Some unusual run-time rundll32.exe artifacts
2025-11-16 20:53:51 Author: www.hexacorn.com

If you use Process Monitor as often as I do, you probably know that loading a DLL via rundll32.exe produces this curious set of events:

It turns out that the code of rundll32.exe includes a routine called RunDLL_InitActCtx that tries to load these manifests one by one (via the CreateActCtxW API).

So far, I have not found any way to abuse this feature, but I am documenting it here – perhaps you will be more successful!
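For triage, the manifest lookups described above can be pulled out of a Process Monitor CSV export and grouped per rundll32.exe process. This is an added example, not code from the original post; it assumes Procmon's default CSV column names and that the probed paths end in `.manifest`, and the sample rows and file names are constructed placeholders, not the names rundll32.exe actually probes.

```python
import csv
import io
from collections import defaultdict

# Constructed Process Monitor CSV export. Paths are made-up placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.0000001","rundll32.exe","4242","CreateFile","C:\Lab\placeholder-a.manifest","NAME NOT FOUND",""
"10:00:00.0000002","rundll32.exe","4242","CreateFile","C:\Lab\placeholder-b.manifest","NAME NOT FOUND",""
"10:00:00.0000003","rundll32.exe","4242","CreateFile","C:\Lab\sample.dll","SUCCESS",""
"10:00:01.0000001","explorer.exe","1000","CreateFile","C:\Lab\placeholder-a.manifest","NAME NOT FOUND",""
"10:00:02.0000001","RUNDLL32.EXE","5151","CreateFile","C:\Lab\placeholder-c.manifest","SUCCESS",""
'''


def manifest_probes(csv_text):
    """Group rundll32.exe manifest lookups by PID as (operation, path, result)."""
    probes = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Process names are case-insensitive on Windows.
        if row["Process Name"].lower() != "rundll32.exe":
            continue
        # Assumption: the lookups of interest target paths ending in .manifest.
        if not row["Path"].lower().endswith(".manifest"):
            continue
        probes[row["PID"]].append((row["Operation"], row["Path"], row["Result"]))
    return dict(probes)


def existing_manifests(probes):
    """Paths where a lookup succeeded, i.e. a manifest file was really present."""
    return sorted({path
                   for events in probes.values()
                   for _op, path, result in events
                   if result == "SUCCESS"})


if __name__ == "__main__":
    found = manifest_probes(SAMPLE_CSV)
    for pid, events in found.items():
        print(f"rundll32.exe PID {pid}: {len(events)} manifest lookup(s)")
        for op, path, result in events:
            print(f"  {op:<12} {result:<16} {path}")
    print("Manifests that exist on disk:", existing_manifests(found))
```

When reading a real export from disk, open it with `encoding="utf-8-sig"`, since Procmon writes a byte-order mark at the start of the file.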


Article source: https://www.hexacorn.com/blog/2025/11/16/some-unusual-run-time-rundll32-exe-artifacts/