How can an attacker use Image File Execution Options (IFEO) via remote registry to execute code in a domain environment?

In a domain environment, an attacker can hijack `taskhost.exe` — a process started during Group Policy updates (every 90 minutes on workstations, 5 minutes on domain controllers). By setting a `debugger` value under `Image File Execution Options\taskhost.exe`, they can launch arbitrary payloads. Alternatively, they can configure `GlobalFlag` and `SilentProcessExit` to trigger code when `taskhost.exe` terminates. This method is explained in Penetration Techniques - Remote Registry in Windows.