How does exploitation via remote registry differ between a workgroup and a domain environment?
In a workgroup, attackers commonly hijack a specific application like `notepad.exe` (via `Image File Execution Options` or `SilentProcessExit`) to run `calc.exe`. In a domain, `taskhost.exe` is the preferred target because it runs predictably during Group Policy refreshes, which can also be forced remotely using `Invoke-GPUpdate`. Both scenarios require write access to the remote registry, as described in Penetration Techniques - Remote Registry in Windows.
Tags: workgroup exploitation, domain exploitation, taskhost.exe, Group Policy refresh, Invoke-GPUpdate