drop registry hive · detect COM type library hijack patterns · runs locally
cross-ref HKCU vs HKLM TypeLib win32 · flags suspicious DLL paths under user-writable dirs
heuristic screener · provide both HKCU and HKLM exports for shadow detection · not definitive proof
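
The cross-reference described above, as an added example that is not this tool's own code: it parses text `.reg` exports of the HKCU and HKLM TypeLib keys, flags HKCU entries that shadow an HKLM registration, and flags any path containing an assumed user-writable marker. The function names, the marker list and the sample exports are constructed for illustration, and only REG_SZ default values are read.

```python
import re

# Assumed markers for user-writable locations; tune them for your environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "%appdata%", "%temp%")
# ...\TypeLib\{GUID}\<version>\<lcid>\win32 (or win64) key header in a .reg export
KEY_RE = re.compile(
    r"^\[.*\\TypeLib\\(\{[0-9A-Fa-f-]+\})\\([^\\\]]+)\\([^\\\]]+)\\(win32|win64)\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # REG_SZ default value only (assumption)

def parse_typelibs(reg_text):
    """Map (guid, version, lcid, platform) -> registered path from .reg export text."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m[1].upper(), m[2], m[3], m[4].lower()) if m else None
        elif current and (m := DEFAULT_RE.match(line)):
            entries[current] = m[1].replace("\\\\", "\\")  # undo .reg escaping
    return entries

def screen(hkcu_text, hklm_text=""):
    """Return (hive, guid, path, reasons) for entries worth a manual look."""
    hkcu, hklm = parse_typelibs(hkcu_text), parse_typelibs(hklm_text)
    findings = []
    for hive, entries in (("HKCU", hkcu), ("HKLM", hklm)):
        for key, path in sorted(entries.items()):
            reasons = []
            # Per-user registration that differs from the machine-wide one
            if hive == "HKCU" and key in hklm and hklm[key].lower() != path.lower():
                reasons.append("shadows HKLM")
            if any(marker in path.lower() for marker in USER_WRITABLE):
                reasons.append("user-writable path")
            if reasons:
                findings.append((hive, key[0], path, reasons))
    return findings

# Constructed sample exports (not real data)
SAMPLE_HKCU = r'''
[HKEY_CURRENT_USER\Software\Classes\TypeLib\{11111111-2222-3333-4444-555555555555}\1.0\0\win32]
@="C:\\Users\\alice\\AppData\\Roaming\\lib\\helper.dll"
'''
SAMPLE_HKLM = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{11111111-2222-3333-4444-555555555555}\1.0\0\win32]
@="C:\\Program Files\\Vendor\\helper.dll"
'''

if __name__ == "__main__":
    for finding in screen(SAMPLE_HKCU, SAMPLE_HKLM):
        print(finding)
```

Exports written by regedit are UTF-16, so decode them before passing the text in. Without the HKLM export the shadow check cannot fire and only the path heuristic remains.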