-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathStart-Container.ps1
181 lines (157 loc) · 6.66 KB
/
Start-Container.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
#Requires -Version 5.1
<#
.SYNOPSIS
Launch Windows Sandbox with a configuration built from the user's intent.
.DESCRIPTION
-None-
.PARAMETER TargetPath
An item to launch into the container. This could be a file or directory.
The script will automatically figure out what to do with this item.
.EXAMPLE
Start-Container -TargetPath 'C:\Windows\System32\notepad.exe'
.EXAMPLE
Start-Container -TargetPath 'C:\Users\Public\Desktop'
.LINK
https://github.com/Bert-Proesmans/WindowsSandboxShortcuts
.LINK
More information about Windows Sandbox can be found here;
https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
.COMPONENT
This script requires Windows Optional Feature 'Containers-DisposableClientVM'
.NOTES
Author: Bert Proesmans
Install the required Windows Optional Feature 'Containers-DisposableClientVM' by
executing the following command in an elevated powershell prompt;
`Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM`
#>
param (
[Parameter(Mandatory = $true)]
[ValidateScript({
if (-Not ($_ | Test-Path) ) {
throw "Item does not exist."
}
if ((-Not [System.IO.Directory]::Exists($_)) -and (-Not [System.IO.File]::Exists($_))) {
throw "The TargetPath argument is an unexpected item, only files and directories are supported."
}
return $true
})]
[string]$TargetPath
)
# WARN; Variable types are sticky, so we manually override the type once
[System.Management.Automation.PathInfo]$TargetPath = Resolve-Path $TargetPath
$ConfigurationPath = New-TemporaryFile
$SandboxBasePath = "C:\Users\WDAGUtilityAccount\Desktop"
$ItemPreparation = 'folder'
$SandboxMounts = @()
$LogonCommand = ''
$IsFile = [System.IO.File]::Exists($TargetPath)
if ($IsFile) {
$ItemPreparation = (Get-Item $TargetPath).Extension
$ParentDirectoryPath = (Get-Item $TargetPath).Directory
$SandboxMounts += @{
HostPath = $ParentDirectoryPath
ContainerPath = $SandboxBasePath, (Get-Item $ParentDirectoryPath).Name -join '\'
}
}
else {
$SandboxMounts += @{
HostPath = $TargetPath
ContainerPath = $SandboxBasePath, (Get-Item $TargetPath).Name -join '\'
}
}
function Get-Incantation {
param(
# Program to launch within the container
[Parameter(Mandatory = $true, Position = 0)]
[string]
$Process,
# Arguments for the started process
# This parameter is forwarded to ArgumentList of Start-Process
# NOTE; We do the quoting for you!
[Parameter(Position = 1)]
[string[]]
$ArgumentList,
# Toggle flag to produce a command window with (hopefully) error messages
[Parameter()]
[switch]
$VisiblePrompt
)
function FlattenArgumentList {
param([Parameter(Mandatory = $true, Position = 0)][string[]] $arguments)
# ERROR; Handle nested quoting properly! For each level deep we need to escape quotes
($arguments | ForEach-Object { $_ -replace "'", "''" } | ForEach-Object { "'$_'" }) -join ', '
}
if ($VisiblePrompt.IsPresent) {
# The launcher process has a flag to hide the console window => any directly invoked script
# will not be visible (but would run!) unless we invoke a new command window
$ArgumentList = FlattenArgumentList $ArgumentList
$ArgumentList = @('-NoExit', 'Start-Process', "$Process @($ArgumentList)")
$Process = 'powershell'
}
$ArgumentList = FlattenArgumentList $ArgumentList
# "[..] -command "Start-Process powershell @('-NoExit', 'Start-Process', 'powershell @(''-NoExit'')')"
"powershell -executionpolicy unrestricted -command ""Start-Process $Process @($ArgumentList)"""
}
switch ($ItemPreparation) {
"folder" {
$ContainerFilePath = $SandboxBasePath, (Get-Item $TargetPath).Name -join '\'
$LogonCommand = Get-Incantation 'explorer.exe' $ContainerFilePath
}
".msi" {
$ContainerFilePath = $SandboxMounts[0].ContainerPath, (Get-Item $TargetPath).Name -join '\'
$LogonCommand = Get-Incantation 'msiexec.exe' @('/i', $ContainerFilePath)
}
{ $_ -in ".cmd", ".bat" } {
$ContainerFilePath = $SandboxMounts[0].ContainerPath, (Get-Item $TargetPath).Name -join '\'
$LogonCommand = Get-Incantation 'cmd.exe' @('/k', $ContainerFilePath)
}
".ps1" {
$ContainerFilePath = $SandboxMounts[0].ContainerPath, (Get-Item $TargetPath).Name -join '\'
$LogonCommand = Get-Incantation 'powershell.exe' @('-ExecutionPolicy Bypass', '-NoExit', '-File', $ContainerFilePath)
}
Default {
# Default behavious is shell-executable thingie (file-like with default app association)
$ContainerFilePath = $SandboxMounts[0].ContainerPath, (Get-Item $TargetPath).Name -join '\'
$LogonCommand = Get-Incantation 'explorer.exe' $ContainerFilePath
}
}
@"
<Configuration>
<!-- REF; https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file -->
<ProtectedClient>enable</ProtectedClient>
<VGpu>disable</VGpu>
<Networking>enable</Networking>
<PrinterRedirection>disable</PrinterRedirection>
<!--
Node text cannot be empty otherwise a startup exception is thrown.
Remove node for automatic memory calculation, or set a value larger than 1500.
WARN; A value lower than 1.5GB will cause performance degradation due to swapping.
-->
<MemoryInMB>2700</MemoryInMB>
<!-- Settings below can now be toggled from the client window -->
<AudioInput>disable</AudioInput>
<VideoInput>disable</VideoInput>
<ClipboardRedirection>disable</ClipboardRedirection>
<!-- Toggled settings -->
<MappedFolders>
$(
$SandboxMounts | ForEach-Object {
@"
<MappedFolder>
<HostFolder>$($_.HostPath)</HostFolder>
<SandboxFolder>$($_.ContainerPath)</SandboxFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
"@
}
)
</MappedFolders>
<LogonCommand>
<Command><![CDATA[$($LogonCommand)]]></Command>
</LogonCommand>
</Configuration>
"@ | Out-File $ConfigurationPath -Encoding utf8
# Windows sandbox tool _requires_ the configuration file ending on wsb extension
Move-Item -Path $ConfigurationPath -Destination "$ConfigurationPath.wsb"
# Launch the sandbox providing our situational configuration file
& "$env:SystemRoot\System32\WindowsSandbox.exe" "$ConfigurationPath.wsb"