How does the CLR-based UAC bypass technique work by setting environment variables?
The technique leverages the Common Language Runtime (CLR) profiling mechanism. By setting the user-level environment variables `COR_ENABLE_PROFILING` to `1` and `COR_PROFILER` to a custom CLSID (e.g., `{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}`), any .NET process that starts afterwards, including high-integrity ones such as `gpedit.msc`, will load the profiler DLL registered under `HKCU\Software\Classes\CLSID\{CLSID}\InprocServer32`. Because both the environment variables and the CLSID registration live in the user's own hive, no elevation is needed to set them; when the high-privilege .NET program then runs, it loads the attacker's DLL and executes its code with elevated privileges, bypassing UAC. See "Use CLR to bypass UAC" for the full POC.
Tags: UAC bypass, CLR, COR_ENABLE_PROFILING, COR_PROFILER, privilege escalation, gpedit.msc

Source: Use CLR to bypass UAC