Windows Sandbox - personalized base image?  


  1. Posts : 3
    windows 10 N Pro
       #1

    Windows Sandbox - personalized base image?


    Hi,
    I was wondering if anyone had found a way to use a personalised base image in Windows Sandbox. The version of Windows it uses is the 2004 Enterprise (19041.1503). Through wsb configuration file it is possible to do many things to personalize the sandbox (mount a local folder, apply themes, run startup commands, apply reg configs, etc.), but the base image is stuck on 2004 Enterprise.

    As far as I know this tecnology is based on Windows Containers and all the files it uses are found in ProgramData\Microsoft\Windows\Containers (attached the structure of the folder made with snap2html).

    In particular in the subfolder PortableBaseLayer is found the base image in the form of a VHDX file: WindowsDefenderApplicationGuard.vhdx (this file is hardlinked as BaseLayer.vhdx under BaseImages subfolder) .

    There are also two other files (SystemTemplateBase.vhdx and SystemTemplate.vhdx) that seems to be snapshot vhds, maybe used as layers on top of the base image.

    using fsutil volume list it turns out that the sub folder BaseLayer is a mount point of a VHDX
    Code:
    fsutil volume list
    \\?\Volume{629458e4-0000-0000-0000-010000000000}\
    C:\ProgramData\Microsoft\Windows\Containers\BaseImages\af4dcbf9-b553-4d86-8a8b-e825ff729191\BaseLayer\
    most probably WindowsDefenderApplicationGuard.vhdx or BaseLayer.vhdx. If you try to explore the BaseLayer folder Windows will complain of missing permissions, but through Disk Manager->Mount VHD the folder is browsable. In fact most of the vhds in these folders can be actually mounted in Disk Manager.

    In the registry, there are also key values, as attached in Containers.reg, that point to C:\WINDOWS\Containers\serviced\WindowsDefenderApplicationGuard.wim which is hardlinked to C:\Windows\WinSxS\amd64_microsoft-windows-dynamic-image_31bf3856ad364e35_10.0.19041.1503_none_b4e081eeeaa333a6\WindowsDefenderApplicationGuard.wim

    It would be interesting to dig more and find a way to use in original ways this technology, maybe using a Windows 11 sandbox on windows 10?
    Windows Sandbox - personalized base image? Attached Files
    Last edited by artioni81; 05 Feb 2022 at 09:33.
      My Computer


  2. Posts : 3,249
    Win10
       #2

    I haven't tried it, but if you want to experiment with custom Sandboxes, have you seen this ? Although at first glance, it might not be possible to achieve a Windows 11 Sandbox in Windows 10, considering the amount of inter-dependencies between the BaseLayer.vhdx and the actual OS files that the Sandbox is running on.

    Playing in the (Windows) Sandbox - Check Point Research
      My Computers


  3. Posts : 3
    windows 10 N Pro
    Thread Starter
       #3

    das10 said:
    I haven't tried it, but if you want to experiment with custom Sandboxes, have you seen this ? Although at first glance, it might not be possible to achieve a Windows 11 Sandbox in Windows 10, considering the amount of inter-dependencies between the BaseLayer.vhdx and the actual OS files that the Sandbox is running on.

    Playing in the (Windows) Sandbox - Check Point Research
    Great article!!
      My Computer


  4. Posts : 15,066
    Windows10
       #4

    artioni81 said:
    Great article!!
    The article is out of date in one key respect. The Dev version of Windows 11 now has persistence across reboots e.g. if you need to reboot Windows in sandbox to finish installing a program (quite common), you can now do that.

    Incidentally (imo), so far, this is the only really useful technical development in Windows 11 that is a real technical change rather than zillions of cosmetic changes
    Last edited by cereberus; 07 Feb 2022 at 04:00.
      My Computer


  5. Posts : 11,247
    Windows / Linux : Arch Linux
       #5

    cereberus said:
    The article is out of date in one key respect. The Dev version of Windows 11 now has persistence across reboots e.g. if you need to reboot Windows in sandbox to finish installing a program (quite common), you can now do that.

    Incidentally (imo), so far, this is the only really useful technical development in Windows 11 that is a real technical change rather than zillions of cosmetic changes
    With physical vhdx files where you can install as many Windows systems as you like (without losing activation) and where you get full use of the hardware I rather fail to see the value any more of the Sandbox as it's easier to do your testing on a "Complete" Windows install with real hardware and simply delete it if it gets hosed up.

    Simply keep a "reference" vhdx windows install and "replicate" when you want a new test bed.

    E.g

    Windows Sandbox - personalized base image?-multios.png

    (Also performance etc is far better too).

    Cheers
    jimbo
      My Computer


  6. Posts : 15,066
    Windows10
       #6

    jimbo45 said:
    With physical vhdx files where you can install as many Windows systems as you like (without losing activation) and where you get full use of the hardware I rather fail to see the value any more of the Sandbox as it's easier to do your testing on a "Complete" Windows install with real hardware and simply delete it if it gets hosed up.

    Simply keep a "reference" vhdx windows install and "replicate" when you want a new test bed.

    E.g

    Windows Sandbox - personalized base image?-multios.png

    (Also performance etc is far better too).

    Cheers
    jimbo
    We have discussed this several times. A vhd is not a sandbox, and does not insulate the main OS from viruses, malware etc.

    A vhd as part of a virtual machine relatively insulates the main OS but infections can still get through e.g. if somebody later attaches vm vhd as a boot host vhd.

    With the sandbox, it is really hard to infect the host other than possible infection to shared host/sandbox files, which are effectively data files only. Given most infected files are .exe files, user would have to manually copy infected files to the shared host folder, and then run them on host as well.

    So if a person was deliberately infecting windows to test some antivirus application, then a sandbox would be the way to go.
      My Computer


  7. Posts : 11,247
    Windows / Linux : Arch Linux
       #7

    cereberus said:
    We have discussed this several times. A vhd is not a sandbox, and does not insulate the main OS from viruses, malware etc.

    A vhd as part of a virtual machine relatively insulates the main OS but infections can still get through e.g. if somebody later attaches vm vhd as a boot host vhd.

    With the sandbox, it is really hard to infect the host other than possible infection to shared host/sandbox files, which are effectively data files only. Given most infected files are .exe files, user would have to manually copy infected files to the shared host folder, and then run them on host as well.

    So if a person was deliberately infecting windows to test some antivirus application, then a sandbox would be the way to go.
    Hi there

    agreed also --but like all these things it depends on what the actual end user wants to achieve -- there's no "1 Standard" single best option usually. 3 methods are readily available -- VM's, Sandbox, or Multi-boot. All of them are fine for specific conditions and user requirements. It's best to be aware of the possibilities available without always trying to fit a requirement into less than the best solution.

    I've loads of experience with some dubious management trying to fit everybody's work applications into rigid packages not fit for purpose rather than getting user requirements first and then deciding on the best solution for achieving it.

    I think "Hole nr 19" on a Golf course is often the deciding factor. !!

    Cheers
    jimbo
      My Computer


  8. Posts : 3
    windows 10 N Pro
    Thread Starter
       #8

    Thanks to all who engaged in this thread.

    As mentioned from some of you, there are many options out there to achieve different things. I think Sandbox is a great tool for many use cases as a disposable tool. I found a product that builds upon Windows Sandbox, Hysolate, that takes it to some next level.

    I'll continue to try understanding more on how can Sandbox be adapted to ones needs and update this thread.
      My Computer


  9. Posts : 11
    Windows 10 PRO X64 (Native VHD)
       #9

    After reading the insanely thorough article on playing in the sandbox, I agree it's unlikely, but possible...

    Does anyone have the win11 vhdx programdata? Eg the vhdx files.
    If someone can drop in the cloud we can fudge and see what happens... assuming no-one (here) has been bold enough to even go there...

    I've just updated to pro so I can sandbox on my current/only workstation again, and tried to use an old method of prepping winget at launchtime via wsb, but appear to have used a different method (this method?) to obtain the installers. Now gonna try the Flare VM config guide, to hopefully inject "pre-installed" apps into a vhd, perhaps setting up a system where different vm-profiles can be used with launch parameters (eg a dev box, vs a clean box, a flare rev-eng box, etc)
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 07:47.
Find Us




Windows 10 Forums