Why do you need a sandbox in Windows 10?

Luke In The Clouds
4 min readNov 13, 2019

Windows Sandbox is a new feature in Windows 10. It provides a lightweight, separated environment where you can safely run your applications.

Microsoft has introduced the sandbox in Windows 10, version 1903. It is some kind of a virtual machine, but you don’t need to configure Hyper-V (or any other virtualization tool) or install a new operating system. Moreover, it uses only around 100MB of your disk space!

To check your Windows 10 version just press Win+R
and run winver in the “Run” command box.

Each time you run the sandbox, you get a clean version of your operating system. Yes — the same system you have installed on your computer/laptop.

The Sandbox uses some special techniques to reuse your operating system files (and other resources) — that’s why it does not take a lot of space, like a normal virtual machine. But no worries — it is safe.

Once you close the sandbox, all the changes that you made in this environment disappear.

You can visit Windows Kernel Internals blog for more technical details about these techniques:

  • Dynamically generated Image — the magical trick for reusing your original operating system files
  • Smart memory management
  • Integrated kernel scheduler
  • Graphics virtualization
  • Battery and power optimization

Why should you use Windows Sandbox?

I believe it’s worth using sandbox because:

1. You can safely test applications

I love testing new applications. But installing new apps on my computer can be dangerous — I don’t know if the downloaded application is safe, maybe there is some malware?

Now, I can quickly(!) run any application in the sandbox. I’m not afraid of my computer being infected or destroyed.

The sandbox can come in handy even if you trust the installed application. For example, you would like to install an app for a moment, or you are just testing a trial version. After closing this environment you can be sure nothing is left after the installed application.

2. You can open untrusted websites and files

Sometimes you have a website you don’t trust. Or you receive an email with some link or attachment, and you are not sure if it is safe to open it.

With the sandbox, you can safely run them — they will not hurt your main system.

3. You can check if your app is working on a clean environment

Sandbox is useful not only for security reasons. If you are developing desktop applications you can use it to validate if your application is working on a clean system. You can have some frameworks and libraries installed globally and your application works on your machine. With the sandbox, you can quickly check if it is working on other machines, too.

On twitter (and my other social media) I’m sharing interesting (in my opinion ;)) stuff about Cloud, DevOps, Software Development and Technical Leadership.

4. You can check if you can set up your development environment on a clean system

Similar to the above. If you have a script to configure your dev environment you can easily validate it with the sandbox.

5. You can investigate cache issues

Sometimes you come across strange issues with package managers or different tools, because of cached dependencies. If you are unable to fix these issues locally you can run your application on the clean system (sandbox) to check if it is really the cache problem.

6. You can play with Windows settings

Windows provides a lot of options. With the sandbox, you can safely modify them (including the registry!) without changing your main system.

How can you use Windows Sandbox?

In order to work with Windows Sandbox, you need a Windows 10 Pro or Enterprise (Home edition is not supported) and virtualization enabled in BIOS.

To use the sandbox, you need to enable it on the Windows Features list — press Win+R and run optionalfeatures in the “Run” command box.

Once installed, you can run the sandbox from the start menu.

How can you configure Windows Sandbox?

You can change the standard sandbox behavior with a config file — it is an XML file with .wsb extension.

With the config file you can:

  • enable or disable the virtualized GPU
  • enable or disable a network
  • mount a shared folder (I would recommend sharing folders as read-only)
  • define startup scripts — you can open some folder in the explorer or run a custom script to install the necessary tools

So far I haven’t used the custom configuration, but it is nice to have such a possibility.

An example of a config file looks like this:

<Configuration> <VGpu>Disable</VGpu> <Networking>Disable</Networking> <MappedFolders> <MappedFolder> <HostFolder>C:\Users\Public\Downloads</HostFolder> <ReadOnly>true</ReadOnly> </MappedFolder> </MappedFolders> <LogonCommand> <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command> </LogonCommand> </Configuration>

The above example:

  • disables virtualized GPU and network
  • mounts C:\Users\Public\Downloads folder as read-only. In the sandbox, it is available as a desktop subfolder C:\users\WDAGUtilityAccount\Desktop\Downloads
  • runs the mounted folder in the explorer

In order to run the sandbox with a specified configuration, you need to double the click config file (you can’t run multiple sandbox instances).

More about config files (with nice examples) can be found on the Windows Kernel Internals blog.

That’s all for today. I hope you will find Windows Sandbox useful!

Originally published at https://gasior.net.pl on November 13, 2019.



Luke In The Clouds

👍 Notes from my work with Azure and other clouds | 🌍https://socialshub.net/LukeInTheClouds