What are the two different registry hijack methods demonstrated for bypassing UAC with sdclt.exe?

The first method sets the default value of `HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe` to the full path of an executable (e.g., cmd.exe), but it cannot include command‑line parameters. The second, fileless method creates a registry value `isolatedCommand` under `HKCU:\Software\Classes\exefile\shell\runas\command\` and then runs `sdclt.exe /KickOffElev` to execute the payload without writing a script to disk. Both methods are covered in detail in the Study Notes of using sdclt.exe to bypass UAC.