Screen Capture Activity Via Psr.EXE

Sigma Rules

Summary
This detection rule identifies execution of the Windows Problem Steps Recorder (psr.exe), a built-in utility that documents on-screen user activity together with mouse clicks. The rule uses process creation logs to detect psr.exe being launched with command-line arguments that indicate an active screen recording session. Because the tool can be misused to capture sensitive screen content unattended, monitoring its execution helps detect potential information leakage or unwanted surveillance within the environment. The detection logic looks for a specific file path (\Psr.exe) combined with command-line parameters (either /start or -start) that indicate a screen recording is being started. Organizations using this rule should expect potential false positives, since legitimate users may also run the tool for benign purposes.
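As an added example (not the rule's own source), the detection logic described above rendered in Python and run over constructed process-creation events; it assumes Sigma's default case-insensitive string matching and a Sysmon-style Image/CommandLine field pair.

```python
# Added example: Python rendering of the psr.exe detection logic, applied to
# constructed process-creation events (not real telemetry).
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the new process (Image in Sysmon Event ID 1)
    command_line: str  # full command line of the new process (CommandLine)


def matches_psr_screen_capture(event: ProcessEvent) -> bool:
    """Mirror the rule: Image ends with \\Psr.exe AND CommandLine contains
    '/start' or '-start'. Sigma string matching is case-insensitive by default
    (assumed here), so both sides are lower-cased before comparison."""
    image = event.image.lower()
    cmd = event.command_line.lower()
    return image.endswith("\\psr.exe") and ("/start" in cmd or "-start" in cmd)


def triage(events):
    """Return only the matching events, so an analyst can review them for the
    legitimate-use false positives the rule summary warns about."""
    return [e for e in events if matches_psr_screen_capture(e)]


# Constructed sample events: two true hits, one stop command, one bare launch,
# and two unrelated binaries whose names or arguments resemble the pattern.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\psr.exe", "psr.exe /start"),
    ProcessEvent(r"C:\Windows\System32\Psr.exe", "Psr.exe -start"),
    ProcessEvent(r"C:\Windows\System32\psr.exe", "psr.exe /stop"),
    ProcessEvent(r"C:\Windows\System32\psr.exe", "psr.exe"),
    ProcessEvent(r"C:\Tools\restart.exe", "restart.exe /start"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe /start"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT  image={hit.image}  cmdline={hit.command_line}")
```

The lower-casing matters: the rule names the path as \Psr.exe while the binary on disk is psr.exe, and a case-sensitive port of the rule would silently miss every real launch.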
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1560.001
Created: 2019-10-12