Setting Up a Windows Sandbox
Oct 16, 2025Computer HardwareComments (0)
Windows Sandbox is a built-in feature of Windows 10 and later, which allows you to quickly fire up an isolated desktop environment inside a window. This is great for testing software or running something from a non-trusted source. Each time you open the sandbox it is a fresh instance of Windows, and when you close it, it is wiped and gone.
If you haven't yet, enable the Windows Sandbox feature. In the search bar, start typing "Turn Windows features on or off" and it should quickly find the control panel you need (usually after just typing "turn"). Open it, then scroll down to Windows Sandbox, make sure it is checked, and click OK.
Windows sandboxes use text files with the extension "wsb". Giving a text file this extension tells Windows it is a sandbox configuration file, and double-clicking it will open a sandbox with the configuration contained inside.
Make sure you have enabled file extensions, then create an empty text file and name it something like "sandbox.wsb". Its icon should change to represent the Windows Sandbox icon.
Now open that empty file in a text editor and paste in this:
That is all you need and the sandbox will use default configuration for everything. You should now be able to double-click your wsb file and it will fire up a window with a sandbox environment.
If you want to share files between your computer and the sandbox environment, you can create mapped folders. These are folders where you can share files to and from the sandbox. They can be set as read only if you don't want the sandbox to be able to edit anything in the shared folder (just read or copy from).
Here is an example configuration, which creates a "Share" folder on the sandbox desktop, that will have the contents of the "Share" folder on your regular PC desktop:
The HostFolder is the path to the folder you want to share to the sandbox. It does not need to be the same name as what shows up in the sandbox, but you do have to create it yourself.
If you're going to be running untrusted software, you may not want it reaching out to the Internet. You can use the Networking configuration like this:
You can combine multiple configurations. Here is one that disables networking, and allows both ready and write access to a shared folder (so the sandbox can share files back):
For more information and troubleshooting, view the official Microsoft Sandbox page.
Enable Windows Sandbox
If you haven't yet, enable the Windows Sandbox feature. In the search bar, start typing "Turn Windows features on or off" and it should quickly find the control panel you need (usually after just typing "turn"). Open it, then scroll down to Windows Sandbox, make sure it is checked, and click OK.
Create a Simple Sandbox
Windows sandboxes use text files with the extension "wsb". Giving a text file this extension tells Windows it is a sandbox configuration file, and double-clicking it will open a sandbox with the configuration contained inside.
Make sure you have enabled file extensions, then create an empty text file and name it something like "sandbox.wsb". Its icon should change to represent the Windows Sandbox icon.
Now open that empty file in a text editor and paste in this:
<Configuration>
</Configuration>That is all you need and the sandbox will use default configuration for everything. You should now be able to double-click your wsb file and it will fire up a window with a sandbox environment.
Shared Folders
If you want to share files between your computer and the sandbox environment, you can create mapped folders. These are folders where you can share files to and from the sandbox. They can be set as read only if you don't want the sandbox to be able to edit anything in the shared folder (just read or copy from).
Here is an example configuration, which creates a "Share" folder on the sandbox desktop, that will have the contents of the "Share" folder on your regular PC desktop:
<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\YOUR_USERNAME\Desktop\Sandbox\Share</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Share</SandboxFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
</Configuration>The HostFolder is the path to the folder you want to share to the sandbox. It does not need to be the same name as what shows up in the sandbox, but you do have to create it yourself.
Disabling Networking
If you're going to be running untrusted software, you may not want it reaching out to the Internet. You can use the Networking configuration like this:
<Configuration>
<Networking>Disable</Networking>
</Configuration>More Examples
You can combine multiple configurations. Here is one that disables networking, and allows both ready and write access to a shared folder (so the sandbox can share files back):
<Configuration>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\YOUR_USERNAME\Desktop\Sandbox\Share</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Share</SandboxFolder>
<ReadOnly>false</ReadOnly>
</MappedFolder>
</MappedFolders>
</Configuration>More Reading
For more information and troubleshooting, view the official Microsoft Sandbox page.