MSI packages and local privilege escalation in 2025
In summer 2025, Microsoft finalized a security update against a well-known privilege escalation path in the Windows ecosystem: the silent, privileged execution of .msi package repair.
A software publisher can define various actions ("Custom Actions") in its MSI package to aid in software repair, and these are sometimes run with elevated privileges even when the user who clicked on the package is not privileged. If the publisher is not careful about the custom actions it defines, they can be easy to exploit, for example when they call a command prompt or a binary that a standard user can modify.
Microsoft resolved this issue primarily by ensuring that a UAC pop-up requesting administrator credentials is systematically launched when repairing an MSI package.
The vulnerability now lies in the configuration
However, as is often the case, software compatibility has its requirements. To allow certain applications to continue functioning, Microsoft introduced a new registry key (SecureRepairWhitelist). If an MSI package is listed there, it reverts to its previous vulnerable behavior (executing as SYSTEM without a UAC prompt).
Privilege escalation is no longer solely a matter of vulnerable installers crafted by publishers, but also of local configuration.
How to protect yourself?
In addition to applying recent Microsoft updates, we recommend that you only whitelist trusted MSI packages, or those that have been audited to ensure the absence of dangerous custom actions.
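One way to review the whitelist as recommended above, as an added example (it is not the MSIAudit script linked on this page, nor Microsoft's code): it lists each whitelisted product code and flags custom actions that are deferred and not impersonated, which means they run as SYSTEM. The registry path, the storage of product codes as value names under that key, and the function names are assumptions that do not come from this page.

```powershell
# Added example. Assumed policy location and entry format (not stated on the page):
# product codes stored as value names under this key.
$WhitelistKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\SecureRepairWhitelist'
$InScript      = 0x400   # msidbCustomActionTypeInScript: deferred action
$NoImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate: runs as SYSTEM

# Late-bound call helper for the Windows Installer automation (COM) interface.
function Invoke-Msi($Object, [string]$Name, [string]$Kind, $MsiArgs) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $MsiArgs)
}

function Get-WhitelistedMsiAudit {
    if (-not (Test-Path $WhitelistKey)) { return }   # no whitelist configured
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $codes = (Get-Item $WhitelistKey).GetValueNames() | Where-Object { $_ }
    foreach ($code in $codes) {
        $name = $null
        try {
            $name = Invoke-Msi $installer 'ProductInfo' 'GetProperty' @($code, 'ProductName')
            $msi  = Invoke-Msi $installer 'ProductInfo' 'GetProperty' @($code, 'LocalPackage')
            $db   = Invoke-Msi $installer 'OpenDatabase' 'InvokeMethod' @($msi, 0)  # 0 = read-only
            $sql  = 'SELECT `Action`,`Type`,`Source`,`Target` FROM `CustomAction`'
            $view = Invoke-Msi $db 'OpenView' 'InvokeMethod' @($sql)
            Invoke-Msi $view 'Execute' 'InvokeMethod' $null | Out-Null
            while ($rec = Invoke-Msi $view 'Fetch' 'InvokeMethod' $null) {
                $type = Invoke-Msi $rec 'IntegerData' 'GetProperty' @(2)
                [pscustomobject]@{
                    ProductCode  = $code
                    ProductName  = $name
                    Action       = Invoke-Msi $rec 'StringData' 'GetProperty' @(1)
                    BaseType     = $type -band 0x3F   # e.g. 1 = DLL, 2 = EXE, 6 = VBScript
                    RunsAsSystem = [bool](($type -band $InScript) -and ($type -band $NoImpersonate))
                    Detail       = Invoke-Msi $rec 'StringData' 'GetProperty' @(4)
                }
            }
        } catch {
            # Whitelisted but not installed, unreadable, or no CustomAction table:
            # still report the entry so it is reviewed by hand.
            [pscustomobject]@{
                ProductCode = $code; ProductName = $name; Action = '(not inspected)'
                BaseType = $null; RunsAsSystem = $null; Detail = $_.Exception.Message
            }
        }
    }
}

Get-WhitelistedMsiAudit | Sort-Object RunsAsSystem -Descending | Format-Table -AutoSize
```

Rows where RunsAsSystem is True, and entries that could not be inspected, are the ones to review before keeping the product on the whitelist.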
Our auditing tool
One of our auditors developed a simple PowerShell script to help identify systems that are up to date but still vulnerable because they allow dangerous MSI packages. The tool can also be used on older systems, although the whitelist mechanism is not yet implemented on those systems.
GitHub link: [garatc/MSIAudit: Auditing tool for MSI packages whitelisted through the SecureRepairWhitelist reg key](https://github.com/garatc/MSIAudit)
