At the office, we’ve been investigating an issue where (for reasons as yet undiagnosed) a number of Windows PCs that are configured via Active Directory Group Policy to automatically lock their screens after 5 minutes of inactivity aren’t doing that. In the process, I’ve started writing some scripts to gather data during off-hours times (e.g., 2am when few people should be working) to see whose machines aren’t locked and capture information about system resources, running processes, and the like. Not enough data is available yet to reach any conclusions, but I have run into a few interesting tidbits that might be of use to other Windows administrators and support personnel. I’ve decided to compile those tidbits here so that you’ll be able to make use of them in your own environment if you so choose.
The Registry Keys Governing Screen Saver Activity (Windows XP)
The key that determines if a screen saver is password protected is:
HKCU\Control Panel\Desktop\ScreenSaverIsSecure
This key has a value of 0 if it’s not password protected, and 1 if it is.
The key that tells Windows if a screen saver has been selected for activation or not is:
HKCU\Control Panel\Desktop\ScreenSaveActive
This key has a value of 0 if no screen saver has been selected, and 1 if a screen saver has been selected.
To set how long the “idle time” has to be before the screen saver kicks in, check this key:
HKCU\Control Panel\Desktop\ScreenSaverTimeout
This contains the “idle time” in milliseconds before the selected screen saver activates.
The key governing which screen saver is to be used is this one:
HKCU\Control Panel\Desktop\SCRNSAVE.EXE
The value of this key is the path to the selected screen saver, such as “C:\WINDOWS\System32\logon.scr”.
Where Screen Savers Are Stored
(Windows XP)
The “normal” or “default” screen savers that ship with Windows (along with most user-installed screen savers) can be found in:
C:\Windows\System32
Where “Windows” is the name of the directory into which Windows is installed on your PC (i.e., if you’ve changed that to a different directory, adjust the “C:\Windows” part accordingly.
There’s nothing that requires screen savers to be stored in this particular directory, however, so you could find screen savers in other directories on the PC.
If you want to look for the screen savers on your particular PC, do a Windows search for files whose names end in “.scr” as those are (more likely than not) screen saver modules.
Starting a Screen Saver from the Command Line (Windows XP)
To start a screen saver from the command line on the PC you’re using, bring up a command line and enter the command:
c:\windows\system32\logon.scr /s
Where “C:\Windows” is the directory where Windows is installed on your PC, and “logon.scr” is the name of the screen saver you want to start running. The “/s” tells Windows to start the screen saver running. Optionally, you could leave off the “/s” (or use “/c”) to see any options you can set for that screen saver (or get an error if there are none). You can also use “/p <HWND>” to invoke the screen saver as a “child of the
window referred to the window <HWND>” (I’ve not used that particular function so I can’t tell you much about it).
Note that even though your screen saver might be set to require a password when it comes back, my testing indicates that invoking the screen saver as above does not cause this to happen. You’re better off, if you’re concerned about security, issuing a command to force the system locked.
Locking the Screen from the Command Line (Windows XP)
It’s possible to lock your system from the command line. To do this, bring up a command line and enter the following command exactly as written:
rundll32.exe user32.dll, LockWorkStation
This will almost immediately lock the screen/system.
Locking the Screen or Starting the Screen Saver Remotely (Windows XP)
There may be times you want to lock a system that’s somewhere else on the network. That can be done pretty easily by first downloading the “psexec” tool from SysInternals (now a part of Microsoft). Using psexec, you could remotely lock the screen of a PC on your network named “PC123″ by issing the following command from the command line:
psexec \\pc123 rundll32.exe user32.dll, LockWorkStation
(The above command should all be on one line. It’s not two separate commands.)
You can also invoke a screen saver remotely (with the caveat that it doesn’t actually lock the system) by using psexec to issue the following command:
psexec -i \\pc123 cmd /c start c:\windows\system32\logon.scr /s
(Again, the above command should all be typed together on one line.)
Determining if a Screen Saver is Running on a Remote PC (WMI/VBScript)
Since “normal” screen saver modules are all executables with the extension “.scr” in their name, identifying whether a screen saver is running on a remote PC can be determined by creating a single VBScript to connect to the Windows Management Instrumentation (WMI) service on the remote PC and query the list of processes to find one with “.scr” in the name. If you find one, then more likely than not there’s a screen saver active on that machine. The following VBScript code will tell you for the computer named in “strComputer” whether a screen saver is running or not.
dim objWMIService, colItems
strComputer = “pc123″
Set objWMIService = GetObject(”winmgmts:\\” & _
strComputer & “\root\CIMV2″)
Set colItems = objWMIService.ExecQuery( _
“SELECT * FROM Win32_Process”,,48)
ssActive = false
For Each objItem in colItems
if instr(1,objItem.Caption, “.scr”) > 0 then
ssActive = true
end if
Next
if ssActive = true then
wscript.echo “Screen saver is active on ” & _
strComputer
else
wscript.echo “Screen saver not active on ” & _
strComputer
end if
The above script connects to the specified machine’s WMI provider, retrieves a collection object representing the processes running on the system, scans through the collection looking for any with “.scr” in the name. If one is found, the variable “ssActive” is set to true. It then checks the value of that variable to see if it found a screen saver running and reports that. The above script assumes that the user running it has administrator permission on the remote machine. If not, it will fail.
Note that I’ve intentionally left all error-checking out of the above script code to keep it short for publication. If you plan to use this in any kind of production mode you’ll want to build in checks to identify if the PC in question can be reached, if there is a problem retrieving the list of processes, etc.
If you don’t want to use VBScript but would still like to know if a remote system is locked, and you have administrator permissions on that machine, the “pslist” utility from SysInternals (now Microsoft) can make that fairly easy. Just download pslist from the Microsoft web site, bring up a command line, and enter a command line like the following:
pslist \\pc123 logon.scr
You’ll get back a response like this if the specified screen saver (logon.scr) is running:
PsList 1.26 – Process Information Lister
Copyright (C) 1999-2004 Mark Russinovich
Sysinternals – www.sysinternals.com
Process information for pc123:
Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
logon.scr 2324 8 1 17 408 0:00:00.078 0:00:09.915
This will tell you if the “logon.scr” process is running on that PC and how long it has been running. If you’re not sure what screen saver the user might have active, just run pslist without specifying a process name. You’ll get a much longer list, but anything in that list with “.scr” in the name indicates which screen saver module (if any) is running.
Note that while the above information is based on Windows XP Pro and has been tested with XP, in theory it should also work with Windows 2000 and possibly Windows Vista, but I have not tested it with those.
admin Windows Administration lock screen, lock workstation, Registry, screen saver, VBScript, Windows Administration, Windows XP
