title: Screensaver (T1546.002)
id: df00tech-t1546-002
status: experimental
description: "Adversaries may establish persistence by modifying the Windows screensaver configuration. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. Adversaries can abuse this by modifying the SCRNSAVE.EXE registry value in HKCU\\Control Panel\\Desktop to point to a malicious executable that runs whenever the screensaver activates."
references:
  - https://attack.mitre.org/techniques/T1546/002/
  - https://df00tech.com/detections/T1546.002
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.002
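# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
  category: registry_set
detection:
  # The original logic could not be auto-translated (see the KQL/SPL query on df00tech).
  # This selection matches writes to the SCRNSAVE.EXE value named in the description;
  # HKCU is logged under the user's SID hive, hence the suffix match.
  selection:
    TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE'
  condition: selection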
falsepositives:
  - "Corporate desktop management tools (e.g., SCCM, Group Policy) that configure screensaver timeout and path centrally"
  - "Legitimate third-party screensaver applications installed by users (e.g., 3D aquarium, slideshow screensavers) that install .scr files outside System32"
  - IT helpdesk tools that reset screensaver settings as part of standard baseline enforcement
  - "User-initiated changes through Windows Display Settings that write to the Control Panel\\Desktop registry key"
level: high
