Quick Links

Whether it's a program you found on the Internet or something that came in your email, running executable files has always been risky. Testing software in clean systems requires virtual machine (VM) software and a separate Windows license to run inside the VM. Microsoft is about to solve that problem with Windows Sandbox.

VMs: Great for Safe Testing, But Hard to Use

We've all received an email that appears to be from a friend or a family member and has an attachment. Maybe we were even expecting it, but somehow it looks not quite right. Or perhaps you've found a great looking app on the Internet, but it's from a developer you've never heard of.

What do you do? Download and run it and just take the risk? With things like ransomware running rampant, it's almost impossible to be too cautious.

In software development, sometimes the thing a developer needs the most is a clean system---a quick and easy to pull up OS that has no other installed programs, files, scripts, or other baggage. Anything extra could skew testing results.

The best solution to both situations is to spin up a Virtual Machine. This gives you a clean, isolated OS. If that attachment turns out to be malware, then the only thing it affects is the virtual machine. Restore it to an earlier snapshot, and you're good to go. If you're a developer, you can do your testing as if you'd just set up a brand new machine.

Related: Beginner Geek: How to Create and Use Virtual Machines

There are some problems with VM software, though.

First, it can be expensive. Even if you use a free alternative like VirtualBox, you still need a valid Windows license to run on the virtualized OS. And sure, you can get away with not activating Windows 10, but that limits what you can test.

Second, running a VM at decent performance levels requires reasonably powerful hardware and lots of storage space. If you make use of snapshots, you can quickly fill up a smaller SSD. If you use a large HDD, then performance can be slow. You probably don't want to use these power hungry resources on a laptop.

And finally, VMs are complicated. Not exactly something you want to set up just to test out a questionable executable file.

Fortunately, Microsoft has announced a new solution that solves all of these problems at once.

Windows Sandbox

In a post on Microsoft's Tech Community blog, Hari Pulapaka details the new Windows Sandbox. Previously referred to as InPrivate Desktop, this feature creates an "isolated, temporary, desktop environment" that you can run software on without fear of harming your machine.

Much like a standard VM, any software you install in the Sandbox stays isolated and cannot affect the host machine. When you close the Sandbox, any programs you installed, files you added, and settings changes you made are deleted. The next time you run Sandbox, it's back to a clean slate. Microsoft is using hardware-based virtualization, through hypervisor, to run a separate kernel so it can isolate Sandbox from the host.

This means you can safely download an executable file from a risky source and install in Sandbox without risk to your host system. Or you could quickly test out a development scenario in a fresh copy of Windows.

Impressively, the requirements are fairly low:

  • Windows 10 Pro or Enterprise build 18301 or later (currently not available, but should soon be released as an Insider Preview build)
  • x64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

One of the better parts of Sandbox is that you won't need to download or create a virtual hard disk (VHD). Instead, Windows dynamically generates a clean snapshot OS based on the Host OS on your machine. In the process, it links to files that don't change on the system and refers to common files that do change.

This makes for an incredibly light image---just 100 MB. If you don't use the Sandbox, the image gets compressed to a tiny 25 MB. And because it's essentially a copy of your OS, you don't need a separate license key. If you have Windows 10 Pro or Windows 10 Enterprise, you have everything you need to run Sandbox.

For safety and security, Microsoft makes use of the container concept it has introduced previously. The Sandbox OS is isolated from the host, allowing what is ostensibly a VM to run like an app.

Despite those degrees of separation, the host machine and Sandbox do work together. As needed, the host will reclaim memory from the Sandbox to keep your machine from slowing down. And the Sandbox is aware of your host machine's battery levels so that it can optimize power consumption. It's feasible to run the Sandbox on a laptop on the go.

All of this, and other enhancements, make for an extremely safe, fast, and inexpensive virtual system. It provides a fast and safe VM-like solution with far less overhead than a traditional solution. You can quickly call up, test, and destroy snapshots---then repeat as necessary. Like all things intensive, better hardware will make this run even more smoothly. But as shown above, even less powerful hardware should be able to run the Sandbox.

The one downside is that not all machines come with Windows 10 Pro or Enterprise. If you're using Windows 10 Home, you won't be able to use Sandbox.

How Do I Get it?

Update: Microsoft just released Windows 10 build 18305 to Insiders on the Fast Ring, which means if you're willing to live on the edge, you can update to the latest preview build now by joining the Insiders program and updating. We definitely don't recommend doing this on your primary PC though.

Unfortunately you can't get Windows Sandbox quite yet. It requires Windows 10 build 18301 or higher, which Microsoft hasn't released yet. But once that version is available it's a straightforward affair. You'll want to make sure that your BIOS has virtualization capabilities enabled. Then you'll just need to turn Windows Sandbox on in the Windows Features dialog:

Once the Windows Sandbox is installed, launching is nearly the same as any other app or program. Just find it in the Start menu, run it, and accept the UAC prompt giving it administrative privileges. You'll then be able to drag and drop files and programs into the Sandbox to test as you need. Just close the program when you're done, and Sandbox discards all the changes you've made.

Related: What Windows 10's "Optional Features" Do, and How to Turn Them On or Off

via Mary Jo Foley