Windows Sandbox (WSB) starter project for malware analysis: automatically provisions a ready-to-use Windows Sandbox environment, including analysis tools, a preconfigured .wsb file, and helper scripts/samples.
Change the `MemoryInMB` entry in `analysis.wsb` to a value your host can back: it is 8 GB (8192 MB) by default, sized for a 16 GB machine.
- Ensure Windows Sandbox is enabled.
- Use the preconfigured `.wsb` file from this repo.
- Start the Sandbox and let the installer provision tools automatically (this takes 10 minutes or more, depending on internet connection and system speed).
The installer uses winget to install the following tools:
| Category | Tool | Winget id |
|---|---|---|
| Utilities | Everything | voidtools.Everything |
| Compression / archives | 7-Zip | 7zip.7zip |
| System / process tooling | Sysinternals Suite | Microsoft.Sysinternals.Suite |
| Reverse engineering | x64dbg | x64dbg.x64dbg |
| Reverse engineering | rizin | Rizin.Rizin |
| .NET reverse engineering | dnSpyEx | dnSpyEx.dnSpyEx |
| Browser | Helium | ImputNet.Helium |
| Editor / IDE | Zed | ZedIndustries.Zed |
| Network analysis | Wireshark | WiresharkFoundation.Wireshark |
| Launcher | Flow Launcher | Flow-Launcher.Flow-Launcher |
After installation, the script pins these binaries to the taskbar when they exist at their expected locations:
- Helium (`chrome.exe`)
- dnSpyEx (`dnSpy.exe`)
- Sysinternals (`ProcMon64.exe`, `procexp64.exe`, `tcpview64.exe`, `Autoruns64.exe`)
- x64dbg (`x64dbg.exe`)
- Wireshark (`Wireshark.exe`)
- `*.wsb` (preconfigured Windows Sandbox file)
- `scripts/Pin-Taskbar/` - function helper, included as a submodule of https://github.com/Freenitial/Pin-Taskbar
- Install scripts (`install-winget.ps1`, `install-deps.ps1`)
- `samples/` - a placeholder folder for malware samples
The installer also references `C:\Users\WDAGUtilityAccount\AppData\Local\...` and expects Windows Sandbox's default account profile path.
The installer is a PowerShell script that:

- Creates a simple always-on-top UI
  - Uses WinForms to show a single "console-style" status window.
- Installs dependencies via `winget`
  - Defines a list of `WinGetPackages`.
  - Iterates each package:
    - Updates the UI text: `Installing: <pkg>`
    - Runs: `winget install <id> --silent --force --accept-source-agreements --disable-interactivity --source winget`
- Computes install paths inside the Sandbox profile
  - Sets: `$AppDataLocal = "C:\Users\WDAGUtilityAccount\AppData\Local\"`
  - Builds expected binary paths under `$AppDataLocal\imput\Helium\...` and `$AppDataLocal\Microsoft\WinGet\Packages\...`
  - Because winget places portable packages under a folder named after the package id plus a source suffix, the script captures that suffix: `$WinGetPackageTail = "_Microsoft.Winget.Source_8wekyb3d8bbwe"`
  - It uses that tail to form the paths to the Sysinternals, dnSpyEx and x64dbg executables.
- Removes pinned Edge from the taskbar
  - Deletes: `HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband` (this is an aggressive reset of the taskbar band settings: every existing pin is dropped, not only Edge).
- Restores the classic context menu and restarts Explorer
  - Restores the legacy context menu by writing an empty default value to `HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32`.
  - Restarts Explorer: `Stop-Process -processname explorer; sleep 3`
- Pins selected tools to the taskbar
  - Uses the `Set-TaskbarPin` function from https://github.com/Freenitial/Pin-Taskbar - thank you for your work!
- Launches Flow Launcher and Helium
- Closes the UI and shows a completion toast
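The procedure above, as an added example that is not the repository's `install-deps.ps1`: the same steps written as functions you can run or dot-source inside the Sandbox as `WDAGUtilityAccount`. It swaps the WinForms status window for console output, checks winget's exit code instead of assuming success, and resolves the winget package folder with a glob rather than the hard-coded `$WinGetPackageTail`. Assumptions (not from the page): `Set-TaskbarPin` is called positionally with the executable path, Helium's `chrome.exe` sits somewhere under `imput\Helium`, and Wireshark installs under `Program Files`.

```powershell
# Added example, not the project's own installer. Package ids are the ones from the tool table.
$WinGetPackages = @(
    'voidtools.Everything', '7zip.7zip', 'Microsoft.Sysinternals.Suite',
    'x64dbg.x64dbg', 'Rizin.Rizin', 'dnSpyEx.dnSpyEx', 'ImputNet.Helium',
    'ZedIndustries.Zed', 'WiresharkFoundation.Wireshark', 'Flow-Launcher.Flow-Launcher'
)

function Install-WinGetPackage {
    param([Parameter(Mandatory)][string]$Id)
    Write-Host "Installing: $Id"
    # Same switches the README lists; the exit code is checked rather than assumed.
    & winget install $Id --silent --force --accept-source-agreements --disable-interactivity --source winget | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "winget exited with $LASTEXITCODE for $Id" }
    return ($LASTEXITCODE -eq 0)
}

function Resolve-WinGetPortable {
    # winget keeps portable packages under ...\WinGet\Packages\<Id>_<source suffix>\.
    # Globbing the suffix avoids hard-coding $WinGetPackageTail.
    param([Parameter(Mandatory)][string]$Id, [Parameter(Mandatory)][string]$Exe)
    $root = Join-Path $env:LOCALAPPDATA 'Microsoft\WinGet\Packages'
    Get-ChildItem -Path $root -Directory -Filter "${Id}_*" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Recurse -File -Filter $Exe -ErrorAction SilentlyContinue } |
        Select-Object -First 1 -ExpandProperty FullName
}

function Reset-Taskband {
    # Wipes every existing pin (Edge included); our own pins are added back afterwards.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband'
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
}

function Enable-ClassicContextMenu {
    # An empty default value on this InprocServer32 key brings back the legacy context menu.
    $key = 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '(Default)' -Value ''
}

function Restart-Explorer {
    Stop-Process -ProcessName explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 3
    # Explorer normally respawns itself; start it if it did not.
    if (-not (Get-Process explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

# --- run the procedure ---
$failed = @($WinGetPackages | Where-Object { -not (Install-WinGetPackage $_) })
if ($failed) { Write-Warning "Not installed: $($failed -join ', ')" }

Reset-Taskband
Enable-ClassicContextMenu
Restart-Explorer

# Helium layout under imput\Helium is assumed, so search for the binary instead of hard-coding it.
$helium = Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'imput\Helium') -Recurse -File -Filter chrome.exe -ErrorAction SilentlyContinue |
    Select-Object -First 1 -ExpandProperty FullName
# Wireshark ships as an installer package, not a portable one; Program Files location is assumed.
$wireshark = Get-ChildItem -Path "$env:ProgramFiles\Wireshark" -File -Filter Wireshark.exe -ErrorAction SilentlyContinue |
    Select-Object -First 1 -ExpandProperty FullName

$pins = @(
    $helium
    Resolve-WinGetPortable 'dnSpyEx.dnSpyEx' 'dnSpy.exe'
    Resolve-WinGetPortable 'Microsoft.Sysinternals.Suite' 'Procmon64.exe'
    Resolve-WinGetPortable 'Microsoft.Sysinternals.Suite' 'procexp64.exe'
    Resolve-WinGetPortable 'Microsoft.Sysinternals.Suite' 'tcpview64.exe'
    Resolve-WinGetPortable 'Microsoft.Sysinternals.Suite' 'Autoruns64.exe'
    Resolve-WinGetPortable 'x64dbg.x64dbg' 'x64dbg.exe'
    $wireshark
) | Where-Object { $_ -and (Test-Path $_) }   # pin only what actually exists

if (Get-Command Set-TaskbarPin -ErrorAction SilentlyContinue) {
    foreach ($exe in $pins) { Set-TaskbarPin $exe }   # positional call is an assumption; check the helper's docs
} else {
    Write-Warning 'Set-TaskbarPin not loaded; dot-source the Pin-Taskbar helper first.'
}

if ($helium) { Start-Process $helium }
```

Dot-source the Pin-Taskbar helper before running the pinning step; the `Get-Command` guard only keeps the script from failing when it is missing.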
- Please respect the license of https://github.com/Freenitial/Pin-Taskbar and do not use their tool for commercial use; you can use my work for commercial use but you will need to remove all traces of their project.
- The installer relies on specific install-path conventions (especially for winget packages inside the sandbox profile). If package layouts differ, you may need to adjust `$WinGetPackageTail` and the binary paths in `install-deps.ps1`.
- The `.wsb` file is configured to integrate your `scripts/` and `samples/` directories into the Sandbox session. Mapped folders are writable from inside the Sandbox unless the `MappedFolder` entry sets `<ReadOnly>true</ReadOnly>`; map `samples/` read-only so a detonated sample cannot alter files on the host. Networking must stay enabled for winget to provision the tools, so anything you run afterwards has internet access.
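An added example, not the repository's `analysis.wsb`, of generating the Sandbox configuration from PowerShell so that both mapped folders are read-only, clipboard redirection is off, and `MemoryInMB` is checked against the host before the file is written. `New-AnalysisWsb` is a name chosen here; the sandbox-side paths use the default mapping location (the `WDAGUtilityAccount` desktop), and using `install-winget.ps1` as the logon command entry point is an assumption.

```powershell
# Added example; not the project's own .wsb. Builds analysis.wsb with read-only mappings.
function New-AnalysisWsb {
    param(
        [Parameter(Mandatory)][string]$RepoRoot,
        [string]$OutFile = (Join-Path $RepoRoot 'analysis.wsb'),
        [ValidateRange(2048, 131072)][int]$MemoryInMB = 8192
    )
    # Refuse a figure the host cannot back (the README's 8 GB default assumes a 16 GB machine).
    $hostMB = [int]((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    if ($MemoryInMB -gt ($hostMB / 2)) { throw "MemoryInMB $MemoryInMB exceeds half of host RAM ($hostMB MB)" }

    $desktop = 'C:\Users\WDAGUtilityAccount\Desktop'   # default landing spot for mapped folders
    $folders = foreach ($name in 'scripts', 'samples') {
        $hostPath = Join-Path (Resolve-Path $RepoRoot) $name
        if (-not (Test-Path $hostPath)) { throw "missing $hostPath" }
        $esc = [System.Security.SecurityElement]::Escape($hostPath)   # paths may contain & or <
@"
    <MappedFolder>
      <HostFolder>$esc</HostFolder>
      <SandboxFolder>$desktop\$name</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
"@
    }

    # Networking stays on because winget needs it; clipboard off and ProtectedClient on
    # reduce what a detonated sample can reach on the host.
    $xml = @"
<Configuration>
  <Networking>Enable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>$MemoryInMB</MemoryInMB>
  <MappedFolders>
$($folders -join "`n")
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File $desktop\scripts\install-winget.ps1</Command>
  </LogonCommand>
</Configuration>
"@
    [xml]$xml | Out-Null   # parse once so a malformed file never reaches the Sandbox
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    return $OutFile
}

# Usage: New-AnalysisWsb -RepoRoot . -MemoryInMB 4096
```

Because `scripts/` is mapped read-only too, the installer can run from it but nothing inside the Sandbox can tamper with the scripts that the next session will execute.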