With the latest release of Windows 10 (1903), Microsoft introduced a new feature called Windows Sandbox. Windows Sandbox is based on Hyper-V technology and allows you to spin up an isolated, temporary, desktop environment where you can run untrusted software. In this blog post, I will show you how you can set up and configure Windows Sandbox in Windows 10. I will also cover how you can do an advanced configuration of your Windows Sandbox using Windows Sandbox config files.
The sandbox is great for demos, troubleshooting or if you are dealing with malware. If you close the sandbox, all the software with all its files and state is permanently deleted. It is a Windows 10 virtual machine, with the advantage that it is built into Windows 10, so it leverages the existing OS, which gives you faster startup, a smaller footprint, better efficiency and easier handling, without losing security.
Windows Sandbox is a lightweight virtual machine with an operating system. The significant advantage which makes it so small is the usage of existing files from the host, for data which cannot change. For the files which can change, it uses a dynamically generated image, which is only
There are much more exciting things happening with the Windows Sandbox like smart memory management, Integrated kernel scheduler, Snapshot and clone, Graphics virtualization and Battery pass-through. If you want to find out more about the Windows Sandbox, check out the official blog post.
Windows Sandbox comes with a couple of requirements. The more powerful your machine is, the better the experience will be.
- Windows 10 (1903) Pro or Enterprise build 18362 or later
- 64-bit architecture
- Virtualization capabilities enabled in BIOS
- At least 4GB of RAM (8GB recommended)
- 1GB of free disk space (SSD recommended)
- 2 CPU cores (4 cores with hyperthreading recommended)
To install the Windows Sandbox feature on Windows 10 (1903) or higher, you need to make sure that the virtualization capabilities are enabled in the BIOS/UEFI. Most desktop and notebook CPUs today support this. If you are running Windows 10 inside a virtual machine, you will need to enable nested virtualization. You can find more information about enabling Nested Virtualization on my blog: Nested Virtualization in Windows Server 2016 and Windows 10
Open Windows Features and select Windows Sandbox. After you click OK, it might require a reboot of your machine. You can also run the following PowerShell command:
Starting and using the Sandbox
After the installation and the reboot, you can start the Windows Sandbox from the Windows 10 start menu, shortcut on the desktop or just run WindowsSandbox.exe
You can now copy and paste a file from the host to the sandbox and run it in a secure environment.
Windows Sandbox Config Files
By default, Windows Sandbox spins up a default image. However, in many cases, you want to spin up a customized environment, with preinstalled tools or access to local files. For that, you can use config files which allow you to customize the sandbox during startup. The sandbox configuration files are formatted as XML and use the .wsb file extension. Today, there are four different settings you can configure for the Windows Sandbox.
- Enable or Disable the virtualized GPU.
- Enable or Disable network access
- Shared Folders – Share folders from the host with read or write access
- Startup Script – allows you to run different commands at startup
Here is a quick overview of the different settings you can use in the config files.
| Setting | Element | Values / child elements |
| --- | --- | --- |
| Virtual GPU | vGPU | Disable – disables vGPU; Default – vGPU enabled |
| Networking | Networking | Disable – disables networking; Default – networking enabled |
| Shared Folder | MappedFolder | HostFolder – path to the host folder |
| Startup Script | LogonCommand | Command – command which gets executed |
Example Config Files
To give you a better idea of how configuration files help you set up a Windows Sandbox, here are a couple of examples.
Here is one which mounts my local download folder read-only from my host into the sandbox.
This means my download folder (C:\Users\ThomasMaurer\Downloads) will be mounted in the desktop folder (C:\users\WDAGUtilityAccount\Desktop\Downloads) of the sandbox. With the command "explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads", it will directly open the download folder in an Explorer window.
The next example is from the official Microsoft blog about the Sandbox configuration files. It uses an additional installation script file to run commands that download and install the latest version of Visual Studio Code. For that, we mount a local folder and run a script file from the folder.
This example installs the Microsoft Edge Insider version inside the Windows Sandbox. I stored the MicrosoftEdgeSetup.exe in my download folder. In the config file, I mount the download folder and run the MicrosoftEdgeSetup.exe.
If you want to work with Sysinternals, you can also just easily mount the Sysinternals SMB share using the following config file.
You can also combine different tasks, depending on what you need. You can also use the mount option or the command option to download files. It depends on your scenario.
I stored all my configuration files in a folder, so if I want to start a specific configuration of my Windows Sandbox, I can double click the configuration file.
If you want to have more details on the sandbox configuration files, check out the blog post by Hari Pulapaka from the Windows Sandbox team.
It is excellent to see Hyper-V used in different features inside Windows 10, like Windows Defender Application Guard and others. I hope this helps you to set up and configure the Windows Sandbox and if you have any questions, please let me know in the comments.
April 24, 2019, 8:00am EDT
Windows 10’s new Sandbox feature lets you safely test programs and files downloaded from the internet by running them in a secure container. It’s easy to use, but its settings are buried in a text-based configuration file.
Windows Sandbox Is Easy to Use If You Have It
This feature is part of Windows 10’s May 2019 Update. Once you’ve installed the update, you’ll also have to be using the Professional, Enterprise, or Education editions of Windows 10. It isn’t available on Windows 10 Home. But, if it is available on your system, you can easily activate the Sandbox feature and then launch it from the Start menu.
Sandbox will launch, make a copy of your current Windows operating system, remove access to your personal folders, and give you a clean Windows desktop with internet access. Before Microsoft added this configuration file, you couldn’t customize Sandbox at all. If you didn’t want internet access, you normally had to disable it right after launch. If you needed access to files on your host system, you had to copy and paste them into Sandbox. And, if you wanted particular third-party programs installed, you had to install them after launching Sandbox.
Because Windows Sandbox deletes its instance entirely when you close it, you had to go through that process of customization every time you launched it. On the one hand, that makes for a more secure system. If something goes wrong, close the Sandbox, and everything gets deleted. On the other hand, if you need to make changes regularly, having to do this on every launch gets frustrating quickly.
To alleviate that issue, Microsoft introduced a configuration feature for Windows Sandbox. Using XML files, you can launch Windows Sandbox with set parameters. You can tighten or loosen the sandbox’s restrictions. For example, you can disable the internet connection, configure shared folders with your host copy of Windows 10, or run a script to install applications. The options are a bit limited in the first release of the Sandbox feature, but Microsoft will probably add more in future updates to Windows 10.
How to Configure Windows Sandbox
This guide assumes you have already set up Sandbox for general use. If you haven’t done so yet, you’ll need to enable it first with the Windows Features dialog.
To get started, you’ll need Notepad or your favorite text editor—we like Notepad++—and a blank new file. You’ll be creating an XML file for configuration. While familiarity with the XML coding language is helpful, it’s not necessary. Once you have your file in place, you’ll save it with a .wsb extension (think Windows Sand Box.) Double-clicking the file will launch Sandbox with the specified configuration.
As explained by Microsoft, you have several options to choose from when configuring the Sandbox. You can enable or disable the vGPU (virtualized GPU), toggle the network on or off, specify a shared host folder, set read/write permissions on that folder, or run a script on launch.
Using this configuration file, you can disable the virtualized GPU (it’s enabled by default), toggle the network off (it’s on by default), specify a shared host folder (sandboxed apps don’t have access to any by default), set read/write permissions on that folder, and/or run a script at launch.
First, open Notepad or your favorite text editor and start with a new text file. Add the following text:
All the options you’ll add must be placed between these two tags. You can add just one option or all of them—you don’t have to include every single one. If you don’t specify an option, the default will be used.
How to Disable the Virtual GPU or Networking
As Microsoft points out, having the virtual GPU or Networking enabled increases the avenues malicious software can use to break out of the sandbox. So if you’re testing something you’re particularly worried about, it might be wise to disable them.
To disable the virtual GPU, which is enabled by default, add the following text to your configuration file.
To disable network access, which is enabled by default, add the following text.
How to Map a Folder
To map a folder you’ll need to specify exactly which folder you want to share, and then whether the folder should be read-only or not.
Mapping a folder looks like this:
HostFolder is where you list the specific folder you’d like to share. In the above example, the Public Download folder found on Windows systems is being shared. ReadOnly sets whether Sandbox can write to the folder or not. Set it to true to make the folder read-only or false to make it writable.
Just be aware, you’re essentially introducing risk to your system by linking a folder between your host and Windows Sandbox. Giving Sandbox write access increases that risk. If you’re testing anything you think may be malicious, you shouldn’t use this option.
How to Run a Script at Launch
Finally, you can run custom created scripts or basic commands. You could, for instance, force the Sandbox to open a mapped folder upon launch. Creating that file would look like this:
WDAGUtilityAccount is the default user for Windows Sandbox, so you’ll always reference that when opening folders or files as part of a command.
Unfortunately, in the near-release build of Windows 10’s May 2019 Update, the LogonCommand option does not appear to be working as intended. It didn’t do anything at all, even when we used the example in Microsoft’s documentation. Microsoft will likely fix this bug soon.
How to Launch Sandbox With Your Settings
After you’re done, save your file and give it a .wsb file extension. For example, if your text editor saves it as Sandbox.txt, save it as Sandbox.wsb. To launch the Windows Sandbox with your settings, double-click the .wsb file. You can place it on your desktop or create a shortcut to it in the Start menu.
For your convenience, you can download this DisabledNetwork file to save you a few steps. The file has a .txt extension; rename it with a .wsb file extension, and you’re ready to launch Windows Sandbox.
- Configuration via four parameters
- Multiple configurations per sandbox
- Isolation in the network
- Data exchange via folders
- Running startup scripts
Windows Sandbox is based on Hyper-V, but does not require users to activate the hypervisor themselves. It is not necessary to install a guest operating system in the VM either; rather, it is generated automatically from the binaries of the host OS (see this article on the Windows Sandbox).
Configuration via four parameters
In addition to its simple management, Sandbox also has the advantage that no additional license is required (unlike for Windows in a regular VM). However, its limited customization options are a real disadvantage.
Whereas the first preview of the Sandbox did not provide any configuration at all, Windows 10 1903 now supports a few settings. These include the activation of the vGPU, the network, folders for data exchange with the host, and the execution of programs and scripts at startup.
Multiple configurations per sandbox
You can start Windows Sandbox immediately by double-clicking on the XML files with the extension .wsb. Users can store several configurations for different requirements in separate .wsb files. However, you can only execute one instance of Windows Sandbox at a time.
The sandbox can be customized via configuration files in XML format
Windows 10 does not provide tools for editing the sandbox configuration, so users must create and edit the XML structure themselves. The PowerShell-based Sandbox Editor, which can be downloaded from Microsoft’s TechNet Gallery, addresses this issue.
Isolation in the network
The relatively simple tool reflects the four parameters with which the sandbox can be configured. Its use is self-explanatory. However, the individual settings require further explanation.
Network and vGPU configuration for the Windows Sandbox
For example, setting the sandbox’s networking status to “Enabled” does not give the sandbox full access to the local network, nor does it make the sandbox reachable from the network. It provides a connection to the internet, but the computers in the local network remain invisible. Setting the sandbox to
Data exchange via folders
If the network is switched off, the only connection with the outside world is the exchange of data with the host. For this purpose, you can define directories on the host OS, which are then displayed on the desktop of the sandbox. You can choose to allow Read-only or Write access.
The host folders are displayed on the sandbox desktop
Some tutorials warn that Write access to transfer directories will allow malware to spread to the host. This cannot be denied, but the restriction to Read-only is of limited help as long as unhindered data exchange via Copy/Paste over RDP is possible. This cannot be deactivated via sandbox configuration.
Folders for data exchange between guest and host can be shared with Read or Write access
The effects are relatively clear when the vGPU is switched off. This eliminates the hardware support for Direct3D graphics operations and the sandbox uses the Advanced Rasterization Platform (WARP) instead.
Running startup scripts
The last of the four settings allows you to specify programs or scripts to run when the sandbox starts. Since the sandbox discards all changes on exit and starts up with a fresh copy of Windows every time, this option allows you to customize the isolated environment to some extent.
In many cases, this will result in inserting or updating registry keys, for example to change the most common settings for File Explorer. By default, it hides file extensions, which you usually do not want. For this purpose, you could run a script like the one from the TechNet Gallery.
Please keep in mind that the PowerShell execution policy in the sandbox does not allow the execution of scripts. The Sandbox Editor solves this problem by compiling a call to PowerShell.exe with the appropriate value for the ExecutionPolicy parameter.
The Sandbox Editor automatically creates the command line for PowerShell scripts
The script itself must be stored in a directory on the host and shared for data exchange. You must enable sharing on the exchange folder yourself, since the Sandbox Editor only generates the command line, regardless of whether the script is accessible from the sandbox or not.
Programs and scripts can be started from a mapped folder
Whether the script really works seems a matter of luck, and the reasons for failure are hard to find due to the limited resources in this environment. To make the overall process more transparent, it is recommended to compile the PowerShell script into an .exe. If necessary, you can run a compiled script manually after starting the sandbox without much effort.
In addition, the sandbox refuses to run PowerShell on some machines and offers a misleading error message about a missing .NET Framework. However, KB4495620, which is cited in Microsoft forums as the reason for this error, is not the cause.
PowerShell often fails to run and shows a misleading error message
The Windows Sandbox is based on an interesting concept. However, in its current state, it is immature and does not even have a tool to edit the configuration. The Sandbox Editor bridges this gap, even if it is only a rudimentary program.
The customization of the sandbox based on just four settings is very limited. One major drawback is that RDP access to the guest console cannot be configured at all.
Theoretically you can change the appearance of Windows in the VM via a startup script if you want to make the effort. But the sandbox by itself should allow you to specify folder settings, font sizes, or other preferences. Hopefully, Microsoft will improve this in a future version.
Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains “sandboxed” and runs separately from the host machine.
A sandbox is temporary. When it’s closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.
Software and applications installed on the host aren’t directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
Windows Sandbox has the following properties:
- Part of Windows: Everything required for this feature is included in Windows 10 Pro and Enterprise. There’s no need to download a VHD.
- Pristine: Every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows.
- Disposable: Nothing persists on the device. Everything is discarded when the user closes the application.
- Secure: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- Efficient: Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
The following video provides an overview of Windows Sandbox.
- Windows 10 Pro, Enterprise or Education build 18305 or later (Windows Sandbox is currently not supported on Home SKUs)
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least two CPU cores (four cores with hyperthreading recommended)
Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later.
Enable virtualization on the machine.
- If you’re using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- If you’re using a virtual machine, run the following PowerShell command to enable nested virtualization:
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
Use the search bar on the task bar and type Turn Windows Features on and off to access the Windows Optional Features tool. Select Windows Sandbox and then OK. Restart the computer if you’re prompted.
- If the Windows Sandbox option is unavailable, your computer doesn’t meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.
Locate and select Windows Sandbox on the Start menu to run it for the first time.
Updated August 12, 2020, 1:32pm EDT
Windows 10’s May 2019 Update (19H1) added a new Windows Sandbox feature. Here’s how you can use it on your Windows 10 PC today.
Note: Windows Sandbox is not available on Windows 10 Home. It’s only available on Professional, Enterprise, and Education editions of Windows 10.
What is Sandbox?
In short, Windows Sandbox is half app, half virtual machine. It lets you quickly spin up a virtual clean OS imaged from your system’s current state so that you can test programs or files in a secure environment that’s isolated from your main system. When you close the sandbox, it destroys that state. Nothing can get from the sandbox to your main installation of Windows, and nothing remains after closing it.
How Do I Get It?
All you need is a modern version of Windows 10 Professional or Enterprise—Windows 10 Home doesn’t have this feature. The Sandbox feature became stable back in May 2019.
Step One: Make Sure Virtualization is Enabled
First, you’ll need to make sure virtualization is enabled in your system’s BIOS. It typically is by default, but there’s an easy way to check. Fire up Task Manager by hitting Ctrl+Shift+Esc and then head to the “Performance” tab. Make sure the “CPU” category is selected on the left and on the right, just make sure it says “Virtualization: Enabled.”
If virtualization is not enabled, you’ll need to enable it in your PC’s BIOS settings before you continue.
Step Two: Turn On Nested Virtualization if You’re Running the Host System in a Virtual Machine (Optional)
If you’re testing out the Insider build of Windows in a virtual machine already and you want to test Sandbox in that VM, you’ll need to take the extra step of turning on nested virtualization.
To do that, fire up PowerShell in the version of Windows running inside the VM and then issue the following command:
That lets your guest version of Windows in the VM expose the virtualization extensions so that Sandbox can use them.
Step Three: Enable the Windows Sandbox Feature
After making sure virtualization is enabled, turning on the Windows Sandbox feature is a snap.
To do so, head to Control Panel > Programs > Turn Windows Features On or Off. (By the way, we’ve got a full write-up on using those Windows Features if you’d like to learn more.)
In the Windows Features window, enable the “Windows Sandbox” checkbox.
Click “OK” and then let Windows restart.
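The prerequisite checks and the feature activation described in the steps above (and in the earlier sections that mention the PowerShell route), collected into one script. This is an added example, not code from any of the quoted articles; it assumes an elevated PowerShell prompt on the host, and the feature name `Containers-DisposableClientVM` is the optional-feature identifier behind the "Windows Sandbox" checkbox.

```powershell
# Added example: verify the Windows Sandbox prerequisites and enable the feature.
# Assumes it is run from an elevated PowerShell prompt on the host machine.

# 1. Edition and build: Sandbox needs Pro/Enterprise/Education on build 18362 (1903) or later.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
if ($build -lt 18362) {
    throw "Build $build is too old; Windows 10 1903 (build 18362) or later is required."
}
if ($os.Caption -match 'Home') {
    throw "Windows Sandbox is not available on Home editions ($($os.Caption))."
}

# 2. Virtualization: the firmware must expose VT-x/AMD-V. Once Hyper-V is already
#    running, Win32_Processor reports the firmware flag as false, so also accept
#    HypervisorPresent (this is what Task Manager shows as 'Virtualization: Enabled').
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not ($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)) {
    throw 'Virtualization is not enabled in BIOS/UEFI (or nested virtualization is off for this VM).'
}

# 3. Optional feature: 'Containers-DisposableClientVM' is the feature behind the
#    'Windows Sandbox' checkbox in the Windows Features dialog.
$featureName = 'Containers-DisposableClientVM'
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue
if ($null -eq $feature) {
    throw "Feature '$featureName' is not present; this edition or build does not ship Windows Sandbox."
}

if ($feature.State -eq 'Enabled') {
    Write-Host 'Windows Sandbox is already enabled.'
} else {
    # -NoRestart lets us report instead of rebooting immediately.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Host 'Windows Sandbox enabled; restart the machine to finish the installation.'
    } else {
        Write-Host 'Windows Sandbox enabled.'
    }
}
```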
Step Four: Fire It Up
After Windows restarts, you can find Windows Sandbox on the Start Menu. Either type “Windows Sandbox” into the search bar or dig through the menu and then double-click on the icon. When it asks, permit it to have administrative privileges.
You should then see a near replica of your current OS.
There are some differences. It’s a clean Windows installation, so you’ll see the default wallpaper and nothing but the default apps that come with Windows.
The virtual OS is dynamically generated from your main Windows OS, so it will always run the same version of Windows 10 you are using, and it will always be fully up to date. That latter fact is especially nice, as a traditional VM requires taking the time to update the OS on its own.
How Do I Use It?
If you’ve ever used a VM before, then using the Sandbox will feel like old hat. You can copy and paste files directly into the Sandbox like any other VM. Drag and drop does not work, though. Once the file is in the Sandbox, you can proceed as normal. If you have an executable file, you can install it in the Sandbox where it’s nicely cordoned off from your main system.
One thing to note: If you delete a file in the Sandbox, it does not go to the recycle bin. Instead, it’s permanently deleted. You will receive a warning when you delete items.
Once you are done with testing, you can close the Sandbox like any other app. This will destroy the snapshot entirely, including any changes you’ve made to the OS and any files you copied there. Microsoft has been kind enough to provide warning first.
The next time you launch Sandbox, you will find it back to a clean slate, and you can begin testing again.
Impressively, Sandbox runs well on minimal hardware. We performed the testing for this article on a Surface Pro 3, an aging device without a dedicated graphics card. Initially, the Sandbox ran noticeably slowly, but after a few minutes, it ran surprisingly well given the constraints.
This better speed persisted through closing and reopening the app as well. Traditionally, running a Virtual Machine called for more horsepower. Because of the narrower use cases with Sandbox (you won’t be installing multiple OSes, running multiple instances, or even taking multiple snapshots), the bar is a little lower. But it is this very specific target that makes the Sandbox work so well.
October 13, 2019, 12:10 PM
Windows 10 May 2019 Update (version 1903) included a new feature called the Windows Sandbox that allows you to safely run applications in isolation from the rest of the operating system.
When you launch the Windows Sandbox, it will fire up an isolated lightweight desktop environment that is separate from your main Windows install, and all the software with its associated files is permanently deleted when you leave the session or close the Sandbox window.
This means you can run untrusted software, scripts, malicious files and adware without the fear of impacting your normal Windows installation.
In order to make it more useful for users, Microsoft allows you to create configuration files that modify the functionality of the Sandbox.
In this guide we will explain how to create a configuration file and then use it to launch the Windows Sandbox.
Create Windows Sandbox configuration file (.wsb)
To create a Windows Sandbox configuration file, you will use a text editor such as Notepad to enter the configuration options, or directives, you wish to use and then save that file with the .wsb extension.
When creating Windows Sandbox config files, you can make as many as you want and save them under descriptive names so that you know what tasks they perform. You can then launch the Windows Sandbox using a specific configuration file by double-clicking on the .wsb configuration file.
For example, you can see a folder of different Windows Sandbox configuration files below, with each performing a different task.
To create a Windows Sandbox configuration file, you would do the following:
- Open Notepad.
- Enter your configuration options.
- Save the file as a .wsb file.
When saving the file, you can give it any name, such as mapped-malware-folder.wsb, but it must end with a .wsb extension.
When creating a configuration file, the file must begin with the opening tag and end with the matching closing tag. Between these two tags, we will add our various configuration directives.
The following sections will introduce you to the various configuration options that we can use in a Windows Sandbox file. Then we will wrap it up all together into a configuration file that disables network but still allows you to transfer files through a mapped folder.
Enable or disable networking
When testing a malware sample, the infection may contact a remote host or perform some other unwanted network behavior. Therefore, it may be useful to disable networking in the Windows Sandbox.
To do this, we use the Networking directive as shown below.
When using this directive, we can enter two values; Disable to disable networking and Default to enable it.
Enable or disable the vGPU
The Windows Sandbox by default will use a virtual hardware GPU in order to increase performance.
If you wish to use software rendering instead, you can disable the vGPU by using the following configuration directive.
This option supports the Disable value, which disables the vGPU, or Default, which enables it.
For the majority of users, the vGPU should not be disabled as software rendering will be much slower.
Map a folder for transferring files
The Windows Sandbox allows you to map folders from your Host Windows (your normal Windows installation) so that they are accessible in the Sandbox.
To do this, you need to use the MappedFolder directive to specify the folder on the host you wish to make accessible in the Windows Sandbox.
This directive is as follows:
The ReadOnly value can be set to True or False. If set to true, then files cannot be modified in the folder from the Sandbox. If you set it to false, though, then the Sandbox can modify these files.
As an example, if you wanted to share the D:\Programs folder so that you can access its contents in the Sandbox, but not modify them, you would use the following directive.
When these folders are shared in the Sandbox, they will be located on the Desktop under the C:\users\WDAGUtilityAccount\Desktop folder.
It should be noted that if you map a folder from the Host to the Sandbox and set ReadOnly to false, then those files can be modified by any programs running in the Sandbox.
The Windows Sandbox also supports the ability to automatically execute a command when the Sandbox is started using the LogonCommand directive.
For example, if you wanted to automatically open File Explorer after the Windows Sandbox starts, you can use the following directive.
Putting it all together with a sample configuration file
Now that we know all of the directives that we can use in a Windows Sandbox configuration file, let’s create a sample to illustrate how we can use them.
Let’s say you are using the Windows Sandbox to test files that you think may be malware. These files are stored on your Windows computer under the C:\Malware-Samples folder and you want the folder to be available in the Sandbox.
At the same time, you are concerned that the samples may make malicious networking calls, so we want to disable networking when using them.
Finally, we want the shared Malware-Samples folder to open automatically when you launch the Sandbox.
To do this, we create the following configuration file that shares the C:\Malware-Samples folder with the Sandbox, disables networking, and then automatically opens the Malware-Samples folder in the Sandbox.
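The same four settings, generated from PowerShell rather than typed by hand, so the .wsb is always well-formed XML and the host folder is checked before the sandbox tries to map it. This is an added example that is not part of any of the quoted articles: the function names (`New-SandboxConfig`, `Add-Element`, `Get-SandboxPath`) are my own, and the element names follow the schema Microsoft documents for Windows Sandbox (`Configuration`, `VGpu`, `Networking`, `MappedFolders`/`MappedFolder`/`HostFolder`/`ReadOnly`, `LogonCommand`/`Command`). It also covers the earlier points that mapped folders land under the WDAGUtilityAccount desktop and that a PowerShell script needs an explicit execution policy in its logon command.

```powershell
# Added example: build a .wsb configuration file from the four Windows Sandbox settings.
# Function and helper names are my own; element names follow Microsoft's documented schema.

function Add-Element([System.Xml.XmlNode] $Parent, [string] $Name, [string] $Text) {
    # Creates <Name>Text</Name> under $Parent and returns the new element.
    $el = $Parent.OwnerDocument.CreateElement($Name)
    if ($Text) { $el.InnerText = $Text }
    return $Parent.AppendChild($el)
}

function Get-SandboxPath([string] $HostFolder) {
    # A mapped folder appears on the sandbox desktop under its host leaf name,
    # e.g. C:\Malware-Samples -> C:\Users\WDAGUtilityAccount\Desktop\Malware-Samples.
    $leaf = Split-Path -Path $HostFolder -Leaf
    return Join-Path 'C:\Users\WDAGUtilityAccount\Desktop' $leaf
}

function New-SandboxConfig {
    param(
        [Parameter(Mandatory)] [string] $Path,   # output .wsb file
        [switch]   $DisableNetworking,           # <Networking>Disable</Networking>
        [switch]   $DisableVGpu,                 # <VGpu>Disable</VGpu>
        [string[]] $MappedFolder = @(),          # host folders to expose
        [switch]   $ReadOnly,                    # map them read-only
        [string]   $LogonCommand                 # command run when the sandbox logs on
    )
    if ([IO.Path]::GetExtension($Path) -ne '.wsb') {
        throw 'Windows Sandbox only launches files with the .wsb extension.'
    }

    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.CreateElement('Configuration')
    $null = $doc.AppendChild($root)

    # Omitted elements keep their defaults (vGPU on, networking on).
    if ($DisableVGpu)       { $null = Add-Element $root 'VGpu'       'Disable' }
    if ($DisableNetworking) { $null = Add-Element $root 'Networking' 'Disable' }

    if ($MappedFolder.Count -gt 0) {
        $folders = Add-Element $root 'MappedFolders'
        foreach ($hostFolder in $MappedFolder) {
            # The sandbox cannot map a folder that does not exist on the host; fail early.
            if (-not (Test-Path -LiteralPath $hostFolder -PathType Container)) {
                throw "Host folder not found: $hostFolder"
            }
            $mf = Add-Element $folders 'MappedFolder'
            $null = Add-Element $mf 'HostFolder' (Resolve-Path -LiteralPath $hostFolder).Path
            # Read-only unless the caller explicitly asks for write access.
            $null = Add-Element $mf 'ReadOnly' $ReadOnly.IsPresent.ToString().ToLower()
        }
    }

    if ($LogonCommand) {
        $lc = Add-Element $root 'LogonCommand'
        $null = Add-Element $lc 'Command' $LogonCommand
    }

    $doc.Save($Path)
    return $Path
}

# The scenario from the section above: share C:\Malware-Samples read-only, cut the
# network, and open the mapped folder in Explorer as soon as the sandbox logs on.
$samples = 'C:\Malware-Samples'
$null = New-Item -ItemType Directory -Force -Path $samples    # make sure the host folder exists
New-SandboxConfig -Path (Join-Path $env:USERPROFILE 'Desktop\malware-samples.wsb') `
    -DisableNetworking -MappedFolder $samples -ReadOnly `
    -LogonCommand "explorer.exe $(Get-SandboxPath $samples)"

# Variant for a setup script: the sandbox's execution policy blocks .ps1 files, so the
# logon command has to call powershell.exe with an explicit -ExecutionPolicy.
$scripts = 'C:\SandboxScripts'                                 # constructed example path
$null = New-Item -ItemType Directory -Force -Path $scripts
New-SandboxConfig -Path (Join-Path $env:USERPROFILE 'Desktop\setup-script.wsb') `
    -MappedFolder $scripts -ReadOnly `
    -LogonCommand "powershell.exe -ExecutionPolicy Bypass -File $(Get-SandboxPath $scripts)\setup.ps1"
```

Double-clicking either generated .wsb file launches the sandbox with those settings; open the file in a text editor to see the resulting XML.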
As you can see, using a Windows Sandbox configuration file makes the feature much more useful and able to be customized for a variety of purposes.
In the future, we hope Microsoft continues to expand on the configuration that can be added so that this feature can be even more useful.
No pail or shovel is needed
Imagine being able to test out any software or visit any website without having to worry that your computer might get a virus. That’s what a browser sandbox does. It can be done with the Sandbox app built into Windows 10 or another free app called Sandboxie. However, the Sandboxie app is the easiest way to do this. Did we say it’s free, already?
What is a Browser Sandbox?
Sandbox is a bit of a weird term to use with computers, but think about what a real-life sandbox does. It’s a set of walls to keep all the sand inside. Otherwise, it just kind of creeps out to ruin part of the lawn. It also gives us a defined space to play in.
The kind of sandbox we’re talking about, a browser sandbox, does the same thing. It keeps things inside so it doesn’t creep out and ruin the computer. It also provides a place to play freely without worry.
Windows 10 Sandbox
If you have Windows 10 Pro, Enterprise, or the Education version, there’s a built-in sandbox feature. We’ve got an article that shows how to install and use the Windows 10 Sandbox. If you have the right version of Windows and install the sandbox, you could use it to browse the web. It defaults to use Edge. If you want to use another browser, you need to install it in the Windows 10 Sandbox.
But there’s a big challenge. Each time you close Windows Sandbox, you lose all the settings. That means the next time you open it, it’s like a brand new install of Windows. You have to set everything up again.
If you want to use a browser other than Edge, you need to install it. You need to transfer your bookmarks and re-install your favorite browser extensions and add-ins. No bookmarks get saved. No extensions or add-ins get saved.
It’s true that you could configure Windows Sandbox to maintain some things between sessions. But that involves finding and editing an XML configuration file. That’s more work than most people want to do.
Sandboxie for Sandboxed Web Browsing
Sandboxie is a cutesy name, but it’s a powerful sandbox tool from Sophos. Sophos is an industry leader in digital security. Sandboxie is a full sandbox solution. You can run any program in it, so it’s useful for testing software, opening sketchy e-mail attachments and, among other things, browsing the web. Plus, it’s free.
Download Sandboxie for free now. Install it, and go through the tutorial to see how it works.
We’re just going to look at the Sandboxie Web Browser today. Sandboxie is capable of doing a lot more, though! Play around with it.
Once you’ve downloaded and installed Sandboxie, browsing becomes as easy as opening your regular web browser. Sandboxie places a Sandboxed Web Browser shortcut on the desktop; simply double-click it.
The default browser will open with all of its current bookmarks and extensions. You can use the web just like you always have. No additional setup is required, unlike with Windows Sandbox. That’s what makes Sandboxie better for most people than Windows Sandbox.
What’s Happening in the Browser Sandbox?
Sandboxie has isolated all the processes that make a web browser work from everything else running on the computer. It’s almost like having a mini-computer inside a computer.
Sandboxie gives the browser just enough resources and permissions to do what it has to do. Anything within it that tries to access resources beyond that will get denied. You can also see exactly what the browser is doing as it is doing it. Double-click on the Sandboxie icon in the system tray to see the Sandboxie Control Window. It will show all the processes running that the browser sandbox is using.
How can you tell which window is sandboxed? What if you have a few browsers open? Just move the mouse to the top of the window. If it’s a Sandboxie window, a yellow highlight box will appear around the edge of the browser.
Why Don’t Web Browsers Already Use a Sandbox?
Most web browsers do use a sandbox. Yet people still get viruses and such from websites. And there are, apparently, degrees of sandboxing. It’s hard to get the details of how the different web browsers use sandboxing. If they said, “We sandbox everything except such and such.” then they’d be admitting they’re not as secure as they’d like us to believe.
The options we’re showing say that they are 100% sandboxed. Outside of reverse-engineering the programs, you must either choose to trust these browsers or not. If you want to try reverse-engineering a program, check out Ghidra. Ghidra is a free tool for reverse engineering from the National Security Agency (NSA).
We’re not saying that all web browsers are unsafe. They’re as safe as we want them to be. But you can make your web browser more secure with a browser sandbox. If you’re concerned about the safety of your current browser outside of the sandbox, consider using a different browser. There are more browser options than you might know about.
Will Browsing in a Browser Sandbox Completely Protect Me?
The short answer is that yes, browsing in a browser sandbox will protect you. The long answer is that it won’t completely protect you. If you use the browser sandbox to simply browse websites, then yes, you’re protected. But if you use the sandboxed browser to download something, and then open that download outside of the sandbox, you’re not protected, unless you use Sandboxie for that as well.
Would you use a sandboxed browser? What would you use it for? Do you know of any other ways to isolate your web browsing from the rest of your computer? Let us know in the comments section!
Guy has been published online and in print newspapers, nominated for writing awards, and cited in scholarly papers due to his ability to speak tech to anyone, but still prefers analog watches.
What is Windows Sandbox?
As Microsoft describes it, it is a lightweight desktop and isolation environment. It runs independently from your main Windows, as a temporary, fresh Windows each time you launch it. It’s useful for testing new applications or untrusted software in an isolated environment that cannot infect your main Windows.
Imagine you download software from an untrusted source. You would like to check it out but are wary of installing it on your main computer, since it may infect your computer with a virus, and you don’t want to install a clean Windows or even set up a virtual machine, since that takes too much time to install and set up.
Windows Sandbox will help you deal with these concerns. All the untrusted apps and software stay in the Sandbox and cannot affect your main Windows. After you close the Sandbox, all the apps and software you installed are deleted permanently. Your main Windows stays safe.
How to configure and use it?
Windows Sandbox has the following properties:
- Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
- Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
- Disposable – nothing persists on the device; everything is discarded after you close the application
- Secure – uses hardware-based virtualization for kernel isolation, which relies on Microsoft’s hypervisor to run a separate kernel that isolates Windows Sandbox from the host
- Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU
Prerequisites for using the feature:
- Windows 10 Pro or later
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4GB of RAM (8GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least 2 CPU cores (4 cores with hyperthreading recommended)
From the Start menu, find and run Turn Windows features on or off.
The Windows Features dialog will open. Enable the Windows Sandbox feature by checking its box.
Go through the configuration wizard. Once the setup is complete, you must restart your computer for the change to take effect.
From the Start menu, find Windows Sandbox, run it, and allow the elevation prompt.
Oops, you may get this warning message.
Make sure virtualization is enabled on your computer.
After starting, your Windows Sandbox will look like this.
Please note that once the Windows Sandbox is shut down, restarted or disconnected, your installed apps, data, everything will be gone.
You should also keep an eye on your host’s resource usage while working in Windows Sandbox.
From now on, you can confidently test untrusted software without fear of it impacting your main Windows.
Windows 10’s new sandbox feature lets you securely test programs and files downloaded from the Internet by running them in a secure container. It’s easy to use, but the settings are in a text-based configuration file.
The Windows Sandbox is easy to use if you have it
This feature is part of the May 2019 update of Windows 10. After you install the update, you must also have the Professional, Enterprise, or Education edition of Windows 10.
When Sandbox starts, it creates a copy of your current Windows operating system, removes access to your personal folders, and gives you a clean Windows desktop with internet access. Before Microsoft added this configuration file, you could not customize Sandbox at all. If you did not want Internet access, you had to disable it right after it started. If you needed access to files on your host system, you had to copy and paste them into Sandbox. If you wanted certain third-party programs installed, you had to install them after starting Sandbox.
Because Windows Sandbox completely discards the instance when you close it, you had to go through this customization process every time it was started. On the one hand, this leads to a safer system. If something goes wrong, close the sandbox and everything is deleted. However, if you need to make the same changes regularly, it quickly gets frustrating every time you start up.
To resolve this issue, Microsoft has introduced a configuration feature for Windows Sandbox. With XML files, you can start Windows Sandbox with set parameters. You can tighten or relax the restrictions of the sandbox. For example, you can disable the Internet connection, configure folders shared with your host copy of Windows 10, or run a script to install applications. The options are somewhat limited in the first version of the Sandbox feature, but Microsoft will likely add more in future Windows 10 updates.
Configuring the Windows Sandbox
This guide assumes that you have already set up Sandbox for general use. If you have not already done so, you must first enable it in the Windows Features dialog box.
To get started, you need Notepad or your favorite text editor (we like Notepad++) and a blank new file. You create an XML file for configuration. Familiarity with the XML markup language is helpful, but not required. When you save your file, save it with the .wsb extension (think Windows Sandbox). Double-clicking the file starts Sandbox with the specified configuration.
As explained by Microsoft, you have several options to choose from when configuring the sandbox. You can enable or disable the vGPU (virtualized GPU), turn the network on or off, specify a shared host folder, set read / write permissions for this folder, or run a script on startup.
In other words, this configuration file lets you disable the virtualized GPU (enabled by default), disable the network (enabled by default), specify a shared host folder (sandbox apps have no access to host folders by default), set read / write permissions for that folder, and / or execute a script at startup.
First open Notepad or your favorite text editor and start with a new text file. Add the opening and closing root tags of the configuration.
All options that you add must go between these two tags. You can add just one option or all of them; you do not have to add every single option. If you do not specify an option, its default value is used.
Disable Virtual GPU or Network
As Microsoft points out, enabling the virtual GPU or the network increases the ability of malicious software to break out of the sandbox, so if you’re testing something that’s particularly troublesome, it might be a good idea to disable them.
To disable the virtual GPU, which is enabled by default, add the corresponding element to your configuration file with the value Disable.
To disable network access, which is also enabled by default, add its element with the value Disable.
How to Map a Folder
To map a folder, you must specify exactly which folder you want to share, and then specify whether the folder should be read-only or not.
A folder mapping names the host folder to share (in the example here, C:\Users\Public\Downloads) and states whether it is read-only.
In HostFolder you list the specific folder that you want to share. The example above shares the Public Downloads folder found on Windows systems. ReadOnly determines whether the sandbox can write to the folder or not. Set it to true to make the folder read-only, or to false to make it writable.
Be aware that mapping a folder opens a path between your host and the Windows Sandbox, which puts your system at risk. Giving the Sandbox write access increases this risk. If you are testing something you believe is harmful, you should not use this option.
Running a Script at Startup
Finally, you can run custom scripts or basic commands. For example, you can have the sandbox open a mapped folder at startup.
WDAGUtilityAccount is the default user in Windows Sandbox; you will always refer to it when you open folders or files as part of a command.
Unfortunately, in the initial release of Windows 10’s May 2019 Update, the LogonCommand option does not work as intended. It did nothing, even when we used the example from the Microsoft documentation. Microsoft will probably fix this error soon.
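A complete .wsb file that combines the options walked through above and also implements the malware-samples scenario described earlier on the page (shared folder, networking off, folder opened at logon). This is an added example, not a file from either original post; the host path C:\Malware-Samples is the page’s example, and the explorer.exe path assumes that mapped folders appear on the desktop of the WDAGUtilityAccount user.

```xml
<Configuration>
  <!-- Both the virtual GPU and networking widen the sandbox's attack surface
       (see the Microsoft note quoted above), so turn them off for suspicious
       samples. Both default to Enable when the element is omitted. -->
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>

  <MappedFolders>
    <MappedFolder>
      <!-- Host folder holding the samples (C:\Malware-Samples is the page's
           example path; change it to your own folder). -->
      <HostFolder>C:\Malware-Samples</HostFolder>
      <!-- true: the sandbox can read the samples but cannot write anything
           back to the host. false would make the folder writable. -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>

  <LogonCommand>
    <!-- Assumption: mapped folders are placed on the desktop of the built-in
         WDAGUtilityAccount user, so this opens the shared folder in Explorer
         as soon as the sandbox logs on. -->
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Malware-Samples</Command>
  </LogonCommand>
</Configuration>
```

Save it as, for example, Malware-Samples.wsb and double-click it to start the Sandbox with these settings.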
To start Sandbox with your settings
Save your file and give it a .wsb file extension. For example, if your text editor saves it as Sandbox.txt, save it as Sandbox.wsb. To start the Windows Sandbox with your settings, double-click the .wsb file. You can put it on your desktop or create a shortcut in the Start menu.
You can download this DisabledNetwork file to save some steps. The file has a .txt extension; rename it to a .wsb extension and you can start Windows Sandbox with it.