OpenAI Details Codex Windows Sandbox Redesign With Two Local Accounts, DPAPI Credentials, and a Four-Layer Execution Path
After a March 2026 launch that left users contending with broad ACL changes and stale sandbox profiles, OpenAI published a stricter design splitting Codex into offline and online local users with DPAPI-protected credentials and a command-runner handoff.
Overview
OpenAI has published a technical explanation of how Codex runs inside a Windows sandbox on developer PCs, describing a redesign that splits the coding agent across two dedicated local users, gates its credentials through Windows DPAPI, and routes every command through an intermediary executable before it reaches a child process.
According to WinBuzzer, the OpenAI design post was dated May 8 and focused on “stricter sandbox behavior without breaking ordinary development work” after the March launch had brought a native sandbox for PowerShell-based developer environments. Before that launch, WinBuzzer noted, “Windows Codex had no sandbox” at all.
What the New Architecture Looks Like
Codex on Windows now runs under two purpose-built local users, CodexSandboxOffline and CodexSandboxOnline. The offline identity is used by default and Windows “can cut the offline identity off from outbound traffic,” per WinBuzzer, while the online user is provisioned only when broader connectivity is authorized.
The same outlet describes the technical pre-flight: “DPAPI-protected credentials, firewall checks, codex-command-runner.exe, and a four-layer execution path are prepared before the final child process begins.” The setup executable creates the sandbox users and checks firewall state before command handoff, WinBuzzer reports, and DPAPI in this context is “Windows credential protection, not a separate cloud gate.”
The binaries those descriptions point to are visible directly in the openai/codex Rust workspace at codex-rs/windows-sandbox-rs. The crate ships a codex-windows-sandbox-setup binary, a codex-command-runner binary, a codex-windows-sandbox-setup.manifest file, and a sandbox_smoketests.py test suite next to the Rust source.
Why OpenAI Rebuilt It
The first Windows sandbox shipped on March 4, 2026, when, WinBuzzer reported, OpenAI released the Codex app on the Microsoft Store after more than 500,000 developers joined the Windows waitlist and the Mac version exceeded one million downloads in its first week. The Windows build was described by WinBuzzer as the “first Windows-native agent sandbox,” built with Microsoft and enforcing OS-level isolation through restricted tokens, filesystem ACLs, and dedicated sandbox users at the process level. Codex on Windows also picks up WSL support for teams that prefer Linux tooling.
That initial design, per the May 14 WinBuzzer write-up, used a synthetic sandbox-write SID, file permission rules, and a restricted token, with directories such as .git, .codex, and .agents blocked. The same article notes that OpenAI evaluated AppContainer, Windows Sandbox, and Mandatory Integrity Control labeling, each of which “covered only part of the job” because developer workflows still needed file access, child-process execution, and network controls that would survive normal tools rather than a staged demo.
The redesign came after the unelevated model exposed a network gap. WinBuzzer says the original setup relied on environment overrides such as “dead proxy endpoints, Git proxy settings, and a denybin path,” but processes could ignore those settings or open sockets directly. “Package managers, scripts, and test runners can create child processes, so the boundary needs to follow the command tree rather than the first executable only,” the outlet writes.
The user-facing side of those gaps surfaced in the openai/codex tracker. A May 7 report, issue #21455, described “~170 leaked temporary user profile directories” under C:\Users\TEMP.<user>.* on a Windows 11 machine, with the reporter naming codex-windows-sandbox-setup.exe, codex-command-runner-0.128.0-alpha.1.exe, CodexSandboxOffline, and CodexSandboxOnline as the components involved. The reporter attributed the leak to “sandbox/user bootstrap retry loops,” “temporary profile fallback,” “profile unload/cleanup failure,” or “repeated failed noninteractive logons.” The issue remained open at time of writing.
Open-Source Sandbox With a Long Tail
The Windows sandbox is open source. WinBuzzer’s launch coverage said the implementation is “published as open source, with the code available on GitHub for developers who want to inspect the isolation logic directly,” and the openai/codex repo hosts the codex-windows-sandbox crate.
The development history goes back further than the March launch. GitHub PR #4905, titled “Windows Sandbox - Alpha version,” was opened on October 7, 2025 and merged on October 30, 2025 — roughly four months before the Microsoft Store release.
What Still Doesn’t Change
The redesign tightens write and network access; read access is a different story. According to WinBuzzer, Codex “can still read broadly across a system, write inside the active workspace, and operate with offline-by-default access unless a user explicitly allows more connectivity.”
What We Don’t Know
- Whether the temporary-profile leak documented in issue #21455 is closed by the May redesign. The issue is still open and references the 0.128.0-alpha.1 command runner; the May 8 design post sits between that report and the present.
- How the new four-layer execution path performs on Git, Python, package managers, and build tools at daily-development speed. WinBuzzer frames that as the ongoing test: keep
CodexSandboxOfflinecut off from outbound traffic while everyday workflows still run fast enough for daily development. - Whether the broader read access on user profile directories will be narrowed. WinBuzzer’s coverage of the May 8 design says Codex “can still read broadly across a system” and does not specify which paths remain reachable.