An XDA piece last week made a case a lot of readers were quietly thinking: Windows 11’s new AI agent framework is powerful, and the default file-access grant it gets is broader than most users want. Scoped access beats standing access, and the tools to enforce that on Windows exist. They are not the shiniest part of the OS, and they take an evening to set up, but they turn a broad “the agent can read your Documents folder” into “the agent can read this project directory and nothing else.” The best apps for controlling AI agent file access on Windows below are the seven that make the scoping practical.

We picked tools that either sandbox the agent at a process level, block or log its file operations, restrict network egress so a compromised or over-eager agent cannot exfiltrate what it read, or give you the visibility to notice when something touches a folder it should not. Some cost money, several are free, and one is a Microsoft-supplied Windows feature most users have never turned on.

What to look for in a file-access control tool

The agent runs as a process. Everything below controls what a process on Windows can do.

Quick comparison

AppBest forFree planStarting price/yrFocus
Windows SandboxRunning the agent in a disposable VMYesFree with Pro/EnterpriseFull isolation
Sandboxie-PlusPersistent per-app sandbox on any Windows editionYesOptional supporter tierProcess isolation
GlassWireWatching what the agent talks to on the networkFree tierAnnual subscriptionNetwork visibility
OSArmorHardening the process launch surfaceFree tierAnnual subscriptionBehaviour blocking
Voidtools EverythingAuditing the file surface an agent could touchYesFreeFile visibility
SimpleWallWhitelist-only Windows firewallYesFreeEgress control
Process MonitorDeep-diving what the agent actually didYesFreeForensic logging

The apps

1. Windows Sandbox

Windows Sandbox is the built-in Microsoft answer: run the agent in a disposable VM that vanishes when you close it. On Windows 10 and 11 Pro, Enterprise, and Education, enable the feature, launch the sandbox, install the agent inside, and give it a shared folder only if you want it to see specific data. The rest of the file system is invisible.

Where it falls short: Home editions of Windows do not include it. Persistent state between sessions is deliberately absent, so tools that need long-lived configuration are awkward.

Pricing:

Platforms: Windows Pro, Enterprise, Education

Download: Microsoft Learn: Windows Sandbox

Bottom line: the first move if the edition of Windows supports it.

2. Sandboxie-Plus

Sandboxie-Plus is the persistent alternative when Windows Sandbox is not available. It is the open-source revival of the original Sandboxie: a per-app sandbox that intercepts file writes and redirects them to a private layer, and can be configured to block reads to specific paths entirely. Runs on any Windows edition and keeps state between sessions.

Where it falls short: modern apps that hook deep into Windows APIs occasionally fight the sandbox. Configuration has a learning curve.

Pricing:

Platforms: Windows 10, Windows 11

Download: sandboxie-plus.com

Bottom line: the pick when Windows Sandbox is not available and you want persistent state.

3. GlassWire

GlassWire is the visibility layer for what an app talks to on the network. If a scoped agent starts making DNS queries to hosts you have never seen, GlassWire flags it. The GUI is calm, the alerts are actionable, and per-app firewall rules can block egress without opening Windows Firewall UI in three places.

Where it falls short: the free tier is capped on features; the useful controls sit in the paid tier. It is a monitor, not an isolation layer.

Pricing:

Platforms: Windows

Download: glasswire.com

Bottom line: pair with a sandbox to see what still tries to leave.

4. OSArmor

OSArmor hardens the process launch surface: it blocks child processes from spawning powershell.exe, wscript.exe, cmd.exe with unusual arguments, and other patterns AI agents sometimes take when handling tools. That is the exact class of behaviour that turns a scoped read into an unscoped write.

Where it falls short: the ruleset is opinionated and can trip legitimate developer workflows if you skip the whitelist step. Some features sit behind the paid tier.

Pricing:

Platforms: Windows

Download: novirusthanks.org

Bottom line: the pick when you want to stop the agent from spawning something you did not ask for.

5. Voidtools Everything

Everything is not a control tool; it is a visibility tool. Its instant filename index makes an audit of “what would the agent see if you let it read your Documents folder” take five seconds, not an evening. Before you scope, understand the surface. Everything makes that trivial.

Where it falls short: it does not itself control access. It shows what is there so you can decide.

Pricing:

Platforms: Windows

Download: voidtools.com

Bottom line: the pick to run before you configure anything else.

6. SimpleWall

SimpleWall is a whitelist-only Windows firewall. Every process asks permission on first connect, and the default deny is honest. Combined with a sandboxed agent, it gives you the second layer that matters: even if the agent reads something it should not, it cannot phone home.

Where it falls short: the whitelist prompt cycle on first install is real work. It is a firewall, not a sandbox.

Pricing:

Platforms: Windows 7+

Download: github.com/henrypp/simplewall

Bottom line: the pick for anyone who prefers deny-by-default networking.

7. Process Monitor

Process Monitor (Procmon) is the Sysinternals tool that logs every file, registry, and process operation on the system. Point it at the agent process, replay a session, and every file it touched shows up in the log. That is how you confirm the scoping worked, or discover which config file the agent read that you did not remember to protect.

Where it falls short: it is a diagnostic tool, not a live control. Reading a session takes time and attention.

Pricing:

Platforms: Windows

Download: Microsoft Sysinternals

Bottom line: the pick when you need to prove what the agent did.

How to pick the right one

Stack two or three. Sandbox, egress control, and monitoring together make the setup real.

FAQ

Are Windows 11’s own AI agent permission controls enough?

The default grants an agent broad read access inside the user profile. The permission UI has improved but the settings are opt-out for most categories. Layering a sandbox and egress control gives you a stricter posture than the OS defaults.

Which combination gives the strongest isolation?

Windows Sandbox for process isolation, SimpleWall inside or on the host for egress, and Process Monitor for a log. Add GlassWire when you want a nicer network-visibility surface than raw firewall logs.

Does running an agent in a sandbox break its features?

It depends on the agent. Ones that expect broad file access will show fewer results; ones that expect specific mounted folders will keep working. The trade-off is intentional: the sandbox is where you decide what the agent can see.

Is there an equivalent to Little Snitch on Windows?

GlassWire and SimpleWall together cover the same ground as Little Snitch on macOS. GlassWire is the visibility half; SimpleWall is the whitelist firewall half. Neither is a single-app parity.

Do these slow the machine down?

Windows Sandbox costs RAM per running instance. Sandboxie-Plus adds negligible overhead on typical workloads. GlassWire and Process Monitor cost background CPU that is only noticeable on busy servers.