
Summary
The rule "Always Install Elevated Windows Installer" detects potentially malicious use of the Windows Installer service (msiexec.exe) to install MSI packages with SYSTEM privileges. Privilege escalation techniques often abuse the Windows Installer to run processes with high-level access, which can lead to significant security breaches. The rule targets process creation events on Windows systems where MSI packages are started by a user whose name contains either 'AUTHORI' or 'AUTORI', combined with filters on specific images and parameters tied to installer operations. Detection relies on the process image and integrity level, while various filters exclude legitimate processes. This makes the rule useful for mitigating the risk of unauthorized privilege escalation via the Windows Installer.
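As an added illustration (not part of this rule page or the Sigma project's code), the following Python matcher applies the criteria described above to constructed process-creation events. The exact image check, the System integrity value and the parent-process allowlist used as the benign filter are assumptions about how the rule's filters are expressed, not the rule's own definitions.

```python
from typing import Dict, List

Event = Dict[str, str]

def make_event(image: str, user: str, integrity: str, parent: str) -> Event:
    """Build a process-creation record using Sysmon/Sigma field names."""
    return {"Image": image, "User": user, "IntegrityLevel": integrity, "ParentImage": parent}

SYS = "System"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    # 0: Installer service started by the Service Control Manager: normal path, filtered out
    make_event(r"C:\Windows\System32\msiexec.exe", r"NT AUTHORITY\SYSTEM", SYS,
               r"C:\Windows\System32\services.exe"),
    # 1: msiexec running as SYSTEM under an unexpected parent: should alert
    make_event(r"C:\Windows\System32\msiexec.exe", r"NT AUTHORITY\SYSTEM", SYS,
               r"C:\Users\Public\unexpected_parent.exe"),
    # 2: same pattern on a French Windows with a localized account name: should alert
    make_event(r"C:\Windows\System32\msiexec.exe", r"AUTORITE NT\Système", SYS,
               r"C:\Temp\unexpected_parent.exe"),
    # 3: ordinary user-driven install at Medium integrity: out of scope
    make_event(r"C:\Windows\System32\msiexec.exe", r"WORKSTATION\alice", "Medium",
               r"C:\Windows\explorer.exe"),
]

# 'AUTHORI' covers NT AUTHORITY\SYSTEM; 'AUTORI' covers localized names such as AUTORITE NT.
USER_MARKERS = ("AUTHORI", "AUTORI")
# Assumed placeholder allowlist of parents that legitimately launch the installer.
BENIGN_PARENTS = (r"\services.exe", r"\msiexec.exe")

def matches_elevated_installer(ev: Event) -> bool:
    """True when the event matches the summary's criteria and no benign filter applies."""
    image = ev.get("Image", "").lower()
    user = ev.get("User", "").upper()
    integrity = ev.get("IntegrityLevel", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if not image.endswith(r"\msiexec.exe"):
        return False
    if not any(marker in user for marker in USER_MARKERS):
        return False
    if integrity != "system":
        return False
    if parent.endswith(BENIGN_PARENTS):  # legitimate-process filter
        return False
    return True

def find_alerts(events: List[Event]) -> List[int]:
    """Return the indices of events that would raise an alert."""
    return [i for i, ev in enumerate(events) if matches_elevated_installer(ev)]
```

Running `find_alerts(SAMPLE_EVENTS)` flags events 1 and 2 only; the service-driven start and the Medium-integrity user install are excluded.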
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
Created: 2020-10-13