Cannot run any commands due to sandbox on Windows in 2.5

After upgrading to 2.5.x any commands running in sandbox fail:

sandbox: warning - direct egress blocking is best-effort on Windows
C:\Users\user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 : Cannot dot-source this command because it 
was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator.
At line:1 char:1
+ . 'C:\Users\user\Documents\WindowsPowerShell\Microsoft.PowerShell_pro ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Microsoft.PowerShell_profile.ps1], NotSupportedException
    + FullyQualifiedErrorId : DotSourceNotSupported,Microsoft.PowerShell_profile.ps1
 
PHP Warning:  require(phar://box-auto-generated-alias-55b625b77c0f.phar/cli/herd.php): Failed to open stream: phar error: Cannot open temporary file for decompressing phar archive "C:/Users/user/.config/herd/bin/herd.phar" file "cli/herd.php" in C:\Users\user\.config\herd\bin\herd.phar on line 13
PHP Fatal error:  Uncaught Error: Failed opening required 'phar://box-auto-generated-alias-55b625b77c0f.phar/cli/herd.php' (include_path='.;C:\php\pear') in C:\Users\user\.config\herd\bin\herd.phar:13
Stack trace:
#0 {main}
  thrown in C:\Users\user\.config\herd\bin\herd.phar on line 13
The filename, directory name, or volume label syntax is incorrect.
New-Item : Access to the path 'C:\Users\user\AppData\Local\Temp\ps-state-out-bab3ea50-81a7-4182-8a67-5060cf7bed76.txt' 
is denied.
At C:\Users\user\AppData\Local\Temp\ps-script-ccb570a4-8156-4378-9d35-a6b6491155b3.ps1:25 char:5
+     New-Item -Path $OutputFile -ItemType File -Force | Out-Null
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\user\A...060cf7bed76.txt:String) [New-Item], UnauthorizedAcc 
   essException
    + FullyQualifiedErrorId : NewItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.NewItemCommand
 
Add-Content : Access to the path 
'C:\Users\user\AppData\Local\Temp\ps-state-out-bab3ea50-81a7-4182-8a67-5060cf7bed76.txt' is denied.
At C:\Users\user\AppData\Local\Temp\ps-script-ccb570a4-8156-4378-9d35-a6b6491155b3.ps1:19 char:9
+         Add-Content -Path $OutputFile -Value $Content -Encoding UTF8
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\user\A...060cf7bed76.txt:String) [Add-Content], Unauthorized 
   AccessException
    + FullyQualifiedErrorId : GetContentWriterUnauthorizedAccessError,Microsoft.PowerShell.Commands.AddContentCommand
 
Get-ChildItem : An item with the same key has already been added.
At C:\Users\user\AppData\Local\Temp\ps-script-ccb570a4-8156-4378-9d35-a6b6491155b3.ps1:31 char:16
+     $envVars = Get-ChildItem Env: | Sort-Object Name
+                ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ChildItem], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.GetChildItemCommand
 

I have custom aliases for commands in the mentioned PowerShell configuration file or whatever it is called. In multi-root workspaces no commands work at all. In normal projects only some fail. I assume it is only those that rely on the script. Legacy terminal option fixes it but not in multi-root workspaces.

Hi there!

We detected that this may be a bug report, so we’ve moved your post to the Bug Reports category.

To help us investigate and fix this faster, could you edit your original post to include the details from the template below?

The more details you provide, the easier it is for us to reproduce and fix the issue. Thanks!

I am also experiencing this issue on the latest Cursor on Windows. Also using Composer 1.5. To attempt to work around this, I’ve repeatedly tried telling it, even in the same conversation, not to run command line stuff like npm/pnpm, but it doesn’t listen, which makes this issue all the more aggravating. Is there a reason Composer doesn’t listen to very stern specific instructions to NOT RUN commands?

Anyway, these two issues combined make it very annoying to use/unusable as it breaks the flow halfway through it doing a task. I believe it is a critical issue.

Yeah, it seems mostly PowerShell is messing it up. Sometimes commands run, but I'm still getting errors blocking the command output view.

Hey, thanks for the report. This is a known issue. Sandbox on Windows doesn’t work well with custom PowerShell profiles and some other shells. Sandbox starts PowerShell in Restricted Language Mode, which blocks dot-sourcing profiles and access to temp files.

Workaround: turn off Auto-run in Sandbox.

  1. Cursor Settings (gear icon in the top-right, or Ctrl+Shift+J) > Agents > Auto-run: turn it off

Or enable Legacy Terminal Tool.

  1. Cursor Settings > Agents > Legacy Terminal Tool: turn it on

Commands will ask for confirmation, but they won’t have sandbox restrictions. This should also help in multi-root workspaces.

Related thread with the same workaround: Git Bash Fails in Cursor Shell Tool on Windows Due to Sandbox Restrictions

The team is aware of the Windows sandbox issues. There’s no exact ETA for a fix yet, but your report helps us prioritize. Let me know if the workaround doesn’t help.
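
A diagnostic for the three failures in the log at the top of this thread (language-mode mismatch on the profile, denied temp writes, failed `Env:` enumeration), added here as an example; it is not Cursor's code, and the function name and result keys are hypothetical. Run it once in the agent's shell and once in an ordinary PowerShell window and compare the two results.

```powershell
# Added diagnostic, not Cursor code. Function name and result keys are hypothetical.
# Uses only cmdlets and core types so it can also run in ConstrainedLanguage mode.
function Test-AgentShellRestrictions {
    $result = @{}

    # 1. Language mode of this session. DotSourceNotSupported is raised when the
    #    session and the profile script were defined in different language modes.
    $result['LanguageMode']  = "$($ExecutionContext.SessionState.LanguageMode)"
    $result['ProfileExists'] = [bool]($PROFILE -and (Test-Path -LiteralPath $PROFILE))

    # 2. Can this process create and delete a file in its temp directory?
    #    Mirrors the New-Item / Add-Content "Access to the path ... is denied" errors.
    $probe = Join-Path $env:TEMP ("sandbox-probe-{0}.txt" -f (Get-Random))
    try {
        New-Item -Path $probe -ItemType File -Force -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        $result['TempWritable'] = $true
    } catch {
        $result['TempWritable'] = $false
        $result['TempError']    = $_.Exception.Message
    }

    # 3. Can the Env: drive be enumerated? If not, list variable names that collide
    #    when compared case-insensitively (e.g. Path and PATH), which is one known
    #    way to get "An item with the same key has already been added".
    try {
        Get-ChildItem Env: -ErrorAction Stop | Out-Null
        $result['EnvEnumerable'] = $true
    } catch {
        $result['EnvEnumerable'] = $false
        # cmd's "set" prints the raw environment block; Group-Object groups
        # names case-insensitively by default.
        $result['CollidingEnvNames'] = @(cmd.exe /c set |
            ForEach-Object { ($_ -split '=', 2)[0] } |
            Group-Object | Where-Object { $_.Count -gt 1 } |
            ForEach-Object { $_.Name })
    }

    $result
}

Test-AgentShellRestrictions | Format-Table -AutoSize
```

A difference in `LanguageMode` or `TempWritable` between the two shells points at the sandbox rather than at the profile script itself.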

I have both - auto run disabled and legacy terminal enabled, still same problem.

Version: 2.5.17 (user setup)
VSCode Version: 1.105.1
Commit: 7b98dcb824ea96c9c62362a5e80dbf0d1aae4770
Date: 2026-02-17T05:58:33.110Z
Build Type: Stable
Release Track: Early Access
Electron: 39.3.0
Chromium: 142.0.7444.265
Node.js: 22.21.1
V8: 14.2.231.22-electron.0
OS: Windows_NT x64 10.0.19045
