Windows Privilege Escalation Via AlwaysInstallElevated Technique


Windows privilege escalation is one of the crucial phases of any penetration test; it is needed to overcome the limitations imposed on the victim machine. This phase can also yield useful information and possibly a chance of lateral movement in the penetration testing environment. Overcoming those limitations won’t always be easy, but this blog focuses on a “low-hanging fruit” technique for pentesters. So let’s get started!


AlwaysInstallElevated is a Windows Installer policy setting that allows all users on a Windows machine, including low-privileged ones, to run any MSI file with elevated privileges. MSI is Microsoft’s installer package file format, used for installing, storing and removing programs.

Note: This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting.

By default, this option is turned off. To create this privilege escalation entry point in the lab we need to turn it on, as we will see further in this blog.

Because the setting allows every user to run an MSI file with elevated privileges, a low-privileged user can run a malicious MSI file to spawn a shell or add a newly created user to the Administrators group.

Setting up the Environment to perform the escalation technique.

Virtual Machine                  IPv4 Address
Windows 10 Enterprise version    192.168.52.136
Kali Machine                     192.168.52.132

Now we will add the key to the registry using gpedit (running as Administrator, of course).

To start, open the Command Prompt with the “Run as Administrator” option and type “gpedit”.

This command opens the Local Group Policy Editor, where we need to select the following option.



“Computer Configuration” -> “Administrative Templates” -> “All Settings” -> “Always install with elevated privileges”

Click on “Always install with elevated privileges” and enable the setting.


We will do the same under “User Configuration” and enable the “Always install with elevated privileges” option there as well.

“User Configuration” -> “Administrative Templates” -> “All Settings” -> “Always install with elevated privileges”

Now that “Always install with elevated privileges” is enabled, we are ready for the hands-on part: escalating our privileges.

Let’s start by checking whether the system is vulnerable. We can check manually or with a tool; let’s try the manual way first.

Manual Method

[sh] reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated [/sh]

[sh] reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated [/sh]

If the system is vulnerable, the machine returns the result shown in the image below.

[Screenshot: output of the two reg query commands]
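The manual check above, written as a PowerShell audit with a remediation step. This is an added example, not part of the original post, and the function names are hypothetical. It relies on the documented Windows Installer behaviour that the policy takes effect only when the value is 1 in both the HKLM and HKCU keys.

```powershell
# Added example: audit the two AlwaysInstallElevated values queried above with reg.exe.
$ValueName  = 'AlwaysInstallElevated'
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # One object per hive; Value is $null when the key or the value is absent.
    foreach ($key in $PolicyKeys) {
        $value = $null
        if (Test-Path -Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = $prop.$ValueName }
        }
        [pscustomobject]@{
            Key     = $key
            Value   = $value
            Enabled = ($value -eq 1)
        }
    }
}

function Test-AlwaysInstallElevated {
    # The policy is effective only when BOTH hives hold the value 1.
    $state   = @(Get-AlwaysInstallElevatedState)
    $enabled = @($state | Where-Object { $_.Enabled })
    return ($enabled.Count -eq $state.Count)
}

function Disable-AlwaysInstallElevated {
    # Remediation: remove the value from both hives.
    # HKLM needs an elevated session; HKCU covers the current user only.
    foreach ($key in $PolicyKeys) {
        if (Test-Path -Path $key) {
            Remove-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

Get-AlwaysInstallElevatedState | Format-Table -AutoSize
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is set in HKLM and HKCU: MSI installs run elevated for this user.'
} else {
    Write-Output 'AlwaysInstallElevated is not effective for the current user.'
}
```

If the values come from Group Policy, removing them from the registry lasts only until the next policy refresh; set “Always install with elevated privileges” back to Not Configured or Disabled in both Computer Configuration and User Configuration.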

Now let’s do it the tool way. We will use the PowerUp.ps1 PowerShell script from the PowerSploit project to find out whether the machine is vulnerable.

Start PowerShell with the execution policy set to bypass.

[sh] powershell -ep bypass [/sh]

Load the PowerShell script.

[sh] . .\PowerUp.ps1 [/sh]


[sh] Invoke-AllChecks -Verbose [/sh]


The tool successfully detects the vulnerability, as shown in the image below.

[Screenshot: Invoke-AllChecks output reporting AlwaysInstallElevated]

To escalate the privileges of “lowuser”, we need to run the abuse function.

[sh] Write-UserAddMSI [/sh]

Now we just need to run the MSI file “UserAdd.msi”.

There is also a lazy pentester’s method: the Meterpreter way.

If we have a Meterpreter session as a low-privileged user in Metasploit, we can use the following module to escalate our privileges.


[sh] exploit/windows/local/always_install_elevated [/sh]

[sh] use exploit/windows/local/always_install_elevated [/sh]

Setting the options for the module.

[Screenshot: module options]

As we can see in the image below, we have successfully gained SYSTEM-level privileges on the Windows machine.

[Screenshot: elevated session after running the module]

We hope this blog helps you understand the concept behind AlwaysInstallElevated Windows privilege escalation.

Till then hacknpentest!!!



5 Responses

  1. Aviral says:

    Interesting stuff and thanks for sharing such a good blog.

  2. d says:

    This is not really an exploit if it involves you having to turn on a feature… with admin privs.

  3. David Walker says:

    It’s a good backdoor. Reminds me of the Ease of Access backdoor.
