Windows Sandbox alternatives

[OpenSource Ghost]

I want to sandbox just a couple of applications running on Windows 10, but they both utilize drivers that require full memory access. Software-based solution (IPC, COM, Window, Classes isolation), such as Sandboxie, does not work with drivers. Can Windows Sandbox isolate programs that use their own kernel drivers? I know Windows Sandbox creates a brand new environment for each box, but what if I want to preserve settings and configuration files for sandboxed applications and not have it create new environment each time? There is that and AFAIK Window Sandbox is also slow.

 

[socK]

it looks like Windows Sandbox is essentially a VM running under Hyper-V.

in which case it will be running its own kernel (and, well, OS as a whole) in a VM.

a software driver should work fine. a device driver is another story.

 

[OpenSource Ghost]

Thanks!

 

[LukeTbk]

I know Windows Sandbox creates a brand new environment for each box, but what if I want to preserve settings

I would try to create an virtual machine in hyper-v, sandbox are all about temporary session.

Any changes made, files downloaded, or software installations performed within the Sandbox are confined to that session and do not persist after it is closed

VMware could have more passthrought capability for GPU or other, by full memory do you mean the whole computer memory if so are you sure you really want them sandboxed in a vm ?

 

[Absalom]

Sandbox is about isolation.

I would try to create an virtual machine in hyper-v, sandbox are all about temporary session.

Any changes made, files downloaded, or software installations performed within the Sandbox are confined to that session and do not persist after it is closed

VMware could have more passthrought capability for GPU or other, by full memory do you mean the whole computer memory if so are you sure you really want them sandboxed in a vm ?

Sandboxes, like Sandboxie, are about specific application isolation. Typically, anything the application writes to or attempts to modify gets intercepted and a copy (or pseudo-copy) is made and tracked by the Sandbox host itself; and that includes changes to the Windows registry. In the case of the Windows registry, you essentially have two versions, the real one the host sees and the one the Sandboxed applications sees. The way this differs from a VM or Hypervisor is the degree of indirection. Sandboxed applications still run like normal apps in the OS (perhaps as a child process to the host) and interact normally through typical OS api calls, although apps that require a high degree of ring level access may not function at all because the host app (the thing sandboxing everything) has to intercept and simulate that. So sandboxes are great for most simple apps even some games (games with anti-cheat might not like it though).

A good example of Sandboxing is a Chrome browser tab. It gets its own thread, own memory, etc. The host (i.e. Chrome parent process) tracks everything I/O related, but a Chrome tab is essentially a highly monitored child process, restricted to what the parent allows. So Chrome tabs (really child processes) can't directly access things like USB devices and often times even the disk drive. It's what keeps a malicious website's javascript from doing things like spawning off rogue processes and writing to random places on the hard drive.

A Virtual Machine or Hypervisor is doing all of these things to the entire OS and environment. A VM is essentially an entirely seperate machine sandboxed, its state is tracked and changes are saved (typically to disk via host) A VM is often a heavy handed approach if the goal is to isolate a single application, although most VM solutions get help from hardware so as to simulate an actual machine fairly precisely. A good VM doesn't need to intercept anything, it's simulating an entire OS so any changes that aren't passed through to the host (i.e. plugging in a USB drive) are contained within that specific virtual machine.

VMware could have more passthrought capability for GPU or other, by full memory do you mean the whole computer memory if so are you sure you really want them sandboxed in a vm ?

The only use case I could see with running a sandbox within a VM is if you are 100% expecting things to go bad, but you don't want the VM itself to be permanently changed.

VMware Workstation has a feature exactly for this, where you snapshot the state of the virtual machine and can roll back to that snapshot state after changes have been made. This is a really useful feature when testing software.