One Day Sec

What is the core principle behind userland registry hijacking?

The principle is key value synchronization: modifying the default value of a registry key under `HKCU:\Software\Classes\` automatically updates the corresponding key under `HKCR:\` (if that key already exists). This happens because `HKCR` is a merged view of `HKLM\Software\Classes` and `HKCU\Software\Classes`, and the per-user entry takes precedence where both exist. Editing `HKCU` requires only standard user permissions, while modifying `HKCR` directly requires administrator privileges. A standard user can therefore hijack high-privilege system registry entries by writing to their `HKCU` counterparts. For more details, see the original article.