How does this code get on the target client? Is that a fair question?
1.) If there is a already a vulnerable trusted app installed on the user's system and executing when somehow you exploit it in proc via, say, some memory attack, e.g., buffer overrun, which then executes this code in context.
2.) If the user chooses to run an unsigned exe containing this code from an untrusted source, say, from your website.