How to Analyze Suspicious Files Safely with Windows Sandbox
Use Windows Sandbox to safely analyze suspicious files, installers, and attachments without risking your main system. Step-by-step workflow for safe file analysis.
Windows Sandbox provides a disposable Windows environment that resets completely on close. It's the safest way to open suspicious files when you're not sure if they're malicious.
Why Sandbox is Better Than Just Running Defender
Antivirus can miss novel malware that evades signature detection. Running a file in Sandbox:
- Executes it in a completely isolated environment
- Lets you observe behavior (network connections, file writes, registry changes)
- Leaves your real system completely untouched
- Resets to clean state automatically on close
Enable Windows Sandbox
Win + R → optionalfeatures → check Windows Sandbox → OK → restart
Or:
Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All
Requires Windows 10/11 Pro, Enterprise, or Education.
Basic Analysis Workflow
Step 1: Create a folder for suspicious files on your PC:
New-Item -ItemType Directory -Path "C:\SandboxAnalysis"
Step 2: Create a .wsb config that maps this folder read-only into Sandbox:
<Configuration>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\SandboxAnalysis</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Analysis</SandboxFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
</Configuration>
Save as C:\SandboxAnalysis\analyze.wsb.
Step 3: Copy the suspicious file to C:\SandboxAnalysis\
Step 4: Double-click analyze.wsb → Sandbox opens with the file on desktop
Step 5: Inside Sandbox, run the file and observe:
- Does it try to create files? (check Desktop, AppData)
- Does it open network connections? (check Task Manager → Performance → Network)
- Does it install services? (check Task Manager → Services)
- Does it drop other executables?
With Network Enabled (For Online Threats)
If you need to analyze something that requires internet:
<Configuration>
<Networking>Default</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\SandboxAnalysis</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Analysis</SandboxFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
</Configuration>
With network enabled, malware can phone home or download additional components — this is valuable for behavioral analysis but means the malware "runs" more completely.
What to Look For
File system activity: Inside Sandbox, open Task Manager → Details → right-click suspicious process → Open file location
Registry activity:
Run regedit → check HKCU\Software and HKLM\SOFTWARE for new entries before and after execution
Network activity:
Open Task Manager → Performance → Network → watch for unexpected traffic
Or inside Sandbox: netstat -ano in CMD
Services: Task Manager → Services tab → look for new entries
Automated Observation Script
Copy this to Sandbox desktop and run before executing the suspicious file:
# Snapshot baseline
$baseline = @{
Processes = Get-Process | Select-Object Name, Id
Services = Get-Service | Select-Object Name, Status
RegKeys = Get-ChildItem "HKCU:\Software" | Select-Object Name
}
Write-Host "Baseline captured. Run the suspicious file now..."
Read-Host "Press Enter when done"
# Compare after
$after = @{
Processes = Get-Process | Select-Object Name, Id
Services = Get-Service | Select-Object Name, Status
}
Write-Host "`n=== NEW PROCESSES ===" -ForegroundColor Yellow
Compare-Object $baseline.Processes $after.Processes -Property Name |
Where-Object {$_.SideIndicator -eq "=>"} | Select-Object Name
Write-Host "`n=== NEW SERVICES ===" -ForegroundColor Yellow
Compare-Object $baseline.Services $after.Services -Property Name |
Where-Object {$_.SideIndicator -eq "=>"} | Select-Object Name
Capture Output from Sandbox
To get analysis results out of the isolated Sandbox:
<MappedFolder>
<HostFolder>C:\SandboxOutput</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Output</SandboxFolder>
<ReadOnly>false</ReadOnly>
</MappedFolder>
Save screenshots or text files to the Output folder — they persist to your PC after Sandbox closes.
Online Alternatives
For files you can't run even in Sandbox:
- virustotal.com — scan with 70+ antivirus engines
- any.run — interactive malware sandbox (free tier)
- hybrid-analysis.com — automated sandbox analysis
🛡️ Перевір безпеку свого ПК
Хочеш знати чи немає витоків даних, зайвих служб або підозрілих програм на твоєму ПК?
→ AuditShield — аудит Windows по 22 напрямках за 10 хвилин. HTML-звіт з оцінкою ризику. Є безкоштовне демо.
Summary
Enable Sandbox, create a .wsb with networking disabled and a mapped read-only folder. Copy suspicious file to the folder, launch config, run the file, observe behavior. Use the comparison script to catch new processes and services. Never run suspicious files on your main system — Sandbox takes 15 seconds to set up and provides complete isolation.