sandbox.exe: Safe Windows Process or Virus? Full Guide 2026

If you spotted sandbox.exe running on your Windows PC and you’re wondering whether it’s safe, a virus, or something you can close, this article gives you the full picture. Short answer: sandbox.exe is most often a legitimate Windows process tied to Windows Sandbox, a built-in virtualization feature in Windows 10 and 11 Pro and Enterprise editions. But like any executable, it can also be mimicked by malware. This guide helps you figure out exactly what’s running on your machine and what to do about it.

What Is sandbox.exe?

sandbox.exe is the main executable file that powers Windows Sandbox, a feature Microsoft introduced in Windows 10 version 1903. Windows Sandbox creates a lightweight, isolated virtual environment on your PC. You can open a suspicious app or file inside it, and when you close the sandbox, everything inside it disappears. Nothing touches your real system.

Think of it like a glass box inside your computer. You can do whatever you want inside it. Once you close it, the glass shatters and every trace is gone.

The file itself lives here on a standard Windows installation:

C:\Windows\System32\sandbox.exe

or within the virtualization components folder depending on your build.

How Windows Sandbox Actually Works

Windows Sandbox uses hardware virtualization technology. It spins up a stripped-down version of Windows using your existing Windows license. No separate ISO needed. No product key. Microsoft designed it to be fast to launch (under 10 seconds on modern hardware) and lightweight compared to a full virtual machine.

Here is what happens technically when you launch Windows Sandbox:

  • The hypervisor creates an isolated kernel.
  • A temporary user profile is generated.
  • A clean Windows instance loads inside.
  • You interact with it through a remote desktop-style window.
  • When you close it, the entire environment is deleted from memory.

This is different from running a VM in VirtualBox or VMware. Those require a full OS image. Windows Sandbox uses your current OS as the base but keeps everything compartmentalized.

Is sandbox.exe Safe?

Yes, if it lives in the right place. The legitimate sandbox.exe sits in:

C:\Windows\System32\

or

C:\Windows\SysWOW64\

If you see sandbox.exe anywhere else, especially in folders like AppData, Temp, Downloads, or Program Files under a sketchy name, that is a red flag. Malware writers often name their files after known Windows processes to avoid detection.

How to Verify sandbox.exe Is Legitimate

Open Task Manager by pressing Ctrl + Shift + Esc. Find sandbox.exe in the list. Right-click on it and choose “Open file location.” If it opens to C:\Windows\System32, you are fine. If it points somewhere else, run a full malware scan immediately.

You can also check the digital signature. Right-click the file in System32. Go to Properties, then the Digital Signatures tab. It should be signed by Microsoft Windows. No signature or a different publisher means the file is suspicious.

Why Is sandbox.exe Running?

There are a few common reasons sandbox.exe appears in Task Manager.

  • You launched Windows Sandbox from the Start menu.
  • A third-party security tool (like some antivirus programs) uses a sandbox environment to test files before allowing them to run.
  • Windows Update or a system process triggered a background check.
  • Some developer tools invoke sandbox environments for safe testing.

If you did not knowingly open Windows Sandbox but the process is running, check what application triggered it. In Task Manager, right-click sandbox.exe and look for “Go to details” or check the parent process in Process Explorer (a free tool from Microsoft Sysinternals that gives you a much clearer picture of what is launching what).

How to Enable or Disable Windows Sandbox

Windows Sandbox is a Windows Optional Feature. It is not enabled by default on all systems. Here is how to turn it on or off.

Enable Windows Sandbox

Press Win + R and type optionalfeatures. This opens the Windows Features dialog. Scroll down to “Windows Sandbox.” Check the box. Click OK. Windows will install the feature and ask you to restart.

After the restart, search for “Windows Sandbox” in the Start menu and open it. It launches like any other app.

Requirements to run Windows Sandbox:

  • Windows 10 or 11 Pro, Enterprise, or Education edition (Home does not support it)
  • 64-bit processor
  • Virtualization enabled in BIOS/UEFI
  • At least 4GB RAM (8GB recommended)
  • At least 1GB of free disk space (SSD recommended)
  • At least 2 CPU cores

Disable Windows Sandbox

If you want sandbox.exe to stop running entirely, disable the feature. Same path: Win + R, type optionalfeatures, uncheck “Windows Sandbox,” click OK, restart. The process will no longer appear in Task Manager.

You can also disable it via PowerShell as an administrator:

Disable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -Online

sandbox.exe and Malware: What You Need to Know

Some trojans and RATs (remote access tools) disguise themselves as sandbox.exe. This is called process name spoofing. The goal is simple: if Task Manager shows a familiar Windows name, most users will not investigate further.

Here is a quick comparison table to help you distinguish the real file from a fake one:

| Property | Legitimate sandbox.exe | Suspicious sandbox.exe |
| --- | --- | --- |
| File location | C:\Windows\System32 | AppData, Temp, Desktop, Downloads |
| Digital signature | Microsoft Windows | None or unknown publisher |
| File size | Varies by Windows build, typically under 1MB | Often oddly large or small |
| CPU/RAM usage | Moderate when Sandbox is open, near zero otherwise | High CPU/RAM for no clear reason |
| Parent process | svchost.exe or explorer.exe | cmd.exe, wscript.exe, unknown |

If anything in the suspicious column matches what you are seeing, take action right away.
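The path, signature, and parent-process checks from the verification steps and the table above can be scripted in PowerShell. This is an added example, not part of the original article: the function name Test-SandboxProcess is hypothetical, and the trusted folders, expected signer name, and expected parent names are taken from this article's criteria.

```powershell
# Added example. Trusted folders and expected parents follow this article's criteria.
$trustedDirs     = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }
$expectedParents = 'svchost.exe', 'explorer.exe'

function Test-SandboxProcess {            # hypothetical helper name
    param([Parameter(Mandatory)] $Process) # a Win32_Process CIM instance
    $findings = @()
    $path = $Process.ExecutablePath        # empty when the caller lacks access

    if (-not $path) {
        $findings += 'path unreadable (re-run from an elevated prompt)'
    } else {
        $dir = Split-Path -Path $path -Parent
        if ($trustedDirs -notcontains $dir) { $findings += "unexpected location: $dir" }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch '^CN=Microsoft Windows,') {
            $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
        }
    }

    # Parent PIDs get reused: a "parent" created after the child is an unrelated process.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($Process.ParentProcessId)"
    $parentName = if ($parent -and $parent.CreationDate -le $Process.CreationDate) {
        $parent.Name
    } else {
        '(parent exited)'
    }
    if ($expectedParents -notcontains $parentName) { $findings += "parent: $parentName" }

    [pscustomobject]@{
        ProcessId = $Process.ProcessId
        Path      = $path
        Parent    = $parentName
        Verdict   = if ($findings) { 'INVESTIGATE' } else { 'matches expected profile' }
        Findings  = $findings -join '; '
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'sandbox.exe'" |
    ForEach-Object { Test-SandboxProcess -Process $_ } |
    Format-List
```

No output means no process with that name is running. An INVESTIGATE verdict is a prompt for the malware scan described in the next section, not proof of infection.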

Steps to Take If You Suspect Malware

  • Disconnect from the internet temporarily to stop any data from being sent out.
  • Open Task Manager, find sandbox.exe, and note the file path.
  • Run Windows Defender Full Scan immediately.
  • If Defender does not catch it, run Malwarebytes (free version works well for this).
  • Delete the file manually only after your security tool has flagged and quarantined it.
  • Check your startup entries using Task Manager > Startup tab or Autoruns from Sysinternals.

You can download Autoruns directly from Microsoft here: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

Using Windows Sandbox Effectively in 2026

If sandbox.exe is running because you actually use Windows Sandbox, here are some practical ways to get more out of it.

Testing Suspicious Files and Software

This is the most common use case. Before installing any sketchy freeware, copy it into the Sandbox window, install it, and watch what it does. If anything looks wrong, close Sandbox. The file and any changes it made vanish.

Testing Browser Extensions

Drag a browser installer into Sandbox, install Chrome or Firefox, then install the extension you want to test. Watch network traffic or unusual behavior. Close Sandbox when done.

Safe Browsing

Open Sandbox and browse from within it when visiting sites you do not fully trust. Even if a site tries to drop malware, it only lands inside the Sandbox environment, not on your real OS.

Using Windows Sandbox Configuration Files

Microsoft lets you customize the Sandbox environment using .wsb configuration files. These are XML files that let you map folders from your real PC into the Sandbox, control network access, set the GPU behavior, and configure startup commands.

Example of a simple .wsb file:

<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\TestFiles</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>

Save this as test.wsb and double-click it. Windows Sandbox will open with network disabled and your TestFiles folder mounted as read-only inside the sandbox. This is a powerful setup for security researchers and IT admins.

Microsoft’s full documentation on Windows Sandbox configuration is available here: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file

sandbox.exe High CPU or Memory Usage

If sandbox.exe is eating up CPU or RAM and you did not launch the Sandbox app yourself, here is what to check.

First, verify the file path. If it is legitimate, the high usage may mean Sandbox is still open in the background. Check your taskbar and open apps. Close Windows Sandbox if you are done using it.

If usage is high and no sandbox window is open, a background service may have triggered it. Restart your PC. If the high usage returns immediately, something is auto-launching it.

Run these checks:

  • Open Task Manager, go to the Startup tab, and look for anything triggering Sandbox on boot.
  • Use Autoruns to check scheduled tasks.
  • Check Windows Event Viewer under Windows Logs > Application for any sandbox-related errors that might hint at a crash loop.

If the process refuses to close or keeps respawning, that strongly suggests a malware impersonator rather than the real Windows Sandbox.
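The startup and scheduled-task checks above can also be done from PowerShell. This is an added example, not part of the original article: the function name Find-SandboxAutostart and its Pattern parameter are hypothetical.

```powershell
# Added example: list autostart entries whose command line mentions sandbox.exe.
function Find-SandboxAutostart {          # hypothetical helper name
    param([string] $Pattern = 'sandbox\.exe')

    # Scheduled tasks: only "exec" actions carry Execute/Arguments properties,
    # so COM-handler and other action types are skipped.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions |
            Where-Object { $_.PSObject.Properties['Execute'] } |
            Where-Object { "$($_.Execute) $($_.Arguments)" -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = "$($_.Execute) $($_.Arguments)".Trim()
                }
            }
    }

    # Registry Run keys and Startup-folder shortcuts, as exposed by WMI.
    Get-CimInstance Win32_StartupCommand |
        Where-Object { $_.Command -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = "Startup ($($_.Location))"
                Name    = $_.Name
                Command = $_.Command
            }
        }
}

Find-SandboxAutostart | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so tasks belonging to other accounts are visible. Autoruns inspects many more autostart locations than these two, so an empty result here does not replace that check.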

Windows Sandbox vs. Hyper-V vs. Virtual Machines

Many people confuse Windows Sandbox with Hyper-V and traditional VMs. Here is a clear breakdown:

| Feature | Windows Sandbox | Hyper-V | VirtualBox/VMware |
| --- | --- | --- | --- |
| Setup time | Under 1 minute | Moderate | Long |
| Persistent storage | No (wipes on close) | Yes | Yes |
| Needs OS image | No | Yes | Yes |
| Ideal use | Quick testing | Full dev/server environments | Multi-OS environments |
| Performance overhead | Low | Medium | Medium to High |
| Part of Windows | Yes (Pro/Enterprise) | Yes (Pro/Enterprise) | Third-party install |

For most users who just want to test a file quickly, Windows Sandbox is the right tool. For developers who need a persistent Linux or older Windows environment, Hyper-V or a third-party VM is the better choice.

Common sandbox.exe Errors and Fixes

“Windows Sandbox failed to start”

This usually means virtualization is not enabled in your BIOS. Restart your PC, enter BIOS settings (usually F2 or Delete during boot), find the Virtualization Technology option (Intel VT-x or AMD-V), and enable it. Save and restart.

“Windows Sandbox is not supported on Home edition”

This is not an error you can work around without upgrading your Windows edition. Microsoft Home edition simply does not include the hypervisor components needed. Your options are upgrading to Pro or using a free alternative like Sandboxie-Plus.

Sandbox Opens But Is Blank or Frozen

This can happen after a Windows Update that breaks the hypervisor components. Open PowerShell as admin and run:

sfc /scannow

Then restart. If that does not fix it, try disabling and re-enabling the Windows Sandbox feature through optionalfeatures.

sandbox.exe Crashes on Launch

Check that your drivers are up to date, especially your graphics driver. Outdated GPU drivers sometimes conflict with the virtual display adapter that Windows Sandbox uses.

Alternatives to Windows Sandbox

If your system does not support Windows Sandbox or you want different features, these tools serve a similar purpose:

Sandboxie-Plus is a free, open-source sandboxing tool that works on Windows Home. It runs apps in isolated containers without a full VM.

Any.run is an online interactive malware sandbox. Upload a suspicious file and watch it run in a controlled cloud environment without touching your machine at all.

Cuckoo Sandbox is a more advanced open-source option used by security researchers. It requires more setup but gives detailed behavioral analysis.

Windows Defender Application Guard is another Microsoft tool, focused specifically on isolating Microsoft Edge sessions. It uses similar hypervisor technology to Windows Sandbox.

Conclusion

sandbox.exe is a safe and useful Windows process when it is the real thing sitting in System32 and signed by Microsoft. It powers Windows Sandbox, one of the most underused security features built into Windows 10 and 11 Pro and Enterprise. You can use it to test files, browse risky websites, and experiment with software without ever touching your real operating system.

The only time sandbox.exe becomes a problem is when it is not the real Windows file. Fake versions living in AppData or Temp folders, unsigned, or consuming unusual resources are a clear sign of malware.

Check the file path first. Check the digital signature second. If both look right, you are fine. If anything seems off, run Malwarebytes, use Autoruns, and remove the impersonator before it does damage.

Frequently Asked Questions

Is sandbox.exe a virus?

Not by default. The legitimate sandbox.exe is a signed Microsoft process located in C:\Windows\System32 and it is completely safe. However, malware can use the same filename. Always verify the file path and digital signature in Task Manager if you are unsure. If it is in any folder other than System32 or SysWOW64 and is not signed by Microsoft, treat it as suspicious.

Can I delete sandbox.exe?

You should not delete the legitimate sandbox.exe from System32. It is a core component of the Windows Sandbox feature. Deleting it can cause system errors. If you want to stop it from running, disable Windows Sandbox through Windows Optional Features instead. If the file is a confirmed malware impersonator in a different folder, yes, delete it after your antivirus quarantines it.

Why does sandbox.exe use so much CPU?

If Windows Sandbox is open and you are running something inside it, moderate CPU usage is normal. If Sandbox is not open and sandbox.exe is still consuming high CPU, check whether a background service triggered it or whether the running process is actually a malware impersonator. Use Task Manager to check the file path and kill the process if the location looks wrong.

Does Windows Sandbox work on Windows 11 Home?

No. Windows Sandbox requires Windows 10 or 11 Pro, Enterprise, or Education. The Home edition does not include the hypervisor layer that Sandbox depends on. If you are on Home and need sandboxing, use Sandboxie-Plus instead, which is free and works without hypervisor support.

What happens to files I put in Windows Sandbox?

Everything inside Windows Sandbox is temporary. When you close the Sandbox window, all files, installed software, browser history, and settings inside it are permanently deleted. Nothing is saved to your real PC. If you need to move something out of Sandbox before closing it, copy it to a mapped folder you configured in your .wsb file beforehand.

MK Usmaan