Skip navigation

JSI Tip 3292. Allow users to always install with System privileges.

Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

I quote the Resource Kit:

This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.

Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

When enabled, Windows Installer defaults to using System privileges for the effected users' or computers' install.

When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a REG_DWORD data type, and set the data value to 1, at the following keys:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.