What limitation does the first sdclt.exe bypass method have, and how is it overcome in the second method?

The first method (hijacking `App Paths\control.exe`) cannot pass command‑line arguments to the launched executable. For example, setting the value to `C:\Windows\System32\cmd.exe /c calc.exe` fails because sdclt.exe does not interpret the space as argument separation. The second method overcomes this by using the `-KickOffElev` switch and storing the full command in the `isolatedCommand` registry value under `exefile\shell\runas\command`. This allows arbitrary arguments, enabling fileless execution since the command can be embedded without writing a script to disk.