I have a textual resource file filled with hashed usernames + passwords and their associated privileges. When they start the application they log in and depending on their credentials they have access to different parts of the application.
This all works well but the problem is is that those with Administrator accounts should be able to add new users to the list from within the program. I've looked around and it seems like you're not meant to edit compiled resource files.
However, I cannot save this user list to the computer because someone can delete it, edit it, or corrupt it. Also, I cannot query an online service because the application is often used in places without an internet connection.
I like using resource files because they're embedded within the executable and new users will not be created very often. Is there any way to edit and recompile the resource file during the runtime of the application? Does anyone know of any other alternatives I can use to provide offline security to this application?
It is possible to update a string resource in an executable. Microsoft has an Stablupd example that shows how to do it. There are also C# libraries built around the WinAPI resource functions such as ResourceLib. However, I would not recommend trying to change the resources of the executable while it is running. It might not cause any problems but it isn't a good design practice. I think your best bet is to store the information in an encrypted file or encrypted in the registry. You could mark the file as read-only when your program closes and lock it while the program is running. Yes, the user could still delete it, but if you are editing resources in a program, they could also delete or uninstall your program, then you would end up losing all the data that way too. At least storing it in the registry has less of a likelihood of being deleted.