How do I create a Windows Sandbox? The Config Files


Last week, I published a QuickByte about the new Windows Sandbox with some insights on how to use it. One YouTube user asked “How do you create the files to run the sandbox?” so I created this post to break it down.

Windows Sandbox now has support for simple configuration files (.wsb file extension). You can use this feature in the latest Windows Insider build 18342. Here is how you do it:

Overview

Sandbox configuration files are formatted as XML, and are associated with Windows Sandbox via the .wsb file extension. A configuration file allows the user to control the following aspects of Windows Sandbox:

  1. vGPU (virtualized GPU) – Enable or Disable the virtualized GPU. If vGPU is disabled, Sandbox will use WARP (software rasterizer).
  2. Networking – Enable or Disable network access to the Sandbox.
  3. Shared folders – Share folders from the host with read or write permissions.
    NOTE: exposing host directories may allow malicious software to affect your system or steal data.
  4. Startup script – Logon action for the sandbox.

You can double click a config file to open it in Windows Sandbox, or invoke it via the command line as shown:

C:\WSB> ITPROTVConfigFile.wsb

What are the keywords, values, and limits that I need to be aware of?

VGpu – Enables or disables GPU sharing

<VGpu>value</VGpu>

Supported values:

Disable – disables vGPU support in the sandbox. If this value is set, Windows Sandbox will use software rendering, which can be slower than a virtualized GPU.

Default – this is the default value for vGPU support; currently, this means vGPU is enabled.

NOTE: Enabling virtualized GPU can potentially increase the attack surface of the sandbox.

Networking – Enables or disables networking in the sandbox. Disabling network access can be used to decrease the attack surface exposed by the Sandbox.

<Networking>value</Networking>

Supported values:

Disable – disables networking in the sandbox.

Default – this is the default value for networking support. This enables networking by creating a virtual switch on the host and connecting the sandbox to it via a virtual NIC.

NOTE: Enabling networking can expose untrusted applications to your internal network.

MappedFolders – Wraps a list of MappedFolder objects

<MappedFolders>
    list of MappedFolder objects
</MappedFolders>

NOTE: Files and folders mapped in from the host can be compromised by apps in the Sandbox or potentially affect the host.

MappedFolder – Specifies a single folder on the host machine which will be shared on the container desktop. Apps in the Sandbox are run under the user account “WDAGUtilityAccount.” Hence, all folders are mapped under the following path:

C:\Users\WDAGUtilityAccount\Desktop

Example: “C:\ITPROTV” will be mapped as “C:\users\WDAGUtilityAccount\Desktop\ITPROTV”

<MappedFolder>
    <HostFolder>path to the host folder</HostFolder>
    <ReadOnly>value</ReadOnly>
</MappedFolder>

HostFolder – Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host; if it is not found, the container will fail to start.

ReadOnly – If true, enforces read-only access to the shared folder from within the container. Supported values: true/false

NOTE: Files and folders mapped in from the host can be compromised by apps in the Sandbox or potentially affect the host.

LogonCommand – Specifies a single Command which will be invoked automatically after the container logs on.

<LogonCommand>
   <Command>command to be invoked</Command>
</LogonCommand>

Command – A path to an executable or script inside of the container that will be executed after login.

NOTE: Although very simple commands will work (launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the LogonCommand directive.

EXAMPLE .wsb Configuration files

NOTE: you can create the .wsb file in ANY editor. The trick is making sure that when you save the file it has the .wsb extension. Depending on the editor that you choose, you will need to modify the default extension and/or file type BEFORE saving to ensure that you get the correct file name and extension.

For example, in Notepad, if you do not change the default extension type first when you go to save the file, you will get the following:

sample1.wsb.txt

You would need to change the SAVE AS TYPE setting to All Files(*) first and then you would get the following:

sample1.wsb

Example 1: how to map a drive and then connect to the Sysinternals website and download the COMPLETE sysinternals toolset for use in the Sandbox VM.

<Configuration>
<LogonCommand>
   <Command>net use S: \\live.sysinternals.com\tools</Command>
</LogonCommand>
</Configuration>

Example 2: how to map a specified user’s Downloads folder from the HOST MACHINE so that it is available under the default user profile as a mapped folder shortcut on the desktop. The folder is mounted as READ ONLY from the host machine.

<Configuration>
<VGpu>Default</VGpu>
<Networking>Default</Networking>
<MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Users\User.000\Downloads</HostFolder>
     <ReadOnly>true</ReadOnly>
   </MappedFolder>
</MappedFolders>
<LogonCommand>
   <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>
</Configuration>

Example 3: how to map the HOST MACHINE’s Public user Downloads folder so that it is available under the default user profile as a mapped folder shortcut on the desktop. The folder is mounted as READ ONLY from the host machine, and this example also disables vGPU and networking.

<Configuration>
<VGpu>Disable</VGpu>
<Networking>Disable</Networking>
<MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Users\Public\Downloads</HostFolder>
     <ReadOnly>true</ReadOnly>
   </MappedFolder>
</MappedFolders>
<LogonCommand>
   <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>
</Configuration>

Example 4: how to invoke a separate .cmd script file that connects to the web, downloads and installs the latest version of Visual Studio Code from Microsoft, and then launches the program inside the sandbox VM.

MORE COMPLICATED !!! PLEASE NOTE THE FOLLOWING BEFORE ATTEMPTING TO USE THIS EXAMPLE:

The code below, between the === lines, must be saved as a SEPARATE .cmd script file in a location that can be accessed when the .wsb file is invoked from the host machine.

The name of the .cmd script file and the path to store it are up to you; the name and path used in the .wsb file below are just an example.

=============================================================================

REM Download VSCode
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe

REM Install and run VSCode
C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes

==============================================================================

<Configuration>
<MappedFolders>
   <MappedFolder>
     <HostFolder>C:\SandboxScripts</HostFolder>
     <ReadOnly>true</ReadOnly>
   </MappedFolder>
  <MappedFolder>
     <HostFolder>C:\CodingProjects</HostFolder>
     <ReadOnly>false</ReadOnly>
   </MappedFolder>
</MappedFolders>
<LogonCommand>
   <Command>C:\users\wdagutilityaccount\desktop\SandboxScripts\VSCodeInstall.cmd</Command>
</LogonCommand>
</Configuration>
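A small checker that applies the rules above to a .wsb file, added here as an example (it is not part of the original post and not Windows Sandbox's own code). It assumes that an absent ReadOnly means the folder is writable, and takes the folder-existence check as a parameter so it can run where the host folders are not present:

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on Example 4 above (not the post's own file).
SAMPLE_WSB = r"""<Configuration>
<VGpu>Default</VGpu>
<Networking>Default</Networking>
<MappedFolders>
  <MappedFolder><HostFolder>C:\SandboxScripts</HostFolder><ReadOnly>true</ReadOnly></MappedFolder>
  <MappedFolder><HostFolder>C:\CodingProjects</HostFolder><ReadOnly>false</ReadOnly></MappedFolder>
</MappedFolders>
<LogonCommand><Command>C:\users\wdagutilityaccount\desktop\SandboxScripts\VSCodeInstall.cmd</Command></LogonCommand>
</Configuration>"""


def _child(el, name):
    # Match tags case-insensitively: the post's examples mix <vgpu> and <VGpu>.
    return next((c for c in el if c.tag.lower() == name.lower()), None)


def _text(el, name, default=""):
    c = _child(el, name)
    return (c.text or "").strip() if c is not None else default


def audit_wsb(xml_text, path_exists=os.path.isdir):
    """Return (severity, message) findings: 'error' = sandbox will not start or
    value unsupported, 'warn' = more attack surface than needed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        findings.append(("error", f"root element is <{root.tag}>, expected <Configuration>"))
    for tag in ("VGpu", "Networking"):
        value = _text(root, tag, default="Default")  # per the post, absent means Default
        if value not in ("Disable", "Default"):
            findings.append(("error", f"<{tag}> has unsupported value '{value}'"))
        elif value == "Default":
            findings.append(("warn", f"<{tag}> left enabled (Default); Disable shrinks the attack surface"))
    for mf in (e for e in root.iter() if e.tag.lower() == "mappedfolder"):
        host = _text(mf, "HostFolder")
        read_only = _text(mf, "ReadOnly", default="false").lower()  # assumption: absent = writable
        if not host:
            findings.append(("error", "MappedFolder without a HostFolder"))
        elif not path_exists(host):
            findings.append(("error", f"host folder '{host}' not found; the container will fail to start"))
        if host and read_only != "true":
            findings.append(("warn", f"host folder '{host}' is writable from inside the sandbox"))
    return findings
```

Run it against a real file with `audit_wsb(open("sample1.wsb").read())` on the host, where the default `os.path.isdir` check applies.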
