We live in a digital world and any sensible person would agree that it is full of danger, security experts have warned us over and over again not to click links, open attachments, or run programs unless we can trust them. However, if there are legitimate cases where we have to test a new program to see how it works, then what should we do? There are different ways to do it, but I will show you a new feature in Windows that can protect your computer from any potential harm caused by a dangerous program. This feature is called Windows Sandbox.
Windows Sandbox is a new feature in Windows Pro, Enterprise, or Education version and it provides a lightweight virtual desktop environment that allows you to run programs in a safe and isolated environment. Software installed inside the Windows Sandbox environment is “sandboxed” and runs separately from the host machine, therefore, if an application is dangerous, it can only affect the sandbox environment and the damage will not pass to the host machine. By default, the Windows Sandbox does not have access to resources in the host machine, but it can be configured to access a specific folder in the host machine.
Installation
The installation of Windows Sandbox is very easy:
- Check your computer and make sure your Windows supports Windows Sandbox.
- Enable virtualization in the BIOS on the computer
- Press the Windows key and type Turn Windows Features on and off to access the Windows Optional Features tool. Select Windows Sandbox and then OK. Then restart the computer to complete the installation.
Run Windows Sandbox
From the Start menu, search for Windows Sandbox to run it.
Now, you can use the Edge web browser in the sandbox to download an executable file and run it. When you’re finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select Ok.
If you run Windows Sandbox again, you will notice that the downloaded executable is not in the sandbox.
Customization
The following properties can be customized for Windows Sandbox:
- vGPU (virtualized GPU): Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
- Networking: Enable or disable network access within the sandbox.
- Mapped folders: Share folders from the host with read or write permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
- Logon command: A command that’s executed when Windows Sandbox starts.
- Audio input: Shares the host’s microphone input into the sandbox.
- Video input: Shares the host’s webcam input into the sandbox.
- Protected client: Places increased security settings on the RDP session to the sandbox.
- Printer redirection: Shares printers from the host into the sandbox.
- Clipboard redirection: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
- Memory in MB: The amount of memory, in megabytes, to assign to the sandbox.
However, at the time of writing this post, there is no graphical interface for customizing Windows Sandbox. To customize Windows Sandbox, you will need to manually create a configuration file in the XML format with the .wsb file extension. Below is an example of a customized Windows Sandbox that can access the Download folder on the host machine and the Download folder will automatically open when Windows Sandbox is launched:
<Configuration>
<VGpu>Disable</VGpu>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\YourUsername\Downloads</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
</LogonCommand>
</Configuration>Save the file as Downloads.wsb, then double-click the file to launch the customized Windows Sandbox.
I think Windows Sandbox is a very nice feature in Windows, what do you think? Share your comments below.
