Windows: what is AppData LocalLow

By Xah Lee. Date: .

what's Low-integrity processes

ai answer

"Low-integrity processes" (and the related AppData\LocalLow folder) are a security feature in Windows Vista and later called Integrity Levels or Mandatory Integrity Control (MIC).

What "integrity level" means

Windows assigns every program and process one of these integrity levels:

Integrity Level Meaning Typical programs
High Administrator / full privileges Programs you run as Administrator
Medium Normal user privileges Most apps you run normally (Chrome, Word, games, etc.)
Low Very restricted – can barely write anywhere Protected Mode Internet Explorer, Chrome/Edge sandboxed tabs, PDF readers in sandbox, some browser plugins

Why low-integrity processes exist

They are a defense against malware.
If you visit a shady website and it tries to exploit your browser:

The only place a low-integrity process is normally allowed to write is the AppData\LocalLow folder.

Real-world examples of low-integrity processes

Program Which part runs at Low integrity
Microsoft Edge / Google Chrome / Firefox Individual tabs and extensions (sandbox)
Old Internet Explorer “Protected Mode”
Adobe Reader / Foxit Reader (when sandboxed) The PDF rendering process
Windows Defender SmartScreen Some checks
Some UWP/Metro apps By default run at Low or Medium

The three AppData folders and integrity

Folder Who can normally write there
AppData\Roaming Medium and High integrity processes (your normal apps)
AppData\Local Medium and High integrity processes
AppData\LocalLow Low-integrity (heavily sandboxed) processes only

Summary in plain words

For regular home users, you almost never need to care about this — it’s all automatic security running in the background.

Windows AppData