How can an attacker leverage AlwaysInstallElevated for privilege escalation without existing registry entries, and how can backdoors be created?
If an attacker holds privileges such as `SeRestorePrivilege` or `SeTakeOwnershipPrivilege`, they can write to the registry to create the `AlwaysInstallElevated` values that the technique requires under both `HKLM` and `HKCU`, then use the AlwaysInstallElevated technique to escalate to SYSTEM. Additionally, if SYSTEM access has already been obtained, a backdoor can be created by modifying the ACL on those registry keys to grant `Everyone` write access, so that any standard user can toggle the setting later. For details on modifying registry ACLs, refer to the article Penetration Techniques - Access Control List in Windows.
Tags: SeRestorePrivilege, registry backdoor, ACL, AlwaysInstallElevated, privilege escalation