Your UEFI firmware can inject a PE binary into Windows on every boot via WPBT (Windows Platform Binary Table). smss.exe extracts it to disk and runs it as SYSTEM. OEMs use this to survive OS reinstalls. Attackers use it the same way.
One registry value tells Windows to ignore the table entirely:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v DisableWpbtExecution /d 1 /t REG_DWORD /f
Won't stop real firmware implants, but kills a whole class of cheap persistence for free.
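Added example, not from the original post: a PowerShell audit that enumerates the firmware's ACPI tables to see whether a WPBT is exposed, checks whether the DisableWpbtExecution value above is set, and optionally applies it. It assumes an elevated PowerShell 5.1+ session on Windows 8 or later; the dropped-file path wpbbin.exe is an assumption based on the documented extraction location, not something the post states.

```powershell
# Added example (not from the original post). Requires an elevated session.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint Provider, byte[] Buffer, uint BufferSize);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Fw' -Namespace 'WpbtAudit' -PassThru

# Provider signature 'ACPI' packed as a DWORD, as the Win32 API expects.
$ACPI = 0x41435049
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
# Assumed drop location: smss.exe writes the WPBT payload here before running it.
$DropPath = Join-Path $env:SystemRoot 'System32\wpbbin.exe'

function Get-AcpiTableIds {
    # First call with a NULL buffer returns the size needed for the ID list.
    $size = $k32::EnumSystemFirmwareTables($ACPI, $null, 0)
    if ($size -eq 0) { return @() }
    $buf = New-Object byte[] $size
    [void]$k32::EnumSystemFirmwareTables($ACPI, $buf, $size)
    # The list is a packed array of 4-byte ASCII table signatures.
    for ($i = 0; $i -lt $size; $i += 4) {
        [System.Text.Encoding]::ASCII.GetString($buf, $i, 4)
    }
}

function Test-WpbtExposure {
    param([switch]$Apply)   # -Apply sets DisableWpbtExecution=1 when a WPBT is present
    $tables   = @(Get-AcpiTableIds)
    $hasWpbt  = $tables -contains 'WPBT'
    $current  = (Get-ItemProperty -Path $KeyPath -Name DisableWpbtExecution `
                    -ErrorAction SilentlyContinue).DisableWpbtExecution
    $disabled = ($current -eq 1)

    if ($hasWpbt -and -not $disabled -and $Apply) {
        # Same mitigation as the reg add command in the post.
        Set-ItemProperty -Path $KeyPath -Name DisableWpbtExecution -Value 1 -Type DWord
        $disabled = $true
    }

    [pscustomobject]@{
        WpbtTablePresent  = $hasWpbt
        ExecutionDisabled = $disabled
        PayloadOnDisk     = (Test-Path $DropPath)   # evidence it already ran at least once
        AcpiTables        = ($tables -join ',')
    }
}

Test-WpbtExposure
```

A result of WpbtTablePresent=True with ExecutionDisabled=False means the next boot will still run whatever the firmware supplies; PayloadOnDisk=True is worth preserving for analysis before the value is flipped.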