Sandbox, What it is and How it works in Windows 10


A guide to Windows Sandbox, a new feature introduced with the Windows 10 May 2019 Update that allows you to try programs and run tests in an environment that is completely isolated from the rest of the system.

The Windows 10 update released in May 2019 (version 1903) introduced a new feature integrated directly into the Microsoft operating system: Windows Sandbox.

The result of some experiments that Microsoft had already carried out in the recent past, Windows Sandbox, once activated, allows you to run any application in an environment isolated from the rest of the operating system.

Windows Sandbox ensures that any changes an application makes do not affect the operating system once the application is closed.

The benefits are enormous: with Windows 10 Pro, Enterprise, or Education (the feature is not offered to Windows 10 Home users), you can request to run any program in a separate environment (not just the Edge browser, which was the only possibility until recently).

How to activate Windows Sandbox in Windows 10

To enable and use Windows Sandbox, first check that virtualization support is enabled in the BIOS/UEFI.

To check it, press the key combination CTRL + SHIFT + ESC to open the Task Manager, click on More details if necessary, go to the Performance tab, and make sure that Enabled is shown at the bottom right, next to the Virtualization item.

For more information, we suggest reading the article How to activate virtualization in Windows.

At this point, it will be sufficient to press the key combination Windows + R, then type optionalfeatures, check the Windows Sandbox box, and press the OK button.


By typing Windows Sandbox in the Windows 10 search box, you will see a new window appear containing a sort of replica of the operating system desktop, complete with icons and taskbar.

The sandbox is generated from the version of Windows in use: the version inside the sandbox will therefore correspond to that of the operating system installed on the machine. The sandbox will appear as a clean installation of Windows 10 fully detached from the main one.

By closing the Windows sandbox window, all the changes made within it and all the tests will be immediately and permanently lost.


To configure the sandbox operation and set your preferences, Microsoft explains that you can use a properly structured XML file (see this support page).

By creating an XML file containing the following (use a program such as Notepad++ to do this), you will ensure that no application or operating system components from the sandbox can access the Internet:

<Configuration>
  <Networking>Disable</Networking>
</Configuration>

Using a configuration such as the following, you can give the sandbox read-only access to the contents of a folder on the main system's file system:

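<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>D:\Download</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>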

The XML file can be saved in any location, for example, on the desktop. In the File name field of Notepad++, you must enter “Sandbox.wsb”, including the quotation marks.

By double-clicking the Sandbox.wsb file, the Windows Sandbox will start with the preferences set at the XML file level.
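
Before double-clicking a .wsb file, it is worth checking what it actually grants. The following Python sketch is an added example, not code from Microsoft or from this article: it audits a configuration and reports enabled networking, host folders mapped writable, and logon commands. The sample configuration is constructed, and the element names are those of Microsoft's .wsb format.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two settings shown above, plus a second mapped
# folder without ReadOnly and a logon command, to show what gets reported.
SAMPLE_WSB = r"""<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>D:\Download</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\Users\Public\Documents</HostFolder>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe</Command>
  </LogonCommand>
</Configuration>"""


def audit_wsb(xml_text):
    """Return a list of findings for a Windows Sandbox .wsb configuration."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("root element must be <Configuration>")
    findings = []

    # Networking stays enabled unless the file explicitly disables it.
    net = (root.findtext("Networking") or "Default").strip()
    if net.lower() != "disable":
        findings.append("networking enabled (Networking=%s)" % net)

    # A mapped folder is writable from the sandbox unless ReadOnly is true.
    for folder in root.iterfind("MappedFolders/MappedFolder"):
        host = (folder.findtext("HostFolder") or "").strip()
        read_only = (folder.findtext("ReadOnly") or "false").strip().lower()
        if read_only != "true":
            findings.append("writable host folder: %s" % host)

    # Logon commands run automatically at sandbox start; list them for review.
    for cmd in root.iterfind("LogonCommand/Command"):
        findings.append("logon command: %s" % (cmd.text or "").strip())
    return findings


if __name__ == "__main__":
    for line in audit_wsb(SAMPLE_WSB):
        print(line)
```

An empty result means the file disables networking, maps every host folder read-only, and runs nothing at logon.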

The sandboxes can thus be used to safely run, from a virtual environment, any software you have doubts about or programs on which you wish to carry out in-depth tests and analyses.

The image is taken from this post by Hari Pulapaka (Microsoft).

When to use Windows Sandbox

There are many possible fields of application for a tool like Windows Sandbox.

You can use it, for example, to:

1) Start an application you have doubts about without it damaging the main system in any way. From Windows Sandbox, you will be able to monitor the program’s operation, subject it to a thorough scan, verify the changes it applies to the system and decide only at the end whether to install it in Windows 10.

2) Use Windows Sandbox as a test environment so that you can do all the possible tests without damaging the main installation of the operating system.

3) Check the behavior of an attachment in an e-mail message about which you have doubts.

In all three situations, just close Windows Sandbox to get rid of all the elements without them having been able to make the slightest change on the main system. However, it is essential to always keep Windows 10 updated by installing the patches Microsoft releases every month: malware could use sandbox escaping techniques to execute potentially malicious code outside the perimeter of Windows Sandbox by exploiting a vulnerability that has not been resolved by applying Microsoft patches.

Automate the creation of Windows Sandbox configuration files

For the moment, Microsoft has not yet released an official tool for creating Windows Sandbox configuration files, useful for creating new virtual machines.

An independent developer, Damien Van Robaeys, thought of it, introducing his free Windows Sandbox Editor utility.


In the EXE folder of Windows Sandbox Editor, you will find two executable files (“v1” and “v2”): they differ only in the structure of the interface, but the program functions are the same.

The Basic infos section allows you to assign a name to the sandbox, indicate the sandbox’s path, specify the status of the network (connected, or with the sandbox completely isolated on the networking side as well), and activate the virtual GPU (better performance).

By clicking on Mapped folders, you can share one or more folders between the host system and the sandbox, while with a click on Command, you can request the automatic execution of some commands when the operating system is loaded.


The Overview section shows the structure of the .wsb file based on the preferences selected.

In case you specify an incorrect folder as the destination for creating the Windows Sandbox configuration file, the editor will save the .wsb file in the %userprofile% folder (press the Windows + R key combination, then type %userprofile%).

Van Robaeys has also published a useful PowerShell script that allows you to add the Run in the sandbox item to the context menu.

This will allow Windows 10 to instantly run any file within the sandbox’s perimeter rather than on the main system.

Compatibility, interoperability, and alternative solutions

During our tests, the Windows Sandbox functionality performed very well, allowing programs to run quickly.

The only problem with Windows Sandbox (which is based on Microsoft Hyper-V) is that it doesn’t get along with third-party virtualization solutions: if you try to start Virtualbox or VMware, the virtual machines will not load. On the other hand, the system is very light and takes up just 60 MB in memory once running.

In case you want to disable Windows Sandbox and go back to using Virtualbox or other virtualization software, after restarting the PC, you will need to press the key combination ALT + F4 and choose to Restart the system; otherwise, the loading of the virtual machines will present an error.

Alternatively, you can add a new entry in the Windows 10 boot menu to choose whether to boot the operating system normally (you can use Windows Sandbox) or temporarily disable Hyper-V to use other virtualization software like Virtualbox, VMware, and the like. The term “Windows Sandbox” can be used instead of “Docker” as the above tips also apply to Microsoft’s sandboxing solution.

Virtualbox virtual machines can be used as an alternative to Windows Sandbox: so-called snapshots allow you to store the state of the virtual system and restore it if necessary (for example, to undo previous changes and instantly recover the virtual machine in case of problems and instability).

From the virtual network adapter’s point of view, you can isolate the Virtualbox virtual machine so that it cannot even communicate with the host.

Microsoft is also currently working on Application Guard for Office, a new mechanism that helps protect against threats embedded in malicious Word, Excel, and PowerPoint documents.