MITRE ATT&CK® Analytic

AN0441: Analytic 0441

Unusual screensaver (.scr) executions correlated with recent registry modifications to HKCU\Control Panel\Desktop values such as SCRNSAVE.exe, ScreenSaveTimeout, and ScreenSaveActive. Detection focuses on PE image paths not consistent with known legitimate screensavers and triggered after user inactivity timeout.

Enterprise | AN0441 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because Windows screensaver configuration can become a persistence or execution signal when a recently changed user registry setting points to an unusual .scr executable. For leaders, the value is not the screensaver itself; it is whether the organization can correlate endpoint process execution with user-level registry changes and user inactivity timing well enough to catch suspicious behavior that may otherwise look like normal desktop activity.

Executive priority

Prioritize this as an endpoint visibility and correlation validation item for Windows environments. It helps answer whether SOC and IR teams have usable evidence for user-profile registry changes, executable launch paths, and context around when execution occurred. The business decision value is strongest for resilience and audit readiness: confirm that endpoint monitoring can distinguish expected corporate screensavers from unexpected PE image paths and preserve enough context for investigation.

Technical view

Validate whether Windows telemetry captures .scr process executions and recent modifications under HKCU\Control Panel\Desktop, especially SCRNSAVE.exe, ScreenSaveTimeout, and ScreenSaveActive. Detection should focus on correlation: a registry change followed by screensaver execution after an inactivity timeout, where the PE image path is not consistent with known legitimate screensavers. Because no ATT&CK tactic or relationship context is supplied, teams should treat this as a detection analytic requiring local baselining rather than as proof of a specific intrusion pattern.

Likely telemetry

  • Windows process execution events for .scr files and associated PE image paths
  • User registry modification events under HKCU\Control Panel\Desktop
  • Values for SCRNSAVE.exe, ScreenSaveTimeout, and ScreenSaveActive
  • User/session context and timing needed to assess inactivity-triggered execution
  • Endpoint inventory or allowlist data for known legitimate corporate screensavers

Detection direction

  • Baseline legitimate screensaver paths and expected enterprise configuration before alerting on all .scr execution.
  • Correlate recent HKCU screensaver registry modifications with subsequent .scr process execution instead of relying on process name alone.
  • Tune for false positives from approved personalization changes, corporate screen lock tooling, OS defaults, and managed desktop configuration updates.
  • Confirm telemetry includes per-user registry paths; HKCU-focused changes may be missed if collection only emphasizes machine-wide registry locations.
  • Investigate unusual PE image paths, unexpected user context, and timing alignment with configured inactivity timeout.
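As an added example (not MITRE's or Glexia's code, and not an official detection), the correlation the bullets above call for, run over constructed event records: a watched value under the per-user Desktop key is modified, and within a window the same user launches a .scr image that is not on an example allowlist, so process name alone never fires. The field names, the HKU\<SID> spelling of the per-user hive, the 24-hour window and the allowlist contents are assumptions of this example.

```python
import re
from datetime import datetime, timedelta
# Values under HKCU\Control Panel\Desktop named by the analytic.
WATCHED_VALUES = {"scrnsave.exe", "screensavetimeout", "screensaveactive"}
# Per-user hives show up as HKCU or, in many sensors, as HKU\<SID>; accept both spellings.
DESKTOP_KEY = re.compile(r"^(hkcu|hkey_current_user|hku\\[^\\]+)\\control panel\\desktop$")
# Example allowlist only; substitute the organization's own baseline of approved .scr paths.
ALLOWED_SCR = {r"c:\windows\system32\bubbles.scr", r"c:\windows\system32\mystify.scr"}
WINDOW = timedelta(hours=24)  # how recent a registry change must be to count as correlated
def _norm(path):
    return path.strip('"').lower()

def correlate(events):
    """Alert on .scr launches by a user with a recent watched-value change, unless allowlisted."""
    recent = {}  # user -> [time of last watched change, configured SCRNSAVE.EXE path]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "registry_set":
            if DESKTOP_KEY.match(_norm(ev["key"])) and ev["value_name"].lower() in WATCHED_VALUES:
                entry = recent.setdefault(ev["user"], [None, None])
                entry[0] = ev["time"]
                if ev["value_name"].lower() == "scrnsave.exe":
                    entry[1] = _norm(ev["data"])
        elif ev["type"] == "process_create" and _norm(ev["image"]).endswith(".scr"):
            changed_at, configured = recent.get(ev["user"], (None, None))
            image = _norm(ev["image"])
            if changed_at is None or ev["time"] - changed_at > WINDOW or image in ALLOWED_SCR:
                continue  # no recent per-user change, or a known legitimate screensaver
            alerts.append({"user": ev["user"], "image": image, "registry_change": changed_at,
                           "matches_scrnsave_value": configured == image})
    return alerts

def demo_alerts():
    # Constructed sample telemetry (not real logs); returns the alerts correlate() raises.
    def reg(t, user, key, name, data):
        return {"type": "registry_set", "time": t, "user": user, "key": key, "value_name": name, "data": data}
    def proc(t, user, image):
        return {"type": "process_create", "time": t, "user": user, "image": image}
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    desktop = r"HKCU\Control Panel\Desktop"
    temp_scr = r"C:\Users\alice\AppData\Local\Temp\update.scr"
    events = [
        reg(t0, "alice", r"HKU\S-1-5-21-1111-2222-3333-1001\Control Panel\Desktop", "SCRNSAVE.EXE", temp_scr),
        reg(t0 + timedelta(seconds=5), "alice", desktop, "ScreenSaveTimeout", "60"),
        proc(t0 + timedelta(minutes=12), "alice", temp_scr),           # unusual path -> alert
        reg(t0, "bob", desktop, "ScreenSaveActive", "1"),
        proc(t0 + timedelta(hours=1), "bob", r"C:\Windows\System32\Bubbles.scr"),  # allowlisted
        proc(t0 + timedelta(hours=2), "carol", r"C:\Tools\custom.scr"),  # no recent registry change
    ]
    return correlate(events)
```

Only alice's launch is reported, because bob's image is allowlisted and carol had no recent change to a watched value; the `matches_scrnsave_value` field records whether the launched image is the one the user's SCRNSAVE.EXE value now points at.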

Mitigation priorities

  • Establish approved screensaver configuration standards for Windows endpoints.
  • Restrict or monitor user-level changes to screensaver-related registry values where operationally appropriate.
  • Maintain an inventory or allowlist of legitimate screensaver executables and expected paths.
  • Ensure endpoint logging and retention support process-to-registry correlation for incident response.
  • Use managed configuration controls where available to reduce unmanaged screensaver changes.

Analyst notes and limits

The supplied object is a detection analytic, AN0441, for Windows. It describes unusual .scr execution correlated with recent HKCU\Control Panel\Desktop registry modifications. No official detection logic, tactics, ATT&CK technique relationships, aliases, or labels were supplied, so this take emphasizes validation of telemetry and correlation requirements rather than mapping to a specific adversary objective.

This assessment is limited to the supplied ATT&CK fields and external reference. There is no relationship context, no official detection text, and no supported claim of active exploitation, attribution, impact, or coverage. Local baselines are required to define which screensaver paths and registry changes are expected in a specific environment.

Official MITRE ATT&CK definition

Analytic 0441

Unusual screensaver (.scr) executions correlated with recent registry modifications to HKCU\Control Panel\Desktop values such as SCRNSAVE.exe, ScreenSaveTimeout, and ScreenSaveActive. Detection focuses on PE image paths not consistent with known legitimate screensavers and triggered after user inactivity timeout.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created:
  • Modified:
  • Raw hash: 562a32421f3a7b35...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 562a32421f3a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0441

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.