/  Blog /
EnglishActivate Windows sandbox

Activate Windows sandbox

Eingetragen: 05.09.2019 Editiert: 06.09.2023

Microsoft Windows
Since version 18305 of Windows 10, there is the possibility to use an in-house sandbox solution from Microsoft. Unfortunately, this is only available for owners of the Windows PRO version and up.

What is a Sandbox??

A sandbox in Windows is an isolated and secure environment that allows you to run potentially dangerous or unsafe software or files without compromising the main operating system. This allows users to test programs or open files without the risk of malware infections or other security issues.

The sandbox separates the executed processes from the main system to ensure the integrity and security of the operating system. When a Sandbox is finished, all processes and files running in the isolation environment are completely deleted or disabled. Thus, after completion, no traces or effects remain on the main system.

How is the Sandbox activated?

  1. Make sure "SVM mode" is enabled in your computer bios

  2. Enable Sandbox Virtualization

  3. Open the classic control panel using the "Windows + R key," then enter "control.exe"
  4. Alternatively, you can enter and open "control.exe" from the Start menu
  5. Click on Programs, activate or deactivate Windows features and scroll to almost the bottom
  6. Select "Windows Sandbox," confirm and reboot your device

Which sandbox settings are possible?

In order to use the sandbox function, it is best if you create your own templates that meet your needs.
Just create a file on the desktop and name it "Sandbox.wsb." Of course, another name also works.

<HostFolder>C:\Users\own username\Downloads</HostFolder>
</Command>aufzurufender Befehl</Command>

Explanation of parameters

  1. VGPU: Enabled (Virtual Graphics Unit) | "disable" to deactivate
  2. Network: enabled (network) | "disable" to deactivate
  3. Mapped Folders: The directory "Downloads" with loaded into the sandbox and set to Readonly during the session
  4. Host Folder: A directory specified by the user which is loaded into the sandbox
  5. ReadOnly: Host folder can only read or write within the sandbox
  6. Audio Input: de/activates the audio output in the sandbox
  7. VideoInput: De/Enables video input
  8. ProtectedClient: Increased protection function and lower attack surface
  9. PrinterRedirection: Allows or prohibits sharing printers in the sandbox
  10. LogonCommand: A path to an executable file or script within the container that runs after logon.
  11. ClipboardRedirection: Prevents or allows the use of the clipboard. Copying/pasting can thus be restricted.
  12. MemoryInMB: Assign a certain amount of RAM to the sandbox.

Adjust the parameters for yourself.

Here is a simple sandbox example with activated network drivers and a preconfigured folder that is read in by the main system.


Save the contents in the sample file "Sandbox.wsb", close and start the file.

Aktive Sandbox


With the value VGpu, it is recommended to leave it disabled as it makes it easier for malicious software to break out of the sandbox. The value should be Disabled. This also ends support for Direct3D and replaces it with the Advanced Rasterization Platform (WARP).

For more information about the sandbox and its parameters, please visit the pages of the article Windows Sandbox configuration   from Microsoft Corporation.

Alternate download of the example sandbox

Sandbox.wsb (324 B)
Date: 2023-09-06
CRC32 Hash: 41a72026
SHA-256 Hash: cadd32e57b2d6354b35ac9a75b9a130eb87de05081620688fc25bd93c9f4152d



  Rules for posting comments can be found in the F.A.Q.