The case of screen saver timeout resetting to 10 minutes

One of the most amazing feautures I have seen in Process Monitor tool is its capability to capture system boot time events. Here I am going to write about a case where I have used this utility to find the root cause of an interesting issue.

The issue was that the screensaver timeout setting was resetting to a value of 10 minutes every time a user reboots his machine. The user would manually change the timeout value to a higher one only to find it reverted back to 10 minutes after a reboot. Users were annoyed and the case was assigned to me for investigation to find the root cause of this behavior.

I started my investigation suspecting that it could be a group policy setting that doesn’t allow the setting to persist a reboot. The fact that even a logoff would revert back the setting only accentuated my suspicion. I verified the resultant set of policies applied on the machine (using the command gpresult /z >gpresult.txt) and exported the output to a text file for offline analysis. However I couldn’t find any entries related to screensaver settings in the group policy log. I also observed that a gpupdate /force command was not reverting the setting which forced me to leave group policy and I knew I had a bigger task ahead.

The registry key that determines the group policy timeout value is HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut.

So something is changing the registry key value from a user set value to a value of 600 (10 minutes).The question is who is responsible for this change and how to catch the culprit it. :-)

I decided to use Procmon’s Boot logging capability which captures all the events during a system boot. I launched Procmon , set it to capture boot time events. I also set the timeout value to 100 minutes.

Procmon’s boot log is huge in size and has data about thousands of events. However it has a very efficient filtering mechanism and all I had to do was set a filter to display events about the above registry key.

I found the following very interesting entry in the Procmon log.

It was evident from the Process Monitor boot capture, that the process P95Tray.exe sets the registry HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut to a value of 600 (10 Minutes) every time a log off or reboot happens.

P95Tray.exe is related to the CheckPoint encryption software and who would imagine an encryption software would reset the screensaver setting :-). This process was configured to run as a system startup item.It was also further confirmed that once we disable the Pointsec Tray from the startup list the screensavertimeout setting doesn't revert back to 10 minutes.

That pretty much explains how powerful a tool can be and hope you have enjoyed reading :-)