Windows: what is AppData LocalLow
what's Low-integrity processes
ai answer
"Low-integrity processes" (and the related AppData\LocalLow folder) are a security feature in Windows Vista and later called Integrity Levels or Mandatory Integrity Control (MIC).
What "integrity level" means
Windows assigns every program and process one of these integrity levels:
| Integrity Level | Meaning | Typical programs |
|---|---|---|
| High | Administrator / full privileges | Programs you run as Administrator |
| Medium | Normal user privileges | Most apps you run normally (Chrome, Word, games, etc.) |
| Low | Very restricted – can barely write anywhere | Protected Mode Internet Explorer, Chrome/Edge sandboxed tabs, PDF readers in sandbox, some browser plugins |
Why low-integrity processes exist
They are a defense against malware.
If you visit a shady website and it tries to exploit your browser:
- The browser tab/process runs at Low integrity.
- Even if the attacker takes full control of that tab, Windows blocks it from:
- Writing to most folders (like Program Files, Documents, etc.)
- Reading sensitive files
- Starting other programs with higher privileges
The only place a low-integrity process is normally allowed to write is the AppData\LocalLow folder.
Real-world examples of low-integrity processes
| Program | Which part runs at Low integrity |
|---|---|
| Microsoft Edge / Google Chrome / Firefox | Individual tabs and extensions (sandbox) |
| Old Internet Explorer | “Protected Mode” |
| Adobe Reader / Foxit Reader (when sandboxed) | The PDF rendering process |
| Windows Defender SmartScreen | Some checks |
| Some UWP/Metro apps | By default run at Low or Medium |
The three AppData folders and integrity
| Folder | Who can normally write there |
|---|---|
| AppData\Roaming | Medium and High integrity processes (your normal apps) |
| AppData\Local | Medium and High integrity processes |
| AppData\LocalLow | Low-integrity (heavily sandboxed) processes only |
Summary in plain words
- Low-integrity process = a program (or part of a program) that Windows deliberately runs in a “jail” so that even if malware hijacks it, it can’t do much damage.
- AppData\LocalLow = the only safe sandbox folder where these jailed processes are allowed to store their settings or temporary files.
For regular home users, you almost never need to care about this — it’s all automatic security running in the background.