purk
2003-04-15, 05:16 PM
How To Change the Windows 2000 Boot Logo
Last Updated On: 04/29/2001
Introduction Stuff
A while back, someone E-mailed us regarding our article on modifying the start button, and said something to the effect of: OK wonder dogs... If you can change the boot logo on Win2k, then I'll be impressed. I wish we still had the E-mail floating around, because I would post it right now, but it is long gone. Since that day, we have been poking around at trying to figure out how to change that cheesy logo... and today - we have the solution.
You have to love articles that start out with a disclaimer, and this one is definitely getting one since I'm not exactly sure how this process would affect a warranty, so here it is.
Disclaimer: LittleWhiteDog.Com will NOT accept any responsibility for ANY data loss if you try to attempt this procedure on your own. This information is for educational and informational purposes only! Use at your own risk!
I'm not going to spend too much time yapping, because I know you came here for one reason, and one reason only - to learn how to change the Windows 2000 boot logo. Let's jump right in it, shall we?
The Tools And The Overview
The only tool you are going to need to get the job done is a resource hacker, and what do you know?... we found one right here. What a coincidence huh?
I will cover all steps in "llama format" so nothing is missed or overlooked, but I feel it's easier to read any process when you understand the big picture first. First off, I am going to assume Windows 2000 is loaded in the default location throughout this article. Ok - The screen you see when booting up Win2k, is a .BMP file located inside of "C:\WinNT\System32\Ntoskrnl.exe". In the following steps, I am going to:
Create a .BMP file that is 640x480 with 16 colors.
Use Resource Hacker to import the modified bitmap image into a copy of the .EXE.
Turn off Windows File Protection.
Replace the original Ntoskrnl.exe with the modified Ntoskrnl.exe.
Baby Steps
You should know from the beginning, this process only takes about 5-10 minutes to complete. It looks like a lot of steps listed, but from my own experience, I know doing it this way will save myself a lot of headaches down the road.
Step 1. Make a backup copy of NTOSKRNL.EXE and put it somewhere on your system. I don't care where you put it, just put it someplace where you will have it if you need it.
Step 2. Download and unzip Resource Hacker. Once it is unzipped, launch "ResHacker.exe".
Step 3. Click "File", then "Open", and browse to the C:\WinNT\System32\ directory. Open the file named NTOSKRNL.EXE.
Step 4. Double-Click on the word "Bitmap" and then the number "1". Click the icon that reads "1033" and you should see the Windows 2000 boot logo on the right side of the screen. The "Holy Grail" if you will. At this point, you can minimize Resource Hacker.
Step 5. Using any image editor, create an image that is 640 x 480 and only uses 16 colors. (Paintbrush is a great utility for doing this. Important! Do not deviate from 640x480 and 16 colors or your results may vary!! I tried it with more colors, and all I saw was a black screen during the period when the boot logo should appear. Personally, the way I accomplished it was.... I copied the current image into Photoshop and just edited the top portion. I then set the "mode" to "indexed colors" and set the number of colors to 16. If you would like a "pre-made" image that has been tested, you can view this one as an example.
Step 6. Once you have created the image, save it somewhere on your drive.
Step 7. From within Resource Hacker, click on "Action", then "Replace Bitmap" and a new window will pop-up at this point. Then click on the "Open file with new bitmap" button and browse to the 16-color image you just created. It should look similar to the picture on the right.
Step 8. Once you have selected the file, click on the "Replace" button and you should return to the "root" of Resource Hacker. Just for yucks, make sure that your change took effect. It should then look similar to this:
Step 9. Once everything looks good, click "File" then "Save As", and save the file anywhere but in the WinNT\System32 folder. You should save it with the original name though (NTOSKRNL.EXE). At this point, you should have the original file in the System32 folder, a backup of it somewhere, and your new modified file somewhere else. If you don't have these three files, go back and start over.
I'm going to take a second here and explain what happens next. At this point, if you replace the original file in the System32 directory and reboot, Windows File Protection takes over and will replace the file on bootup - thus overwriting your change. This has been the cause of many headaches around the ol' doghouse. I tried placing a copy of the modified file in the C:\WinNT\System32\Dllcache folder too, but to no avail. It was still getting overwritten on bootup discarding my changes. There's a file called "SFCfiles.dll" that contains a listing of the files checked by Windows File Protection. I tried Hex Editing the .DLL to remove any listing of NTOSKRNL.EXE, but that didn't work very well either.
Fido kept telling me to just shut off the file protection but I didn't know how to do so... and neither did he. After searching the web, he found the answer at Security Portal.Com. Jeremy Collake gets ALL of the credit for teaching us how to shut off Windows File Protection. Here's a quote I ripped right from their site.
Ok, after spending 6 hours in the guts of sfc.dll, sfcfiles.dll, and winlogon.exe I have *finally* discovered how to permanently disable windows file protection. The more I dug into the internals of SFC, the more I began to think that it would not be as easy as I first thought it would be - and indeed Microsoft does not want it to be easy. Windows File Protection, while annoying, does provide a good degree of system stability and even some level of virus/trojan protection by preventing system files from being modified without at least notifying the user. Therefore, I was *very* shocked when I was looking through a disassembly of sfc.dll and came to the code that checks the value of the SfcDisable in the WinLogon key.
You should know and understand that by turning Windows File Protection off, the chances of getting corrupt system files, or virus/trojans will increase. If you don't want to learn how to turn it off, then you should stop right here.
Step 10. Open Regedit.exe and navigate to [HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows NT \CurrentVersion \Winlogon]. You should see a DWORD value named "SFCDisable" with a value of "0". Change the value data of "SFCDisable" to "ffffff9d". Since pictures are worth a thousand words, here's the before and after shots:
Step 11. Exit regedit and reboot the machine because this will make the registry change take effect. After the machine is rebooted, you should see Event ID 64032 in the System Event logs letting you know that Windows File Protection is no longer active.
The Final Step - 12. Now all you have to do is copy the modified NTOSKRNL.EXE file into the C:\WinNT\System32 folder and overwrite the original file. Reboot, and you should have a modified boot logo! Since I can't screen cap it, here's a few pictures to show what the final results look like.
Wrapping It Up
I'm sure there's going to be a LOT of better boot logo's popping up in the near future than the one that was made here. This one was made just to show that it's possible to change the boot logo, and how to accomplish it. If anyone does venture out and try this on their own, I'd really like to see their finished products posted in our forums. Something else to keep in mind is.... this might be another item that will drive the office tech support person absolutely crazy trying to figure out what happened!? Not that I would condone or endorse such a thing though. Also, now that we all know how to change the logo, I would like someone to tell me how to do it without turning off Windows File Protection. If you do have the answer, either E-mail it to me, or post it at the forum link below so everyone will know how it's done. The curiosity is still driving me a little crazy. I hope some of you learned something new today, because in the end, that's what it's all about.
UPDATE: Now that Service Pack 2 has been released and the registry key does not work anymore, if you follow the forum thread listed below, you can find out how to change the logo with SP2 installed (page 31 for a good explanation). There is also information on changing the logon screen (page 11) by editing msgina.dll. Have Fun!
UPDATE #2: Due to popular demand, we have created a boot logo gallery to showcase some of the EXCELLENT submissions we have received.
- Spot
Last Updated On: 04/29/2001
Introduction Stuff
A while back, someone E-mailed us regarding our article on modifying the start button, and said something to the effect of: OK wonder dogs... If you can change the boot logo on Win2k, then I'll be impressed. I wish we still had the E-mail floating around, because I would post it right now, but it is long gone. Since that day, we have been poking around at trying to figure out how to change that cheesy logo... and today - we have the solution.
You have to love articles that start out with a disclaimer, and this one is definitely getting one since I'm not exactly sure how this process would affect a warranty, so here it is.
Disclaimer: LittleWhiteDog.Com will NOT accept any responsibility for ANY data loss if you try to attempt this procedure on your own. This information is for educational and informational purposes only! Use at your own risk!
I'm not going to spend too much time yapping, because I know you came here for one reason, and one reason only - to learn how to change the Windows 2000 boot logo. Let's jump right in it, shall we?
The Tools And The Overview
The only tool you are going to need to get the job done is a resource hacker, and what do you know?... we found one right here. What a coincidence huh?
I will cover all steps in "llama format" so nothing is missed or overlooked, but I feel it's easier to read any process when you understand the big picture first. First off, I am going to assume Windows 2000 is loaded in the default location throughout this article. Ok - The screen you see when booting up Win2k, is a .BMP file located inside of "C:\WinNT\System32\Ntoskrnl.exe". In the following steps, I am going to:
Create a .BMP file that is 640x480 with 16 colors.
Use Resource Hacker to import the modified bitmap image into a copy of the .EXE.
Turn off Windows File Protection.
Replace the original Ntoskrnl.exe with the modified Ntoskrnl.exe.
Baby Steps
You should know from the beginning, this process only takes about 5-10 minutes to complete. It looks like a lot of steps listed, but from my own experience, I know doing it this way will save myself a lot of headaches down the road.
Step 1. Make a backup copy of NTOSKRNL.EXE and put it somewhere on your system. I don't care where you put it, just put it someplace where you will have it if you need it.
Step 2. Download and unzip Resource Hacker. Once it is unzipped, launch "ResHacker.exe".
Step 3. Click "File", then "Open", and browse to the C:\WinNT\System32\ directory. Open the file named NTOSKRNL.EXE.
Step 4. Double-Click on the word "Bitmap" and then the number "1". Click the icon that reads "1033" and you should see the Windows 2000 boot logo on the right side of the screen. The "Holy Grail" if you will. At this point, you can minimize Resource Hacker.
Step 5. Using any image editor, create an image that is 640 x 480 and only uses 16 colors. (Paintbrush is a great utility for doing this. Important! Do not deviate from 640x480 and 16 colors or your results may vary!! I tried it with more colors, and all I saw was a black screen during the period when the boot logo should appear. Personally, the way I accomplished it was.... I copied the current image into Photoshop and just edited the top portion. I then set the "mode" to "indexed colors" and set the number of colors to 16. If you would like a "pre-made" image that has been tested, you can view this one as an example.
Step 6. Once you have created the image, save it somewhere on your drive.
Step 7. From within Resource Hacker, click on "Action", then "Replace Bitmap" and a new window will pop-up at this point. Then click on the "Open file with new bitmap" button and browse to the 16-color image you just created. It should look similar to the picture on the right.
Step 8. Once you have selected the file, click on the "Replace" button and you should return to the "root" of Resource Hacker. Just for yucks, make sure that your change took effect. It should then look similar to this:
Step 9. Once everything looks good, click "File" then "Save As", and save the file anywhere but in the WinNT\System32 folder. You should save it with the original name though (NTOSKRNL.EXE). At this point, you should have the original file in the System32 folder, a backup of it somewhere, and your new modified file somewhere else. If you don't have these three files, go back and start over.
I'm going to take a second here and explain what happens next. At this point, if you replace the original file in the System32 directory and reboot, Windows File Protection takes over and will replace the file on bootup - thus overwriting your change. This has been the cause of many headaches around the ol' doghouse. I tried placing a copy of the modified file in the C:\WinNT\System32\Dllcache folder too, but to no avail. It was still getting overwritten on bootup discarding my changes. There's a file called "SFCfiles.dll" that contains a listing of the files checked by Windows File Protection. I tried Hex Editing the .DLL to remove any listing of NTOSKRNL.EXE, but that didn't work very well either.
Fido kept telling me to just shut off the file protection but I didn't know how to do so... and neither did he. After searching the web, he found the answer at Security Portal.Com. Jeremy Collake gets ALL of the credit for teaching us how to shut off Windows File Protection. Here's a quote I ripped right from their site.
Ok, after spending 6 hours in the guts of sfc.dll, sfcfiles.dll, and winlogon.exe I have *finally* discovered how to permanently disable windows file protection. The more I dug into the internals of SFC, the more I began to think that it would not be as easy as I first thought it would be - and indeed Microsoft does not want it to be easy. Windows File Protection, while annoying, does provide a good degree of system stability and even some level of virus/trojan protection by preventing system files from being modified without at least notifying the user. Therefore, I was *very* shocked when I was looking through a disassembly of sfc.dll and came to the code that checks the value of the SfcDisable in the WinLogon key.
You should know and understand that by turning Windows File Protection off, the chances of getting corrupt system files, or virus/trojans will increase. If you don't want to learn how to turn it off, then you should stop right here.
Step 10. Open Regedit.exe and navigate to [HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows NT \CurrentVersion \Winlogon]. You should see a DWORD value named "SFCDisable" with a value of "0". Change the value data of "SFCDisable" to "ffffff9d". Since pictures are worth a thousand words, here's the before and after shots:
Step 11. Exit regedit and reboot the machine because this will make the registry change take effect. After the machine is rebooted, you should see Event ID 64032 in the System Event logs letting you know that Windows File Protection is no longer active.
The Final Step - 12. Now all you have to do is copy the modified NTOSKRNL.EXE file into the C:\WinNT\System32 folder and overwrite the original file. Reboot, and you should have a modified boot logo! Since I can't screen cap it, here's a few pictures to show what the final results look like.
Wrapping It Up
I'm sure there's going to be a LOT of better boot logo's popping up in the near future than the one that was made here. This one was made just to show that it's possible to change the boot logo, and how to accomplish it. If anyone does venture out and try this on their own, I'd really like to see their finished products posted in our forums. Something else to keep in mind is.... this might be another item that will drive the office tech support person absolutely crazy trying to figure out what happened!? Not that I would condone or endorse such a thing though. Also, now that we all know how to change the logo, I would like someone to tell me how to do it without turning off Windows File Protection. If you do have the answer, either E-mail it to me, or post it at the forum link below so everyone will know how it's done. The curiosity is still driving me a little crazy. I hope some of you learned something new today, because in the end, that's what it's all about.
UPDATE: Now that Service Pack 2 has been released and the registry key does not work anymore, if you follow the forum thread listed below, you can find out how to change the logo with SP2 installed (page 31 for a good explanation). There is also information on changing the logon screen (page 11) by editing msgina.dll. Have Fun!
UPDATE #2: Due to popular demand, we have created a boot logo gallery to showcase some of the EXCELLENT submissions we have received.
- Spot