Windows Sandbox
What is Windows Sandbox?
Windows Sandbox is a lightweight virtualization feature introduced by Microsoft in Windows 10 (starting from version 1903) and Windows 11. It provides users with a secure and isolated environment to run untrusted or potentially malicious applications without affecting the underlying operating system.
Windows Sandbox creates a temporary virtual machine (VM) that mimics a clean installation of Windows. When you open Windows Sandbox, it launches a fresh instance of Windows, separate from your main operating system. Any changes made within the sandbox, such as installed applications, files, or system settings, are contained within the sandbox and do not impact your actual Windows installation.
The primary purpose of Windows Sandbox is to provide a safe testing environment for applications that you may be uncertain about, such as those downloaded from the internet or received from untrusted sources. By running them in the sandbox, you can evaluate their behavior without the risk of affecting your primary system.
Once you close Windows Sandbox, all the changes made within the sandbox are discarded. This ensures that any potential malware or unwanted software is completely removed, and you start with a clean slate every time you use the sandbox.
Windows Sandbox utilizes hardware virtualization capabilities built into modern CPUs, such as Intel VT-x or AMD-V, to provide efficient and secure isolation. It is a feature available in certain editions of Windows, such as Windows 10 Pro, Enterprise, and Education, as well as Windows 11 Pro and Enterprise.
When should I use Windows Sandbox?
- Running suspicious or untrusted software: If you come across a program or file that you're unsure about, you can use Windows Sandbox to test it without worrying about potential harm to your system. This is particularly useful for evaluating applications from unreliable sources or testing software with unknown origins.
- Opening potentially dangerous files: When you receive files from unknown sources, such as email attachments or downloaded files from the internet, you can open them in Windows Sandbox to mitigate the risk of malware infecting your main system. The sandbox ensures that any changes made to the files are contained within the isolated environment.
- Web browsing in a secure environment: If you encounter a website that seems suspicious or could potentially be harmful, you can visit it using Windows Sandbox. This way, any malicious scripts, viruses, or malware that might be present on the website won't be able to affect your primary operating system or compromise your sensitive data.
- Software testing and debugging: Developers and software testers can take advantage of Windows Sandbox to quickly test and debug their applications. The sandbox provides a clean and isolated environment, allowing them to assess the behavior of their software without interfering with their main development setup.
- Trying out new software: If you want to experiment with new software or install applications that you're uncertain about, Windows Sandbox offers a convenient way to try them out. You can install and run the software within the sandbox without worrying about potential conflicts or cluttering your primary system.
How do I install Windows Sandbox?
- Go to Settings
- Click Apps -> Programs and Features -> Turn Windows Features on or off -> Select Windows Sandbox.
- Reboot
Once you reboot, Windows Sandbox is installed and can be used to browse the web isolated from your computer. However, you will not be able to transfer files from your host computer to the Windows Sandbox. To do this, you need to create a .wsb configuration file.
Here is a very basic .wsb configuration file.
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>FULL PATH TO FOLDER ON HOST COMPUTER</HostFolder>
      <ReadOnly>True</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
A full description of configuration options is available on the Microsoft website here:
Note: Initially, I encountered an "Invalid Configuration File" error when I tried to place the host folder in OneDrive. I do not know if it was because it was in OneDrive or because my full path included an "&"; once I used a simpler path, not in OneDrive, the issue was resolved.
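A .wsb file is XML, and in XML a literal "&" inside element text has to be written as "&amp;" or the file is malformed. The PowerShell below is an added example, not part of the original page or of Microsoft's documentation: it writes the same basic read-only mapping shown above through an XML writer so the host path is escaped, then parses the file back before you launch it. The function name `New-SandboxConfig`, the sample folder and the output file name are assumptions made for the illustration.

```powershell
# Added example: generate a .wsb file with an XML writer so characters such
# as "&" in the host path are escaped instead of being pasted in raw.
function New-SandboxConfig {
    param(
        [Parameter(Mandatory)] [string] $HostFolder,  # folder on the host to map
        [Parameter(Mandatory)] [string] $OutFile,     # path of the .wsb file to write
        [bool] $ReadOnly = $true                      # sandbox cannot write back to the host folder
    )

    # Resolve to a full path and stop early if it is missing or not a folder.
    $full = (Resolve-Path -LiteralPath $HostFolder -ErrorAction Stop).ProviderPath
    if (-not (Test-Path -LiteralPath $full -PathType Container)) {
        throw "HostFolder is not a directory: $full"
    }

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true              # match the bare layout of the basic file

    $outPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
    $writer  = [System.Xml.XmlWriter]::Create($outPath, $settings)
    try {
        $writer.WriteStartElement('Configuration')
        $writer.WriteStartElement('MappedFolders')
        $writer.WriteStartElement('MappedFolder')
        $writer.WriteElementString('HostFolder', $full)        # "&" is written as "&amp;"
        $writer.WriteElementString('ReadOnly', "$ReadOnly")    # "True" or "False"
        $writer.WriteEndElement()   # MappedFolder
        $writer.WriteEndElement()   # MappedFolders
        $writer.WriteEndElement()   # Configuration
    } finally {
        $writer.Close()
    }

    # Parse the file back: malformed XML throws here rather than at sandbox launch.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($outPath)
    return $check.Configuration.MappedFolders.MappedFolder.HostFolder
}

# Constructed sample: a temporary folder whose name contains "&".
$demo = Join-Path $env:TEMP 'R&D samples'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$wsb  = Join-Path $env:TEMP 'demo.wsb'
New-SandboxConfig -HostFolder $demo -OutFile $wsb     # returns the path with a plain "&"
Get-Content -LiteralPath $wsb                         # the file itself contains "R&amp;D samples"
```

Keeping `ReadOnly` set to `True` means anything you run inside the sandbox can read the mapped folder but cannot modify the copies on the host.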