Windows NT keeps core system DLLs in virtual memory.

A user can load their own DLL into memory, using the same name as a system DLL, and change the entry point in the KnownDLLs list to point to their copy. When the DLL is invoked by a privileged process, it can grant the user Admin rights.

To prevent this from occurring, navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

Add a value named ProtectionMode of type REG_DWORD and set its data to 1. This enables stronger protection on base system objects, such as KnownDLLs. The default is 0.
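The same check and change in script form, as an added example that is not part of the original page. It assumes an elevated PowerShell session; the key path and value name are the ones given above, the function names and messages are my own:

```powershell
# Added example, not from the original page. Run from an elevated PowerShell session.
# Key path and value name are those given above; the rest is assumed.
$key  = 'HKLM:\System\CurrentControlSet\Control\Session Manager'
$name = 'ProtectionMode'

function Get-ProtectionMode {
    # Returns the current REG_DWORD data, or $null when the value does not exist
    # (absent means the default of 0 applies).
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Set-ProtectionMode {
    param([int]$Value = 1)
    if ($null -eq (Get-ProtectionMode)) {
        # Value absent: create it explicitly as REG_DWORD.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value | Out-Null
    } else {
        # Value present: overwrite it, keeping the REG_DWORD type.
        Set-ItemProperty -Path $key -Name $name -Value $Value -Type DWord
    }
}

# Audit first, then only change what is not already hardened.
$before = Get-ProtectionMode
if ($null -eq $before) {
    Write-Output "ProtectionMode is not set (default 0 applies)"
} else {
    Write-Output "ProtectionMode is currently $before"
}

if ($before -ne 1) {
    Set-ProtectionMode -Value 1
    Write-Output "ProtectionMode is now $(Get-ProtectionMode)"
} else {
    Write-Output "ProtectionMode is already 1; no change made"
}
```

The value is read by the Session Manager when the system starts, so the stronger protection on base system objects is only in effect after a reboot; the audit half of the script (the call to Get-ProtectionMode) can be run on its own from a non-elevated session to verify a machine's setting without changing anything.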