Registry

HKEY_LOCAL_MACHINE

If you store configuration data under HKEY_LOCAL_MACHINE , remember that any process on the local computer can potentially access the data. To restrict access, apply a restrictive access control list (ACL) to the specific registry key to limit access to administrators and your specific process or thread token. If you use HKEY_LOCAL_MACHINE , it does make it easier at installation time to store configuration data and also to maintain it later on.

HKEY_CURRENT_USER

If your security requirements dictate an even less accessible storage solution, use a key under HKEY_CURRENT_USER . This approach means that you do not have to explicitly configure ACLs because access to the current user key is automatically restricted based on process identity.

HKEY_CURRENT_USER allows more restrictive access because a process can only access the current user key, if the user profile associated with the current thread or process token is loaded.

Version 1.1 of the .NET Framework loads the user profile for the ASPNET account on Windows 2000. On Windows Server 2003, the profile for this account is only loaded if the ASP.NET process model is used. It is not loaded explicitly by Internet Information Services (IIS) 6 if the IIS 6 process model is used on Windows Server 2003.

Reading from the Registry

The following code fragment shows how to read an encrypted database connection string from under the HKEY_CURRENT_USER key using the Microsoft.Win32.Registry class.

 using Microsoft.Win32; public static string GetEncryptedConnectionString() {   return (string)Registry.                  CurrentUser.                  OpenSubKey(@"SOFTWARE\YourApp").                  GetValue("connectionString"); } 

For more information about how to use the code access security RegistryPermission to constrain registry access code for example to limit it to specific keys, see "Registry" in Chapter 8, "Code Access Security in Practice."