The repository contains psexec, which will help to exploit the forgotten pipe
Have a non-genius administrator connect using PsExec to the host:
We discovered this when we saw the RemCom_Communication bundle. This one is standard for PsExec
Using psexec_noinstall, it is possible to connect to this pipeline as any low-privileged user, since the DACL of the pipeline allows this:
Here's a checker: