What is the key principle behind using sdclt.exe to bypass UAC in Windows 10?
The technique relies on the fact that sdclt.exe runs with elevated privileges because its manifest specifies `requireAdministrator`. During startup, sdclt.exe looks up the registry key `HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe`, so it can be hijacked by creating that key with a malicious executable as its default value. This allows an attacker to launch a payload at high integrity without triggering a UAC prompt. For more details, see the study notes on using sdclt.exe to bypass UAC.
Tags: UAC bypass, sdclt.exe, registry hijacking, Windows 10, App Paths, HKCU