Apparently the registry keys needed to calculate the SysKey are accessed by processes such as smss.exe, winlogon.exe and syskey.exe, but when the system boots. An adversary can migrate to those processes to blend in. A reference, the attacker can drop a payload in place of the abandoned referenced path to the Portable executable under the right conditions (e.g. writable path). …