One Day Sec

How can TSMSISrv.dll and TSVIPSrv.dll be used to establish a backdoor on a domain controller?

If Remote Desktop is enabled on the domain controller, the SessionEnv service starts automatically at boot and attempts to load `C:\Windows\System32\TSMSISrv.dll` or `C:\Windows\System32\TSVIPSrv.dll`. Neither DLL exists by default, so an attacker with write access to that directory can place a malicious DLL at either path; when the service starts, the DLL is loaded, yielding code execution that persists across reboots. The technique applies when an attacker can write files to the host but cannot execute commands remotely, as described in the Expansion on the Exploitation of "Lateral Movement — SCM and DLL Hijacking Primer".
Tags: TSMSISrv.dll, TSVIPSrv.dll, SessionEnv, backdoor, Remote Desktop, domain controller, persistence