Author Topic: Creating Custom Windows Sandbox Configurations in Windows 10

Posted by javajolt (Administrator)
Creating Custom Windows Sandbox Configurations in Windows 10
« on: October 13, 2019, 08:11:18 PM »
Windows 10 May 2019 Update (version 1903) included a new feature called the Windows Sandbox that allows you to safely run applications in isolation from the rest of the operating system.

When you launch the Windows Sandbox, it starts a lightweight, isolated desktop environment that is separate from your main Windows install. Any software you install there, together with its associated files, is permanently discarded when you close the Sandbox window.

This means you can run untrusted software, scripts, malicious files and adware without fear of affecting your normal Windows installation.

To make the feature more useful, Microsoft lets you create configuration files that modify how the Sandbox behaves.

This guide will explain how to create a configuration file and then use it to launch the Windows Sandbox.

Create Windows Sandbox configuration file (.wsb)

To create a Windows Sandbox configuration file, you will use a text editor such as Notepad to enter the configuration options, or directives, you wish to use and then save that file with the .wsb extension. 

When creating Windows Sandbox config files, you can make as many as you want and save them under descriptive names so that you know what tasks they perform. You can then launch the Windows Sandbox using a specific configuration file by double-clicking on the .wsb configuration file.

For example, you could keep a folder of Windows Sandbox configuration files, each performing a different task.

To create a Windows Sandbox configuration file, you would do the following:

   1. Open Notepad.

   2. Enter your configuration options.

   3. Save the file as a .wsb file.

When saving the file, you can give it any name, such as mapped-malware-folder.wsb, but it must end with a .wsb extension.

When creating a configuration file, the file must start with the <Configuration> tag and end with </Configuration>. Between these two tags, we will add our various configuration directives.

For example:

Quote
<Configuration>
 <directive></directive>
 ...
</Configuration>

The following sections will introduce you to the various configuration options that we can use in a Windows Sandbox file. Then we will wrap it all together into a configuration file that disables networking but still allows you to transfer files through a mapped folder.

Enable or disable networking

When testing a malware sample, the infection may contact a remote host or perform some other unwanted network behavior. Therefore, it may be useful to disable networking in the Windows Sandbox.

To do this, we use the Networking directive as shown below.

Quote
<Networking>Disable</Networking>

When using this directive, we can enter two values; Disable to disable networking and Default to enable it.

Enable or disable the vGPU

By default, the Windows Sandbox uses a virtualized GPU (vGPU) so that rendering inside the Sandbox is hardware-accelerated.

If you wish to use software rendering instead, you can disable the vGPU by using the following configuration directive.

Quote
<VGpu>Disable</VGpu>

This option supports the Disable value, which disables the vGPU, or Default, which enables it.

For the majority of users, the vGPU should not be disabled as software rendering will be much slower.

Map a folder for transferring files

The Windows Sandbox allows you to map folders from your Host Windows (your normal Windows installation) so that they are accessible in the Sandbox.

To do this, you use the MappedFolder directive to specify the folder on the host you wish to make accessible in the Windows Sandbox. Each MappedFolder entry goes inside a single MappedFolders element, which can hold several of them.

This directive is as follows:

Quote
<MappedFolders>
 <MappedFolder>
  <HostFolder>path to the host folder</HostFolder>
  <ReadOnly>value</ReadOnly>
 </MappedFolder>
</MappedFolders>

The ReadOnly value can be set to true or false. If set to true, programs in the Sandbox cannot modify the files in the folder. If set to false, the Sandbox can modify them.

As an example, if you wanted to share the D:\Programs folder so that you can access its contents in the Sandbox, but not modify them, you would use the following directive.

Quote
<MappedFolders>
 <MappedFolder>
  <HostFolder>D:\Programs</HostFolder>
  <ReadOnly>true</ReadOnly>
 </MappedFolder>
</MappedFolders>

Inside the Sandbox, mapped folders appear on the Desktop of the built-in WDAGUtilityAccount user, under C:\users\WDAGUtilityAccount\Desktop, using the same folder name as on the host.

It should be noted that if you map a folder from the host to the Sandbox and set ReadOnly to false, then any program running in the Sandbox, including the sample you are examining, can modify or delete the files in that host folder. Map sample folders read-only unless the Sandbox genuinely needs to write back to the host.
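Because a writable mapping or an enabled network is easy to leave in a .wsb file by accident, the following script, added here as an example and not part of Windows Sandbox or any Microsoft tool, parses a configuration and reports those two settings. It relies only on the directives described above (Networking, MappedFolders/MappedFolder, HostFolder, ReadOnly); the two sample configurations at the bottom are constructed for the example.

```python
# Audit a Windows Sandbox .wsb file before pointing it at untrusted samples.
# Added example for this post; it is not part of Windows Sandbox or any
# Microsoft tool. It reports two risky settings: a MappedFolder whose
# ReadOnly is not true (anything running in the Sandbox can then alter the
# host folder) and Networking left at Default (a sample can reach the network).
import xml.etree.ElementTree as ET


def audit_wsb(xml_text: str) -> list:
    """Return a list of findings (strings) for a .wsb configuration."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError(f"root element is <{root.tag}>, expected <Configuration>")

    findings = []

    # Networking is enabled when the directive is absent, empty or "Default".
    networking = (root.findtext("Networking") or "Default").strip()
    if networking.lower() != "disable":
        findings.append("Networking is not disabled; the sample can reach the network")

    # ReadOnly defaults to false, so an omitted directive is a writable mapping.
    # iter() finds MappedFolder entries wherever they sit in the document.
    for folder in root.iter("MappedFolder"):
        host = (folder.findtext("HostFolder") or "").strip()
        read_only = (folder.findtext("ReadOnly") or "false").strip().lower()
        if not host:
            findings.append("MappedFolder without a HostFolder")
        elif read_only != "true":
            findings.append(f"{host} is mapped writable; Sandbox code can modify host files")

    return findings


# Constructed sample configurations (not from the post): a weak one that
# leaves networking on and maps the folder writable, and a hardened one.
WEAK_WSB = r"""<Configuration>
 <Networking>Default</Networking>
 <MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Malware-Samples</HostFolder>
     <ReadOnly>false</ReadOnly>
   </MappedFolder>
 </MappedFolders>
</Configuration>"""

HARDENED_WSB = r"""<Configuration>
 <Networking>Disable</Networking>
 <MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Malware-Samples</HostFolder>
     <ReadOnly>true</ReadOnly>
   </MappedFolder>
 </MappedFolders>
</Configuration>"""


if __name__ == "__main__":
    import sys

    # Audit the .wsb files named on the command line, or the constructed samples.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [WEAK_WSB, HARDENED_WSB]
    for text in texts:
        for finding in audit_wsb(text) or ["no findings"]:
            print(finding)
```

Run it against your own files with `python audit_wsb.py mapped-malware-folder.wsb`. The comparisons are deliberately case-insensitive so that a value such as `disable` is accepted; the Sandbox itself may be stricter, so write the values exactly as the post shows them.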

LogonCommand

The Windows Sandbox also supports automatically executing a command when the Sandbox is started, using the <LogonCommand> directive.

Quote
<LogonCommand>
 <Command>command to be invoked</Command>
</LogonCommand>

For example, if you wanted to automatically open File Explorer after the Windows Sandbox starts, you can use the following directive.

Quote
<LogonCommand>
 <Command>explorer.exe</Command>
</LogonCommand>

Putting it all together with a sample configuration file

Now that we know all of the directives that we can use in a Windows Sandbox configuration file, let's create a sample to illustrate how we can use them.

Let's say you are using the Windows Sandbox to test files that you suspect may be malware. These files are stored on your Windows computer under the C:\Malware-Samples folder and you want that folder to be available in the Sandbox.

At the same time, you are concerned that the samples may make malicious networking calls, so we want to disable networking when using them.

Finally, we want the shared Malware-Samples folder to open automatically when you launch the Sandbox.

To do this, we create the following configuration file that shares the C:\Malware-Samples folder with the Sandbox, disables networking, and then automatically opens the Malware-Samples folder in the Sandbox.

Quote
<Configuration>
 <Networking>Disable</Networking>
 <MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Malware-Samples</HostFolder>
     <ReadOnly>true</ReadOnly>
   </MappedFolder>
 </MappedFolders>
 <LogonCommand>
  <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Malware-Samples</Command>
 </LogonCommand>
</Configuration>
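Writing the same configuration by hand for every sample folder invites mistakes, so here is a small generator, added as an example for this post and not a Microsoft tool, that produces the file above from a host folder path. It goes slightly beyond the post's single case: it defaults to the safe settings (networking disabled, read-only mapping), refuses relative HostFolder paths, and derives the Sandbox-side path for the LogonCommand from the host folder's name using the C:\users\WDAGUtilityAccount\Desktop location described above. The function and file names are the example's own.

```python
# Generate a Windows Sandbox .wsb file for examining untrusted samples.
# Added example for this post; not Microsoft's tooling. It emits only the
# directives the post describes: Networking, VGpu, MappedFolders/MappedFolder
# (HostFolder, ReadOnly) and LogonCommand/Command.
import ntpath
import xml.etree.ElementTree as ET

# Where mapped host folders appear inside the Sandbox (from the post).
SANDBOX_DESKTOP = r"C:\users\WDAGUtilityAccount\Desktop"


def sandbox_path(host_folder: str) -> str:
    """Return the path at which a mapped host folder appears in the Sandbox."""
    name = ntpath.basename(host_folder.rstrip("\\/"))
    if not name:
        raise ValueError(f"cannot derive a folder name from {host_folder!r}")
    return ntpath.join(SANDBOX_DESKTOP, name)


def build_wsb(host_folder: str, *, networking: bool = False,
              read_only: bool = True, vgpu: bool = True,
              open_folder: bool = True) -> str:
    """Return the text of a .wsb configuration.

    The defaults are the safe ones for malware triage: no network, a
    read-only mapping, and a logon command that opens the mapped folder.
    """
    if not ntpath.isabs(host_folder):
        raise ValueError("HostFolder must be an absolute Windows path")

    root = ET.Element("Configuration")
    ET.SubElement(root, "Networking").text = "Default" if networking else "Disable"
    ET.SubElement(root, "VGpu").text = "Default" if vgpu else "Disable"

    folders = ET.SubElement(root, "MappedFolders")
    folder = ET.SubElement(folders, "MappedFolder")
    ET.SubElement(folder, "HostFolder").text = host_folder
    ET.SubElement(folder, "ReadOnly").text = "true" if read_only else "false"

    if open_folder:
        logon = ET.SubElement(root, "LogonCommand")
        ET.SubElement(logon, "Command").text = f"explorer.exe {sandbox_path(host_folder)}"

    # ET.indent exists from Python 3.9; older versions get a single-line file,
    # which the Sandbox accepts just as well.
    if hasattr(ET, "indent"):
        ET.indent(root, space=" ")
    return ET.tostring(root, encoding="unicode")


def write_wsb(path: str, host_folder: str, **options) -> str:
    """Write the configuration to `path` (e.g. malware-samples.wsb) and return it."""
    text = build_wsb(host_folder, **options)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    # Produces the post's combined example for C:\Malware-Samples.
    print(build_wsb(r"C:\Malware-Samples"))
```

Double-clicking the resulting .wsb file launches the Sandbox with those settings. Because ElementTree escapes special characters, a host path containing `&` is written correctly, which is easy to get wrong when editing the XML by hand.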

As you can see, using a Windows Sandbox configuration file makes the feature much more useful and able to be customized for a variety of purposes.

In the future, we hope Microsoft continues to expand on the configuration that can be added so that this feature can be even more useful.
