An XDA piece last week made a case a lot of readers were quietly thinking: Windows 11’s new AI agent framework is powerful, and the default file-access grant it gets is broader than most users want. Scoped access beats standing access, and the tools to enforce that on Windows exist. They are not the shiniest part of the OS, and they take an evening to set up, but they turn a broad “the agent can read your Documents folder” into “the agent can read this project directory and nothing else.” The best apps for controlling AI agent file access on Windows below are the seven that make the scoping practical.
We picked tools that either sandbox the agent at a process level, block or log its file operations, restrict network egress so a compromised or over-eager agent cannot exfiltrate what it read, or give you the visibility to notice when something touches a folder it should not. Some cost money, several are free, and one is a Microsoft-supplied Windows feature most users have never turned on.
What to look for in a file-access control tool
The agent runs as a process. Everything below controls what a process on Windows can do.
- Process isolation, so the agent cannot touch the user’s real file system from the get-go.
- Per-folder access rules that override the default “any signed app can read this user’s profile.”
- Network egress control so a leak stops at the firewall, not at the file read.
- Real-time file operation logging, so a rogue read shows up immediately.
- Ease of setting up a whitelist without breaking the agent every time it updates.
- A working uninstaller if the trial ends, and low overhead on a normal workload.
Quick comparison
| App | Best for | Free plan | Starting price/yr | Focus |
|---|---|---|---|---|
| Windows Sandbox | Running the agent in a disposable VM | Yes | Free with Pro/Enterprise | Full isolation |
| Sandboxie-Plus | Persistent per-app sandbox on any Windows edition | Yes | Optional supporter tier | Process isolation |
| GlassWire | Watching what the agent talks to on the network | Free tier | Annual subscription | Network visibility |
| OSArmor | Hardening the process launch surface | Free tier | Annual subscription | Behaviour blocking |
| Voidtools Everything | Auditing the file surface an agent could touch | Yes | Free | File visibility |
| SimpleWall | Whitelist-only Windows firewall | Yes | Free | Egress control |
| Process Monitor | Deep-diving what the agent actually did | Yes | Free | Forensic logging |
The apps
1. Windows Sandbox
Windows Sandbox is the built-in Microsoft answer: run the agent in a disposable VM that vanishes when you close it. On Windows 10 and 11 Pro, Enterprise, and Education, enable the feature, launch the sandbox, install the agent inside, and give it a shared folder only if you want it to see specific data. The rest of the file system is invisible.
Where it falls short: Home editions of Windows do not include it. Persistent state between sessions is deliberately absent, so tools that need long-lived configuration are awkward.
Pricing:
- Free: included with Pro, Enterprise, and Education
- Paid: not applicable
Platforms: Windows Pro, Enterprise, Education
Download: Microsoft Learn: Windows Sandbox
Bottom line: the first move if the edition of Windows supports it.
2. Sandboxie-Plus
Sandboxie-Plus is the persistent alternative when Windows Sandbox is not available. It is the open-source revival of the original Sandboxie: a per-app sandbox that intercepts file writes and redirects them to a private layer, and can be configured to block reads to specific paths entirely. Runs on any Windows edition and keeps state between sessions.
Where it falls short: modern apps that hook deep into Windows APIs occasionally fight the sandbox. Configuration has a learning curve.
Pricing:
- Free: full app
- Paid: optional supporter tier
Platforms: Windows 10, Windows 11
Download: sandboxie-plus.com
Bottom line: the pick when Windows Sandbox is not available and you want persistent state.
3. GlassWire
GlassWire is the visibility layer for what an app talks to on the network. If a scoped agent starts making DNS queries to hosts you have never seen, GlassWire flags it. The GUI is calm, the alerts are actionable, and per-app firewall rules can block egress without opening Windows Firewall UI in three places.
Where it falls short: the free tier is capped on features; the useful controls sit in the paid tier. It is a monitor, not an isolation layer.
Pricing:
- Free: basic monitoring
- Paid: annual subscription for advanced features
Platforms: Windows
Download: glasswire.com
Bottom line: pair with a sandbox to see what still tries to leave.
4. OSArmor
OSArmor hardens the process launch surface: it blocks child processes from spawning powershell.exe, wscript.exe, cmd.exe with unusual arguments, and other patterns AI agents sometimes take when handling tools. That is the exact class of behaviour that turns a scoped read into an unscoped write.
Where it falls short: the ruleset is opinionated and can trip legitimate developer workflows if you skip the whitelist step. Some features sit behind the paid tier.
Pricing:
- Free: reduced ruleset
- Paid: annual subscription for the full ruleset
Platforms: Windows
Download: novirusthanks.org
Bottom line: the pick when you want to stop the agent from spawning something you did not ask for.
5. Voidtools Everything
Everything is not a control tool; it is a visibility tool. Its instant filename index makes an audit of “what would the agent see if you let it read your Documents folder” take five seconds, not an evening. Before you scope, understand the surface. Everything makes that trivial.
Where it falls short: it does not itself control access. It shows what is there so you can decide.
Pricing:
- Free: full app
- Paid: not applicable
Platforms: Windows
Download: voidtools.com
Bottom line: the pick to run before you configure anything else.
6. SimpleWall
SimpleWall is a whitelist-only Windows firewall. Every process asks permission on first connect, and the default deny is honest. Combined with a sandboxed agent, it gives you the second layer that matters: even if the agent reads something it should not, it cannot phone home.
Where it falls short: the whitelist prompt cycle on first install is real work. It is a firewall, not a sandbox.
Pricing:
- Free: full app
- Paid: not applicable
Platforms: Windows 7+
Download: github.com/henrypp/simplewall
Bottom line: the pick for anyone who prefers deny-by-default networking.
7. Process Monitor
Process Monitor (Procmon) is the Sysinternals tool that logs every file, registry, and process operation on the system. Point it at the agent process, replay a session, and every file it touched shows up in the log. That is how you confirm the scoping worked, or discover which config file the agent read that you did not remember to protect.
Where it falls short: it is a diagnostic tool, not a live control. Reading a session takes time and attention.
Pricing:
- Free: full app
- Paid: not applicable
Platforms: Windows
Download: Microsoft Sysinternals
Bottom line: the pick when you need to prove what the agent did.
How to pick the right one
- If you run Windows Pro or Enterprise: start with Windows Sandbox.
- If you run Windows Home or need persistent state: Sandboxie-Plus.
- If the concern is what it sends over the network: GlassWire for visibility, SimpleWall for the block.
- If the concern is what it launches: OSArmor.
- If you want to know what the agent could touch: Voidtools Everything.
- If you want a forensic log after the fact: Process Monitor.
Stack two or three. Sandbox, egress control, and monitoring together make the setup real.
FAQ
Are Windows 11’s own AI agent permission controls enough?
The default grants an agent broad read access inside the user profile. The permission UI has improved but the settings are opt-out for most categories. Layering a sandbox and egress control gives you a stricter posture than the OS defaults.
Which combination gives the strongest isolation?
Windows Sandbox for process isolation, SimpleWall inside or on the host for egress, and Process Monitor for a log. Add GlassWire when you want a nicer network-visibility surface than raw firewall logs.
Does running an agent in a sandbox break its features?
It depends on the agent. Ones that expect broad file access will show fewer results; ones that expect specific mounted folders will keep working. The trade-off is intentional: the sandbox is where you decide what the agent can see.
Is there an equivalent to Little Snitch on Windows?
GlassWire and SimpleWall together cover the same ground as Little Snitch on macOS. GlassWire is the visibility half; SimpleWall is the whitelist firewall half. Neither is a single-app parity.
Do these slow the machine down?
Windows Sandbox costs RAM per running instance. Sandboxie-Plus adds negligible overhead on typical workloads. GlassWire and Process Monitor cost background CPU that is only noticeable on busy servers.