With Windows 10's new Sandbox feature, you can safely test programs and files downloaded from the Internet by running them in a secure container. It is easy to use, but its settings are buried in a text-based configuration file.
Windows Sandbox is easy to use if you have it
This feature is part of the Windows 10 May 2019 update. After you install the update, you also need to use the Professional, Enterprise, or Education editions of Windows 10. It is not available on Windows 10 Home. But if it is available on your system, you can easily activate the Sandbox function and then start it from the Start menu.
RELATED: How to use Windows 10's new sandbox (to safely test programs)
Sandbox will launch, make a copy of your current Windows operating system, remove access to your personal folders and give you a clean Windows desktop with internet connection. Before Microsoft added this configuration file, you could not customize the Sandbox at all. If you do not want access to the internet, you normally have to disable it immediately after the start. If you needed access to files on your host system, you had to copy and paste them into the Sandbox. And if you want to install some third-party applications, you need to install them after starting the Sandbox.
Because Windows Sandbox deletes its instance completely when it is closed, you have to go through the customization process every time you start. On the one hand, it provides a safer system. If something goes wrong, close the sandbox and everything will be deleted. On the other hand, if you need to make changes regularly, you need to do so on each launch quickly.
To alleviate that problem, Microsoft introduced a Windows Sandbox configuration feature. With the help of XML files, you can start Windows Sandbox with set parameters. You can tighten or loosen the sandbox's limitations. For example, you can disable the Internet connection, configure shared folders with your host copy of Windows 10, or run a script to install programs. The options are a bit limited in the first version of the Sandbox feature, but Microsoft will probably add more to future updates to Windows 10.
How to configure Windows Sandbox
This guide assumes that you have already set up Sandbox for general use. If you haven't done so yet, you must first activate it with the Windows Features dialog box.
To get started, you need Notepad or your favorite text editor – we like Notepad ++ – and an empty new file. You create an XML file for configuration. While acquaintance with the XML encoding language is useful, it is not necessary. Once you've got your file in place, it is saved with a .wsb extension (think of the Windows Sand Box.) Double-click on the file, the Sandbox starts with the specified configuration.
As explained by Microsoft, you have several options to choose from when configuring the sandbox. You can enable or disable vGPU (virtualized GPU), switch the network on or off, set a common host folder, set read / write permissions in that folder, or run a script at startup.
This configuration file can disable the virtual GPU (it is enabled by default), turn off the network (it is default), enter a shared host folder (sandboxed apps do not access anyone by default), set read – / write permissions in that folder, and / or run a script at launch
First, open notebooks or your favorite text editor and start with a new text file. Add the following text:
All options you add must be between these two parameters. You can only add one or all of them – you don't need to include each individual. If you do not specify an option, the default value will be used.
<img class = "alignnone wp-image-412181 size-covering" data-pagespeed-lazy-src = "https: //www.howtogeek.com / wp-content / uploads / 2019/04 / xConfiguration-brackets.png .pagespeed.gp + jp + jw + pj + ws + js + rj + rp + rw + ri + cp + md.ic.LEjn-ADeSc. png "alt =" Notepad showing
How to disable the virtual GPU or network
As Microsoft points out, with the virtual GPU or Networking enabled, the pathways that malicious software can use to break out of the sandbox are increasing, so if you're testing something you're particularly worried about
To disable the virtual GPU enabled by default, add the following text to your configuration
19659010] How to map a folder
For To map a folder, you must specify exactly which folder you want to share and specify whether or not the folder should be read-only.
Folder a Folder Looks Like:
C: Users Public Downloads true
HostFolderis where you list the specific folder you want to share. In the above example, the Public Download folder is shared on Windows systems.
ReadOnlyindicates whether the Sandbox can write to the folder or not. Set it to
trueto make the folder read-only or
falseto make it writable.
Just be aware that you are essentially at risk for your system by linking a folder between your host and the Windows Sandbox. Giving Sandbox write access increases the risk. If you are testing something you think might be harmful, you should not use this option.
How to run a script at startup
Finally, you can run custom scripts or basic commands. For example, you can force the Sandbox to open a mapped folder at the launch. Creating that file looks like this:
C: Users Public Downloads true explorer.exe C: users WDAGUtilityAccount Desktop Downloads
WDAGUtilityAccount is the default user for the Windows Sandbox, so you will always refer to that when opening folders or files as part of a command.
Unfortunately, the option
does not see LogonCommandin the almost released building of Windows 10's May 2019 update to work as intended. It did nothing at all, even when we used the example in Microsoft's documentation. Microsoft is likely to fix this error soon.
How to start the Sandbox with your settings
When done, save the file and give it a .wsb file extension. For example, if your text editor saves it as Sandbox.txt, save it as Sandbox.wsb. To start the Windows Sandbox with your settings, double-click the .wsb file. You can place it on the desktop or create a shortcut to it on the Start menu.
For your convenience, download this DisabledNetwork file to save you a few steps. The file has a txt extension, renames it with a .wsb extension, and you are ready to start the Windows Sandbox.