The concept here is pretty simple. Windows supports some built in accessibility features like Sticky Keys, Utilman, Narrator, Magnify that are available at pre-logon (at the login screen, either via a physical console or via Remote Desktop). Replacing them by cmd.exe live us with a SYSTEM access at pre-logon.
Practice
We can replace the C:\Windows\System32\Utilman.exe with a cmd.exe and rename it (utilman.exe). You may need to change utilman.exe owner to yourself first as TrustedIntaller may be giving you a hard time.
Know, press Windows Key+U to spawn an elevated shell
We can replace the C:\Windows\System32\sethc.exe with a cmd.exe and rename it (sethc.exe). You may need to change sethc.exe owner to yourself first as TrustedIntaller may be giving you a hard time.