One Day Sec

What is the key difference between the original usage of wlbsctrl.dll in the primer and the privilege escalation technique described in this article?

The original Expansion on the Exploitation of "Lateral Movement — SCM and DLL Hijacking Primer" used wlbsctrl.dll with administrator privileges to copy the DLL and manually start the IKEEXT service for remote code execution. The privilege escalation technique builds on this by exploiting the fact that the IKEEXT service loads wlbsctrl.dll without an absolute path, allowing standard users to hijack the DLL via a writable directory in the PATH environment variable, then trigger the service using `rasdial` with a crafted `rasphone.pbk` file.
Tags: wlbsctrl.dll, DLL hijacking, privilege escalation, IKEEXT, PATH hijacking, rasdial
