A PowerShell script to audit the installed MSI packages listed in the Windows SecureRepairWhitelist registry key for privilege escalation risks (it can also audit all installed MSI packages and ignore the whitelist if needed).
The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\SecureRepairWhitelist registry key allows standard users to trigger repair operations (msiexec /fa) on specific MSI packages without a UAC prompt (for years this was allowed by default for all packages, until the recent patch by MS).
- Enumerates all installed MSI products on a system.
- Cross-references them with the SecureRepairWhitelist.
- For each whitelisted package, scans for potentially dangerous CustomActions (those running with NoImpersonate between InstallInitialize and InstallFinalize, which run with elevated privileges).
- Generates a comprehensive audit report in both TXT and HTML formats.
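As an added example (not the project's script), here is the enumeration and cross-referencing step on its own in PowerShell: it reads the value names under the SecureRepairWhitelist key, enumerates MSI-installed products from the Uninstall registry keys, and reports which whitelisted product codes are actually installed and which whitelist entries are stale. It assumes that value names under SecureRepairWhitelist are product-code GUIDs in {GUID} form and that `WindowsInstaller = 1` in an Uninstall entry marks a product installed by MSI; the function names are this example's own.

```powershell
# Added example, not part of the audit script described above.
# Assumptions (not stated on the page): whitelist value names are product codes
# in {GUID} form; installed MSI products are read from the Uninstall keys, where
# WindowsInstaller = 1 marks an MSI-installed product and the key name is the
# product code.

$WhitelistKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\SecureRepairWhitelist'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$ProductCodePattern = '^\{[0-9A-Fa-f-]{36}\}$'

function Get-SecureRepairWhitelist {
    # Returns the product codes exempted from the secure repair prompt.
    if (-not (Test-Path -Path $WhitelistKey)) {
        Write-Warning 'SecureRepairWhitelist key not present: no packages are exempted.'
        return @()
    }
    $key = Get-Item -Path $WhitelistKey
    $key.GetValueNames() |
        Where-Object { $_ -match $ProductCodePattern } |
        ForEach-Object { $_.ToUpperInvariant() }
}

function Get-InstalledMsiProducts {
    # Returns one object per MSI-installed product found in the Uninstall keys.
    foreach ($root in $UninstallKeys) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $entry.PSPath
            if ($props.WindowsInstaller -eq 1 -and $entry.PSChildName -match $ProductCodePattern) {
                [pscustomobject]@{
                    ProductCode = $entry.PSChildName.ToUpperInvariant()
                    DisplayName = $props.DisplayName
                    Version     = $props.DisplayVersion
                    Publisher   = $props.Publisher
                    InstallDate = $props.InstallDate
                }
            }
        }
    }
}

function Get-WhitelistAuditSummary {
    # Cross-references the whitelist with installed products.
    # Status 'Installed'    : whitelisted and present, worth inspecting further.
    # Status 'NotInstalled' : stale whitelist entry with no matching product.
    $installed = @{}
    foreach ($product in Get-InstalledMsiProducts) {
        $installed[$product.ProductCode] = $product
    }

    foreach ($code in Get-SecureRepairWhitelist) {
        if ($installed.ContainsKey($code)) {
            $p = $installed[$code]
            [pscustomobject]@{
                ProductCode = $code
                Status      = 'Installed'
                DisplayName = $p.DisplayName
                Version     = $p.Version
                Publisher   = $p.Publisher
            }
        } else {
            [pscustomobject]@{
                ProductCode = $code
                Status      = 'NotInstalled'
                DisplayName = $null
                Version     = $null
                Publisher   = $null
            }
        }
    }
}

# Usage: print the summary as a table.
Get-WhitelistAuditSummary | Sort-Object -Property Status, DisplayName | Format-Table -AutoSize
```

This covers only the first two steps of the list above; the audit script described on this page goes further and inspects each whitelisted package's CustomActions before producing its report. Stale entries (`NotInstalled`) are still worth reviewing, since the exemption would apply again if a package with that product code were later installed.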
This script can also be useful if your target system is older and doesn't have the MS patch installed: just use the -ScanAll switch.
The script generates an HTML report for easy analysis of potential vulnerabilities.
Scan only whitelisted packages (useful for recent Windows versions; this is the default):

```powershell
.\auditMSIWhitelist.ps1 -ReportPath "C:\ReportPath"
```

Scan ALL installed packages (useful for older Windows versions where UAC never showed during the repair process):

```powershell
.\auditMSIWhitelist.ps1 -ReportPath "C:\ReportPath" -ScanAll
```

This script is intended for security auditing and educational purposes. Always test scripts in a controlled environment. The author is not responsible for any misuse or damage.
