Suggestion: System-wide sandboxing and stricter app permissions in Windows and Idea: Make Windows run new apps in a full sandbox by default Could Windows block apps from opening CMD and run them in isolation?

Question

Suggestion: System-wide sandboxing and stricter app permissions in Windows and Idea: Make Windows run new apps in a full sandbox by default Could Windows block apps from opening CMD and run them in isolation?

mahmoud mahmoud 20

Hello Microsoft,

I wanted to share an idea about improving Windows security. Would it be possible in the future for Windows to have a stronger, system-wide sandbox model where apps don’t have the ability to open CMD or PowerShell unless the user explicitly allows it?

Another part of the idea is for Windows Defender to scan every downloaded file automatically, and when a file is executed, run it in a fully isolated sandbox by default. That way, even if the file contains malware, it wouldn’t be able to interact with the main system or cause any damage.

This is more of a security suggestion, but I think something like this could make Windows much safer overall.

Thanks.

mahmoud mahmoud 20 Reputation points

2025-12-11T16:10:40.06+00:00

making this real will most likely use more ram and cpu but will make things way better and I forgot to say that everything I said should be enabled by normal and make windows defender use a high system level instead of user level

Answer accepted by question author

0 additional answers

Your answer

mahmoud mahmoud 20 Reputation points

2025-12-11T16:10:40.06+00:00

making this real will most likely use more ram and cpu but will make things way better and I forgot to say that everything I said should be enabled by normal and make windows defender use a high system level instead of user level

Answer 1

Your suggestion for a stronger system-wide sandbox model in Windows is aligned with ongoing efforts to enhance security in the operating system. Currently, Windows does provide features like Windows Sandbox, which allows users to run untrusted applications in an isolated environment, preventing them from affecting the host system. This feature utilizes hardware-based virtualization technology to ensure that any untrusted application remains contained within the sandbox.

The idea of blocking applications from opening CMD or PowerShell unless explicitly allowed is an interesting approach to further restrict application capabilities and enhance security. While Windows does have mechanisms to limit application permissions through features like AppContainers, implementing a more robust system-wide sandboxing approach would require a significant architectural change.

Additionally, integrating automatic scanning of downloaded files by Windows Defender before execution could further mitigate risks associated with malware. Currently, Windows Defender provides real-time protection and can scan files, but the implementation of a default sandbox for all executable files would enhance the security posture significantly.

Such enhancements would indeed contribute to making Windows a safer environment for users, especially in light of increasing cybersecurity threats.

mahmoud mahmoud 20 Reputation points

2025-12-11T16:04:39.9+00:00

to be honest I think this will make windows use more ram because think about it adding this will use more PC resources but they can make it

Share via

Suggestion: System-wide sandboxing and stricter app permissions in Windows and Idea: Make Windows run new apps in a full sandbox by default Could Windows block apps from opening CMD and run them in isolation?

0 additional answers

Your answer