codex - 💡(How to fix) Fix Windows sandbox users are created but their profiles are not initialized until manual first logon [1 participants]

Summary

On Windows, Codex creates the local sandbox users:

• CodexSandboxOnline
• CodexSandboxOffline

but their user profiles are not initialized automatically. Before a manual first logon:

• LastLogon is empty
• C:\Users\CodexSandboxOnline does not exist
• C:\Users\CodexSandboxOffline does not exist

After forcing a first logon with -LoadUserProfile, the profile directory is created and LastLogon updates.

This suggests the Windows sandbox setup leaves the sandbox users in a partially initialized state until they are manually logged in.

I investigated this because sandboxed HTTPS requests using the Windows Schannel stack were failing with SEC_E_NO_CREDENTIALS. Since Schannel often depends on per-user Windows profile state, the absence of C:\Users\CodexSandboxOnline / C:\Users\CodexSandboxOffline looked like a plausible explanation and was worth checking directly.

Version / platform

• Date observed: April 11, 2026
• Platform: Windows 11 / Windows 10.0.26200
• PowerShell: 7.5.5

What I observed

The users do exist:

Get-LocalUser CodexSandboxOnline, CodexSandboxOffline

but initially:

• LastLogon was empty for both
• C:\Users\CodexSandboxOnline did not exist
• C:\Users\CodexSandboxOffline did not exist

Then I forced first logon manually using the stored sandbox credentials and -LoadUserProfile.

After that:

• C:\Users\CodexSandboxOnline existed
• C:\Users\CodexSandboxOffline existed
• LastLogon updated for both users

Expected behavior

If the Windows sandbox relies on dedicated local users, they should be fully initialized before first sandboxed use, or the first-use path should reliably initialize them automatically.

At minimum:

• first sandbox use should not depend on a manual logon workaround
• profile creation should be part of setup or first-run bootstrap

Actual behavior

The users are created, but their profiles are not initialized until manual first logon.

Why this matters

This appears to affect Windows sandbox reliability. In my testing, the sandbox users only started behaving like normal Windows users after profile creation.

That is especially relevant for any feature that depends on per-user Windows state, such as:

• TLS/Schannel
• user environment variables
• AppData-backed state
• DPAPI / profile-backed crypto state

Repro

Before manual first logon

Get-LocalUser CodexSandboxOnline, CodexSandboxOffline | Format-List Name,Enabled,LastLogon
Test-Path C:\Users\CodexSandboxOnline
Test-Path C:\Users\CodexSandboxOffline

Observed:

• users exist
• LastLogon empty
• profile directories missing

Manual first logon workaround

Run a process as the sandbox user with -LoadUserProfile.

After that:

Get-LocalUser CodexSandboxOnline, CodexSandboxOffline | Format-List Name,LastLogon
Test-Path C:\Users\CodexSandboxOnline
Test-Path C:\Users\CodexSandboxOffline

Observed:

• LastLogon populated
• profile directories now exist

Suspected source area

The Windows sandbox code creates the users during setup, but profile creation seems to be deferred until first actual logon.

Relevant files:

• codex-rs/windows-sandbox-rs/src/sandbox_users.rs
• codex-rs/windows-sandbox-rs/src/elevated_impl.rs
• codex-rs/windows-sandbox-rs/src/hide_users.rs

The code in hide_users.rs explicitly notes that Windows only creates the profile directory when the user first logs in.

Suggested fix direction

One of:

1. initialize the sandbox-user profiles during setup
2. explicitly bootstrap first logon/profile creation on first sandbox use
3. fail with a clear diagnostic if profile initialization did not happen