Ever since a sneaky crypto mining malware hitched a ride onto my machine — one I only discovered after it disabled Windows Defender and tanked my frame rate in games — I’ve been more reserved about installing anything I don’t know. But since trying out software has once again become part of my job at XDA, I’ve been using Windows Sandbox rather than fully fledged virtual machines to test nearly all tools before transferring them to my main system. With it, I can instantly spin up a secure environment for testing software without jeopardizing my host machine.

What is Windows Sandbox, and how to enable it

It's already part of Windows; you just need to nudge it awake

Windows Sandbox uses the Hyper-V hypervisor to create a temporary, isolated Windows test environment complete with its own virtual network stack. At a glance, it looks just like a fresh installation of Windows, but you’ll immediately notice the absence of a few core features like Windows Defender. That difference aside, I can freely install any software I want, and the contents are erased the moment the sandbox closes, including any malware.

Windows Sandbox is great for:

  • Testing applications
  • Tinkering with Windows settings
  • Testing software compatibility
  • Accessing potentially dangerous websites
  • Recording Windows tutorials

If your PC is running Windows 11 Pro, Enterprise, or Education editions, you can enable Windows Sandbox by turning on a few settings. The first step is to enable virtualization in the UEFI. It should be called VT-x on Intel boards or AMD-V on AMD boards. Then, once you’ve booted into Windows, you need to enable Windows Sandbox and Hyper-V in the “Turn Windows features on or off” panel (you can find it by pressing the Start key and typing in its name).

Once that’s all done, restart your PC, and Windows Sandbox should be good to go. Launch it by searching for it in Windows Search (hit Start, then type “Windows Sandbox”). Because it uses the same Windows build as the host OS, it’s a good idea to run Windows Update as well.
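The same procedure from the command line, as an added example that is not part of the XDA article: this PowerShell script checks that virtualization is switched on in the firmware, then enables Hyper-V and Windows Sandbox as optional Windows features. The feature identifiers are the real optional-feature names; the variable names and messages are this example's own. It must be run from an elevated PowerShell on Windows 11 Pro, Enterprise, or Education.

```powershell
# Added example (not the article's own code): check the firmware prerequisite,
# then enable the two optional features described above. Run as Administrator.

# 1. Confirm that virtualization (VT-x / AMD-V) is switched on in the UEFI.
#    Get-ComputerInfo exposes the same Hyper-V requirement flags that systeminfo prints.
$info = Get-ComputerInfo
if ($info.HyperVisorPresent) {
    # A hypervisor is already running, so firmware virtualization is in use and
    # the HyperVRequirement* flags are not reported.
    Write-Host "A hypervisor is already present; firmware virtualization is in use."
} elseif (-not $info.HyperVRequirementVirtualizationFirmwareEnabled) {
    Write-Warning "Virtualization is disabled in firmware. Enable VT-x/AMD-V in the UEFI and rerun."
    return
}

# 2. Enable Hyper-V and Windows Sandbox. 'Containers-DisposableClientVM' is the
#    optional-feature id behind the 'Windows Sandbox' checkbox in the
#    'Turn Windows features on or off' panel.
$features = @("Microsoft-Hyper-V-All", "Containers-DisposableClientVM")
foreach ($name in $features) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $name).State
    if ($state -eq "Enabled") {
        Write-Host "$name is already enabled."
    } else {
        Write-Host "Enabling $name ..."
        Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart | Out-Null
    }
}

# 3. Reboot so the features take effect; afterwards the sandbox can be started
#    from Windows Search or by running WindowsSandbox.exe.
Write-Host "Restart the PC to finish, then run WindowsSandbox.exe or search for 'Windows Sandbox'."
```

`-NoRestart` is used so the two features are enabled in one pass and the reboot happens once, at a moment of your choosing; the script deliberately stops before touching any feature if the firmware flag is off, because enabling Hyper-V without VT-x/AMD-V only produces a non-functional hypervisor.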

It’s safe and fast

An incredibly convenient screening tool

Windows Sandbox is essentially Hyper-V, a type 1 hypervisor that runs directly on the physical hardware. This gives its virtualized environments the best performance and isolation. Because a type 1 hypervisor doesn't depend on a host operating system's kernel, vulnerabilities in that kernel can't undermine the isolation (though, in this case, the sandbox runs the same Windows build as the host, so any bug the two share is present in both).

On top of that, Windows Sandbox itself is lightweight; every instance launches in seconds. Because it boots into a clean copy of Windows every time, I need to set up the testing environment on every run. For example, if I want to play an MP3 file, I'll need to download VLC and antivirus software like Malwarebytes first. Another limitation is that only a single instance can run at a time. Still, that's a small price to pay for such a convenient tool.

A simple diagram that shows the different ways a traditional VM and Windows Sandbox handle memory sharing. Source: Microsoft

Windows Sandbox uses several tricks to make it fast and efficient. Thanks to the Dynamic Base Image feature, it builds its base image by sharing many of the immutable files of the host operating system, rather than installing Windows from scratch each time, allowing it to deploy almost instantly. It also uses the same memory pages as the host for OS binaries, reducing its memory footprint without sacrificing security. Finally, it dynamically allocates resources according to its workload and uses hardware-accelerated rendering via the host’s GPU.

How it can be defeated

It isn’t invulnerable

Just because Windows Sandbox makes it supremely difficult for malware to escape its containment doesn't mean it's airtight. The two biggest failure points are the clipboard (copying and pasting) and networking. If a malicious file gets copied from the sandbox onto the host machine, the isolation counts for nothing. And although Windows Sandbox uses its own virtual network switch that keeps its traffic separate from the host's, the sandbox is still a complete network node, so malware running inside it can use it as a foothold to scan for and attack vulnerabilities elsewhere on the network.

Another thing to be wary of is how malware behaves. Some malware can detect that it's running in a virtualized environment and suspend its malicious activity. Moreover, if it hides a timed or delayed payload set to trigger later, a brief initial test may not reveal the danger.

Tweaking Windows Sandbox

Make it even more secure

An example configuration file for Windows Sandbox.

To limit the clipboard and networking risks, Windows Sandbox lets me tweak its behavior through a custom .wsb configuration file: a small XML file containing a set of custom values, saved with a text editor such as Notepad or Visual Studio Code. Through it, I can disable clipboard redirection, networking, and even printer redirection. I can also disable GPU virtualization and audio input to isolate the environment further.

The image above shows a sample .wsb configuration file along with all its custom parameters. To launch the custom configuration, simply double-click the .wsb file.
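A hardened configuration of the kind described above, as an added example and not the article's own file: this PowerShell script writes a .wsb file that turns off the clipboard, networking, printer redirection, GPU virtualization and audio input, and then launches it exactly as a double-click would. The XML element names are Windows Sandbox's documented configuration keys. The output path, the memory value and the read-only mapped folder (a way to stage an installer inside the sandbox without re-enabling the clipboard, which the article does not cover) are this example's assumptions.

```powershell
# Added example (not the article's own configuration): write a locked-down .wsb
# file and open it. Assumed paths are marked; adjust them to your machine.

$wsbPath    = Join-Path $env:USERPROFILE "Desktop\Hardened.wsb"   # assumed output location
$dropFolder = "C:\SandboxDrop"                                      # assumed host staging folder

# The sandbox signs in as the built-in WDAGUtilityAccount user, hence the guest path below.
$config = @"
<Configuration>
  <!-- Close the two failure points named above: no shared clipboard, no network. -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <Networking>Disable</Networking>

  <!-- Shrink the surface exposed to the guest further. -->
  <PrinterRedirection>Disable</PrinterRedirection>
  <VGpu>Disable</VGpu>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>

  <!-- Apply the stricter settings to the RDP session that displays the sandbox. -->
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>4096</MemoryInMB>

  <!-- Host folder mapped read-only: files can go in, but nothing the sample
       writes inside the sandbox can come back out through this folder. -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$dropFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Drop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@

# Create the staging folder if it doesn't exist, write the file, and launch it.
if (-not (Test-Path $dropFolder)) { New-Item -ItemType Directory -Path $dropFolder | Out-Null }
Set-Content -Path $wsbPath -Value $config -Encoding UTF8
Invoke-Item $wsbPath   # opens the .wsb with its file association, same as double-clicking it
```

With networking disabled the sandbox cannot download anything, so the read-only mapped folder is the only intended way in; copy the installer into `C:\SandboxDrop` on the host before launching. If you don't want any host folder visible to the guest at all, delete the whole `<MappedFolders>` block and the two lines that create and reference `$dropFolder`.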

Remember never to log into any accounts in a Sandbox session used to test software and websites.

Windows Sandbox is one of my favorite tools

It brings me peace of mind when testing applications

Even though I trust that Windows Sandbox can protect me against most threats, I still won’t be downloading every suspicious piece of software I come across. The only surefire way to guarantee isolation is to run the application on a physically isolated device without any networking capability. Still, it has been an instrumental tool in testing out the tools that I need to write about. Even beyond security, Windows Sandbox is also a quick way to test for compatibility and mess around with all the weird settings within Windows.