id: windows-installer-elevated-privileges

info:
  name: Windows Installer Elevated Privileges Enabled
  author: princechaddha
  severity: medium
  description: Checks if Windows Installer runs with elevated privileges for non-admin users, which could be exploited.
  impact: |
    Elevated privileges for the Windows Installer may allow non-administrative users to install unauthorized software.
  remediation: |
    Disable elevated privileges for non-admin users in Windows Installer settings.
  tags: installer,elevated-privileges,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1) {
        Write-Output 'Installer runs with elevated privileges';
      }

    matchers:
      - type: word
        words:
          - "Installer runs with elevated privileges"
# digest: 490a00463044022000e882e619467b4e9e70ade823fd198573b26fb72fc72ca11aad7b2163a01b6502207a4354d774a6755466da6189b49dda531a6beb5cda57d69bb0301d6383630878:922c64590222798bb761d5b6d8e72950