How to configure Windows Sandbox (run apps/scripts, share folders, etc.)

Windows Sandbox is a virtualized environment similar to a virtual machine that's available in Windows 10 Pro și Enterprise. You can use it to test apps that you're not sure are safe, visit untrustworthy websites, and generally do things that you fear might compromise your main system. Up until May 2020 Update, you couldn't personalize the Windows Sandbox in any way. Now you can, as Microsoft lets you create and use scripts that can alter the way Windows Sandbox works. Here's how to do it:

NOTE: Before you can customize how Windows Sandbox works on your PC, you must first install it. If you need help with that, read How to install Windows Sandbox in Windows 10 in three steps. Also, if you're wondering how Windows Sandbox might be useful to you, here are a few ideas: 4 things you can do with Windows Sandbox. Furthermore, keep in mind that this guide only applies to Windows Sandbox in Windows 10 with May 2020 Update, Pro or Enterprise editions. It is not available in Windows 10 Home.

How to configure Windows Sandbox

In order to customize Windows Sandbox or automatically run apps and scripts when you launch it, you have to create a configuration file. To do that, you can use Notepad or any other text processor application to write code for Windows Sandbox. Every configuration file that you create for Windows Sandbox must start with the line<Configuration> and end with the line</Configuration>. All the other code that you're going to add must be placed between these lines of code.

Creating a Windows Sandbox configuration file

Once you've created the configuration file and finished adding all the code to it, you have to save it using the file extension .wsb.

Saving a Windows Sandbox config file (.wsb)

Then, you can double-click or double-tap on the .wsb file to launch your personalized Windows Sandbox.

A custom Windows Sandbox config file

Now let's see what code and scripts you can use for Windows Sandbox:

How to share folders with Windows Sandbox

Windows Sandbox can map folders from the host. In other words, you can make your Windows Sandbox "see" folders found on your Windows 10 PC. To do that, in the .wsb file that you created with Notepad, add the following code:



<HostFolder>Folder shared with Windows Sandbox</HostFolder>

<ReadOnly>true or false</ReadOnly>



You can add as many folders to share as you want: just make sure to put their paths between the<HostFolder></HostFolder> tags. Also, for each folder that you add to the list, you can specify whether you want Windows Sandbox to have read-only access to it. For that, add the code<ReadOnly>true</ReadOnly> after it. If you want Windows Sandbox to have write-access to that folder, add the code<ReadOnly>false</ReadOnly> after it. However, remember that this makes the files and folders from the shared folder available to the apps you run in Windows Sandbox. In other words, those apps can change your files, which you might not want.

For example, if you want your Windows Sandbox to have access to your Downloads folder, type:







Sharing a folder with Windows Sandbox

Make sure to change UserName with the name of your Windows 10 user account.

Then, when you run Windows Sandbox using this .wsb configuration file, all the shared folders are instantly available on the desktop or at this location: C:\Users\WDAGUtilityAccount\Desktop.

What a shared folder looks like in Windows Sandbox

How to automatically run an app or script in Windows Sandbox

Windows Sandbox also lets you run an app (executable file) or a script immediately after launch. To do that, in the .wsb configuration file, you have to add this code:


<Command>Command to run at startup</Command>


The command can be the path to any executable file or script that's available inside the Windows Sandbox. That means that you can, for example, automatically open File Explorer, Notepad, or other system apps. If you want, you can run even an app that's found in a shared folder (as illustrated in the previous section of this guide).

Here's an example of a Windows Sandbox configuration file that automatically opens File Explorer on launch:

Running a command/script in Windows Sandbox

And here's an example of a Windows Sandbox configuration file that maps the Downloads host folder and automatically runs an executable file from it:

Running an executable file in Windows Sandbox at startup

In the last example, this is what we get when launching Windows Sandbox:

A program that was automatically run when Windows Sandbox launched

NOTE: If you specify a path to a command, executable, or script file that doesn't exist, Windows Sandbox returns an error and stops when you try to open it. Also, while experimenting with this feature, we did not manage to automatically run any executable files that required administrative permissions and triggered UAC prompts, such as Command Prompt.

How to enable or disable the network in Windows Sandbox

If you don't want Windows Sandbox to be able to access your network and the internet, in the .wsb configuration file, add the following line of code:<Networking>Disable</Networking>.

Disable network in Windows Sandbox

This disables the networking services for Windows Sandbox, as you can see in the screenshot below.

Windows Sandbox launched without networking

In case you want the network to be accessible, either delete the <Networking>Disable</Networking> line from the configuration file or change the Disable value to Default:<Networking>Default</Networking>.

How to enable or disable the virtual graphics processing unit in Windows Sandbox

Similarly, Windows Sandbox also lets you disable the virtual graphics hardware rendering engine. In other words, Windows Sandbox shares your graphics card with Windows 10 on your PC by default. However, you can disable this feature and force Windows Sandbox to use software rendering, so that you don't expose your GPU. Although this makes Windows Sandbox run slower, in some situations, it might be useful. To disable vGPU support in Windows Sandbox, in the .wsb config file, add this code:<VGpu>Disable</VGpu>.

Disable graphics card sharing in Windows Sandbox

To enable the GPU sharing in Windows Sandbox, delete the<VGpu>Disable</VGpu> line from the .wsb configuration file or set its value to Default:<VGpu>Default</VGpu>.

What other features would you like to see in Windows Sandbox?

Although configuring how Windows Sandbox works is something you can do now, it still feels like it's just in an early state. We would also like to see Microsoft add options for automatically connecting USB devices directly to the Windows Sandbox. We're sure you have other cool ideas too. Tell us what other features you would like Windows Sandbox to have: comment below and let's discuss.

Discover: Security Programs Recommended System and Security Tutorials Windows
Join the discussion: See the comments Comment