Windows maintains a separate set of certificate stores for each user account, plus one system-wide set shared by all user accounts. That is, each user account has its own MY, CA and ROOT stores for certificates used for its own purposes (e.g. client authentication, or validation of particular hosts), and also has access to the system-wide MY, CA and ROOT stores that hold certificates common to all accounts (e.g. widely known root CA certificates, such as Verisign's or Thawte's). The stores making up the user-specific set are usually referred to as “current user” stores (from the point of view of the account that owns them), while the system-wide stores are known as “local machine” certificate stores.
In most cases, the current user store set is the right location for application-specific certificates. Use of the local machine stores is subject to security restrictions because of their importance to the health of the whole system: only accounts with administrative privileges can add certificates to, or delete them from, local machine stores, and only administrator accounts, or accounts that have been explicitly granted permission on the key, can use the private keys associated with certificates kept there. Note that these are two separate permissions: being able to read a certificate from a local machine store does not by itself give an account the right to use its private key. However, it is sometimes technically impossible to use current user stores, for example with applications that run under a dedicated system account such as NetworkService (ASP.NET websites being a typical case), and other situations exist where current user stores are unacceptable. Under such conditions the local machine store set is the only in-system certificate location available to the application.
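As an added example (not part of this documentation or of the product it describes), the following Windows PowerShell script illustrates the two store sets and the restrictions just described: it lists the current-user and local-machine MY stores, imports a PFX into the local machine store only when running elevated (falling back to the current user store otherwise), and then grants NetworkService use of the private key by editing the ACL on the key container file. The PFX path, the password prompt and the Get-MachineKeyFile helper are assumptions of the example; it targets Windows PowerShell 5.1 and RSA keys held by the Microsoft software CSP/KSP, whose machine key containers live under %ProgramData%\Microsoft\Crypto.

```powershell
<#
  Added example, not part of the original documentation. $PfxPath and
  $ServiceAccount are illustrative placeholders; the local machine branch
  requires an elevated session.
#>
param(
    [string]       $PfxPath        = 'C:\certs\app.pfx',   # assumed path
    [SecureString] $PfxPassword    = (Read-Host -AsSecureString 'PFX password'),
    [string]       $ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'
)

# The Cert: drive exposes both store sets: current-user stores under
# Cert:\CurrentUser, local-machine stores under Cert:\LocalMachine.
'--- current user MY store ---'
Get-ChildItem Cert:\CurrentUser\My  | Format-Table Thumbprint, Subject, HasPrivateKey
'--- local machine MY store ---'
Get-ChildItem Cert:\LocalMachine\My | Format-Table Thumbprint, Subject, HasPrivateKey

# Writing to local machine stores requires administrative privileges, so pick
# the store by checking whether the current token is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$storePath = if ($isAdmin) { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
"Importing $PfxPath into $storePath"
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $storePath -Password $PfxPassword

# Locate the on-disk key container of a local machine certificate. Seeing the
# certificate in the store and using its private key are separate permissions;
# the latter is governed by the ACL on this key file (helper assumed here).
function Get-MachineKeyFile {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) { throw "Certificate $($Certificate.Thumbprint) has no accessible RSA private key" }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG (Microsoft Software Key Storage Provider) machine keys
        if (-not $rsa.Key.IsMachineKey) { throw 'Key is a per-user CNG key, not a machine key' }
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
        $name = $rsa.Key.UniqueName
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI (CSP) machine keys
        if (-not $rsa.CspKeyContainerInfo.MachineKeyStore) { throw 'Key is a per-user CSP key, not a machine key' }
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    else { throw "Unsupported key type $($rsa.GetType().FullName)" }

    $path = Join-Path $dir $name
    if (-not (Test-Path $path)) { throw "Key container not found at $path" }
    return $path
}

# Grant the service account read access to the key container (sufficient for
# signing and decryption with the Microsoft software providers), then show the ACL.
if ($isAdmin) {
    $keyFile = Get-MachineKeyFile -Certificate $cert
    $acl     = Get-Acl -Path $keyFile
    $rule    = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    "Key container: $keyFile"
    (Get-Acl -Path $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
}
else {
    'Not elevated: certificate imported into the current user store; the importing account already owns the key.'
}
```

Run the script once from an elevated prompt when the certificate must be usable by a service account; re-running it is harmless, since adding an identical access rule does not duplicate the ACE. Granting Read on the key container is the minimum needed for the service to sign or decrypt; avoid Full Control, which would also let the account export or delete the key.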