How does the SilentCleanup UAC bypass exploit work?
The exploit modifies the user-level environment variable `%windir%` to point to a controlled path (e.g., `cmd /K`). When the `SilentCleanup` scheduled task runs, it launches `%windir%\system32\cleanmgr.exe` with high integrity, but due to the hijacked variable, the attacker's payload (like a cmd.exe) executes instead, bypassing UAC. A one-liner such as `reg add hkcu\Environment /v windir /d "cmd /K ..." && schtasks /Run /TN ...` performs the attack silently.
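For the defensive side of the technique described above, here is an added example (not part of the original answer): a small Python detector that scans constructed Sysmon-style registry SetValue records for a `windir` value written under a per-user `Environment` key, which Windows never sets on its own, and flags it regardless of the data written. The event field names, the user names and the sample records are assumptions.

```python
"""Detect per-user overrides of the windir environment variable.

Added example, not from the original answer. Scans constructed
registry-change records for a 'windir' value under a per-user
Environment key, the precondition for the SilentCleanup bypass.
"""
import re
from dataclasses import dataclass

# Where %windir% legitimately resolves; a per-user copy is suspect even then.
EXPECTED_WINDIR = r"c:\windows"

@dataclass
class Finding:
    user: str
    key: str
    data: str
    reason: str

# Constructed sample records in a Sysmon Event ID 13 (RegistryEvent) style.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "User": "LAB\\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-1001\Environment\windir",
     "Details": "cmd /K echo hijacked"},
    {"EventType": "SetValue", "User": "LAB\\bob",
     "TargetObject": r"HKU\S-1-5-21-2222-1001\Environment\Path",
     "Details": r"C:\Users\bob\bin"},
    {"EventType": "SetValue", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\Environment\windir",
     "Details": r"C:\Windows"},
]

# Matches HKCU / HKU\<SID> Environment keys only; the machine-wide key
# under HKLM is where windir is legitimately defined and is not matched.
USER_ENV_WINDIR = re.compile(
    r"^(HKU\\[^\\]+|HKCU|HKEY_CURRENT_USER)\\Environment\\windir$",
    re.IGNORECASE)

def classify(event):
    """Return a Finding if the event writes a per-user windir value."""
    if event.get("EventType") != "SetValue":
        return None
    key = event["TargetObject"]
    if not USER_ENV_WINDIR.match(key):
        return None
    data = event.get("Details", "")
    if data.strip().lower().rstrip("\\") == EXPECTED_WINDIR:
        reason = "per-user windir set (benign value, still unusual)"
    else:
        reason = "per-user windir points outside the real Windows directory"
    return Finding(event["User"], key, data, reason)

def scan(events):
    """Return all findings for a list of registry events."""
    return [f for f in (classify(e) for e in events) if f]
```

A corresponding hardening step is to alert on any write to `HKCU\Environment\windir` and to review the `SilentCleanup` task's "run with highest privileges" setting on systems where the cleanup task is not needed.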
Tags: UAC bypass, SilentCleanup, environment variable hijacking, scheduled task, privilege escalation