
Tidy Repo


How to Use Windows Sandbox: Safely Test Suspicious Files


Ethan Martinez

May 21, 2026


Opening an unknown attachment, installer, script, or archive on your main Windows system can be risky. Even a single careless double-click may expose documents, browser sessions, saved credentials, or network resources. Windows Sandbox is a built-in Microsoft feature designed to provide a clean, temporary Windows environment where you can inspect suspicious files with far less risk than running them directly on your computer.

TLDR: Windows Sandbox creates a disposable Windows desktop that is isolated from your main system and erased when closed. Use it to examine suspicious files, installers, links, or scripts before deciding whether they are safe. It is useful for quick testing, but it is not a guaranteed malware analysis lab, so avoid testing highly dangerous files on important devices or connected networks. Always combine Sandbox with antivirus scanning, backups, and cautious judgment.

What Windows Sandbox Does

Windows Sandbox is a lightweight virtualized environment included with certain editions of Windows. When you launch it, Windows creates a fresh, isolated desktop that looks like a clean installation of Windows. You can copy files into it, run programs, browse websites, and observe behavior. When you close the Sandbox, everything inside it is permanently discarded.

This makes it especially useful for testing files that are suspicious but not necessarily confirmed malware. Examples include a strange email attachment, an unknown executable downloaded from a forum, a document that asks you to enable macros, or a software installer from an unfamiliar source.

Unlike a full virtual machine, Windows Sandbox starts quickly and requires little setup. It uses your installed Windows image as the base, then creates a temporary environment on demand. This is convenient for everyday security checks, software trials, and cautious investigation.

System Requirements

Before using Windows Sandbox, confirm that your device supports it. The feature is available on Windows 10 Pro, Enterprise, and Education, as well as Windows 11 Pro, Enterprise, and Education. It is generally not available on Windows Home without unsupported workarounds, which are not recommended for security-sensitive workflows.

You also need virtualization support enabled in your computer’s firmware. Most modern systems support this, but it may be disabled by default. In Task Manager, open the Performance tab, select CPU, and check whether Virtualization is listed as enabled. If it is disabled, you may need to turn it on in the BIOS or UEFI settings.

  • Supported Windows edition: Pro, Enterprise, or Education
  • Virtualization enabled: Intel VT-x, AMD-V, or equivalent
  • Administrator access: Required to enable the feature
  • Sufficient resources: At least 4 GB of RAM is required, but 8 GB or more is recommended

How to Enable Windows Sandbox

To enable Windows Sandbox, sign in with an administrator account and follow these steps carefully:

  1. Open the Start menu and search for Windows Features.
  2. Select Turn Windows features on or off.
  3. Scroll down and check Windows Sandbox.
  4. Click OK and allow Windows to install the required components.
  5. Restart your computer when prompted.

After the restart, open the Start menu and search for Windows Sandbox. Launch it as you would any other application. After a brief startup period, a new isolated Windows desktop will appear in a separate window.
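The prerequisite checks and the enable step above can also be done from an elevated PowerShell prompt. The script below is an added example, not part of the original article: it reads the same edition, virtualization, memory and administrator facts the article lists, then enables the Windows Sandbox optional feature (whose feature id is Containers-DisposableClientVM) without forcing an immediate reboot.

```powershell
# Added example (not from the article): check the prerequisites listed above and enable
# Windows Sandbox from an elevated PowerShell prompt instead of the Windows Features dialog.
# 'Containers-DisposableClientVM' is the optional-feature id for Windows Sandbox.

function Test-SandboxPrerequisites {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()

    [pscustomobject]@{
        Edition           = $os.Caption
        EditionSupported  = ($os.Caption -notmatch 'Home')            # Pro, Enterprise, Education only
        VirtualizationOn  = [bool]$cpu.VirtualizationFirmwareEnabled   # the flag Task Manager shows under CPU
        # If Hyper-V is already running, the firmware flag can read False even though
        # virtualization works; HypervisorPresent covers that case.
        HypervisorPresent = [bool]$cs.HypervisorPresent
        MemoryGB          = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # value is in KB, so KB/1MB = GB
        IsAdministrator   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Enable-WindowsSandboxFeature {
    $name    = 'Containers-DisposableClientVM'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name
    if ($feature.State -eq 'Enabled') {
        Write-Host "Windows Sandbox is already enabled."
        return
    }
    # -NoRestart lets you choose when to reboot; the feature only works after a restart.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Host "Windows Sandbox enabled. Restart the computer to finish (Restart-Computer)."
    }
}

$check = Test-SandboxPrerequisites
$check | Format-List

if ($check.MemoryGB -lt 4) {
    Write-Warning "Less than 4 GB of RAM; Windows Sandbox requires at least 4 GB."
}
$ready = $check.EditionSupported -and
         ($check.VirtualizationOn -or $check.HypervisorPresent) -and
         $check.IsAdministrator
if ($ready) { Enable-WindowsSandboxFeature }
else        { Write-Warning "Prerequisites not met; fix the items above before enabling the feature." }
```

If VirtualizationOn is False and HypervisorPresent is also False, the fix is in firmware (BIOS/UEFI), not in Windows; nothing in this script can turn VT-x or AMD-V on for you.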

How to Safely Test a Suspicious File

The safest way to use Windows Sandbox is to follow a structured process. Do not treat it as a place for reckless clicking. Treat it as a controlled environment where you observe carefully, minimize exposure, and avoid unnecessary data sharing.

1. Scan the File Before Opening It

Before moving a file into Windows Sandbox, scan it with Microsoft Defender or another reputable antivirus tool. You can also consider uploading the file hash, or the file itself if confidentiality is not a concern, to a multi-engine scanning service. Be aware that uploading sensitive business files or private documents to public scanning services may expose their contents.

A clean scan does not guarantee safety. New malware, obfuscated scripts, and targeted attacks may not be detected immediately. However, scanning first gives you another layer of information before you proceed.
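Scanning, hashing and recording the file before it goes anywhere near the Sandbox can be scripted so the record is consistent every time. The function below is an added example, not code from the article: it computes the SHA-256 hash (so you can submit the hash rather than a confidential file), reads the Authenticode signature, runs a Microsoft Defender custom scan on just that file, and appends everything to a notes file. The cmdlets are built into Windows; the sample path and notes-file location are assumptions for this example.

```powershell
# Added example (not from the article): record what you know about a sample and scan it
# with Defender before copying it into the Sandbox. Get-FileHash, Get-AuthenticodeSignature,
# Start-MpScan and Get-MpThreatDetection are built-in cmdlets; the paths are assumptions.

function Invoke-SamplePrecheck {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $NotesPath = 'C:\SandboxFiles\precheck-notes.txt'   # assumed record location
    )

    $file = Get-Item -LiteralPath $Path
    New-Item -ItemType Directory -Path (Split-Path -Parent $NotesPath) -Force | Out-Null

    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Scan only this file. Start-MpScan does not return a verdict itself; Defender records
    # detections separately, so look them up afterwards by the file's path.
    Start-MpScan -ScanType CustomScan -ScanPath $file.FullName
    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
                    Where-Object { $_.Resources -match [regex]::Escape($file.FullName) })

    $record = [pscustomobject]@{
        Timestamp  = (Get-Date).ToString('o')
        File       = $file.FullName
        SizeBytes  = $file.Length
        SHA256     = $hash                 # share the hash, not the file, when confidentiality matters
        Signature  = $sig.Status           # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Detections = $detections.Count
    }

    # Append to a running log so names, hashes, timestamps and outcomes are preserved.
    $record | Format-List | Out-String | Add-Content -LiteralPath $NotesPath
    return $record
}

$result = Invoke-SamplePrecheck -Path 'C:\SandboxFiles\invoice_update.exe'   # assumed sample path
$result | Format-List

if ($result.Detections -gt 0) {
    Write-Warning "Defender flagged this file. Do not run it, even in the Sandbox; quarantine and report it."
} elseif ($result.Signature -ne 'Valid') {
    Write-Warning "No valid signature. A clean scan is not proof of safety; continue only inside the Sandbox."
}
```

The same Signature and Signer fields are what the Digital Signatures tab in the file's Properties dialog shows; keeping them in the notes file alongside the hash saves re-checking later.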

2. Copy the File Into the Sandbox

You can usually copy and paste a file from your host system into the Sandbox window. For simple checks, this is convenient. Right-click the file on your main system, choose Copy, then click inside Windows Sandbox and use Paste.

Only copy the suspicious file and any non-sensitive supporting files that are absolutely necessary. Do not copy personal documents, password files, client records, browser exports, SSH keys, or anything else that would be harmful if exposed.

3. Disconnect or Restrict Network Access When Appropriate

By default, Windows Sandbox has network access. This can be useful if you need to test whether an installer downloads additional components or whether a suspicious link redirects somewhere dangerous. However, network access can also allow malware to contact command-and-control servers, download payloads, or attempt attacks against nearby systems.

If you are testing a file that may be malicious, consider using a Windows Sandbox configuration file that disables networking. This reduces risk and helps prevent the sample from communicating externally. For ordinary unknown installers, you may choose to keep networking enabled, but do so deliberately.

4. Observe Behavior Carefully

Once inside the Sandbox, run the file and watch what happens. Look for signs such as unexpected command prompt windows, attempts to change system settings, requests for administrator privileges, dropped files on the desktop, unusual browser activity, or messages demanding payment or credentials.

You can open Task Manager inside the Sandbox to check running processes. You can also inspect startup locations, temporary folders, and network behavior using built-in Windows tools. For deeper analysis, advanced users may bring in tools such as Process Explorer, Autoruns, or network monitoring utilities, but this requires experience and caution.

  • Unexpected privilege requests: A major warning sign, especially for simple documents or viewers.
  • Disabled security settings: Suspicious programs may attempt to weaken protection.
  • Strange network activity: Unknown outbound connections should be treated seriously.
  • File encryption or mass file changes: Possible ransomware behavior.
  • Credential prompts: Never enter real passwords inside a test environment.
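Watching for the signs in the list above is easier when you compare the Sandbox before and after the sample runs rather than trying to notice everything live. The script below is an added example, not from the article, and is meant to run inside the Sandbox: it snapshots processes, Run keys, Startup folders, scheduled tasks, established connections, files dropped in temp and user folders, and Defender's real-time protection state; launches the sample; then reports only what changed. The sample path assumes a read-only mapped folder exposed as C:\Samples.

```powershell
# Added example (not from the article): run this INSIDE the Sandbox, not on the host.
# It records a baseline, launches the sample, waits, and reports new processes, autostart
# entries, scheduled tasks, network connections, dropped files, and whether Defender's
# real-time protection was switched off. C:\Samples\suspicious.exe is an assumed path.

function Get-SandboxSnapshot {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    $dropDirs = $env:TEMP, "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads"

    [pscustomobject]@{
        Processes    = @(Get-Process | ForEach-Object { "$($_.ProcessName) [$($_.Id)]" })
        RunEntries   = @(foreach ($key in $runKeys) {
                           if (Test-Path $key) {
                               (Get-ItemProperty -Path $key).PSObject.Properties |
                                   Where-Object { $_.Name -notlike 'PS*' } |      # skip provider metadata
                                   ForEach-Object { "$key\$($_.Name) = $($_.Value)" }
                           }
                       })
        StartupFiles = @(Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
                         Select-Object -ExpandProperty FullName)
        Tasks        = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
                         ForEach-Object { "$($_.TaskPath)$($_.TaskName)" })
        Connections  = @(Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
                         ForEach-Object { "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" })
        DroppedFiles = @(Get-ChildItem -Path $dropDirs -Recurse -File -ErrorAction SilentlyContinue |
                         Select-Object -ExpandProperty FullName)
        RealtimeOff  = [bool](Get-MpPreference -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
    }
}

function Compare-SandboxSnapshot {
    param($Before, $After)
    $findings = @{}
    foreach ($area in 'Processes', 'RunEntries', 'StartupFiles', 'Tasks', 'Connections', 'DroppedFiles') {
        # Anything present after but absent before is new; a plain -notcontains avoids
        # Compare-Object's complaints about empty reference sets.
        $new = @($After.$area | Where-Object { $Before.$area -notcontains $_ })
        if ($new.Count -gt 0) { $findings[$area] = $new }
    }
    if ($After.RealtimeOff -and -not $Before.RealtimeOff) {
        $findings['DefenderRealtimeDisabled'] = $true
    }
    return $findings
}

$before = Get-SandboxSnapshot
Start-Process -FilePath 'C:\Samples\suspicious.exe'   # assumed mapped sample; interact with it as a user would
Start-Sleep -Seconds 90                               # give delayed behaviour a chance to show up
$after = Get-SandboxSnapshot

$changes = Compare-SandboxSnapshot -Before $before -After $after
if ($changes.Count -eq 0) {
    Write-Host "No changes observed. Quiet in a short test is not proof of safety."
} else {
    foreach ($area in $changes.Keys) {
        Write-Host "== ${area} =="
        $changes[$area] | ForEach-Object { "  $_" }
    }
}
```

Read the report as a list of questions, not verdicts: a new Run entry or scheduled task from a "document viewer", an outbound connection when networking was supposed to be disabled, or Defender real-time protection turning off are exactly the warning signs the list above describes. Copy the text of the report out by retyping or photographing it, not by moving files, if the clipboard and mapped folders are locked down as recommended.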

Using Windows Sandbox Configuration Files

For more controlled testing, you can create a .wsb configuration file. This is an XML file that tells Windows Sandbox how to launch. You can use it to disable networking, disable clipboard sharing, control mapped folders, and run a startup command.

For example, a basic configuration that disables networking might look like this:

<Configuration>
  <Networking>Disable</Networking>
</Configuration>

Save the file with a .wsb extension, such as SafeTest.wsb, then double-click it to start Windows Sandbox with those settings.

You can also disable clipboard sharing:

<Configuration>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
</Configuration>

This makes moving files less convenient, but improves isolation. If you need to provide files to the Sandbox, you can use a mapped folder in read-only mode. Be extremely careful with mapped folders, because they create a bridge between the Sandbox and your host system.

<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\SandboxFiles</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>

With this setup, files in C:\SandboxFiles are visible inside the Sandbox, but the Sandbox should not be able to write back to that folder. This is helpful when you want to provide a sample without allowing changes to your host data.
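Writing the .wsb by hand works, but generating it from a script lets you validate it and keep the strict settings together. The example below is added here and is not from the article: it writes a configuration that combines the three settings shown above (networking off, clipboard off, read-only mapped folder) with the other documented Windows Sandbox options that reduce exposure (printer, audio and video redirection off, ProtectedClient on, a memory cap), maps the host folder to a fixed path inside the Sandbox, opens that folder on logon, checks the file parses as XML, and launches it. The element names are Windows Sandbox's documented settings; C:\SandboxFiles on the host and C:\Samples inside the Sandbox are assumptions.

```powershell
# Added example (not from the article): generate a tightened .wsb, confirm it is well-formed
# XML, and launch it. Element names are Windows Sandbox's documented settings; the host folder
# C:\SandboxFiles and the in-Sandbox path C:\Samples are assumptions for this example.

$hostFolder = 'C:\SandboxFiles'
$wsbPath    = Join-Path $hostFolder 'SafeTest.wsb'
New-Item -ItemType Directory -Path $hostFolder -Force | Out-Null

$config = @"
<Configuration>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <SandboxFolder>C:\Samples</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Samples</Command>
  </LogonCommand>
</Configuration>
"@

# Parse before saving: a malformed file only fails at launch, with a less helpful message.
try { [xml]$parsed = $config } catch { throw "Configuration is not well-formed XML: $_" }

# Sanity-check the two settings that matter most for a suspicious sample.
if ($parsed.Configuration.Networking -ne 'Disable') {
    Write-Warning "Networking is not disabled in this configuration."
}
$writable = @($parsed.Configuration.MappedFolders.MappedFolder | Where-Object { $_.ReadOnly -ne 'true' })
if ($writable.Count -gt 0) {
    Write-Warning "One or more mapped folders are writable from inside the Sandbox."
}

Set-Content -LiteralPath $wsbPath -Value $config
Start-Process -FilePath $wsbPath    # equivalent to double-clicking SafeTest.wsb
```

Because the mapped folder is read-only, anything the sample tries to write lands inside the Sandbox and disappears when it is closed; the host folder only ever receives files you put there yourself.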

What Happens When You Close Windows Sandbox

When you close Windows Sandbox, Windows warns that all content will be discarded. This includes downloaded files, installed applications, system changes, malware activity, browsing history, and anything else created during the session. Once closed, the Sandbox cannot be restored.

This temporary nature is one of its greatest strengths. If a suspicious installer clutters the system, a script modifies settings, or a document behaves strangely, you can simply close the Sandbox and start over with a fresh instance.

However, remember that anything copied out of the Sandbox before closing may carry risk. Do not copy results, logs, extracted files, or modified documents back to your host unless you are confident they are safe and necessary. If you must preserve evidence, store it in a clearly labeled quarantine folder and scan it again.

Important Limitations

Windows Sandbox is powerful, but it is not a perfect containment system. Serious malware may detect that it is running in a virtualized environment and refuse to activate. Other malware may delay execution, wait for user activity, or behave differently if it cannot reach the internet.

There is also a difference between reducing risk and eliminating risk. Virtualization vulnerabilities are rare but possible. A sophisticated attacker may attempt to escape a sandbox or exploit shared resources. For this reason, Windows Sandbox should not be used as the only defense when analyzing confirmed high-risk malware.

If you are handling dangerous samples, ransomware, targeted malware, or files connected to an active incident, use a dedicated malware analysis lab or consult qualified security professionals. A proper lab usually includes isolated networks, snapshots, monitoring tools, non-personal hardware, and strict handling procedures.

Best Practices for Safer Testing

To use Windows Sandbox responsibly, follow these practical rules:

  • Keep Windows updated: Security patches help protect both the host and Sandbox environment.
  • Use standard caution: Do not assume isolation makes every action safe.
  • Disable networking when possible: Especially for files that may be malicious.
  • Do not enter real credentials: Never type passwords, account numbers, or private information inside the Sandbox.
  • Avoid host folder write access: Use read-only mapped folders if you need file transfer.
  • Maintain backups: Reliable offline or cloud backups protect you if something goes wrong outside the Sandbox.
  • Document suspicious findings: Record file names, hashes, timestamps, and observed behavior when appropriate.

When to Trust the Result

A file that behaves normally in Windows Sandbox is not automatically safe. It may be benign, or it may be designed to hide its behavior. Consider the file’s source, reputation, digital signature, scan results, and purpose. If an unknown executable claims to be an invoice, a delivery notice, or a security update, treat it with suspicion even if it appears quiet during a short test.

For software installers, check whether the publisher is known and whether the file is digitally signed. Right-click the file, select Properties, and review the Digital Signatures tab if available. A missing signature is not always proof of danger, but a valid signature from a reputable publisher is useful supporting evidence.

For office documents, be especially cautious with files that ask you to enable macros, disable Protected View, or ignore security warnings. These are common tactics used in phishing and malware campaigns. In most legitimate business situations, modern documents should not require you to weaken security protections.

Recommended Workflow

A disciplined workflow helps prevent mistakes. Start by saving the suspicious file in a dedicated folder on your host, such as C:\SandboxFiles. Scan it with Microsoft Defender. If you still need to inspect it, launch Windows Sandbox using a configuration that disables networking and clipboard sharing where practical. Copy or map the file into the Sandbox in read-only mode, run it, observe behavior, then close the Sandbox without copying anything back unless absolutely necessary.

If the file shows suspicious behavior, delete it from the host or place it in quarantine according to your organization’s policy. If it came from email, report the message as phishing or suspicious. If it came from a website, avoid returning to that source. If you are in a workplace, notify your IT or security team and provide the original email, URL, file hash, and notes about what you observed.

Final Thoughts

Windows Sandbox is one of the most practical security features available to Windows Pro and Enterprise users. It offers a fast, disposable environment for checking files that you do not fully trust, without the overhead of maintaining a full virtual machine. Used carefully, it can help you avoid unnecessary exposure and make better decisions about suspicious downloads, attachments, and installers.

Still, the most important security tool is disciplined behavior. Do not open unknown files casually, do not trust a single scan result blindly, and do not treat Sandbox as an impenetrable shield. Use it as part of a layered approach that includes updates, antivirus protection, backups, cautious file handling, and professional help when the situation demands it.