What is a Sandbox?
A sandbox in Windows is an isolated and secure environment that allows you to run potentially dangerous or unsafe software or files without compromising the main operating system. This allows users to test programs or open files without the risk of malware infections or other security issues.
The sandbox separates the executed processes from the main system to ensure the integrity and security of the operating system. When a sandbox session is closed, all processes and files running in the isolation environment are completely deleted or disabled. Thus, after completion, no traces or effects remain on the main system.
How is the Sandbox activated?
- Make sure "SVM mode" is enabled in your computer's BIOS
- Open the classic Control Panel by pressing "Windows + R" and entering "control.exe"
- Alternatively, you can enter and open "control.exe" from the Start menu
- Click on Programs, then "Turn Windows features on or off", and scroll almost to the bottom
- Select "Windows Sandbox", confirm and reboot your device
Which sandbox settings are possible?
In order to use the sandbox function, it is best if you create your own templates that meet your needs.
Just create a file on the desktop and name it "Sandbox.wsb." Of course, another name also works.
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\own username\Downloads</HostFolder>
      <ReadOnly>True</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>command to run</Command>
  </LogonCommand>
  <AudioInput>Enable</AudioInput>
  <VideoInput>Default</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MemoryInMB>value</MemoryInMB>
</Configuration>
Explanation of parameters
- VGpu: "Enable" activates the virtual graphics unit (virtual GPU) | "Disable" to deactivate
- Networking: "Enable" activates the network | "Disable" to deactivate
- MappedFolders: In the template above, the "Downloads" directory is loaded into the sandbox and set to read-only for the session
- HostFolder: A directory specified by the user which is loaded into the sandbox
- ReadOnly: Determines whether the host folder can only be read (True) or also written to (False) from within the sandbox
- AudioInput: Activates or deactivates audio input in the sandbox
- VideoInput: Activates or deactivates video input
- ProtectedClient: Increased protection function and lower attack surface
- PrinterRedirection: Allows or prohibits sharing printers in the sandbox
- LogonCommand: A path to an executable file or script within the container that runs after logon.
- ClipboardRedirection: Prevents or allows the use of the clipboard. Copying/pasting can thus be restricted.
- MemoryInMB: Assigns a certain amount of RAM (in megabytes) to the sandbox.
Adjust the parameters to your own needs.
Here is a simple sandbox example with networking enabled and a preconfigured folder that is mapped in from the main system.
<Configuration>
  <ProtectedClient>Enable</ProtectedClient>
  <VGpu>Disable</VGpu>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Sandbox\Dokumente</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Dokumente</SandboxFolder>
    </MappedFolder>
  </MappedFolders>
</Configuration>
Save the contents in the sample file "Sandbox.wsb", close it, and start the file.
Remarks
It is recommended to leave VGpu disabled, because an enabled virtual GPU makes it easier for malicious software to break out of the sandbox. The value should be Disable. Disabling it also ends support for Direct3D and replaces it with the Windows Advanced Rasterization Platform (WARP).
For more information about the sandbox and its parameters, see the article "Windows Sandbox configuration" from Microsoft Corporation.
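A template can be checked against the settings discussed above before it is started. The following audit is an added example, not code from this page or from Microsoft: the baseline (everything disabled, ProtectedClient enabled, mapped folders read-only) is this example's assumption, and the spellings Enable, Disable and Default are the ones listed in Microsoft's configuration article.

```python
import xml.etree.ElementTree as ET

# Spellings listed in Microsoft's configuration article for the toggle elements.
DOCUMENTED = {"Enable", "Disable", "Default"}
# Assumed baseline for opening untrusted files (this example's choice).
BASELINE = {"VGpu": "Disable", "Networking": "Disable", "AudioInput": "Disable",
            "VideoInput": "Disable", "PrinterRedirection": "Disable",
            "ClipboardRedirection": "Disable", "ProtectedClient": "Enable"}

def audit_wsb(text):
    """Return a list of findings for the .wsb document in `text`."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:  # e.g. a closing tag where an opening one belongs
        return [f"malformed XML: {exc}"]
    # Element names are matched case-insensitively (VGpu and vGPU both occur).
    settings = {child.tag.lower(): (child.text or "").strip() for child in root}
    findings = []
    for name, wanted in BASELINE.items():
        value = settings.get(name.lower())
        if value is None or value == "Default":
            findings.append(f"{name}: left at the Windows default")
        elif value not in DOCUMENTED:
            findings.append(f"{name}: {value!r} is not a documented value")
        elif value != wanted:
            findings.append(f"{name}: {value}, baseline is {wanted}")
    for folder in root.iter("MappedFolder"):
        host = (folder.findtext("HostFolder") or "").strip()
        # A missing <ReadOnly> element means the folder is mapped writable.
        if (folder.findtext("ReadOnly") or "false").strip().lower() != "true":
            findings.append(f"mapped folder {host} is writable from the sandbox")
    return findings

# Constructed sample: misspelled VGpu value, default networking, no <ReadOnly>.
SAMPLE = r"""<Configuration>
  <VGpu>Disabled</VGpu>
  <Networking>Default</Networking>
  <ProtectedClient>Enable</ProtectedClient>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <MappedFolders><MappedFolder>
    <HostFolder>C:\Sandbox\Dokumente</HostFolder>
  </MappedFolder></MappedFolders>
</Configuration>"""

if __name__ == "__main__":
    print("\n".join(audit_wsb(SAMPLE)))
```

An empty result means the file matches the assumed baseline; loosen individual entries in BASELINE when a session really needs networking or a writable folder.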
Alternate download of the example sandbox

Date: 2023-09-06
CRC32 Hash: 41a72026
SHA-256 Hash: cadd32e57b2d6354b35ac9a75b9a130eb87de05081620688fc25bd93c9f4152d