See the question and my original answer on StackOverflow

Since the user is not an administrator of the machine (this is a fundamental hypothesis), there are many ways to hide things from her.

What I propose is:

  • Make sure the main app runs under different credentials than the logged-on user, a "special user".
  • Write another end-user app, just for setup, that talks to this app (using any interprocess communication you see fit, TCP/IP, whatever, maybe secure but I wouldn't care too much about this). This app is used only to gather credentials and send them to the first app.
  • Now, the main app can write the token anywhere the logged-on user has no access, but I recommend protected data because it's very easy to use.

Since data encrypted using protected data (Windows Data Protection) can only be decrypted by the Windows user who has encrypted it, the logged on user will not be able to read the "special user" data.
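
The main app's side of this design, as an added example that is not part of the original answer: it receives the token over loopback TCP and stores it with `ProtectedData` in `CurrentUser` scope. The class name, file path and port are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography; // ProtectedData, DataProtectionScope
using System.Text;

// Runs as the "special user", never as the logged-on user.
static class TokenVault
{
    // Hypothetical location: restrict its ACL to the special user as well.
    const string TokenFile = @"C:\ProgramData\ExampleApp\token.bin";
    const int Port = 47001; // hypothetical loopback port for the setup app

    // Encrypts with keys tied to the calling Windows account.
    // DataProtectionScope.LocalMachine would let any account on the machine
    // decrypt the blob, which defeats the design.
    public static void Save(string token)
    {
        byte[] plain = Encoding.UTF8.GetBytes(token);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(TokenFile)!);
            File.WriteAllBytes(TokenFile, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Throws CryptographicException when called under any other account.
    public static string Load()
    {
        byte[] plain = ProtectedData.Unprotect(
            File.ReadAllBytes(TokenFile), null, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Accepts one line (the token) from the setup app and stores it.
    // Loopback only, but any local process can connect to this port.
    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        using (TcpClient client = listener.AcceptTcpClient())
        using (var reader = new StreamReader(client.GetStream(), Encoding.UTF8))
            Save(reader.ReadLine() ?? throw new InvalidDataException("empty message"));
        listener.Stop();
    }
}
```

If the logged-on user copies `token.bin` and calls `Unprotect` under her own account, the call fails, because the blob is bound to the special user's account.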