How to Configure the Windows Sandbox

sandbox windows being run

Windows 10 new Sandbox function Allows you to securely test programs and files downloaded from the Internet by running them in a secure container. It's easy to use, but its parameters are buried in a textual configuration file.

Windows Sandbox is easy to use if you have one

This feature is part of May 2019 update of Windows 10. Once the update is installed, you will also need to use the Professional, Enterprise or Education editions of Windows 10. It is not available on Windows 10 Home. But, if it's available on your system, you can easily enable the Sandbox feature then launch it from the Start menu.

RELATED: How to use the new Windows 10 sandbox (to test applications safely)

Sandbox will launch, create a copy of your current Windows operating system, remove access to your personal folders and give you a clean Windows desktop with Internet access. Before Microsoft added this configuration file, you could not customize Sandbox at all. If you do not want to access the Internet, you should normally disable it immediately after launch. If you needed to access the files on your host system, you had to copy and paste them into Sandbox. And, if you wanted to install particular third-party programs, you had to install them after launching Sandbox.

Because Windows Sandbox completely deletes its instance when it is closed, you must follow this customization process at each launch. On the one hand, it makes the system more secure. If something goes wrong, close the sandbox and everything will be deleted. On the other hand, if you have to make changes on a regular basis, doing it at each launch becomes frustrating quickly.

To mitigate this problem, Microsoft introduced a configuration feature for Windows Sandbox. With the help of XML files, you can launch Windows Sandbox with defined parameters. You can tighten or relax sandbox restrictions. For example, you can disable the Internet connection, set up shared folders with your host copy of Windows 10, or run a script to install applications. The options are somewhat limited in the first version of the Sandbox feature, but Microsoft will probably add some in future Windows 10 updates.

How to configure Windows Sandbox

Windows Sandbox Explorer and Host System Explorer displaying a shared fileYour sandboxed copy of Windows 10 may have access to a shared folder on your host operating system.

This guide assumes that you have already configured Sandbox for general use. If you have not done so yet, you will have to enable it first with the Windows Features dialog box.

For starters, you'll need Notepad or your favorite text editor. We like Notepad ++– and a new blank file. You will create an XML file for the configuration. While familiarity with the XML encoding language is useful, it is not necessary. Once your file is in place, you must register it with a .wsb extension (think of Windows Sand Box). Double-clicking on the file will launch Sandbox with the specified configuration.

As explained by Microsoftyou have a choice of options when setting up the sandbox. You can enable or disable vGPU (virtualized GPU), enable or disable the network, specify a shared host folder, set read / write permissions on that folder, or run a script at launch.

Using this configuration file, you can disable the virtualized GPU (enabled by default), disable the network (enabled by default), specify a shared host folder (sandboxed applications have access to none by default ), set read / write permissions on this folder, and / or run a script at launch

First, open Notepad or your favorite text editor and start with a new text file. Add the following text:

All the options that you will add must be between these two parameters. You can add one option or all options – you do not have to include one. If you do not specify an option, the default value will be used.

<img class = "alignnone wp-image-412181", data-pagespeed-lazy-src = " gp + jp + jw + pj + ws + js + rj + rp + rw + ri + cp + md.ic.LEjn-ADeSc.png "alt =" Notepad showing ” width=”650″ height=”300″ src=”/pagespeed_static/1.JiBnMqyl6S.gif” onload=”pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);” onerror=”this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);”/>

How to disable the virtual GPU or networking

As Microsoft points out, virtual GPU activation or networking increases the possibilities that a malicious software can use to get out of the sandbox. Therefore, if you are testing something that is of particular concern to you, it may be wise to disable it.

To disable the virtual GPU, enabled by default, add the following text to your configuration file.


adding the command to disable the virtual gpu

To disable network access, which is enabled by default, add the following text.


adding a command to disable the network

How to map a folder

To map a folder, you must detail exactly the folder you want to share, and then specify whether the folder should be read-only or not.

The mapping of a folder looks like this:

C: Users Public Downloads

HostFolder is where you list the specific folder you want to share. In the example above, the public download folder found on Windows systems is being shared. ReadOnly defines whether Sandbox can write to the folder or not. Set to true to make the folder read-only or false to make it writable.

Just be aware that you're essentially putting your system at risk by linking a folder between your host and the Windows sandbox. Giving Sandbox write access increases this risk. If you are testing for malware, you should not use this option.

How to run a script at launch

Finally, you can run custom scripts or created basic commands. For example, you can force the Sandbox to open a mapped folder when it is launched. To create this file would look like this:

C: Users Public Downloads

explorer.exe C: users WDAGUtilityAccount Desktop Downloads

WDAGUtilityAccount is the default user for the Windows Sandbox. So you must always refer to this when opening folders or files as part of an order.

Unfortunately, in the forthcoming release of the May 2010 Windows 10 update, the LogonCommand option does not seem to work as expected. It did not do anything at all, even when we used the Microsoft documentation example. Microsoft will probably fix this bug soon.

notepad file showing the login command

How to launch Sandbox with your settings

Once you're done, save your file and give it a .wsb extension. For example, if your text editor saves it as Sandbox.txt, save it as Sandbox.wsb. To launch the Windows sandbox with your settings, double-click the .wsb file. You can place it on your desktop or create a shortcut to it on the Start menu.

configuration files in the file explorer

For your convenience, you can download this DisabledNetwork file to save you some steps. The file has a txt extension, rename it with a .wsb file extension, and you are ready to launch Windows Sandbox.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.