Windows: Running Object Table Register ROTFLAGS_ALLOWANYCLIENT EoP
By setting an appropriate AppID it is possible for a normal user process to register a global ROT entry. This can be abused to elevate privileges.

When registering an object in the Running Object Table (ROT), the default is to expose that registration only to the same user identity on the same desktop/window station. However, it is possible to register an entry visible to all users and contexts by using the ROTFLAGS_ALLOWANYCLIENT flag. This flag is only supposed to be usable if the COM process is a Local Service or a RunAs application. There are two clear problems with that check. First, a RunAs COM object created in the current session would typically run at the same privilege level as the caller, so an application that wanted to abuse this feature could inject code into that process. Second, while it is not possible to register a per-user COM object which specifies a RunAs AppID, it is possible to explicitly set the AppID when creating the object.
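As an added audit helper (not part of the original report), the following PowerShell lists every ROT entry visible from the calling context. Because default-scoped registrations are only visible to the registering user on the same desktop/window station, running it from a second, unprivileged account surfaces the entries that were registered with ROTFLAGS_ALLOWANYCLIENT; the class and function names (RotAudit, ListDisplayNames) are my own.

```powershell
# Compiled into the session with Add-Type; uses the managed COM interop
# interfaces from System.Runtime.InteropServices.ComTypes.
$rotAuditSource = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;

public static class RotAudit
{
    [DllImport("ole32.dll")]
    private static extern int GetRunningObjectTable(int reserved, out IRunningObjectTable prot);

    [DllImport("ole32.dll")]
    private static extern int CreateBindCtx(int reserved, out IBindCtx ppbc);

    // Returns the moniker display name of every ROT entry the caller can see.
    public static List<string> ListDisplayNames()
    {
        var names = new List<string>();
        IRunningObjectTable rot;
        IBindCtx ctx;
        Marshal.ThrowExceptionForHR(GetRunningObjectTable(0, out rot));
        Marshal.ThrowExceptionForHR(CreateBindCtx(0, out ctx));

        IEnumMoniker enumMoniker;
        rot.EnumRunning(out enumMoniker);
        enumMoniker.Reset();

        var monikers = new IMoniker[1];
        // Next() returns S_OK (0) while an item was fetched; S_FALSE (1) at the end.
        while (enumMoniker.Next(1, monikers, IntPtr.Zero) == 0)
        {
            string name;
            monikers[0].GetDisplayName(ctx, null, out name);
            names.Add(name);
            Marshal.ReleaseComObject(monikers[0]);
        }
        return names;
    }
}
'@
Add-Type -TypeDefinition $rotAuditSource

# Tag each entry with the identity it was observed from, so output captured
# from two different accounts can be compared to find cross-user registrations.
[RotAudit]::ListDisplayNames() | ForEach-Object {
    [pscustomobject]@{ ObservedAs = "$env:USERDOMAIN\$env:USERNAME"; Entry = $_ }
}
```

Any entry that appears for an account other than the one that registered it was exposed with ROTFLAGS_ALLOWANYCLIENT and is worth checking against the list of processes that legitimately run as Local Service or under a RunAs AppID.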