MSI Installation Failed - Error code 1603

[ptr0x1]

Hi,

I've been playing with this project recently, trying to better understand these delete to EoP vectors. Great find! Locally I'm running into an issue where I get "MSI installation failed with error code 1603" during the install part after triggering the vulnerability. I modified the code to enable logging of MSI installation and make the UI visible and I see that the install is prompted with UAC actually which probably causes the error.

I've tried looking into this but did not find a clear answer yet, do you need the "AlwaysInstallElevated" key set to 1 in order to trigger the EoP? Or is the installation error expected and then the rollback would trigger the payload?

Any tips on how I can fix the error and make the race condition more reliable?

Thanks in advance!

[Hagrid29]

Hi, you dont need the "AlwaysInstallElevated" key for this exploit. But the installation rollback without that error code 1603 in my case. One of the possible conditions is you may have the app installed. I create the MSI with app name "test" as I remebered. You can try to search and unintall it. Or you can create your own MSI. I created one with Advanced Installer.

[ptr0x1]

Hi, I appreciate the respone, I wanted to capture the error code in case others also run into it, but indeed after redoing it a few times I managed to get rid of it. However I still see a general problem, where the MSI installer prompts for UAC (I am seeing this as I removed the UI hide from the code). Looking at ProcMon, until I pass admin creds in the UAC prompt the installer does not even create the Config folder or .rbs files so it does not seem to trigger the install at all.

Nice to know that it works as expected for you though, so trying to figure out if its a Windows version thing or anything else (I'm testing on a latest install Win11 version). Thanks for the tip I'll check with advanced installer to create my own version and try to test it in parts.

[ptr0x1]

Thanks for the tip, I could confirm the behavior working as expected after redoing the MSI with Advanced Installer! Indeed no UAC, or special privileges needed.