> If the application has a manifest, then any .local files are ignored.
I suppose this does not hold true for the .local folder named that, apparently? I had not seen it documented before that it looks in that specially crafted dll subfolder (presumably using information from the manifest) to load a dll that is specified in one.
The easiest way to see this is a tool like procmon - you can see every file that anyone tries to access or open. By taking a log of procmon while plugging in a USB device, I'm sure you can find a few things that shouldn't be being accessed...
Even when microsoft fixes all their issues, I can bet a bunch of 3rd party apps touch files on external media, and to exploit a locked computer, any third party app running on a users desktop is sufficient too!
I suppose this does not hold true for the .local folder named that, apparently? I had not seen it documented before that it looks in that specially crafted dll subfolder (presumably using information from the manifest) to load a dll that is specified in one.