Terry's Place

Changing the Win2k Startup Logo August 30, 2001

This procedure is not for the faint of heart; it was taken from an article by Greg Kras, Sunbelt Software Technical Services Manager - I have tested it out for myself and it works just fine.
However; in my view the shortcut method decribed below (from the LittleWhiteDog.com) is far superior.
In order to modify the W2K startup logo you have to be aware of a few things up front:
The logo is a 16 color (not bit) bitmap that is 640 by 480 in size. It is built into the ntoskrnl.exe. W2k file protection will not let you just modify this file and place it in the system32 directory, it will be overwritten shortly thereafter with the original. Knowing this you'll need a tool to pull apart the ntoskrnl.exe and replace the bitmap. I'm using a tool called Resource Hacker
It's a fairly simple program, just extract the files to a directory and run the exe. Once it's open, do a "File/Open" and select your ntoskrnl.exe. This is located in X:\winnt\sytem32.
You'll get 3 main folders, Bitmap is the one we want to work with. If you are on W2k Pro, it's under the directory "1" and is called "1033". If you run W2k Server, it's under "4" and is also called "1033". You'll see the current boot time logo.
Now you can do "Action/Replace Bitmap". Select the bitmap you have created to replace the old bitmap. Or, you could export the bitmap, modify it, then import it back in. It is very important that you do not deviate from 640x480 w/ 16 colors. Remember to use Irfanview to convert the images to 640x480 16 color bitmaps.
In the Replace Bitmap browser once you have selected the new bitmap you'll need to select the bitmap number in the bottom right that you wish to replace. "1" for Pro and "4" for Server (or Adv Server).
Now you need to do a "File/Save As" and save the file somewhere on your drive. Do *NOT* save it in the same directory or it will be quickly snarfed up by Windows File Protection.
For the next step we'll need a tool that can open .CAB files as well as create them. I used WinAce
Now you'll need to open the latest service pack .cab file that you have in your system. This file is located in X:\winnt\driver cache\i386 and will be called something like SP1.cab or SP2.cab. Extract the contents of the most current one to a directory. Now take your modified ntoskrnl.exe and drop it in that directory, it will overwrite the existing one.
Re-compress the all the files back into a .CAB and overwrite the original SP1.cab or SP2.cab (Back up the original first just in case). Then drop your modified ntoskrnl.exe into (which ever of these directories you have) X:\winnt\system32\dllcache and X:\winnt\system32 and x:\winnt\ServicepackFiles\ in that order. This way Windows file protection has nowhere to get the original ntoskrnl.exe and leaves well enough alone. At this point, you can reboot.
And here's the Little White Dog.com shortcut method:
1-Modify th NTOSKRNL.exe as usual with Resource Hacker...Save the file as "NTOSCHK.EXE".
2-Place it in the folder "c:\Winnt\System32\", leave the original NTOSKRNL.EXE in the Sysytem32 folder...
3-Open the "boot.ini" file (it's in c:\boot.ini, if it don't appear, you have to activate the option "display the protect system files" in the "folder options" of your explorer.).
4-Add the command line at the "boot.ini": (after ".../fastdetect"), /KERNEL=NTOSCHK.EXE
It must look like this: multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows 2000 Professionnal" /fastdetect /KERNEL=NTOSCHK.EXE
5-And reboot...