Windows caches MSI files at C:\Windows\Installer\ with randomized filenames consisting of letters and numbers followed by the ".msi" extension. This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file to investigate local privilege escalation vulnerabilities through MSI repairs. Read more about MSI repair vulnerabilities at Escalating Privileges via Third-Party Windows Installers.

Author: Andrew Oliveau (@AndrewOliveau)

x86_64-w64-mingw32-gcc -c msi_search.c -o msi_search.x64.o
i686-w64-mingw32-gcc -c msi_search.c -o msi_search.x86.o

Aggressor script included. Import it into Cobalt Strike and run msi_search. Alternatively, run the PowerShell script msi_search.ps1.