The new Windows 10 Sandbox feature lets you securely scan programs and files you have downloaded from the Internet by running them in a secure container.
It is easy to use, but its settings are saved in a plain text configuration file.
Windows Sandbox is easy to use
The Windows Sandbox was first released with Windows 10 May Update and is available in the Professional, Enterprise or Education versions of the Microsoft operating system. The service is not available in Windows 10 Home.
If available on your system, you can enable the Sandbox feature and then launch it from the Start menu.
Sandbox will launch, make a copy of your current Windows operating system, cut off access to your personal folders, and give you a clean Windows desktop with Internet access.
Microsoft is adding a configuration file from which you can customize your Sandbox. For example, if you do not want to access the Internet, you will need to change the text file. If you need access to files on your host system, you will need to copy and paste them into the Sandbox. If you want to install specific third-party programs, you must install them after starting Sandbox.
Because the Windows Sandbox is completely deleted when you close it, you have to go through all of the above changes every time you start it. On the one hand, this makes for a more secure system: if something goes wrong, you close the Sandbox and everything is deleted. On the other hand, having to make the same changes on every start is quite annoying.
To address this issue, Microsoft provided a configuration option for Windows Sandbox. Using XML files, you can start the Windows Sandbox with defined parameters. You can turn off the Internet connection, configure shared folders, or run a script to install applications. Options are a bit limited in the first version of Sandbox, but Microsoft will add more in future updates to Windows 10.
How to set up Windows Sandbox
A copy of Windows 10 in a sandbox environment can access a shared folder on your host operating system.
This guide assumes that you have already set up Sandbox for general use. If you have not already done so, you must first enable it from the Windows Features dialog box.
To get started, you will need Notepad or your favorite text editor (we recommend Notepad++) and a blank new file. You will create an XML file that contains the settings. Once you have your file ready, you need to save it with a .wsb extension (from Windows SandBox). Double-click the file and the Sandbox will start with the settings you saved.
As Microsoft says, you have many options for configuring the Sandbox. You can enable or disable vGPU, enable or disable the network, specify a shared folder on the host, set read/write permissions on this folder, or run a script at startup.
Using this configuration file, you can turn off the virtual GPU (enabled by default), turn off the network (enabled by default), specify a shared folder (sandbox applications do not have access to any by default), set read-write permissions on this folder, or run a script at startup.
First, open Notepad or your favorite text editor and start with a new text file. Add the following text:
All the options you add must be between the opening and closing Configuration tags. You can add just one option or all of them. If you do not set an option, the default will be used.
How to turn off the virtual GPU or network
According to Microsoft, enabling the virtual GPU or networking gives malware more avenues it can use to escape the sandbox. Therefore, if you are testing something you are particularly worried about, it is a good idea to turn them off.
To turn off the virtual GPU, which is enabled by default, add the following text to the configuration file.
To turn off network access, which is enabled by default, add the following text.
Add a folder
To add a folder, you must specify the folder you want to share, and then specify whether the folder should be read-only or not.
Add a folder:
<MappedFolders>
  <MappedFolder>
    <HostFolder>C:\Users\Public\Downloads</HostFolder>
    <ReadOnly>true</ReadOnly>
  </MappedFolder>
</MappedFolders>
In HostFolder you specify the folder you want to share. In the example above, the C:\Users\Public\Downloads folder in Windows is shared.
ReadOnly determines whether Sandbox can write to the folder or not. Set it to true to make the folder read-only, or to false so that Sandbox can write to it.
Be aware that setting it to false is dangerous if you do not know what you are doing. Giving Sandbox write access increases the risk if you are testing something you think is malicious.
How to run a script at startup
Finally, you can run custom scripts or basic commands. You could, for example, force Sandbox to open a folder that you added to the startup settings.
Let's see how it is done:
<MappedFolders>
  <MappedFolder>
    <HostFolder>C:\Users\Public\Downloads</HostFolder>
    <ReadOnly>true</ReadOnly>
  </MappedFolder>
</MappedFolders>
<LogonCommand>
  <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>
WDAGUtilityAccount is the default user for Windows Sandbox, so you will always mention it when opening folders or files as part of a command.
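The options above, combined into one .wsb file and checked against the defaults, as an added example that is not part of the original article: the script lists every setting that widens the boundary between the sandbox and the host. The VGpu element name and the ReadOnly default of false come from Microsoft's Windows Sandbox documentation rather than this page; audit_wsb and the two sample files are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: every option from the article combined in one .wsb file.
HARDENED = r"""<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\Downloads</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
  </LogonCommand>
</Configuration>"""

# Constructed sample: options omitted, so the defaults apply.
DEFAULTED = r"""<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\Downloads</HostFolder>
    </MappedFolder>
  </MappedFolders>
</Configuration>"""

def audit_wsb(xml_text):
    """Return the settings in a .wsb file that deserve review before launch."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("a .wsb file must have <Configuration> as its root")
    findings = []
    # vGPU and networking stay on unless the file says Disable; any other
    # value is treated as enabled here (a conservative assumption).
    for tag in ("VGpu", "Networking"):
        if (root.findtext(tag) or "").strip() != "Disable":
            findings.append(f"{tag} enabled")
    # A mapped folder is writable unless ReadOnly is true (a missing
    # ReadOnly means false, per Microsoft's documented default).
    for folder in root.iterfind("MappedFolders/MappedFolder"):
        if (folder.findtext("ReadOnly") or "").strip().lower() != "true":
            findings.append(f"writable: {(folder.findtext('HostFolder') or '').strip()}")
    for cmd in root.iterfind("LogonCommand/Command"):
        findings.append(f"runs at logon: {(cmd.text or '').strip()}")
    return findings

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("defaulted", DEFAULTED)):
        print(name, audit_wsb(text))
```

The second sample shows why an omitted option matters: with nothing but a mapped folder in the file, the GPU, the network and write access to the host folder are all left on.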
How to start Sandbox with your settings
When you're done, save your file and give it a .wsb file extension. For example, if the text editor saves it as Sandbox.txt, save it as Sandbox.wsb. To start Windows Sandbox with your settings, double-click the .wsb file. You can place it on your desktop or create a shortcut in the Start menu.
For your convenience, you can create a DisabledNetwork file to save you a few steps. Rename the extension to .wsb and you're ready to launch Windows Sandbox.
<Configuration>
  <Networking>Disable</Networking>
</Configuration>