Windows Sandbox - How to configure in Windows 10  

    How to configure Windows Sandbox with custom theme and preinstalled software in Windows 10
    Published by Category: Virtualization
    02 Jul 2020
    Designer Media Ltd

    A quote from Ten Forums tutorial Enable Windows Sandbox Feature in Windows 10 Home Edition

    Starting with Windows 10 build 18305, Microsoft introduced Windows Sandbox.

    Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

    How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?

    At Microsoft, they regularly encounter these situations, so they developed Windows Sandbox: an isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all of its files and state are permanently deleted.
    Windows Sandbox does not contain any third party software, and uses a default theme. It looks quite plain by default:
    [Image: sandbox-default.jpg]

    By creating a configuration file, users can change the theme, switch to Dark Mode, add software and so on. This tutorial will show how to do that.




    Contents

    Part One: Sample Windows Sandbox Configuration File
    Part Two: Virtual GPU
    Part Three: Networking
    Part Four: Shared Folders
    Part Five: Startup script



    Part One

     Sample Windows Sandbox Configuration File

    1.1 A Windows Sandbox configuration file contains information about vGPU (virtualized GPU), networking, folders on host shared with Sandbox, and can run a startup script to execute commands:
    [Image: sandbox-wsb-file.jpg]
    (Image from Thomas Maurer's blog on Microsoft Tech Community.)

    1.2 All four modules are optional. If the user wants to run Sandbox with default settings and only add a shared folder, only that module is required.

    1.3 Here's the configuration file I use to enable vGPU and networking, map a host folder %userprofile%\OneDrive\Sandbox, and run a batch file SBConfig.bat (see step 1.5) to apply a custom Windows theme, install Chrome, Firefox and Opera browsers, and set Windows to use dark mode:

    Code:
    <Configuration>
    <vGPU>Enable</vGPU>
    <Networking>Default</Networking>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\OneDrive\Sandbox</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    <LogonCommand>
       <Command>C:\users\WDAGUtilityAccount\Desktop\Sandbox\SBConfig.bat</Command>
    </LogonCommand>
    </Configuration>

    1.4 A Sandbox configuration file must have the extension .wsb (Windows SandBox). I have saved the above file as Browsers and theme.wsb in the folder %userprofile%\OneDrive\Sandbox. By double clicking the .wsb file on the host, I can start Windows Sandbox with a custom theme and dark mode, vGPU and networking enabled, three third party browsers installed, and the host folder Sandbox shared with Sandbox:
    [Image: sandbox-customized.jpg]

    1.5 The batch file SBConfig.bat, run from the <LogonCommand> tags in the configuration file, is also saved in the %userprofile%\OneDrive\Sandbox folder:

    Code:
    REM Apply a custom theme
    REM As Windows Sandbox is not activated, this is the only way to personalize it
    C:\Users\WDAGUtilityAccount\Desktop\Sandbox\W10G-TF.deskthemepack
    
    REM Install Chrome
    start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ChromeStandaloneSetup64.exe /silent /install
    
    REM Install Firefox
    start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\FirefoxSetup.exe -ms 
    
    REM Install Opera
    start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\Opera_64.0.3417.73_Setup.exe /silent /allusers=yes /launchopera=no /setdefaultbrowser=no
    
    REM Switch to Dark Mode
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 00000000 /f
    
    REM Close Settings app left open when theme was applied
    start /wait taskkill /F /IM SystemSettings.exe

    The first command in the batch file applies my custom Windows Theme Pack file. When a theme is applied, the Settings app automatically opens on the Personalization page.

    The last command in the batch file then closes the Settings app. Settings opens with a slight delay: if the TASKKILL command were executed immediately after applying the theme, Settings would not yet be fully open, and TASKKILL would fail.


    Let's break the configuration file into parts and look at each module.



    Part Two

     Virtual GPU

    2.1 By default, vGPU (virtualized GPU) is enabled in Sandbox. The vGPU tags in the configuration file can be used to disable vGPU and make Sandbox use software rendering instead. Especially when testing possible malware, this reduces the risk of the host getting infected, at the cost of somewhat slower rendering.

    2.2 Allowed values for vGPU tags are Enable (default) and Disable.

    2.3 If you want to accept all other defaults and just disable vGPU, a simple three-line configuration file is enough:

    Code:
    <Configuration>
    <vGPU>Disable</vGPU>
    </Configuration>

    2.4 I save this as %userprofile%\OneDrive\Sandbox\VGPUDisabled, and can run Sandbox with vGPU disabled by double clicking it.



    Part Three

     Networking

    3.1 By default, networking is enabled in Sandbox. The Networking tags in the configuration file can be used to disable it. Disabling networking together with vGPU is recommended when testing possible malware. These two settings make Sandbox completely isolated from host and network.

    3.2 Allowed values for Networking tags are Default (network enabled) and Disable.

    3.3 If you want to accept all other defaults and just disable networking, use the following configuration file. I save it as %userprofile%\OneDrive\Sandbox\NoNetwork.wsb:

    Code:
    <Configuration>
    <Networking>Disable</Networking>
    </Configuration>

    3.4 To completely isolate Sandbox from host and network, use the following configuration file. I save it as %userprofile%\OneDrive\Sandbox\Isolated.wsb:

    Code:
    <Configuration>
    <vGPU>Disable</vGPU>
    <Networking>Disable</Networking>
    </Configuration>



    Part Four

     Shared Folders

    4.1 All host folders can be shared with Sandbox. When shared, each folder will be added to desktop of Sandbox default user profile WDAGUtilityAccount.

    4.2 Host folders are shared inside the <MappedFolders> tags (notice the plural s at the end of the tag name). Within them, each shared folder is given in its own <MappedFolder> tags (singular).

    As my user profiles are stored on the E: drive, to share my host folder E:\Users\Kari\Downloads with Sandbox, I use the following configuration file, saving it as %userprofile%\OneDrive\Sandbox\Downloads.wsb:

    Code:
    <Configuration>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\Downloads</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    </Configuration>

    4.3 In addition, I want to share my custom Sandbox folder, located in my OneDrive. With the following configuration file I can share both:

    Code:
    <Configuration>
    <vGPU>Enable</vGPU>
    <Networking>Default</Networking>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\OneDrive\Sandbox</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\Downloads</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    <LogonCommand>
       <Command>C:\users\WDAGUtilityAccount\Desktop\Sandbox\SBConfig.bat</Command>
    </LogonCommand>
    </Configuration>

    4.4 The <ReadOnly> tags with value true, used for both shared folders, tell Sandbox that it has no right to write to these folders: it cannot save anything in them or edit their content. Changing the <ReadOnly> value to false gives Sandbox full access.



    Part Five

     Startup Script

    5.1 The <LogonCommand> tags can contain any Windows command, or run an executable file, batch file or script.

    5.2 If the command is not an internal, native Windows command, Sandbox must find its target in a shared folder. For instance, if I want to accept all other defaults and just run my SBConfig.bat batch file when Sandbox is started (see step 1.5), I would first save the batch file in a folder shared in the configuration file, then run it from the <LogonCommand> tags:

    Code:
    <Configuration>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\OneDrive\Sandbox</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    <LogonCommand>
       <Command>C:\Users\WDAGUtilityAccount\Desktop\Sandbox\SBConfig.bat</Command>
    </LogonCommand>
    </Configuration>

    5.3 In the above code sample, I first share the host folder E:\Users\Kari\OneDrive\Sandbox with Windows Sandbox, which adds it to the desktop of its default user profile. The folder contains the batch file SBConfig.bat, which Windows Sandbox runs from this mapped network share.

    Important to remember: if the command given is not an internal, native Windows command, Sandbox must be able to find it in a shared folder. If you run an application installer, a PowerShell script, a batch file, a Java script and so on from <LogonCommand> tags, the target, executable or script itself must be accessible to Sandbox.


    5.4 To automatically install software in Windows Sandbox, download its offline installer, and find out which switches need to be used for a silent unattended install. For instance, if you want Google Chrome to be available every time Sandbox starts, download its offline installer from here: Google Chrome - The New Chrome & Most Secure Web Browser

    5.5 In my case, I saved the Chrome installer in my custom Sandbox folder, shared that folder, and ran the silent installer from the mapped drive in Windows Sandbox with the following configuration file. It starts Windows Sandbox with default settings, and installs Chrome silently in the background:

    Code:
    <Configuration>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\OneDrive\Sandbox</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    <LogonCommand>
       <Command>C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ChromeStandaloneSetup64.exe /silent /install</Command>
    </LogonCommand>
    </Configuration>


    That's about it. My OneDrive\Sandbox folder contains all my .wsb scripts, each starting Windows Sandbox in a different way. I can run any of them to start Windows Sandbox the way I want. It also contains the offline software installers, a batch file to install software and apply the theme, and the theme file itself, naturally saved in the same folder:
    [Image: sandbox-folder.jpg]

    Please post your possible issues and questions about configuring Windows Sandbox in this thread.

    Kari
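
    Added example, not part of the original tutorial: a small Python check that reads a .wsb file and lists the settings Parts Two to Five describe as exposure (vGPU, networking, writable mapped folders, logon command). The function name audit_wsb, the finding strings and the D:\Lab\Sandbox sample are assumptions made for this illustration; the rule that a missing <ReadOnly> means read/write comes from Microsoft's documentation, not from this page.

```python
import ntpath
import xml.etree.ElementTree as ET

# Where mapped folders appear inside the sandbox (step 4.1 of the tutorial).
SANDBOX_DESKTOP = r"C:\Users\WDAGUtilityAccount\Desktop"

def _value(node, tag, default):
    child = node.find(tag)  # lower-cased tag text, or the default when absent
    return (child.text or "").strip().lower() if child is not None else default

def audit_wsb(xml_text):
    """Return exposure findings for one .wsb configuration (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings, writable = [], []
    # Both features stay on unless explicitly disabled (steps 2.1 and 3.1).
    if _value(root, "vGPU", "enable") != "disable":
        findings.append("vGPU enabled")
    if _value(root, "Networking", "default") != "disable":
        findings.append("networking enabled")
    for folder in root.iterfind("MappedFolders/MappedFolder"):
        host = (folder.findtext("HostFolder") or "").strip().rstrip("\\")
        # A missing <ReadOnly> means read/write (Microsoft's documented default).
        if _value(folder, "ReadOnly", "false") != "true":
            findings.append(f"writable host folder: {host}")
            inside = ntpath.join(SANDBOX_DESKTOP, ntpath.basename(host))
            writable.append(inside.lower() + "\\")
    command = (root.findtext("LogonCommand/Command") or "").strip()
    if command:
        findings.append(f"logon command: {command}")
        # A startup file in a writable share can be changed from inside the
        # sandbox; the change lives on the host and runs in later sessions.
        if any(command.lower().startswith(prefix) for prefix in writable):
            findings.append("logon command target is writable from the sandbox")
    return findings

# Step 3.4's isolated configuration from the tutorial.
ISOLATED = "<Configuration><vGPU>Disable</vGPU><Networking>Disable</Networking></Configuration>"

# Constructed sample: a writable share that also holds the startup script.
RISKY = r"""<Configuration>
<MappedFolders><MappedFolder>
  <HostFolder>D:\Lab\Sandbox</HostFolder>
  <ReadOnly>false</ReadOnly>
</MappedFolder></MappedFolders>
<LogonCommand><Command>C:\Users\WDAGUtilityAccount\Desktop\Sandbox\SBConfig.bat</Command></LogonCommand>
</Configuration>"""

for name, cfg in (("ISOLATED", ISOLATED), ("RISKY", RISKY)):
    print(name, audit_wsb(cfg))
```

    An empty list means the file matches the isolated setup of step 3.4 with no shared folders and no startup command.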






  1. Posts : 17,661
    Windows 10 Pro
       #1

    Anyone else having this issue when upgraded to Insider Preview build 19013:

    Kari


  2. Posts : 17,661
    Windows 10 Pro
    Thread Starter
       #2

    OK, seems that Sandbox team is taking my feedback seriously.





  4. Posts : 4,666
    Windows 10 Pro x64 21H1 Build 19043.1151 (Branch: Release Preview)
       #4

    My current custom sandbox:
    [Image: image.png]

    What I changed:
    1. Exported my current theme from host system
    2. Added my %USERPROFILE%\Downloads and %USERPROFILE%\Documents\Sandbox host folders
    3. Enabled Dark Theme for Apps
    4. Runs a .reg-file with all locale data exported from host system (changes clock display format and others, because my system locale is EN-US but regional settings are Finnish)


    Thanks for this. Now I have a decent Sandbox. Next I will add some development software to my configuration and start hacking some code without having to be afraid to break my host.


  5. Posts : 132
    10 Pro
       #5

    Can't make the commands work.
    Wanted it to install Edge. Downloaded the offline installer, used the quiet switch, didn't do anything.


  6. Posts : 17,661
    Windows 10 Pro
    Thread Starter
       #6

    mkr10001 said:
    Can't make the commands work.
    Wanted it to install Edge. Downloaded the offline installer, used the quiet switch, didn't do anything.

    Just to be sure, I just downloaded the latest stable version of new Edge, then created a new batch file to install it, and finally a new WSB configuration file to launch Sandbox and install Edge.

    Works perfectly, exactly as told in the tutorial.

    With the little information you give, it's impossible to tell why you can't get it working.

    Kari


 
