What is Windows Sandbox?

Technically Windows Sandbox is a lightweight virtual machine created on demand which a user can safely run applications in isolation. This virtual machine is using the same OS image as the host machine. Software installed inside the Windows Sandbox environment remains “sandboxed” and runs separately from the base machine. This is ideal when trying to analyze some programs in isolation.

How to enable Windows Sandbox?

  1. First of all the machine should be using Windows 10 Pro or Enterprise, build version 18305 or later.
  2. Virtualization should be enabled on the machine from the BIOS.
  3. Use the search bar on the task bar and type Turn Windows Features on and off to access the Windows Optional Features tool. Select Windows Sandbox and then OK.
  4. Restart the computer if you’re prompted.

Check here for detailed step by step installation from the official docs.

How to configure Windows Sandbox using configuration file?

Windows Sandbox supports simple configuration file which enables us to customize minimal set of parameters. The configuration file is formatted as XML.

A configuration file enables the user to control the following aspects of Windows Sandbox:

  • vGPU (virtualized GPU): Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
  • Networking: Enable or disable network access within the sandbox.
  • Mapped folders: Share folders from the host with read or write permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
  • Logon command: A command that’s executed when Windows Sandbox starts.
  • Audio input: Shares the host’s microphone input into the sandbox.
  • Video input: Shares the host’s webcam input into the sandbox.
  • Protected client: Places increased security settings on the RDP session to the sandbox.
  • Printer redirection: Shares printers from the host into the sandbox.
  • Clipboard redirection: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
  • Memory in MB: The amount of memory, in megabytes, to assign to the sandbox.

All you have to do is open notepad.exe and specify the options that you want your Sandbox Instance to have.

Here is how a complete Sandbox file looks like:

<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>

    <!-- Basically this block copies Host folder a.k.a. C:\Users\Public\Downloads 
    To the desktop inside Windows Sandbox.
    -->
    <MappedFolder>

      <!-- This is a path from the host machine. -->
      <HostFolder>C:\Users\Public\Downloads</HostFolder>

       <!-- This is the desktop inside the Windows Sandbox. -->
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
  </LogonCommand>
</Configuration>

Save the file with .wsb extension and you get Windows Sandbox icon which you can double click to start the instance.

The big “problem” using Windows Sandbox

There is a major problem using Windows Sandbox. Unlike any other virtual machine Windows Sandbox when it is closed will erase ANY user data. This includes every file created anywhere and every problem installed on the machine. This is not something that a user can turn on or off. This is how it was designed.

Every time when someone logs in the environment he should install all the software he needs.

Is there a solution to this? Of course there is!

Solution

If we check the configuration file we see that there is an option to execute a script inside Windows Sandbox — Logon command.

What the documentation didn’t make clear is even though this Logon Command looks like a collection, feels like a collection, acts like a collection it is actually not a collection and can execute only one script.

Here is a PowerShell script that installs Fiddler and Curl inside Windows Sandbox.


# Download and install Scoop Package manager
# Note: This will not work if you disable the network access from
# Windows Sandbox configuration file.
Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')

# Scoop package manager requires git to be able to install most software.
scoop install git

# Add extra buckets so we have more software to choose from.
scoop bucket add extras
scoop bucket add nerd-fonts
scoop bucket add nirsoft
scoop bucket add java
scoop bucket add jetbrains
scoop bucket add nonportable
scoop bucket add php

# Install Fiddler and Curl
scoop install fiddler, curl

After we created the PowerShell we have to transfer it inside the virtual machine. If you look to the sample xml file there is a MappedFolder section which we can use to copy our script inside.

For example if you put the script in a Scripts folder in your desktop and want to execute it from inside the sandbox here is how your configuration should look like:

<Configuration>
  <VGpu>Disabled</VGpu>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\YOUR_USERNAME\Desktop\Scripts</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Sandbox\</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File C:\Users\WDAGUtilityAccount\Desktop\Sandbox\MainScript.ps1</Command>
  </LogonCommand>
  <AudioInput>Default</AudioInput>
  <VideoInput>Default</VideoInput>
  <ProtectedClient>Default</ProtectedClient>
  <PrinterRedirection>Default</PrinterRedirection>
  <ClipboardRedirection>Default</ClipboardRedirection>
  <MemoryInMB>0</MemoryInMB>
</Configuration>

Note: The default user does not have permissions to execute scripts inside the sandbox. That is why we have to set an execution policy in order to see our script running.

Save it as .wsb file and run it. After some time you should see your programs installed and you can get to work.

What is ScoopBox?

ScoopBox is a C# library that automates the configuration file building and generates a script which inside contains commands to execute using PowerShell.

Install ScoopBox using your preferred way:

Install ScoopBox

Use whichever method you prefer

Install-Package ScoopBox -Version 1.0.0

dotnet add package ScoopBox --version 1.0.0

<PackageReference Include="ScoopBox" Version="1.0.0" />

How to use ScoopBox?

Here are some examples of the ScoopBox works:

Start Windows Sandbox with preinstalled applications

ISandbox represents a single instance of Windows Sandbox and you can install define which applications to install by which package manager. Currently ScoopBox supports Chocolatey and Scoop package managers.

ISandbox sandbox = new Sandbox();
await sandbox.Run(new ScoopPackageManagerScript(new List<string>() { "curl", "fiddler", "vscode" }));

Start Windows Sandbox with user scripts

You can start Sandbox with custom scripts located somewhere in you PC. It is just enough to point them out.

ISandbox sandbox = new Sandbox();
await sandbox.Run(new List<IScript>()
{
    new ExternalScript(new FileInfo(@"C:\Users\Scripts\StartBrowser.ps1"), new PowershellTranslator()),
    new ExternalScript(new FileInfo(@"C:\Users\Scripts\StartExplorer.ps1"), new PowershellTranslator()),
});

Start Windows Sandbox with combined scripts

Of course no one is stopping you to combine the scripts and package managers. For example if one of your software is available on Chocolatey and other is in Scoop.

ISandbox sandbox = new Sandbox();
await sandbox.Run(new List<IScript>()
{
    // PowerShell script as string to open notepad
    new LiteralScript(new List<string>() { @"Start-Process 'C:\windows\system32\notepad.exe'" }, new PowershellTranslator()),

    // Cmd script to open a browser
    new ExternalScript(new FileInfo(@"C:\Users\Scripts\StartBrowser.cmd"), new CmdTranslator()),

    // Bat script to open explorer
    new ExternalScript(new FileInfo(@"C:\Users\Scripts\OpenExplorer.bat"), new BatTranslator()),

    // Scoop package manager that installs curl and fiddler
    new ScoopPackageManagerScript(new List<string>(){ "curl", "fiddler" }),
});

All scripts are ran in the order they are defined.

Modify sandbox configuration file

You can also modify the sandbox configuration file before running scripts.

IOptions options = new Options()
{
    AudioInput = AudioInputOptions.Enable,
    PrinterRedirection = PrinterRedirectionOptions.Enable,
    Networking = NetworkingOptions.Default,
    VGpu = VGpuOptions.Enabled,
    // ...
};

ISandbox sandbox = new Sandbox(options);

Conclusion

Windows Sandbox is a great tool with some limitations. In this blog post we discussed how to work around these limitations using either a script or ScoopBox. As always I would like to hear from you in the comments section. Also take a look to ScoopBox in github.