News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • How to work and play in Win10’s new Sandbox

    Posted on Tracey Capen Comment on the AskWoody Lounge

    Home Forums AskWoody blog How to work and play in Win10’s new Sandbox

    This topic contains 23 replies, has 11 voices, and was last updated by

     mn– 2 days, 16 hours ago.

    • Author
      Posts
    • #1829834 Reply

      Tracey Capen
      AskWoody MVP

      First offered with the Windows 10 May 2019 Update (aka Version 1903), the new Sandbox feature provides users a safe, protected area to install and run
      [See the full post at: How to work and play in Win10’s new Sandbox]

      3 users thanked author for this post.
    • #1830966 Reply

      lylejk
      AskWoody Lounger

      Been using a sandbox since 2009; don’t need Win10 Pro to do this.   If you are smart, you would be using a sandbox too.  Problem is, most people are ignorant and depend solely on their anti-malware programs.   Will give you a hint….no anti-malware program will protect your system for every mal-ware out there.   None.  A sandbox will.   Such anti-malware programs only gives you a false sense of security. I do have Windows Defender running in my Win10 Host, but for front-line protection, I use my sandbox with golden setpoint recovery.   I’ll add that in order to mitigate such things as keyloggers and malware creep, you do need to recover to your golden set point often.  I usually do so at least once every 8 or 9 days.   Probably should do so more often, but to do so every time you restart your Sandbox is, well, crazy.   lol

      My first experience with sandboxes was when I was working for a PC shop and we helped install systems in a local school.  They ran a program called Deep Freeze and I thought this was freaking awesome.    I saw my share of infected systems during this brief 5 year stint at the PC shop to know that even the best anti-malware program won’t protect you from all attacks and people are creatures of habit and tend to get re-infected despite using such precautions.    Anyway, enough of my spiel.   Glad Microsoft’s finally doing something about addressing the monster in the closet.    Hope folk learn how to properly use sandboxes, but I seriously doubt people will.   Of course I’m not referring to the people here at AskWoody.   Most IT folk know and appreciate virtualization, but ignorant masses don’t, but maybe now that Microsoft’s entering this fray, they may pick up this concept and run with it.  We shall see.   🙂

      • This reply was modified 5 days, 11 hours ago by
         lylejk.
      1 user thanked author for this post.
    • #1830980 Reply

      berniec
      AskWoody Plus

      Is there some easy way to “set up” the sandbox? I’ve used VirtualBox for years, and one thing I like very much is that it preserves its state from one invocation to the next. Of course, I can blow it away and start clean when i need to, but it was very handy not to have to “reinstall” everything I use every time I fired up VB. Can you do something like that with the sandbox: do sort of the equivalent of having it “hibernate” so you could start it again and be back in the same place? It’d be a pain to have to install and configure all of my “standard” apps every time I started the sandbox [if that’s the case, I’ll likely go back to virtualbox]

      • #1831377 Reply

        mn–
        AskWoody Lounger

        Is there some easy way to “set up” the sandbox?

        That’d be exactly the point of this new feature, I’d say…

        There *have* been third-party applications, including some free ones, with this capability on various operating system versions.

        Comodo Internet Security comes to mind for one… because someone had installed that, and then another person tried to install an application and it wouldn’t “take” (due to running the installer in the sandbox, but they didn’t realize that), and that’s when I was called to help…

    • #1831017 Reply

      mn–
      AskWoody Lounger

      Well yeah, being able to break out of a sandbox is one way to get a “critical” vulnerability rating… but those have been seen occasionally too.

      And that’s not counting the occasional ability to make the VM consume all processor time, or whatever.

      Various kinds of sandbox arrangements have been around for a long time after all, at least since IBM’s 1972 release of VM/370… some have been better than others.

      • #1837309 Reply

        anonymous

        Every student in the advanced 360/370 assembler class at Senior College got a virtualized VM/370 instance on the IBM 4341 so they would not take down the entire mainframe system doing their class assignments. If anything abended that did not affect anything outside of that virtualized environment.

        I still like the Burroughs 6700 that my Junior college had as everything ran in a High level ALGOL like Stack Machine hardware implementation with the Burroughs Stack Machine MCP(Operating system) managing all the hardware Stack Pointers and the Burroughs Stack machine architecture intrinsically enforces a secure sort of sandbox supported by that Hardware/OS managed stack pointer and tagged descriptor system. Burroughs had a nice high level job/process control language named workflow while IBM had JCL and Burroughs Workflow was lees of a pain to work with compared to the rather cryptic IBM JCL. The Burroughs Stack architecture was essentially an object-oriented architecture and it was an in hardware implemented model for object oriented programming languages.

        No problems with stack overflows on the Burroughs Stack machines as any stack pointer overflows or underflows resulted in an hardware interrupt being generated and that running job flushed by the MCP(Master Control Program) the MCP being the OS on Burroughs systems. And everything ran in a OS managed stack on that 6700 so any code, data and Objects/Arrays/Other structures all managed within Stacks(Hardware Stack pointers and tagged descriptors).

    • #1831401 Reply

      anonymous

      I have been using a free sandbox ( Sandboxie ) for years with no problem at all and it sounds like it is much more user friendly than the MS version. It also is Windows 10 compatible.

    • #1831711 Reply

      berniec
      AskWoody Plus

      Let me clarify. I understand how and why sandboxes and VMs work and what they’re for. The big problem with VMs is that you need an OS for it. I do have a retail copy of win7/pro [which is what used with VirtualBox]. But the advantage of a “sandbox” [over a VM] is that it won’t require a separate OS [and separate license]. So I’m excited about the win10 sandbox.

      My problem is that the article said you get a basically empty OS in the sandbox. That’s problematic for me: I have a bunch of “standard” programs I use in win10 and if I were testing a new program or doing something potentially dangerous [e.g., that might crash the system] I’d, of course, like to do in a sandbox. With VB I took the time to set up win7 with the “normal stuff” I use, and then it was easy to clone that VM into my test VM and then it was just a mouse click away from making the mess in THAT VM go away. I’m hoping to do the same with the win10 sandbox: I’ll take the time to install and configure the programs I use all the time and would need in the sandboxed environment, and then be able to “clone” that to a new, set up and configured sandbox in which I could play around. If the *only* thing you can get with a sandbox is a fresh-from-the-install-CD win10, that won’t be of much use to me [and I’ll likely either go back to VB or try one of the other sandbox/VM applications]

      • #1838569 Reply

        rc primak
        AskWoody_MVP

        I wonder if programs like Macrium Reflect (paid) might expand ViBoot to include the sandbox as if it were a Virtual Machine?

        Otherwise, the “child directory” where the sandbox is contained could (permissions permitting) be copied wholesale without compression, onto another drive, essentially creating a “clone” of the sandbox, which could be “restored” at any time.

        So there are or will be ways for advanced users (presumably the ones using the sandbox the most) to “save” our work, our entire sandboxes, as well as our whole systems, in the exact state they are in right now, and go back to that state fairly painlessly.

        Technically, this is feasible. Whether in reality it is or will be possible, I don’t yet know.

        Anyway, that’s my theory…

        What this setup does not allow, is the installation of programs or updates which require a machine restart. But UWP and PWA apps (Store and Progressive Web Apps) do not require a machine restart to install and work. This is the wave of the future, so a sandbox like this may become more useful moving forward.

        -- rc primak

        • This reply was modified 3 days, 8 hours ago by
           rc primak.
        • This reply was modified 3 days, 8 hours ago by
           rc primak.
      • #1838863 Reply

        Lance Whitney

        For me, the Sandbox is more of a quick and dirty one-off tool if I want to check out one specific program on the spur of the moment. Otherwise, I use Oracle VirtualBox and VMWare Workstation for testing and experimenting with different applications and scenarios on a more permanent basis. So I think there’s a use for all of these tools

    • #1831713 Reply

      anonymous

      Hi Lance,

      A bit early with this article since Woody advises on the same day NOt to install 1903!

      Best to repeat when signs are green, don’t you think?

      No harm meant though.

      Regards, Sjors

      • #1838864 Reply

        Lance Whitney

        I agree. I updated two of my PCs to 1903 mainly so that I could write about the new features. But I have not updated my main computer as I feel that 1903 is still buggy.

    • #1831949 Reply

      joep517
      AskWoody MVP

      This article, Windows Sandbox, pretty clearly explains the feature. You can NOT configure the sandbox and have it retained from one session to another. It is NOT a full featured VM. It is a light-weight desktop environment meant to be pristine every time it is started.

      --Joe

      3 users thanked author for this post.
      • #1832409 Reply

        Sueska
        AskWoody Plus

        This MS Win 10 Sandbox is similar to deep freeze in that a restart will delete all changes. Consequently if you need to test a program that requires a restart in order to fully install, this is not the right tool. Like Joe said this is not a full featured VM. When I attempted a restart in the MS Win 10 Sandbox I got the following message box error “The connection to the sandbox was lost (0x80072746)” Microsoft’s response to this reported error in the their feedback app (currently 722 upvotes) was “Thanks for reporting this – Windows Sandbox doesn’t currently support persisting on shutdown or restart, which is why you’re seeing this message”

        1 user thanked author for this post.
        • #1838573 Reply

          rc primak
          AskWoody_MVP

          Then I would not use this feature. Unless there were some specific app I wanted to test. But without the full Windows configuration of the host OS, stability, program and security conflicts, etc. could never be adequately tested in this type of sandbox environment.

          A better use case would be secure or anonymous browsing, and financial or banking sites, where the added level of isolation and security may be of some specific advantage. High-risk sites might also benefit from being isolated the other direction.

          -- rc primak

          1 user thanked author for this post.
    • #1838652 Reply

      anonymous

      I am on 1809, however under “C:\ProgramData\Microsoft\Windows\Containers” I have several folders, one named “Sandboxes” and another which seems to have a bare bones version of windows named “BaseImages”. Does anyone else on 1809 have these and does anyone know why I would have them when 1809 doesn’t support the sandbox feature?

      • #1838764 Reply

        Alex5723
        AskWoody Plus

        C:\ProgramData\Microsoft\Windows\Containers

        I am on 1809 pro, no May 2019 updates. Don’t have Containers folder.

      • #1838872 Reply

        b
        AskWoody Plus

        I believe those folders are created by Windows Defender Application Guard, which can be enabled on 1803 or later:

        What is this large folder?

        How to enable Microsoft Edge Application Guard on Windows 10 April 2018 Update

        Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/ignorant Toxic drinker Blockhead Unwashed mass Seeker/"Sucker" (Group ASAP) Win10 v.1903

        • #1839365 Reply

          anonymous

          Many thanks #b for the reply and the link. Since a lot of MS’s new security features rely on their hypervisor, I was trying to get it to play nice with my VMWare setup (which turns out not to be possible without rebooting between sessions). This folder must be related to something I left installed.

    • #1839115 Reply

      berniec
      AskWoody Plus

      For me, the Sandbox is more of a quick and dirty one-off tool if I want to check out one specific program on the spur of the moment. Otherwise, I use Oracle VirtualBox and VMWare Workstation for testing and experimenting with different applications and scenarios on a more permanent basis. So I think there’s a use for all of these tools

      How do you get around the requirement of a license for the win10 you run in VB?   I did that on my win7 system — I ran VB and had a retail win7 license kicking around and that was fine.  But I don’t see spending $200 to get VB/win10/pro to work.  Is there a trick I’m missing in using VB?

      • #1839117 Reply

        PKCano
        Da Boss

        You can update the Win7 to Win10 in the VM (make a copy of the VM first, of course). Plug in your retail license in the upgrade and you have a Win10 VM.

        • #1839670 Reply

          mn–
          AskWoody Lounger

          … though I believe this is one of those situations where passing activation is neither necessary nor sufficient to determine that you have a valid license…

          • #1839672 Reply

            b
            AskWoody Plus

            Isn’t that the sole purpose of activation? Why is it unnecessary and insufficient in this situation?

            Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/ignorant Toxic drinker Blockhead Unwashed mass Seeker/"Sucker" (Group ASAP) Win10 v.1903

            • #1839831 Reply

              mn–
              AskWoody Lounger

              Well. It’s not that it’s completely useless, it’s just that it’s easy to run into the exceptions and loopholes even by accident.

              In some situations it’ll pass activation even if you feed it a code that isn’t eligible for activating in a VM. Like for example one from an OEM sticker that was already active for a preinstalled instance directly on a device.
              So, you can have an activated but unlicensed installation.

              It’ll also sometimes fail to activate especially with downgrade rights even with a valid code.
              So, you can have a fully licensed installation that doesn’t activate.

              There’s a fixed number of VMs that a single non-Datacenter license can be used for. The activation cannot keep track of other VMs, especially ones that are isolated or not running; so, you need to keep track of those yourself to avoid accidental licensing violations.

              And then there’s the fun part about buying licenses that may not be applicable to what you want to run and how… like non-preinstall OEM licenses, and what and when you can use those…

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: How to work and play in Win10’s new Sandbox

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel