Every week we get someone in the Edinburgh workshop holding a USB stick or an email attachment and asking the same nervous question: "Is this safe to open?" Most of the time the honest answer is "we don't know yet" — and the safest way to find out is to run it inside Windows Sandbox, a feature already built into Windows 11 that almost nobody seems to use. This guide shows you how to enable it, what it's good at, where it falls short, and when to bring the file to us instead.
If you've already opened something you shouldn't have and your PC is acting strangely, stop reading and book an emergency clean-up with our virus and malware removal team before things spread further.
What Windows Sandbox Actually Is
Windows Sandbox is a tiny, throwaway copy of Windows that runs inside your real Windows 11 installation. When you open it, a fresh blue desktop pops up in a window — it has its own Start menu, its own Edge browser, and crucially, its own isolated file system. Anything you do inside that window (downloading a dodgy installer, opening a suspicious PDF, double-clicking a "definitely_not_a_virus.exe" you found on a forum) happens in a sealed-off virtual machine. When you close the sandbox, the whole thing is wiped. Nothing it touched can leak out onto your real desktop, your documents or your network drives.
The clever bit is that, unlike a traditional virtual machine, you don't need to install Windows separately, hunt down a licence key or allocate gigabytes of permanent disk space. Microsoft has shipped it as a single tick-box feature since Windows 10 1903, and it's still there in Windows 11 24H2 — most Edinburgh customers have it sitting unused on their machine right now.
Who Can Actually Run It
Before you get excited, check the small print. Windows Sandbox requires:
- Windows 11 Pro, Enterprise or Education. Windows 11 Home does not include the feature — Microsoft reserves it for the higher editions. Home users on a Stockbridge laptop or a Newington home PC will need to upgrade the edition first, or use a full virtual machine instead.
- Virtualisation enabled in BIOS/UEFI. On most modern Intel boards this is called VT-x; on AMD it's SVM. If it's switched off, Windows Sandbox refuses to start. Our guide to updating your BIOS on Windows 11 covers how to get into the firmware settings safely.
- At least 8 GB of RAM and a 64-bit CPU with two or more cores. Anything older than a 2018 machine will struggle.
How to Enable Windows Sandbox
Once you've confirmed the requirements, switching it on takes about a minute:
- Press Windows + S and type Turn Windows features on or off.
- In the list, scroll down to Windows Sandbox and tick the box. If the box is greyed out, virtualisation is disabled in BIOS — head into the firmware and enable VT-x or SVM first.
- Click OK. Windows will install the components and ask you to restart.
- After the reboot, open the Start menu and type Windows Sandbox. Run it.
That's it. You should see a fresh, blank Windows desktop in a new window within about ten seconds.
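The same requirements and the tick-box step can be checked and applied from an elevated PowerShell window. This is an added example, not part of the original guide; the 7.5 GB threshold is an assumption that allows for memory reserved by firmware on an 8 GB machine.

```powershell
# Added example: pre-flight check for the requirements listed above, then enable.
# Run in an elevated PowerShell window (the *-WindowsOptionalFeature cmdlets need admin).
$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
$feat = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' `
            -ErrorAction SilentlyContinue

# VirtualizationFirmwareEnabled reads False once a hypervisor is already running,
# so treat "hypervisor present" as proof that VT-x/SVM is switched on.
$virtOn = $cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent

$checks = [ordered]@{
    'Edition is Pro/Enterprise/Education' = $os.Caption -match 'Pro|Enterprise|Education'
    '64-bit Windows'                      = $os.OSArchitecture -match '64'
    'Virtualisation enabled in firmware'  = [bool]$virtOn
    # Assumption: 8 GB machines report slightly under 8 GB, so compare against 7.5.
    'At least 8 GB RAM'                   = ($cs.TotalPhysicalMemory / 1GB) -ge 7.5
    'Two or more CPU cores'               = $cpu.NumberOfCores -ge 2
    'Sandbox feature present in image'    = $null -ne $feat
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

if ($checks.Values -contains $false) {
    Write-Warning 'Requirements not met; fix the FAIL lines before enabling.'
} elseif ($feat.State -eq 'Enabled') {
    'Windows Sandbox is already enabled.'
} else {
    # Same effect as ticking the box in "Turn Windows features on or off";
    # Windows will ask for a restart afterwards.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All
}
```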
Running Your First Test in the Sandbox
Pretend you've just been emailed a suspicious "invoice.exe" that you're 80% sure is a phishing payload but you'd like to confirm before deleting it. Here's how a careful test looks:
- Don't open the file on your real desktop first. Copy it — copy, not double-click — to the clipboard.
- Switch to the Windows Sandbox window. Paste the file onto its desktop (clipboard sharing works both ways by default).
- Inside the sandbox, run the file. Watch what it does: does it open something that looks like an invoice, or does it silently spawn PowerShell windows, contact strange URLs, or ask for admin rights?
- Open Task Manager inside the sandbox (Ctrl + Shift + Esc) and look at the processes it created. Any background process pretending to be "svchost" or "explorer" but running from a Temp folder is a giant red flag.
- When you've seen enough, close the sandbox window. Click "OK" on the warning — every change is discarded.
If the file behaved like malware, delete the original from your real PC immediately and run a full scan. Our piece on the signs your PC has a virus covers what to watch for if you accidentally opened the same file on your main desktop earlier.
What Windows Sandbox Is Good For
In the workshop we use it almost daily for jobs like these:
- Checking suspicious email attachments — invoices, "delivery failed" PDFs, fake HMRC letters.
- Testing unknown installers before letting them touch a customer's machine, especially small open-source utilities or no-name driver tools.
- Visiting risky websites a customer needs to access for work but can't trust — phishing landing pages, scam refund forms, dodgy login portals.
- Trying out new applications without leaving registry leftovers on the host PC, which is handy for small businesses in Bathgate and Falkirk where one bad app can drag a fleet machine down.
- Demonstrating to a customer what a scam actually does. Watching a fake "tech support" page in a sealed window is a lot less stressful than seeing it on your own desktop.
What Sandbox Can't Protect You From
Windows Sandbox is excellent but not magic. A few things it won't stop:
- Network-based attacks. The sandbox shares your internet connection, so a keylogger that sends data out over the web during the test can still leak whatever it captures inside the sandbox.
- Credentials you type into the sandbox. Never log into your real email, bank or Microsoft account inside it — assume anything typed there has been seen.
- Very advanced sandbox-aware malware. Some samples detect that they're inside a virtual environment and stay quiet. If a file looks suspicious but does nothing in the sandbox, treat that as a warning, not an all-clear.
- Damage already done. If you opened the file on your real PC before sandboxing it, the sandbox won't undo that. Get a professional check instead.
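The shared internet connection and the two-way clipboard mentioned above are defaults that a Windows Sandbox configuration (.wsb) file can switch off. The script below is an added example, not part of the original guide: it writes such a file and launches it, and the host folder `C:\Quarantine`, the sandbox folder `C:\Sample` and the file name `SuspectFile.wsb` are assumed names.

```powershell
# Added example: launch Windows Sandbox with the risky defaults turned off.
# Assumption: the suspect file has been moved, unopened, into C:\Quarantine.
$hostFolder = 'C:\Quarantine'
$wsbPath    = Join-Path ([Environment]::GetFolderPath('Desktop')) 'SuspectFile.wsb'

if (-not (Test-Path $hostFolder -PathType Container)) {
    throw "Host folder $hostFolder does not exist; create it and put the file there."
}

# Networking off:        nothing run inside can reach the internet or the LAN.
# ClipboardRedirection:  no copy/paste between the host and the sandbox.
# Printer/Audio/Video:   no host printers, microphone or webcam exposed.
# vGPU off:              software rendering, smaller attack surface.
# MappedFolder ReadOnly: the sample is visible in C:\Sample but the sandbox
#                        cannot write back into the host folder.
$config = @"
<Configuration>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <vGPU>Disable</vGPU>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <SandboxFolder>C:\Sample</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@

Set-Content -Path $wsbPath -Value $config -Encoding UTF8
Start-Process $wsbPath   # .wsb files open with Windows Sandbox
```

Inside the sandbox, copy the file from `C:\Sample` to the sandbox desktop before running it. With networking disabled, a sample that waits for an internet connection may do nothing at all, so a quiet run is still not an all-clear.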
Sandbox vs Full Virtual Machine
People often ask whether they should use Windows Sandbox or set up something like Hyper-V or VirtualBox. The short answer: Sandbox for quick, throwaway tests; a full VM for anything you want to keep. A Glasgow developer testing a new IDE for a week wants a persistent VM with snapshots. A Galashiels customer who just wants to know if "WinRAR-installer.exe" from a forum is safe wants Sandbox — boot, run, close, gone. If you'd like a hand setting up either, our software troubleshooting and remote support teams can configure both safely on your machine.
Need Help With a Suspect File?
If you've been sent something that looks dodgy and you'd rather not test it yourself, bring it to our Edinburgh workshop on a USB stick or email it to us first. We can detonate it in an isolated environment, work out what it tries to do, and confirm whether your real PC is clean. Businesses on a managed plan with our business IT support team get this kind of check built into the monthly service.