.NET SYSTEM persistence / UAC bypass / privilege escalation if the user who installs .NET loses permissions

Installing “.NET Core” modifies a registry key path that Local System uses when various default-installed Microsoft services run automatically. This makes it possible to go from user to SYSTEM persistence.



Path: Computer\HKEY_USERS\.DEFAULT\Environment or hku\.default\Environment

This post explains what the “user” .DEFAULT is: https://devblogs.microsoft.com/oldnewthing/20070302-00/?p=27783

Before installation:


After Installation:

When a Local System service runs and sees the environment variable %USERPROFILE%, it knows to navigate to “c:\windows\system32\config\systemprofile\”. Because the path was changed after installing the .NET SDK, the Local System service ends up searching for a missing DLL under the user-writable path “C:\users\kool\Appdata\Local\Microsoft\WindowsApps\”.
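
One way to audit a host for the condition described above, as an added example that is not part of the original write-up. It assumes the modified value is the Path value under HKU\.DEFAULT\Environment, and the list of trusted principals (SYSTEM, Administrators, TrustedInstaller) is likewise an assumption.

```powershell
# Added audit example, not from the original write-up.
# Assumption: the modified value is "Path" under HKU\.DEFAULT\Environment.
# Run elevated so every directory ACL can be read.

# Assumption: only these principals are expected to have write access.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$sidType     = [System.Security.Principal.SecurityIdentifier]
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$key = Get-Item -LiteralPath 'Registry::HKEY_USERS\.DEFAULT\Environment'
# Read the value unexpanded so %USERPROFILE% and similar stay visible.
$raw = $key.GetValue('Path', '',
    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

foreach ($entry in ($raw -split ';' | Where-Object { $_.Trim() })) {
    # Expansion uses the caller's environment. A SYSTEM service expands
    # %USERPROFILE% to its own profile, so the raw text is reported too.
    $dir     = [Environment]::ExpandEnvironmentVariables($entry.Trim())
    $exists  = Test-Path -LiteralPath $dir -PathType Container
    $writers = @()
    if ($exists) {
        $rules   = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
        $writers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.HasFlag($createFiles) -and
            -not $_.PropagationFlags.HasFlag($inheritOnly) -and
            $trusted -notcontains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    }
    [pscustomobject]@{
        RawEntry     = $entry
        Expanded     = $dir
        Exists       = $exists
        UnderUsers   = $dir -like "$env:SystemDrive\Users\*"
        OtherWriters = $writers -join ', '
    }
}
```

Entries with UnderUsers set to True or a non-empty OtherWriters column are the ones to investigate. For an entry that does not exist, check who is able to create it.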


The path that gets called by different local system services on bootup is


Two example services that call this DLL on boot:


Before adding the malicious DLL (svchost.exe attempts QueryOpen and CreateFile on a DLL that is not there):

Added the malicious DLL to the user-writable path