Every program and file interacts with your system, creating digital traces along the way: they may modify other files, utilize system resources, alter entries in the registry, and even install supplementary software.
At best, you might simply clutter your Windows environment if an application’s uninstall process fails to remove all associated files and registry entries. At worst, you could face malware infection or ransomware that compromises your files.
If you’re eager to explore new software or open unfamiliar files, it’s wise to do so within a controlled and secure environment separate from your main system. This is where a sandbox comes into play.
When you execute a program within a sandbox, it functions normally but cannot make lasting changes to your system or interact with resources outside of its designated environment. The sandbox effectively restricts access and ensures that all activities are erased once the session is closed.
Utilizing a sandbox allows you to safely experiment with new applications, install software from questionable sources, browse potentially harmful websites, and keep your system pristine.
We’ll explore different methods to set up and utilize an effective sandbox for files and applications on Windows, which range from built-in Windows features and virtual machines to browsers and sandbox-enabled software.
In particular, we will take a closer look at Sandboxie-Plus — an exceptionally user-friendly and effective sandbox solution for the average user.
Browser Sandbox
Chances are, you’re already utilizing a form of sandbox. Modern browsers, including Chrome and Firefox, incorporate this protective technology.
These browsers leverage Windows security features, allowing them to provide robust protection without significantly taxing system resources that could slow down website loading times.
Each browser tab operates within its own sandbox, which prevents Chrome and similar browsers from executing unauthorized downloads or malicious scripts from websites.
This process also adds a layer of security against attacks that exploit browser vulnerabilities without raising any alarms — these are known as zero-day exploits.
Each tab functions as a separate process with no access to other tabs or the operating system, and initiates with limited permissions. For instance, you often have to grant access for a website to use your computer’s camera.
The separation of tabs ensures that if one website crashes, it doesn’t bring down the whole browser; only the affected tab will shut down.
You can verify how your browser’s sandboxing works by checking the Task Manager in Windows. Under “Processes,” you’ll see multiple processes listed beneath “Google Chrome,” which represent the individual sandboxes for each tab.
For more detailed information, you can type the following command in the browser’s address bar:
chrome://sandbox/
This will provide you with a list of tabs referred to as “Renderer” — the function responsible for displaying web content. Each tab should also display a “Sandbox” column and be marked as “Lockdown.”
The term “Untrusted” next to it indicates that this process possesses very restricted access rights.

Always keep your browser updated, because hackers frequently try to get around the sandbox by targeting other security weaknesses in order to gain elevated permissions for scripts and applications on websites.
Applications with Built-In Sandboxes
Windows also employs sandboxing for certain applications: Apps from the Microsoft Store — or Universal Windows Platform (UWP) apps — operate in an isolated environment with restricted permissions.
This means they can be uninstalled without leaving remnants. Frequently, these applications require approval before accessing files or hardware, like the camera or microphone.
However, UWP apps are not as widely used among users. Most standard programs — referred to as desktop applications — run without sandboxing or permissions limitations.
During installation, you often grant UWP apps specific permissions. To check these permissions pre-installation, visit the app page in the Microsoft Store, where they are listed under “This app can,” and after installation, you can view them under “Privacy > App permissions” in Windows settings.
You can revoke these permissions, though doing so may lead to the app not functioning properly.

With Windows 11 version 24H2, a sandbox function for regular programs, Win32 App Isolation, has also been introduced, but developers need to integrate this feature into their software for it to work.
Adobe Acrobat Reader offers a secure sandbox for handling PDF documents. If you receive a PDF attachment from an uncertain source, the sandbox can prevent embedded code from executing and links in the document from directing you to a harmful website.
To activate PDF sandboxing, navigate to “Settings > Security (advanced)” in Acrobat Reader, and enable the “Enable protected mode on startup” option.
Sandboxie-Plus, an accessible open-source tool, is the perfect choice for isolating suspicious files and programs. You can install it like any typical Windows application and then launch the desired content directly within a sandbox container.
The complete functionality of Sandboxie-Plus is available for $40 annually, payable directly to the developer via PayPal or by purchasing a supporter certificate from the website.
However, for a personal computer, the free basic features detailed below are usually adequate.

Sandboxie-Plus is compatible with both standard Windows and Arm Windows versions.
The tool can also be installed as a portable version on a USB stick. After installation, you’ll be guided by a setup wizard where you first select “Personal, for non-commercial use” to access free features.
An evaluation certificate for a 10-day trial of the full software can usually be acquired by clicking the highlighted red text during setup. Alternatively, you can simply click “Next.” Choose your preference for the user interface between beginner and expert modes, and select either light or dark themes.
It’s best to stick with the default settings and hit “Next” again. Complete the setup by clicking “Finish” in the last window.
During “Global settings,” you can leave the default options as they are and click “OK.”
Running Risky Programs in Sandboxie-Plus
Sandboxie-Plus features a dual interface: the upper section displays an entry for a “DefaultBox” where you can launch suspect programs, and the lower section logs all actions and settings.
You can access this interface by right-clicking the tool icon in the system tray and selecting “Show / Hide.”
To safely run software in a sandbox, click on “Sandbox > Run in sandbox.” Confirm your selections in the ensuing window by clicking “OK.”
A new window will appear: input the name of the software you wish to launch in Sandboxie-Plus and confirm your entry with “OK.” If you are unsure of the exact name or the tool cannot locate a matching program, you can search for it using Explorer.
This approach is particularly advisable for launching installed programs that you want to execute in a secure environment — for instance, your web browser: firing it up in the sandbox allows you to visit dubious websites worry-free.
Once the program is initiated, you’ll see the relevant EXE file in the upper section of Sandboxie-Plus.
You can recognize that software is operating in the sandbox by these characteristics: The program name in the window title both starts and ends with a hash symbol in square brackets. For example, if you open Chrome in the sandbox, the title will read [#] New Tab – Google Chrome [#].
If you move your mouse to the top of the program window, a yellow frame will appear. You can also use the window finder in Sandboxie-Plus to check if a program is in the sandbox by selecting the circle in the small program window on the left, holding down the mouse button, and releasing it over the window of the program you wish to check. The answer will display in the window finder.
Moreover, Sandboxie-Plus is included in the context menu of Windows Explorer, allowing you to right-click on the desired program and select “Start Sandboxed.”
Programs recently downloaded can be installed in the sandbox by running the relevant EXE or installation file through Sandboxie-Plus.
It’s advisable to execute every program and file in its own sandbox: When starting through Sandboxie-Plus or the context menu, select the “Run in a new sandbox” option in the following window, and then choose “Standard sandbox.” You may also assign meaningful names to each sandbox here.
Frequently used programs, such as your browser, email client, or Windows Explorer, can be started promptly in Sandboxie-Plus: Click on an existing sandbox at the upper right of the tool window.
Then select “Start > Standard programs” and choose the desired application.
Open and Inspect Suspicious Files
In a similar fashion to applications, individual files can also be opened within an isolated sandbox. Sandboxie-Plus will start the default application for this file — for example, Word for a DOCX document.
If the program fails, adjust a setting in Sandboxie-Plus: Open the file in a new sandbox as outlined previously. In the window where you select “Standard Sandbox” as the box type, check the “Configure advanced options” option at the bottom right.
Proceed by selecting “Version 1” for “Virtualization scheme,” then click “Next” multiple times, finishing with “Finish.”

Important: A program initiated in the sandbox is only able to read files outside of it and cannot alter them. If a file is opened within the sandboxed application, modifications can occur, but these changes will not affect the original file:
For instance, if you launch Outlook in the sandbox and delete an email, it will remain unaffected when you open Outlook normally.
Emails containing suspicious attachments can be scrutinized this way: You can open your email client in the sandbox and view the attachment. If it seems questionable or originates from an unexpected sender, simply delete the sandbox and then remove the email in your standard email program without accessing it or examining the attachment.
Sandboxie-Plus isolates both applications and files by creating separate directories, found in the program directory “C:\Sandbox\username,” where each sandbox has its own folder.
Changes that isolated applications make to the registry are also saved within these folders. Therefore, when you delete a sandbox, no digital remnants are left on the system.
You can easily achieve this by right-clicking on the desired sandbox in the upper window of Sandboxie-Plus and selecting “Remove sandbox” from the context menu. If you wish to retain the sandbox but close all running programs within it, opt for the “Close all processes” command in the context menu.
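Before removing a sandbox, it can be useful to record what the isolated program actually wrote into its folder. The following PowerShell script is an added example, not part of the original article or of Sandboxie-Plus; it assumes the default location “C:\Sandbox\username” mentioned above and a box named “DefaultBox”, and the list of extensions it flags is an illustrative choice.

```powershell
# Added example: inventory a Sandboxie-Plus box folder before the box is removed.
# Assumptions: default container root C:\Sandbox\<username>, box name 'DefaultBox'.
$BoxName = 'DefaultBox'
$BoxRoot = Join-Path 'C:\Sandbox' $env:USERNAME
$Box     = Join-Path $BoxRoot $BoxName

if (-not (Test-Path -LiteralPath $Box -PathType Container)) {
    throw "No sandbox folder at $Box (box is empty, already removed, or stored elsewhere)."
}

# Extensions worth a second look when they appear after opening a document or attachment.
$Flagged = '.exe', '.dll', '.sys', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.lnk'

$Files = Get-ChildItem -LiteralPath $Box -Recurse -File -Force -ErrorAction SilentlyContinue

$Report = foreach ($File in $Files) {
    # Files still held open by a running sandboxed program (for example the box's
    # registry data) may not be readable; their hash is left empty.
    $Hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 `
                 -ErrorAction SilentlyContinue).Hash
    [pscustomobject]@{
        RelativePath = $File.FullName.Substring($Box.Length).TrimStart('\')
        SizeBytes    = $File.Length
        LastWrite    = $File.LastWriteTime
        Flagged      = $Flagged -contains $File.Extension.ToLowerInvariant()
        SHA256       = $Hash
    }
}

# Flagged files first, then oldest to newest, so the order of changes is visible.
$Report |
    Sort-Object -Property @{ Expression = 'Flagged'; Descending = $true }, 'LastWrite' |
    Format-Table -AutoSize RelativePath, SizeBytes, LastWrite, Flagged

# Keep a copy outside the box; the folder itself disappears with "Remove sandbox".
$Csv = Join-Path $env:TEMP "$BoxName-inventory.csv"
$Report | Export-Csv -LiteralPath $Csv -NoTypeInformation -Encoding UTF8
Write-Output "Inventory of $(@($Report).Count) file(s) written to $Csv"
```

Use “Close all processes” on the box first so that no file is locked while it is being hashed.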
Alternative: Virtual PC
A Virtual PC (VPC) is another viable option for running risky applications or opening suspicious files. Windows includes a feature called Windows Sandbox for this purpose. It’s powered by Microsoft’s Hyper-V virtualization software, but is only available in Windows Pro editions.
Before use, you need to enable it: Go to the Control Panel, select “Enable or disable Windows features,” and check the “Windows Sandbox” box. A system restart will be required for it to take effect.
Once activated, the program will appear as “Windows Sandbox” among your installed applications. Upon launching, a separate Windows desktop serves as your VPC interface, allowing you to operate it just like your primary system — thus, enabling you to install and test out applications in the Windows Sandbox.
You can copy and paste suspicious files from the main system to this virtual environment.
Since update 22H2 for Windows 11, the VPC supports a restart that preserves its data and applications, but only if you restart the sandbox — closing the VPC window or rebooting the main system will result in the loss of the sandbox’s contents.
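Windows Sandbox can also be started from a .wsb configuration file, which lets you hand it suspicious files through a read-only folder instead of the clipboard and switch off networking for the session. The PowerShell script below is an added example, not from the original article; the host folder C:\Quarantine and the file name inspect.wsb are assumptions, and the feature check needs an elevated prompt.

```powershell
# Added example: start Windows Sandbox with a restrictive profile for file inspection.
# Assumptions: C:\Quarantine is a hypothetical host folder holding the files to inspect.
$Quarantine = 'C:\Quarantine'
$WsbPath    = Join-Path $env:TEMP 'inspect.wsb'

# Requires an elevated prompt. 'Containers-DisposableClientVM' is the optional
# feature behind the "Windows Sandbox" checkbox.
$Feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($Feature.State -ne 'Enabled') {
    throw 'Windows Sandbox is not enabled. Enable it under Windows features and restart.'
}
if (-not (Test-Path -LiteralPath $Quarantine -PathType Container)) {
    throw "Host folder $Quarantine does not exist."
}

# Escape the path so characters such as '&' do not break the XML.
$HostFolder = [System.Security.SecurityElement]::Escape($Quarantine)

# Networking and device/clipboard redirection are switched off; the host folder
# is mapped read-only so nothing in the sandbox can modify the originals.
$Wsb = @"
<Configuration>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <vGPU>Disable</vGPU>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Quarantine</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@

Set-Content -LiteralPath $WsbPath -Value $Wsb -Encoding UTF8

# .wsb files are associated with Windows Sandbox, so opening the file starts a session.
Start-Process -FilePath $WsbPath
```

With clipboard redirection disabled, copy and paste between host and sandbox no longer works; the mapped Quarantine folder on the sandbox desktop takes its place.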
If you’re using Windows Home, free virtualization tools like VirtualBox can serve as a VPC, though you will need an operating system for the virtual machine. Installing a Windows OS will require an additional license.
Overall, a VPC is largely disconnected from the main system, providing a secure environment for testing.
However, compared to Sandboxie-Plus, a virtual machine may feel cumbersome for users who only occasionally want to try out unknown applications or examine suspicious email attachments, as you’ll have to go through the process of setting up an operating system within the VPC, which can place heavy demands on your computer’s hardware.
This is especially true for CPU performance and RAM: ideally, you should allocate a minimum of 4GB of RAM solely for the virtual system; more RAM significantly improves VPC usability.
Using a VPC is also not ideal for a quick file check: you’ll need to open the VPC like a regular system and wait for the virtual Windows environment to become operational.