OpenAI builds custom Windows sandbox for Codex coding agent without admin privileges
OpenAI developed a custom sandbox implementation for its Codex coding agent on Windows after existing tools like AppContainer and Windows Sandbox failed to meet requirements. The solution uses synthetic SIDs and write-restricted tokens to constrain file writes and network access without requiring administrator privileges.
OpenAI has implemented a custom sandbox for its Codex coding agent on Windows after determining that native Windows isolation tools were insufficient for developer workflows. The solution allows Codex to run securely on Windows without requiring administrator privileges.
The problem: No adequate Windows isolation
Before September 2025, Codex on Windows lacked a sandbox implementation, forcing users to either approve nearly every command manually or enable Full Access mode with no restrictions. Codex runs locally on developer machines through the CLI, IDE extensions, or desktop apps, and by default it runs with the full permissions of the user.
OpenAI evaluated three existing Windows isolation mechanisms:
AppContainer: Microsoft's native capability-based sandbox proved too narrow for Codex's open-ended developer workflows involving shells, Git, Python, package managers, and arbitrary build tools.
Windows Sandbox: Microsoft's disposable lightweight VM offered strong isolation but couldn't operate directly on users' actual checkouts and environments. Additionally, Windows Sandbox is unavailable on Windows Home editions.
Mandatory Integrity Control (MIC): While elegant conceptually, marking workspaces as low-integrity would make them writable by any low-integrity process on the system, creating broader security risks than targeted sandbox constraints.
The solution: Synthetic SIDs and write-restricted tokens
OpenAI's engineering team, led by David Wiesen, built what they call the "unelevated sandbox" using two Windows primitives:
Synthetic SIDs for identity: Windows ties permissions to security identifiers (SIDs). OpenAI created synthetic SIDs specifically for the Codex sandbox that don't correspond to real users but can still appear in access control lists (ACLs).
Write-restricted tokens for constraint: These special process tokens require two checks for write operations to succeed: the normal user identity must have permission, and at least one SID in the token's restricted list must also be granted access. This allows precise control over where Codex can modify files.
The implementation creates a synthetic SID called "sandbox-write" that is granted write, execute, and delete access only to specific directories like the current workspace. The sandbox runs without requiring administrator elevation.
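To make the two-check rule concrete, the following is an added model of the access check a write-restricted token performs; it is not OpenAI's or Microsoft's code, the SID values and rights names are constructed placeholders, and deny ACEs and ACE ordering are left out.

```python
# Model of the access check a Windows write-restricted token performs. Added
# illustration, not OpenAI's or Microsoft's code: SIDs and DACLs are constructed
# placeholders, and deny ACEs and ACE ordering are omitted for brevity.
from dataclasses import dataclass, field

READ, WRITE, EXECUTE, DELETE = "READ", "WRITE", "EXECUTE", "DELETE"
WRITE_LIKE = {WRITE, DELETE}  # rights the restricting-SID check gates

@dataclass
class Ace:  # one allow entry in a DACL
    sid: str
    rights: set

@dataclass
class Token:
    sids: set  # the user's own SID plus group SIDs
    restricting: set = field(default_factory=set)  # empty = unrestricted

def dacl_grants(dacl, sids, right):
    return any(a.sid in sids and right in a.rights for a in dacl)

def access_check(token, dacl, right):
    # Check 1: the normal identity must be granted the right.
    if not dacl_grants(dacl, token.sids, right):
        return False
    # Check 2 (write-restricted tokens, write-like rights only): some
    # restricting SID must also be granted the right. Reads skip this check.
    if token.restricting and right in WRITE_LIKE:
        return dacl_grants(dacl, token.restricting, right)
    return True

DEV = "S-1-5-21-0-0-0-1001"        # constructed: the developer's user SID
SANDBOX_WRITE = "S-1-5-0-SANDBOX"  # constructed stand-in for "sandbox-write"
FULL = {READ, WRITE, EXECUTE, DELETE}
WORKSPACE = [Ace(DEV, FULL), Ace(SANDBOX_WRITE, {WRITE, EXECUTE, DELETE})]
HOME = [Ace(DEV, FULL)]               # ordinary directory: no sandbox ACE
DROPBOX = [Ace(SANDBOX_WRITE, FULL)]  # only the synthetic SID is granted

def demo():
    sandboxed = Token({DEV}, {SANDBOX_WRITE})  # Codex's write-restricted token
    plain = Token({DEV})                       # the developer's normal token
    return {
        "sandbox_writes_workspace": access_check(sandboxed, WORKSPACE, WRITE),
        "sandbox_reads_home": access_check(sandboxed, HOME, READ),
        "sandbox_writes_home": access_check(sandboxed, HOME, WRITE),
        "sandbox_writes_dropbox": access_check(sandboxed, DROPBOX, WRITE),
        "plain_writes_home": access_check(plain, HOME, WRITE),
    }
```

The DROPBOX case shows why the token is a restriction rather than a grant: an ACL that names only the synthetic SID still denies the sandbox, because the developer's own identity fails the first check.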
Technical implementation
Every Codex command launches in a sandboxed environment from the start. The operating system enforces constraints that propagate down the entire process tree, ensuring all descendant processes stay within the same security boundary.
According to OpenAI, Codex's default mode allows the agent to read files almost anywhere and write files only within the user's workspace (the directory where Codex is running), with no internet access unless explicitly specified.
What this means
This implementation brings Windows Codex functionality to parity with macOS (which uses Seatbelt) and Linux (which uses seccomp or bubblewrap) without requiring users to grant administrator privileges. The solution demonstrates a practical approach to sandboxing AI coding agents that need to perform arbitrary developer tasks while maintaining security boundaries. The design choice to avoid elevation is particularly significant for enterprise environments where developers often lack admin rights on their machines.