.CFG Configuration File
.cfg

Configuration File

A CFG file is a plain text configuration file, but there is no single CFG format — the extension is shared by hundreds of applications with incompatible syntaxes, from INI-style key-value pairs to game console commands. FileDex reference only.

Learn more ↓
Binary layout
Header magic bytes
Sections code · data
Text1980
By FileDex
Not convertible

CFG file conversion is not applicable — CFG is a naming convention with no single format. Use a text editor to read and modify configuration files directly.

Common questions

What is a CFG file?

A CFG file is a plain text configuration file that stores application settings. The .cfg extension has no single standard — it is used by games (Counter-Strike 2, Quake), network equipment (Cisco routers), programming tools (Python configparser), and the Linux kernel build system, each with a different syntax. Opening a CFG file in any text editor reveals its contents.

How do I open a CFG file?

Open it with any text editor: Notepad or Notepad++ on Windows, TextEdit on macOS, or VS Code on any platform. CFG files are plain text. If the content appears as binary gibberish rather than readable text, the file may be mislabeled — the actual file type is likely something other than a configuration file.

Can I edit game CFG files to improve performance?

Competitive players in Counter-Strike 2 and other Source engine games edit autoexec.cfg to set network rates, crosshair size, mouse sensitivity, and keybindings. Open the file in a text editor, modify values, and save. Always back up the original first — some games overwrite CFG files on exit, so set the file to read-only if changes keep reverting.

What is the difference between CFG and INI files?

Many CFG files use INI-style syntax — [sections] with key=value pairs — but CFG is broader. Source engine game configs contain console commands, not key-value pairs. Cisco IOS configs use indentation-based hierarchies. Kconfig files use CONFIG_OPTION=y syntax. The .ini extension specifically implies the [section]/key=value convention. The .cfg extension makes no such guarantee.

Is CFG the same as CONF?

Both are plain text configuration files with no formal specification. The .conf extension is more common in Unix/Linux (Apache httpd.conf, nginx.conf, systemd .conf files), while .cfg is more common in games and cross-platform applications. The internal syntax of each file depends on the application, not the extension.

Why did TOML replace CFG files in modern projects?

TOML was created in 2013 by Tom Preston-Werner (GitHub co-founder) because INI-style CFG files lacked a formal specification, a type system, and standardized nesting. TOML provides typed values (integers, dates, booleans), nested tables, and a test suite for parser compliance. Python replaced setup.cfg with pyproject.toml. Rust adopted Cargo.toml from its first release.

Are CFG files safe to download?

CFG files are plain text and cannot execute code on their own. The risk depends on the application: Source engine .cfg files run as console commands when loaded, so a downloaded autoexec.cfg could rebind keys unexpectedly. CFG files may also contain plaintext passwords or API keys. Inspect any downloaded CFG in a text editor before using it.

How do I find which application a CFG file belongs to?

Check the directory — a CFG inside a Steam game folder is a game config; one in /etc/ is a system config. Open the file and look for application-specific keywords: Source engine commands like bind or cl_interp, Cisco IOS commands like interface or ip address, or INI-style [section] headers. The filename often matches the parent application.

What makes .CFG special

The Most Ambiguous Extension
One extension, five incompatible syntaxes
INI-style, Source engine commands, Quake console variables, Cisco IOS hierarchies, and Linux Kconfig — all use .cfg. No other three-letter extension maps to this many unrelated formats.
The autoexec.cfg Ritual
Every competitive CS player has a personal .cfg
Since Quake in 1996, competitive FPS players have maintained hand-tuned autoexec.cfg files with custom keybindings, crosshairs, and network rates. Professional CS2 players publish theirs. Fans copy and modify them.
Credential Graveyard
CFG files are a top source of leaked secrets
Database passwords, API keys, and SMTP credentials stored as plaintext key=value pairs in .cfg files. Accidental git commits expose them permanently in repository history. GitHub’s secret scanner flags thousands monthly.
Replaced but Unkillable
TOML was built to replace CFG — CFG persists
Tom Preston-Werner created TOML in 2013 specifically because CFG/INI lacked a spec. Python replaced setup.cfg with pyproject.toml. Rust uses Cargo.toml. But game engines, Cisco, and legacy systems still produce millions of .cfg files.

What is a CFG file?

CFG files store application settings, system parameters, and user preferences as plain text. The .cfg extension has no specification, no standards body, and no formal definition. It is a naming convention adopted independently by hundreds of applications since the early 1980s. Two CFG files from different applications may have nothing in common beyond the three-letter extension.

Continue reading — full technical deep dive

This ambiguity is the defining characteristic of .cfg as a format. Opening an unknown CFG file in a text editor almost always reveals readable text, but understanding what that text means requires knowing which application created it.

Five syntax families, one extension

At least five distinct syntax families share the .cfg extension, each with different parsing rules:

INI-style uses [Section] headers with key=value pairs, one per line. Comments begin with # or ;. This is the syntax Python’s configparser module reads. MySQL’s my.cnf (sometimes distributed as .cfg), PHP’s php.ini, and Git’s .gitconfig all use variations of this pattern. There is no formal INI specification either — Microsoft introduced the convention with Windows 1.0 in 1985 but never published a grammar.

[database]
host = localhost
port = 3306
user = admin
; this is a comment

Source engine (Valve) treats .cfg files as console command scripts. Each line is a command that the game console executes sequentially. bind, cl_interp_ratio, rate, and sensitivity are commands, not key-value pairs. The exec command includes another .cfg file, making these files composable. Counter-Strike 2, Half-Life 2, Portal, Team Fortress 2, and Dota 2 all use this syntax. Comments use //.

// autoexec.cfg — custom CS2 settings
cl_interp_ratio "2"
cl_cmdrate "128"
rate "786432"
bind "mwheeldown" "+jump"
exec crosshair.cfg

Quake-engine uses seta and set commands to assign console variables. id Software’s Quake (1996) established the convention that game engines store settings in .cfg files. The syntax is similar to Source engine but uses different command verbs.

seta cg_fov "110"
seta com_maxfps "250"
seta name "Player"

Cisco IOS uses indentation-based command hierarchies. A interface GigabitEthernet0/1 line is followed by indented sub-commands that apply to that interface. Comments use !. These files represent the running configuration of network switches and routers.

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!

Kconfig uses CONFIG_OPTION=y, CONFIG_OPTION=n, or # CONFIG_OPTION is not set syntax. The Linux kernel build system and Buildroot use this format to track which features are enabled in a build.

CONFIG_SMP=y
CONFIG_MODULES=y
# CONFIG_PREEMPT is not set

The autoexec.cfg ritual

No discussion of .cfg files is complete without the autoexec.cfg phenomenon in competitive gaming. Every serious Counter-Strike player maintains a personal autoexec.cfg — a hand-tuned file of console commands that configure network rates, crosshair appearance, mouse sensitivity, keybindings, and graphical settings. This file executes automatically when the game launches.

The practice dates to Quake in 1996, where players discovered that editing config.cfg gave them control over settings not exposed in the game menu. By Counter-Strike 1.6, sharing autoexec.cfg files was standard practice in competitive communities. Professional players publish their settings, and fans copy and modify them. The autoexec.cfg file is personal — players who have refined their settings over thousands of hours of play treat it as irreplaceable.

Source engine games read config.cfg for the default settings and then execute autoexec.cfg, which overrides anything in config.cfg. This two-file architecture lets players reset to defaults (delete autoexec.cfg) without losing the game’s internal settings, or preserve custom settings across game reinstalls by backing up autoexec.cfg.

Key commands in a CS2 autoexec.cfg:

  • rate "786432" — maximum network bandwidth (bytes/second)
  • cl_interp_ratio "1" — interpolation ratio for hit registration
  • sensitivity "1.6" — mouse sensitivity
  • bind "mwheeldown" "+jump" — mousewheel bunny-hop binding
  • cl_crosshairsize "2" — crosshair arm length

Why no standard exists

CFG files predate the era of formal file format specifications. When Unix developers in the early 1980s needed to store application settings, they wrote a simple text parser, saved the output as something.cfg, and moved on. There was no coordination between applications. Microsoft did the same with .ini files for Windows 1.0 in 1985, and developers began using .cfg and .ini interchangeably.

The lack of standardization persists because there is no pressure to standardize. Each application owns its .cfg parser. Game engines define their own command syntax. Network equipment vendors define their own configuration language. The extension serves as a human-readable signal ("this file contains configuration") rather than a machine-readable format identifier.

This stands in direct contrast to formats like JSON (RFC 8259), YAML (yaml.org/spec), and TOML (toml.io/en/v1.0.0), which have formal grammars, test suites, and interoperable parsers.

From INI to TOML: the evolution

Microsoft’s INI format (1985) was the first widely adopted configuration file convention. It introduced [sections] and key=value pairs but was never formally specified. Different Windows applications interpreted INI differently — some allowed duplicate keys, others didn’t; some supported multi-line values, others treated newlines as terminators.

CFG files inherited this ambiguity. Throughout the 1990s and 2000s, developers chose .cfg or .ini based on personal preference or platform convention. Unix applications often used .conf. The three extensions (.cfg, .ini, .conf) are functionally siblings — same general idea, no interoperability guarantee.

JSON (formalized in 2006 via RFC 4627) offered machine-parseable configuration but its syntax is hostile to hand-editing — missing commas, mandatory quoting, and no comments make it error-prone for configuration files that humans need to modify.

YAML (first released 2001, yaml.org) added human-friendly syntax with significant whitespace, but its complexity and parser inconsistencies across languages created its own category of bugs.

TOML (2013, by Tom Preston-Werner, GitHub co-founder) was created specifically to replace INI-style .cfg files. TOML provides INI’s readability with a formal specification, typed values (integers, floats, dates, booleans), nested tables, and arrays. TOML v1.0.0 was published on March 10, 2021. Python’s pyproject.toml replaced setup.cfg as the standard package configuration file. Rust’s Cargo.toml established TOML as the default in the Rust ecosystem.

Security: the plaintext credential problem

CFG files are a persistent vector for accidental credential exposure. Database connection strings, SMTP passwords, API keys, and service account tokens are routinely stored in .cfg files as plaintext key-value pairs:

[smtp]
host = smtp.example.com
user = admin@example.com
password = P@ssw0rd123

When developers commit these files to version control, the credentials become part of the repository history. Even if the file is later deleted, the plaintext remains in git history unless the repository is rewritten. GitHub’s secret scanning service detects common credential patterns in pushed commits, but .cfg files with custom key names may evade pattern-based detection.

Cisco IOS .cfg files present a distinct risk. A router’s running configuration contains interface IP addresses, SNMP community strings, VPN pre-shared keys, and TACACS+ server credentials. Backup copies of these files, if stored on unencrypted network shares or sent via email, expose the entire network topology and authentication infrastructure.

Source engine .cfg files pose minimal credential risk but can contain commands that alter game behavior in ways the user didn’t intend. A downloaded autoexec.cfg could rebind keys, change sensitivity to unusable values, or execute additional .cfg files via the exec command. These are nuisances rather than security threats — Source engine commands cannot access the filesystem or network.

Platform-specific behavior

Windows historically treated .cfg files as belonging to the associated application. Double-clicking a .cfg file may open the application rather than a text editor, depending on file associations. The Windows Registry replaced .cfg/.ini files for system-level configuration starting with Windows 95, but application-level .cfg files persist.

macOS and Linux treat .cfg files as generic text. The file utility identifies them as text/plain based on content heuristics — there are no magic bytes to detect. On Linux, .cfg files coexist with .conf files (used by systemd, Apache, nginx) and dotfiles (~/.gitconfig, ~/.bashrc) in a fragmented configuration landscape.

Game distribution platforms (Steam, Epic Games Store) store .cfg files in platform-specific directories. On Windows, Steam games typically write to C:\Program Files (x86)\Steam\steamapps\common\<game>\cfg\. On Linux via Proton/Wine, the same files appear under ~/.steam/steam/steamapps/compatdata/. Editing the wrong copy of a .cfg file is a common source of "my changes don’t work" complaints.

.CFG compared to alternatives

.CFG vs .INI
Format standardization
Neither has a formal specification. INI has a narrower de facto convention ([sections] with key=value), while CFG encompasses at least five incompatible syntax families including INI, Source engine commands, Cisco IOS, and Kconfig.
 Draw
.CFG vs .TOML
Type safety
TOML v1.0.0 (March 2021) defines integers, floats, booleans, dates, strings, arrays, and nested tables with a formal grammar and test suite. INI-style CFG treats every value as a raw string with no type system.
 TOML wins
.CFG vs .YAML
Human editability
CFG’s key=value syntax requires no knowledge of indentation rules or special characters. YAML’s significant whitespace, colon-space delimiters, and implicit typing (the string ‘no’ becomes boolean false) cause frequent editing errors.
 CFG wins
.CFG vs .JSON
Comment support
JSON (RFC 8259) explicitly forbids comments. CFG files universally support comments via #, ;, //, or ! depending on the variant. Configuration files that humans edit need comments.
 CFG wins
.CFG vs .YAML
Parser consistency
YAML has a formal specification (yaml.org/spec/1.2.2) and a compliance test suite. CFG has no spec, so parsers vary by application. YAML parsers across languages produce identical output for the same input. CFG parsers do not.
 YAML wins

Technical reference

MIME Type
text/plain
Developer
Various
Year Introduced
1980
Open Standard
No

Binary Structure

CFG files are plain text with no binary structure, no magic bytes, and no file header. The internal format depends entirely on the consuming application. The most common pattern is key=value pairs separated by newlines, optionally grouped under [Section] headers (INI-style). Source engine CFG files contain console commands, one per line. Cisco IOS CFG files use indentation-based hierarchies. All variants are line-oriented — parsers process CFG files one line at a time. There is no universal encoding declaration. Most CFG files are ASCII or UTF-8.

1980Unix applications begin using plain text key-value files for configuration, with .cfg as one of several common extensions alongside .conf and .rc1985Microsoft Windows 1.0 introduces the INI format — [sections] with key=value pairs. Developers use .ini and .cfg interchangeably.1996id Software’s Quake establishes .cfg files as the standard game configuration format, using ‘seta’ commands for console variable assignment1998Counter-Strike mod for Half-Life inherits the .cfg convention, introducing autoexec.cfg as a player-customizable startup script2004Valve’s Source Engine (Half-Life 2, Counter-Strike: Source) formalizes .cfg as executable console command scripts with bind, exec, and alias commands2013Tom Preston-Werner creates TOML as a formally specified replacement for INI-style .cfg files, with typed values and a grammar2016Python PEP 518 introduces pyproject.toml, beginning the migration away from setup.cfg for Python package configuration2021TOML v1.0.0 published (March 10). Rust’s Cargo.toml and Python’s pyproject.toml establish TOML as the modern config format2023Counter-Strike 2 replaces CS:GO, carrying forward the autoexec.cfg convention to a new generation of players on Source 2 engine
Identify CFG file type with file utility other 
file -bi config.cfg

Reports the MIME type and encoding of a CFG file. Output is always text/plain because CFG has no magic bytes. The charset field (us-ascii, utf-8) reveals the encoding.

Parse INI-style CFG with Python configparser other 
python3 -c "import configparser; c=configparser.ConfigParser(); c.read(‘config.cfg’); [print(f’[{s}]’, dict(c[s])) for s in c.sections()]"

Reads an INI-style CFG file using Python’s standard library and prints all sections with their key-value pairs. Only works for CFG files that follow INI syntax — Source engine or Cisco IOS files will fail.

Search for a specific key across all CFG files other 
grep -rn ‘password’ /etc/*.cfg ~/.config/**/*.cfg 2>/dev/null

Searches for the string ‘password’ in CFG files under /etc and user config directories. Useful for auditing plaintext credential exposure in configuration files.

Diff two CFG files ignoring comments and blank lines other 
diff <(grep -v ‘^[#;]’ config.cfg | grep -v ‘^$’) <(grep -v ‘^[#;]’ config.cfg.bak | grep -v ‘^$’)

Compares two CFG files after stripping comment lines (starting with # or ;) and blank lines. Reveals actual configuration differences without noise.

Validate INI-style CFG syntax with Python other 
python3 -c "import configparser, sys; c=configparser.ConfigParser(); c.read_string(open(‘config.cfg’).read()); print(‘Valid INI-style CFG’)" 2>&1

Attempts to parse the file as INI. If the file uses a non-INI syntax (Source engine, Cisco IOS), configparser raises MissingSectionHeaderError, confirming a different format.

MEDIUM

Attack Vectors

  • Plaintext credentials — CFG files routinely contain database passwords, API keys, SMTP credentials, and VPN pre-shared keys in unencrypted key=value pairs. Accidental git commits expose these permanently in repository history.
  • Config injection — applications that interpolate CFG values into commands or SQL queries without sanitization may be vulnerable to injection attacks via crafted configuration values.
  • Path traversal via values — a CFG file with a value like output_dir=../../etc/passwd could cause an application to read or write outside its intended directory if the value is used in file operations without validation.
  • Source engine exec chain — a downloaded .cfg file containing ‘exec malicious.cfg’ causes the game console to execute additional files, potentially rebinding all keys or altering game behavior.
  • Cisco IOS config exposure — backup .cfg files from routers contain the full network topology, SNMP community strings, and authentication credentials for TACACS+ or RADIUS servers.

Mitigation: FileDex does not open, execute, or parse CFG files. This is a reference page only. For credential protection: use environment variables or secret managers instead of plaintext CFG entries. Add sensitive .cfg files to .gitignore. Cisco IOS: use ‘service password-encryption’ and store backups on encrypted storage.

Notepad++ tool
Free text editor with syntax highlighting for INI-style CFG files and line-ending conversion tools
VS Code tool
Free editor with automatic language detection for INI, properties, and CFG variants via built-in heuristics and extensions
Standard library module for reading and writing INI-style CFG files with section interpolation, default values, and multi-line support
Valve game engine (CS2, Half-Life 2, Portal, TF2) using .cfg files as executable console command scripts with bind, exec, and cvar commands
CiscoConfParse library
Python library for parsing Cisco IOS, NX-OS, and ASA configuration files — understands indentation-based parent-child hierarchy
kconfiglib library
Python library for reading and manipulating Linux kernel Kconfig .cfg files with full tristate logic and dependency resolution