Dear GOG team, dear forum readers,

Would it be possible to have an unprivileged version of Galaxy? I mean, there's a reason why games can install with a simple click and update automatically: it's because there's a privileged component (called the Galaxy service, if I'm correct) that executes any task requiring elevated privileges whenever a non-privileged user asks for it, bypassing the regular OS security procedures.

I'm pretty sure there are people (not only me that is) that, put simply, would like to know when they're admin and when they're not. I understand many users prefer it like that, and I'm not asking for that auto install/update feature to be removed.

More specifically, is it possible that there would be a "restricted" client without the service program component (or any sort of driver or scheduled task), offering the same functionality except when installing/updating a game, where an executable would be downloaded instead, for later processing? The user would then knowingly go into privileged mode by himself and execute that file.

TBH, it's the only thing that prevents me from playing Gwent :o)
So you want something that would ultimately be entirely pointless, seeing as the installers have to be run admin anyway?
Let me try to adopt the only kind of feedback language that seems to get a response, even though I am actually serious with this point:

Galaxy is already too privileged to even be able to check its privilege. I consider Galaxy to be a microaggression against users like me who identify as DRM-free offline gamers.
@Darvond: Indeed, the program would have to be executed as admin in the end, but that would have to be done following regular elevation (non-admin to admin) procedures, hence knowingly from the user. That's the big difference...

You may object that GOG can add a warning each time such an action is performed, but you're missing an important point here: normally, when you are about to perform an administrative operation, you're presented with a consent request from the OS. The programs requesting your consent and sometimes asking you to present credentials are security-sensitive and designed as such. Galaxy isn't, isn't supposed to be, and can't be. There's not a single time when I will accept replacing the secure desktop consent verification with a Galaxy yes/no prompt. Same goes for the Steam client, btw.

@rjbuffchix: I absolutely agree with you, DRM-free shall remain; abandonment would be a huge betrayal and reduce GOG to not much more than another Steam, but as long as there are up-to-date offline installers, I'm fine with that. That's not my point here, though; it's rather that GOG crossed a red security line with their Galaxy implementation.

Now, that being said, I understand the fear of Galaxy becoming mandatory, and I don't feel the need for it as it is. There was a time when multiplayer was done by simply entering each other's IPs and not providing credentials whatsoever. In fact, I would rather have seen the role of Galaxy as a simple API easing networked multiplayer, but no more than that. Gwent could have been done that way. I don't necessarily mean LAN-only, however; I understand how online matchmaking features, finding other players and social interactions are better with a central infrastructure.
NovHak: @Darvond: Here's a teal deer that doesn't actually explain why this is a concern of yours.
You haven't explained why running with elevated privileges is a problem to you. You've given vague hints and I could work out the logical implications, but why not spare us the trouble and tell us why you think this is troubling.
You could always just turn off auto updates. It'll still automatically run any installers it downloads, but it will never download anything in the first place unless you manually tell it to do so, so the end result is pretty much the same.
NovHak: ...
You mean you wanted galaxy to be more like that shitty service Gamespy Comrade and that shitty service gamefly.
@Darvond: If you make a mistake or get pirated while running privileged, the damage will potentially be far worse than if you run with adequately limited rights. A program that has one foot in the non-admin world and another one in the admin world is open to exploits that would permit an attacker to gain admin access to your system. And that's exactly the problem with Galaxy: one foot admin (the Galaxy service), and one foot non-admin (the Galaxy client program, or a game process using the Galaxy API).

I'm not American, nor is English my mother language, and I'm not sure about that teal deer thing, but my intention is not to explain why it's a concern to you. If you're happy like that, then it's no concern of yours; that's only my humble point of view. I'm perfectly conscious that for most people, security is more of a hindrance than anything!

@Hesusio: It's not just a matter of telling Galaxy not to do so; it should not have the possibility to do so without going through the normal privilege elevation procedure. I understand that some people hate being annoyed by security prompts, well, that's fine for them, but I for one like that one can't become admin on my system without asking me first, only when necessary and for a previously determined task.

@fr33kSh0w2012: I was rather thinking of Galaxy as an API easing multiplayer gaming from a developer's point of view. I doubt Gamespy was doing much in that respect, and I remember being annoyed by that Gamespy Comrade window with some games, which is definitely not what I want.

Anyway, that's not my point. The Galaxy model is what it is and I'm not here to ask to change it; my only problem is with its implementation through the Galaxy service that enables execution of commands as admin on the fly, as I explained before. I usually resort to offline installers, but when it comes to Gwent I can't any more. And that's why I came here!
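As an added example (not code from this thread or from GOG), here is a small Python model of the two designs NovHak contrasts: a privileged broker that executes whatever the unprivileged client asks for, beside one restricted to a pre-determined task on inputs it verifies itself. The broker, task names, staging directory and manifest are hypothetical.

```python
import hashlib, os, tempfile

# Constructed sample installer and the manifest of expected digests the broker trusts
# (hypothetical; obtained over an authenticated channel, never from the client).
GOOD_INSTALLER = b"constructed installer bytes"
TRUSTED_MANIFEST = {"gwent-setup.bin": hashlib.sha256(GOOD_INSTALLER).hexdigest()}

def naive_broker(request: dict) -> str:
    # "One foot admin": whatever the unprivileged client sends runs elevated.
    return f"EXEC(elevated): {request['command']}"

class RestrictedBroker:
    # Performs only pre-determined tasks, on inputs it verifies itself.
    ALLOWED_TASKS = {"install"}
    def __init__(self, staging_dir: str, manifest: dict):
        self.staging_dir = os.path.realpath(staging_dir)
        self.manifest = manifest
    def handle(self, request: dict) -> str:
        if request.get("task") not in self.ALLOWED_TASKS:
            raise PermissionError("task not allowlisted")
        name = request.get("installer", "")
        path = os.path.realpath(os.path.join(self.staging_dir, name))
        if os.path.dirname(path) != self.staging_dir:  # blocks ../ traversal
            raise PermissionError("installer outside staging dir")
        if name not in self.manifest:
            raise PermissionError("unknown installer")
        with open(path, "rb") as f:  # verify content before acting on it
            if hashlib.sha256(f.read()).hexdigest() != self.manifest[name]:
                raise PermissionError("installer hash mismatch")
        return f"EXEC(elevated): {path}"

def demo() -> dict:
    # Run constructed requests through both brokers and collect each outcome.
    results = {"naive": naive_broker({"command": "anything-the-client-wants"})}
    with tempfile.TemporaryDirectory() as d:
        broker = RestrictedBroker(d, TRUSTED_MANIFEST)
        target = os.path.join(d, "gwent-setup.bin")
        cases = [  # (label, bytes written to the staged file, client request)
            ("good", GOOD_INSTALLER, {"task": "install", "installer": "gwent-setup.bin"}),
            ("tampered", GOOD_INSTALLER + b"!", {"task": "install", "installer": "gwent-setup.bin"}),
            ("traversal", GOOD_INSTALLER, {"task": "install", "installer": "../gwent-setup.bin"}),
        ]
        for label, content, req in cases:
            with open(target, "wb") as f:
                f.write(content)
            try:
                results[label] = broker.handle(req)
            except PermissionError as e:
                results[label] = str(e)
    return results
```

The naive broker never refuses; the restricted one only ever runs a staged, hash-verified installer, which is the "previously determined task" behaviour asked for above.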
NovHak: @Darvond: Here's a teal deer that doesn't actually explain why this is a concern of yours.
Darvond: You haven't explained why running with elevated privileges is a problem to you. You've given vague hints and I could work out the logical implications, but why not spare us the trouble and tell us why you think this is troubling.
It actually makes sense: Galaxy becomes an elevation method for viruses. If it had to ask every time, there's a little extra security.

But, here we are, expecting security on windows.
kohlrak: It actually makes sense: Galaxy becomes an elevation method for viruses. If it had to ask every time, there's a little extra security.

But, here we are, expecting security on windows.
So you're expecting something to sneak into a secured connection between you and a server. It isn't like the install is managed online.
kohlrak: It actually makes sense: Galaxy becomes an elevation method for viruses. If it had to ask every time, there's a little extra security.

But, here we are, expecting security on windows.
Darvond: So you're expecting something to sneak into a secured connection between you and a server. It isn't like the install is managed online.
No, that's not how it works. The idea is, as Galaxy is elevated, something could use Galaxy DLLs to pose as a GOG program as long as Galaxy is running (i.e. when any GOG game is running). You could then exploit any weakness in the API (and we all surely trust GOG's DLLs given how well the site is functioning) to get elevated permissions. Moreover, if we use a feature of Galaxy itself (multiplayer API or something?) we don't even need to find an exploit in Galaxy, but simply use Galaxy itself as an exploit since the permissions are already elevated.
kohlrak: ...
This just reads like paranoia for the sake of paranoia. Besides that, I'm somehow doubtful the API could do that much aside from inconvenience a user.
NovHak: ...
Not sure how Windows does it, but the security is not bypassed: either there is a part that does just those things, isolated from the main code, and drops the privileges afterwards; or there is a part that elevates the main block's privileges for a short time and drops them afterwards. Since there is just one part, the OS can whitelist that part.
Since a large part of Galaxy is installing and upgrading stuff, disabling that effectively achieves what you want.

Also, on home machines, it's actually user data that is valuable, not the system ("privilege") data. The latter is for servers or server managers. If on a home machine the user data is corrupted, stolen or deleted, it's game over.

I recommend Nixos; yes, it's based on the Linux kernel. You can install and run there unprivileged.
Post edited November 04, 2018 by Lin545
kohlrak: ...
Darvond: This just reads like paranoia for the sake of paranoia. Besides that, I'm somehow doubtful the API could do that much aside from inconvenience a user.
Unless you've seen something like it before. Even if it were like, say, mobile phones with permissions, file creation permission alone at administrator level can create some havoc. Given that Galaxy is to provide multiplayer as well, that could be exploited to send data back and forth without triggering a firewall, and that includes not just personal data, but files as well. I saw a small PE file take advantage of this for the purposes of a demo: to make the smallest executable file for Windows that downloads a file from the internet and executes it. The program used an old feature of Windows itself: if you specify a URL in the import table of an exe file, older versions of Windows (I think up to and including Vista or 7 to some point) will actually download the file from the URL, but it'll do it as Windows, bypassing all firewall protection. I tested it out, and it allowed me to bypass my high school's firewall as well, which I still see businesses using.

NovHak: ...
Lin545: ...
It's done like Linux, except that even though there are specific security associations available, they effectively aren't really implemented. As of at least Windows 7, there are 2 types of administrative privileges: 1. actual admin, 2. pretend admin that doesn't have the power to overwrite system functions (this is a pain since this is the default, and sometimes you legitimately want to disable some silly service or install another).

Otherwise, you're right. The trick to getting user data, though, is usually to get those elevated permissions. Because of the way Windows handles things, and how user data is always scattered all over the place, searching for data is a pain, and sometimes it's actually encrypted. It makes more sense, if you want data, to use Windows' "hooks API", which basically allows those with administrative privileges to mess with another program's executable and data segments, effectively hijacking the program. The best part is that user32.dll (and equivalents) are applicable targets, so you can "hook" all textbox windows (since they're actually subwindows within a given window) and focus on the ones that are marked with a password flag, then hijack the data from every window that has one of those password windows (so you can get URLs, usernames, etc.). This is effectively how "trainers" work, except trainers (presumably) don't have the goal of stealing your data, but instead just helping you cheat at a computer game.

And this is only considering data as the prize: maybe they just need a proxy for illegal activity, whether that's directly or as part of a botnet (this seems most common). It's generally not lucrative to hack 1 computer to get one person's email info. That's what big sites are targeted for: you get a lot more bang for all your effort.

Source: Script Kiddies ("hackers" who can't hack, but still do the same damage) whom I tried to bust (surprisingly difficult); personal programming knowledge
kohlrak: ...
Yeah, privileged scanning/writing into other processes' memory segments is more of the hijack part, not the damage part. You see, the hijack part can be shortened to making the user run a modified binary or some masked script by some means. Not hard through poisoning of illegal sources, for example. Then just locate archive, text, mbox file extensions and corrupt or ftp them: encrypted or not, the application will be run with the current user's privileges, so full access to user data.

How many users have a dedicated user profile just for games, and a dedicated user profile to work with their data? That's also a hint for the OP, if he/she is troubled.

Otherwise, doing something that Nixos does, like a hash-based atomic system with explicit declarative linking of its components for every program, would secure the static post-boot OS part (breaking hooks), but requires a full OS redesign. And if it's not opensauce (Windows's been all-proprietary since its birth), I bet it will roll out its own set of headaches in the process...

GOG could however split the Galaxy in "install/update" and "chat/achievement" parts. I don't know how Galaxy does this, if it constantly stays resident as privileged process, - because, you know, there is no Galaxy for linux.