Why does modifying the PEB structure allow an attacker to bypass UAC when using IFileOperation?
The COM component IFileOperation uses the Process Status API (PSAPI) to read the calling process's PEB structure, specifically the ImagePathName and the loaded DLL names, to decide whether the caller is a trusted process. Because the PEB lives in the process's own user-mode memory, a process can overwrite these fields to mimic a trusted binary such as explorer.exe; it can then invoke IFileOperation with elevated privileges without triggering a UAC confirmation dialog. This technique is similar in concept to other UAC bypass methods, such as Bypassing UAC via COM Component IARPUninstallStringLauncher.
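A defender-side check for the gap the answer describes, added here as an example and not taken from the original page: it compares the ImagePathName a process advertises in its own PEB (the value PSAPI-based callers end up trusting) with the image path the kernel maintains, obtained through QueryFullProcessImageName. It assumes a 64-bit, elevated PowerShell session and the x64 PEB and RTL_USER_PROCESS_PARAMETERS offsets noted in the comments.

```powershell
# Added example (not from the original page). Flags processes whose user-writable PEB
# ImagePathName disagrees with the image path tracked by the kernel.
Add-Type -TypeDefinition @"
using System; using System.Text; using System.Runtime.InteropServices;
public static class PebProbe {
  [StructLayout(LayoutKind.Sequential)] public struct PBI {
    public IntPtr R1; public IntPtr PebBaseAddress; public IntPtr R2; public IntPtr R3; public IntPtr Pid; public IntPtr R4; }
  [DllImport("ntdll.dll")] public static extern int NtQueryInformationProcess(
    IntPtr h, int cls, ref PBI pbi, int len, out int ret);
  [DllImport("kernel32.dll", SetLastError=true)] public static extern bool ReadProcessMemory(
    IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr read);
  [DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)] public static extern bool QueryFullProcessImageName(
    IntPtr h, int flags, StringBuilder buf, ref int size);
}
"@
# Read $size bytes at $addr in the target process, or $null on failure
function Read-Mem($h, $addr, $size) {
  $buf = New-Object byte[] $size; $n = [IntPtr]::Zero
  if ([PebProbe]::ReadProcessMemory($h, $addr, $buf, $size, [ref]$n)) { return $buf } else { return $null }
}
# ImagePathName as stored in the target's own PEB (user mode can rewrite this)
function Get-PebImagePath($h) {
  $pbi = New-Object PebProbe+PBI; $ret = 0   # info class 0 = ProcessBasicInformation
  if ([PebProbe]::NtQueryInformationProcess($h, 0, [ref]$pbi, [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$ret) -ne 0) { return $null }
  # x64 offsets assumed: PEB.ProcessParameters at +0x20; RTL_USER_PROCESS_PARAMETERS.ImagePathName (UNICODE_STRING) at +0x60
  $b = Read-Mem $h ([IntPtr]::Add($pbi.PebBaseAddress, 0x20)) 8; if ($null -eq $b) { return $null }
  $params = [IntPtr][BitConverter]::ToInt64($b, 0)
  $us = Read-Mem $h ([IntPtr]::Add($params, 0x60)) 16; if ($null -eq $us) { return $null }
  $len = [BitConverter]::ToUInt16($us, 0); $ptr = [IntPtr][BitConverter]::ToInt64($us, 8)  # UNICODE_STRING.Length / .Buffer
  $s = Read-Mem $h $ptr $len; if ($null -eq $s) { return $null }
  return [Text.Encoding]::Unicode.GetString($s)
}
# Image path as the kernel tracks it (not derived from the PEB)
function Get-KernelImagePath($h) {
  $sb = New-Object Text.StringBuilder 1024; $size = $sb.Capacity
  if ([PebProbe]::QueryFullProcessImageName($h, 0, $sb, [ref]$size)) { return $sb.ToString() } else { return $null }
}
foreach ($p in Get-Process) {
  try { $h = $p.Handle } catch { continue }   # protected or inaccessible processes are skipped
  $peb = Get-PebImagePath $h; $kern = Get-KernelImagePath $h
  if ($peb -and $kern -and ($peb -ne $kern)) {   # -ne is case-insensitive in PowerShell
    Write-Warning ("PID {0} ({1}): PEB says '{2}' but kernel says '{3}'" -f $p.Id, $p.ProcessName, $peb, $kern)
  }
}
```

Benign differences in path form (short 8.3 names, symlinked volumes) can also produce a mismatch, so normalize both paths before treating a hit as masquerading.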
Tags: PEB structure, PSAPI, masquerading, trusted process, elevation