.NET SYSTEM persistence / UAC bypass / privesc if the user who installs .NET loses permissions

Installing “.NET Core” modifies a path under a registry key that Local System reads when several default-installed Microsoft services start automatically, which allows a move from user to SYSTEM persistence.

APPLIES TO:

.NET

Path: Computer\HKEY_USERS\.DEFAULT\Environment or hku\.default\Environment

This post explains what the “user” .DEFAULT is: https://devblogs.microsoft.com/oldnewthing/20070302-00/?p=27783

Before installation:

    

After Installation:

When a Local System service runs and sees the environment variable %USERPROFILE%, it knows to navigate to “c:\windows\system32\config\systemprofile\”. Since the path was changed after installing the .NET SDK, the Local System service ends up searching for a missing DLL under the user-writable path “C:\users\kool\Appdata\Local\Microsoft\WindowsApps\”.

https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/install

The path that gets called by different Local System services on boot is

C:\Users\kool\AppData\Local\Microsoft\WindowsApps\WptsExtensions.dll
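
A defender can check a host for this condition with the following added example (not part of the original write-up). It assumes the changed value is the one named Path under HKU\.DEFAULT\Environment and that account names are the English defaults; it lists each PATH entry as Local System would resolve it, who besides administrators can create files there, and whether WptsExtensions.dll is present.

```powershell
# Added example: audit the PATH that Local System services inherit
# from HKU\.DEFAULT\Environment (value name 'Path' is an assumption).
$key = 'Registry::HKEY_USERS\.DEFAULT\Environment'
$raw = (Get-Item -LiteralPath $key).GetValue('Path', '', 'DoNotExpandEnvironmentNames')

# Per the write-up, Local System resolves %USERPROFILE% to this directory.
$systemProfile = Join-Path $env:SystemRoot 'System32\config\systemprofile'

# Principals expected to hold write access (assumption: English account names).
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

$report = foreach ($entry in ($raw -split ';' | Where-Object { $_.Trim() })) {
    # Resolve %USERPROFILE% the way a Local System service would; any other
    # variables are expanded in the context of the account running this audit.
    $dir = $entry.Trim() -replace '%USERPROFILE%', $systemProfile
    $dir = [Environment]::ExpandEnvironmentVariables($dir)

    $writers = @()
    $exists  = Test-Path -LiteralPath $dir
    if ($exists) {
        # Allow ACEs that let a non-administrative principal create files here.
        $writers = @((Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $writeMask) -and
            $trusted -notcontains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    }

    [pscustomobject]@{
        Entry             = $entry
        ResolvedForSystem = $dir
        Exists            = $exists
        UnderUsersDir     = $dir -like (Join-Path $env:SystemDrive 'Users\*')
        NonAdminWriters   = $writers -join ', '
        WptsExtensionsDll = Test-Path -LiteralPath (Join-Path $dir 'WptsExtensions.dll')
    }
}

$report | Format-List

# Entries that need review: inside a user profile, or writable by non-admins.
$report | Where-Object { $_.UnderUsersDir -or $_.NonAdminWriters }
```

An entry that resolves inside C:\Users, or one that lists a non-administrative writer, is the condition described above; a WptsExtensions.dll already present in such a directory deserves inspection.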

Two example services that call this DLL on boot:

Another:

Before adding the malicious DLL (svchost.exe tries QueryOpen and CreateFile on a DLL that is not there)

Added the malicious DLL to the user-writable path