Despite all the complaints I've seen about the way GOG handles certain things on the technical side, I think I've rarely seen people criticize the fact that GOG installers require administrator privileges, even when there is no reason at all for them to need those privileges.

The only reason a game should ask for admin privileges is when they require a certain redistributable to be installed alongside the game (Visual C++, OpenAL and the like). So, for starters, any game that doesn't install one of those (and there are many games that don't) should not require admin privileges at all (the default install path is not a UAC-protected one, so that's not a reason either).

And this takes me to what I think is the real problem: I'd very much rather not give admin privileges to redistributables whose origin I don't really know. Look, don't take me wrong: I'm not presupposing malicious intent on the part of developers. I genuinely don't. But, on the other hand, I'm not really sure I should always presuppose good security practices either. Am I supposed to assume each and every developer downloads those redistributables from their official source? Sure, sounds reasonable enough... but not long ago, for instance, I read an article about some app developer for iOS which had downloaded the development kit from a shady, infected source, so who really knows?

For all its other, numerous disadvantages, Steam does this exactly the way it should be done: you can install each and every game without being asked for admin privileges, and then it will ask for them when you launch the game. But if, at that point, you refuse to grant those privileges, the game will start nevertheless (provided you have already installed the required redistributables separately, of course). In fact, and unlike GOG, since the redistributables are openly stored in the game's folder, you can even check their digital signatures before granting them admin privileges.

Well, perhaps GOG actually checks every redistributable they bundle with their installers is digitally signed by Microsoft (or Creative Labs or whoever), but I'm not going to assume that. It would be great to know if they do.

And by the way, although it is usually said that "for the game to work, you need the exact Visual C++ version the developer used", in my experience that is not true. Obviously, I can't speak for every game, but it's been ages since I've only kept installed the latest Visual C++ versions provided by Microsoft, and not a single game has ever complained about that.

Any opinions about this?

Also, a lot of games would not need to be run as an admin albeit some do. I change that whenever possible.

I think you can manage with 2-3 VB versions.

I like to live dangerously, so I go admin all the time.

By the way, is it true that Windows 10 defaults to an admin account on installation? I clearly remember someone from Microsoft suggesting making a non-admin account and using that back in 1999-2004. Sorry cannot remember exact year after all this time. I remember it not working well with Windows XP, so so with Vista and almost alright on Windows 7. Still need to login to admin account once a month. W10 feature updates (twice a year) and Norton AV at least demand you login to admin regularly = fail.

not for me. I've had to turn it on several times,

This is actually not an issue at all on Linux. I haven't seen a commercial game that needs admin privileges at all, and games running under WINE never need them, even if they would need them under Windows.

(Of course, there are still some security risks; a malicious game could still steal/delete your files or steal your CPU time (and hence electricity) for cryptocurrency mining, for example, but those can happen on pretty much any modern OS.)

A surprisingly common thing for cheap or free games. A virtual plague among Android games, I hear.

Yeah, from what I've seen, Linux games on GOG don't require admin privileges at all. The thing is, despite what many people seem to think, Windows games don't actually require them either. At all. As I said, you can install and play Steam games from a regular user account, without ever logging in as administrator.

The only reason you need admin privileges for GOG games is because the installers are set not to even run otherwise. And once you grant the installer admin privileges, it proceeds to install every redistributable it is bundled with, without an opt-out option and without even telling you what it is it's installing.

Of course, I would assume it's safe to trust that well-established developers/publishers like EA, Activision, Double Fine or, I don't know, Beamdog or Daedalic will only use developer tools from official sources. But both GOG and Steam are full of games made by completely unknown, first-time developers. And it's not that I think they will deliberately distribute malicious software but, as I said, not long ago I read about some app developers who had been using infected development tools downloaded from an unofficial source (out of ignorance or because of corner-cutting, it doesn't really matter). So it's not unthinkable. And there's really no need to go granting full admin access to every program every developer decides to bundle with their game.

A common mistake to make is to search for what you want on internet and just click on the first result without seeing that the developer of that program is eg the third result and the first two are click-baits feeding you malware.

Gog appear to have written a generic installer "wrapper" that as well as installing the game offers certain generic things like "Try GOG Galaxy". If they were to implement your suggestion then I expect that would require them to alter the wrapper to allow them to know if the game requires elevated rights, and package the games differently based on that. Not impossible, but probably one thing that is stopping them.

There's also the problem that you can't change the elevation level after a process has started, so if they were not running as admin, and the user chose to install to "program files", it would crash. Once again, not blocking them, would just require more work to detect such things.

However I'd suggest it's mostly useless anyway. Lets suppose they've done this, and now only some installers require admin rights. You come to install a GOG game and it prompts you to elevate to admin rights. What now? It's unlikely that you'll be able to find out why it's prompting you, so really your choice is elevate or don't install the game. The support answer would be "It requires admin rights to install" (and they won't know why, even if you demand to know), so really you've got a choice of don't install and throw your money away, or click that "yes" button, just like everyone else is doing. Maybe you're being hyper secure and checking everything out, in which case this should not be the last line of defense for you, but for most people they will have no real choice but to give that installer admin rights. At this point, your malicious installer has won anyway, just because it claimed to need admin rights.

This isn't really the main point of elevated rights. It's supposed to stop processes that have snuck onto the machine from accessing admin functions, it's not really about stuff you're actually initiating yourself.

Security. If you have something valuable in your house you put it in a safe, even though there's a lock on your front door. If something is running as admin then it's able to do things to your computer that it wouldn't otherwise be able to do. For some people that's very important as the security concern could install a keylogger and get their bank details etc. For others it's irrelevant because the most information they'd get is that you're looking at some really deviant porn.

Some people are really concerned about security and like to ensure that all precautions are taken.

makes sense.

I keep forgetting about where I live and the fact that no one here locks their doors.

I'd have to double check, but I would swear I've seen some installers that ask for admin privileges after they have been launched. In fact, I think that's what Origin does: you launch the Origin installer as a regular user, and then it asks for the elevated rights after you have selected the folder and the install settings.

True, that's why I think that the installers should simply give the option to only install the game and nothing else. Keep the admin rights requirement for all installers, make the "install all additional libraries" the default option and hide it away in some submenu or whatever, but give the option. Obviously, GOG installers themselves can be trusted, so granting them admin privileges wouldn't be a problem, as long as you can be sure that the installers are not using those privileges to also install additional programs (without notifying the user, by the way). In fact, isn't that how everybody did it back in the day? I remember all physical games worked like that: during installation, they asked you if you wanted to also install DirectX, Visual C++ or whatever. If you unticked those options, only the actual game was installed.

As it is, with every GOG game you install, you're giving full admin access to whatever executable every random developer has downloaded from who knows where and decided to bundle with their game.

No need to check - you have seen this. It's called MSI chaining. This will happen if the installer is using MSIs, and some of them require elevation. This could even be the case with just a single MSI. In such cases then the installer will then elevate at that point, because the MSI starts a separate process. However this is dependent on the game installer being an MSI. Alternatively if the game installer is launched by GOG specifically as runas admin then it will do so, but that's where I think GOG are being lazy and just doing that always simply by elevating the main installer (probably to save trying to get the game installers re-written).

These options were always just niceties, there was never an operating system block to stop you doing it. GOG installers will always be dependent on the game installers being honest. If those have issues then that's GOG's fault, and they have to be held accountable (you can bet the T&C's say they're not).

I agree with you, it would of course be good (better security is always preferable), but it's not going to happen.