What is Windows Sandbox? How can it help you with security issues?

Unknown or suspicious programs can cause a whole range of problems on the main system, from malware to unwanted changes to system settings. One effective protection is the so-called sandbox ("sandbox"), which allows programs to run in an isolated and protected virtual environment, separate from the rest of the system.

For years, Windows users have used tools like Sandboxie, which tracks all changes made by a program and undoes them upon exit, restoring the system to its original state. For an even higher level of isolation, virtual machines (with VirtualBox or Microsoft's built-in Hyper-V technology) were used, in which we installed the operating system separately and could run dangerous programs there - with the ability to restore the virtual system state to its original state at any time. This approach is very reliable, but it requires more knowledge and time to set up and maintain an additional system.

What is Windows Sandbox?

Windows Sandbox is an isolated desktop environment with the Windows operating system designed for safe testing of programs and files. It runs as a temporary lightweight virtual machine inside your system. It uses hardware-accelerated virtualization (Hyper-V) to completely separate it from the host operating system. Every time we start it, we get a completely clean and empty system that behaves like a freshly installed Windows, and all installed programs and files in the sandbox are irretrievably lost when we close it. Sandbox is part of Windows 10/11 (available in Pro, Enterprise and Education editions, but not in Home) and does not require any additional license or installation of another operating system.

If you have a Windows 10/11 Home version installed, you can later change it to a supported version using a script found online (massgrave), or by purchasing a new license.

How to enable and use Windows Sandbox?

To use Sandbox, you need a compatible system. This is Windows 10 (1903 or later) or Windows 11 with a Pro, Enterprise, or Education license and support for hardware virtualization. Modern Intel/AMD processors mostly support virtualization technologies (Intel VT-x, AMD-V, etc.), but this option often needs to be enabled in the BIOS/UEFI settings.

1. In Windows 10/11, open the Control Panel or the Start search box and search for "Turn Windows features on or off" (Turn Windows features on or off). In the list of features, find Windows Sandbox and select the check box. Click Okay and restart your computer when prompted to install the feature.
2. After logging into Windows, open the Start menu and type Windows Sandbox. Click the Windows Sandbox icon. The system will load for a few seconds, and then a window with a virtual Windows desktop will open. You will see a desktop similar to yours, but it is a separate temporary system with a default setup (you may notice that only the default programs and the Edge browser are installed, for example).
3. In the sandbox, you can now install programs or open files almost exactly as you would on a regular system. You can install a suspicious application and test it. Even if it contains a virus, it will remain inside the sandbox. By default, the sandboxed system has Internet access (via a virtual network), which makes it easier to transfer files or updates, but be careful, as malicious code can also have access to the network. You can exchange files between the host and the sandbox using the clipboard. For example, copy a file on the main system (Ctrl+C) and paste it inside the sandbox (Ctrl+V). More advanced users can also enable automatic mapping of individual host folders to the sandbox by preparing a configuration .wsb file.
4. When you are finished testing, simply close the Windows Sandbox window (click the X as usual). A warning will appear stating that all contents of the sandbox will be deleted. Confirm with Okay. The virtual system will shut down and everything in it will be permanently deleted. Your main Windows will remain exactly as it was before you started the sandbox, as if nothing had happened. If you later start the sandbox again, you will get a completely new instance of Windows, with no trace of your previous session.

If you want to keep any output (a downloaded file) in the sandbox, you must make sure to copy it from the sandbox to the host (say, via the clipboard or to a shared folder) before closing it. Otherwise, the data will be lost when you close the sandbox window.

Windows Sandbox, Sandboxie, VirtualBox or...?

Windows Sandbox is not the only solution for isolating malicious or unwanted software.

Tool Sandboxie It works at the operating system level. It runs the application inside the sandbox by intercepting its access to the system. All changes made by the program (e.g., registry entries, files) are redirected by Sandboxie to an isolated area and undone when closed, thus restoring the system to its original state. The advantage of Sandboxie is that it is undemanding and also works on Windows Home (and older versions of Windows), and it allows the isolation of individual programs without running the entire system. In addition, multiple programs or multiple separate sandboxes can run in parallel in the Sandboxie environment.

A full virtual machine (VM), whether through the open-source VirtualBox, VMware or the built-in Hyper-V, means that we manually create a virtual computer and install a complete operating system (Windows or Linux) on it. Such a solution provides complete isolation, as the VM runs separately from the host and has its own virtual disk, hardware, and so on. In addition, the user has full control over the virtual system: he can keep it running for a long time, permanently install software on it, change settings, etc.

A key advantage of a VM is the ability to save the state. In VirtualBox/VMware/Hyper-V, you can create a snapshot (checkpoint) of the system and return to it later, which is very useful for testing. For example, if you are not sure about the credibility of an unknown program, you can take a snapshot before installing it, and after the installation/testing is complete, you can restore the system to the saved point.

Another advantage of true virtual machines is that you can have multiple virtual machines running at the same time (if you have enough resources) and run different systems in them, such as a different version of Windows or Linux. Whereas a Windows sandbox always runs the same version of Windows as on the host.

Of course, VMs also have disadvantages. They require additional disk space (several gigabytes for each VM) and more memory (the VM reserves, for example, 4+ GB of RAM, which is taken from the host). The setup is also longer, as you first have to manually install the operating system and take care of its updates and maintenance, while Windows Sandbox does all this automatically in a matter of seconds.

For short-term testing or analysis of suspicious files, Windows Sandbox is much more practical because you can turn it on and off at any time without much advance work. However, if you want to run a program for a longer period of time, make more permanent changes, or run an entire server in isolation, for example, then a full virtual machine remains a better solution.

Hyper-V and persistent test systems

Windows Sandbox aims to make testing in isolation as fast and easy as possible, which means it's not suitable for all situations. More advanced users who already have Windows 10/11 Pro or Enterprise can take advantage of the built-in Hyper-V platform and manually create their own virtual machines for testing.

This is essentially a similar approach to sandboxing, but with more customization options in exchange for a bit more setup up front. Hyper-V allows you to create one or more VMs on your computer. Each of them can be completely isolated from the network and other computers (if you specify), which is ideal for safely testing highly dangerous programs without an internet connection. In the Hyper-V Manager console, you can configure the virtual hardware (CPU, RAM, disk, network interfaces, etc.) for each VM and, for example, choose not to connect the virtual network interface to the external network, thus creating an isolated closed environment.

Once you create a new VM, you install the desired operating system (Windows again or something else). To do this, you will need an installation ISO file or a pre-prepared system image. After installation, you treat the VM as a separate computer. You can turn it on and off as needed, and all the data in it is preserved until you delete it yourself. This means that you can install a whole collection of programs on such a test VM and test them over a long period of time without having to reinstall them every time you boot (like with Windows Sandbox).

A particular advantage of using Hyper-V (or other VM platforms) is the ability to create checkpoints or snapshots of the system state. For example, when you install a clean operating system and basic updates in a VM, you can capture the original state. Then, over the next few days, you install and test different programs. If one turns out to be harmful or causes problems, you can easily roll back the VM to a clean state and thus “clean” the system of the consequences of testing.

This is similar to using a sandbox, except that here you have the option to choose a restore point and can store several different states (one with the basic configuration, another after installing certain updates, etc.). Of course, such flexibility means that you need to allocate enough disk space for the VM (snapshots take up additional space) and monitor system updates within the VM, as it will not automatically update the system like Windows Sandbox does at every startup.

In practice, many advanced users set up entire virtual labs. On a more powerful computer or server, several virtual machines can run simultaneously, for example, one with Windows 10 without a network for virus testing, another with Windows Server for testing server settings, a third with Linux for development, and so on.

To set up a Hyper-V environment in Windows Pro, all you need to do is enable Hyper-V (similar to what we described for Windows Sandbox) and launch the Hyper-V Manager tool, in which you create new virtual environments. The process of installing the operating system in this environment is the same as on a physical computer.

Choose the right tool for you

Windows Sandbox is a great tool for quickly and easily testing programs in a safe environment, especially when we want to test something once or occasionally and don't want to waste time setting up an entire VM. For many IT professionals, it has become indispensable when checking for unknown attachments, suspicious software, or when visiting risky websites. They simply launch it, do what they need to, and close it, without worrying about anything "leaking" to the production system. On the other hand, classic virtual machines (Hyper-V, VirtualBox, etc.) remain important for more in-depth testing and development, where we need a longer-lasting system, different environments, or the ability to take snapshots.