How can defenders detect or prevent this UAC bypass using sdclt.exe?
Setting UAC to 'Always Notify' (the highest level) disables the auto-elevation the bypass relies on, so sdclt.exe no longer elevates silently and the user sees a consent prompt, which blocks the technique. Detection centres on two registry locations that the attacker must write to as the current user: `HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe` (used by the `sdclt.exe /KickOffElev` variant) and `HKCU:\Software\Classes\exefile\shell\runas\command` (the `IsolatedCommand` value, used when sdclt.exe is run directly). Neither key exists on a clean system, so security teams should alert on their creation or modification, especially when the writing process runs at medium integrity rather than as an elevated administrator. Additionally, process-creation telemetry (Sysmon Event ID 1 or Windows Security Event 4688) that shows sdclt.exe spawning unexpected children such as cmd.exe, powershell.exe or regedit.exe, or a high-integrity child launched from a user-writable path, is a strong indicator of an attack.
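As an added example (not code from the original answer), the following PowerShell script implements the three checks above on a single host: it reports whether UAC is at 'Always Notify', looks for the two HKCU artifact keys, and scans the Sysmon operational log for children of sdclt.exe. It assumes Sysmon is installed for the last check and silently skips it otherwise; the `ConsentPromptBehaviorAdmin`/`PromptOnSecureDesktop` mapping is the documented Windows policy encoding of 'Always Notify'.

```powershell
# Added example: hunt for sdclt.exe UAC-bypass artifacts on the local host.
# Not part of the original page; run in an elevated or a normal PowerShell session.

# 1. UAC level. 'Always notify' == ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1.
$policy = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($policy.ConsentPromptBehaviorAdmin -eq 2 -and $policy.PromptOnSecureDesktop -eq 1) {
    'OK: UAC is set to Always Notify (auto-elevation disabled)'
} else {
    Write-Warning ("UAC is NOT at Always Notify (ConsentPromptBehaviorAdmin={0}, PromptOnSecureDesktop={1})" -f `
        $policy.ConsentPromptBehaviorAdmin, $policy.PromptOnSecureDesktop)
}

# 2. Registry artifacts. Neither key exists on a clean profile, so presence alone is suspicious.
$suspectKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe',   # /KickOffElev variant
    'HKCU:\Software\Classes\exefile\shell\runas\command'                        # direct sdclt.exe variant
)
foreach ($key in $suspectKeys) {
    if (Test-Path -LiteralPath $key) {
        Write-Warning "Suspicious key present: $key"
        # Dump every value (e.g. '(default)' or 'IsolatedCommand') so the analyst sees the payload path.
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '    {0} = {1}' -f $_.Name, $_.Value }
    } else {
        "OK: $key not present"
    }
}

# 3. Process chain. Sysmon Event ID 1 records ParentImage; flag any child of sdclt.exe.
$sysmonEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                             -ErrorAction SilentlyContinue
if ($null -eq $sysmonEvents) {
    'Sysmon log not available; skipping process-chain check'
} else {
    foreach ($ev in $sysmonEvents) {
        # Parse EventData by field name rather than positional index, which varies across Sysmon versions.
        $data = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ParentImage'] -like '*\sdclt.exe') {
            Write-Warning ("{0} sdclt.exe (PID {1}) spawned {2} [{3}] cmdline: {4}" -f `
                $ev.TimeCreated, $data['ParentProcessId'], $data['Image'], $data['IntegrityLevel'], $data['CommandLine'])
        }
    }
}
```

Any hit from step 3 where the child runs at High integrity is the bypass succeeding, not merely being staged; the registry keys from step 2 are usually deleted by the attacker after use, so the process-chain evidence is the more durable of the two.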
Tags: defense, detection, Always Notify, registry monitoring, HKCU, process monitoring, sdclt.exe