The Windows Sandbox Guide


ubuysa

The BSOD Doctor
I'm posting this a topic at a time to try and pacify the forum software. The Mods may want to move this to the Knowledge Base perhaps?

What Is The Sandbox?

The Windows sandbox is a temporary virtual machine, created automatically, with a single virtual disk (the C: drive of course) and a vanilla installation of Windows. It is completely separate from your 'real' Windows system and it does not contain any apps or customisations that you have on your 'real' Windows system.

This virtual machine is created, and populated, automatically when you start the sandbox. You can immediately use the Windows system in the sandbox just as you would your 'real' Windows system – you don't have to install Windows into the sandbox, it's already there. All the basic apps you get with a new Windows install are included; the Edge browser, File Explorer, Notepad, Calculator, etc. etc. Using the Windows system inside the sandbox is thus exactly the same as using your 'real' Windows system.

When you close the sandbox, which you do just like any other app by clicking the red X in the top right corner, the virtual drive is deleted. This removes the entire sandbox Windows system and everything that you may have installed in there, as well as any configuration changes you may have made. When you start the sandbox again it's a completely fresh vanilla install of Windows, just as before.

You cannot save anything from the sandbox, although you can copy and paste files and folders from the sandbox to your 'real' system, and vice-versa. Whether it's wise to do this is something we'll talk about later.
 

ubuysa

The BSOD Doctor
What Is The Sandbox Used For?

Because the sandbox is a complete vanilla Windows system that is completely isolated from your 'real' Windows system, it's ideal for installing software for evaluation and/or testing, safe in the knowledge that the installed software cannot affect anything in your 'real' system.

This makes the sandbox ideal for testing apps that you're not sure do what you need, or apps that you're concerned may include malware. Any malware that does get installed can infect only the sandbox, it cannot get out onto your 'real' machine. In most cases the malware has no way of knowing that it's running in a sandbox, so it doesn't behave any differently.

I use the sandbox to test out any app that's come from a source that I don't fully trust. It's also useful for testing out the install process of apps. We all know that many of them try to sneak additional apps in with the install, you have to be careful to uncheck anything you don't want installed – sometimes several times. With the sandbox you can easily look around afterwards to see whether any unexpected software was installed 'under the covers'.

Once you have the app installed it will work exactly the same way it would on your 'real' machine, so you can try out all the features and facilities and verify that it does what you want and expect, and more importantly, verify that it doesn't do anything unexpected.

When you're happy you can close the sandbox and install the app on your 'real' machine, safe in the knowledge that it does what you want and nothing more. If you decide that you don't want the app you simply close the sandbox. No complex uninstall is required, the virtual drive containing the sandbox Windows system and anything you installed is simply deleted. That means that any malware that was installed is also completely gone.
 

ubuysa

The BSOD Doctor
How To Enable The Sandbox

The disappointing news for many is that the Sandbox is not available in the Home versions of Windows. For me the sandbox alone is a good enough reason to pay for the Pro version of Windows. It's available in both Windows 10 and Windows 11.

The sandbox is not enabled by default (at least not in my Pro version) so you have to enable/install it manually....

1. In the Run command box (or at a command prompt or PowerShell prompt) enter the command appwiz.cpl.
2. The Programs & Features window will open. Click the 'Turn Windows features on or off' text link in the left-hand pane.
3. Scroll down the list of features until you find Windows Sandbox and select the checkbox next to it. Then click the OK button.
4. The Windows Sandbox features will be downloaded and installed. You will need to reboot when asked.

And that's it, the Windows Sandbox is now available for use.

Note that the sandbox depends on Hyper-V. That was already enabled on my Pro system, but if it's not, you enable it in the same way you enable the sandbox: via appwiz.cpl and the 'Turn Windows features on or off' dialog. Hyper-V of course depends on the hardware virtualisation features in your UEFI BIOS being enabled, so you might need to check that as well (typically they are enabled by default).
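The same enablement steps from an elevated PowerShell prompt, as an added example that is not part of the original post. It checks the two prerequisites the post mentions (a non-Home edition and hardware virtualisation) and then turns on the optional feature that the appwiz.cpl checkbox enables; `Containers-DisposableClientVM` is the feature's real name, and the `Get-ComputerInfo` properties used are standard ones. A reboot is still needed afterwards, exactly as in the manual procedure.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.

function Test-SandboxPrerequisites {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $info = Get-ComputerInfo
    # Virtualisation must be enabled in firmware, or a hypervisor must already be
    # running. Once Hyper-V is active the firmware flag is no longer reported the
    # same way, so accept either condition.
    $virtOk = $info.HyperVisorPresent -or $info.HyperVRequirementVirtualizationFirmwareEnabled
    $isHome = ($os.Caption -match 'Home')
    [pscustomobject]@{
        Edition        = $os.Caption
        HomeEdition    = $isHome
        Virtualisation = [bool]$virtOk
        Ready          = (-not $isHome) -and [bool]$virtOk
    }
}

function Enable-WindowsSandboxFeature {
    # Same optional feature that 'Turn Windows features on or off' lists as Windows Sandbox.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
    if ($feature -and $feature.State -eq 'Enabled') {
        Write-Host 'Windows Sandbox is already enabled.'
        return
    }
    # -All pulls in the features it depends on; -NoRestart leaves the reboot to you.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
}

$check = Test-SandboxPrerequisites
$check | Format-List
if ($check.Ready) {
    Enable-WindowsSandboxFeature
    Write-Host 'Reboot to finish installing Windows Sandbox.'
} else {
    Write-Warning 'Prerequisites not met: check the Windows edition and the UEFI virtualisation setting.'
}
```

If `Get-WindowsOptionalFeature` returns nothing for that feature name, you are on an edition that does not ship it, which is the Home-edition case the post describes.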
 

ubuysa

The BSOD Doctor
How To Use The Sandbox

The Windows Sandbox can be started in several ways...

- It's a normal app listed under W in the full app list.
- You can type Sandbox in the search box on the taskbar.
- In Windows 11 you can type Sandbox on the popup main menu to find it.
- You can also pin the sandbox app to either (or both) the start menu and the taskbar.

When the sandbox opens you'll see a windowed version of the default Windows desktop, complete with default desktop background, File Explorer and Edge pinned to the taskbar, and a normal Windows Start icon.

If this is your first time with the sandbox I suggest you list all the apps so you can see how this is a very limited Windows system with only the essential standard apps. This is just a sandbox for testing new installs remember, it is not, and never can be, a fully-fledged virtual machine.

One thing you'll discover fairly soon is that, whilst you can modify the firewall settings in the sandbox (which is a pointless exercise really), there is no access to other components of Windows Security. The sandbox runs behind the firewall of your 'real' system and so is already protected from the Internet, but you cannot right-click on a file and have it scanned by Defender. According to Microsoft, Defender does run in the sandbox and provides all the usual security.

The two key apps you will most usually be using are the Edge browser – to locate and download the installation file of whatever app you want to evaluate – and the File Explorer - to locate the downloaded file in the Downloads folder. Note that this is not your 'real' downloads folder, it's the downloads folder in the virtual drive that the sandbox is using. Keep in mind that the sandbox is completely separate from your 'real' system.

Once you have the installer downloaded you double-click it just as you would on your 'real' system. The app will install into the sandbox system exactly as it would on your 'real' system and it will work exactly as it would on your 'real' system.

You will now have installed an app for evaluation in an isolated sandbox. Now you should test out the app and satisfy yourself that it does what you need and that it doesn't do anything you don't want, or don't like.

Because the Defender virus scan feature is not available in the sandbox you might want to download and install an anti-virus tool into the sandbox and verify that the app you're evaluating didn't introduce any malware. This is probably overkill but it's good to know that you can do it.
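A way to do the 'look around afterwards' that the earlier post recommends, as an added example that is not part of the original posts. Run inside the sandbox before and after the installer: it snapshots the Uninstall registry entries and the per-user and machine Run autostart keys, then diffs the two snapshots so bundled extras and new autostarts show up as a list rather than something you have to hunt for. The registry paths are the standard ones; the function names are this example's own.

```powershell
# Added example (not from the original post). Run inside the sandbox.

function Get-InstalledSoftware {
    # Both native and 32-bit-on-64-bit uninstall hives, plus the per-user hive.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Get-AutostartEntries {
    # Programs registered to start at logon; bundled extras often add themselves here.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

function Compare-InstallSnapshot {
    # Returns only the items present after the install but not before.
    param($Before, $After, [string[]]$Property)
    $Before = @($Before); $After = @($After)
    if ($Before.Count -eq 0) { return $After }
    if ($After.Count -eq 0)  { return @() }
    Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property $Property |
        Where-Object { $_.SideIndicator -eq '=>' }
}

$softwareBefore  = Get-InstalledSoftware
$autostartBefore = Get-AutostartEntries

Write-Host 'Snapshot taken. Run the installer now, then press Enter to compare.'
Read-Host | Out-Null

$softwareAfter  = Get-InstalledSoftware
$autostartAfter = Get-AutostartEntries

Write-Host 'New uninstall entries:'
Compare-InstallSnapshot $softwareBefore $softwareAfter -Property DisplayName, Publisher |
    Format-Table DisplayName, Publisher -AutoSize
Write-Host 'New autostart entries:'
Compare-InstallSnapshot $autostartBefore $autostartAfter -Property Name, Command |
    Format-Table Name, Command -AutoSize
```

Anything listed that you did not knowingly agree to during the install is the bloatware the post warns about, and because it all lives on the sandbox's virtual drive it disappears when you close the sandbox.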
 

ubuysa

The BSOD Doctor
Copying Data To And From The Sandbox

Because the sandbox is an isolated system there is no direct connection between it and your 'real' system. You cannot copy from the Documents folder in the sandbox to the Documents folder on your 'real' machine for example. At least, you can't do that directly.

Copy and paste works as normal between the sandbox and the 'real' machine, however; they apparently share the clipboard. That means you can copy a file from the sandbox to your 'real' system, and vice-versa. You can even copy entire folder structures from one system to the other.

This ability might be useful in some circumstances, which is why it exists of course, but in general it would be very unwise to copy anything from the sandbox to your 'real' machine. The main reason is that the sandbox protects you against any malware introduced by the app under evaluation. As soon as you start copying files and folders from the sandbox you lose that protection – because the malware could be in the file or folder that you copied.

If you do find yourself wanting to copy from the sandbox to your 'real' machine I would go and have a coffee first and think about whether this is wise.
 

ubuysa

The BSOD Doctor
When You're Finished With The Sandbox

Another huge advantage of the sandbox is that you don't need to uninstall anything when you're done testing. All you need to do is to close the sandbox by clicking on the familiar red X in the top right corner.

When the sandbox closes, the virtual drive on which the sandbox resides is deleted. That completely removes all trace of the sandbox, the Windows system it contained, and anything you may have installed.

It is possible to shut the Windows system in the sandbox down, the option is there, but after the Windows system in the sandbox closes (and a real PC would be powered off) the virtual drive that supports the sandbox is deleted – just as if you'd simply clicked the red X. There is thus no point at all shutting the sandbox down.

However, a reboot is different. If the installed app installs a kernel-mode driver, or anything that must be loaded at boot time, then a reboot will be needed to fully install the app. When you reboot the sandbox it doesn't delete the virtual drive hosting it, it's just a normal reboot. This is true even if you have made no changes to the sandbox, a reboot always reboots the sandbox as it was, with all the extra software and changes that you have made.

This 'normal' reboot of the sandbox means that you can also test an app's uninstaller and reboot afterwards. That's something you might want to test as well if you ever think you might need to uninstall the app from your 'real' system.
 

ubuysa

The BSOD Doctor
Summary

If you have the Pro/Enterprise/Education version of Windows then you really should consider enabling and using the sandbox. The advantages of this are...

- Any app can be installed, tested and evaluated in safety
- Any malware introduced is isolated and can easily be detected
- Rogue apps cannot harm or modify your 'real' system
- Bloatware installed alongside the app can be easily detected
- No need to uninstall after testing, just close the sandbox
- It's quick and simple to use and it adds an extra layer of protection and safety

There really are no disadvantages to the sandbox at all. What are you waiting for?
 

ubuysa

The BSOD Doctor
A Related Feature (that you might want)

As we have seen, the sandbox provides a separate Windows environment that is isolated from your 'real' machine and, because of this, nothing can escape from the sandbox onto your real machine*. The same is true the other way round; nothing from your real machine can get into the sandbox either (except for manual copy/paste as we've mentioned). The sandbox isolates both ways.

Microsoft have taken advantage of this and you can now run Windows Defender inside its own sandbox. Microsoft haven't said how Defender operates in a sandbox but the advantage of this is that malware running on the 'real' machine cannot disable or interfere with Defender because it's in a sandbox.

Defender does not run in a sandbox by default, although Microsoft have said that it will do so in a future release of Windows. To make Defender run in a sandbox now you must open an elevated command prompt and enter the following command...

setx /M MP_FORCE_USE_SANDBOX 1

You then have to reboot.

Should you later decide that you want to turn this feature off and stop Defender running in a sandbox enter the following command and reboot...

setx /M MP_FORCE_USE_SANDBOX 0

I do have Defender running in a sandbox and so far, so good....

*Whilst it's impossible to say that nothing can ever get out of the sandbox no matter what, Windows provides multiple layers of protection to ensure that the sandbox is fully isolated. There are certainly no reports to the contrary, and it's been around for some time now.
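The same switch from PowerShell, plus a way to confirm it took effect after the reboot, as an added example that is not part of the original post. Setting the machine-scope variable here is equivalent to the `setx /M` command above. The check relies on Microsoft's documented behaviour that, when Defender's sandbox is active, a separate content process named `MsMpEngCP.exe` runs alongside the main engine process `MsMpEng.exe`; the function names are this example's own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.

function Set-DefenderSandbox {
    # '1' enables, '0' disables; takes effect after a reboot, as the post says.
    param([Parameter(Mandatory)][ValidateSet('1', '0')][string]$Value)
    # Same effect as: setx /M MP_FORCE_USE_SANDBOX <Value>
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', $Value, 'Machine')
}

function Get-DefenderSandboxState {
    $configured = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    # Main antimalware engine process, always present when Defender is running.
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    # Sandboxed content process; only present once the sandbox is actually in use.
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ConfiguredValue       = $configured
        EngineRunning         = [bool]$engine
        SandboxProcessRunning = [bool]$content
        # True only when it is both requested and visibly in effect.
        Effective             = ($configured -eq '1') -and [bool]$content
    }
}

Set-DefenderSandbox -Value '1'
Write-Host 'Reboot, then run Get-DefenderSandboxState to confirm.'
Get-DefenderSandboxState | Format-List
```

Immediately after setting the variable you should expect `ConfiguredValue` to read 1 but `SandboxProcessRunning` to be false; only after the reboot should both be true. To go back, call `Set-DefenderSandbox -Value '0'` and reboot again.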
 

ubuysa

The BSOD Doctor
Windows Store Apps

At the moment the sandbox does not contain the Windows Store and so it's not possible to test install Windows Store apps in the sandbox. If you do a web search you'll find several different hacks that will install the Windows Store into the sandbox so that you can test install Windows Store apps.

I'm not providing any of those links and I'm not recommending any of the techniques either, for the reasons below...

- You will of course need to install the Windows Store every time you start the sandbox, which partly defeats the ease of use of the sandbox.
- These hacks are unsupported by Microsoft and I don't believe it's wise to be running unsupported hacks in a testing environment.
- There will be valid reasons why the Windows Store is not (yet) included in the sandbox, these are probably undocumented.
- Installing a Windows Store app is a simple 'one-click' process. Uninstall is similarly simple with far less chance of orphaned files.
- Like all app stores, apps need to pass a number of checks to be included in the Windows Store, so there is far less chance of them containing malware.
 