Windows Sandbox: An In-Depth Look

What is Windows Sandbox?

Windows Sandbox is a sandboxing environment built into Microsoft Windows version 1903 and higher, which lets you safely run your applications in isolated, lightweight desktop environments.

When you install software inside Windows Sandbox, Windows runs applications in an isolated virtual machine, preventing threats from impacting the rest of the environment. This ensures software components run separately from the host, and any software installed on the host is not available to the sandbox environment. Any software needed in the sandbox should be directly installed in the environment.

Because the sandbox is temporary, once it is closed all software, files, and the state are deleted. When you open the application, a new sandbox instance is created.

Here are key features of Windows Sandbox:

  • Secure—Windows Sandbox leverages the Hyper-V hypervisor to run a separate operating system kernel, isolating the sandboxed environment from the physical host.
  • Windows native—Windows Sandbox components are included in Windows 10 Pro and Enterprise.
  • Clean environment—Windows Sandbox initiates a clean installation for each sandboxed application
  • Disposable—the device is wiped clean after a user closes the application.
  • Efficient—Windows Sandbox uses advanced capabilities, including an integrated kernel scheduler, virtual graphics processing unit (GPU), and smart memory management.
  • No file system duplication—files in the sandbox are pointers to the same file system, so the storage overhead of the sandbox is minimal.

How Windows Sandbox Works

Windows Sandbox leverages several technologies when creating isolated environments:

A dynamic base image—Windows Sandbox uses virtual machines (VMs) to generate a sandbox. A VM requires an operating system (OS) to work. To consistently create new and clean OS-installed VMs, Windows Sandbox generates a dynamic base image, and each sandbox is a clean copy of the original host operating system, with a clean registry and file system, just like a fresh OS installation.

  • Snapshots—makes the boot process faster than booting up a full operating system.. Windows Sandbox boots an individual sandbox only once, then uses snapshots to save memory and device state for subsequent use. This helps the environment to restore memory without initiating another boot process.
  • Kernel-based memory management—enables the host to reclaim memory from Windows Sandbox, as needed. A direct memory map that lets the sandbox use the same memory pages accessed by the host.
  • Integrated scheduler—the host OS treats the visual processors of the sandbox like process threads. This means that the host OS manages Windows Sandbox like a process and not like a traditional VM. The integrate scheduler ensures that the base OS prioritizes the operations of the host over other processes. This makes resource allocation more efficient compared to a traditional VM, where the host doesn’t have visibility to the guest.
  • Graphics—Windows Sandbox uses hardware-accelerated rendering, for GPUs with WDDM version 2.6 and higher, to improve the performance and responsiveness of applications. In addition, Sandbox dynamically allocates graphic resources across the host and environments.

Related content: read our guide to app sandboxing

Windows Sandbox Architecture

Dynamically Generated Image

Instead of using separate copies of Windows when booting the sandbox, Windows Sandbox dynamically generates pointers to different operating system images.

The majority of OS files are immutable. This means that files can be shared with the sandbox environment. However, several OS files cannot be shared, and in this case the sandbox image creates clean copies of these files.

Together—the shared immutable files and the copies of the mutable files—create a complete image, used to boot a sandbox environment. Before the installation of the environment, the image is packaged and stored as a compressed file. Once installed, the image takes up approximately 500 MB of disk space.

Memory Management

VMs usually use static allocation to apportion host memory. This means that traditional VMs are limited—once resource needs change, there are few mechanisms that enable you to scale. A Windows Sandbox, on the other hand, offers more flexibility.

Windows Sandbox leverages containers to enable collaboration with the host, which can then dynamically determine how to allocate host resources. The goal is to supply hosts with resources when it is under memory pressure. In this case, the host can reclaim memory from a container.

Memory Sharing

A “direct map” technology enables the image and the host to share the same physical memory pages. This technology ensures that the image and host use less memory without compromising host secrets.

Integrated Kernel Scheduler

Traditionally, the Microsoft hypervisor controls the scheduling of any virtual processor running in the VM. Windows Sandbox leverages an integrated scheduler that lets the host scheduler specify when the sandbox environment gets central processing unit (CPU) cycles.

This process lets the Sandbox schedule virtual processors like host threads, and prioritize the most important jobs regardless of where they are performed.

WDDM GPU Virtualization

To ensure optimal performance and responsiveness, Windows Sandbox leverages hardware-accelerated rendering. This is especially useful for graphic-intensive workloads. Sandbox uses DirectX and Windows Display Driver Model (WDDM), which lets sandbox-based programs compete for GPU resources with any application running on the host.

To use this feature you need a GPU, and graphics drivers supporting WDDM 2.5+. Otherwise, applications will be rendered based on the CPU using Windows Advanced Rasterization Platform (WARP), without leveraging GPU resources.

Battery Pass-Through

Windows Sandbox is always aware of the battery state of the host. This enables Sandbox to continuously optimize power consumption. Battery pass-through processes are critical for laptops, which heavily rely on battery life.

Windows Sandbox Configuration

Windows Sandbox provides simple configuration files that let you customize ten parameters per sandbox environment. This feature supports Windows 10 build 18342 or newer versions.

A Windows Sandbox configuration file can only be formatted as XML. The .wsb file extension associates configuration files with Sandbox.

Here are the ten customizations you can achieve with a Windows Sandbox configuration file:

  1. Virtualized GPU (vGPU)—lets you enable or disable the vGPU. Note that when you disable vGPU, the sandbox starts using WARP.
  2. Networking—lets you enable or disable the sandbox’s network access.
  3. Mapped folders—lets you share host folders with write or read permissions. However, do this with caution because exposing host directories might let malware perform unauthorized actions on the data and applications.
  4. Logon command—executed when Sandbox starts.
  5. Audio input—lets you share the microphone input of the host with the sandbox.
  6. Video input—lets you share the webcam input of the host with the sandbox.
  7. Protected client—adds extended security measures on the remote desktop protocol (RDP) session.
  8. Printer redirection—lets you share host printers with the sandbox.
  9. Clipboard redirection—lets you share the host clipboard with a sandbox environment. This configuration enables you to paste text and files between host and sandbox.
  10. Memory in MB—lets you define the amount of required memory per sandbox, in megabytes.

Hysolate- Windows Sandbox on Steroids

Hysolate can be used as a sandbox for isolating risky websites, applications documents or even peripherals on Windows10 endpoint devices. Developers or researchers can download open source-code repositories, access training videos over YouTube, or try out potentially malicious software within an isolated OS, without exposing risk to corporate data.

Hysolate is a full OS isolation solution, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.

Hysolate has several advantages over Windows10 sandbox. It sits on the user endpoint so provides a better UX, but is managed by a granular management console via the cloud. This means that admins can monitor and control exactly what their team is using the sandbox environment for, and it can be wiped  at the touch of a button if threats are detected. Unlike Windows Sandbox, Hysolate can be scaled to your entire team, not just the technical members. Hysolate sandboxes all applications, websites, documents and peripherals in a “risky” Workspace, giving you better security, and manageability.

Try out Hysolate Free today for easier sandboxing to isolate risky activities.