Summary

If unauthorized individuals manage to access the server and insert specially crafted Dynamic Link Libraries (DLLs), there is a possibility that the svcr.exe runtime, used for some TSplus Remote Access modules, might execute third-party code not originating from TSplus.


To prevent such situations, it is important to ensure that malicious individuals cannot access the server in the first place. If an attacker has already gained access, it is highly improbable that they will attempt to exploit svcr.exe, as it is a complex and time-consuming task, and they would likely opt for simpler methods.


If you have any questions or concerns about this security notification, please contact our support team for assistance.


Details

The program svcr.exe implements an application runtime, which means that it allows the execution of other programs and cannot be executed itself. Therefore, to avoid executing arbitrary code, it is important that none of the following DLL files is located in the same directory as the program:

  • propsys.dll
  • edputil.dll
  • urlmon.dll
  • iertutil.dll
  • srvcli.dll
  • netutils.dll
  • cldapi.dll
  • mpr.dll

when executing one of the following programs:

  • C:\ProgramData\alternateshell.exe
  • C:\ProgramData\logonsession.exe
  • C:\ProgramData\removelastfolder.exe
  • C:\wsession\logonsession.exe
  • C:\wsession\refresh_environment.exe
  • C:\wsession\runwsession.exe
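
The following PowerShell audit is an added example, not code from TSplus. It checks the folders of the programs listed above for any of the listed DLL names and reports each file's hash and signature status. It assumes "the same directory as the program" means the folder holding each listed executable; the function name Find-SideloadCandidate is hypothetical.

```powershell
# Added example: audit for the DLL names in this advisory beside the listed programs.
# Assumption: the directories to check are the parent folders of the listed executables.
$DllNames = @(
    'propsys.dll', 'edputil.dll', 'urlmon.dll', 'iertutil.dll',
    'srvcli.dll', 'netutils.dll', 'cldapi.dll', 'mpr.dll'
)
$Programs = @(
    'C:\ProgramData\alternateshell.exe',
    'C:\ProgramData\logonsession.exe',
    'C:\ProgramData\removelastfolder.exe',
    'C:\wsession\logonsession.exe',
    'C:\wsession\refresh_environment.exe',
    'C:\wsession\runwsession.exe'
)

function Find-SideloadCandidate {
    param(
        [Parameter(Mandatory)] [string[]] $ProgramPath,
        [Parameter(Mandatory)] [string[]] $DllName
    )
    # Reduce the program list to the unique folders that contain them.
    $dirs = $ProgramPath | ForEach-Object { Split-Path -Path $_ -Parent } | Sort-Object -Unique
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        foreach ($name in $DllName) {
            $candidate = Join-Path -Path $dir -ChildPath $name
            if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) { continue }
            # -Force so hidden or system-flagged files are still returned.
            $item = Get-Item -LiteralPath $candidate -Force
            $sig  = Get-AuthenticodeSignature -LiteralPath $candidate
            [pscustomobject]@{
                Path            = $candidate
                LastWriteTime   = $item.LastWriteTime
                SHA256          = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject  # $null when unsigned
            }
        }
    }
}

$findings = @(Find-SideloadCandidate -ProgramPath $Programs -DllName $DllNames)
if ($findings.Count -eq 0) {
    Write-Output 'None of the listed DLLs is present beside the listed programs.'
} else {
    $findings | Format-List
    exit 1   # non-zero exit so a scheduled task or monitoring agent can alert
}
```

Run it from an elevated session so hidden files and restricted folders are readable. Any finding means a file the advisory says must not be there and should be investigated whatever its signature status.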