persistence-info.github.io

View on GitHub

Screen Saver

Location:

HKCU\Control Panel\Desktop

Classification:

Criteria Value
Permissions User
Security context User; System1
Persistence type Registry
Code type EXE2
Launch type Automatic; Any logon required; User initiated3
Impact Non-destructive
OS Version All OS versions
Dependencies OS only
Toolset Scriptable

Description:

Well known key. If you provide a link to your .exe (can be renamed for .scr) in the registry, it will be launched as a screensaver.

References:

https://support.microsoft.com/en-us/topic/how-to-change-the-logon-screen-saver-in-windows-ab28d230-ffb9-65f8-74a9-c26c5e00ec73

Credits:

Well known, but @Alh4zr3d made me aware I did not mention it yet: https://twitter.com/Alh4zr3d/status/1622980055650410497

See also:

Remarks:

  1. If the default screen saver is changed. Admin required though. 

  2. Can be renamed to .scr 

  3. Screensaver executable must start due to inactivity, or when user changes its properties.