How Windows Sandbox config files work
Microsoft is working on Windows Sandbox, a sandboxed environment for the Windows operating system, currently.
The feature is being tested in Windows 10 Insider Builds currently and it is possible that Windows Sandbox will find its way into Windows 10 version 1903.
The initial version of Windows Sandbox was quite basic: users could launch it on Windows 10 devices and use it, but that was about the scope of it.
Sandbox Config files
Starting with the latest builds, it is now possible to use config files to customize certain aspects. Config file support is basic at this point but it allows administrators and users to launch apps or scripts automatically in the sandbox. In other words: you may run something in the sandboxed environment automatically.
The config files use XML and have the extension .wsb. You may run any .wsb file with a double-click or by running it from the command line or by using scripts.
Windows Sandbox .wsb scripts support the following configuration options currently:
- Enable or disable the virtualized GPU.
- Enable or disable networking in the sandbox.
- Share folders from the host.
- Run a startup script or program.
Most options are straightforward at this point in time.
Virtualized GPU
- <VGpu>Disable</VGpu> -- Disables virtual GPU support in the sandbox. Software rendering will be used.
- <VGpu>Enable</VGpu> -- Enables virtual GPU support.
Networking:
- <Networking>Disable</Networking> -- Disables networking in the sandbox.
- <Networking>Enable</Networking> -- Enables networking in the sandbox.
Shared Folders:
<MappedFolder>
<HostFolder>path to the host folder</HostFolder>
<ReadOnly>value</ReadOnly>
</MappedFolder>
You need to specify a folder that you want to share with the host system, e.g. c:\virtual, and whether you want it to be read-only or support write operations as well.
ReadOnly values are true (make it read-only) or false (read and write support).
Note that folders are always mapped under the path C:\Users\WDAGUtilityAccount\Desktop.
Command on Logon
<LogonCommand>
<Command>The command</Command>
</LogonCommand>
You may specify a file name and path or a script. The command explorer.exe would work, as would reference to a script, e.g. C:\users\wdagutilityaccount\desktop\test\start.cmd.
Example XML file
<Configuration>
<VGpu>Disable</VGpu>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Martin\Downloads</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>
</Configuration>
Save the file as something.wsb and launch it whenever you want to run the sandbox with this configuration. It is pretty basic: disables the virtual GPU and networking, maps the Downloads folder of the user account Martin, and launches File Explorer in the sandbox that displays the Downloads folder.
Closing Words
Config file support extends Windows Sandbox functionality significantly as you may use these files to share folders with the sandbox and run scripts. You could use it to map a downloads folder and run downloaded files in the sandbox for that extra bit of security.
We will update the guide when new features are introduced.
Now You: What is your take on the Windows Sandbox so far? What would you like to see?
That they reduce memory use.
I know that not so powerful hardware should be able to run the Sandbox.
And I also know that they are trying to let Windows automatically take back the memory used by (from) the sandbox but main understanding is, that you need at least 8Gb Ram for only the Sandbox to run perfectly smooth.
But when on the other hand when you want to run together at the same time with the Sandbox one – or more outer not Sandbox programs you will need at least 16 GB Ram I have read and I also reading already discussions, that 32 GB Ram is even better to run multiple applications next to each other perfectly smoothly, when there will be any use of the page file (hickups/stop of use), file transferring or swapping going on.
Does Windows Sandbox supports GPU Passthrough / running games ?
Wild guess is it will be full of bugs.
how to isolate something on the top of a system that is in its base the opposite of an isolated system. backdoors everywhere. possibly better protection against dangerous 3rd party software, but not against the dangerous operating system itself on which the (proprietary) container is running. “windows – sandbox” .. yet another contradiction in itself. the whole os itself must be container. and much more.
Gnome Boxes does the job, run legacy Windows 10 as a KVM guest, sans any networking.
Anyone else unable to get a script to run? Sandbox opens the same way regardless of script or not. But the batch file isn’t being executed apparently.
Just received this long-awaited feature in the release version.
What a letdown Microsoft! First as predicted by Anonymous above, it is buggy as hell. It won’t let me type in the search box in the taskbar! Although I can cut and paste files into the sandbox, I cannot drag-and drop them! Basic operations keep hanging for hours on end!
But also I thought at least it would herald Microsoft letting us run a virtualised version of Windows 10 inside a licenced host version without buying an additional licence, but no, Windows is not activated inside the sandbox! It is this kind of greed that turns people to linux!
Finally, what’s with all this config files re-invention of the wheel? Just let us configure the OS however we want inside the sandbox and then save it as our own VHD. That feature is already there in Hyper-V!
Honestly, you’d think an organisation with the resources of Microsoft could do better than this!