Windows Sandbox configuration - Windows Security (2023)

  • Article
  • Applies to:
    Windows 11, ✅ Windows 10

Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or Windows 11. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension.

A configuration file enables the user to control the following aspects of Windows Sandbox:

  • vGPU (virtualized GPU): Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
  • Networking: Enable or disable network access within the sandbox.
  • Mapped folders: Share folders from the host with read or write permissions. Exposing host directories may allow malicious software to affect the system or steal data.
  • Logon command: A command that's executed when Windows Sandbox starts.
  • Audio input: Shares the host's microphone input into the sandbox.
  • Video input: Shares the host's webcam input into the sandbox.
  • Protected client: Places increased security settings on the RDP session to the sandbox.
  • Printer redirection: Shares printers from the host into the sandbox.
  • Clipboard redirection: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
  • Memory in MB: The amount of memory, in megabytes, to assign to the sandbox.


The size of the sandbox window currently isn't configurable.

Creating a configuration file

To create a configuration file:

  1. Open a plain text editor or source code editor (for example, Notepad, Visual Studio Code, etc.)

  2. Insert the following lines:

  3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below.

  4. Save the file with the desired name, but make sure its filename extension is .wsb. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, "My config file.wsb".

Using a configuration file

To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here:

C:\Temp> MyConfigFile.wsb

Keywords, values, and limits


Enables or disables GPU sharing.

(Video) Enable ALL These Windows Security Features!


Supported values:

  • Enable: Enables vGPU support in the sandbox.
  • Disable: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
  • Default This value is the default value for vGPU support. Currently, this default value denotes that vGPU is disabled.


Enabling virtualized GPU can potentially increase the attack surface of the sandbox.


Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.


Supported values:

  • Enable: Enables networking in the sandbox.
  • Disable: Disables networking in the sandbox.
  • Default: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.


Enabling networking can expose untrusted applications to the internal network.

Mapped folders

An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder will be mapped to the container user's desktop.

<MappedFolders> <MappedFolder> <HostFolder>absolute path to the host folder</HostFolder> <SandboxFolder>absolute path to the sandbox folder</SandboxFolder> <ReadOnly>value</ReadOnly> </MappedFolder> <MappedFolder> ... </MappedFolder></MappedFolders>

HostFolder: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container will fail to start.

SandboxFolder: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.

(Video) How to configure Windows Sandbox

ReadOnly: If true, enforces read-only access to the shared folder from within the container. Supported values: true/false. Defaults to false.


Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.

Logon command

Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. The container user account should be an administrator account.

<LogonCommand> <Command>command to be invoked</Command></LogonCommand>

Command: A path to an executable or script inside the container that will be executed after signing in.


Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the LogonCommand directive.

Audio input

Enables or disables audio input to the sandbox.


Supported values:

  • Enable: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
  • Disable: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
  • Default: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.


(Video) How to configure the Windows Sandbox

There may be security implications of exposing host audio input to the container.

Video input

Enables or disables video input to the sandbox.


Supported values:

  • Enable: Enables video input in the sandbox.
  • Disable: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
  • Default: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.


There may be security implications of exposing host video input to the container.

Protected client

Applies more security settings to the sandbox Remote Desktop client, decreasing its attack surface.


Supported values:

  • Enable: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
  • Disable: Runs the sandbox in standard mode without extra security mitigations.
  • Default: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.


This setting may restrict the user's ability to copy/paste files in and out of the sandbox.

Printer redirection

Enables or disables printer sharing from the host into the sandbox.

(Video) How to use the Windows Sandbox as a security feature in Windows 10 and 11


Supported values:

  • Enable: Enables sharing of host printers into the sandbox.
  • Disable: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
  • Default: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.

Clipboard redirection

Enables or disables sharing of the host clipboard with the sandbox.


Supported values:

  • Enable: Enables sharing of the host clipboard with the sandbox.
  • Disable: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
  • Default: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under Default.

Memory in MB

Specifies the amount of memory that the sandbox can use in megabytes (MB).


If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.

Example 1

The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.


<Configuration> <VGpu>Disable</VGpu> <Networking>Disable</Networking> <MappedFolders> <MappedFolder> <HostFolder>C:\Users\Public\Downloads</HostFolder> <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder> <ReadOnly>true</ReadOnly> </MappedFolder> </MappedFolders> <LogonCommand> <Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command> </LogonCommand></Configuration>

Example 2

The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.

Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.

With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.


Download vscode to downloads folder and run from downloads folder.

REM Download Visual Studio Codecurl -L "" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exeREM Install and run Visual Studio CodeC:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes


<Configuration> <MappedFolders> <MappedFolder> <HostFolder>C:\SandboxScripts</HostFolder> <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads\sandbox</SandboxFolder> <ReadOnly>true</ReadOnly> </MappedFolder> <MappedFolder> <HostFolder>C:\CodingProjects</HostFolder> <SandboxFolder>C:\Users\WDAGUtilityAccount\Documents\Projects</SandboxFolder> <ReadOnly>false</ReadOnly> </MappedFolder> </MappedFolders> <LogonCommand> <Command>C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd</Command> </LogonCommand></Configuration>

Example 3

The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.

(Video) How to Install Windows 10 Sandbox Feature | Side-by side-application testing

C:\sandbox folder on the host is mapped to the C:\sandbox folder in the sandbox, so the SwapMouse.ps1 script can be referenced in the sandbox configuration file.


Create a powershell script using the following code, and save it in the C:\sandbox directory as SwapMouse.ps1.

[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null$SwapButtons = Add-Type -MemberDefinition @'[DllImport("user32.dll")]public static extern bool SwapMouseButton(bool swap);'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))


<Configuration> <MappedFolders> <MappedFolder> <HostFolder>C:\sandbox</HostFolder> <SandboxFolder>C:\sandbox</SandboxFolder> <ReadOnly>True</ReadOnly> </MappedFolder> </MappedFolders> <LogonCommand> <Command>powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1</Command> </LogonCommand></Configuration>


Is Windows Sandbox 100% safe? ›

Pristine: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows. Disposable: Nothing persists on the device. Everything is discarded when the user closes the application. Secure: Uses hardware-based virtualization for kernel isolation.

How do I fix Windows Sandbox error? ›

What can I do to fix the Windows Sandbox failed to start error?
  1. Disable and enable Windows Sandbox. Press Windows + R to open the Run console. ...
  2. Start Sandbox services. ...
  3. Restart Hyper V and other programs. ...
  4. Use Windows troubleshooter. ...
  5. Repair system files. ...
  6. Restore Windows to its previous version. ...
  7. Update the device drivers.
Mar 3, 2023

Is Windows Sandbox safe for ransomware? ›

Using a sandbox can protect your machine from malware. If you were to run a piece of ransomware in a sandbox, the files inside the sandbox would probably be encrypted but your primary operating system would remain untouched.

What are the limitations of Windows sandbox? ›

Limitations of Windows Sandbox

A single file copy, like procmon.exe, does not take much time. Moving in a larger tool, especially one that requires installation, may prove tiresome. No installable roles or features: Without the ability to install roles or features, you will have a limited testing scope.

Can sandbox prevent viruses? ›

Programs in a sandbox are not allowed to access or modify any files outside of the sandbox. This isolation can help prevent malware from infecting your system and can also help prevent one program from interfering with another.

How do I clear Windows Sandbox? ›

Open Programs and Features, then click 'Turn Windows Features on or off' on the left. Uninstall the Sandbox from there, then restart (not shut down) your PC. Then go back in and re-enable the Sandbox feature, that should then be a clean reset version of the Sandbox.

How do I unlock Windows Sandbox? ›

1. Enable Windows Sandbox Using the Windows Features Dialog
  1. Press Win + R to open Run.
  2. Type appwiz. ...
  3. In the left panel, click on Turn Windows features on or off.
  4. In the Turn Windows features on or off dialog, scroll down and locate Windows Sandbox.
  5. Check the Windows Sandbox option and click OK.
Nov 26, 2022

What is Windows Sandbox? ›

The Windows Sandbox is a temporary virtual machine built into Windows 10 and Windows 11 that allows you to run software without it affecting the rest of your system.

Is sandbox Security safe? ›

In cybersecurity, a sandbox is an isolated environment on a network that mimics end-user operating environments. Sandboxes are used to safely execute suspicious code without risking harm to the host device or network.

How does malware detect sandbox? ›

Malware will execute a WMI query to fetch the cores count, and if the value is one, it concludes that it is running inside a sandbox. Checking disk space and physical memory—Just like the case for CPU cores, VMs are typically allocated a limited amount of disk space and physical memory.

Should I turn on Windows ransomware protection? ›

Be sure Windows Security is turned on to help protect you from viruses and malware (or Windows Defender Security Center in previous versions of Windows 10). In Windows 10 or 11 turn on Controlled Folder Access to protect your important local folders from unauthorized programs like ransomware or other malware.

Can sandbox be deleted? ›

Yes. You can delete sandboxes.

What does it mean to disable sandbox? ›

Sandbox mode is a security feature that prevents Access from running certain expressions that could be unsafe. These unsafe expressions are blocked regardless of whether the database has been 'trusted' – its content enabled.

What does restarting your sandbox do? ›

Resetting a personal workspace or sandbox or clears all the changed data values that you have entered up to that point and resets all the data values back to the current values in the base data.

Is the sandbox safe? ›

Sandboxes are great fun for young children. Unfortunately, they also pose several safety hazards, including exposure to germs and bacteria, scratches from foreign materials, chemical exposure, and splinters.

What is sandbox virus? ›

A sandbox is a system for malware detection that runs a suspicious object in a virtual machine (VM) with a fully-featured OS and detects the object's malicious activity by analyzing its behavior. If the object performs malicious actions in a VM, the sandbox detects it as malware.

Should I use sandbox? ›

Without sandboxing, software or applications could have potentially unlimited access to all the user data and system resources on a network. Sandboxes are also used to safely execute malicious code to avoid harming the host device, the network or other connected devices.

How much RAM does Windows sandbox use? ›

Check Windows Sandbox prerequisites

Virtualization enabled in BIOS. 4 GB of RAM (8 GB recommended) 1 GB of free disk space (SSD recommended)


1. How to use Windows Sandbox - a lightweight virtual machine
(Kevin Stratvert)
2. Windows Sandbox Complete Explanation, Configuration & Demonstration
3. How to configure Windows Sandbox
(Talking tech with Techielass)
4. How To Setup A Sandbox Environment For Malware Analysis
5. What is Windows Sandbox? How to Enable and Use it?
6. Setup Windows Sandbox and map a host folder
(Knowledge Sharing Tech)


Top Articles
Latest Posts
Article information

Author: Arielle Torp

Last Updated: 08/02/2023

Views: 6219

Rating: 4 / 5 (61 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Arielle Torp

Birthday: 1997-09-20

Address: 87313 Erdman Vista, North Dustinborough, WA 37563

Phone: +97216742823598

Job: Central Technology Officer

Hobby: Taekwondo, Macrame, Foreign language learning, Kite flying, Cooking, Skiing, Computer programming

Introduction: My name is Arielle Torp, I am a comfortable, kind, zealous, lovely, jolly, colorful, adventurous person who loves writing and wants to share my knowledge and understanding with you.