One Day Sec

What registry key can be modified to persist exploitation of CVE-2021-31196 without a MITM attack?

The registry key `HKLM\SOFTWARE\Microsoft\ExchangeServer\v15\UpdateExchangeHelp` stores the `ManifestUrl` value (type `REG_SZ`). By default it points to the Microsoft domain, but an attacker with local access can set it to a remote XML file (e.g., `http://192.168.1.3/poc.xml`). After that, any execution of `Update-ExchangeHelp` will download the attacker’s manifest and CAB file, enabling persistent arbitrary file writes. This persistence technique is detailed in the original analysis.
Tags: registry persistence, ManifestUrl, HKLM, UpdateExchangeHelp, persistence, Exchange Server
