1

The newly released computer game Genshin Impact must be run as administrator on Windows 10. Millions of people have downloaded this game. It runs on multiple platforms; however, I assume that a significant proportion of the downloads are being run on Windows 10 as administrator. There is almost no reference to the requirement to run as administrator on the Genshin Impact website or other discussion boards. I therefore conclude that very few people care about the requirement to run as administrator. I therefore ask, what are the real risks of running an online, multi-person game as administrator on Windows 10?

Update

There are a couple of good answers here already. They describe what could happen if you run as administrator. They don't address the probability of such bad things happening. Since millions of people are doing this, I'm interested to know if the risks are something which should prevent people from doing this or are just possible but unlikely.

  • Installers for most other games require administrator access - it's basically the same as running the game as administrator. – dthusian Oct 03 '20 at 01:35
  • 4
    @forthe Is it the same? When someone runs the installer they trust the game developer. When they run the software as administrator every day they trust every piece of user generated data the software downloads. – OrangeBunny Oct 03 '20 at 02:27
  • 1
    There is no way that we can assess the probability that an entire class/category/genre of software would end up being/becoming malicious. And no, we are not going to assess this specific software. You are correct that the answers do not address the likelihood part of "risk", because they can't. But they do address the impact part of risk. – schroeder Oct 05 '20 at 08:52
  • @forthe Installers for most games don't require administrator access. Steam installs games to your user directory, for example. If the installer wants to install to Program Files it needs to be Admin, but games don't have any legitimate reason that they must be installed to Program Files. Many game installers provide an option to install to the user directory. The only reason a game or its installer must be run as Admin is if it wants to install malware deep into your system in ways you can't easily uninstall; sometimes they call it DRM or an anticheat system, but it's basically the same thing. – Lie Ryan Oct 06 '20 at 09:49

2 Answers

3

From the perspective of IT security there is no "being safe" or "being secure" 1. There is only being more or less secure and the idea of being sufficiently secure by having most relevant risks mitigated. Deciding if a specific software is sufficiently secure would require a deep evaluation not only of the specific software but also of the environment where the software is run in, i.e. what impact problems can have. Such a deep evaluation is out of the scope of this site.

But what can be said is that running a software as administrator provides additional and powerful attack vectors compared to running as an unprivileged user. The impact of these new attack vectors can be small and the risks acceptable if the system does not contain any sensitive data and is not used for sensitive activity like online banking. Given the right environment it can be very dangerous though, for example when being inside the network of a nuclear power station.

It can also be said that even running potentially malicious or buggy software as a non-privileged user poses considerable risks. Many malicious actions like extorting the user by encrypting the user's files (ransomware), spying on the user or impersonating the user do not actually require administrative privileges in the first place.


1 In the context of IT security the term security is typically used to describe harm against IT systems, compromise of information etc. Safety instead is used to describe more direct harm against humans, like when hacking a car and disabling the brakes.

Steffen Ullrich
1

The short answer is: no, it is not safe. If the developer had malicious intent, or the software package was compromised without his knowledge, the attacker gets the keys to the castle. If other malicious software gains access to this application, it can use the escalated privilege to cause harm to your system/data.

Your application is executed in the context of the Administrator user which gives it equal access to the system as the Administrator has. It means that the application can basically do whatever it wants on your system.

The industry-wide best practice is to limit Admin access to an account doing admin tasks only. The applications running on the system should run in the context of a user (this way they can cause only harm to the user space and not the system itself).

schroeder
nethero
  • 1
    " ... this way they can cause only harm to the user space and not the system itself ... " - which is sufficient for most malicious activities like ransomware or banking trojans. It is also sufficient for many attacks against other systems in the network. Thus requiring administrative privileges increases the risk but not necessarily a lot, depending on the actual use of the system. – Steffen Ullrich Oct 03 '20 at 15:35
  • @SteffenUllrich This is the beauty of ransomware: the architecture makes sure that your system will be alive whilst your data is encrypted. I know you may feel like my answer is very similar to yours, but I wanted to provide something less sophisticated/academic so as to limit the intellectual heavy lifting. It makes me wonder why a game would require admin rights, does it not? – nethero Oct 05 '20 at 08:32
  • Since this answer is specifically in reference to a previous answer, I'd disagree with it. To say "safe/not safe" is inaccurate. It exposes more risk. – schroeder Oct 05 '20 at 09:03
  • This is really a semantic discussion now. We can either try to establish an industry meaning of "safe" or go with the dictionary. Am I safe if I'm at risk? Or the other way: am I safe if I knowingly enlarge the risk of something I'm afraid of? Is the following sentence true: "you are safe from falling from the ladder if you don't climb it"? – nethero Oct 05 '20 at 09:14
  • If this was the only provided answer, I'd agree with it, but your expressed desire was to provide a better answer in the context of a previous one. That makes this a semantic discussion. In that context, you have over-simplified the situation to a point where your answer is inaccurate. The other answer is better and more accurately describes the situation. – schroeder Oct 05 '20 at 10:40
  • I don't think we need to discuss that in terms of worse and better, considering that they're quite different. The point of my answer was to make it less academic and more human-readable. I assume a certain level of knowledge from the person asking the question (based on the question itself) and provide the answer fitting the tone of the discussion. I think that simple questions require simple answers. In my opinion the question can be boiled down to: "should I do it?" and my answer is "no". – nethero Oct 05 '20 at 10:48
  • 1
    @KamilKurzynowski: "... why would a game require admin rights does it not ..." - such invasive rights might be needed to implement a DRM scheme or similar, similar to why antivirus needs administrator privileges. – Steffen Ullrich Oct 05 '20 at 11:26
  • @SteffenUllrich this is one of the reasons I do not use anti-virus software beyond what is present in Windows by default. – nethero Feb 03 '21 at 09:08