What are the three conditions a program must meet to bypass UAC by default, and how does the exploit satisfy them?

A program must have `autoElevate=true` in its manifest, contain a valid signature, and execute from a trusted directory like `c:\windows\system32`. The exploit satisfies these by selecting an auto-elevating signed executable (e.g., `winsat.exe`), placing it inside a fake `c:\windows \` folder created with a Long UNC path, and running it from `c:\windows \system32\` which the system mistakenly treats as a trusted location. This approach is a variant of techniques discussed in Use CLR to bypass UAC.