Andy Ying, from security firm Trail of Bits, detailed his method in a blog post last week.
He said he had released the code which he had used, under the name Flying Sandbox Monster.
Ying's work comes in the wake of the discovery of numerous bugs in Windows Defender by Google.
It would also allow wrapping the I/O of an application behind a TCP server, letting the sandboxed application run on a completely different machine so that it had an additional isolating layer.
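The TCP-wrapped I/O described above, as an added example in Rust that is not Ying's Flying Sandbox Monster code: a constructed stand-in scanner (it only recognises the EICAR test string) sits behind a length-prefixed TCP protocol so that the scanning side can run on a separate machine; the framing, the size cap and the one-byte verdict are assumptions of this example, not the project's protocol.

```rust
use std::io::{Error, ErrorKind, Read, Write};
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::thread;

/// Upper bound on a submitted sample (assumed value); the server refuses
/// anything larger before reading it, so a client cannot exhaust its memory.
pub const MAX_SAMPLE: u32 = 16 * 1024 * 1024;

/// Constructed stand-in for the scanning engine: it only flags the EICAR
/// test string, which every antivirus is expected to detect.
pub fn scan(sample: &[u8]) -> bool {
    const EICAR: &[u8] = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
    sample.windows(EICAR.len()).any(|w| w == EICAR)
}

/// Wire format (assumed): 4-byte big-endian length, then the sample bytes;
/// the reply is a single byte, 1 = detected, 0 = clean.
fn handle(mut conn: TcpStream) -> std::io::Result<()> {
    let mut hdr = [0u8; 4];
    conn.read_exact(&mut hdr)?;
    let len = u32::from_be_bytes(hdr);
    if len > MAX_SAMPLE {
        return Err(Error::new(ErrorKind::InvalidData, "sample too large"));
    }
    let mut buf = vec![0u8; len as usize];
    conn.read_exact(&mut buf)?;
    conn.write_all(&[scan(&buf) as u8])
}

/// Bind the scan service on a background thread; returns the address to connect to.
pub fn serve(bind: &str) -> std::io::Result<SocketAddr> {
    let listener = TcpListener::bind(bind)?;
    let addr = listener.local_addr()?;
    thread::spawn(move || {
        for conn in listener.incoming().flatten() {
            thread::spawn(move || { let _ = handle(conn); });
        }
    });
    Ok(addr)
}

/// Client side: ship the sample to the (possibly remote) scanner and read the verdict.
pub fn scan_remote(addr: SocketAddr, sample: &[u8]) -> std::io::Result<bool> {
    let mut conn = TcpStream::connect(addr)?;
    conn.write_all(&(sample.len() as u32).to_be_bytes())?;
    conn.write_all(sample)?;
    let mut verdict = [0u8; 1];
    conn.read_exact(&mut verdict)?;
    Ok(verdict[0] == 1)
}
```

Binding to `127.0.0.1:0` picks a free port for local use; in the remote setup the scanner host binds an address the client can reach, and only the framed bytes cross the boundary.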
Ying pointed out that the core Windows Defender process, MsMpEng, ran as a service with SYSTEM privileges, and that the scanning engine, MpEngine, supported the parsing of a huge number of file formats and also provided full-system emulators for different architectures and language interpreters.
"All of this, performed with the highest level of privilege on a Windows system. Yikes," he wrote.
Ying has provided a detailed technical explanation of his method, and has also listed the reasons he used Rust to write the code.