How to work and play in Win10’s new Sandbox

Topic

New Reply

First offered with the Windows 10 May 2019 Update (aka Version 1903), the new Sandbox feature provides users a safe, protected area to install and run
[See the full post at: How to work and play in Win10’s new Sandbox]

3 users thanked author for this post.

Elly, abbodi86

Reply | Quote

Replies

[lylejk]

Been using a sandbox since 2009; don’t need Win10 Pro to do this.   If you are smart, you would be using a sandbox too.  Problem is, most people are ignorant and depend solely on their anti-malware programs.   Will give you a hint….no anti-malware program will protect your system for every mal-ware out there.   None.  A sandbox will.   Such anti-malware programs only gives you a false sense of security. I do have Windows Defender running in my Win10 Host, but for front-line protection, I use my sandbox with golden setpoint recovery.   I’ll add that in order to mitigate such things as keyloggers and malware creep, you do need to recover to your golden set point often.  I usually do so at least once every 8 or 9 days.   Probably should do so more often, but to do so every time you restart your Sandbox is, well, crazy.   lol

My first experience with sandboxes was when I was working for a PC shop and we helped install systems in a local school.  They ran a program called Deep Freeze and I thought this was awesome.    I saw my share of infected systems during this brief 5 year stint at the PC shop to know that even the best anti-malware program won’t protect you from all attacks and people are creatures of habit and tend to get re-infected despite using such precautions.    Anyway, enough of my spiel.   Glad Microsoft’s finally doing something about addressing the monster in the closet.    Hope folk learn how to properly use sandboxes, but I seriously doubt people will.   Of course I’m not referring to the people here at AskWoody.   Most IT folk know and appreciate virtualization, but ignorant masses don’t, but maybe now that Microsoft’s entering this fray, they may pick up this concept and run with it.  We shall see.  

• This reply was modified 5 years, 11 months ago by lylejk.

1 user thanked author for this post.

columbia2011

Reply | Quote

Is there some easy way to “set up” the sandbox? I’ve used VirtualBox for years, and one thing I like very much is that it preserves its state from one invocation to the next. Of course, I can blow it away and start clean when i need to, but it was very handy not to have to “reinstall” everything I use every time I fired up VB. Can you do something like that with the sandbox: do sort of the equivalent of having it “hibernate” so you could start it again and be back in the same place? It’d be a pain to have to install and configure all of my “standard” apps every time I started the sandbox [if that’s the case, I’ll likely go back to virtualbox]

Reply | Quote

berniec wrote:

Is there some easy way to “set up” the sandbox?

That’d be exactly the point of this new feature, I’d say…

There *have* been third-party applications, including some free ones, with this capability on various operating system versions.

Comodo Internet Security comes to mind for one… because someone had installed that, and then another person tried to install an application and it wouldn’t “take” (due to running the installer in the sandbox, but they didn’t realize that), and that’s when I was called to help…

Reply | Quote

Well yeah, being able to break out of a sandbox is one way to get a “critical” vulnerability rating… but those have been seen occasionally too.

And that’s not counting the occasional ability to make the VM consume all processor time, or whatever.

Various kinds of sandbox arrangements have been around for a long time after all, at least since IBM’s 1972 release of VM/370… some have been better than others.

Reply | Quote

Every student in the advanced 360/370 assembler class at Senior College got a virtualized VM/370 instance on the IBM 4341 so they would not take down the entire mainframe system doing their class assignments. If anything abended that did not affect anything outside of that virtualized environment.

I still like the Burroughs 6700 that my Junior college had as everything ran in a High level ALGOL like Stack Machine hardware implementation with the Burroughs Stack Machine MCP(Operating system) managing all the hardware Stack Pointers and the Burroughs Stack machine architecture intrinsically enforces a secure sort of sandbox supported by that Hardware/OS managed stack pointer and tagged descriptor system. Burroughs had a nice high level job/process control language named workflow while IBM had JCL and Burroughs Workflow was lees of a pain to work with compared to the rather cryptic IBM JCL. The Burroughs Stack architecture was essentially an object-oriented architecture and it was an in hardware implemented model for object oriented programming languages.

No problems with stack overflows on the Burroughs Stack machines as any stack pointer overflows or underflows resulted in an hardware interrupt being generated and that running job flushed by the MCP(Master Control Program) the MCP being the OS on Burroughs systems. And everything ran in a OS managed stack on that 6700 so any code, data and Objects/Arrays/Other structures all managed within Stacks(Hardware Stack pointers and tagged descriptors).

Reply | Quote

I have been using a free sandbox ( Sandboxie ) for years with no problem at all and it sounds like it is much more user friendly than the MS version. It also is Windows 10 compatible.

Reply | Quote

Let me clarify. I understand how and why sandboxes and VMs work and what they’re for. The big problem with VMs is that you need an OS for it. I do have a retail copy of win7/pro [which is what used with VirtualBox]. But the advantage of a “sandbox” [over a VM] is that it won’t require a separate OS [and separate license]. So I’m excited about the win10 sandbox.

My problem is that the article said you get a basically empty OS in the sandbox. That’s problematic for me: I have a bunch of “standard” programs I use in win10 and if I were testing a new program or doing something potentially dangerous [e.g., that might crash the system] I’d, of course, like to do in a sandbox. With VB I took the time to set up win7 with the “normal stuff” I use, and then it was easy to clone that VM into my test VM and then it was just a mouse click away from making the mess in THAT VM go away. I’m hoping to do the same with the win10 sandbox: I’ll take the time to install and configure the programs I use all the time and would need in the sandboxed environment, and then be able to “clone” that to a new, set up and configured sandbox in which I could play around. If the *only* thing you can get with a sandbox is a fresh-from-the-install-CD win10, that won’t be of much use to me [and I’ll likely either go back to VB or try one of the other sandbox/VM applications]

Reply | Quote

[rc primak]

I wonder if programs like Macrium Reflect (paid) might expand ViBoot to include the sandbox as if it were a Virtual Machine?

Otherwise, the “child directory” where the sandbox is contained could (permissions permitting) be copied wholesale without compression, onto another drive, essentially creating a “clone” of the sandbox, which could be “restored” at any time.

So there are or will be ways for advanced users (presumably the ones using the sandbox the most) to “save” our work, our entire sandboxes, as well as our whole systems, in the exact state they are in right now, and go back to that state fairly painlessly.

Technically, this is feasible. Whether in reality it is or will be possible, I don’t yet know.

Anyway, that’s my theory…

What this setup does not allow, is the installation of programs or updates which require a machine restart. But UWP and PWA apps (Store and Progressive Web Apps) do not require a machine restart to install and work. This is the wave of the future, so a sandbox like this may become more useful moving forward.

-- rc primak

• This reply was modified 5 years, 11 months ago by rc primak.
• This reply was modified 5 years, 11 months ago by rc primak.

Reply | Quote

For me, the Sandbox is more of a quick and dirty one-off tool if I want to check out one specific program on the spur of the moment. Otherwise, I use Oracle VirtualBox and VMWare Workstation for testing and experimenting with different applications and scenarios on a more permanent basis. So I think there’s a use for all of these tools

Reply | Quote

Hi Lance,

A bit early with this article since Woody advises on the same day NOt to install 1903!

Best to repeat when signs are green, don’t you think?

No harm meant though.

Regards, Sjors

Reply | Quote

I agree. I updated two of my PCs to 1903 mainly so that I could write about the new features. But I have not updated my main computer as I feel that 1903 is still buggy.

Reply | Quote

This article, Windows Sandbox, pretty clearly explains the feature. You can NOT configure the sandbox and have it retained from one session to another. It is NOT a full featured VM. It is a light-weight desktop environment meant to be pristine every time it is started.

--Joe

3 users thanked author for this post.

Sueska, berniec, PKCano

Reply | Quote

This MS Win 10 Sandbox is similar to deep freeze in that a restart will delete all changes. Consequently if you need to test a program that requires a restart in order to fully install, this is not the right tool. Like Joe said this is not a full featured VM. When I attempted a restart in the MS Win 10 Sandbox I got the following message box error “The connection to the sandbox was lost (0x80072746)” Microsoft’s response to this reported error in the their feedback app (currently 722 upvotes) was “Thanks for reporting this – Windows Sandbox doesn’t currently support persisting on shutdown or restart, which is why you’re seeing this message”

1 user thanked author for this post.

rc primak

Reply | Quote

Then I would not use this feature. Unless there were some specific app I wanted to test. But without the full Windows configuration of the host OS, stability, program and security conflicts, etc. could never be adequately tested in this type of sandbox environment.

A better use case would be secure or anonymous browsing, and financial or banking sites, where the added level of isolation and security may be of some specific advantage. High-risk sites might also benefit from being isolated the other direction.

-- rc primak

1 user thanked author for this post.

Sueska

Reply | Quote

joep517 wrote:

You can NOT configure the sandbox and have it retained from one session to another.

Basic repeatable configuration is possible:

How to configure Windows Sandbox on Windows 10

 

Reply | Quote

I am on 1809, however under “C:\ProgramData\Microsoft\Windows\Containers” I have several folders, one named “Sandboxes” and another which seems to have a bare bones version of windows named “BaseImages”. Does anyone else on 1809 have these and does anyone know why I would have them when 1809 doesn’t support the sandbox feature?

Reply | Quote

anonymous wrote:

C:\ProgramData\Microsoft\Windows\Containers

I am on 1809 pro, no May 2019 updates. Don’t have Containers folder.

Reply | Quote

I believe those folders are created by Windows Defender Application Guard, which can be enabled on 1803 or later:

What is this large folder?

How to enable Microsoft Edge Application Guard on Windows 10 April 2018 Update

Reply | Quote

Many thanks #b for the reply and the link. Since a lot of MS’s new security features rely on their hypervisor, I was trying to get it to play nice with my VMWare setup (which turns out not to be possible without rebooting between sessions). This folder must be related to something I left installed.

Reply | Quote

Lance Whitney wrote:

For me, the Sandbox is more of a quick and dirty one-off tool if I want to check out one specific program on the spur of the moment. Otherwise, I use Oracle VirtualBox and VMWare Workstation for testing and experimenting with different applications and scenarios on a more permanent basis. So I think there’s a use for all of these tools

How do you get around the requirement of a license for the win10 you run in VB?   I did that on my win7 system — I ran VB and had a retail win7 license kicking around and that was fine.  But I don’t see spending $200 to get VB/win10/pro to work.  Is there a trick I’m missing in using VB?

Reply | Quote

You can update the Win7 to Win10 in the VM (make a copy of the VM first, of course). Plug in your retail license in the upgrade and you have a Win10 VM.

Reply | Quote

… though I believe this is one of those situations where passing activation is neither necessary nor sufficient to determine that you have a valid license…

Reply | Quote

Isn’t that the sole purpose of activation? Why is it unnecessary and insufficient in this situation?

Reply | Quote

Well. It’s not that it’s completely useless, it’s just that it’s easy to run into the exceptions and loopholes even by accident.

In some situations it’ll pass activation even if you feed it a code that isn’t eligible for activating in a VM. Like for example one from an OEM sticker that was already active for a preinstalled instance directly on a device.
So, you can have an activated but unlicensed installation.

It’ll also sometimes fail to activate especially with downgrade rights even with a valid code.
So, you can have a fully licensed installation that doesn’t activate.

There’s a fixed number of VMs that a single non-Datacenter license can be used for. The activation cannot keep track of other VMs, especially ones that are isolated or not running; so, you need to keep track of those yourself to avoid accidental licensing violations.

And then there’s the fun part about buying licenses that may not be applicable to what you want to run and how… like non-preinstall OEM licenses, and what and when you can use those…

Reply | Quote

I dunno why this obvious path to getting my on-win7 VM moved to be on-win10 eluded me, but once you pointed it out it was clear. AND Worked perfecly!! I installed VirtualBox on my win10 system, copied the win7 VM files to my win10 system. Fired up virtualbox and voilà — my win7 system leapt to life in the VB VM. Pushing my luck, I went to the ms update site and did a plain ‘win7 to win10 upgrade’ Two hours and I dunno how many restarts of the VM [but no problems or other troubles] and I had win10/pro running in my VM. It now has firefox, my VPN and a few other things loaded in it and it works perfectly.

[Perhaps more amusingly, I didn’t bother to do the no-updates dance in the VM so among the many updates/restarts in getting it win10’ed included load 1903. So now I’m running 1903 in a VM on an 1809 win10.]

Reply | Quote

Posting this for @moss rawn:

In Windows Pro 10, version 1903 Windows Sandbox fails to open. Error message: “Windows Sandbox failed to start. Ox80070057 the parameter is incorrect”. I followed directions: verified that Virtualization is enabled; in Windows Features, Windows Sandbox and Hyper-V were checked, and it doesn’t open even if administrator tries. All updates are current.
Is there a remedy?

Reply | Quote

See if 1903 update and Sandbox error 0x80070057 the parameter is incorrect helps.

--Joe

Reply | Quote