Never tried Windows Sandbox? – This will change your mind

Windows what? Windows Sandbox, a feature that I completely missed. Then I tried it once and loved it immediately. It takes you literally 5 minutes to set up and is really useful in your daily sysadmin tasks.

Prerequisites for using the feature (source: docs.microsoft.com)

  • Windows 10 Pro or Enterprise Insider build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

Table of contents

What is Windows Sandbox?

Windows Sandbox allows you to start a lightweight “virtual” desktop environment to run applications in an isolated environment. Every time you reopen the sandbox, it will revert all the changes and you will start with a clean slate.

Installing Windows Sandbox

  1. Enable virtualization in your BIOS.
  2. Hit Windows Key + R and type “appwiz.cpl” hit enter or search “Turn Windows Features on and off”.
  3. Select Windows Sandbox hit Ok and restart your computer.
  4. Search for Windows Sandbox and start it, it takes a while the first time.

Cool things you can do with your Sandbox.

Basically your Sandbox can be started by a simple double click on the icon or by creating a config file. These are just basic XML files that get the ending .wsb to start a configuration simply click it and Windows Sandbox will start.

Mount a directory to Windows Sandbox

This one is pretty straight forward, I use it to open suspicous files I just downloaded. This will map your Downloads folder, or whatever folder you choose to the desktop of the sandbox.

<Configuration>
<MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Users\FistofTech\Downloads</HostFolder>
     <ReadOnly>false</ReadOnly>
   </MappedFolder>
</MappedFolders>
</Configuration>

Download a script and execute it

This configuration I use to do bigger configurations and to run it on every system I got without copying the code across different machines. You could also combine the mapping of the folders with a logon command to run a local script. But this is just way cooler 😉

<Configuration>
<LogonCommand>
   <Command>powershell.exe -ExecutionPolicy Bypass -c "Invoke-WebRequest -Uri https://pastebin.com/raw/x4ZR39G3 -UseBasicParsing | Select-Object -ExpandProperty content | Out-File ./downloadedscript.ps1 ; ./downloadedscript.ps1" </Command>
</LogonCommand>
</Configuration>

Explanation of the one liner:

Invoke-WebRequest -Uri https://pastebin.com/raw/x4ZR39G3 -UseBasicParsing | Select-Object -ExpandProperty content | Out-File ./downloadedscript.ps1 ; ./downloadedscript.ps1

Starts PowerShell at boot and bypasses the execution policy (it is set to “signed” at boot). After that Invoke-Webrequest downloads the script and Select-Object removes everything except the instructions from the script. In the end it saves the text to a script file and executes it. The “;” sign is used to separate the commands.

Further reading:

If you have found other uses for Windows Sandbox let me know in the comments. If you want to know more about it check this site there is a list of every possible command.

2 thoughts on “Never tried Windows Sandbox? – This will change your mind

Add yours

  1. Hi! Would you mind if I share your blog with my twitter group? There’s a lot of people that I think would really enjoy your content. Please let me know. Thank you

Leave a Reply

Powered by WordPress.com.

Up ↑

%d bloggers like this: