79804451

Date: 2025-10-30 06:42:04
Score: 3.5
Natty:

Are there any Microsoft or industry best practices that discourage storing serial or license information in the Uninstall key?

You should not store anything in a location not owned by you, unless specifically instructed by the owning app to do so.

Create your own key, i.e. [HKEY_LOCAL_MACHINE] or [HKEY_CURRENT_USER]/[Your-Company]/[Your-App] and store any and all information about the app there. In your WiX configuration, be sure to clean it up on uninstallation.

Be careful to use [HKEY_LOCAL_MACHINE] or [HKEY_CURRENT_USER] correctly, depending on whether the installation is per-machine or per-user.

Use of the registry is however not as widespread as it once was, since cross-platform requirements often make it unsuitable as a mechanism. We're mostly back to storing such things in the file system, or at times in the app database. I recommend storing it in a file in %LOCALAPPDATA%\[Your-Company]\[Your-App] on Windows and the corresponding places on other platforms, if any.

Since this key is accessible to users (especially those with local admin privileges), could this expose license or customer-sensitive data?

It certainly exposes the license number, but it only exposes what you write there. Whether it's customer-sensitive depends on what's in the number, but it is not likely unless you use the customer's social security number or credit card number as a license number ;-).

If this is not advisable, what would be a more secure method of storing such data? (For example, encrypting serial key)

It depends on how you view the license key, but typically you should not view it as a secret in the sense that it requires encryption. You can't really encrypt it securely without things getting complicated, and in the end, if the user has access to the decryption key, so does anyone else running as the user.

Normally you would view a serial number or license key to be something of value, under the custody of the user, and have the license agreement state how the license key may be used.

A common practice for offline license verification is to create a license key by including something tying it to the user or the user's system, perhaps an email address, a name or a hardware identifier, and then digitally sign it before delivering it. The app then verifies it has a valid license with an embedded public key (which is not a secret). The license key can still be stolen or misused, but if it's discovered, the source can be determined.

A signed license key is my personal preference. If online access is ok, a revocation server may be contacted to ensure that the license key has not been disabled, but personally I think it is overkill unless the license is perpetual and misuse causes you direct costs, not just lost revenue. One of the beautiful things about software is that the marginal cost of producing a copy is essentially zero, so typically a stolen license key only causes you potentially lost revenue and in most cases not even that, as the user using a stolen license key is unlikely to purchase it anyway under any circumstances unless you really created a must-have killer app with no alternatives.

If you are interested, I have made a NuGet package for .NET that handles signing and verification of a software license.

Alternatively, perform online verification if suitable, where the user signs in to the app in a cloud service, and receives some form of indication or token back if the user is licensed to use the app.

There's more that can be said and many nuances, but this should be a start.

Reasons:
  • RegEx Blacklisted phrase (3): does anyone else
  • Long answer (-1):
  • No code block (0.5):
  • Contains question mark (0.5):
  • Low reputation (0.5):
Posted by: Xecrets