windows sandbox running

Windows 10’s new Sandbox feature lets you safely test programs and files downloaded from the internet by running them in a secure container. It’s easy to use, but its settings are buried in a text-based configuration file.

Windows Sandbox Is Easy to Use If You Have It

This feature is part of Windows 10’s May 2019 Update. Once you’ve installed the update, you’ll also have to be using the Professional, Enterprise, or Education editions of Windows 10. It isn’t available on Windows 10 Home. But, if it is available on your system, you can easily activate the Sandbox feature and then launch it from the Start menu.

RELATED: How to Use Windows 10's New Sandbox (to Safely Test Apps)

Sandbox will launch, make a copy of your current Windows operating system, remove access to your personal folders, and give you a clean Windows desktop with internet access. Before Microsoft added this configuration file, you couldn’t customize Sandbox at all. If you didn’t want internet access, you normally had to disable it right after launch. If you needed access to files on your host system, you had to copy and paste them into Sandbox. And, if you wanted particular third-party programs installed, you had to install them after launching Sandbox.

Because Windows Sandbox deletes its instance entirely when close it, you had to go through that process of customization every time you launch. On the one hand, that makes for a more secure system. If something goes wrong, close the Sandbox, and everything gets deleted. On the other hand, if you need to make changes regularly, having to do this on every launch gets frustrating quickly.

To alleviate that issue, Microsoft introduced a configuration feature for Windows Sandbox. Using XML files, you can launch Windows Sandbox with set parameters. You can tighten or loosen the sandbox’s restrictions. For example, you can disable the internet connection, configure shared folders with your host copy of Windows 10, or run a script to install applications. The options are a bit limited in the first release of the Sandbox feature, but Microsoft will probably add more in future updates to Windows 10.

How to Configure Windows Sandbox

Windows Sandbox Explorer and Host system Explorer showing a shared file
Your sandboxed copy of Windows 10 can have access to a shared folder on your host operating system.

This guide assumes you have already set up Sandbox for general use. If you haven’t done yet, you’ll need to enable it first with the Windows Features dialog.

To get started, you’ll need Notepad or your favorite text editor—we like Notepad++—and a blank new file. You’ll be creating an XML file for configuration. While familiarity with the XML coding language is helpful, it’s not necessary. Once you have your file in place, you’ll save it with a .wsb extension (think Windows Sand Box.) Double-clicking the file will launch Sandbox with the specified configuration.

As explained by Microsoft, you have several options to choose from when configuring the Sandbox.  You can enable or disable the vGPU (virtualized GPU), toggle the network on or off, specify a shared host folder, set read/write permissions on that folder, or run a script on launch.

Using this configuration file, you can disable the virtualized GPU (it’s enabled by default), toggle the network off (it’s on by default), specify a shared host folder (sandboxed apps don’t have access to any by default), set read/write permissions on that folder, and/or run a script at launch

First, open Notepad or your favorite text editor and start with a new text file. Add the following text:

<Configuration> 

</Configuration>

All the options you’ll add must be between these two parameters. You can add just one option or all of them—you don’t have to include every single one. If you don’t specify an option, the default will be used.

Notepad showing <configuration> </configuration>

How to Disable the Virtual GPU or Networking

As Microsoft points out, having the virtual GPU or Networking enabled increases the avenues malicious software can use to break out of the sandbox. So if you’re testing something you’re particularly worried about, it might be wise to disable them.

To disable the virtual GPU, which is enabled by default, add the following text to your configuration file.

<VGpu>Disable</VGpu>

adding command to disable virtual gpu

To disable network access, which is enabled by default, add the following text.

<Networking>Disable</Networking>

adding command to disable networking

How to Map a Folder

To map a folder you’ll need to detail out exactly what folder you want to share, and then specify whether the folder should be read-only or not.

Mapping a folder looks like this:

<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Public\Downloads</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>

HostFolder is where you list the specific folder you’d like to share. In the above example, the Public Download folder found on Windows systems is being shared. ReadOnly sets whether Sandbox can write to the folder or not. Set it to true to make the folder read-only or false to make it writable.

Just be aware, you’re essentially introducing risk to your system by linking a folder between your host and Windows Sandbox. Giving Sandbox write access increases that risk. If you’re testing anything you think may be malicious, you shouldn’t use this option.

How to Run a Script at Launch

Finally, you can run custom created scripts or basic commands. You could, for instance, force the Sandbox to open a mapped folder upon launch. Creating that file would look like this:

<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Public\Downloads</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>

WDAGUtilityAccount is the default user for Windows Sandbox, so you’ll always reference that when opening folders or files as part of a command.

Unfortunately, in the near-release build of Windows 10’s May 2019 Update, the LogonCommand option does not appear to be working as intended. It didn’t do anything at all, even when we used the example in Microsoft’s documentation. Microsoft will likely fix this bug soon.

notepad file showing logon command

How to Launch Sandbox With Your Settings

After you’re done, save your file and give it a .wsb file extension. For example, if your text editor saves it as Sandbox.txt, save it as Sandbox.wsb. To launch the Windows Sandbox with your settings, double-click the .wsb file. You can place it on your desktop or create a shortcut to it in the Start menu.

configuration files in file explorer

For your convenience, you can download this DisabledNetwork file to save you a few steps. The file has a txt extension, rename it with a .wsb file extension, and you’re ready to launch Windows Sandbox.

Josh Hendrickson Josh Hendrickson
Josh Hendrickson has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smarthome enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code.
Read Full Bio »