
Windows Sandbox Guide: Build a Secure Isolated Environment

Learn to enable and configure Windows Sandbox to isolate threats and test apps, creating a secure and efficient isolated workspace.

Introduction

In Windows, the built-in Sandbox feature uses virtualization technology to securely isolate potential threats while ensuring applications run in a restricted environment without impacting the host system. It’s perfect for testing unknown applications or for experimental development.

Key advantages of Windows Sandbox:

  • Lightweight isolation: A secure desktop environment that doesn’t affect the host system.
  • Complete reset on reboot: Each session provides a new, isolated environment.
  • No extra downloads: Pre-installed with Windows—no need for additional software.
  • Hardware-based security: Enhanced protection using hardware virtualization.
  • Optimized performance: Intelligent resource allocation for smooth operation.

However, by default, Sandbox only offers basic functionality, and newer Windows 11 versions may lack even simple apps like Notepad. This guide explains how to configure Sandbox to support essential tools (e.g., VS Code or portable apps) for a functional and efficient testing environment.

Enabling Virtualization in BIOS

To use the Windows Sandbox feature, you must first ensure that virtualization is enabled in the BIOS or UEFI settings.

Identifying the Motherboard Model

  1. Identify your motherboard model by opening the Command Prompt and entering the following command to retrieve the motherboard information:

powershell "Get-CimInstance -ClassName Win32_BaseBoard | Select-Object Manufacturer, Product, Version, SerialNumber"

  2. After executing the command, detailed information about the motherboard will be displayed. For example:

Manufacturer          Product                      Version  SerialNumber
------------          -------                      -------  ------------
ASUSTeK COMPUTER INC. TUF GAMING B760-PLUS WIFI D4 Rev 1.xx 230418721200683

How to Enable Virtualization

Based on your motherboard model, you can quickly find relevant tutorials for enabling virtualization using the following methods:

  1. Search by Model Keywords
    Use the motherboard model as a keyword, such as TUF GAMING B760-PLUS WIFI D4 virtualization, to locate specific guides.

  2. Refer to Official Resources or Video Tutorials
    Visit the official website of your motherboard brand or search for related YouTube tutorials to find step-by-step instructions.

  3. Search by Brand Name
    If you know the brand of your motherboard, search for terms like ASUS virtualization or Lenovo virtualization to find brand-specific guidance.

Here are some common virtualization guides provided by the major motherboard manufacturers:

Verifying Virtualization is Enabled

After completing the configuration, restart into Windows. Open Task Manager (shortcut: Ctrl + Shift + Esc), navigate to the Performance tab, and check if Virtualization is displayed as “Enabled.”

Check Virtualization Status in Task Manager

Installing Windows Sandbox

By default, only Professional, Enterprise, or Education editions of Windows support Windows Sandbox. If you use the Home edition, refer to Enable Windows Sandbox Feature in Windows 10 Home Edition.

To enable the Windows Sandbox feature, run Command Prompt or PowerShell as an administrator and enter the following command:

powershell -Command "Enable-WindowsOptionalFeature -FeatureName 'Containers-DisposableClientVM' -All -Online"

After installation, you can find Windows Sandbox in the Start menu:

Find Windows Sandbox in the Start Menu

When you launch Windows Sandbox, you will see a clean virtual environment:

Launch Windows Sandbox
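As an added example (not part of the original guide), the following PowerShell script bundles the checks from the virtualization and installation sections above into one pre-flight run: hardware virtualization, Windows edition, and the state of the Sandbox optional feature. The script name and its -Enable switch are my own; run it from an elevated prompt.

```powershell
# Sandbox-Preflight.ps1 (added example, not from the original guide).
# Reports whether the machine is ready for Windows Sandbox and, with -Enable,
# turns the feature on. Requires an elevated PowerShell session.
param([switch]$Enable)

$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

# When a hypervisor (Hyper-V / VBS) is already running, the firmware flag is
# reported as $false by design, so either condition counts as "ready".
$virtOk = $cs.HypervisorPresent -or $cpu.VirtualizationFirmwareEnabled
Write-Host ("Virtualization ready : {0}" -f $virtOk)

# Sandbox ships only with Pro, Enterprise and Education editions (Home reports "Core").
$edition   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$editionOk = $edition -match 'Professional|Enterprise|Education'
Write-Host ("Edition {0,-20} : {1}" -f $edition, $editionOk)

# Same feature name the guide passes to Enable-WindowsOptionalFeature.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
Write-Host ("Sandbox feature      : {0}" -f $feature.State)

if (-not $virtOk)    { Write-Warning 'Enable virtualization (VT-x / AMD-V) in BIOS or UEFI first.' }
if (-not $editionOk) { Write-Warning 'This Windows edition does not include Windows Sandbox.' }

if ($Enable -and $virtOk -and $feature.State -ne 'Enabled') {
    # -NoRestart lets you finish other setup; reboot afterwards to activate the feature.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
}
```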

Configuring Windows Sandbox (.wsb)

Creating the Sandbox Working Directory

To maintain a consistent environment, it is recommended to create a dedicated working directory for the Sandbox. Folder names and default paths can be adjusted as needed, but ensure script paths are updated accordingly:

  1. C:\Sandbox: Maps to the main directory in the Sandbox with read/write permissions.
  2. C:\Sandbox\Apps: Stores installed or portable applications, similar to the C:\Program Files directory.
  3. C:\Sandbox\Install: Holds original installation files for manual installation if necessary.
  4. C:\Sandbox\boot.bat: A script executed automatically at Sandbox startup to perform basic configurations.
  5. C:\Sandbox\create_paths.ps1: A PowerShell script for generating desktop shortcuts from applications in the Apps directory.

Creating a WSB Configuration File

Windows Sandbox supports basic initialization through an XML configuration file. You can create a boot.wsb file on your desktop using VS Code or any other text editor. Below is an example configuration:

<Configuration>
    <MappedFolders>
        <MappedFolder>
            <HostFolder>C:\Sandbox</HostFolder>
            <SandboxFolder>C:\Sandbox</SandboxFolder>
        </MappedFolder>

        <MappedFolder>
            <HostFolder>C:\Users\wells\Downloads</HostFolder>
            <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
            <ReadOnly>true</ReadOnly>
        </MappedFolder>

    </MappedFolders>
    <LogonCommand>
        <Command>cmd /c "C:\Sandbox\boot.bat"</Command>
    </LogonCommand>
</Configuration>

The above configuration mainly includes the following:

  1. Main Directory Mapping: Maps the host’s C:\Sandbox to C:\Sandbox within the Sandbox, with read/write permissions.
  2. Downloads Folder Mapping: Maps the host’s C:\Users\wells\Downloads to C:\Users\WDAGUtilityAccount\Downloads within the Sandbox, with read-only access.
  3. Auto-Execution Script: Automatically executes C:\Sandbox\boot.bat upon Sandbox login to complete necessary initialization.
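The configuration above keeps C:\Sandbox writable and leaves networking and device redirection at their defaults, which is convenient for everyday use. For running software you do not trust, the following added PowerShell script (my own, not from the original guide) writes a locked-down .wsb: every mapped folder is read-only, networking, clipboard, printer, audio and video redirection are disabled, and ProtectedClient is enabled. The output path, host folder and logon command are assumptions; adjust them to your layout.

```powershell
# New-SandboxConfig.ps1 (added example, not from the original guide).
# Generates a hardened .wsb for testing untrusted software and refuses to
# write it if any mapped folder would be writable from inside the sandbox.
param(
    [string]$Out        = "$env:USERPROFILE\Desktop\untrusted.wsb",
    [string]$HostFolder = 'C:\Sandbox',
    [string]$LogonCmd   = 'cmd /c "C:\Sandbox\boot.bat"'
)

# SecurityElement.Escape keeps any &, < or > in the command valid XML.
$wsb = @"
<Configuration>
    <Networking>Disable</Networking>
    <vGPU>Disable</vGPU>
    <ClipboardRedirection>Disable</ClipboardRedirection>
    <PrinterRedirection>Disable</PrinterRedirection>
    <AudioInput>Disable</AudioInput>
    <VideoInput>Disable</VideoInput>
    <ProtectedClient>Enable</ProtectedClient>
    <MemoryInMB>4096</MemoryInMB>
    <MappedFolders>
        <MappedFolder>
            <HostFolder>$HostFolder</HostFolder>
            <SandboxFolder>C:\Sandbox</SandboxFolder>
            <ReadOnly>true</ReadOnly>
        </MappedFolder>
    </MappedFolders>
    <LogonCommand>
        <Command>$([Security.SecurityElement]::Escape($LogonCmd))</Command>
    </LogonCommand>
</Configuration>
"@

# Sanity check: parse the text as XML and reject any mapping that is not read-only.
[xml]$doc = $wsb
$writable = $doc.Configuration.MappedFolders.MappedFolder |
    Where-Object { $_.ReadOnly -ne 'true' }
if ($writable) { throw "Writable mapping found: $($writable.HostFolder -join ', ')" }

Set-Content -Path $Out -Value $wsb -Encoding UTF8
Write-Host "Wrote $Out. Double-click it, or run Start-Process '$Out', to launch the sandbox."
```

With the host folder mapped read-only, boot.bat can still read installers from C:\Sandbox\Install, but nothing the tested software does can reach the host copy.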

Creating a Startup Script

Create a boot.bat file in the C:\Sandbox directory on the host machine. This script will automatically initialize the Sandbox environment upon startup. Its main functions include:

  • Creating Desktop Shortcuts (Line 4)
  • Installing 7-zip (Line 7)
  • Configuring Windows Basic Options (Lines 9–58)
  • Setting File Associations (Lines 60–78)

This script is highly customizable. For instance, if you need to install Notepad++, place the installer in C:\Sandbox\Install and add the following command to the script:

"C:\Sandbox\Install\npp.8.4.6.Installer.x64.exe" /S

If using a portable version, extract it to a designated path (e.g., C:\Sandbox\Apps) and set up automatic desktop shortcut creation in subsequent steps.

C:\Sandbox\boot.bat:

@echo off

REM Execute the PowerShell script to create paths
powershell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Sandbox\create_paths.ps1'"

REM Silently install 7-zip
"C:\Sandbox\Install\7z1900.exe" /S

REM Enable Sudo simulation feature
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Sudo" /v "Enabled" /t REG_DWORD /d 3 /f

REM Show "Run as different user" in the application context menu
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v "ShowRunAsDifferentUserInStart" /t REG_DWORD /d 1 /f

REM Set the default console-host delegation (this GUID is Windows Terminal's console host)
REM The real key name is two percent signs followed by Startup; inside a .bat file each
REM percent sign must be doubled, so it is written with four here
reg add "HKEY_CURRENT_USER\Console\%%%%Startup" /v "DelegationConsole" /t REG_SZ /d "{2EACA947-7F5F-4CFA-BA87-8F7FBEEFBE69}" /f

REM Set the default terminal delegation to Windows Terminal
reg add "HKEY_CURRENT_USER\Console\%%%%Startup" /v "DelegationTerminal" /t REG_SZ /d "{E12CFF52-A866-4C77-9A90-F570A7AA2C6B}" /f

REM Enable "End Task" in the taskbar menu
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarDeveloperSettings" /v "TaskbarEndTask" /t REG_DWORD /d 1 /f

REM Set Alt+Tab multitasking to display all windows
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "MultiTaskingAltTabFilter" /t REG_DWORD /d 3 /f

REM Show seconds in the system clock
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSecondsInSystemClock" /t REG_DWORD /d 1 /f

REM Align taskbar icons to the left
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAl" /t REG_DWORD /d 0 /f

REM Disable grouping of identical application windows in the taskbar
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarGlomLevel" /t REG_DWORD /d 2 /f

REM Disable grouping of taskbar items in multi-monitor setups
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "MMTaskbarGlomLevel" /t REG_DWORD /d 2 /f

REM Pin applications to the taskbar on the current screen in multi-monitor setups
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "MMTaskbarMode" /t REG_DWORD /d 2 /f

REM Enable custom layouts in the Start menu
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_Layout" /t REG_DWORD /d 1 /f

REM Disable suggested items in the Start menu
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_IrisRecommendations" /t REG_DWORD /d 0 /f

REM Show file extensions for known file types
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f

REM Show hidden files and folders
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f

REM Restore the classic Windows context menu
reg add "HKEY_CURRENT_USER\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" /f /ve

REM Set the default path for File Explorer's Win+E to "This PC"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f

REM Point the .txt, .js and .inf extensions at the vscode_file ProgId
reg add "HKEY_CURRENT_USER\Software\Classes\.txt" /ve /d "vscode_file" /f
reg add "HKEY_CURRENT_USER\Software\Classes\.js" /ve /d "vscode_file" /f
reg add "HKEY_CURRENT_USER\Software\Classes\.inf" /ve /d "vscode_file" /f

REM Configure the open command for vscode_file so VS Code becomes the default editor
REM %%1 is required: a bare %1 inside a .bat file expands to the script's own first argument (empty here)
reg add "HKEY_CURRENT_USER\Software\Classes\vscode_file\shell\open\command" /ve /d "\"C:\\Sandbox\\Apps\\VSCode\\Code.exe\" \"%%1\"" /f

REM Configure the open command for VSCode (Code.exe)
REM Create registry entries for the Code.exe application
reg add "HKEY_CURRENT_USER\Software\Classes\Applications\Code.exe" /f
REM Set DefaultIcon for VSCode with its icon path
reg add "HKEY_CURRENT_USER\Software\Classes\Applications\Code.exe\DefaultIcon" /ve /d "C:\\Sandbox\\Apps\\VSCode\\resources\\app\\resources\\win32\\default.ico" /f
REM Create shell registry entry for VSCode
reg add "HKEY_CURRENT_USER\Software\Classes\Applications\Code.exe\shell" /f
REM Set the icon for the "open" command in VSCode
reg add "HKEY_CURRENT_USER\Software\Classes\Applications\Code.exe\shell\open" /v "Icon" /d "\"C:\\Sandbox\\Apps\\VSCode\\Code.exe\"" /f
REM Set the open\command registry entry to use VSCode for opening files (again %%1, not %1)
reg add "HKEY_CURRENT_USER\Software\Classes\Applications\Code.exe\shell\open\command" /ve /d "\"C:\\Sandbox\\Apps\\VSCode\\Code.exe\" \"%%1\"" /f

REM Restart File Explorer to apply changes
taskkill /f /im explorer.exe
start explorer.exe

Automatically Adding Shortcuts to the Desktop

Create a create_paths.ps1 file in the C:\Sandbox directory on the host machine. This script will be used to create desktop shortcuts when the Sandbox starts.

To add new shortcuts, simply update the $Apps array with the application paths and names. For example, I currently have VS Code, WeChat, and BaiduNetdisk stored in C:\Sandbox\Apps.

Here is the complete PowerShell script:

# Suppress progress messages ('Silent' is not a valid ActionPreference value; 'SilentlyContinue' is)
$ProgressPreference = 'SilentlyContinue'

# Get the desktop path
$DesktopPath = [Environment]::GetFolderPath("Desktop")

# Define a function to create shortcuts
function Create-Shortcut {
    param (
        [string]$ShortcutPath,     # Path to save the shortcut
        [string]$TargetPath,       # Target application path
        [string]$Description = "", # Optional description
        [string]$IconLocation = "" # Optional icon path
    )
    $WScriptShell = New-Object -ComObject WScript.Shell
    $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath)
    $Shortcut.TargetPath = $TargetPath
    $Shortcut.Description = $Description
    if ($IconLocation -ne "") {
        $Shortcut.IconLocation = $IconLocation
    }
    $Shortcut.Save()
}

# Define the application paths and shortcut names
$Apps = @(
    @{ Path = "C:\Sandbox\Apps\BaiduNetdisk\BaiduNetdisk.exe"; Name = "BaiduNetdisk" },
    @{ Path = "C:\Sandbox\Apps\WeChat\WeChat.exe"; Name = "WeChat" },
    @{ Path = "C:\Sandbox\Apps\VSCode\Code.exe"; Name = "VSCode" }
)

# Create desktop shortcuts for each application, skipping any executable that is not present in Apps
foreach ($App in $Apps) {
    if (-not (Test-Path -LiteralPath $App.Path)) {
        Write-Warning "Skipping $($App.Name): $($App.Path) not found"
        continue
    }
    $ShortcutPath = Join-Path -Path $DesktopPath -ChildPath ("$($App.Name).lnk")
    Create-Shortcut -ShortcutPath $ShortcutPath -TargetPath $App.Path -Description "Launch $($App.Name)"
}

With the necessary folders and scripts in place, you can now proceed to launch the Sandbox with the following steps.

Using WSB to Launch the Sandbox

  1. Launch the Sandbox

    Click on the boot.wsb file on your desktop to quickly start the Sandbox environment.

    Run the WSB File

  2. Automatically Load Settings

    As shown below, by using a pre-written configuration file, the Sandbox automatically loads the required settings upon each launch. This avoids the need to repeatedly download or install specific software, significantly improving efficiency.

    Run the Sandbox with Preconfigured Settings

Conclusion

By creating a well-prepared Sandbox environment with pre-installed software, you can quickly test applications while maintaining complete isolation from the host system. The Sandbox is ideal for running software from unknown sources, as well as for development tasks, providing a secure and independent workspace.

For example, in my use case, the Sandbox is primarily used to run Chinese applications like WeChat and BaiduNetdisk. Since these applications may make unknown modifications to the system, the Sandbox allows for quick restoration to the initial state, effectively eliminating security risks and enhancing overall system safety.

Additionally, the Sandbox serves as an ideal environment for testing software after compilation, especially when simulating a fresh Windows system. It helps identify whether the necessary runtime environment is fully provided, preventing issues caused by incomplete environments when distributing program files to others.
