Sandbox in Windows

Original author: Hari Pulapaka
The sandbox is a new lightweight tool in Windows that allows you to run applications in a secure, isolated environment.

Have you ever needed to run a program whose origin you were not quite sure of? Or needed to check something on a “clean” copy of Windows? Until now, the only way out in such cases was to install the OS on a separate physical or virtual machine and run the experiment there. That is no longer the case.

Microsoft has developed a new mechanism called Windows Sandbox. This is an isolated temporary environment in which you can run suspicious software without risking harm to your PC. Any software installed in the Sandbox stays in the Sandbox and cannot interact with the main OS. As soon as you close the Sandbox, all of its contents are irretrievably destroyed.

Here are the main features of the Sandbox:

  • Part of Windows. If you have Windows 10 Pro or Enterprise, you can start using it right away.
  • From scratch. Every time you start the Sandbox, you get the same clean, unchanging environment: exactly what your OS was right after installation.
  • No trace. When the Sandbox is closed, all applications installed in it and all files created there are destroyed. Once the Sandbox is closed, no trace of it remains.
  • Security. Hardware virtualization is used: the hypervisor runs a separate OS kernel and isolates it from your main OS.
  • Efficiency. Uses an integrated task scheduler, smart memory management and a virtual GPU.

System requirements

  • Windows 10 Pro or Enterprise, build 18305 or higher
  • AMD64 architecture
  • Virtualization enabled in the BIOS
  • Minimum 4 GB RAM (8 GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • Dual-core processor (4 cores with hyper-threading support recommended)

Fast start

1. Install Windows 10 Pro or Enterprise, build 18305 or higher

2. Enable virtualization:

  • If you are working on a physical machine, do it in the BIOS
  • If you are running inside a virtual machine, use the following PowerShell command:

    Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true

3. Open the list of installed Windows components (via the Control Panel), enable the Sandbox and click OK. If you are asked to restart the computer, confirm.


4. Run the Sandbox from the Start menu and allow its process to elevate when prompted.

5. Copy the binary you want to run into the Sandbox (via the clipboard).

6. Run the binary in the Sandbox. If this is an installer, go through the installation procedure and run the installed application.

7. Use the application as intended.

8. When you are done, simply close the Sandbox. All of its contents will be deleted.

9. Optionally, verify that nothing has changed in your main OS.
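The nine steps above, carried out from PowerShell on the host, as an added example that is not part of the original post. It checks the prerequisites from the "System requirements" list, enables the Sandbox optional feature (the PowerShell equivalent of step 3), launches the Sandbox, and implements the optional step 9 by hashing a chosen host folder before and after the session. The feature name `Containers-DisposableClientVM`, the launcher `WindowsSandbox.exe` and the `$BaselineFolder` path are assumptions not stated in the post.

```powershell
# Added example; not part of the original post. Run from an elevated
# PowerShell prompt on the HOST, never inside the Sandbox.
# Assumptions: the optional-feature name "Containers-DisposableClientVM"
# and the launcher WindowsSandbox.exe are the names Windows 10 uses;
# $BaselineFolder is a folder you choose to watch for host-side changes.

#Requires -RunAsAdministrator

function Test-SandboxPrerequisites {
    # Returns an ordered table of check name -> $true/$false, mirroring the
    # "System requirements" list in the post.
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $cpu = Get-CimInstance Win32_Processor

    # If a hypervisor is already running (e.g. Hyper-V enabled), the firmware
    # flag reads $false, so accept either signal as "virtualization is on".
    $virtOn = $cs.HypervisorPresent -or (($cpu | Where-Object { $_.VirtualizationFirmwareEnabled }) -ne $null)

    [ordered]@{
        'Build >= 18305'         = ([int]$os.BuildNumber -ge 18305)
        'Pro/Enterprise edition' = ($os.Caption -match 'Pro|Enterprise')
        'AMD64 architecture'     = ($os.OSArchitecture -like '64*')
        'Virtualization enabled' = [bool]$virtOn
        # TotalVisibleMemorySize is reported in KB; 4MB (4194304) KB is 4 GB
        'RAM >= 4 GB'            = ($os.TotalVisibleMemorySize -ge 4MB)
        'Logical CPUs >= 2'      = ($cs.NumberOfLogicalProcessors -ge 2)
    }
}

function Enable-WindowsSandboxFeature {
    # PowerShell equivalent of step 3 (the "Windows components" dialog).
    $name  = 'Containers-DisposableClientVM'
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $name).State
    if ($state -eq 'Enabled') { return 'AlreadyEnabled' }
    $r = Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart
    if ($r.RestartNeeded) { 'RestartNeeded' } else { 'Enabled' }
}

function Get-FolderBaseline {
    # SHA-256 of every file under $Path; used for step 9 to show the host
    # folder was untouched while the Sandbox ran.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Select-Object Path, Hash
}

function Compare-FolderBaseline {
    param($Before, $After)
    # Any added, removed or modified file appears as a Path/Hash difference.
    Compare-Object -ReferenceObject @($Before) -DifferenceObject @($After) -Property Path, Hash
}

# ---- main flow: steps 1-3, then 4 and 9 ----
$checks = Test-SandboxPrerequisites
$checks.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
if (@($checks.Values | Where-Object { $_ -eq $false }).Count -gt 0) {
    throw 'Prerequisites not met; fix the items marked False before continuing.'
}

if ((Enable-WindowsSandboxFeature) -eq 'RestartNeeded') {
    Write-Warning 'Restart the computer, then run this script again.'
    return
}

$BaselineFolder = Join-Path $env:USERPROFILE 'Documents'   # assumption: folder to watch
$before = Get-FolderBaseline -Path $BaselineFolder

# Step 4: launch the Sandbox (it asks for elevation itself if needed).
Start-Process -FilePath (Join-Path $env:SystemRoot 'System32\WindowsSandbox.exe')
$null = Read-Host 'Do your testing in the Sandbox, close it, then press Enter'

# Step 9: compare the host folder with the pre-session baseline.
$after = Get-FolderBaseline -Path $BaselineFolder
$diff  = Compare-FolderBaseline -Before $before -After $after
if ($diff) { $diff | Format-Table -AutoSize } else { "No changes under $BaselineFolder." }
```

The baseline comparison only covers the one folder you point it at, and any difference it reports means something on the host changed during the session, which may simply be your own activity; keep that folder quiet while the Sandbox is open so a non-empty diff is worth investigating.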


What is under the hood of the Sandbox

Windows Sandbox is built on a technology called Windows Containers. Containers were developed for (and have long been used in) the cloud. Microsoft took this mature, well-tested technology and adapted it for desktop Windows users.

The key adaptations include:

Dynamically generated image

The Sandbox is a lightweight, but still real, virtual machine. Like any virtual machine, it needs an image to boot from. The most important feature of the Sandbox is that you do not need to download or build this image yourself: it is created on the fly from the files of your current Windows installation.

We always want the same “clean” environment for the Sandbox. But there is a problem: some system files may have been modified. The solution was a “dynamically generated image”: for modified files, their original versions are included in the image, while physically unchanged files are not copied into the image at all; instead, links to the real files on disk are used. In practice, such links make up the majority of the files in the image. Only a small part of them (about 100 MB) is included in the image completely, and that is its size. Moreover, when the Sandbox is not in use, these files are stored in compressed form and take up about 25 MB. When the Sandbox starts, they expand into that same “dynamic image” of about 100 MB.


Smart memory management

Memory management is another important improvement in the Sandbox. The hypervisor allows several virtual machines to run on a single physical machine, and this generally works well on servers. But, unlike servers, ordinary user machines have far more limited resources. To achieve acceptable performance, Microsoft developed a special memory mode in which the main OS and the Sandbox can, in some cases, use the same memory pages.

In fact, since the main OS and the Sandbox run the same OS image, most of the system files in them are identical, so there is no point in loading the same libraries into memory twice. They can be loaded once in the main OS, and when the same file is needed in the Sandbox, it can be given a reference to the same page. Of course, additional measures are required to keep this approach secure, and Microsoft has taken care of them.


Integrated scheduler

With conventional virtual machines, the hypervisor controls the operation of the virtual processors running in them. For the Sandbox, a new technology called the “integrated scheduler” was developed, which lets the main OS decide when and how many resources to allocate to the Sandbox. It works like this: the Sandbox's virtual processors run as threads inside the Sandbox process. As a result, they have the same “rights” as any other threads in your main OS. If, for example, some high-priority threads are running, the Sandbox, whose threads have normal priority, will not take much time away from them. This allows the Sandbox to be used without slowing down critical applications while keeping the main OS UI sufficiently responsive, similar to how Linux KVM works.

The main task was to make the Sandbox, on the one hand, just an ordinary application and, on the other, to guarantee isolation at the level of classic virtual machines.

Using "snapshots"

As mentioned above, the Sandbox uses the hypervisor: we are essentially running one copy of Windows inside another. This means it takes some time to boot. We can spend that time on every Sandbox launch, or do it only once: boot the virtual OS, then save its entire state (changed files, memory, processor registers) to disk. After that, the Sandbox can be launched from this snapshot, saving the startup time.

Graphics virtualization

Hardware graphics virtualization is the key to a smooth and fast user interface, especially for graphics-intensive applications. However, classic virtual machines are inherently limited in their ability to use the GPU directly. This is where graphics virtualization technologies come in: they overcome this limitation and allow hardware acceleration to be used, in some form, in a virtual environment. One example of such a technology is Microsoft RemoteFX.

In addition, Microsoft worked extensively with graphics and driver manufacturers to integrate graphics virtualization capabilities directly into DirectX and WDDM (the Windows driver model).

As a result, the graphics in the Sandbox works as follows:

  • The application in the Sandbox uses graphics functions in the usual way, without knowing who will execute them or how
  • The Sandbox graphics subsystem receives the rendering commands and forwards them to the main OS
  • The main OS, on receiving the rendering commands, treats them as if they came from a locally running application and executes them accordingly, allocating and managing the necessary resources.

(The original post illustrates this process with a diagram, not reproduced here.)

This gives the virtual environment full access to hardware-accelerated graphics, which brings both performance gains and savings of some resources (for example, laptop battery power), because graphics are no longer rendered by heavy computation on the CPU.

Battery use

The Sandbox has access to battery charge information and can optimize its work to conserve it.

Feedback and Problem Reports

Any new technology may have bugs. Microsoft asks that bug reports and feature suggestions be submitted via the Feedback Hub.
