Skip to content

fmuecke/claude-win-sandbox

Repository files navigation

claude-win-sandbox

Run Claude Code on Windows as a dedicated low-privilege local user, inside a Visual Studio Developer Shell, scoped to a fixed workspace directory.

This is blast-radius reduction for Windows-native development. It is not hard containment. Use a VM for adversarial code or strong isolation.

The CEO's assistant is not the CEO. Give the agent delegated access, not your full Windows identity.

What It Offers

This project helps you:

  • Run Claude Code as a dedicated standard Windows user instead of your main account.
  • Keep Claude Code configuration, credentials, and installation under C:\Users\ClaudeSandbox.
  • Limit expected agent writes to a fixed sandbox workspace.
  • Protect launcher, bootstrap, check, and managed-settings files under admin-write locations.
  • Block common Windows lateral-movement protocols from the sandbox account.

Limitations

This project currently does not solve:

  • Hard isolation for malicious code, malware, or highly sensitive third-party repos.
  • Prompt injection from repos, issues, docs, web pages, attachments, tool output, or MCP servers.
  • Exfiltration over allowed channels such as HTTPS, git remotes, package feeds, or internal web apps.
  • Protection for anything readable by ClaudeSandbox, including the sandbox workspace, its own credentials, broadly readable local paths, and secrets stored outside protected profile areas.
  • Rollback, snapshots, resource limits, centralized audit logs, or automatic kill switches.

Requirements

  • Windows 10/11
  • Visual Studio installed machine-wide
  • Git for Windows installed machine-wide
  • Admin rights for setup, removal, and policy installation

Setup

Run once from an elevated PowerShell:

.\Setup-ClaudeSandbox.ps1

During setup, choose whether to deploy the Claude Code managed settings to:

C:\Program Files\ClaudeCode\managed-settings.json

If a policy file already exists there, setup asks whether to overwrite or skip it.

Start the sandbox shell via desktop shortcut or use:

& 'C:\ProgramData\claude-win-sandbox\Start-ClaudeSandbox.ps1'

In the new window, install Claude Code as the ClaudeSandbox user:

irm https://claude.ai/install.ps1 | iex

Close and reopen the sandbox shell, then verify from an elevated PowerShell:

& 'C:\ProgramData\claude-win-sandbox\Check-ClaudeSandbox.ps1'

Daily Use

Desktop shortcut, or

& 'C:\ProgramData\claude-win-sandbox\Start-ClaudeSandbox.ps1'

Enter the ClaudeSandbox password when runas prompts. In the new window:

claude

Removal

Run from an elevated PowerShell:

.\Remove-ClaudeSandbox.ps1

Removal deletes the sandbox user, profile, generated ProgramData state, firewall rules, and optional desktop shortcut. It does not delete the workspace directory, for example C:\dev\ClaudeSandbox.

Notes

  • Claude Code must be installed per-user under C:\Users\ClaudeSandbox, not machine-wide and not from your main profile.
  • Trusted launcher/check/bootstrap/config files live under ProgramData and are locked admin-write / Users-read-execute.
  • The sandbox user can still access anything explicitly placed in the sandbox workspace and anything otherwise readable by normal Windows users.
  • HTTPS/web egress remains available for Claude Code, git, package managers, and internal services.

More Detail

License

MIT

About

Isolation for Claude Code on native Windows with MSVC, no docker/WSL.

Resources

License

Stars

4 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors