Jump to content

MS announces Windows Sandbox to run bad software without screwing with your system.

AlexGoesHigh

With the exception of Windows itself...

 

We have all been there, running an app you have never used before and you don't know what is going to do, you either get what you wanted or your stuff gets encrypted for a ransom out of nowhere or you get 10 trojans to party on your RAM or simply a BSOD that pisses you off for 5 minutes unless you had a video export or compiling a project in the background which ruins your days. In such case, the sensible thing to do would be to throw it in a VM or run the installer against as many antiviruses as possible, either way, you get the point.

 

Now coming with the next big Windows update Microsoft is introducing a built-in container so you can do just this. Windows Sandbox is a fully insolated desktop that does not save the session once you shut it down, meaning it won't crap your system

 

image.png.6547b697147a9d00446950643cc2c5ad.png

 

The feature was announced on the Windows Kernel internals blog, the team notes this is the main features of Windows Sandbox.

 

Quote

As the post notes, Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on Microsoft’s hypervisor to run a separate kernel which isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

And to run this feature, your PC will need to meet the following requirements:

  • Windows 10 Pro or Enterprise build 18301 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

 

It is somewhat understandable why you need to have at least Pro but it would have been nice to have on Home to check stuff on your Pops PC and on a bunch of prebuilts that ship with Home instead of Pro like those 2K gaming PC's. also interesting that they recommend an SSD. 

 

This is essentially (at least to me) a pre-configured and ready to use Level 1 hypervisor and honestly one of the most interesting features they have announced in a while.

 

Source: https://www.petri.com/windows-sandbox-a-new-lightweight-desktop-environment-for-running-untrusted-apps

this is one of the greatest thing that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i use to have the second best link in the world here, but it died ;_; its a 404 now but it will always be here

 

Link to comment
Share on other sites

Link to post
Share on other sites

So...another thing that I'll probably end up treating like Cortanna.

Anyone remember Microsoft's "virtual PC" that was mainly meant for running Windows XP under Windows 7 Pro?

https://www.microsoft.com/en-au/download/details.aspx?id=3702

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL

Link to comment
Share on other sites

Link to post
Share on other sites

15 minutes ago, AlexGoesHigh said:

 

It is somewhat understandable why you need to have at least Pro but it would have been nice to have on Home to check stuff on your Pops PC and on a bunch of prebuilts that ship with Home instead of Pro like those 2K gaming PC's. also interesting that they recommend an SSD. 

 

 

I think the people who are running pro or higher are generally less likely to be running unknown 3rd party software for the first time, so it really is home users and home enthusiasts who need this facility the most.   Once you get to enterprise there is a good chance your IT department is already running several VM's for other things and so it really isn't hat hard to create one for testing new software (if they don't already).

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Link to comment
Share on other sites

Link to post
Share on other sites

9 minutes ago, mr moose said:

 

I think the people who are running pro or higher are generally less likely to be running unknown 3rd party software for the first time, so it really is home users and home enthusiasts who need this facility the most.   Once you get to enterprise there is a good chance your IT department is already running several VM's for other things and so it really isn't hat hard to create one for testing new software (if they don't already).

Exactly though at least in a corp environment, they can replace those VM's since this will be much faster unless they need to save something from it that isn't a screenshot.

this is one of the greatest thing that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i use to have the second best link in the world here, but it died ;_; its a 404 now but it will always be here

 

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, AlexGoesHigh said:

Exactly though at least in a corp environment, they can replace those VM's since this will be much faster unless they need to save something from it that isn't a screenshot.

I would imagine in a corporate environment the IT department does all the testing of new software, for those who use enterprise for other reasons, well I'm just struggling too see them needing this because I imagine they would already have something setup or they use enterprise because their system is for a specific use and not the 3rd party software testing ground.

 

However I do agree it sounds like it is going to make it much easier and simpler for people without much experience in VM's or that don't have the hardware outside of their work PC to test out new stuff, maybe even open curious Email attachments.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Link to comment
Share on other sites

Link to post
Share on other sites

Quote

Prerequisites for using the feature

  • Windows 10 Pro or Enterprise build 18305 or later
  • AMD64 architecture

Does that mean it'll only work with AMD CPUs?

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987

Link to comment
Share on other sites

Link to post
Share on other sites

Just now, Delicieuxz said:

Does that mean it'll only work with AMD CPUs?

AMD64 is 64bit x86, it has that name because AMD developed it and release it first.

this is one of the greatest thing that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i use to have the second best link in the world here, but it died ;_; its a 404 now but it will always be here

 

Link to comment
Share on other sites

Link to post
Share on other sites

12 minutes ago, Strike105X said:

I feel the need to nitpick a bit ?, home enthusiasts generally/most of them run pro for more os control, so pro being included is a must, that said, i fully agree that its the home users regardless of edition who need this feature the most.

Agree, I run Pro at home for RDP, Bitlocker and Group Policy editor.

Link to comment
Share on other sites

Link to post
Share on other sites

So something like Hyper-V?

Intel i7 12700K | Gigabyte Z690 Gaming X DDR4 | Pure Loop 240mm | G.Skill 3200MHz 32GB CL14 | CM V850 G2 | RTX 3070 Phoenix | Lian Li O11 Air mini

Samsung EVO 960 M.2 250GB | Samsung EVO 860 PRO 512GB | 4x Be Quiet! Silent Wings 140mm fans

WD My Cloud 4TB

Link to comment
Share on other sites

Link to post
Share on other sites

Would be cool if the main OS wouldn't screw up after an update either 

Link to comment
Share on other sites

Link to post
Share on other sites

This is a really nice feature to have. Microsoft are really good at virtualization too, so I expect this to work really well. 

 

It's a shame that it won't work on home, because I think those people are those who could benefit the most, but other than that I think it sounds great. 

Link to comment
Share on other sites

Link to post
Share on other sites

I've been using VMs a lot more lately, mostly for the reasons stated. If Win10 really can just activate a VM, that'll be nice. I'd still recommend a real VM solution or something like Sandboxie until we get a better idea how well this works. Though is this seems more like a blank VM rather than a real Sandbox approach. 

 

Also, and this is just a minor nitpick: but all web-browsers really should be in a Sandbox by default.

Link to comment
Share on other sites

Link to post
Share on other sites

The decision for excluding Home version is a bit funny considering these are the people who need it the most. Normies running everything they get under their hands...

Link to comment
Share on other sites

Link to post
Share on other sites

Say there was a CPU bench-marking tool that is suspected of having adwares. You would run this tool in the sandbox, but it wouldn't be able to measure the performance of your computer, only the resources provided to the sandbox right? Is Sandboxie different in this regard?

Link to comment
Share on other sites

Link to post
Share on other sites

A Docker containment like approach would be less demanding and seamless too, with some tweaks maybe 

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, RejZoR said:

The decision for excluding Home version is a bit funny considering these are the people who need it the most. Normies running everything they get under their hands...

As mentioned in the post itself, this isn't really a "Walled Garden" sandbox for the regular user. This is more in the hypervisor realm, so it's really almost non-functional for the Home User. You'd need either the corporate type solution or something like Sandboxie (Google it, great program) for the normal user. If MS was smarter, they'd buy Sandboxie and put all web browsers in actual sandboxes. That'd save them so many security issues.

 

Though that thing that gives me most pause: those system requirements are strange. RAM is too low, more than likely. Space is fine. It's the 4 corres/8 threads that sticks out. It doesn't really take much to run an OS + Desktop tasks VM. Does this mean the VM has "baremetal" system access? While useful for some things if that's true, that really just means it's a testing VM with a rather limited set of abilities.

 

If MS didn't regularly drop interesting projects they're working on, I'd have a lot more faith in this.

Link to comment
Share on other sites

Link to post
Share on other sites

3 minutes ago, bugl7 said:

Say there was a CPU bench-marking tool that is suspected of having adwares. You would run this tool in the sandbox, but it wouldn't be able to measure the performance of your computer, only the resources provided to the sandbox right? Is Sandboxie different in this regard?

We don't know how much virtualization is actually happening, yet, thus it's hard to say. The statements about it point to it being a VM of some form, so, to the question about testing, we'll have to see how much system access is available.

 

Sandboxie puts installed programs into a data sandbox. Basically, full read-access to everything, but write-access is removed and everything is placed within a container to keep files from moving out. A sandbox doesn't protect the underlying OS quite as well, but it's rare for there to be ways to get out of the sandbox, unless it's a targeted attack. Sandboxie would also not sandbox the Install of the program, which is really where most adware gets into systems.

Link to comment
Share on other sites

Link to post
Share on other sites

32 minutes ago, Taf the Ghost said:

As mentioned in the post itself, this isn't really a "Walled Garden" sandbox for the regular user. This is more in the hypervisor realm, so it's really almost non-functional for the Home User. You'd need either the corporate type solution or something like Sandboxie (Google it, great program) for the normal user. If MS was smarter, they'd buy Sandboxie and put all web browsers in actual sandboxes. That'd save them so many security issues.

 

Though that thing that gives me most pause: those system requirements are strange. RAM is too low, more than likely. Space is fine. It's the 4 corres/8 threads that sticks out. It doesn't really take much to run an OS + Desktop tasks VM. Does this mean the VM has "baremetal" system access? While useful for some things if that's true, that really just means it's a testing VM with a rather limited set of abilities.

 

If MS didn't regularly drop interesting projects they're working on, I'd have a lot more faith in this.

This is MS post about it. https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849

 

They do a couple of things, first, it runs on Hyper-V, second, the "image" they use just has the files that window writes on a constant basis, everything else, which is read-only is copied from the main installation, this is so the "image" is just a couple of megs, and third the kernel is shared with the host (mainly the memory management side and the scheduler is fully run by the host), similar to a level 1 hypervisor, they also have graphics acceleration working thanks to changes into WDDM and DirectX.

 

It's honestly really clever, it's closer to a VM that a sandbox but it shares some resources with the host to decrease the performance penalty of a VM.

this is one of the greatest thing that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i use to have the second best link in the world here, but it died ;_; its a 404 now but it will always be here

 

Link to comment
Share on other sites

Link to post
Share on other sites

10 minutes ago, AlexGoesHigh said:

This is MS post about it. https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849

 

They do a couple of things, first, it runs on Hyper-V, second, the "image" they use just has the files that window writes on a constant basis, everything else, which is read-only is copied from the main installation, this is so the "image" is just a couple of megs, and third the kernel is shared with the host (mainly the memory management side and the scheduler is fully run by the host), similar to a level 1 hypervisor, they also have graphics acceleration working thanks to changes into WDDM and DirectX.

 

It's honestly really clever, it's closer to a VM that a sandbox but it shares some resources with the host to decrease the performance penalty of a VM.

 

Lol I remember having a BSOD by having HyperV enabled and running Bluestacks

 

Anyway I expect the graphics performance to be like VMware which has a similar implementation 

Link to comment
Share on other sites

Link to post
Share on other sites

MS screwed up here. the people who would benefit from this are people running Windows 10 home. less tech-savy people. systems running enterprise are likely being used in a domain where a network admin manages the software or something... 

She/Her

Link to comment
Share on other sites

Link to post
Share on other sites

11 minutes ago, Taf the Ghost said:

We don't know how much virtualization is actually happening, yet, thus it's hard to say. The statements about it point to it being a VM of some form, so, to the question about testing, we'll have to see how much system access is available.

 

Sandboxie puts installed programs into a data sandbox. Basically, full read-access to everything, but write-access is removed and everything is placed within a container to keep files from moving out. A sandbox doesn't protect the underlying OS quite as well, but it's rare for there to be ways to get out of the sandbox, unless it's a targeted attack. Sandboxie would also not sandbox the Install of the program, which is really where most adware gets into systems.

These days, such system doesn't really help. Back in days of destructive malware (parasitic file infectors and disk erasers) write access restriction made more sense. These days restriction of access and network connectivity is far more important.  Even in Sandboxie or shall I say especially there. Because if read access is not restricted, malware can collect all data from within sandbox and upload it somewhere. So, you either have to restrict red access or network connectivity to really protect things...

Link to comment
Share on other sites

Link to post
Share on other sites

6 minutes ago, RejZoR said:

These days, such system doesn't really help. Back in days of destructive malware (parasitic file infectors and disk erasers) write access restriction made more sense. These days restriction of access and network connectivity is far more important.  Even in Sandboxie or shall I say especially there. Because if read access is not restricted, malware can collect all data from within sandbox and upload it somewhere. So, you either have to restrict red access or network connectivity to really protect things...

We're headed towards fairly hard program isolation on all platforms, just as a security measure, but a Sandbox approach is still valuable for the average user. Especially for users you know aren't very good with computers. It just cuts down on a lot of problems.

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×