Which system CLSIDs can be hijacked to bypass UAC when launching specific Microsoft Management Console (MMC) snap-ins?

The article identifies at least three CLSIDs that can be hijacked under `HKCU\Software\Classes\CLSID` to trigger a managed DLL when certain snap-ins are launched. For example, `{B29D466A-857D-35BA-8712-A758861BFEA1}` is invoked by `gpedit.msc`, and `{D5AB5662-131D-453D-88C8-9BBA87502ADE}` is invoked by `compmgmt.msc`, `eventvwr.msc`, `secpol.msc`, and `taskschd.msc`. Each requires setting `InprocServer32` to point to `mscoree.dll` with a custom `CodeBase` pointing to the attacker’s managed DLL. This method is similar to other COM-based UAC bypasses like Bypassing UAC via COM Component IARPUninstallStringLauncher.