Windows Sandbox – light weight playground for R&D, tutorials and workshops

Lucas Jellema 3

Windows Sandbox to me is a light weight Windows 10 virtual machine that I can quickly start and stop and use to install and run programs. The Windows Sandbox provides a well defined, clean environment that is fresh every time it is started. Inside the Sandbox, I can create an isolated environment for working through a tutorial or the labs in a workshop or for doing R&D to stuff I do not want (yet) in my regular Windows environment. One instance of the Sandbox can run at any one time.

image

The Sandbox has its own IP address. I can access applications running in the Sandbox over HTTP and vice versa (if I want to, I can define firewall rules to prevent this cross-boundary traffic). I can copy and paste files to and from the Sandbox. Additionally, I can configure mapped folders – folders from the Windows host to appear in the Sandbox. Apps in the Sandbox are run under the user account “WDAGUtilityAccount”. Hence, all folders are mapped under the following path: C:\Users\WDAGUtilityAccount\Desktop.

Windows Sandbox is based on Hyper-V, but does not require users to activate the hypervisor themselves. It is not necessary to install a guest operating system in the VM either; rather, it is generated automatically from the binaries of the host OS (see this article on the Windows Sandbox).

Sandbox configurations (XML files with wsb extension) can be prepared and used to start a Sandbox from.

SandboxConfigFile.png

You can configure host directories – on the regular Windows environment – to be mapped into the Sandbox. You may also specify Startup Scripts- PowerShell scripts to execute when the Sandbox is started, that can prepare – configure, install – the sandbox for what you want to do to it. The Windows Sandbox Editor is a GUI tool to edit Sandbox configuration files.

Note: Windows Sandbox is introduced in Windows 1903 – installed yesterday on my laptop.

To Get Started Quickly

To use Windows Sandbox, the feature must be turned on:

image

The the usual steps:

image

followed by

image

and

image

followed by a System Reboot.

After the reboot completed, sure enough: Windows Sandbox has become available.

image

 

I run as Administrator (I am not sure it is required, but it is certainly recommended).

This Sandbox startup logo appeared for a few seconds

image

and then a fresh Windows desktop appeared. Inside my regular Windows desktop. A Windows virtual environment – fresh and clean as freshly fallen snow.

image

Some apps are available on this pristine environment – including the Edge browser and Powershell

image

Just for kicks, I opened Edge, browsed to Visual Studio Code and installed the latest version of VS Code – basically to see whether it works and works any differently from regular, outside-the-sandbox actions. And of course it feels quite the same:

image

(although I had to install the Server edition – because I am running the Sandbox as Admin it seems)

image

And Install it:

image

I am not sure what I was expecting – and of course nothing special happened:

image

and

image

VS Code running in the Sandbox. No big deal. Nice thing: it did not interfere, potentially mess with my regular environment. Not that VS Code is such a big threat, but it is the principal that matters.

The file system looks squeaky clean – mine never does apart from the first few minutes after I have collected my new laptop.

image

Then for more kicks I installed Node:

image

To find out if I can run a Node application that handles HTTP requests and send HTTP requests from outside the Sandbox. Turns out (spoiler alert) that I can.

image

I also installed GitKraken to give it a try, cloned a GitHub repo with a Node application to handle HTTP requests, ran that applicationimage

Figured out the IP address for the Sandbox (just use IP Config; in blue is the Sandbox, in black the Windows host):

image

 

 

And accessed the Node application from a browser on the Windows host – so from outside the Windows Sandbox:

image

 

Close the Sandbox environment:

image

And press OK to be done with it.

Starting a new and fresh Sandbox takes just a few seconds.

Run a Sandbox with Host Folder Mapping and auto-installation of Software

Using a simple wsb file, taken from this article, I can configure a Sandbox – with a mapped folder from the Windows host and with a startup scripts to install Visual Studio Code.

The wsb file contains the following XML definition:

<Configuration>
   <MappedFolders>
     <MappedFolder>
       <HostFolder>C:\SandboxScripts</HostFolder>
       <ReadOnly>true</ReadOnly>
     </MappedFolder>
     <MappedFolder>
       <HostFolder>C:\CodingProjects</HostFolder>
       <ReadOnly>false</ReadOnly>
     </MappedFolder>
   </MappedFolders>
   <LogonCommand>
     <Command>C:\users\wdagutilityaccount\desktop\SandboxScripts\VSCodeInstall.cmd</Command>
   </LogonCommand>
</Configuration>

This startup script lives in the directory c:\SandboxScripts on the Windows Host (that will be mapped to C:\users\wdagutilityaccount\desktop\SandboxScripts in the Sandbox):

REM Download VSCode
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe

REM Install and run VSCode
C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes

Starting the Sandbox by running the wsb script works well.

image

It takes about 5 seconds to start the Sandbox and one minute for the installation of VS Code to be complete. As an alternative, the installer could be available in the folder mapped to the Sandbox and executed from there. This brings down the time to get coding in VS Code to less than 10 seconds.

image

 

Resources

Configure Windows Sandbox options: Network, Shared Folders, Startup Scripts – https://4sysops.com/archives/configuring-windows-sandbox-network-mapped-folders-and-startup-scripts-using-a-free-gui-tool/

Disable Network traffic between Sandbox and Host: https://medium.com/@rootsecdev/windows-sandbox-9762291e1f54 

Tips on using Windows Sandbox: https://www.digitaltrends.com/computing/how-to-use-windows-sandbox/

Utility to run EXE, PS1, MSI or ZIP file in Sandbox from context (right click) menu in File Explorer: http://www.systanddeploy.com/2019/06/run-file-in-windows-sandbox-from-right.html 

Details on WSB file format – https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file 

More details and examples of preparing a WSB configuration file: https://www.tenforums.com/tutorials/143381-windows-sandbox-how-configure-windows-10-a.html

3 thoughts on “Windows Sandbox – light weight playground for R&D, tutorials and workshops

  1. Thanks for this post Lucas, it got me to try the sandbox.

    However, I think a word of warning is in place for people using VirtualBox.
    Due to the Hyper-V being activated by installing this feature you will not be able to start any of your Virtualbox VMs anymore.
    An attempt to start one will result in the error message “(VERR_NEM_MISSING_KERNEL_API). VT-x is not available (VERR_VMX_NO_VMX).”

    If you fell into this trap like me, to get your VM’s working again:
    Disable Windows-Sandbox similar to how you activated it.
    Reboot.
    Run a dosbox as administrator and run the command:
    dism.exe /Online /Disable-Feature:Microsoft-Hyper-V
    Reboot.

    and you should be good to go again.

    1. There is an easier solution: start cmd as administrator and use bcdedit /set hypervisorlaunchtype off (and then reboot) to use VirtualBox. Use bcdedit /set hypervisorlaunchtype auto (and then reboot) to use Hyper-V (and, I assume, also the sandbox Lucas is talking about). It is possible to have VM’s configured in Hyper-V while you are using VirtualBox (vv).

    2. Hi Erik,

      I am sorry you ran into the VirtualBox issue. I am familiar with it – every time a Windows Update is rolled out, I have to make VirtualBox work again. I have written a fairly extensive article to describe the steps that get me out of trouble when that happens: Getting VirtualBox to work again on Windows . I probably should have given that warning. I hope Frederique’s comment resolve your immediate pain. Thanks for reaching out and letting me know.

      kind regards/hartelijke groeten,
      Lucas

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Next Post

Example application in AWS using Lambda

Facebook0TwitterLinkedinIntroduction I have to admit: I love serverless. Serverless computing is using the cloud as it is supposed to be used: it scales up when you need more capacity, it scales down to zero when you don’t need resources. That is really good when you have, for example, a shop […]