The Windows 10 May 2019 Update (version 1903) introduced Windows Sandbox, a feature that lets you run programs in isolation from the rest of the operating system.

When you open Windows Sandbox, it starts a separate, lightweight desktop environment that is isolated from your Windows installation. Everything you install, download or create inside it is permanently discarded when you close the Sandbox window or end the session.

You can run untrusted software, scripts, suspected malware and adware in it without fear of affecting your normal Windows installation. Windows Sandbox is available on the Pro and Enterprise editions of Windows 10 and requires hardware virtualization to be enabled in the firmware.

Microsoft also lets you supply a configuration file that changes how the sandbox behaves when it starts.

This section explains how to build such a configuration file and launch Windows Sandbox with it.

Create the Configuration File for Windows Sandbox (.wsb)

A Windows Sandbox configuration file is a plain text file containing XML configuration directives. You create it in a text editor such as Notepad and save it with a .wsb extension.

You can create as many configuration files as you like; give them descriptive names so you can tell what each one does. Windows associates the .wsb extension with Windows Sandbox, so double-clicking a .wsb file starts the Sandbox with that configuration.

For example, the directory below contains several Windows Sandbox configuration files, each set up for a different task.

Windows Sandbox Configuration Files

To create a Windows Sandbox configuration file:

  1. Open Notepad.
  2. Enter your configuration directives.
  3. Save the file with a .wsb extension.

You can give the file any name, such as mapped-malware-folder.wsb, but it must end in the .wsb extension. Notepad's Save dialog defaults to the .txt type, so choose "All Files" as the file type; otherwise the file is saved as mapped-malware-folder.wsb.txt and Windows Sandbox will not open it.

The file must start with the <Configuration> tag and end with the matching </Configuration> tag. All other configuration directives go between these two tags.

For example:

<Configuration>
 <directive></directive>
 ...
</Configuration>

The following sections explain the configuration directives you can use in a Windows Sandbox configuration file. We then combine them into a configuration that disables networking but still lets you transfer files into the Sandbox through a mapped folder.

Enable or Disable Networking

When you test a malware sample, the infection may try to contact a remote host or perform other undesirable network activity. Disabling networking in Windows Sandbox prevents that.

The Networking directive is used for this, as shown below.

<Networking>Disable</Networking>

This directive accepts two values: Disable turns networking off, and Default leaves it enabled (the behaviour when the directive is omitted). Note that disabling networking only cuts the network path; a sample can still write to the host through a mapped folder that is not read-only, which is why the mapped folder section below recommends ReadOnly.

Switch the vGPU On or Off

By default, Windows Sandbox uses a virtualized GPU (vGPU) so that rendering inside the sandbox is hardware accelerated.

If you would rather use software rendering instead, you can disable the vGPU with the following directive.

<VGpu>Disable</VGpu>

This directive accepts Disable, which turns the vGPU off, or Default, which leaves it enabled. Sharing the host GPU with the sandbox slightly increases the sandbox's attack surface, so disabling it is a reasonable trade-off for malware analysis, where graphics performance does not matter.

Most users should leave the vGPU enabled, as software rendering is much slower.

Map a File Transfer Folder

Windows Sandbox lets you share folders from your Windows host (your normal Windows installation) so that their contents are available inside the Sandbox.

To do so, use the MappedFolder directive to specify the folder on the host that you want to access in the Windows Sandbox. One or more MappedFolder entries are placed inside a single MappedFolders element.

The directive looks like this:

<MappedFolders>
  <MappedFolder>
    <HostFolder>path to the host folder</HostFolder>
    <ReadOnly>value</ReadOnly>
  </MappedFolder>
</MappedFolders>

ReadOnly can be set to true or false. When it is true, programs in the Sandbox can read the files but cannot modify them. When it is false, programs in the Sandbox can modify the files, and the changes are written through to the folder on the host.

For example, to share the folder D:\Programs so that you can access it in the Sandbox but not change its contents, you would use the following directive.

<MappedFolders>
  <MappedFolder>
    <HostFolder>D:\Programs</HostFolder>
    <ReadOnly>true</ReadOnly>
  </MappedFolder>
</MappedFolders>

Inside the Sandbox, mapped folders appear on the desktop of the sandbox user account, WDAGUtilityAccount, as subfolders of C:\Users\WDAGUtilityAccount\Desktop named after the host folder. D:\Programs, for example, appears as C:\Users\WDAGUtilityAccount\Desktop\Programs.

Note that if a folder is mapped with ReadOnly set to false, any program running in the Sandbox, including the malware you are testing, can modify or delete the files in that folder on the host. For malware analysis, keep mapped folders read-only and copy the samples to the Sandbox's own disk if a tool needs to write next to them.

Logon Command

Windows Sandbox can also run a command automatically when the Sandbox starts, using the <LogonCommand> directive. The command runs inside the Sandbox as WDAGUtilityAccount once the sandbox desktop has loaded.

<LogonCommand>
 <Command>command to be invoked</Command>
</LogonCommand>

For example, to open File Explorer automatically after starting Windows Sandbox, use the following directive.

<LogonCommand>
 <Command>explorer.exe</Command>
</LogonCommand>
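The LogonCommand can do more than open a window: it can run a script that prepares the sandbox before you touch a sample. The following PowerShell script is an added example and is not part of the original article. It assumes the host folder C:\Malware-Samples is mapped read-only (so it appears at C:\Users\WDAGUtilityAccount\Desktop\Malware-Samples inside the sandbox) and that the script itself is stored in that folder as Prepare-Sandbox.ps1; both names are illustrative. The matching <Command> line is shown in the header comment.

```powershell
# Added example, not part of the original article: a PowerShell script that
# Windows Sandbox runs through <LogonCommand>. It assumes the host folder
# C:\Malware-Samples is mapped read-only (so it appears inside the sandbox at
# C:\Users\WDAGUtilityAccount\Desktop\Malware-Samples) and that this script is
# stored in that folder as Prepare-Sandbox.ps1; both names are illustrative.
#
# Matching directive for the .wsb file. PowerShell's execution policy inside
# the sandbox is the Windows client default (Restricted), hence
# -ExecutionPolicy Bypass; -NoExit keeps the console open so output is visible.
#
#   <LogonCommand>
#     <Command>powershell.exe -NoExit -ExecutionPolicy Bypass -File C:\Users\WDAGUtilityAccount\Desktop\Malware-Samples\Prepare-Sandbox.ps1</Command>
#   </LogonCommand>

$Mapped   = 'C:\Users\WDAGUtilityAccount\Desktop\Malware-Samples'  # read-only view of the host folder
$WorkDir  = 'C:\Work'                  # sandbox-local disk: writable, destroyed on exit
$Manifest = Join-Path $WorkDir 'manifest.txt'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Confirm the isolation the .wsb asked for actually took effect before a
#    sample is touched. With <Networking>Disable</Networking> no adapter should
#    report Up, so an active adapter means the configuration was not applied.
$up = Get-NetAdapter -ErrorAction SilentlyContinue | Where-Object Status -eq 'Up'
if ($up) {
    Write-Warning ('Networking is ENABLED ({0}). Check the <Networking> directive.' -f ($up.Name -join ', '))
} else {
    Write-Host 'Networking disabled: no active network adapter.'
}

# 2. Copy the samples out of the read-only share onto the sandbox disk. Tools
#    that write beside the sample (unpackers, droppers) need a writable path,
#    and the originals on the host stay untouched either way.
Get-ChildItem -Path $Mapped -File |
    Where-Object { $_.Extension -notin '.ps1', '.wsb' } |
    Copy-Item -Destination $WorkDir

# 3. Record SHA-256 and size of every working copy. The sandbox is destroyed
#    on exit, so notes taken during analysis can only be tied back to the host
#    copy of a sample through a hash recorded here.
Get-ChildItem -Path $WorkDir -File |
    Where-Object Name -ne 'manifest.txt' |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
        '{0}  {1,10} bytes  {2}' -f $h.Hash, $_.Length, $_.Name
    } | Set-Content -Path $Manifest -Encoding UTF8

Get-Content -Path $Manifest
Start-Process -FilePath explorer.exe -ArgumentList $WorkDir
```

Because the script lives in the read-only mapped folder, nothing running in the sandbox can alter it; the working copies in C:\Work are the only files a sample can touch, and they disappear with the sandbox.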

Putting It Together in a Sample Configuration File

Now that we have covered the directives available in a Windows Sandbox configuration file, let us build a sample that uses them together.

Suppose you use Windows Sandbox to examine files you suspect are malicious. The files are stored in C:\Malware-Samples on your Windows computer, and you want that folder to be accessible in the Sandbox.

At the same time, you want networking disabled so that the sample cannot make network connections during the test.

Finally, you want the shared samples folder to open automatically when the Sandbox launches.

To do so, we build the following configuration file, which shares C:\Malware-Samples read-only, disables networking and opens the Malware-Samples folder in the Sandbox automatically.

<Configuration>
 <Networking>Disable</Networking>
 <MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Malware-Samples</HostFolder>
     <ReadOnly>true</ReadOnly>
   </MappedFolder>
 </MappedFolders>
 <LogonCommand>
  <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Malware-Samples</Command>
 </LogonCommand>
</Configuration>
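Writing the file by hand in Notepad, as described at the start, is fine for one configuration. Once you have several, it is easier to generate them from a script that also checks the things that commonly go wrong (a host folder that does not exist, a mapping accidentally left writable, a file saved with the wrong extension). The following PowerShell script is an added example for this article, not Microsoft's code: it builds the sample configuration above on the host, verifies it and launches it. The function names and the output file name are illustrative; it assumes C:\Malware-Samples exists on the host and that the .wsb extension is associated with Windows Sandbox, which it is once the feature is installed.

```powershell
# Added example, not part of the original article: build the .wsb file for the
# scenario above on the host, check it, and launch it. Function and file names
# are illustrative; it assumes C:\Malware-Samples exists on the host and that
# the .wsb extension is associated with Windows Sandbox.

# Mapped folders appear on the sandbox user's desktop under the host folder's leaf name.
function Get-SandboxPath {
    param([Parameter(Mandatory)] [string] $HostFolder)
    Join-Path 'C:\Users\WDAGUtilityAccount\Desktop' (Split-Path -Path $HostFolder -Leaf)
}

function New-SandboxConfig {
    param(
        [Parameter(Mandatory)] [string[]] $HostFolder,   # folders to expose, always read-only
        [switch] $AllowNetwork,                          # default is <Networking>Disable</Networking>
        [switch] $DisableVGpu,
        [string] $LogonCommand
    )
    # Build the XML with an XmlDocument rather than string concatenation so
    # that paths or commands containing &, < or > are escaped correctly.
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))

    $net = $root.AppendChild($doc.CreateElement('Networking'))
    $net.InnerText = $(if ($AllowNetwork) { 'Default' } else { 'Disable' })

    if ($DisableVGpu) {
        $gpu = $root.AppendChild($doc.CreateElement('VGpu'))
        $gpu.InnerText = 'Disable'
    }

    $mapped = $root.AppendChild($doc.CreateElement('MappedFolders'))
    foreach ($f in $HostFolder) {
        # A missing host folder makes the sandbox fail to start; catch it here.
        if (-not (Test-Path -LiteralPath $f -PathType Container)) {
            throw "Host folder not found: $f"
        }
        $mf = $mapped.AppendChild($doc.CreateElement('MappedFolder'))
        $hf = $mf.AppendChild($doc.CreateElement('HostFolder'))
        $hf.InnerText = (Resolve-Path -LiteralPath $f).Path
        # A writable mapping is the one route by which a sample can reach the
        # host disk, so this function never emits ReadOnly=false.
        $ro = $mf.AppendChild($doc.CreateElement('ReadOnly'))
        $ro.InnerText = 'true'
    }

    if ($LogonCommand) {
        $lc  = $root.AppendChild($doc.CreateElement('LogonCommand'))
        $cmd = $lc.AppendChild($doc.CreateElement('Command'))
        $cmd.InnerText = $LogonCommand
    }
    return $doc
}

# --- usage: the article's scenario -----------------------------------------
$samples = 'C:\Malware-Samples'
$config  = New-SandboxConfig -HostFolder $samples `
                             -LogonCommand ('explorer.exe ' + (Get-SandboxPath $samples))

# Save with the .wsb extension explicitly; Notepad's default of .txt is the
# usual reason a configuration "does nothing" when double-clicked.
$wsb = Join-Path ([Environment]::GetFolderPath('Desktop')) 'malware-analysis.wsb'
$config.Save($wsb)

# Round-trip the file through the XML parser and refuse to launch if any
# mapped folder was left writable.
$check = [xml](Get-Content -LiteralPath $wsb -Raw)
if ($check.Configuration.MappedFolders.MappedFolder | Where-Object ReadOnly -ne 'true') {
    throw 'Refusing to launch: a mapped folder is writable.'
}

Get-Content -LiteralPath $wsb      # show the generated configuration
Start-Process -FilePath $wsb       # opens it with Windows Sandbox via the .wsb association
```

The generated file is the same XML as the hand-written sample above; the difference is that the checks run every time, so a configuration reused months later still fails closed if the samples folder has moved or someone edited ReadOnly.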

As you can see, a configuration file makes Windows Sandbox considerably more versatile and lets you tailor it to a variety of tasks.

We hope Microsoft will continue to expand the options that can be set through this feature.
