This allows you to do the below things in Windows Sandbox just from a right-click by adding context menus:
- Run PS1 as user or system in Sandbox
- Run CMD, VBS, EXE, MSI in Sandbox
- Run Intunewin file
- Open URL or HTML file in Sandbox
- Open PDF file in Sandbox
- Extract ZIP file directly in Sandbox
- Extract 7z file directly in Sandbox (uses host-installed 7-Zip or downloads latest version)
- Extract ISO directly in Sandbox (uses host-installed 7-Zip or downloads latest version)
- Share a specific folder in Sandbox
- Run multiple apps/scripts in the same Sandbox session

Note that this project has been built on personal time; it's not a professional project. Use it at your own risk, and please read How to install it before running it.

All the steps need to be executed from the Host, not inside the Sandbox.
- Right-click on the Windows start menu and select PowerShell or Terminal (Not CMD), preferably as admin.
- Copy and paste the code below and press enter:

```powershell
irm https://raw.githubusercontent.com/Joly0/Run-in-Sandbox/master/Install_Run-in-Sandbox.ps1 | iex
```

To install from a specific branch:

```powershell
iex "& { $(irm https://raw.githubusercontent.com/Joly0/Run-in-Sandbox/master/Install_Run-in-Sandbox.ps1) } -Branch dev"
```

Replace dev with your desired branch name (e.g., beta, test, etc.)

The installer supports the following optional parameters:

| Parameter | Description |
|---|---|
| `-Branch <name>` | Install from a specific branch (default: master, or your currently installed branch for updates) |
| `-DeepClean` | Performs a deep-clean of legacy registry entries before installation. Removes old context menu entries (takes 5-10 minutes) |
| `-NoCheckpoint` | Skips creation of a system restore point during installation |

Examples:

```powershell
# Install from dev branch with deep-clean
iex "& { $(irm https://raw.githubusercontent.com/Joly0/Run-in-Sandbox/master/Install_Run-in-Sandbox.ps1) } -Branch dev -DeepClean"
# Install without creating a restore point
iex "& { $(irm https://raw.githubusercontent.com/Joly0/Run-in-Sandbox/master/Install_Run-in-Sandbox.ps1) } -NoCheckpoint"
# Combine multiple parameters
iex "& { $(irm https://raw.githubusercontent.com/Joly0/Run-in-Sandbox/master/Install_Run-in-Sandbox.ps1) } -Branch dev -DeepClean -NoCheckpoint"
```

- You will see the process being started. You will probably be asked to grant admin rights if not started as admin.
- That's all.

Note - On older Windows builds you may need to run the below command first:

```powershell
[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12
```

This method allows you to use the parameters "-NoCheckpoint" to skip creation of a restore point and "-NoSilent" to give a bit more output.

- Download the ZIP Run-in-Sandbox project (this is the main prerequisite)
- Extract the ZIP
- The Run-in-Sandbox-master should contain at least Add_Structure.ps1 and a Sources folder
- Please do not download only Add_Structure.ps1
- The Sources folder should contain folder Run_in_Sandbox containing 58 files
- Once you have downloaded the folder structure, check that the files have not been blocked after download
- Right-click Add_Structure.ps1 and, if needed, check Unblocked
- Run Add_Structure.ps1 with admin rights
If you are running a hardened Windows install (for example the OpenIntuneBaseline or any other configuration that ships AppLocker script rules), Run-in-Sandbox will run into two related problems:
- Some of the scripts under `C:\ProgramData\Run_in_Sandbox\` get blocked outright (you will see them in the AppLocker event log)
- The ones that are not blocked get forced into ConstrainedLanguage mode, which breaks the WPF/MahApps dialogs (Intunewin, EXE params, etc.) and can cause errors like `Cannot dot-source this command because it was defined in a different language mode`

Thanks to @ak47uk for tracking this down. The fix is to whitelist the install folder in AppLocker's Scripts collection. Add the following rule to your Scripts.xml:

```xml
<FilePathRule Id="e23de120-6c05-455a-b585-72939a592234" Name="Run In Sandbox" Description="Whitelists Run In Sandbox scripts" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="C:\PROGRAMDATA\RUN_IN_SANDBOX\*" />
  </Conditions>
</FilePathRule>
```

After deploying the updated AppLocker policy, the scripts run in FullLanguage mode again and the context menus / dialogs behave normally.
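
A path rule for `S-1-1-0` (Everyone) allows any script stored under that path, so the rule is only as tight as the folder's ACL. The PowerShell below is an added example, not part of the Run-in-Sandbox project: it lists access-control entries that give any principal outside an assumed trusted set (SYSTEM, Administrators, TrustedInstaller) write access under the allow-listed folder; the function name `Get-UntrustedWriteAce` and the trusted-SID list are assumptions.

```powershell
# Added example, not part of the Run-in-Sandbox project.
# $TrustedSids and the function name Get-UntrustedWriteAce are assumptions.
$TrustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow planting or replacing a script under the allow-listed path.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs may carry generic bits that FileSystemRights does not name.
$GenericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, which are checked on their own.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }

            $rights = [int]$ace.FileSystemRights
            if ($rights -band ($WriteMask -bor $GenericMask)) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $ace.IdentityReference.Value   # SID string
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Folder taken from the FilePathCondition in the rule above.
$findings = @(Get-UntrustedWriteAce -Path 'C:\ProgramData\Run_in_Sandbox')
if ($findings.Count -eq 0) {
    'No write access for untrusted principals under the allow-listed path.'
} else {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
}
```

Run it from an elevated session on the host so that `Get-Acl` can read every item; any row returned names a SID that can add or change scripts the rule will allow.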
