Microsoft puts desktop apps in containers with Windows Sandbox

A new feature for Windows 10 Pro and Enterprise lets you run untrusted desktop apps in isolated environments more flexible than VMs


Microsoft has shipped a new feature in Windows 10 Pro and Enterprise, available from Insider Preview build 18305 onward, that lets users create throwaway desktop environments for testing software and running untrusted programs.

Normally, developers have to spin up a virtual machine or use a separate system specifically for running new or untrusted apps. But the new feature, called Windows Sandbox, uses the container technologies recently added to Windows to provide a high degree of isolation for individual programs, Microsoft says.

When launched, Windows Sandbox presents a Windows desktop running in a window, much like a VM. Files and applications can be copied and pasted, or dragged and dropped, into the sandbox and run as is. Because the sandbox runs its own kernel under the Microsoft hypervisor, changes made inside it do not touch the host's file system or registry, and when the sandbox window is closed everything in it is discarded. The isolation is not total, though: the sandbox shares the host's clipboard and, by default, the host's network connection, so a malicious sample run inside it can still reach the internet and read whatever is pasted in. Treat it as disposable, not air-gapped.
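As an added example (not from the article or from Microsoft), the following PowerShell script checks the host against the published prerequisites for Windows Sandbox, enables the optional feature, and launches a sandbox. The feature name `Containers-DisposableClientVM` and the `WindowsSandbox.exe` launcher are real; the property names come from `Get-ComputerInfo`; the minimums checked (64-bit, 4 GB RAM, 2 logical CPUs, virtualization enabled in firmware) are Microsoft's documented requirements. Run it from an elevated PowerShell prompt on the host.

```powershell
# Added example: host-side prerequisite check, feature enablement and launch
# for Windows Sandbox. Not the article's or Microsoft's code.

function Test-SandboxPrerequisites {
    # Get-ComputerInfo takes a few seconds; call it once and reuse the object.
    $info = Get-ComputerInfo
    $checks = [ordered]@{
        'Edition is Pro or Enterprise' = $info.WindowsEditionId -in @('Professional', 'Enterprise')
        'Build 18305 or later'         = [int]$info.OsBuildNumber -ge 18305
        '64-bit OS'                    = [Environment]::Is64BitOperatingSystem
        'At least 4 GB RAM'            = $info.CsTotalPhysicalMemory -ge 4GB
        'At least 2 logical CPUs'      = $info.CsNumberOfLogicalProcessors -ge 2
        # When a hypervisor is already running (Hyper-V enabled) the firmware
        # virtualization flag reads as null; HyperVisorPresent covers that case.
        'Virtualization available'     = ($info.HyperVisorPresent -eq $true) -or
                                         ($info.HyperVRequirementVirtualizationFirmwareEnabled -eq $true)
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-30} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
    }
    return -not ($checks.Values -contains $false)
}

function Enable-WindowsSandboxFeature {
    # Returns $true when the feature is enabled and usable without a reboot.
    $name = 'Containers-DisposableClientVM'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name
    if ($feature.State -eq 'Enabled') {
        Write-Host 'Windows Sandbox is already enabled.'
        return $true
    }
    # -All pulls in the dependent features (hypervisor platform, containers).
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'Feature enabled; restart the host before starting a sandbox.'
        return $false
    }
    return $true
}

function Start-WindowsSandbox {
    $exe = Join-Path $env:windir 'System32\WindowsSandbox.exe'
    if (-not (Test-Path $exe)) {
        throw 'WindowsSandbox.exe not found; enable the feature and reboot first.'
    }
    # Launches the sandbox window; only one sandbox instance runs at a time.
    Start-Process -FilePath $exe
}

if (Test-SandboxPrerequisites) {
    if (Enable-WindowsSandboxFeature) { Start-WindowsSandbox }
} else {
    Write-Warning 'This host does not meet the Windows Sandbox prerequisites.'
}
```

The prerequisite check is done on the host because the sandbox itself cannot be scripted from outside in this release; once it is running, copy the file you want to test into the sandbox window and run it there. Remember that the clipboard is shared in both directions, so avoid pasting credentials into a sandbox that is running untrusted code.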

Right now, the Sandbox feature set is very limited. There is no apparent way to save a sandbox's state and restore it later, or to keep more than one sandbox. If Windows Sandbox will expose any APIs, they aren't documented yet.

Much of how Windows Sandbox works comes from Microsoft's existing work on virtualization and containers. When a sandbox boots, the operating system files inside its image are immutable links to the host's own OS files, much like a read-only layer in a Docker image. Anything written inside the sandbox, whether apps copied in or the data they generate, goes to a separate writable layer, which is what gets discarded when the sandbox closes.

Sandbox processes also have more flexible memory management. The host can reclaim memory the sandbox isn't using, whereas a conventional VM is typically given a fixed allocation up front (hypervisors offer dynamic memory or ballooning, but it has to be configured per VM).

Third-party programs for Windows have provided functionality like Windows Sandbox in the past. In addition to full-blown VMs through VirtualBox, Parallels, or VMware Workstation, an app named Sandboxie, available since 2004, has provided a way to run Windows apps in isolation with a great many options available. However, Sandboxie didn't work with some applications, such as Windows 10 UWP applications, many antivirus programs, or programs that use copy-protection shells such as games distributed through Steam.
