OpenAI Deploys 4-Layer Windows Sandbox for Codex, Adding 2 Dedicated Users and Firewall Blocks
Updated · OpenAI · May 13
OpenAI’s Windows sandbox for Codex now uses an elevated setup that creates two local accounts, CodexSandboxOffline and CodexSandboxOnline, to run agent commands under restricted tokens.
That redesign let OpenAI apply Windows Firewall rules to block all outbound traffic for the offline account, fixing the earlier unelevated prototype’s network controls, which relied on proxy and PATH tricks that processes could bypass.
The new architecture adds four layers: codex.exe, a sandbox-setup binary, a command-runner binary, and the final child process, after Windows privilege limits blocked a simpler direct launch flow.
Setup now needs admin rights to create users, encrypt credentials with DPAPI, install firewall rules, and grant read ACLs to paths such as C:\Users\<real-user> and Program Files so sandboxed commands can still access developer environments.
OpenAI said Windows lacked a native isolation primitive suited to open-ended coding-agent workflows, pushing it past rejected options including AppContainer, Windows Sandbox, and Mandatory Integrity Control labeling.