Why can't we directly modify the HKEY_LOCAL_MACHINE registry key during the UAC bypass exploit?
During a UAC bypass, the attacker does not yet hold administrator privileges, so writing to `HKEY_LOCAL_MACHINE` (HKLM) is not possible: that hive requires an elevated token. Instead, the exploit writes to `HKEY_CURRENT_USER` (HKCU) under `Software\Microsoft\Windows\CurrentVersion\Uninstall`, which maps to the user's own registry hive and is writable without elevation. The COM component's `LaunchUninstallStringAndWait` method reads uninstall entries from both HKLM and HKCU, so the attacker can point it (via the entry's GUID) at a key under HKCU and have the payload executed without needing to write to HKLM.
Tags: registry permissions, HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, privilege escalation, uninstall registry