One Day Sec

What limitations does Process Doppelgänging have in practical exploitation?

One limitation is that the technique needs write access to the target file inside the NTFS transaction, so targeting files under system32 such as calc.exe may fail due to insufficient permissions even for administrators (these files are owned by TrustedInstaller rather than the Administrators group). Additionally, on Windows 10 builds before RS3 (version 1709), a null-pointer bug in `NtCreateProcessEx` can crash the system with a blue screen, so the OS build should be checked before the technique is attempted. Attackers often keep the payload in a memory buffer (fileless) and write it only into the transacted file that is later rolled back, so nothing persists on disk, as described in the exploitation approach in the Introduction to Process Doppelganging Exploitation.
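The two practical limitations above (write access to the target file and the pre-RS3 build) can be checked before anything is attempted. The following PowerShell preflight script is an added example and is not code from the original page; the target path, the build threshold (16299 is the RS3 / version 1709 build) and the output shape are this example's own assumptions. It only opens the file for writing and closes it again; it does not modify the file or create a transaction.

```powershell
# Added example (not from the original page): preflight checks for the
# practical limitations of Process Doppelganging on a given target file.
# Assumptions: default target path and the RS3 build number are this
# example's own; nothing here touches TxF or the target's contents.
param(
    [string]$Target = "C:\Windows\System32\calc.exe"
)

# 1. OS build: Windows 10 before RS3 (version 1709, build 16299) has the
#    NtCreateProcessEx null-pointer bug that blue-screens the machine.
$rs3Build = 16299
$build    = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$buildOk  = $build -ge $rs3Build

# 2. File system: TxF (CreateFileTransacted) only works on NTFS volumes.
$root  = [System.IO.Path]::GetPathRoot($Target)
$fsOk  = ([System.IO.DriveInfo]::new($root)).DriveFormat -eq "NTFS"

# 3. Write access: the transacted open needs write access to the target.
#    Files under system32 are owned by TrustedInstaller, so this usually
#    fails even in an elevated session. Opening with FileMode.Open and
#    FileAccess.Write does not change the file; we close it immediately.
$owner = (Get-Acl -Path $Target).Owner
$writeOk = $false
try {
    $fs = [System.IO.File]::Open(
        $Target,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Write,
        [System.IO.FileShare]::Read)
    $fs.Close()
    $writeOk = $true
} catch [System.UnauthorizedAccessException] {
    $writeOk = $false
}

# Summarise: all three must hold for the technique to be viable here.
[pscustomobject]@{
    Target       = $Target
    Owner        = $owner
    OSBuild      = $build
    BuildAtLeastRS3 = $buildOk
    VolumeIsNTFS = $fsOk
    WritableByMe = $writeOk
    Viable       = ($buildOk -and $fsOk -and $writeOk)
}
```

Run it as `.\preflight.ps1 -Target C:\Windows\System32\calc.exe` from an elevated prompt and `WritableByMe` will normally be `$false` with `Owner` reporting `NT SERVICE\TrustedInstaller`, which is exactly the permission limitation described above; pointing `-Target` at a file the current user owns (for example a copy of calc.exe under the user's profile) flips it to `$true`.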
