Best Practices for .config files - in %ProgramData% or %ProgramFiles% ?


  • We have a point of sale application that has a local database and a connection to a server. There are two categories of settings we wish to keep on the machine. 

    Category 1: Server connection information (IP Addresses, locations of shared server files, etc)
    Category 2: Preferences that the individual user can change - like fonts and colors.

    I haven't been able to find a definite reference from Microsoft that says what the best practice is for the location of a .config file. So far, we are thinking we need two config files - a machine.config located in the %ProgramFiles% directory - so only the installer and admins can mess with it - and a second app.config file in the %ProgramData% folder for the user settings that can change during the operation of the program as well as the local database.

    Is this correct? Should we only have a single .config file in %ProgramData% and use encryption for the server settings? (This leads me to think that a user could delete the encrypted portion of the file and hose-up the system, and is thus a bad idea).

    What is the best practice for the .config file?

    Thanks in advance for any opinions or answers.

      - Sean
    Tuesday, February 02, 2010 9:16 PM

All replies

  • If it's a .config file, then it needs to be in the application root, and sub-folders if required.

    Personally I would just use one .config file, and not the machine.config, so you can have application specific settings.

    If you had a hand rolled storage; your own custom Xml or something, you might want to consider where you put it, particularly if you don't want to care about permissions, as you could put it in isolated storage, but system information doesn't belong there.

    If your settings aren't really a .config, and are instead some file based storage, then you can put them wherever you find is most appropriate, but if you put them in a different location to the application, then you will need to consider permissions and security for that location as well.

    You could also put these in a database settings table, to keep you from needing an answer to this question?

    Hope that helps,


    MCSD, MCTS, MCPD. Please mark my post as helpful if you find the information good!
    Friday, February 05, 2010 9:21 AM
  • Hi,

    For Category 1, apart from the suggestions from Martin, what you could also consider for server connections is something called DSNs. There are user and system DSNs, so depending on your security preferences you can look at one of them as an option.

    The other thing that I have seen being done is to store the settings in an external .config file apart from the web.config which will enable you to apply your custom encryption and decryption technologies.

    And do not forget!!! The registry is also an option.


    Sunday, February 07, 2010 4:08 PM
    I'm assuming you are writing a .NET application.

    For starters, no 'config' file in Program Files should be written to in an OS like Vista and beyond. Vista will do it, but it will be virtualised. Plus, it's subject to access rights. It's better to use the program data virtual folder instead.

    Personally I would highly recommend you use .NET Isolated Storage, as it does exactly what you want -

    • provides an isolated storage area for system-wide settings
    • provides individual isolated storage area for each user
    The location of these areas is nicely encapsulated and provides a brilliant way so that other applications or users can't corrupt it.

    I would avoid the registry, as it is subject to security issues that must be solved during install time.
    Micky D
    Thursday, March 11, 2010 4:20 AM
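
The two-store isolated storage layout recommended in the last reply, as an added C# example that is not code from any poster in this thread: server settings go in the machine-scoped store, user preferences in the per-user store, and the server value is validated on every read. The file names, the one-value-per-file format, the default font and the sample address are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Net;

static class PosSettings
{
    // Hypothetical file names and formats, chosen for this example.
    const string ServerFile = "server.txt";  // Category 1: a single IP address
    const string PrefsFile = "prefs.txt";    // Category 2: font name

    static string Read(IsolatedStorageFile store, string name)
    {
        if (store.GetFileNames(name).Length == 0) return null;  // nothing saved yet
        using (var fs = new IsolatedStorageFileStream(name, FileMode.Open, FileAccess.Read, store))
        using (var reader = new StreamReader(fs))
            return reader.ReadToEnd().Trim();
    }

    static void Write(IsolatedStorageFile store, string name, string value)
    {
        using (var fs = new IsolatedStorageFileStream(name, FileMode.Create, FileAccess.Write, store))
        using (var writer = new StreamWriter(fs))
            writer.Write(value);
    }

    // Machine scope: one copy shared by all users of this assembly.
    public static void SaveServer(IPAddress ip)
    {
        using (var store = IsolatedStorageFile.GetMachineStoreForAssembly())
            Write(store, ServerFile, ip.ToString());
    }

    public static IPAddress LoadServer()
    {
        using (var store = IsolatedStorageFile.GetMachineStoreForAssembly())
        {
            // Isolated storage is not protected from trusted users or full-trust code,
            // so parse and validate the value instead of trusting it as written.
            string raw = Read(store, ServerFile);
            IPAddress ip;
            return raw != null && IPAddress.TryParse(raw, out ip) ? ip : null;
        }
    }

    // User scope: each Windows account gets its own copy.
    public static void SaveFont(string font) { using (var s = IsolatedStorageFile.GetUserStoreForAssembly()) Write(s, PrefsFile, font); }
    public static string LoadFont() { using (var s = IsolatedStorageFile.GetUserStoreForAssembly()) return Read(s, PrefsFile) ?? "Segoe UI"; }

    static void Main()
    {
        SaveServer(IPAddress.Parse("192.0.2.10"));  // constructed sample value
        SaveFont("Consolas");
        Console.WriteLine("{0} / {1}", LoadServer(), LoadFont());
    }
}
```

A `null` from `LoadServer` means the server setting is missing or malformed, which the application should treat as "not configured" instead of attempting a connection.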