Skip to main content

How Windows Sandbox config files work

Microsoft is working on Windows Sandbox, a sandboxed environment for the Windows operating system, currently.

The feature is being tested in Windows 10 Insider Builds currently and it is possible that Windows Sandbox will find its way into Windows 10 version 1903.

The initial version of Windows Sandbox was quite basic: users could launch it on Windows 10 devices and use it, but that was about the scope of it.

Sandbox Config files

SandboxConfigFile

Starting with the latest builds, it is now possible to use config files to customize certain aspects. Config file support is basic at this point but it allows administrators and users to launch apps or scripts automatically in the sandbox. In other words: you may run something in the sandboxed environment automatically.

The config files use XML and have the extension .wsb. You may run any .wsb file with a double-click or by running it from the command line or by using scripts.

Windows Sandbox .wsb scripts support the following configuration options currently:

  • Enable or disable the virtualized GPU.
  • Enable or disable networking in the sandbox.
  • Share folders from the host.
  • Run a startup script or program.

Most options are straightforward at this point in time.

Virtualized GPU

  • <VGpu>Disable</VGpu> -- Disables virtual GPU support in the sandbox. Software rendering will be used.
  • <VGpu>Enable</VGpu> -- Enables virtual GPU support.

Networking:

  • <Networking>Disable</Networking> -- Disables networking in the sandbox.
  • <Networking>Enable</Networking> -- Enables networking in the sandbox.

Shared Folders:

<MappedFolder>
<HostFolder>path to the host folder</HostFolder>
<ReadOnly>value</ReadOnly>
</MappedFolder>

You need to specify a folder that you want to share with the host system, e.g. c:\virtual, and whether you want it to be read-only or support write operations as well.

ReadOnly values are true (make it read-only) or false (read and write support).

Note that folders are always mapped under the path C:\Users\WDAGUtilityAccount\Desktop.

Command on Logon

<LogonCommand>
<Command>The command</Command>
</LogonCommand>

You may specify a file name and path or a script. The command explorer.exe would work, as would reference to a script, e.g. C:\users\wdagutilityaccount\desktop\test\start.cmd.

Example XML file

<Configuration>
<VGpu>Disable</VGpu>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Martin\Downloads</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>
</Configuration>

Save the file as something.wsb and launch it whenever you want to run the sandbox with this configuration. It is pretty basic: disables the virtual GPU and networking, maps the Downloads folder of the user account Martin, and launches File Explorer in the sandbox that displays the Downloads folder.

Closing Words

Config file support extends Windows Sandbox functionality significantly as you may use these files to share folders with the sandbox and run scripts. You could use it to map a downloads folder and run downloaded files in the sandbox for that extra bit of security.

We will update the guide when new features are introduced.

Now You: What is your take on the Windows Sandbox so far? What would you like to see?

 

This article was first seen on ComTek's "TekBits" Technology News

HOME