For Privilege Access (Windows)

First, on Windows systems, we should check the status of the AlwaysInstallElevated registry setting. If this setting is enabled (set to 1) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges. We can use reg query to check these settings:

```
// For current user
C:\> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

// For local machine
C:\> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```

If this setting is enabled, we could craft an MSI file and run it to elevate our privileges.
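The same check as a read-only audit script, for administrators who want to find and clear this setting before someone else does. This is an added example, not code from the original post; the function name `Get-AieState` is hypothetical. Microsoft's Windows Installer documentation describes elevated installs as requiring the value under both keys, so the script reports each hive separately and then the combined state.

```powershell
# Added example: audit AlwaysInstallElevated in both policy hives (read-only).
$valueName = 'AlwaysInstallElevated'
$subKey    = 'Software\Policies\Microsoft\Windows\Installer'

function Get-AieState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('HKCU', 'HKLM')]
        [string]$Hive
    )
    $path = "${Hive}:\$subKey"

    # A missing key or a missing value means the policy is not configured.
    if (-not (Test-Path -LiteralPath $path)) { return 'NotConfigured' }
    $item = Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }

    # Only a DWORD value of 1 turns the policy on.
    if ([int]$item.$valueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

# One row per hive so the result can be logged or exported.
$report = foreach ($hive in 'HKCU', 'HKLM') {
    [pscustomobject]@{
        Hive  = $hive
        Key   = "${hive}:\$subKey"
        State = Get-AieState -Hive $hive
    }
}
$report | Format-Table -AutoSize

$enabled = @($report | Where-Object State -eq 'Enabled')
if ($enabled.Count -eq 2) {
    Write-Warning 'AlwaysInstallElevated is 1 in both hives: MSI packages install elevated for this user.'
} elseif ($enabled.Count -eq 1) {
    Write-Warning "AlwaysInstallElevated is 1 in $($enabled[0].Hive) only: review and clear the policy."
} else {
    Write-Output 'AlwaysInstallElevated is not enabled in either hive.'
}

# Remediation: set the Group Policy "Always install with elevated privileges"
# (Windows Components > Windows Installer) to Disabled or Not Configured under
# both Computer Configuration and User Configuration.
```

HKCU reflects only the account running the script, so run it in each user's context or through your management tooling to cover every profile on a host.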