microsoft / PowerToys

Microsoft PowerToys is a collection of utilities that supercharge productivity and customization on Windows

Security: Fix Local privilege escalation via DLL hijack (#46145)

## Summary of the Pull Request
Attack vector:
1. The user installs the per-machine installer.
2. Open an elevated command prompt and verify the newly added PowerToys PATH entry.
3. Inspect the ACL on the DSCModules directory and observe that the "Authenticated Users" group has inherited Modify permissions.
4. Log in as a low-privileged (non-admin) user and confirm that you can create or modify files in C:\PowerToys\DSCModules\. This confirms that a non-admin user can plant arbitrary DLLs in a system PATH directory.
5. The attacker identifies a DLL that a privileged process (e.g., a system service or an application running as a different, higher-privileged user) attempts to load via the standard DLL search order. The attacker crafts a malicious DLL with the same name and places it in C:\PowerToys\DSCModules.

The fix is to:
* Harden the PowerToys DSC directory for per-machine custom installs with the correct ACL enforced with WiX.

## PR Checklist

- [ ] Closes: #xxx
- [ ] **Communication:** I've discussed this with core contributors
already. If the work hasn't been agreed, this work might be rejected
- [ ] **Tests:** Added/updated and all pass
- [ ] **Localization:** All end-user-facing strings can be localized
- [ ] **Dev docs:** Added/updated
- [ ] **New binaries:** Added on the required places
- [ ] [JSON for
signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json)
for new binaries
- [ ] [WXS for
installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs)
for new binaries and localization folder
- [ ] [YML for CI
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml)
for new test projects
- [ ] [YML for signed
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml)
- [ ] **Documentation updated:** If checked, please file a pull request
on [our docs
repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys)
and link it here: #xxx

## Detailed Description of the Pull Request / Additional comments

## Validation Steps Performed

<img width="836" height="449" alt="image"
src="https://github.com/user-attachments/assets/f21a814c-6514-4a86-b214-0984653aaab4"
/>


After upgrade, the ACL:

```text
Path   : Microsoft.PowerShell.Core\FileSystem::C:\apps\PowerToys\DSCModules
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:SYG:SYD:P(A;OICIIO;GA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)
```

---------

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Kai Tao committed
87b24afa235b8f7e2dff563c84496a8387fbb163
Parent: 74c53c1
Committed by GitHub <[email protected]> on 3/17/2026, 3:27:57 AM
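An audit for the condition this commit fixes, as an added example that is not part of the PowerToys change: it walks the machine PATH and reports directories where Everyone, Authenticated Users, INTERACTIVE or Users hold write-capable rights, the weakness the DSCModules directory had before the WiX ACL was enforced. Assumed: an elevated PowerShell session and English display names for the built-in principals.

```powershell
# Added audit script (not PowerToys code): flag machine-PATH directories
# that any local user can write to, which is what makes DLL planting
# possible. Assumes an elevated session and English principal names.

# Principals that effectively mean "any local user".
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Rights that let a caller create or replace a file in the directory,
# plus the generic bits (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000)
# that show up as raw numbers in inherit-only ACEs, like the CREATOR OWNER
# entry (268435456) in the Get-Acl output above.
$specific  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$dirs = $machinePath -split ';' | Where-Object { $_ -ne '' } | Select-Object -Unique

foreach ($dir in $dirs) {
    $expanded = [Environment]::ExpandEnvironmentVariables($dir)
    # Entries that do not resolve to a directory are skipped here.
    if (-not (Test-Path -LiteralPath $expanded -PathType Container)) { continue }

    $acl = Get-Acl -LiteralPath $expanded
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic bits outside the enum's named values are kept.
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Directory = $expanded
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited Modify was the DSCModules case
        }
    }
}
```

Any row returned is a PATH directory with the same class of weakness; the corrected ACL in this commit (SYSTEM and Administrators FullControl, Users ReadAndExecute only, inheritance blocked via the P flag in the SDDL) produces no row for DSCModules.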