Windows Sandbox
Published Dec 18 2018 04:18 PM 2M Views

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.


How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?


At Microsoft we regularly encounter these situations, so we developed Windows Sandbox: an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.


Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on the Microsoft’s hypervisor to run a separate kernel which isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU


Prerequisites for using the feature

  • Windows 10 Pro or Enterprise Insider build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)


Quick start

  1. Install Windows 10 Pro or Enterprise, Insider build 18305 or newer
  2. Enable virtualization:
    • If you are using a physical machine, ensure virtualization capabilities are enabled in the BIOS.
    • If you are using a virtual machine, enable nested virtualization with this PowerShell cmdlet:
    • Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
  3. Open Windows Features, and then select Windows Sandbox. Select OK to install Windows Sandbox. You might be asked to restart the computer.
  4. Optional Windows Features dlg.png
  5. Using the Start menu, find Windows Sandbox, run it and allow the elevation
  6. Copy an executable file from the host
  7. Paste the executable file in the window of Windows Sandbox (on the Windows desktop)
  8. Run the executable in the Windows Sandbox; if it is an installer go ahead and install it
  9. Run the application and use it as you normally do
  10. When you’re done experimenting, you can simply close the Windows Sandbox application. All sandbox content will be discarded and permanently deleted
  11. Confirm that the host does not have any of the modifications that you made in Windows Sandbox.

 Windows Sandbox Screenshot - open.jpg


Windows Sandbox respects the host diagnostic data settings. All other privacy settings are set to their default values.


Windows Sandbox internals

Since this is the Windows Kernel Internals blog, let’s go under the hood. Windows Sandbox builds on the technologies used within Windows Containers. Windows containers were designed to run in the cloud. We took that technology, added integration with Windows 10, and built features that make it more suitable to run on devices and laptops without requiring the full power of Windows Server.


Some of the key enhancements we have made include:


Dynamically generated Image

At its core Windows Sandbox is a lightweight virtual machine, so it needs an operating system image to boot from. One of the key enhancements we have made for Windows Sandbox is the ability to use a copy of the Windows 10 installed on your computer, instead of downloading a new VHD image as you would have to do with an ordinary virtual machine.


We want to always present a clean environment, but the challenge is that some operating system files can change. Our solution is to construct what we refer to as “dynamic base image”: an operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host. The majority of the files are links (immutable files) and that's why the small size (~100MB) for a full operating system. We call this instance the “base image” for Windows Sandbox, using Windows Container parlance.


When Windows Sandbox is not installed, we keep the dynamic base image in a compressed package which is only 25MB. When installed the dynamic base package it occupies about 100MB disk space.

 Dynamic Image.PNG

Smart memory management

Memory management is another area where we have integrated with the Windows Kernel. Microsoft’s hypervisor allows a single physical machine to be carved up into multiple virtual machines which share the same physical hardware. While that approach works well for traditional server workloads, it isn't as well suited to running devices with more limited resources. We designed Windows Sandbox in such a way that the host can reclaim memory from the Sandbox if needed.


Additionally, since Windows Sandbox is basically running the same operating system image as the host we also allow Windows sandbox to use the same physical memory pages as the host for operating system binaries via a technology we refer to as “direct map”. In other words, the same executable pages of ntdll, are mapped into the sandbox as that on the host. We take care to ensure this done in a secure manner and no secrets are shared. 

 Direct Map.PNG

Integrated kernel scheduler

With ordinary virtual machines, Microsoft’s hypervisor controls the scheduling of the virtual processors running in the VMs. However, for Windows Sandbox we use a new technology called “integrated scheduler” which allows the host to decide when the sandbox runs. 


For Windows Sandbox we employ a unique scheduling policy that allows the virtual processors of the sandbox to be scheduled in the same way as threads would be scheduled for a process. High-priority tasks on the host can preempt less important work in the sandbox. The benefit of using the integrated scheduler is that the host manages Windows Sandbox as a process rather than a virtual machine which results in a much more responsive host, similar to Linux KVM.


The whole goal here is to treat the Sandbox like an app but with the security guarantees of a Virtual Machine. 


Snapshot and clone

As stated above, Windows Sandbox uses Microsoft’s hypervisor. We're essentially running another copy of Windows which needs to be booted and this can take some time. So rather than paying the full cost of booting the sandbox operating system every time we start Windows Sandbox, we use two other technologies; “snapshot” and “clone.”


Snapshot allows us to boot the sandbox environment once and preserve the memory, CPU, and device state to disk. Then we can restore the sandbox environment from disk and put it in the memory rather than booting it, when we need a new instance of Windows Sandbox. This significantly improves the start time of Windows Sandbox. 


Graphics virtualization

Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intense or media-heavy use cases. However, virtual machines are isolated from their hosts and unable to access advanced devices like GPUs. The role of graphics virtualization technologies, therefore, is to bridge this gap and provide hardware acceleration in virtualized environments; e.g. Microsoft RemoteFX.


More recently, Microsoft has worked with our graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and WDDM, the driver model used by display drivers on Windows.


At a high level, this form of graphics virtualization works as follows:

  • Apps running in a Hyper-V VM use graphics APIs as normal.
  • Graphics components in the VM, which have been enlightened to support virtualization, coordinate across the VM boundary with the host to execute graphics workloads.
  • The host allocates and schedules graphics resources among apps in the VM alongside the apps running natively. Conceptually they behave as one pool of graphics clients.

This process is illustrated below:


GPU virtualization for Sandbox - diagram.png 


This enables the Windows Sandbox VM to benefit from hardware accelerated rendering, with Windows dynamically allocating graphics resources where they are needed across the host and guest. The result is improved performance and responsiveness for apps running in Windows Sandbox, as well as improved battery life for graphics-heavy use cases.


To take advantage of these benefits, you’ll need a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer). Incompatible systems will render apps in Windows Sandbox with Microsoft’s CPU-based rendering technology.


Battery pass-through

Windows Sandbox is also aware of the host’s battery state, which allows it to optimize power consumption. This is critical for a technology that will be used on laptops, where not wasting battery is important to the user.


Filing bugs and suggestions

As with any new technology, there may be bugs. Please file them so that we can continually improve this feature. 


File bugs and suggestions at Windows Sandbox's Feedback Hub (select Add new feedback), or follows these steps:

  1. Open the Feedback Hub
  2. Select Report a problem or Suggest a feature.
  3. Fill in the Summarize your feedback and Explain in more details boxes with a detailed description of the issue or suggestion.
  4. Select an appropriate category and subcategory by using the dropdown menus. There is a dedicated option in Feedback Hub to file "Windows Sandbox" bugs and feedback. It is located under "Security and Privacy" subcategory "Windows Sandbox".
  5. Feedback Hub.png
  6. Select Next 
  7. If necessary, you can collect traces for the issue as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select Stop capture.
  8. Attach any relevant screenshots or files for the problem.
  9. Submit


We look forward to you using this feature and receiving your feedback!



Hari Pulapaka, Margarit Chenchev, Erick Smith, & Paul Bozzay

(Windows Sandbox team)

Brass Contributor

can i tag windows sandbox and reuse those sandboxes instead of going from the beginning(like vms). it would be really helpful if it were like this.

i might want to run software only in sandbox environment only.

Steel Contributor

Can the sandbox provide (through an API) a summary/list of changes performed on the machine by the application I am running inside? i.e. what registry entries have been created/modified, same for files, etc...

Copper Contributor


I have no Sandbox 


any advance ? thanks !

Copper Contributor

You need "Windows 10 Pro or Enterprise, build 18305 or newer" to use the feature. Read the article :)

Copper Contributor

@Bogdan Mitrache windows already has nice auditing tools that you can enable as a domain policy rule, it could be nice if they enabled this by default into the VM so we can already have a detailed log on what the suspicious app has done :smiling_face_with_smiling_eyes:

Silver Contributor

Cool. No need to install Sandboxie to check some possibly infected web page :)

Silver Contributor

18305 is not yet released to Insider Fast ring. I guess it might be in Skip Ahead, but i haven't seen that either. So, officially in 1903 update next spring.

Copper Contributor

So, when the office will release the 18305.

Copper Contributor

Will Windows 10 Education also receive this feature or only Pro and Enterprise?  

Copper Contributor

Annotation 2018-12-19 122032.jpgAnnotation 2018-12-19 122139.jpg

and no any Sandbox! 

Brass Contributor

Just reading the title of this post made me leap out of my chair in happiness.


Sadly, the post itself didn't live up to my expectations. Windows Containers is very disappointing. I have been using a free sandboxing offering from Comodo Group for years now and I have very high expectations of performance and flexibility from Windows Sandbox.

Copper Contributor

Will it possible to load a driver in the sandbox, Since it has a separate kernel.

Copper Contributor

The really importaint question is: Can you run a Windows Sandbox in a Windows Sandbox?

Copper Contributor

I just wonder will it possible to integrate the windows, taskbar and NotifyIcon from the sandbox system to the host Windows? Just like RemoteApp do. You can use those apps just like they are in local desktop, although they are in the remote desktop session.  And if the sandbox can be saved, it would be better. With that we can let the 'not so well' applications live in the sandbox, the good applications and personal data in the host, and work with the whole system seamlessly and safely.

Steel Contributor

 @vegidi I was asking about an API from the WIndows Sandbox as I was hoping to use this as an alternative to Hyper-V vms when repackaging old exes (to create msi/app-v/msix packages)


We currently use hyper-v and vmware vms for the monitoring phase of the repackager, but these eat up a lot of resources and are also slower. Using the sandbox could be a big improvement during the repackaging process, if possible.

Copper Contributor

THIS is an extremely cool integrated container approach for Windows.


I would be very curious to know whether a similar approach may soon be available for Windows Server... ideally I could package custom applications (usually headless console scheduled tasks, occasionally services) to run in such an environment.


I specifically like the light footprint, and especially like that the base image is maintained over time, so as updates are applied to the host, they'd also presumably be applied to the sandbox... this addresses my biggest two concerns over containerization - first and foremost the MASSIVE amount of disk space needed to maintain base images, and secondarily the need for each container to have its own network identity (they don't - let them share the hosts' IP/hostname/domainAcct/etc).


I would LOVE to know if such an option is in the roadmap, or whether this will remain limited to desktops (a la win7's "XP Mode" VM).


Thanks. and keep up the good work!

Copper Contributor

I'd like to use this technology to investigate ransomware or crytoware files.  However, the article mentions mutable files, which could be problematic if the malware has access to make permanent changes to files outside of the sandbox.  Is there the ability to control if outside file access is permitted or not based on the type of executable I'm testing?

Copper Contributor

This is definitely a nice development, but to anyone that is wondering it'll be a while till it goes into a normal release update release and not a Windows Insider build.  

Copper Contributor

Curious, is anything being done with this technology to thwart rudimentary sandbox detection many malicious applications now run before revealing itself? e.g. look for a sound device?

Brass Contributor

Do you mind sharing what "compatible GPUs" are? Will hardware acceleration work on a typical consumer PC for example, assuming a somewhat recent architecture like Pascal or Vega and WDDM 2.5? Unsure about AMD, but recent Nvidia drivers do support WDDM 2.5 at least.


Copper Contributor

I don't use Hyper-V.  I wish there was a way around this.  VirtualBox cannot run if you are using HyperV virtual machines.  I like to create VirtualBox virtual machines so I can move them to Linux or Mac systems.  Anyway around turning on Hyper-V???

Copper Contributor

Looks like VirtualBox 6.0 was just released December 18 2018....


Added support for using Hyper-V as the fallback execution core on Windows host, to avoid inability to run VMs at the price of reduced performance.


Maybe we can all co-exist?  Smiley Happy

Copper Contributor

Wouldn't it be more simple to use the low privilege account mode, existing since Vista? 


All reads allowed, all writes discarded.

Copper Contributor

I agree with @Scott Brickey. This is a super cool feature in containerization. Aside from the simple sandbox functionality, will we be getting sandboxes that can be defined with dockerfiles and deployed to Server? My team would find this immensely useful.

Brass Contributor

@adamwinterI am afraid you seem to have misunderstood the concept of mutable files. The mutability is not two sided, i.e. the change in the sandbox does cause a change on the host OS.

In this case, "immutable files" are those that do not get copied to the sandbox; the sandbox emulates a read-only copy of them and gets their actual bytes from the host OS. "Mutable files" get copied to the sandbox.

Copper Contributor
@MasterMysterious, ah that makes much more sense. Thanks for the clarification.
Silver Contributor
Copper Contributor

Would it be possible to run sandbox on its own core other than guest OS..

Copper Contributor

Is there any plans to put this in the context menu, so that you can right click an exe and have it go straight into a sandbox instead of copy/paste?

Copper Contributor

Is there any documentation? Can we tailor this for malware analysis? Is there any API for the hypervizor to dump memory hook syscalls and all that?

Copper Contributor

Windows Sandbox not opening for me, just after first time app dialog disappear and im unable to run it again, any fix?

@cedric05  Thanks for the feedback! Currently we do not support this. Windows Sandbox is always a pristine environment. Could you help us understand your multi-sandbox scenario?

@David Kohn  Thanks for expressing interest in Windows Sandbox! Could you describe the scenario that you have in mind?

@Karuboniru  Installing a driver is possible! That being said installing a driver which requires reboot is not currently supported. Also if the driver that you are installing is a hardware driver it will not work as expected because the hardware will not be exposed to the sandbox.


@Ruikuan - you have some interesting ideas. Currently, Windows Sandbox provides access to the full desktop environment only, and is unable to persist data. Thanks for your feedback!


@adamwinter, good question. @MasterMysterious is correct; in the current configuration, software running in the sandbox cannot change any host files.


Hi @Scott Brickey, thanks for the enthusiastic feedback! Sounds like you are familiar with containers and I am sure you know about Hyper-V containers (which offer some of the functionality you are interested in). Unfortunately, I cannot address our future plans, but we are very attentive to feedback and appreciate the suggestions. It's great to see your excitement!


@ThomasMansfield if you haven't already, take a look at Hyper-V containers, which already support Docker files on server. It sounds like that may provide a satisfactory solution for you. If not, can you help us understand what's missing?

Copper Contributor

I agree with @Scott Brickey and @ThomasMansfield. It would be great if Windows-Sandbox could be integrated into a docker image. Thanks.

Copper Contributor

@Margarit_Chenchev  We often have faculty that want to try out new applications and allowing them to use Windows Sandbox would be wonderful.

Copper Contributor
Do we know if this has a performance penalty similar to enabling full Hyper-V because the main OS now runs in the parent partition?
Copper Contributor
It seems like being able to run apps in a sandbox would also be useful and quite important for Home users, since most users of Windows 10 seem to be using the Home version as a result of it being bundled with their computer. Making this available for the ARM version of Windows 10 would also be swell. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Since you mentioned Linux KVM however, it is worth noting that somebody ported the Linux KVM to Windows, enabling Linux-based device drivers to actually run on Windows, but it still has a lot of rough edges and is far from perfect. Any chance that you guys could take a look at that as well? It could probably supplement WSL: Taking another look at the NTVDM would be nice too. Somebody has successfully ported it to Windows x64, but can only distribute the patches they made to help get it working as the majority was built on leaked Windows NT source code, which for obvious legal reasons they themselves could not distribute. Since most if not all of the work is already done, however, it is their hope that Microsoft would take notice and officially implement the NTVDM x64 port in some form. Here's a link to their patches on github: Also of note are vDOS and DOSBOX. Though neither of those are perfect, and they do not offer the full transparency and flexibility provided by NTVDM, they are both open source, and code from them could probably be implemented in a future version of NTVDM as well, in order to improve performance, compatibility and security. Not going to link DOSBOX, because everyone already knows about it by now, including where to find the source code. P.S.: The website here seems to be broken. Clicking "Preview" instead reloads the page, and I'm not able to like people's comments.
Copper Contributor

Great news! A few questions:

  1. Is there a command line interface to execute some command in the sandbox?
  2. Is it possible to mount a folder on the host drive and give the sandbox permissions to write to it?
  3. What user are sandbox programs run as? Is it the same user who started the sandbox or some temporary container user?
Copper Contributor
Will this feature also be available to Windows 10 Education users?
Copper Contributor

I would love to have something similar but… for VPN clients! I have around 10 different VPS clients installed, some conflict with others, and would love to have this kind of isolation that would prevent my host OS from having so much different network adapters, monitor tools and services, and that would of course let my host OS join the VPN connections established from this isolated environments.

Copper Contributor

Sandbox not starting elevated. After 1 minute it just shuts down again :(


Copper Contributor

Well , nice feature, but still looks like another VMWare - you are  sandboxing the whole OS. What if I want to run my already preinstalled program in a sandbox mode to prevent viruses getting into my OS? A browser, for instanace. And not a fresh one, but the one I already have! And with one single click. And what if I want to get downloaded files, like PDFs, zips, msi's outside sandbox on the fly immediately after downloading them, because I know, they are safe? What if I want to test a virus in a sandbox and see the traces it leaves in my OS? Having a virus ran in  separate OS would mean having all the traces of its activity being spreaded through the whole OS "image" ! But I (as a virus analyst or whoever) want to have them locked in a single folder!  These things are for sure unachievable in that kind of sandboxes. But still possible in sandboxes, based on filter drivers technology like SHADE Sandbox, for instance :)

Copper Contributor

I'm not getting it to run.  At one attempt I got what you could call the splash screen, but at no point does a VM ever fire up.

Does it do any logging, and if so where?  

Copper Contributor

Aaah. It might have something to do with Symantec Antivirus. Checking the system log shows "The service Container manager depends of the service Hyper-V Host Compute Service that couldn't start up" 

Have seen this earlier with Hyper-V and Symantec :(  Might try to uninstall Symantec

Copper Contributor
Eeek! My previous comment seems to have been mysteriously stripped of all linebreaks... That wasn't supposed to happen. Anyways, I have another thought. Could it be possible to configure certain software to always run in a Sandbox (examples: Java, Skype, Adobe Reader/Flash), or to enable a Sandbox to run in a persistent (non-deleting) mode, such as for Windows XP Mode applications? Also, for testing VM-aware/Sandbox-aware applications, there's ways to hide all indications from a program that a system isn't the host. However, for safety reasons it should also be possible to fool programs into thinking that the host system is itself a Sandbox or VM.

@Parkerthon   Windows Sandbox does not attempt to hide the fact that it is a sandbox.

Version history
Last update:
‎Dec 12 2022 11:07 AM
Updated by: