. Just read this article to know about that sandbox apps!

    10 of the Best Sandbox Applications for Windows 10

    Below we had selected some of the best apps according to their download rate, user ratings and some of my personal experience with these apps. So have a look at these apps below.

    #1 Sandboxie

    This free, as well as paid app, is immensely popular among the users due to its Virtual protection capabilities. Through this app, almost any app could be sandboxed! The free version of this app comes with limited features while the paid app unlocks the whole value of this amazing app.

    #2 SHADE Sandbox

    This is the another good sandbox app for the Windows. The major factor of this app that makes it must be acquired is its simple and minimal design as well as user interface. This app is incredibly easy to work on, the users just need to drag and drop the apps inside this software and it will be put into the sandbox container as soon. The quality of this tool is reliable and the users can actually see the results.

    #3 Toolwiz Time Freeze

    This is a kind of sandbox app but it is best usually for testing the apps rather running them inside the virtual environment. This app is best for users who want to highly test the stability, quality and other factors of the apps without the need to install them on the host OS.

    #4 Shadow Defender

    Alike to all other apps stated above this is the similar type of sandbox app that works in the same way. Through this app, the users can select any drive on their device to be mirrored for the virtual environment. Any changes made to the virtual environment gets abolished soon after the restart of the device. The changes users wish to keep could be embedded to the drive through using the various options!

    #5 Create a Virtual Machine

    The name of this app would be enough to describe its functions. As this app is listed in this best list so we have to describe the reason for that. This app can turn the preinstalled system apps to run inside the virtual environment while the changes made would fade away after shutting down this app. This app is capable of making the whole device turn into the virtual environment!

    #6 Turbo.net

    Turbo.net is more like a lightweight virtual machine which runs on the top of your operating system. Basically, Turbo.net is a virtual machine which is developed by turbo and it isolates the entire process so the sandboxed apps never interact with the host files.

    #7 BitBox

    Well, BitBox is a little bit different compared to all other listed above. The great thing about BitBox is that it allows users to browse the internet using a secure sandbox environment. Bitbox is more like a web browser which is installed on a copy of Virtualbox. However, since the tool runs on a Virtual environment, it consumes lots of resources.

    #8 BufferZone

    Well, if you are looking for an advanced sandbox solution, then Bufferzone might be a great choice for you. It allows the creation of virtual spaces and you can allocate those spaces to perform different activities. For example, you can create a space for accessing emails, open files, etc.

    #9 VoodooShield

    Well, VoodooShield is more like a security program rather than a Sandbox app. However, VoodooShield shares some sandbox features which could help you secure your computer. Instead of scanning your computer for malicious files, VoodooShield locks your computer and notifies users when it detects an unknown process. So, once your PC is locked, you can only execute apps or process that you have specifically whitelisted.

    #10 Shadow Defender

    Shadow Defender is another best security and privacy protection tool on the list which works in a different manner. The app allows users to run their system safely in a virtual environment, or sandbox. Shadow Defender offers a sandbox feature known as ‘Shadow Mode’ which allows users to run everything in a virtual environment rather than a real environment.

    So these are the best Sandbox apps that all could be used potentially to prevent the Windows 10 from any threatening content. We hope that you liked this list of best Sandbox apps. Share your opinions regarding the article through the comments section below. And if you think that any app is missing out of this list then also you can tell us about those apps!

    Co-workers often forward me emails when they are unsure if it is a valid email or something malicious. As one of the IT managers, I need to evaluate these emails in a safe environment. The tool I use for this is Windows Sandbox.

    Windows Sandbox was added as a feature to Windows 10 with the May 2019 Update (version 1903). Every time you start Sandbox, it creates a Virtual Machine with a clean install of Windows 10. When you shut it down, the image is erased. This makes it an ideal environment for testing untrusted applications, links, and emails.

    To enable Windows Sandbox, first make sure you have the minimum requirements:

    • Windows 10 Pro or Enterprise, version 1903.
    • Hardware virtualization enabled in your BIOS
    • At least 2 CPU cores
    • 4 GB of memory
    • 1 GB of available disk space

    Once the minimum requirements are met, click Start, then find ‘Turn Windows Features On or Off”. Select the Windows Sandbox feature and click Ok. Reboot when prompted.

    How to use windows 10’s new sandbox (to safely test apps)

    To use Windows Sandbox, click Start, search for the Windows Sandbox icon and click on it. A new VM will start. Depending on your hardware, it will take between a few seconds and a minute or two.

    For testing emails, I use the included Microsoft Edge browser to open Outlook Web Access. Then I can access the questionable email and evaluate it. If there’s a link involved, I can open the link without fear of lasting virus infections. In many cases, they are phishing emails that lead to fake login screens. Once I see such a login screen, I can confirm that the email is not legitimate and let the end-user know. Make sure not to enter any credentials beyond your initial OWAW login.

    You can also copy & paste files (but not drag/drop) from your physical machine into the Sandbox VM. This makes it easy to test questionable software applications. You could even install your preferred anti-virus application in the Sandbox for testing websites or applications.

    Once you are done testing within the VM, click the top right X to close it. Lastly, click Ok in the confirmation window, and the VM will be permanently erased.

    How to use windows 10’s new sandbox (to safely test apps)

    Learn more about Tallan or see us in person at one of our many Events!

    A sandbox environment is any non-production environment of Microsoft Dataverse. Isolated from production, a sandbox environment is the place to safely develop and test application changes with low risk.

    View your sandbox environments

    Manage your sandbox environments from the Power Platform admin center.

    Go to https://admin.powerplatform.microsoft.com/, and sign in using Environment Admin or System Administrator role credentials.

    Open the Environments page. Select the Type tab to sort by environment type.

    How to use windows 10’s new sandbox (to safely test apps)

    Create a sandbox environment

    Change a production environment to sandbox

    Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin (Service admin, Global admin, or Delegated admin).

    From the left-side menu, select Environments, and then select a production environment.

    Select Edit

    How to use windows 10’s new sandbox (to safely test apps)

    Under Type, choose the sandbox environment type.

    How to use windows 10’s new sandbox (to safely test apps)

    Select Save.

    Reset a sandbox environment

    Reset a sandbox environment to delete and reprovision it. Consider a reset when you want to:

    • Create a new project
    • Free up storage space
    • Remove an environment containing personal data
    • You can only reset sandbox environments.
    • A reset will permanently delete environment components such as canvas apps, flows, custom connectors, and connections.

    An example scenario

    Thomas is looking at the storage consumed by the various Contoso environments. He is getting concerned that they’ll run out of space in one of their production environments. Thomas also wants to free up some space so that he can give the production environment some extra storage. He’s also been notified that the Legal department has a retention policy regarding the use of production data in test environments.

    After contacting Elisa, Thomas resets the Sales department’s complete sandbox environment. The environment has been reprovisioned to factory settings. It’s now ready for future use as a sandbox environment for a future project.

    To reset an environment

    Go to the Power Platform admin center and sign in using Environment Admin or System Administrator role credentials.

    From the left-side menu, select Environments, and then select an environment to reset.

    Select Reset from the top menu bar.

    How to use windows 10’s new sandbox (to safely test apps)

    On the Reset environment page, adjust the environment settings as needed and understand the following consequences:

    • The sandbox environment will be deleted and reset to factory settings. You will not be able to recover any data that was previously in the environment.
    • When you reset an environment, the security group specified on the Reset environment page will be applied. If a security group isn’t specified during the reset, no security group will be assigned to the environment after the reset is completed. Any existing security group configured before the reset is performed will no longer be applied to the environment. More information: Control user access to environments: security groups and licenses

    Select Reset, and then select Confirm to reset the selected environment.

    The reset process starts.

    How to use windows 10’s new sandbox (to safely test apps)

    Administration mode

    When you place a sandbox environment in administration mode, only users with System Administrator or System Customizer security roles are able to sign in to that environment.

    Administration mode is useful when you want to make operational changes and not have regular users affect your work, and not have your work affect regular users.

      tutorial by Codrut Neagu published on 06.17.2020

    How to use windows 10’s new sandbox (to safely test apps)

    Windows Sandbox is a virtualized environment similar to a virtual machine that’s available in Windows 10 Pro și Enterprise. You can use it to test apps that you’re not sure are safe, visit untrustworthy websites, and generally do things that you fear might compromise your main system. Up until May 2020 Update, you couldn’t personalize the Windows Sandbox in any way. Now you can, as Microsoft lets you create and use scripts that can alter the way Windows Sandbox works. Here’s how to do it:

    NOTE: Before you can customize how Windows Sandbox works on your PC, you must first install it. If you need help with that, read How to install Windows Sandbox in Windows 10 in three steps. Also, if you’re wondering how Windows Sandbox might be useful to you, here are a few ideas: 4 things you can do with Windows Sandbox. Furthermore, keep in mind that this guide only applies to Windows Sandbox in Windows 10 with May 2020 Update, Pro or Enterprise editions. It is not available in Windows 10 Home.

    How to configure Windows Sandbox

    In order to customize Windows Sandbox or automatically run apps and scripts when you launch it, you have to create a configuration file. To do that, you can use Notepad or any other text processor application to write code for Windows Sandbox. Every configuration file that you create for Windows Sandbox must start with the line and end with the line . All the other code that you’re going to add must be placed between these lines of code.

    Once you’ve created the configuration file and finished adding all the code to it, you have to save it using the file extension .wsb.

    Then, you can double-click or double-tap on the .wsb file to launch your personalized Windows Sandbox.

    Now let’s see what code and scripts you can use for Windows Sandbox:

    How to share folders with Windows Sandbox

    Windows Sandbox can map folders from the host. In other words, you can make your Windows Sandbox “see” folders found on your Windows 10 PC. To do that, in the .wsb file that you created with Notepad, add the following code:

    Folder shared with Windows Sandbox

    You can add as many folders to share as you want: just make sure to put their paths between the tags. Also, for each folder that you add to the list, you can specify whether you want Windows Sandbox to have read-only access to it. For that, add the code true after it. If you want Windows Sandbox to have write-access to that folder, add the code false after it. However, remember that this makes the files and folders from the shared folder available to the apps you run in Windows Sandbox. In other words, those apps can change your files, which you might not want.

    For example, if you want your Windows Sandbox to have access to your Downloads folder, type:

    Make sure to change UserName with the name of your Windows 10 user account.

    Then, when you run Windows Sandbox using this .wsb configuration file, all the shared folders are instantly available on the desktop or at this location: C:\Users\WDAGUtilityAccount\Desktop.

    How to automatically run an app or script in Windows Sandbox

    Windows Sandbox also lets you run an app (executable file) or a script immediately after launch. To do that, in the .wsb configuration file, you have to add this code:

    Command to run at startup

    The command can be the path to any executable file or script that’s available inside the Windows Sandbox. That means that you can, for example, automatically open File Explorer, Notepad, or other system apps. If you want, you can run even an app that’s found in a shared folder (as illustrated in the previous section of this guide).

    Here’s an example of a Windows Sandbox configuration file that automatically opens File Explorer on launch:

    And here’s an example of a Windows Sandbox configuration file that maps the Downloads host folder and automatically runs an executable file from it:

    In the last example, this is what we get when launching Windows Sandbox:

    NOTE: If you specify a path to a command, executable, or script file that doesn’t exist, Windows Sandbox returns an error and stops when you try to open it. Also, while experimenting with this feature, we did not manage to automatically run any executable files that required administrative permissions and triggered UAC prompts, such as Command Prompt.

    How to enable or disable the network in Windows Sandbox

    If you don’t want Windows Sandbox to be able to access your network and the internet, in the .wsb configuration file, add the following line of code: Disable .

    This disables the networking services for Windows Sandbox, as you can see in the screenshot below.

    In case you want the network to be accessible, either delete the Disable line from the configuration file or change the Disable value to Default: Default .

    How to enable or disable the virtual graphics processing unit in Windows Sandbox

    Similarly, Windows Sandbox also lets you disable the virtual graphics hardware rendering engine. In other words, Windows Sandbox shares your graphics card with Windows 10 on your PC by default. However, you can disable this feature and force Windows Sandbox to use software rendering, so that you don’t expose your GPU. Although this makes Windows Sandbox run slower, in some situations, it might be useful. To disable vGPU support in Windows Sandbox, in the .wsb config file, add this code: Disable .

    To enable the GPU sharing in Windows Sandbox, delete the Disable line from the .wsb configuration file or set its value to Default: Default .

    What other features would you like to see in Windows Sandbox?

    Although configuring how Windows Sandbox works is something you can do now, it still feels like it’s just in an early state. We would also like to see Microsoft add options for automatically connecting USB devices directly to the Windows Sandbox. We’re sure you have other cool ideas too. Tell us what other features you would like Windows Sandbox to have: comment below and let’s discuss.

    Many people have asked “You just announced that Linux distro’s are coming to the Windows Store – will they run on Windows 10 S?”

    The answer is No!

    Just because an “app” comes from the Windows Store does NOT automatically mean that it’s safe & suitable for running in Windows 10 S. There are some apps that are not allowed to run on Windows 10 S, including all command-line apps, shells and Consoles.

    Read on for more background & info…

    What is Windows 10 S?

    A couple of weeks ago, Microsoft announced Windows 10 S – a new SKU of Windows which is “Streamlined for security and superior performance“.

    Windows 10 S is primarily aimed at non-technical users – teachers & grade-school children, non-technical students, content creators, artists, etc. – people who don’t typically want to spend time & effort futzing with their PC – people who just expect their computer to work safely, quickly, reliably and efficiently.

    To deliver this experience, Windows 10 S users can only install apps from the Windows Store. This enables Microsoft to help ensure a safe, predictable, easy-to-use experience by preventing malicious and/or inefficient apps from getting onto users’ machines and wreaking havoc with their data and resources.

    Windows 10 S is not well-suited for many app developers/hackers, admins & IT pro’s!

    • App developers often need to use tools that have access to low-level features of the local machine, e.g. debuggers, registry access, filesystem access, hardware access, etc.
    • Admins & IT Pro’s need to write and run scripts & tools that deploy apps, configure users’ accounts, modify security settings, configure firewalls & anti-malware systems, etc.

    These needs are not well met by an operating system that has been deliberately constrained to prevent just these types of apps and tasks from running!

    This said, Windows 10 S can be used for building code that runs elsewhere – on the web, on IoT devices, on a remote VM via ssh, etc. Such scenarios don’t require the user access/modify a local machine’s system, settings/registry, filesystem, etc. And of specific interest to readers of this blog, Windows 10 S does not run command-line applications, nor the Windows Console, Cmd / PowerShell, or Linux/Bash/WSL instances since command-line apps run outside the safe environment that protects Windows 10 S from malicious / misbehaving software:

    Windows 10 S primarily runs apps downloaded & installed via the Windows Store.

    Modern Universal Windows Platform (UWP) store apps run within a secure & constrained sandbox, with explicitly controlled access to system resources, devices, and capabilities like file storage devices, cameras, ability to run in the background, etc.

    Another class of Windows Store app, called Desktop Bridge (or “Centennial”) apps, are given much broader access to the OS. However, Desktop Bridge apps are only published by organizations which have a direct engagement with Microsoft, and which have been vetted and are well supported by the publisher. Examples of Desktop Bridge apps include Evernote, Arduino IDE, doubleTwist, PhotoScape, Virtual Robotics Kit, etc.

    Linux distro store packages are an exotic type of app package that are published to the Windows Store by known partners. Users find and install distros , safely, quickly, and reliably via the Windows Store app.

    Once installed, however, distro’s should be treated as command-line tools that run outside the UWP sandbox & secure runtime infrastructure. They run with the capabilities granted to the local user – in the same way as Cmd and PowerShell do.

    This is why Linux distro’s don’t run on Windows 10 S: Even though they’re delivered via the Windows Store, and installed as standard UWP APPX’s, they run as non-UWP command-line tools and this can access more of a system than a UWP can.

    So what should I use?

    If you want to run all your dev tools, distros, shells, etc. on a machine running Windows 10 S – like the sweeet new Surface Laptop – then upgrade it to full Windows 10 . You’ll then be able to run Linux distro’s, Cmd/PowerShell, install dev tools, debuggers, profilers, packet sniffers, etc.

    I hope this helps clear-up the question as to whether Windows 10 S – an operating system environment “Streamlined for security and superior performance” – can run Linux distro’s (and other command-line tools).

    How to use windows 10’s new sandbox (to safely test apps)

    Windows Sandbox is a new feature available beginning with the Windows 10 May 2019 Update (version 1903) designed to run untrusted applications inside a lightweight isolated environment running independently from your main installation.

    Technically, Windows Sandbox is a virtual machine created on demand using Microsoft’s hypervisor using the same OS image as the one on your machine. However, it’s a very lightweight environment of around 100MB, which has been optimized to boot and run faster, its focus is on security, and it works more efficiently using integrated kernel scheduler, virtual graphics, and smart memory management.

    Although you can create a virtual machine to accomplish a similar experience, there are some key benefits with Windows Sandbox. For instance, you don’t need to spend additional steps creating or downloading a virtual machine. Every time you launch the feature, it runs a new clean installation of Windows 10. When you finish testing an application and close Windows Sandbox, everything gets deleted automatically. Also, using virtualization isolates anything occurring inside the environment from your main installation offering maximum security to test untrusted applications.

    In this Windows 10 guide, we’ll walk you through the steps to enable and get started using the Windows Sandbox feature available with the May 2019 Update.