Edit the boot logo and boot logo palette in Windows XP
An Introduction
Let me start off by saying "WOW!" When I originally posted this little tutorial back on Dec 26, 2001, I never expected the huge response it would generate. Things have slowed down quite a bit since the heydays, when hits to this page alone would exceed my bandwidth limitations here on Geocities. Not bad for a page which, including graphics, came to a total size less than 20k.
A few things have obviously changed since I first posted this. There are literally dozens of utilities out there which will do all of this work for you quickly and painlessly (I listed a couple of the most popular ones on the sidebar), and Service Pack 2 for Windows XP is out. Despite these changes, I am still getting a steady flow of visitors to this page, and a good amount of e-mail from people like you, asking questions. (If I didn't answer, I apologize.)
So, realizing these things, and feeling guilty for letting the page stagnate, I decided it was time for an update.
Why? As I just said, there are literally dozens of tools to do this for you... Doesn't that make this tutorial obsolete? Well, yes, and no. Yes, even I use one of the many programs out now for changing the boot image rather than doing by hand anymore. But simply using a program like that, you don't really know what is going on. There is still a great amount of satisfaction to be had in simply knowing what is happening with these programs, what it is doing to your system, and even in taking the effort to do it yourself.
Also, I mentioned all of those e-mails people send me right? Believe it or not, some of them asked intelligent questions, or pointed out legitimate mistakes. Of course some of them were "I know you said to make a backup copy of NTOSKRNL32.EXE, but I didn't... Help me!" I want to answer as many of those questions as I can in this article, and try (in vain, I'm sure) to do a little bit more to convince people that something CAN go wrong to YOUR file, and fixing it is a REAL PAIN IN THE NECK if you don't make a backup.... So with that I'll start with:
A Warning:
Changing the boot screen palette in Windows XP involves getting in and making changes to the kernel of your system. If you screw things up, you can REALLY screw things up! Your system could become "unstable" or it might not even boot. If you are not prepared for this eventuality, I would suggest you quit reading now, and learn to live with the boot screen that comes standard in Windows XP. I will show you all of the steps to take to make sure you are able to recover from any errors, but nothing is foolproof. I simply cannot be responsible for anything that happens with your system because of steps taken in this How-To.
Resources Needed:
1. Windows XP Operating system
2. Paint Shop Pro (http://www.jasc.com)
3. Resource Hacker (http://www.users.on.net/johnson/resourcehacker/)
4. UltraEdit (http://www.ultraedit.com) or another hex editor (see list in the sidebar)
Safety First!
Before you even THINK about hacking into the kernel, make a backup. Of everything you even remotely care about on your system. Now make a backup copy of "..\Windows\System32\ntoskrnl.exe" in whatever directory you like. NOW make ANOTHER copy of it to actually do your hacking on. Put it into a completely separate directory from your backup copy. (Trust me on this, I had to learn the hard way!
Make Your Own Boot Screen
While it is possible to use Photoshop to do this, it is MUCH simpler to do in Paint Shop Pro. If you are using one of the many programs to change your boot screen, then you might consider using Irfanview to resize and reduce the color depth of the image you want to use. All of the following instructions use Paint Shop Pro, but the basic concept is exactly the same in any other image editing program.
Open up Paint Shop Pro, and design your boot screen. It has to be 640x480, and you'll need to reduce it to a 16 color palette. How do I do that? You ask? Once you have the image designed, go to the "Colors" menu, choose "Decrease Color Depth" then "16 Colors" Take a look at the screen shot below, for an example. You may need to experiment with this a bit to get things looking the best they can. And it may take a bit of work to clean things up (16 colors isn't very many!), but eventually you should have a 16 color image to your liking.
(In Photoshop, you will have to set the image mode to "index" Then "save as..." "bmp". After choosing the filename you want to save as, you will get another options window. Choose 4 bit, Windows, and be sure "Compress (RLE)" is NOT checked)
Now that you have a good 16 color image, it's time for some paperwork. The simplest way to start all of this is to save the palette used in your boot image. Again go to the "Colors" menu, and choose "Save Palette". This will let you choose a name for the file, and by default will save it in the "..\Program Files\PaintShopPro6\Palettes\..." directory. This is simply a text list of the RGB values of each color in your palette. In order. Don't quit yet, we're not done! Open up the .pal file you just saved in Notepad. We're going to keep some notes in there also. You will need to know the exact order of your palette, and the hex values of those colors in order to make the changes in your kernel. To get that information, we are going to bring up the "edit Palette" dialog box in PSP. Again, go to the "Colors" menu and choose "Edit Palette" You will get a dialog box that looks something like the screen shot below.
This dialog gives us all of the information we are going to need later when we go to make the changes to the kernel. Click on the first color on the left. You'll see the RGB values listed at the bottom center of the dialog box, and the hex values listed in the lower right labeled as "HTML". Now, make sure you can see this window, and the Notepad window with your Pal file open at the same time. Next to the first set of RGB values in the notepad file, type in the hex values shown for the leftmost color entry in the "Edit Palette" window. Work your way down the list, noting the hex values next to each RGB value. Don't worry, you'll understand why later. You should end up with something like the following:
JASC-PAL
0100
16
23 13 23 || 17 0D 17
48 40 72 || 30 28 48
53 71 49 || 35 47 31
52 77 92 || 34 4D 5C
84 30 43 || 54 1E 2B
92 45 77 || 5C 2D 4D
84 75 53 || 54 4B 35
97 84 95 || 61 54 5F
103 110 135 || 67 6E 87
111 137 111 || 6F 89 6F
102 145 155 || 66 91 9B
154 64 92 || 9A 40 5C
173 109 140 || AD 6D 8C
149 139 116 || 95 8B 74
200 186 193 || C8 BA C1
0 0 0 || 00 00 00
Now, you are going to need to create an all black palette. While you are in the "Edit Palette" window, double click on each color and make it black. Yes, all 16 entries need to be black. When you click on "OK" your image should be solid black. Go back to the "Colors" menu again and select "Save Palette" give this black palette a new name and save it. Then save your image (still all black) somewhere (just be sure you have "maintain indexes" checked.), and close out of Paint Shop. We're done in there.
Putting Your Image Into the Kernel
Now it is time to replace the standard Microsoft boot image with yours. Open up Resource Hacker and open up your "working" copy of "ntoskrnl32.exe". Then choose the "Action" menu and select "Replace Bitmap" A dialog box will open up that will allow you to choose which bitmap to replace (you are going to replace .bmp 1 in this case) and to browse to the .bmp you want to use as a replacement. When you have replaced the .bmp, go to the "File" menu, and choose "Save As". Give the file a new name like "mykrnl.exe" or whatever, and save it. You can go ahead and close out of Resource Hacker. We're done there.
Some Other Information About Ntoskrnl32.exe And ResHacker.
Resource Hacker is a great little program. I just want to give you some more information about the other things you may want to change while in Resource Hacker. First, you may want to save some of the other .bmp files in the kernel, and modify and replace them also. Here's a Quick rundown of the .bmp's :
1 - The main boot logo screen. This is the background image for the boot screen, there are a few other images that may be overlaid on this background. I have provided a "blank" layered Paint Shop Pro image file that marks where these overlays occur.
2 - Hibernating. This is the overlay for the waiting period when waking up from hibernation, It overlays in the same position as the progress bar during boot up.
3 - It is now safe to turn off your computer. This is the image for the message you see when shutting down windows. It is actually built differently and is separate from the boot up screen, so I didn't include it in the blank template.
4 - This is the gray progress bar. I'm not sure which flavor of XP uses this one, but if you see a gray progress bar while booting up, edit this file to make changes.
8 - This is the blue progress bar used by XP Pro.
9 - This is the green progress bar used by XP Home.
10 - Professional. This is the text overlay for XP Pro. I usually just replace it with a 1x1 pixel image, effectively erasing it.
11 - Home Edition. This is the overlay for XP Home. Again I'd just get rid of it as described above.
12 - Embedded. I don't think anyone is using this one yet, but here it is.
You can simply modify any of these resources, and place them back into the kernel with Res Hacker. You will need to have a "system" palette (the one you see during boot up) and a "black" palette (all black) that is used to store the bmp in the kernel. I have provided both in this zip file.
To use these palettes, simply extract them to the "..\Program Files\Paint Shop Pro 6\Palettes\" directory. When you want to see what the image will look like at boot, go to the "Colors" menu, and choose "Load Palette". Then select the "system16.pal" file. You may need to switch between this view, and full color mode quite a bit while designing your image, ad there will likely be some ugly artifacts from the reduction in colors. The final step before saving the modified image is to load the all black palette. Again, go to the "Colors" menu, choose "Load Palette" and select the "black16.pal" file. Be certain that you choose "Maintain Indexes" in the "Apply Palette Using" section at the bottom of the "Load Palette" dialog. Your image will turn all black, and you are all set to save it and place it into the kernel.
Changing The Built-In Palette.
Now comes the hard part. Microsoft seems to have gone to some bit of trouble to hide the palette in the kernel, so this will take a bit of explaining. Start off by opening up your "mykrnl.exe" (or whatever you named it) in UltraEdit or another hex editor. You need to do a search for the following hex string (without the quotes)...
"00 00 00 00 15 1A 20 00 46 46 46 00 D2 3E 2D 00 01 65 53 00 05 35 B2 00 7E 7E 7E 00 00 92 89 00 FC 7F 5E 00 20 6B F7 00 FF A6 8D 00 04 DC 8E 00 1B BC F3 00 BC BC BC 00 FC FC FC 00 FF FF FF"
Yes, That is a LOOONNGG search string. But when you find the entire thing, you know you are in the right place. Below is a screen shot of the results on my computer.
This shot is on Windows XP Professional Gold. Build 2600, corporate license, so it may be in a slightly different place on your computer, but it will be there. (Be sure to search for the entire string, as I believe the position has changed in SP1, and I would imagine it has again in SP2)
Now to explain a bit about what you are looking at. Each color on your screen is made up of an RGB value. White, for example is "255 255 255". Those RGB values can be translated into a hexadecimal value. White is "FF FF FF". Those of you familiar with web design or image editing at all are probably already aware of all of this. What you see in the image above, and in your own hex editor, is a list of 16 such hex values separated by a "null" character (00). This is the palette windows uses to turn the all black boot screen image into what you see on screen.
Like I said though, Microsoft evidently went to a little bit of trouble to hide this, because each hex value is backwards! For example, one of the orange colors in the original palette has the RGB value of "247 107 42", which translates in hex to "F7 6B 20". In the screen shot above though, you will notice that it is listed as "20 6B F7" The values of each color in the palette are listed in this manner. So, Let's take another look at our notes, and just to simplify things, make another listing next to each value of the reversed hex values. My example came out looking like the following:
JASC-PAL
0100
16
23 13 23 || 17 0D 17 || 17 0D 17
48 40 72 || 30 28 48 || 48 28 30
53 71 49 || 35 47 31 || 31 47 35
52 77 92 || 34 4D 5C || 5C 4D 34
84 30 43 || 54 1E 2B || 54 1E 2B
92 45 77 || 5C 2D 4D || 4D 2D 5C
84 75 53 || 54 4B 35 || 35 4B 54
97 84 95 || 61 54 5F || 5F 54 61
103 110 135 || 67 6E 87 || 87 6E 67
111 137 111 || 6F 89 6F || 6F 89 6F
102 145 155 || 66 91 9B || 9B 91 66
154 64 92 || 9A 40 5C || 5C 40 9A
173 109 140 || AD 6D 8C || 8C 6D AD
149 139 116 || 95 8B 74 || 74 8B 95
200 186 193 || C8 BA C1 || C1 BA C8
0 0 0 || 00 00 00 || 00 00 00
Now, the first column is the RGB values of each color, the second is the hex values, and the third is the reversed hex values we are going to type into our kernel. If You look again at the screen shot, you'll notice that each set of 3 hex values is separated by a "null" or "00". Be sure to leave those in there, or there's no telling what things will come out looking like! If they work at all.
So what we need to do is replace the existing entries with our palette values. This is where our notes will pay off. Just start with the top line of the third column, and type over what's already in the kernel file. Remember to leave the "nulls" between each listing! The image below is a screen shot of my kernel file after the changes. When you are done, save the file. Believe it or not, we are done! All we have left is to boot to our new kernel.
Booting To Your New Kernel.
The next step is to copy your hacked kernel into the ..\Windows\System32\ directory. Leave it named whatever you did before. You do not want to overwrite the existing "ntoskrnl.exe"! What would you do if it didn't work!? Boot to a command prompt and do a lot of typing and praying! That's what! There is a much safer and simpler way to do this. Open up "C:\boot.ini" in Notepad. On my system it looks like the following:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /fastdetect
What we are going to do is copy the bottom line, and paste it at the bottom of the file. Then we'll modify it as follows:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="JJoelC's Hacked OS" /fastdetect /kernel=mykrnl.exe
Notice the "/kernel=" switch at the end of the line. This is where you would enter the name you saved your hacked kernel as. Now when you boot up your computer, you will get a menu asking you which operating system you would like to start. Choose your hacked OS, and watch the show. If anything doesn't go right, just reboot, and choose the original configuration. No hassle, no fuss. When everything is working to your satisfaction, you can remove the original entry from the boot.ini file, leaving only the edited entry and you won't get the menu at boot anymore.
Here's a shot of the image I created to test all of this out. And yes, this is the 16 color version.
Thanks!
Common questions:
As I said, I get a lot of e-mails about this, and unfortunately there is no way I can answer them all. I'll try to answer the most common questions here.
How do I change the position of the progress bar?
How do I get rid of the progress bar?
Well, to be honest, the only way I would recommend changing the position of the progress bar is to use one of the several programs out there to change Windows boot screens. But if you are like me, you will hate having to rely on something someone else did to get it done. So with that in mind, here is a brief explanation:
In order to change progress bar's position you must change 5 values (4 bytes each) inside ntoskrnl.exe. Three of them have the value of the top of the progress bar. The other 2 have the value of top position + the height of the progress bar (=the bottom of the progress bar). So we can change the height of progress bar too!
So, in a hex editor we will find these values, (for ntoskrnl.exe file version 5.1.2600.1106 {SP1}). Note that there's multiple in between versions since the launch of XP, where the location of these values differs, and there are lots more of those same values in several other places, so again, manual editing is mostly not advised:
For ntoskrnl.exe file version 5.1.2600.1106 (SP1):
1. At position 211263 (offset 3393F) the value 62 01 00 00. That is a long value swapped, so 00 00 01 62 in hex = the value 354 in decimal. This means the top of the progress bar is 354 pixels from the top of the screen.
2. At position 207838 (offset 32BDE) the value 62 01 00 00. Same as above.
3. At position 207808 (offset 32BC0) the value 62 01 00 00. Same as above.
4. At position 211389 (offset 339BD) the value 6A 01 00 00. That is a long value swapped, so 00 00 01 6A in hex = the value 362 in decimal (or 354 + 9 pixels the height of progress bar -1). In other words from pixel 354 to pixel 362 there are 9 pixels (the height of progress bar).
5. At position 207798 (offset 32BB6) the value 6A 01 00 00. Same as above.
So, if you want to change the position or size of the progress bar, you must change the above 5 values.
For example... If you want the progress bar to be the same size, just at the very bottom of the screen, you would change the first three values to decimal 471 (="D7 01 00 00" as you would type it into the kernel) and the last 2 to decimal 480 (="E0 01 00 00" as you would type it into the kernel.)
If you want to make the progress bar disappear (I've never tried it, so let me know) you would simply change the last 2 values to match the first 3.
If you want a bigger progress bar make values 4 and 5 bigger (bigger difference between valeus1,2,3, and values 4,5), and if you want a smaller progress bar, make them smaller (less difference between values 1,2,3, and values 4,5.)
I didn't make a backup of NTOSKRNL.EXE! How do I fix it?
Well, friend, you have a long road ahead of you. And it may end with you simply reinstalling Windows XP. But there are a couple of things you can try first:
1. Did you modify your "boot.ini" file like I instructed? If so, all you have to do is choose the first option in the menu that comes up when you boot. End of problem.
2. Boot from your Windows XP installation CD. Then follow these instructions:
- When prompted, press "R" to "repair a Windows XP installation using the recovery console"
- You will be prompted to select the installation you want to repair (usually there is only one listed, so just type "1" and hit enter...)
- You will be prompted to enter the Administrator password.
- Now you will be at a command prompt. Assuming your windows directory is "C:\Windows" and the Windows XP CD is in the "D:\" drive type in the following command: expand d:\i386\ntoskrnl.ex_ c:\windows\system32\ntoskrnl.exe
- When that is done, type: exit and your computer will reboot. be sure to remove the CD from the drive, or choose not to boot from it.
- If this works, you will need to re-install any updates (like SP1 or SP2) that have been applied since you originally installed Windows.
3. If all else fails, you have no choice but to reinstall Windows, all of your programs, re-do all of your settings, tweaks, and customizations. And unless you made regular backups (HAH!) you will have completely lost all of your e-mails, bookmarks, downloaded images, or other documents created in other programs like Word, Excel, etc. (Remember that term paper you were supposed to be working on instead of trying to change your boot logo?) Have fun, and remember to make a backup next time!
How do I slipstream my boot image onto an install CD so I don't have to keep re-doing it?
This is actually pretty simple to do. Follow these Instructions on how to create a CD with SP1 (or 2) slipstreamed. But after you have applied the SP update, and before you start to burn the CD, hack the "ntoskrnl.exe" file inside the folders you are about to slipstream. From there, proceed as usual to burn the bootable CD.
Honestly, I don't see a whole lot of value in this approach, as you will still have to reinstall all of your other programs, make all of your customizations again, etc. I prefer to use Norton Ghost, or Powerquest DriveImage to make an image of my drive, and put that onto a bootable CD. All of your settings and files will then be EXACTLY as they were when you made the image. Personalized "System Restore" disks!
I Downloaded a "ntoskrnl.exe" file from a web site, but it is a different version than mine. Can I still use It?
NO!
Actually I would strongly urge you to NEVER use an entire "ntoskrnl.exe" downloaded from some strange web site. This is the core of the Windows operating system.... Do you really trust these people with everything on your computer?
Instead, find and download an image file and use that to insert into your own ntoskrnl.exe file. If you just HAVE to have a pic, and you can only find it as a ntoskrnl.exe file, then use Resource Hacker to extract the boot screen from the downloaded file, then place that image into your own file.
No comments:
Post a Comment