Windows-Sandbox
Possible to revert to the old sandbox?
Provide a description of requested docs changes
I need to use the old version of sandbox. I am a maintainer of an open source zero trust overlay network project, I constantly need to install things in windows that I don't want on my MAIN machine. I used to be able to use and rely on windows sandbox, but "things changed" for me Feb 2025 when Windows 11, version 24H2 was installed. Now windows sandbox is garbage. It won't install my app in a timely fashion (taking many minutes, not many seconds) for "reasons", it won't start my services for "reasons" and it's unusable to me. I need to revert back to be able to use it.
Some programs will seem to install, that's great, I love that it persists a restart now, that's also great but it not installing our app properly is a massive problem for me - and presumably others.
I either need to revert, or I need to be able to understand what it is about sandbox that's preventing my app from getting installed (it's installed on thousands of machines just fine)
I'm just a developer tinkering with Windows Sandbox and trying out a few automation tricks.
Please note:
[!WARNING] I am not affiliated with Microsoft
The following content is a community-contributed workaround and should be used at your own discretion. It may not fully resolve every situation, and should be tested in an isolated environment.
It won't install my app in a timely fashion (taking many minutes, not many seconds
The following community suggested workarounds can be configured to run automatically in a sandbox using a wsb config file and PowerShell: https://github.com/microsoft/Windows-Sandbox/issues/68#issuecomment-2684473932
How to reduce installation time
This workaround leverages PowerShell and registry modifications to improve the installer behavior. The steps below will automate this setup using a .wsb file.
1. Prepare Your PowerShell Script
Create a PowerShell script named general.ps1 with the following content:
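# Abort unless the sandbox account's profile directory exists (guards against running on the host).
$path = "C:\Users\WDAGUtilityAccount"
if (!(Test-Path -Path $path -PathType Container)) {
    Write-Error "Error: Required directory '$path' not found."
    exit 1
}
# Set the Smart App Control policy state to 0 inside the sandbox.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy" -Name "VerifiedAndReputablePolicyState" -Value "0"
# Refresh the code integrity policy; an empty line is piped in so CiTool does not wait for input.
echo "" | C:\Windows\System32\CiTool.exe -r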
[!CAUTION] If this workaround is applied on the host machine (not just in the sandbox), it will disable Smart App Control, a Windows security feature. This could reduce protection against untrusted applications. Be aware that SAC cannot be re-enabled without reinstalling Windows. When used only inside Windows Sandbox, this setting does not affect the host system.
2. Set Up the .wsb Configuration
[!TIP] For other configuration options, please refer to the documentation https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file
Use the .wsb file to mount a host folder and run the PowerShell script automatically when the sandbox starts.
Example general.wsb:
[!IMPORTANT] Make sure to replace D:\drivers with a folder path that exists on your host system. This folder should contain the general.ps1 script.
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>d:\drivers\</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Sandbox-Files\</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell -executionpolicy unrestricted -command "start powershell {-file "C:\Users\WDAGUtilityAccount\Desktop\Sandbox-Files\general.ps1"}"</Command>
  </LogonCommand>
</Configuration>
3. Always launch from a wsb file
To ensure consistent behavior and avoid manual steps each time, always launch Windows Sandbox using a prepared .wsb file.
You can create a desktop shortcut pointing to this file to make it easier to launch the sandbox with your custom configuration.
Just double-click the shortcut whenever you want to start the sandbox; your mapped folders and startup script will be loaded automatically at that time.
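A variant of the general.ps1 script from the comment above, as an added example that is not part of the original comment: it also checks the logged-on user before changing the policy value, because of the caution about the host, and records the state before and after. The function names, the log file name and the 0/1/2 state labels are assumptions of this example.

```powershell
# Added example, not the commenter's script: general.ps1 with a stricter
# host guard and a before/after record of the Smart App Control state.
$ciPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$valueName   = 'VerifiedAndReputablePolicyState'
# Hypothetical log location on the sandbox desktop.
$logFile     = Join-Path $env:USERPROFILE 'Desktop\sac-workaround.log'

function Test-InsideSandbox {
    # Assumption: a Windows Sandbox session always runs as WDAGUtilityAccount.
    # A path-only check passes on any host where that folder happens to exist,
    # so the logged-on user is compared as well.
    $profileExists = Test-Path -Path 'C:\Users\WDAGUtilityAccount' -PathType Container
    $userMatches   = $env:USERNAME -eq 'WDAGUtilityAccount'
    return ($profileExists -and $userMatches)
}

function Get-SacState {
    $item = Get-ItemProperty -Path $ciPolicyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    # Assumption: 0 = off, 1 = enforced, 2 = evaluation.
    switch ([int]$item.$valueName) {
        0       { 'Off' }
        1       { 'Enforced' }
        2       { 'Evaluation' }
        default { "Unknown($($item.$valueName))" }
    }
}

if (-not (Test-InsideSandbox)) {
    # On a host this change would turn Smart App Control off for good, so stop here.
    Write-Warning "Not a Windows Sandbox session (user '$env:USERNAME'); nothing changed."
    exit 1
}

$before = Get-SacState
Set-ItemProperty -Path $ciPolicyKey -Name $valueName -Value 0 -Type DWord

# Same refresh step as in general.ps1: an empty line is piped in so CiTool returns.
'' | & "$env:SystemRoot\System32\CiTool.exe" -r

$after = Get-SacState
'{0:u} SAC state: {1} -> {2}' -f (Get-Date), $before, $after |
    Add-Content -Path $logFile
```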
Thanks @DaisukeDaisuke, I already do all these sorts of things. The issue is that "something" changed in the sandbox. What used to work, no longer works.
One such example: Get-DnsClientNrptRule
PS C:\Users\WDAGUtilityAccount> Get-DnsClientNrptRule
Get-DnsClientNrptRule : Cannot connect to CIM server. Access is denied.
At line:1 char:1
+ Get-DnsClientNrptRule
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (PS_DnsClientNrptRule:String) [Get-DnsClientNrptRule], CimJobExcept
ion
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-DnsClientNrptRule
This absolutely used to work. There are other "problems" I can't figure out on my own which is the "reasons" I allude to. This needs someone with greater visibility to comment.
Unfortunately I think you'll have to revert to 23H2 as the Sandbox is running from an image generated from your host OS installation.
Sandbox within 24H2 is still in a pretty dire state.
The issue with Get-DnsClientNrptRule is due to a bug in WMI. There was a workaround that worked for some people. I will copy that below. I do believe the WMI bug was resolved in the latest 24H2 update in April.
net stop winmgmt
winmgmt /resetrepository
net stop winmgmt
net start winmgmt