The CloudExperienceHostBroker hosts unsafe COM objects that are accessible to a normal user, leading to elevation of privilege.
7888834d5b9f65c613c040c3ae903e13e111aac394ea82b8960fd0610e98dd60
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32-based ICreateObject COM server as local system. This is marked as being accessible from a normal user account, so once created we can attach to it. The server only has one method, CreateObject, which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes allows a user to set their account picture for the logon screen.
6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3