Windows Sandbox Privacy Testing Guide 2026

Last updated: March 15, 2026

Windows Sandbox (Pro/Enterprise only) creates an isolated, temporary virtual desktop that automatically clears all files and settings when closed, making it perfect for testing privacy-invasive applications or analyzing suspicious files without risking your main system. Enable it via Optional features or PowerShell, then run untrusted software inside to see what network connections it attempts, what registry keys it modifies, or what persistence mechanisms it tries to install, Wireshark and Process Monitor inside the sandbox capture this activity safely. The sandbox automatically discards all changes on exit, unlike snapshot-based tools, eliminating the risk of persistent malware or privacy-invasive tracking on your host system.

Table of Contents

Prerequisites
Configuring Sandbox for Privacy Testing
Practical Privacy Testing Workflows
Security Considerations
Cleanup and Best Practices
Troubleshooting

Prerequisites

Before you begin, make sure you have the following ready:

A computer running macOS, Linux, or Windows
Terminal or command-line access
Administrator or sudo privileges (for system-level changes)
A stable internet connection for downloading tools

Step 1 - Enable Windows Sandbox

Windows Sandbox requires Windows 10 Pro, Enterprise, or Windows 11 Pro/Enterprise. It uses hardware virtualization (Intel VT-x or AMD-V) with Second Level Address Translation (SLAT). Before enabling, verify your processor supports these features.

To enable Windows Sandbox:

Open Settings → Apps → Optional features
Click “Add a Windows feature”
Scroll down and check Windows Sandbox
Click OK and restart when prompted

Alternatively, use PowerShell with administrator privileges:

Enable-WindowsOptionalFeature -Online -FeatureName Containers -All
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Sandbox -All
Restart-Computer

After installation, find Windows Sandbox in the Start menu or run wsandbox from the command line.

Configuring Sandbox for Privacy Testing

The default Sandbox configuration works for basic testing, but customizing it enhances privacy analysis capabilities. Sandbox supports configuration files that control networking, shared folders, and startup behavior.

Create a configuration file named sandbox.wsb in any folder:

<Configuration>
 <Networking>Disable</Networking>
 <MappedFolders>
 <MappedFolder>
 <HostFolder>C:\privacy-tools</HostFolder>
 <SandboxFolder>C:\shared</SandboxFolder>
 <ReadOnly>true</ReadOnly>
 </MappedFolder>
 </MappedFolders>
 <StartupFolder>C:\shared\startup.ps1</StartupFolder>
 <MemoryInMB>4096</MemoryInMB>
 <vGPU>Enable</vGPU>
 <ClipboardTransfer>Disable</ClipboardTransfer>
</Configuration>

Key configuration options for privacy testing:

Networking: Set to Disable to completely isolate the sandbox from network traffic, preventing data exfiltration during tests
MappedFolders: Share folders between host and sandbox for exchanging tools and samples
ClipboardTransfer: Disable to prevent accidental clipboard data leakage
MemoryInMB: Allocate sufficient memory for running privacy analysis tools

Launch your configured sandbox:

Launch default sandbox
wsandbox

Launch with custom configuration
Start-Process wsandbox -ArgumentList "C:\configs\sandbox.wsb"

Pre-Loading Analysis Tools via Startup Script

Rather than manually installing analysis tools every time you launch a sandbox, use the LogonCommand field to run a setup script automatically on startup:

<Configuration>
 <Networking>Enable</Networking>
 <MappedFolders>
 <MappedFolder>
 <HostFolder>C:\sandbox-tools</HostFolder>
 <SandboxFolder>C:\tools</SandboxFolder>
 <ReadOnly>true</ReadOnly>
 </MappedFolder>
 </MappedFolders>
 <LogonCommand>
 <Command>C:\tools\setup.ps1</Command>
 </LogonCommand>
</Configuration>

Your setup.ps1 can copy tools from the mapped folder, configure Wireshark capture filters, and launch Process Monitor with a pre-defined filter set:

setup.ps1. auto-configure sandbox for privacy analysis
Copy-Item C:\tools\Wireshark-*.exe $env:USERPROFILE\Desktop\
Copy-Item C:\tools\procmon.exe $env:USERPROFILE\Desktop\
Copy-Item C:\tools\procmon-filter.pmc $env:USERPROFILE\Desktop\

Start Process Monitor with pre-defined filters
Start-Process "$env:USERPROFILE\Desktop\procmon.exe" -ArgumentList "/LoadConfig $env:USERPROFILE\Desktop\procmon-filter.pmc /Quiet"

This means every new sandbox session opens with analysis tools ready, reducing the setup time from several minutes to seconds.

Practical Privacy Testing Workflows

Analyzing Privacy-Invasive Applications

When evaluating new software for privacy concerns, Windows Sandbox provides a controlled environment to monitor behavior:

Launch Windows Sandbox with networking disabled
Use Process Monitor (ProcMon) from Sysinternals to capture system activity
Install and run the target application
Analyze captured events for suspicious network connections, registry modifications, and file operations

Install ProcMon in the sandbox:

Download Sysinternals Suite
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -OutFile "C:\Users\WDAGUtilityAccount\Desktop\SysinternalsSuite.zip"
Expand-Archive -Path "C:\Users\WDAGUtilityAccount\Desktop\SysinternalsSuite.zip" -DestinationPath "C:\Users\WDAGUtilityAccount\Desktop\Sysinternals"

Look specifically for:

Registry writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. persistence mechanisms
Network connections to telemetry endpoints (common hostnames include events.data.microsoft.com, vortex.data.microsoft.com, or vendor-specific analytics domains)
File writes to %APPDATA% containing device identifiers or hardware fingerprints
Access to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. applications reading your recent file history

Testing Browser Extensions and Web Applications

Browser extensions often request extensive permissions. Test them in Sandbox before installing on your main browser:

Configure Sandbox with networking enabled
Install a clean browser (Firefox, Brave, or Chromium)
Install the extension under review
Use browser developer tools to inspect network requests and local storage access
Compare behavior against the extension’s stated privacy policy

Open the browser’s developer tools Network panel while the extension is active and filter for XHR and Fetch requests. Legitimate privacy-focused extensions should show zero outbound requests to remote servers during idle browsing. Any beacon, analytics, or telemetry request not disclosed in the privacy policy is a red flag.

Network Traffic Analysis

For deeper network analysis, combine Sandbox with tools like Wireshark. Disable networking in the Sandbox config to test local-only applications, or enable it to capture network traffic:

<Configuration>
 <Networking>Enable</Networking>
</Configuration>

Run Wireshark on the host system while generating network traffic from the sandbox to observe what data applications transmit. Capture on the virtual network adapter that Sandbox creates (visible in Wireshark’s interface list as “vEthernet (WSL)” or a similarly named virtual adapter). Filter by the sandbox’s assigned IP to isolate its traffic:

Wireshark capture filter for Sandbox traffic only
host 172.16.x.x

Check for unencrypted HTTP transmissions, DNS lookups to tracking domains, and TLS connections to IP ranges associated with advertising networks (IAB Tech Lab publishes a list of known ad infrastructure IP ranges).

Step 2 - Interpreting Registry Modifications

Process Monitor captures every registry read and write. The volume of events is overwhelming without filters. Use these ProcMon filter presets to focus on privacy-relevant activity:

Operation is RegSetValue
Path contains Run
Result is SUCCESS

Save this as a filter configuration (procmon-privacy.pmc) and load it at startup. The filtered view will show only registry writes that could indicate persistence, startup registration, or identifier storage. Export the filtered results to CSV for offline analysis:

Export ProcMon results from command line
procmon.exe /Quiet /Minimized /BackingFile C:\logs\analysis.pml
After analysis period:
procmon.exe /OpenLog C:\logs\analysis.pml /SaveAs C:\logs\results.csv

Step 3 - Automate Sandbox Tests

For repeated testing scenarios, automate Sandbox launch and teardown using PowerShell scripts:

function Start-PrivacyTest {
 param(
 [string]$ApplicationPath,
 [string]$LogDirectory = "C:\privacy-logs"
 )

 # Create log directory
 if (!(Test-Path $LogDirectory)) {
 New-Item -ItemType Directory -Path $LogDirectory
 }

 $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
 $testLog = "$LogDirectory\test_$timestamp.log"

 # Launch sandbox with logging
 $sandbox = Start-Process wsandbox -PassThru -RedirectStandardError $testLog

 # Wait for sandbox startup
 Start-Sleep -Seconds 5

 # Copy test application if specified
 if ($ApplicationPath) {
 Copy-Item $ApplicationPath "C:\Users\WDAGUtilityAccount\Desktop\"
 }

 # Return process and log path
 return @{
 Process = $sandbox
 LogPath = $testLog
 }
}

Usage
$result = Start-PrivacyTest -ApplicationPath "C:\tools\testapp.exe"

Security Considerations

Windows Sandbox provides isolation but has limitations:

Kernel-level threats: Sophisticated malware detecting virtualization may escape Sandbox isolation
Covert channels: Timing-based communication could theoretically exfiltrate data
Resource exhaustion: Malicious code could consume all available resources
Shared kernel: Sandbox shares the host Windows kernel. A kernel exploit could break isolation entirely. For analyzing samples suspected of carrying kernel exploits, use a full VM on separate hardware or a dedicated cloud instance you can snapshot and discard.

For advanced threat analysis, consider additional isolation layers like virtual machines or dedicated hardware. Windows Sandbox complements rather than replaces thorough security analysis.

Comparing Sandbox to Hyper-V VMs for Privacy Testing

Feature	Windows Sandbox	Hyper-V VM
Setup time	Seconds	Minutes
State persistence	Never (auto-clear)	Configurable
Kernel isolation	Shared with host	Fully separate
Network control	Basic on/off	Full virtual networking
Snapshot support	No	Yes
Best for	Quick app testing	Deep malware analysis

Use Sandbox for routine privacy evaluation of commercial software and browser extensions. Reserve Hyper-V VMs (or VMware Workstation) for analyzing samples you suspect carry privilege escalation or kernel exploits.

Step 4 - Build a Repeatable Testing Library

Once you have established workflows for common test types, document them as reusable .wsb templates. Maintain a library structured by purpose:

C:\sandbox-configs\
  browser-extension-test.wsb # Networking on, Wireshark ready
  installer-audit.wsb # Networking off, ProcMon autostart
  network-capture.wsb # Networking on, host Wireshark attached
  document-test.wsb # Fully isolated, Office viewer only

Version control this directory with Git. When a new version of Windows ships, re-run your standard test suite against previously-approved software to catch regression in privacy behavior. Software vendors occasionally introduce telemetry in minor updates that wasn’t present in the version you originally reviewed.

For team environments, share the configs directory through a private repository. This allows a security-conscious member of the team to build and maintain testing templates while others consume them without needing to understand the underlying configuration details.

Cleanup and Best Practices

Windows Sandbox automatically deletes all data when closed. However, follow these best practices:

Always disable networking when testing untrusted files
Never enter credentials or personal information in Sandbox
Use separate configurations for different test scenarios
Review logs on the host system before deleting them
Keep Sandbox Windows updated for latest security patches
Store your .wsb configuration files in version control to track changes to your testing environment over time

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

How long does it take to 2026?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.