How can I run an untrusted code in a sandbox in Windows?

Question

Is there exists a way to run an untrusted code (C or C++) under a sandbox in Windows. Something that would prevent the program from opening files, or network connections, or forking, exec, etc?

It would be a small program, that gets uploaded to a server where it'll be compiled and executed, the program would be short lived.

Answer 1

When this question was asked, Windows did not have as many isolation options available to it. However there is been some improvement.

The now goto answer for this is to either use use Docker or Hyper V containers/VM.

---

But in the pre-Windows 10 era, answer was to manipulate the process isolation that came around windows vista/7 and use a separate user/application account.

Process Abilities:

You could manipulate the programs Integrate level and run with a restricted/unique user so reach is limited (group policy can further limit user).

Network access:

• Limit using a firewall that blocks outbound connections.

File access:

The NTFS file system has one of the most configurable file systems around,if you are running the process as a distinct user, you can craft an ACL policy to significantly limits the process's file access.

Source:

Finally if you have access to the source-code, you can likely remove or modify problem parts.

Answer 2

Windows 10 and Windows 11 now include a built-in isolation environment called Windows Sandbox.

Description (from here):

Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.

...

Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.

Windows Sandbox has the following properties:

• Part of Windows: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.

...

• Secure: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.

Assuming your version of Windows supports it, Windows Sandbox can be installed just by going to "Turn Windows features on and off" from the Start menu.

The following Windows versions are required: Windows 10 Pro, Enterprise or Education build 18305 or Windows 11.