{"id":51367989,"url":"https://github.com/26zl/windows-sandbox-lab","last_synced_at":"2026-07-03T03:04:15.109Z","repository":{"id":339143333,"uuid":"1160644896","full_name":"26zl/windows-sandbox-lab","owner":"26zl","description":"One-command disposable Windows 11 sandbox that auto-installs a dev or malware-analysis toolchain via winget and logs what software does (Sysmon + PowerShell).","archived":false,"fork":false,"pushed_at":"2026-07-02T13:07:25.000Z","size":39,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-02T15:07:59.095Z","etag":null,"topics":["developer-tools","dfir","dynamic-analysis","malware-analysis","powershell","reverse-engineering","sandbox","security-hardening","sysmon","windows-sandbox","windows11","winget"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/26zl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-18T07:39:29.000Z","updated_at":"2026-07-02T13:08:25.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/26zl/windows-sandbox-lab","commit_stats":null,"previous_names":["26zl/windows-sandbox-dev","26zl/windows-sandbox-lab"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/26zl/windows-sandbox-lab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/26zl%2Fwindows-sandbox-lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/26zl%2Fwindows-sandbox-lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/26zl%2Fwindows-sandbox-lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/26zl%2Fwindows-sandbox-lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/26zl","download_url":"https://codeload.github.com/26zl/windows-sandbox-lab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/26zl%2Fwindows-sandbox-lab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35070342,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-03T02:00:05.635Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["developer-tools","dfir","dynamic-analysis","malware-analysis","powershell","reverse-engineering","sandbox","security-hardening","sysmon","windows-sandbox","windows11","winget"],"created_at":"2026-07-03T03:04:14.495Z","updated_at":"2026-07-03T03:04:15.100Z","avatar_url":"https://github.com/26zl.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Windows Sandbox Lab — disposable, tooled, and watched\n\n\u003e One command spins up a **disposable Windows Sandbox** that auto-installs the toolchain you\n\u003e pick — fullstack, data, devops, database, web, or **security/malware-analysis** — and\n\u003e **watches what software does** (Sysmon + PowerShell logging + process auditing). Fresh every\n\u003e session, isolated from your host, gone on close.\n\n![Lint](https://github.com/26zl/windows-sandbox-lab/actions/workflows/lint.yml/badge.svg)\n![License](https://img.shields.io/github/license/26zl/windows-sandbox-lab)\n![Windows 11 Pro](https://img.shields.io/badge/Windows-11%20Pro-0078D6?logo=windows\u0026logoColor=white)\n![Tools via winget](https://img.shields.io/badge/tools-winget-success)\n\n## Why\n\nTesting a sketchy installer, a new SDK, a client's repo, or a malware sample? Doing it on your\nmain machine is how you end up with leftover services, registry cruft, or worse. This gives you\na throwaway, fully-provisioned Windows box in minutes — and, unlike a bare sandbox, it shows you\nwhat ran inside it.\n\n- **Disposable** — built-in Windows Sandbox VM; everything is gone on close.\n- **Tooled** — pick a profile, winget installs the latest versions automatically.\n- **Watched** — PowerShell script-block/module logging and command-line process auditing are on\n  by default, plus Sysmon where the built-in Windows 11 feature is available — so you can see\n  what software did.\n\n## Use cases\n\n- Software/package triage before installing anything on your real machine.\n- Client repo, SDK, compiler, and build-tool testing in a clean Windows environment.\n- Browser/API/database/data-science/devops toolboxes without polluting your workstation.\n- Malware triage and reverse-engineering practice with offline mode, audit logs, and RE tools.\n- Pentest lab utilities for quick, disposable network and web testing.\n\n## Prerequisites\n\n- Windows 11 **Pro or Enterprise**\n- [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview) enabled\n- Sysmon monitoring needs a Windows 11 build with the built-in Sysmon feature; PowerShell +\n  process-creation logging work on every supported build\n\n## Quick start\n\n**One-liner** (PowerShell):\n\n```powershell\nirm https://raw.githubusercontent.com/26zl/windows-sandbox-lab/main/install.ps1 | iex\nstart sandbox.wsb\n```\n\n**Or clone** (gives you profile selection):\n\n```powershell\ngit clone https://github.com/26zl/windows-sandbox-lab.git\ncd windows-sandbox-lab\n.\\setup.ps1                          # default dev toolchain\nstart sandbox.wsb                    # winget installs everything automatically\n```\n\n\u003e Setup takes ~**10–15 minutes** inside the sandbox (longer with big profiles). A PowerShell\n\u003e window shows progress — wait until it prints **\"Sandbox ready\"**.\n\n## Profiles\n\nThe **default** profile is a fullstack dev box. Add any combination of opt-in profiles — the\ndefault is always included, and duplicates are de-duplicated automatically:\n\n```powershell\n.\\setup.ps1 -Profiles datascience,web        # default + two profiles\n.\\setup.ps1 -Profiles security               # default + reverse-engineering tools\n.\\setup.ps1 -Profiles security -Offline      # hardened, network-disabled box (see below)\n```\n\n| Profile | What you get |\n| --- | --- |\n| **default** | Go, Rust, Python 3.13, JDK 21, Node LTS, Ruby, PHP, Zig, .NET 9 SDK+runtime, VS Build Tools, CMake, Git, 7-Zip, Sysinternals, PowerShell 7, VS Code, Notepad++ |\n| **datascience** | Miniconda, uv, R, RStudio, VS Code (JupyterLab via `uv tool install`) |\n| **devops** | Terraform, kubectl, k9s, Helm, AWS/Azure/gcloud CLIs *(client-only — no local containers, see note)* |\n| **database** | DBeaver, PostgreSQL, SQLite, SQL Server 2022 Express, SSMS |\n| **web** | Firefox, Chrome, Brave, Bruno, Postman, VS Code |\n| **security** | x64dbg, Detect It Easy, PE-bear, HxD, Resource Hacker, dnSpyEx, ILSpy, System Informer, YARA, FLOSS, Wireshark, mitmproxy + Ghidra/PEStudio/capa/CyberChef/CFF Explorer (auto-listed for manual download) |\n| **pentest** | Nmap, Wireshark, Burp Suite Community, ffuf (sqlmap via pip) |\n\nAll winget tools are configured in `tools.json`. Tools without a winget package are listed at\nthe end of setup with a download link. Add your own with their [winget ID](https://winget.run/).\n\n\u003e **No nested virtualization.** Windows Sandbox can't run Docker Desktop, WSL2, Hyper-V,\n\u003e minikube/kind, or Android emulators. The devops profile ships **client CLIs** that manage\n\u003e remote infrastructure — not a local container engine.\n\n## Security / malware analysis (offline)\n\nFor analysing untrusted binaries, use `-Offline` to generate a hardened box:\n\n```powershell\n.\\setup.ps1 -Profiles security -Offline\nstart sandbox.wsb\n```\n\n`-Offline` generates `sandbox.wsb` with **networking and clipboard disabled**, and the same\n`autostart.ps1` runs in no-network mode: it applies the logging/auditing hardening and lists the\ntools to bring in (no winget).\nBecause winget needs the network, **pre-stage your tools** (and optionally a `sysmonconfig.xml`)\ninto `scripts/` on the host before launching — `scripts/` is mapped read-only, so a sample can\nnever modify your toolchain.\n\n\u003e ⚠️ **Windows Sandbox is not a malware-grade isolation boundary.** VM-aware malware detects it\n\u003e (the `WDAGUtilityAccount` user, Hyper-V artifacts) and may refuse to run or change behavior, so\n\u003e a \"clean\" run does **not** mean a sample is safe. It shares the host kernel via Hyper-V. For\n\u003e genuinely dangerous samples, use a dedicated, snapshot-capable, air-gapped analysis VM.\n\n## How it compares\n\n| | this | [ThioJoe/Windows-Sandbox-Tools](https://github.com/ThioJoe/Windows-Sandbox-Tools) | [WSBEditor](https://github.com/leestevetk/WSBEditor) | [FLARE-VM](https://github.com/mandiant/flare-vm) |\n| --- | :-: | :-: | :-: | :-: |\n| One command, auto-installs tools | ✅ | partial | ❌ (config only) | ✅ |\n| Disposable (destroyed on close) | ✅ | ✅ | ✅ | ❌ (persistent VM) |\n| Built-in Sysmon + PowerShell logging | ✅ | ❌ | ❌ | partial |\n| Multiple domain profiles | ✅ | ❌ | ❌ | ❌ (RE only) |\n| Offline malware-analysis mode | ✅ | ❌ | ❌ | ✅ |\n\n## Monitoring \u0026 logging\n\nOn by default so you can see what software does inside the sandbox:\n\n- Sysmon with SwiftOnSecurity config (built-in optional feature; pinned commit +\n  SHA256-verified) — process creation, network connections, file changes\n- PowerShell script-block + module logging\n- Process creation auditing with command-line capture\n- Telemetry and Windows Error Reporting disabled\n\n## Environment tweaks\n\nDark mode · file extensions, hidden \u0026 protected OS files visible · classic context menu (Win 11) ·\nlong path support · clipboard history · PowerShell/CMD \"Open Here\" · New Text/PowerShell Script\ncontext-menu entries.\n\n## Sandbox settings\n\n- 12 GB RAM, ProtectedClient enabled\n- Networking enabled (required for winget), vGPU/audio/video/printer disabled\n- Clipboard sharing with the host is **on** (for convenience); `scripts/` mapped read-only\n\n\u003e \"Isolated\" means disk/process isolation on a disposable VM — **not** clipboard or network\n\u003e isolation. Outbound internet is open and the host clipboard is reachable from inside. For\n\u003e hostile software use the `-Offline` mode (or set `\u003cClipboardRedirection\u003eDisable\u003c/ClipboardRedirection\u003e`\n\u003e and `\u003cNetworking\u003eDisable\u003c/Networking\u003e` in the template yourself).\n\n## Adding a tool\n\n1. Find the winget ID: `winget search \u003cname\u003e`\n2. Add an entry to `tools.json` under `default` or a profile:\n   `{ \"name\": \"...\", \"wingetId\": \"...\", \"enabled\": true }`\n   (no winget package? use `{ \"name\": \"...\", \"wingetId\": \"\", \"enabled\": true, \"source\": \"manual\", \"url\": \"...\" }`)\n3. Disable any tool with `\"enabled\": false`.\n\n## Files\n\n```text\ntools.json            ← default toolchain + opt-in profiles (winget IDs)\nsetup.ps1             ← run once: resolve profiles → scripts/tools.json + generate sandbox.wsb\ninstall.ps1           ← one-liner bootstrap (irm | iex)\nsandbox.wsb.template  ← sandbox config (networking/clipboard toggled for -Offline)\nscripts/autostart.ps1 ← runs inside the sandbox: env, hardening, winget installs, Sysmon (-Offline = no-network variant)\nscripts/launch.cmd    ← launcher (forwards -Offline to autostart.ps1)\n```\n\nInstall log inside the sandbox: `%TEMP%\\sandbox-install.log`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F26zl%2Fwindows-sandbox-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F26zl%2Fwindows-sandbox-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F26zl%2Fwindows-sandbox-lab/lists"}