I am creating a desktop app that will sit on a PC and occasionally check a web server for updates to various settings.

The program will be using these settings frequently so I would like to cache the settings in a file on the PC so it doesn't have to hit the server constantly. There are a lot of settings. I was thinking about storing them in an XML file but I need the file to be unreadable by the PC users.

How should I store the settings on the PC that the program can read and write to but the user cannot read?

EDIT: Sorry guys. The application is being written in C# using .NET 2.0. The application will only run on Windows. It is a console app that will run as a Windows Service.

A: 

You are concerned about users reading the file or modifying it?

Regardless - you can encrypt it with a random key and bury the key somewhere in the registry.

mfeingold
+2  A: 

If the app is a service then it can run under an account that isn't the user's; then it's easy enough to keep the file hidden from him.

As a Windows app, you have your choice of the Registry or a file or a local database. For files, your choice of a simple properties file or an XML file.

For any of those, your choice of encrypted (just in case) or not.

Carl Smotricz
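
One way to combine the service-account approach above with encryption, as an added example that is not code from any poster in this thread: the settings are encrypted with Windows DPAPI (`ProtectedData`, swapped in here for a hand-managed key) under the service's own account, and the file is created with an ACL limited to that account and local administrators. The class name, file path and sample settings are constructed.

```csharp
// Added example (constructed names and data). .NET Framework 2.0+, Windows only;
// add a reference to System.Security.dll for ProtectedData.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

static class SettingsCache
{
    public static void Save(string path, string xml)
    {
        // DPAPI keys are tied to the calling account; the application stores no key.
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(xml), null, DataProtectionScope.CurrentUser);

        FileSecurity acl = new FileSecurity();
        acl.SetAccessRuleProtection(true, false);   // drop inherited entries (e.g. Users)
        acl.AddAccessRule(new FileSystemAccessRule(
            WindowsIdentity.GetCurrent().User,      // the account the service runs as
            FileSystemRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
            FileSystemRights.FullControl, AccessControlType.Allow));

        // An ACL passed at creation is ignored for a file that already exists,
        // so remove any old copy and create the file fresh.
        File.Delete(path);
        using (FileStream fs = new FileStream(path, FileMode.CreateNew,
            FileSystemRights.Write, FileShare.None, 4096, FileOptions.None, acl))
        {
            fs.Write(blob, 0, blob.Length);
        }
    }

    public static string Load(string path)
    {
        // Unprotect throws CryptographicException if the blob was modified
        // or was protected under a different account.
        byte[] plain = ProtectedData.Unprotect(
            File.ReadAllBytes(path), null, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "settings.cache");
        Save(path, "<appSettings><add key=\"Test1\" value=\"My value 1\" /></appSettings>");
        Console.WriteLine(Load(path));
    }
}
```

Save and Load must run under the same account, since a blob protected with `DataProtectionScope.CurrentUser` does not decrypt under another one. A local administrator can still take ownership of the file or run code as the service account.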
+1  A: 

Your idea for an xml configuration is a good start (the XML DOM is easy to navigate, well known, documented, etc.).

If you don't want the user to be able to read/edit the settings you could keep it in memory but you would lose the data from run to run. You didn't seem to indicate that the app would be restarted though so this may work for you. There is also the option of detecting when the app is shutting down and you can then dump your cache to disk.

Ragepotato
+3  A: 

Assuming that you are targeting the Windows platform, you can either

  • use the registry
  • use a configuration file
  • or use a database

Data can be encrypted in all 3 cases if needed. If you really have lots of settings, the registry is probably not the easiest way to do this. If you have a .net app, look at SQL Server Compact Edition, it is really light-weight, easy to deploy with your app, and does not need a runtime environment.

cdonner
+1  A: 

Regardless of if you store these settings locally, if you load them into memory a user can read them. If you transfer them across a network it is pretty simple to scan network packets, even over an encrypted connection there are plenty of tools that will man-in-the-middle your own network connection for you (I've used OpenSTA for that, even though it isn't exactly made for it). Someone who really, really wants to see what you're using for settings will be able to see them if you're running something on their computer.

Now, having said that, keeping them in XML and just encrypting the file is probably the simplest solution. Even just compressing the file and changing the extension will keep away people who are merely curious about what settings you have.

tloach
+2  A: 

If it is on the end user's machine, sooner or later they can read it. If the program is running on their local machine, then they can make it do whatever they want. If this is some sort of a client-server program, you simply can never trust what the client says.

One of the easiest ways to store settings in .Net is to create a class that contains everything you want to keep track of, and then serialize it to and from the disk. Since this file just acts as a cache, you can probably just use a Binary Formatter, which will make the file only readable to those who know what they are doing.

Be sure to save the settings in a UAC friendly directory like ApplicationData.

Chris
Chris, I like your idea but I will probably still encrypt the data. Thanks.
modernzombie
+2  A: 

You could write the application configs in an XML file like this:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <appSettings>
        <add key="Test1" value="My value 1" />
        <add key="Test2" value="Another value 2" />
    </appSettings>
</configuration>
birrer
+1  A: 

Settings are pretty easy in C#.net. Creating a settings file can be done through the project's property pages (Settings tab). Then if you really want to, you could pick up the settings file and encrypt the root xml element either with symmetric or asymmetric keys.

Then, as others have mentioned, keeping the keys and routines to edit the settings out of the user's hands is another problem. You could send the settings to the server on which the private key exists keeping only the public key on the client for decryption, have the server do the encryption/signing. Any tampering with the settings on the client you would know because the signature would fail. So, if you have the settings saved locally, the user couldn't read them without a bit of code and you can only decrypt them to use them; writing/creating would be done by the server.

Dave T.