1

In my C# application, if I wanted to be able to download an "add-in" from our website and store it locally on the user's computer, and then run it (assume it's an assembly DLL or EXE, doesn't matter), I assume I can't store it in a subdirectory of my Program Files folder, and that's not really the right place for it since add-ins are user-specific. Where should I store these, and what kinds of trust/security issues might I run into?

Scott Whitlock
  • 13,739
  • 7
  • 65
  • 114
  • Just make sure any code you download is digitally signed by you before running it, otherwise you are exposing your users to many risks including, for example, someone hacking into your site or attacking your users DNS server to make your software download the files from the wrong site (there are many more risks). – Nir Nov 11 '09 at 15:44
  • @Nir: Easy enough if I'm writing my own add-ins, but if I want to allow 3rd party add-ins, I need to sign all of their keys too? – Scott Whitlock Nov 11 '09 at 15:47

2 Answers2

3

The application data directory of the current user would be one place to store them.

string basePath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
basePath = System.IO.Path.Combine(basePath, "MyProgram");
if (!Directory.Exists(basePath))
  Directory.CreateDirectory(basePath);

Trying to write anything inside of Program files after installation will run into problems in Vista, Windows 2008 server, Windows 7 and later. Unless of course your application requires elevation. Also you mentioned your files are specific per user.

Brian R. Bondy
  • 339,232
  • 124
  • 596
  • 636
1

Use the IsolatedStorage class provided in .NET for storing user specific stuff.

More information: Working with Isolated Storage in .NET

Scott Whitlock
  • 13,739
  • 7
  • 65
  • 114
Ian
  • 33,605
  • 26
  • 118
  • 198
  • Anyone want to provide a reason why this method is better or worse than Brian's? – Scott Whitlock Nov 11 '09 at 15:48
  • Scott, it isn't a lot different. I think the storage location is slightly different to the one that would be used in Brian's answer. Generally its the recommended according to the .NET books I've read for user/app specific data. Depending on the system deployed you've got a much better change of allowing privileges to use IsolatedStorage using CAS if you run into problems that you might not have using Brian's approach. – Ian Nov 11 '09 at 16:25
  • According to this: http://stackoverflow.com/questions/882490/how-to-decide-where-to-store-per-user-state-registry-appdata-isolated-storage/882496#882496 isolatedstorage is inside the ApplicationData folder anyway, so I think this is the better answer. – Scott Whitlock Nov 11 '09 at 18:11