Skip to content
daniel@cosenza:~/blog
WindowsHow-To April 6, 2026 3 min read

How to Set Up and Use Windows Sandbox

A complete walkthrough enabling Windows Sandbox for running untrusted applications in a clean, disposable, isolated environment — no separate VM image to manage.

Windows Sandbox provides a lightweight, temporary, isolated desktop environment for running untrusted software safely — every session starts clean and is discarded entirely on close, with none of the setup overhead of maintaining a dedicated virtual machine image.

Step 1: confirm system requirements

Windows 10/11 Pro, Enterprise, or Education edition
(not available on Home edition)
Virtualization enabled in BIOS/UEFI
At least 4GB RAM (more recommended)

Step 2: enable the Windows Sandbox feature

Control Panel → Programs → Turn Windows features on or off →
  check "Windows Sandbox" → OK → restart when prompted

Or via PowerShell (as Administrator):

Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online

Step 3: launch Windows Sandbox

Start menu → Windows Sandbox

A fresh, clean Windows desktop opens in its own window within moments — no separate ISO, no VM setup wizard, no persistent disk image to manage between sessions.

Step 4: run untrusted software inside it

Copy an installer or executable into the Sandbox window (drag-and-drop from the host works directly) and run it there instead of on your actual machine — anything it does is contained entirely within the Sandbox environment.

Step 5: close the Sandbox when done

Simply closing the Sandbox window discards the entire environment — every file, every registry change, every installed application from that session disappears completely, with no cleanup required on your part.

Step 6: use a configuration file for a customized, repeatable Sandbox setup

<!-- mysandbox.wsb -->
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\SandboxShare</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop</Command>
  </LogonCommand>
</Configuration>

Double-clicking a .wsb file launches a Sandbox session configured according to its settings — useful for a repeatable setup that automatically shares a specific folder or runs a specific startup command, rather than configuring the same thing manually every session.

Step 7: map a folder read-only for safely testing files without exposing your whole system

<MappedFolders>
  <MappedFolder>
    <HostFolder>C:\Downloads\untrusted</HostFolder>
    <ReadOnly>true</ReadOnly>
  </MappedFolder>
</MappedFolders>

A read-only mapped folder lets the Sandbox environment access specific files from the host without any risk of the Sandbox session writing back to or modifying anything on the host system.

Step 8: understand what Sandbox is (and isn’t) appropriate for

Windows Sandbox is well suited to quickly testing an installer, checking whether a suspicious file actually does anything malicious, or trying software you’re not sure you want to keep — all without any persistent trace on your real system. It’s not a substitute for a full, persistent VM when you need an environment that retains state between sessions, since by design nothing survives closing the window.

Why “no persistent state” is the entire point, not a limitation

Every other isolation approach — a dedicated VM, a container, a separate physical test machine — requires some ongoing maintenance to keep in a known-clean state. Windows Sandbox’s guarantee that literally nothing persists between sessions means every single launch starts from an identically clean baseline, with zero risk of a previous session’s changes accumulating and eventually undermining the isolation you’re relying on.