Why are there directories called Local, LocalLow, and Roaming under \Users\<username>\AppData?
Roaming is the folder that would be synchronized with a server if you logged into a domain with a roaming profile (enabling you to log into any computer in a domain and access your favorites, documents, etc.). Firefox stores its information here, so you could even have the same bookmarks between computers with a roaming profile.
Local is the folder that is specific to that computer - any information here would not be synchronized with a server. This folder is equivalent in Windows XP to C:\Documents and Settings\User\Local Settings\Application Data.
LocalLow is the same folder as Local, but it has a lower integrity level. For example, Internet Explorer 8 can only write to the LocalLow folder (when protected mode is on).
This document from Microsoft ("Managing Roaming User Data Deployment Guide") has a long explanation for what these three folder areas are and how they are used, as well as the changes implemented between Windows XP and Vista (Windows 7 retains the Vista structure).
Roaming: This folder (%appdata%) contains data that can move with your user profile from PC to PC—like when you’re on a domain—because this data can be synced with a server. For example, if you sign in to a different PC on a domain, your web browser favorites or bookmarks will be available.
Local: This folder (%localappdata%) contains data that can't move with your user profile. This data is typically specific to a PC or too large to sync with a server. For example, web browsers usually store their temporary files here.
LocalLow: This folder (%appdata%/../LocalLow) contains data that can't move, but also has a lower level of access. For example, if you're running a web browser in a protected or safe mode, the app will only be able to access data from the LocalLow folder.
The apps themselves choose whether to save to the Local, LocalLow, or Roaming folders. Most desktop apps use the Roaming folder by default, while most Windows Store apps use the Local folder by default.
As explained in this blog post, the LocalLow folder (and several other Low folders) is created as an extra level of security for programs that are frequently under attack because they are exposed to the web. Internet Explorer and Adobe Acrobat are two prime examples on my system.
Essentially, a program that knows it is vulnerable can start itself in "low" access mode so that it can only write into those folders and not infect the rest of the hard drive.
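The difference the answers describe between Local and LocalLow is a mandatory integrity label on the folder, not a separate permission list. The following PowerShell script is an added example, not code from any of the answers above or from Microsoft: it resolves the three folders from the documented %APPDATA% and %LOCALAPPDATA% variables (LocalLow has no variable of its own, so it is derived from the profile root), reads each folder's label with icacls, and shows the integrity level of the current shell for comparison. It assumes a stock Windows installation where icacls.exe and whoami.exe are present and print their usual English output.

```powershell
# Added example (not from the original answers): map the three AppData folders
# to their paths and read each folder's mandatory integrity label with icacls.
# Assumes icacls.exe and whoami.exe are available (stock Windows since Vista).

# Resolve the three folders the answers describe.
$folders = [ordered]@{
    Roaming  = $env:APPDATA
    Local    = $env:LOCALAPPDATA
    LocalLow = Join-Path $env:USERPROFILE 'AppData\LocalLow'
}

function Get-MandatoryLabel {
    param([string]$Path)
    # icacls lists every ACE on the object. An explicit integrity label shows up
    # as "Mandatory Label\<Level> Mandatory Level:(flags)"; the (NW) flag means
    # NoWriteUp: a process running below that level cannot write to the object.
    $line = icacls $Path 2>$null |
        Select-String -SimpleMatch 'Mandatory Label' |
        Select-Object -First 1
    if ($null -eq $line) {
        # No label ACE at all: Windows treats the object as Medium, so a Low-IL
        # process (for example a protected-mode browser) cannot write into it.
        return 'Medium (implicit, no label ACE)'
    }
    return ($line.Line -replace '.*Mandatory Label\\', '').Trim()
}

'{0,-9} {1,-48} {2}' -f 'Folder', 'Path', 'Integrity label'
foreach ($name in $folders.Keys) {
    '{0,-9} {1,-48} {2}' -f $name, $folders[$name], (Get-MandatoryLabel $folders[$name])
}

# For comparison, the integrity level of this PowerShell session. Only a process
# at or above a folder's label may write into that folder.
$shellLevel = (whoami /groups |
    Select-String -SimpleMatch 'Mandatory Level' |
    Select-Object -First 1).Line -replace '^(.*Mandatory Level).*', '$1'
''
'This shell runs at: ' + $shellLevel.Trim()
```

Run it from an ordinary (non-elevated) PowerShell window. On a default installation LocalLow is the only one of the three that carries an explicit Low label, which is exactly what lets a browser in protected mode write there while being refused in Local and Roaming; if you run the script from an elevated prompt, the last line changes to a High level, but the folder labels do not.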