Windows Sandbox
Windows Sandbox (WSB) is a disposable, hypervisor-isolated desktop environment built into Windows 10/11 Pro, Enterprise, and Education editions. It launches in seconds, runs a full Windows desktop in a separate kernel, and wipes everything on close. It is Microsoft's answer to "I want to test this random .exe without burning a VM."
The defining trick: WSB is not a regular VM. It uses Hyper-V for kernel-level isolation, but it does not ship a Windows image. Instead, it boots from a dynamically constructed image assembled from the host's already-installed Windows files — making it closer to a container than to a traditional virtual machine.
Architecture: container–VM hybrid
- Dynamic Base Image — most Windows OS files are immutable; the sandbox shares them directly with the host. Only the small mutable subset is shipped as a pristine package: 30 MB compressed → 500 MB on disk after install. No second copy of Windows.
- Direct map memory sharing — when ntdll.dll (and other binaries) load inside the sandbox, the sandbox is mapped to the same physical memory pages as the host's copy. No duplication, no leakage of host secrets.
- Dynamic memory reclamation — host can reclaim sandbox memory under pressure, like it would from a process. Traditional VMs allocate statically and can't give it back.
- WDDM GPU virtualization — graphics inside the sandbox compete with host apps for the real GPU (requires WDDM 2.5+). Falls back to WARP CPU-rendering on incompatible systems.
- Battery pass-through — the sandbox sees the host battery state and tunes power accordingly.
- Hardware-rooted isolation — runs on the Microsoft hypervisor with a separate kernel; the host kernel is not exposed.
The result: VM-grade isolation with container-grade footprint and start time.
Default behavior
- Networking: on (via Hyper-V default switch — exposes guest to internal network)
- Clipboard redirection: on
- Audio input: on, video input: off
- vGPU: on (non-Arm64)
- Printer redirection: off
- Memory cap: 4 GB
- Single instance only — no parallel sandboxes from the GUI
- Closing the window deletes all software, files, and state. No persistence across sessions (reboots within a session do persist, since Windows 11 22H2)
Configuration: .wsb files
Sandboxes are declared as XML in .wsb files. Double-click to launch. This makes one-off sandboxes reproducible and scriptable.
```xml
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Suspicious</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Suspicious</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\Suspicious\run.cmd</Command>
  </LogonCommand>
  <MemoryInMB>8192</MemoryInMB>
  <ProtectedClient>Enable</ProtectedClient>
  <ClipboardRedirection>Disable</ClipboardRedirection>
</Configuration>
```
Configurable knobs: vGPU, Networking, MappedFolders (with read-only flag), LogonCommand, AudioInput, VideoInput, ProtectedClient (runs sandbox inside AppContainer for an extra isolation boundary, restricts copy/paste), PrinterRedirection, ClipboardRedirection, MemoryInMB (auto-bumped to 2048 minimum). Default sandbox user is WDAGUtilityAccount.
CLI (wsb, Windows 11 24H2+)
A command-line interface turns the sandbox into something scriptable from CI, automation, or AI agents:
- wsb start [--config "<XML>"] — launches a sandbox, returns its ID
- wsb list — running sandboxes (table or --raw JSON)
- wsb exec --id <id> -c <cmd> -r <ExistingLogin|System> — run a command inside (no stdout capture; requires active session for user context)
- wsb share --id <id> -f <host> -s <sandbox> [--allow-write] — mount a folder after launch
- wsb connect --id <id> — RDP into the sandbox window
- wsb stop --id <id> — terminate
- wsb ip --id <id> — get the sandbox IP
This collapses a long-standing gap: pre-CLI, the only way to drive WSB was the GUI launcher and a LogonCommand.
When to reach for it
- Detonating untrusted installers, email attachments, or random .exe files
- Browsing sketchy URLs without polluting the host browser profile
- Testing software that "totally won't" leave registry keys / scheduled tasks behind
- Per-project dev environments (different Python/Node versions, isolated dependency trees)
- Quick reproductions where spinning up a real VM is overkill
Not the right tool for: long-running workloads, anything you want to keep, multi-VM scenarios, or Windows Home users (use Docker / a real VM / Linux Containers (LXC) instead).
Limitations
- Pro/Enterprise/Education only — not on Windows Home
- Single sandbox at a time from the GUI
- Networking on by default — easy footgun for malware analysis (always disable in .wsb for that use case)
- No process I/O capture from wsb exec — fire-and-forget only
- MappedFolders with write enabled persist after the sandbox is destroyed
- Sandbox window size is not configurable
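Added example (not from the original page or from Microsoft): a small Python check that audits a .wsb file against the defaults and limitations listed above before it is used to detonate untrusted files. The policy (flag every feature the page lists as on by default unless it is explicitly set to Disable, require ProtectedClient, flag writable mapped folders) and both sample configurations are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Features this page lists as ON by default: omitting the element leaves them on.
ON_BY_DEFAULT = ("Networking", "ClipboardRedirection", "AudioInput", "vGPU")

def audit_wsb(xml_text):
    """Return findings for a .wsb meant for detonating untrusted files."""
    root = ET.fromstring(xml_text)
    findings = []
    for name in ON_BY_DEFAULT:
        value = (root.findtext(name) or "Default").strip()
        if value.lower() != "disable":
            findings.append(f"{name}={value}: feature stays on")
    if (root.findtext("ProtectedClient") or "").strip().lower() != "enable":
        findings.append("ProtectedClient not enabled: no AppContainer boundary")
    for folder in root.iterfind("./MappedFolders/MappedFolder"):
        host = (folder.findtext("HostFolder") or "?").strip()
        # An omitted ReadOnly element means the mapping is writable.
        read_only = (folder.findtext("ReadOnly") or "false").strip().lower()
        if read_only != "true":
            findings.append(f"MappedFolder {host}: writable, changes persist on host")
    return findings

# Constructed sample: only maps a folder, everything else left at defaults.
LOOSE = r"""<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Samples</HostFolder>
    </MappedFolder>
  </MappedFolders>
</Configuration>"""

# Constructed sample: the page's settings plus AudioInput disabled.
LOCKED_DOWN = r"""<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <AudioInput>Disable</AudioInput>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Suspicious</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>"""

if __name__ == "__main__":
    for label, text in (("LOOSE", LOOSE), ("LOCKED_DOWN", LOCKED_DOWN)):
        print(label, audit_wsb(text) or "no findings")
```

Under this policy, a configuration that omits AudioInput is still flagged, because the microphone is on by default.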
Open source surface
- The sandbox engine itself ships with Windows and is closed-source
- The microsoft/Windows-Sandbox GitHub repo is MIT-licensed and hosts community add-ons, sample .wsb files, GUI utilities (e.g., "Run in Sandbox" context menu, PyWinSandbox), and issue tracking — not the core code
References
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot
- https://github.com/microsoft/Windows-Sandbox
About Sébastien
I'm Sébastien Dubois, and I'm on a mission to help knowledge workers escape information overload. After 20+ years in IT and seeing too many brilliant minds drowning in digital chaos, I've decided to help people build systems that actually work. Through the Knowii Community, my courses, products & services and my Website/Newsletter, I share practical and battle-tested systems.