Suspicious Desktopimgdownldr Target File

Sigma Rules

Summary
This detection rule aims to identify potentially malicious behavior linked to file creation by Microsoft's desktopimgdownldr process. Specifically, it targets scenarios where this executable saves files to unusual locations or with unexpected extensions. The rule detects instances where svchost.exe creates files within a Personalization\LockScreenImage\ directory, but explicitly excludes file creations within the Windows directory and those ending in common image formats such as .jpg, .jpeg, and .png. This selective approach helps reduce false positives. The rule is important for identifying possible attempts to misuse the desktopimgdownldr process for unauthorized file manipulation, particularly in environments where administrative scripts may raise false alarms.
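The selection and filter logic the summary describes, re-implemented over constructed file-creation events as an added example (this is not the rule's own Sigma source or any vendor code; the event field names Image and TargetFilename are assumed to follow Sysmon-style file-creation records, and the Windows-directory exclusion is assumed to be a `:\Windows\` path prefix on any drive):

```python
# Added example (not from the page or the Sigma project): re-implements the
# summary's detection logic and runs it over constructed sample events.
from typing import Dict, List

LOCKSCREEN_DIR = "\\personalization\\lockscreenimage\\"
IMAGE_EXTS = (".jpg", ".jpeg", ".png")


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when a file-creation event matches the rule.

    Selection: the creating process is svchost.exe and the target path lies
    under a Personalization\\LockScreenImage\\ directory.
    Filter: ignore files written under the Windows directory and files with a
    common image extension, the expected output of desktopimgdownldr.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not image.endswith("\\svchost.exe"):
        return False
    if LOCKSCREEN_DIR not in target:
        return False
    if ":\\windows\\" in target:      # assumed form of the Windows-dir filter
        return False
    if target.endswith(IMAGE_EXTS):
        return False
    return True


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the TargetFilename of every event that matches the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",            # legitimate
     "TargetFilename": "C:\\Windows\\Personalization\\LockScreenImage\\LockScreenImage_1.jpg"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",            # unusual path + ext
     "TargetFilename": "C:\\Users\\Public\\Personalization\\LockScreenImage\\unexpected.exe"},
    {"Image": "C:\\Windows\\explorer.exe",                     # wrong process
     "TargetFilename": "C:\\Users\\Public\\Personalization\\LockScreenImage\\unexpected.exe"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the second sample event fires: the first is the normal lock-screen image under the Windows directory, and the third is not written by svchost.exe.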
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
Created: 2020-07-03