Test your nasty apps in Windows 10’s disposable Sandbox

Raise your hands, everyone who's ever wanted to quickly check if a given program is kosher or will murder your system. Glad to see we're all here. The savviest gerbils probably have a clean virtual machine (VM) somewhere for this purpose, but that approach still entails some work and substantial disk space. Microsoft has good news, though: a compact, fast, and disposable Sandbox is coming to Windows 10.

The Sandbox contains a full-featured Windows desktop, all clean and pristine and ready for testing. Copy-paste some stuff into it and hit the road. It's disposable, too—all you need to do to ditch it is close it, and it'll come back devoid of any installed software when you fire it up again. Although the obvious use case for the Sandbox is checking if a program is bad, it can also be used for testing if an application works correctly in a pristine Windows environment. Having routinely used VMs for that exact purpose, I can only ever be so thankful. System administrators everywhere will love the ability to see if an app is truly broken or if the cause is just the user's biohazardous machine.

Microsoft's engineers, uh, engineered the Sandbox in a clever way. Underneath, it uses Windows Containers tech and employs dynamic links to the host's system files on disk and in RAM. The result is that 100 MB of disk space is all that's required for the Sandbox, and the necessary RAM is significantly reduced compared to a fully virtualized environment. To start up quickly, the Sandbox simply boots up from a VM snapshot instead of going through the entire Windows boot process.

As an added bonus, Microsoft says that there's hardware acceleration for DirectX and WDDM in the Sandbox, so long as you're running a WDDM 2.5 or newer graphics driver in the host. Last but not least, the Sandbox is aware of the host's battery state to avoid chewing right through it.

The feature will be available on Windows 10 Pro and Enterprise, and it requires nothing beyond the obvious: a 64-bit CPU and virtualization support enabled in the BIOS. Once it's shipped, the Sandbox will be available in the Windows Features applet. The feature is currently present in Windows 10 build 18305 and should make it to Insiders soon. Our best guess is that it'll see a release to the public this coming spring. Those looking for further technical detail can and should read Microsoft's blog post.
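
The prerequisites listed above can be checked from an elevated PowerShell prompt before turning the feature on. This is an added example, not code from the article or from Microsoft's blog post; the function name `Get-SandboxReadiness` is hypothetical, the optional-feature name `Containers-DisposableClientVM` is not given in the article, and treating every `Professional*` and `Enterprise*` edition ID as eligible is an assumption.

```powershell
# Added example: report the Sandbox prerequisites named in the article,
# then enable the optional feature only if all of them are met.
function Get-SandboxReadiness {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $system  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu     = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    [pscustomobject]@{
        Build          = [int]$os.BuildNumber
        BuildOk        = [int]$os.BuildNumber -ge 18305      # first build the article names
        Edition        = $edition
        EditionOk      = $edition -match '^(Professional|Enterprise)'   # assumption: Pro/Enterprise families
        Is64Bit        = [Environment]::Is64BitOperatingSystem
        # The firmware flag can read False when a hypervisor is already running,
        # so either signal is accepted as "virtualization available".
        Virtualization = [bool]($cpu.VirtualizationFirmwareEnabled -or $system.HypervisorPresent)
    }
}

$ready = Get-SandboxReadiness
$ready | Format-List

if ($ready.BuildOk -and $ready.EditionOk -and $ready.Is64Bit -and $ready.Virtualization) {
    $name    = 'Containers-DisposableClientVM'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name
    if ($feature.State -ne 'Enabled') {
        # -NoRestart leaves the reboot to the operator; the feature is usable after restart.
        Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart
    }
} else {
    Write-Warning 'One or more Windows Sandbox prerequisites are not met.'
}
```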

Comments closed
    • Kretschmer
    • 10 months ago

    Pornbox?

      • MOSFET
      • 10 months ago

      complete with wsappx and diagnostics

      • curtisb
      • 10 months ago

      *renames Stuff folder to Sandbox*

    • Flying Fox
    • 10 months ago

    I can’t seem to find information about how networking works inside the sandbox. Is the networking selectable like Hyper-V virtual switch where you can select Internal/Bridged/None, or it will be able to access the internet or (the usually more wide open) LAN just like any malware infested nodes able to do things to other devices on the network?

    • sweatshopking
    • 10 months ago

    BUT WHAT ABOUT ITUNES SPEED

      • Redocbew
      • 10 months ago

      YOU CAN RUN TWO COPIES AND HAVE THEM RACE EACH OTHER

    • mikewinddale
    • 10 months ago

    “Underneath, it uses Windows Containers tech and employs dynamic links to the host’s system files on disk and in RAM. ”

    So if the host’s system files are corrupted, won’t the VM’s files be corrupted too?

    So doesn’t that undermine the following statement? “System administrators everywhere will love the ability to see if an app is truly broken or if the cause is just the user’s biohazardous machine.”

      • Redocbew
      • 10 months ago

      The purpose would be to stop the bad-gunky from getting out into the host in the first place. If the host is corrupted, then you won’t be looking inside the sandbox for how to fix it.

      • morphine
      • 10 months ago

      “if the host's system files are corrupted” If that happens, you have much bigger problems than the Sandbox not working 🙂

      • ludi
      • 10 months ago

      A system administrator will test the app in a sandbox on a clean machine. If it fails the way the user claims, then they know it’s the app causing (at least some of) the trouble on the user’s machine.

    • tipoo
    • 10 months ago

    Can we use it to check if new Windows 10 builds are safe? ¯\_(ツ)_/¯

    • DoomGuy64
    • 10 months ago

    RIP Sandboxie that costs money, and seems more difficult to use.

      • Hsldn
      • 10 months ago

      It doesn’t deploy a full windows installation and actually was quite easy to use.

    • Wirko
    • 10 months ago

    It looks like the Sandbox will have no ability to save the state. Could this be a technical limitation or just an artificial one?

      • Redocbew
      • 10 months ago

      Probably just an artificial one, but it can get a little messy when you start trying to save state of a container. If you’re using the container itself to store data instead of storing it in an attached volume, then you’re probably Doing It Wrong.

    • Goty
    • 10 months ago

    Can we test windows updates in it?

      • chuckula
      • 10 months ago

      Sure but there’s no guarantee that a Windows Update that works fine in a VM will work fine on your real system.

      The best Windows install I ever used was one I set up in Virtualbox to let me run Office & Acrobat reader and that’s it. Never had a glitch during an upgrade.

        • ludi
        • 10 months ago

        I’d tell you the joke about the roof…but it’s over your head.

      • Wirko
      • 10 months ago

      Can we can windows in it?

      • K-L-Waster
      • 10 months ago

      You think the update patcher will update only the VM and not the core system? After the mess they made of the 1809 update I wouldn’t trust them to get that right…

        • Zoolook
        • 10 months ago

        Well if you run windows update only in the sandbox, it wouldn’t be able to erase your photos, problem solved 🙂

      • tipoo
      • 10 months ago

      Daw, beat me to it!

      • Krogoth
      • 10 months ago

      Poor Microsoft needs the global supply of liquid Helium to treat that burn.

      • sreams
      • 10 months ago

      Not the one that includes this update. 😛

      • maxxcool
      • 10 months ago

      Bahahahaha this makes me happy inside

    • davidbowser
    • 10 months ago

    disclaimer – I work for the Goog

    I’m glad that MS is working on this because I think it really benefits developers to have options regardless of the platform they develop on. I know it isn’t really a consumer thing, but VMware Workstation was my choice for years. Now I use “the cloud”.

    https://cloud.google.com/compute/docs/quickstart-windows

    There are several ways to automate it to get deployment time down if you need to do it in a consistently repeatable way.

    EDIT - typos galore

      • DragonDaddyBear
      • 10 months ago

      Yes, but this solution is free (with Windows 10 Pro).

        • morphine
        • 10 months ago

        And local. But OP’s information is still interesting, I hadn’t even realized that Google’s VMs were consumer options.

        • davidbowser
        • 10 months ago

        Free is legit best reason to use it.

    • Waco
    • 10 months ago

    …restricting this to Pro and Enterprise is very stupid. Regular users are by far the best target to auto-sandbox unknown crap they try to run from the interwebs.

      • morphine
      • 10 months ago

      Regular users would have their brains broken by the sight of another desktop, let alone get their minds around it well enough to make use of it. Source: been there, done that.

        • Waco
        • 10 months ago

        I hope there’s a feature in progress that would do it transparently going forward – I can see this being specific to power users, but something like this would be magical to stop a huge number of problems that techs end up fixing.

        • Voldenuit
        • 10 months ago

        For regular users, this should *be* their regular desktop, or at least one that’s derived from known good VM snapshots.

          • bthylafh
          • 10 months ago

          Try making sure this will work correctly every time on Ma and Pa Kettle’s cheapie Walmart PC that gets random peripherals plugged into it.

        • davidbowser
        • 10 months ago

        Windows-ception!

        • Neutronbeam
        • 10 months ago

        I just upvoted you–it’s a Christmas miracle!

        • arunphilip
        • 10 months ago

        “I saved my files on the desktop-in-a-desktop, and now they’re gone!”

          • Krogoth
          • 10 months ago

          This is exactly why it is a Professional/SMB-tier feature set. The average user doesn’t know what a VM is much less a VM snapshot.

            • LostCat
            • 10 months ago

            And a lot of people who know what it is would have no use for it whatsoever.

          • morphine
          • 10 months ago

          BIN-GO! (https://www.youtube.com/watch?v=OLmVTr9hq8Q)

          • MOSFET
          • 10 months ago

          The latest update tried to prepare us for this eventuality.

        • maxxcool
        • 10 months ago

        https://wallpapercave.com/wp/4gcdhVn.jpg

      • Krogoth
      • 10 months ago

      No, it is a professional/SMB-tier feature set. It is Microsoft’s way of justifying the premium for Pro and Enterprise.

      Paranoid types already have freeware VM solutions in place. So it is really a non-issue.

      • superjawes
      • 10 months ago

      The kind of user who downloads “unknown crap from the interwebs” is the kind of user who wouldn’t even know about the sandbox.

        • Waco
        • 10 months ago

        Right, but a transparent way to do it (even automagically) for those types of users would seriously cut down on malware / ransomware crap.

          • tay
          • 10 months ago

          This makes sense to me. Why is this not possible?

            • Redocbew
            • 10 months ago

            The hard part is determining what’s “bad” and what’s not, but I agree that would be a nifty way to go with the sandbox. If the intention is to ever make this more than a dev tool, then it’s going to need something like that.

            • Waco
            • 10 months ago

            It should be pretty straightforward to characterize the “badness” of any new app, at least until malware designers get to be clever and attack this specifically.

          • SomeOtherGeek
          • 10 months ago

          Upvoted for using the word “automagically”. i LOL’ed.

          • curtisb
          • 10 months ago

          The only way I could see this working is to use something like App-V and install everything in the sandbox first. Run the application virtually inside the sandbox, but only display the application’s GUI instead of the full sandbox GUI. Once it’s been run in the sandbox for a while it could either prompt the user to or automatically merge those applications and settings into the host OS.

          Since the sandbox is so lightweight, it could actually spin up a separate sandbox for each new application install, and then destroy that particular sandbox when the application is merged with the host OS. That way the initial application install truly is sandboxed and can’t cause any ill effects on anything else.

          The real question is how do you determine when, or even if, to merge the applications and settings into the host OS? Maybe you don’t…maybe all applications are sandboxed permanently. This would dramatically reduce the ability of malware to affect the entire system…particularly ransomware.

          In a business environment, there are tools native to Pro and Enterprise for limiting the ability of malware and ransomware to infect a regular user (or even an admin user, for that matter). AppLocker is one such tool, but not a lot of people use or even know about it. We’re doing some limited testing with it now. Most malware hits from the user’s profile, usually in AppData. You can set AppLocker so that it doesn’t allow executables to be run from within AppData. In fact, you can restrict it so that applications can only be run from Program Files and Windows, where regular user accounts don’t have write privileges (by default).

          *Note that App-V doesn't actually do this. It doesn't run the application on the server and send the GUI elements to the local machine. Instead it streams the application files to the local machine.
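
The AppLocker setup described in the comment above (executables allowed only from Program Files and Windows, so nothing under AppData runs) can be evaluated without applying it to the machine. This is an added example, not part of the original comment; the rule names, the `AppLockerDemo` folder and the `sample.exe` copy are constructed for the test, and the policy is written in audit-only mode.

```powershell
# Added example: build an allow-list policy as XML and ask AppLocker how it
# would treat one file in a trusted location and one under AppData.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Constructed sample: a harmless copy of notepad.exe placed under AppData,
# standing in for an executable dropped into the user's profile.
$work   = Join-Path $env:LOCALAPPDATA 'AppLockerDemo'
$sample = Join-Path $work 'sample.exe'
$policy = Join-Path $work 'policy.xml'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $sample -Force
Set-Content -Path $policy -Value $policyXml -Encoding UTF8

# Test-AppLockerPolicy only evaluates the rules; nothing is enforced or installed.
Test-AppLockerPolicy -XmlPolicy $policy `
    -Path "$env:WINDIR\System32\notepad.exe", $sample -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Clean up the constructed files.
Remove-Item -Path $work -Recurse -Force
```

A file that matches no allow rule in a configured rule collection is denied by default, which is why the allow-list needs no explicit AppData deny rule.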

            • Waco
            • 10 months ago

            Right, this is the sort of setup I would imagine them moving into eventually. Just the application showing, even though it’s sandboxed. Maybe permanent or not depending on settings / behavior. It doesn’t seem like a huge challenge once the infrastructure is in place.

            • curtisb
            • 10 months ago

            Well, I don’t think it would be trivial to implement, but done correctly it could solve a lot of problems.

            • Waco
            • 10 months ago

            I guess I shouldn’t have said easy – but the sandboxing part is the hard part in my mind. Seems like a worthwhile addition though!

            • curtisb
            • 10 months ago

            Application dependencies are going to be the hard part. Applications that need some runtime, toolkit, viewer, codec, or, God forbid, Java. Yeah, I know “runtime” covers Java, but it just had to be mentioned on its own, for reasons. 🙂

            Those are the things that will kill getting it off the ground for consumers…aka The Average Joe. IT shops should already be used to dealing with checking for these things when mass deploying software, so the impact shouldn’t be felt as much there.

            • Waco
            • 10 months ago

            Sure, but dependencies, unless we’re talking about malware, are all read-only. 🙂

            • curtisb
            • 10 months ago

            Yes, but if I understand the way the sandbox works, it’s a clean environment with only Windows. That means the dependencies won’t be “installed” in the newly created sandbox. And if every application is installed in its own sandbox, then the dependencies still wouldn’t be available since the whole idea of sandboxing is to keep the application from interfacing with the rest of the system…including another sandbox.

            There are a ton of things to be considered for it to work seamlessly and transparently. 🙂

      • dragontamer5788
      • 10 months ago

      Regular users won’t ever benefit, and such a good feature makes sense to pay $30 more for.

        • Waco
        • 10 months ago

        Not from this directly, but a transparent implementation? Oh yes.

          • ludi
          • 10 months ago

          That sounds like Kiosk Mode. Fine for libraries and such, not so fine for a user’s personal machine: they need files and programs to stay where they left them.

            • Waco
            • 10 months ago

            I don’t think blindly applying this is what I was proposing – just a way to sandbox apps (and contain their state) so that the most damage they can do is to themselves.
