Windows Sandbox — disposable Windows environment for safe testing
What it is
Windows Sandbox is a feature built into modern Windows (Pro and Enterprise editions, from Windows 10 1903 onward). It provides a temporary, isolated environment that runs a clean Windows instance on demand. The main idea is simple: you launch Sandbox, test or run something risky, then close it — and everything inside is discarded. No need to spin up a full VM manually or reinstall the OS after running untrusted software.
How it works (in short)
– It uses Microsoft’s built-in hypervisor (Hyper-V) under the hood.
– When launched, it boots a clean Windows image based on system files from the host.
– The environment is isolated: no permanent access to host files unless explicitly shared.
– Once Sandbox is closed, all changes (apps installed, files, registry edits) are wiped.
– Configuration files (.wsb) can define behaviors — shared folders, GPU support, or networking.
Technical profile
Area | Details |
Availability | Windows 10 Pro/Enterprise (1903+), Windows 11 Pro/Enterprise |
Hypervisor | Based on Hyper-V |
Type | Disposable VM with clean Windows image |
Persistence | None by default (reset on exit) |
Configuration | .wsb files for custom settings |
Integration | Clipboard, file copy between host and Sandbox |
Security | Kernel isolation, memory sandboxing |
License | Included with Windows (no extra cost) |
Deployment notes
– Must enable virtualization in BIOS/UEFI (Intel VT-x/AMD-V).
– The “Windows Sandbox” Windows feature must be turned on via “Optional Features.”
– Requires enough disk space and RAM — typically at least 4 GB RAM and 1 GB free disk.
– Networking can be enabled or disabled in .wsb config.
– GPU passthrough is optional for graphics workloads.
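The .wsb settings mentioned above (shared folders, networking, GPU, clipboard) decide how much of the host a sample can reach, so it is worth checking a config before opening untrusted files with it. The following is an added example, not part of the original page: a small auditor that flags any of those settings left open. The sample config and its paths are constructed, and the "must be explicitly Disable" policy is an assumed strict profile for malware triage.

```python
# Added example: audit a Windows Sandbox .wsb file before using it for untrusted files.
import xml.etree.ElementTree as ET

# Constructed sample configuration (paths are made up for illustration).
SAMPLE_WSB = """<Configuration>
  <VGpu>Enable</VGpu>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Samples\\inbox</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\\Users\\analyst\\Documents</HostFolder>
    </MappedFolder>
  </MappedFolders>
</Configuration>"""

# Assumed strict policy: each of these must be explicitly set to "Disable".
SWITCHES = ("Networking", "VGpu", "ClipboardRedirection")

def _text(node, tag):
    """Return the trimmed, lower-cased text of a child element ('' if absent)."""
    return (node.findtext(tag) or "").strip().lower()

def audit_wsb(xml_text):
    """Return a list of findings for a .wsb document; an empty list means none."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("not a .wsb file: root element must be <Configuration>")
    findings = []
    for tag in SWITCHES:
        if _text(root, tag) != "disable":
            findings.append(f"{tag} is not explicitly set to Disable")
    # A mapped folder without <ReadOnly>true</ReadOnly> lets sandboxed code write to the host.
    for folder in root.iter("MappedFolder"):
        if _text(folder, "ReadOnly") != "true":
            host = (folder.findtext("HostFolder") or "?").strip()
            findings.append(f"mapped folder is writable from the sandbox: {host}")
    return findings

if __name__ == "__main__":
    for finding in audit_wsb(SAMPLE_WSB):
        print("FINDING:", finding)
```

For developer or graphics testing, some of these findings are acceptable; the strict profile is meant for the suspicious-attachment scenario.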
Usage scenarios
– Testing untrusted software: run installers or unknown apps without risking the host.
– Opening suspicious attachments: isolate potential malware in a temporary Windows environment.
– Configuration trials: check registry tweaks or scripts without messing with the production machine.
– Developer checks: verify how an app behaves on a “clean” Windows without existing dependencies.
Limitations
– Available only on Pro/Enterprise editions (not Home).
– No persistent state — once closed, everything is lost.
– Limited flexibility compared to full VMs (e.g., cannot run different Windows versions).
– Relies on Hyper-V, so it can conflict with other virtualization tools like VMware or VirtualBox.
Comparison snapshot
Tool | Distinctive trait | Best suited for |
Windows Sandbox | Disposable, built into Windows | Quick, safe testing on Windows hosts |
Hyper-V | Full virtualization, persistent VMs | SMB/enterprise virtualization |
VirtualBox | Cross-platform, flexible | Training, multi-OS labs |
VMware Workstation | Rich features, snapshots | Professional dev/test setups |
Quick start
1. Enable virtualization in BIOS.
2. In Windows, enable the “Windows Sandbox” feature (Control Panel → Programs → Turn Windows features on/off).
3. Reboot the host.
4. Launch “Windows Sandbox” from the Start Menu.
5. Run the test; close Sandbox to discard all changes.
Field notes (2025)
– Ideal for IT staff handling suspicious files daily.
– Much faster than provisioning a full VM for small tests.
– No need to manage snapshots — it resets by design.
– Limited to “one flavor” of Windows (no version choice).
– Handy for quick isolation tasks, but not a substitute for lab virtualization.