Beyond good ol’ Run key, Part 149 – update

In my older post, I described a persistence mechanism (the GPExtensionDLL Registry entry) that I couldn't get to work at the time. I eventually found a way to trigger it, using the LoadGPExtensionDll function exported by fwpolicyiomgr.dll.

One can execute:

rundll32.exe fwpolicyiomgr.dll, LoadGPExtensionDll

to load a DLL referenced by the following Registry entry:

HKLM\System\CurrentControlSet\Services\mpssvc\Parameters\GPExtensionDLL=<DLL>
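The following PowerShell is an added example, not code from the original post: it audits the Registry value above (path, whether the referenced file exists, its Authenticode status) and, for a lab box, sets the value to a DLL you control and fires the rundll32 trigger described above. It assumes an elevated session (the key lives under HKLM, so an attacker needs admin to plant this in the first place), and it assumes the value is a REG_SZ/REG_EXPAND_SZ holding a full path; neither detail is stated in the post.

```powershell
# Added example (not from the original post). Audits the GPExtensionDLL value
# and, optionally, reproduces the load in a lab. Assumes an elevated session.
# Assumption not stated in the post: the value is a string holding a full path.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mpssvc\Parameters'
$ValueName = 'GPExtensionDLL'

function Get-GPExtensionDllEntry {
    # Returns $null when the value is absent, otherwise a small report object.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { return $null }

    $dll = $item.$ValueName
    # Expand %VAR% references before checking the file on disk.
    $resolved = [Environment]::ExpandEnvironmentVariables($dll)
    $exists   = Test-Path -LiteralPath $resolved -PathType Leaf

    $signature = 'n/a (file missing)'
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        $signature = '{0} {1}' -f $sig.Status, $sig.SignerCertificate.Subject
    }

    [pscustomobject]@{
        RegistryValue = $dll
        ResolvedPath  = $resolved
        FileExists    = $exists
        Signature     = $signature
        # A DLL outside System32 is worth a second look.
        InSystem32    = $resolved -like "$env:SystemRoot\System32\*"
    }
}

function Invoke-GPExtensionDllLoad {
    # Lab only: point the value at a test DLL you control, then trigger the
    # load the way the post describes. Needs write access to the key.
    param([Parameter(Mandatory)][string]$TestDllPath)

    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $TestDllPath -Type String

    # rundll32 calls LoadGPExtensionDll, which reads the value and loads the
    # DLL into the rundll32.exe process. Canonical rundll32 syntax: no space
    # after the comma.
    Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
        -ArgumentList 'fwpolicyiomgr.dll,LoadGPExtensionDll' -Wait
}

# Audit run: show the entry if present, otherwise report a clean state.
$entry = Get-GPExtensionDllEntry
if ($entry) { $entry | Format-List } else { "No $ValueName value under $KeyPath" }
```

For detection, watch for writes to that value (Sysmon Event ID 13 on the key path) and for rundll32.exe launched with fwpolicyiomgr.dll on its command line, then check which image rundll32 loads next (Sysmon Event ID 7). After a lab run, remove the value again with Remove-ItemProperty so the test DLL does not linger on the box.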