T1546.002 Screensaver
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[2] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
- SCRNSAVE.exe - set to malicious PE path
- ScreenSaveActive - set to ‘1’ to enable the screensaver
- ScreenSaverIsSecure - set to ‘0’ to not require a password to unlock
- ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.[1]
| Item | Value |
|---|---|
| ID | T1546.002 |
| Sub-techniques | T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016, T1546.017, T1546.018 |
| Tactics | TA0004, TA0003 |
| Platforms | Windows |
| Version | 1.3 |
| Created | 24 January 2020 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0168 | Gazer | Gazer can establish persistence through the system screensaver by configuring it to execute the malware.[1] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Use Group Policy to disable screensavers if they are unnecessary.[3] |
| M1038 | Execution Prevention | Block .scr files from being executed from non-standard locations. |
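
A detection-side check for the four Registry values listed above, combined with the "non-standard locations" idea from M1038. This is an added example, not part of the ATT&CK entry: the function names are hypothetical, the input is assumed to be saved `reg query "HKCU\Control Panel\Desktop"` output, Windows is assumed to be installed in C:\Windows, and both samples are constructed.

```python
import ntpath
import re

# Directories the page names as holding the stock screensavers
# (assumption: Windows is installed in C:\Windows).
STANDARD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed samples of `reg query "HKCU\Control Panel\Desktop"` output.
SAMPLE_SUSPICIOUS = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    SCRNSAVE.EXE    REG_SZ    C:\Users\alice\AppData\Roaming\update.scr
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    0
    ScreenSaveTimeOut    REG_SZ    60
"""
SAMPLE_BENIGN = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    SCRNSAVE.EXE    REG_SZ    C:\Windows\system32\scrnsave.scr
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    900
"""
# Indented "name  TYPE  data" lines; the key header line is not indented.
LINE = re.compile(r"^\s+(\S.*?)\s{2,}REG_\w+\s*(.*)$")

def parse_reg_query(text):
    """Return {lower-cased value name: data} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values

def assess_screensaver(values):
    path = values.get("scrnsave.exe", "")
    if not path or values.get("screensaveactive") != "1":
        return []  # no screensaver set, or it is disabled
    # normpath collapses "..", so System32\..\Temp is not treated as standard.
    directory = ntpath.dirname(ntpath.normpath(path)).lower()
    findings = []
    if directory not in STANDARD_DIRS:
        findings.append(f"SCRNSAVE.EXE outside standard locations: {path}")
    if not path.lower().endswith(".scr"):
        findings.append(f"SCRNSAVE.EXE target is not a .scr file: {path}")
    if findings:  # add context only when the binary itself looks wrong
        if values.get("screensaverissecure") == "0":
            findings.append("ScreenSaverIsSecure=0 (no password on resume)")
        findings.append(f"runs after {values.get('screensavetimeout', '?')}s of inactivity")
    return findings
```

A stock screensaver with ScreenSaverIsSecure set to ‘0’ is not reported by this check; the lock and timeout values are surfaced only as context once the configured binary is outside the standard directories or is not a .scr file.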