Note: this tutorial was written by JJoelC and posted with permission by Orion

I started changing boot logos back when Windows95 first came out. That was awfully simple, and evidently Microsoft got tired of other people and companies changing "their" boot screens. When Windows 2000 came out, they upped the ante a bit, and embedded the boot screen into the kernel executable file itself. Needless to say, it didn't keep people from changing them anyway. Take a look in the littlewhitedog.com forums for proof of that!

Now WindowsXP is here, and Microsoft has made it even more difficult to make changes the boot screen. Not only is it embedded into the kernel, but it is made up of several images, all layered on each other. And to top things off, it relies on a "system" 16 color palette. This is where I have heard the most complaints. It is not really any different to change the boot screen in XP than in Win2000, but in Win2000 you could at least optimize the color palette of the image. In WinXP, you are stuck using the palette built into the kernel. Not anymore!

A Warning:

Changing the boot screen palette in Windows XP involves getting in and making changes to the kernel of your system. If you screw things up, you can REALLY screw things up! Your system could become "unstable" or it might not even boot. If you are not prepared for this eventuality, I would suggest you quit reading now, and learn to live with the boot screen that comes standard in Windows XP. I will show you all of the steps to take to make sure you are able to recover from any errors, but nothing is foolproof. I simply cannot be responsible for anything that happens with your system because of steps taken in this How-To.

Resources Needed:

1. Windows XP Operating system
2. Paint Shop Pro 6 (www.jasc.com)
3. Resource Hacker (Click here)
4. UltraEdit (http://www.ultraedit.com) or another hex editor

Safety First!

Before you even THINK about hacking into the kernel, make a backup. Of everything you even remotely care about on your system. Now make a backup copy of "..Windows\System32\ntoskrnl32.exe" in whatever directory you like. NOW make ANOTHER copy of it to actually do your hacking on. Put it into a completely separate directory from your backup copy. (Trust me on this, I had to learn the hard way!

Make Your Own Boot Screen

Open up Paint Shop Pro, and design your boot screen. It has to be 640x480, and you'll need to reduce it to a 16 color palette. How do I do that, you ask? Once you have the image designed, go to the "Colors" menu, choose "Decrease Color Depth" then "16 Colors". Take a look at the screen shot below, for an example. You may need to experiment with this a bit to get things looking the best they can. And it may take a bit of work to clean things up (16 colors isn't very many!), but eventually you should have a 16 color image to your liking.

 reduce1.jpg ( 28.96k ) Number of downloads: 338


Now that you have a good 16 color image, it's time for some paperwork. The simplest way to start all of this is to save the palette used in your boot image. Again go to the "Colors" menu, and choose "Save Palette". This will let you choose a name for the file, and by default will save it in the "..Program Files\PaintShopPro6\Palettes..." directory. This is simply a text list of the RGB values of each color in your palette. In order. Don't quit yet, we're not done! Open up the .pal file you just saved in Notepad. We're going to keep some notes in there also. You will need to know the exact order of your palette, and the hex values of those colors in order to make the changes in your kernel. To get that information, we are going to bring up the "edit Palette" dialog box in PSP. Again, go to the "Colors" menu and choose "Edit Palette". You will get a dialog box that looks something like the screen shot below.

 editpalette.jpg ( 8.58k ) Number of downloads: 222


This dialog gives us all of the information we are going to need later when we go to make the changes to the kernel. Click on the first color on the left. You'll see the RGB values listed at the bottom center of the dialog box, and the hex values listed in the lower right labeled as "HTML". Now, make sure you can see this window, and the Notepad window with your Pal file open at the same time. Next to the first set of RGB values in the notepad file, type in the hex values shown for the leftmost color entry in the "Edit Palette" window. Work your way down the list, noting the hex values next to each RGB value. Don't worry, you'll understand why later. You should end up with something like the following:

JASC-PAL

0100

16

23 13 23	         || 17 0D 17 

48 40 72	         || 30 28 48 

53 71 49	         || 35 47 31 

52 77 92	         || 34 4D 5C 

84 30 43	         || 54 1E 2B 

92 45 77	         || 5C 2D 4D 

84 75 53	         || 54 4B 35 

97 84 95	         || 61 54 5F 

103 110 135	|| 67 6E 87 

111 137 111	|| 6F 89 6F 

102 145 155	|| 66 91 9B 

154 64 92	         || 9A 40 5C 

173 109 140	|| AD 6D 8C 

149 139 116	|| 95 8B 74 

200 186 193	|| C8 BA C1 

0 0 0		|| 00 00 00 

Now, you are going to need to create an all black palette. While you are in the "Edit Palette" window, double click on each color and make it black. Yes, all 16 entries need to be black. When you click on "OK" your image should be solid black. Go back to the "Colors" menu again and select "Save Palette" give this black palette a new name and save it. Then save your image (still all black) somewhere, and close out of Paint Shop. We're done in there.

Putting Your Image Into the Kernel

Now it is time to replace the standard Microsoft boot image with yours. Open up Resource Hacker and open up your "working" copy of "ntoskrnl32.exe". Then choose the "Action" menu and select "Replace Bitmap". A dialog box will open up that will allow you to choose which bitmap to replace (you are going to replace .bmp 1 in this case) and to browse to the .bmp you want to use as a replacement. When you have replaced the .bmp, go to the "File" menu, and choose "Save As". Give the file a new name like "mykrnl.exe" or whatever, and save it. You can go ahead and close out of Resource Hacker. We're done there.

Some Other Information About Ntoskrnl32.exe And ResHacker.

Resource Hacker is a great little program. I just want to give you some more information about the other things you may want to change while in Resource Hacker. First, you may want to save some of the other .bmp files in the kernel, and modify and replace them also. Here's a Quick rundown of the .bmp's :

1 - The main boot logo screen. This is the background image for the boot screen, there are a few other images that may be overlaid on this background. Here is a Paint Shop Pro image file that marks where these overlays occur:
 blank.zip ( 2.04k ) Number of downloads: 511


2 - Hibernating. This is the overlay for the waiting period when waking up from hibernation, It overlays in the same position as the progress bar during boot up.

3 - It is now safe to turn off your computer. This is the image for the message you see when shutting down windows. It is actually built differently and is seperate from the boot up screen, so I didn't include it in the blank template.

4 - This is the grey progress bar. I'm not sure which flavor of XP uses this one, but if you see a grey progress bar while booting up, edit this file to make changes.

8 - This is the blue progress bar used by XP Pro.

9 - This is the green progress bar used by XP Home.

10 - Professional. This is the text oevrlay for XP Pro. I usually just replace it with a 1x1 pixel image, effectively erasing it.

11 - Home Edition. This is the overlay for XP Home. Again I'd just get rid of it as described above.

12 - Embedded. I don't think anyone is using this one yet, but here it is.

You can simply modify any of these resources, and place them back into the kernel with Res Hacker. You will need to have a "system" palette (the one you see during boot up) and a "black" palette (all black) that is used to store the bmp in the kernel. I have provided both here:  Palettes.zip ( 524bytes ) Number of downloads: 391


To use these palettes, simply extract them to the "..Program Files\Paint Shop Pro 6\Palettes" directory. When you want to see what the image will look like at boot, go to the "Colors" menu, and choose "Load Palette". Then select the "system16.pal" file. You may need to switch between this view, and full color mode quite a bit while designing your image, and there will likely be some ugly artifacts from the reduction in colors. The final step before saving the modified image is to load the all black palette. Again, go to the "Colors" menu, choose "Load Palette" and select the "black16.pal" file. Be certian that you choose "Maintain Indexes" in the "Apply Palette Using" section at the bottom of the "Load Palette" dialog. Your image will turn all black, and you are all set to save it and place it into the kernel.

Changing The Built-In Palette.

Now comes the hard part. Microsoft seems to have gone to some bit of trouble to hide the palette in the kernel, so this will take a bit of explaining.

Start off by opening up your "mykrnl.exe" (or whatever you named it) in UltraEdit or another hex editor. You need to do a search for the following hex string (without the quotes)...

"00 00 00 00 15 1A 20 00 46 46 46 00 D2 3E 2D 00 01 65 53 00 05 35 B2 00 7E 7E 7E 00 00 92 89 00 FC 7F 5E 00 20 6B F7 00 FF A6 8D 00 04 DC 8E 00 1B BC F3 00 BC BC BC 00 FC FC FC FF FF FF"

Yes, That is a LOOONNGG search string. But when you find the entire thing, you know you are in the right place. Below is a screen shot of the results on my computer.

 ueditorig.jpg ( 37.63k ) Number of downloads: 682


This shot is on Windows XP Professional Gold. Build 2600, corporate license, so it may be in a slightly different place on your computer, but it will be there.

Now to explain a bit about what you are looking at. Each color on your screen is made up of an RGB value. White, for example is "255 255 255". Those RGB values can be translated into a hexadecimal value. White is "FF FF FF". Those of you familiar with web design or image editing at all are probably already aware of all of this. What you see in the image above, and in your own hex editor, is a list of 16 such hex values separated by a "null" character (00). This is the palette windows uses to turn the all black boot screen image into what you see on screen.

Like I said though, Microsoft evidently went to a little bit of trouble to hide this, because each hex value is backwards! For example, one of the orange colors in the original palette has the RGB value of "247 107 42", which translates in hex to "F7 6B 20". In the screen shot above though, you will notice that it is listed as "20 6B F7" The values of each color in the palette are listed in this manner. So, Let's take another look at our notes, and just to simplify things, make another listing next to each value of the reversed hex values. My example came out looking like the following:

JASC-PAL

0100

16

23 13 23	         || 17 0D 17 || 17 0D 17

48 40 72	         || 30 28 48 || 48 28 30

53 71 49	         || 35 47 31 || 31 47 35

52 77 92	         || 34 4D 5C || 5C 4D 34

84 30 43	         || 54 1E 2B || 54 1E 2B

92 45 77	         || 5C 2D 4D || 4D 2D 5C

84 75 53	         || 54 4B 35 || 35 4B 54

97 84 95	         || 61 54 5F || 5F 54 61

103 110 135	|| 67 6E 87 || 87 6E 67

111 137 111	|| 6F 89 6F || 6F 89 6F

102 145 155	|| 66 91 9B || 9B 91 66

154 64 92	         || 9A 40 5C || 5C 40 9A

173 109 140	|| AD 6D 8C || 8C 6D AD

149 139 116	|| 95 8B 74 || 74 8B 95

200 186 193	|| C8 BA C1 || C1 BA C8

0 0 0		|| 00 00 00 || 00 00 00 

Now, the first column is the RGB values of each color, the second is the hex values, and the third is the reversed hex values we are going to type into our kernel. If You look again at the screen shot, you'll notice that each set of 3 hex values is separated by a "null" or "00". Be sure to leave those in there, or there's no telling what things will come out looking like! If they work at all.

So what we need to do is replace the existing entries with our palette values. This is where our notes will pay off. Just start with the top line of the third column, and type over what's already in the kernel file. Remember to leave the "nulls" between each listing! The image below is a screen shot of my kernel file after the changes. When you are done, save the file. Believe it or not, we are done! All we have left is to boot to our new kernel.

 uedit2.jpg ( 49.1k ) Number of downloads: 237

Booting To Your New Kernel.

The next step is to copy your hacked kernel into the ..Windows\System32 directory. Leave it named whatever you did before. You do not want to overwrite the existing "ntoskrnl.exe"! What would you do if it didn't work!? Boot to a command prompt and do a lot of typing and praying! That's what! There is a much safer and simpler way to do this. Open up "C:\boot.ini" in Notepad. On my system it looks like the following:

[boot loader]

timeout=30

default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Windows XP Professional" /fastdetect 

What we are going to do is copy the bottom line, and paste it at the bottom of the file. Then we'll modify it as follows:

[boot loader]

timeout=30

default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Windows XP Professional"  /fastdetect

multi(0)disk(0)rdisk(0)partition(1)WINDOWS="JJoelC's Hacked OS"       /fastdetect /kernel=mykrnl.exe 

Notice the "/kernel=" switch at the end of the line. This is where you would enter the name you saved your hacked kernel as. Now when you boot up your computer, you will get a menu asking you which operating system you would like to start. Choose your hacked OS, and watch the show. If anything doesn't go right, just reboot, and choose the original configuration. No hassle, no fuss. When everything is working to your satisfaction, you can remove the original entry from the boot.ini file, leaving only the edited entry and you won't get the menu at boot anymore. Here's a shot of the image I created to test all of this out. And yes, this is the 16 color version.

 logo.jpg ( 26.22k ) Number of downloads: 304

The End!

If you notice any errors in this, or think I need to add or clarify something, please let me know. This is a prety rough draft, and I'm sure I'll polish it up. I just wanted to get the thing built and out there as soon as possible!

JJoelC.
jjoelc@excite.com

this was a AMAZING tutorial! i created my first bootscreen in just half an hour.

Just one error in it ... when searching for the pallette, you said to search for ""00 00 00 00 15 1A 20 00 46 46 46 00 D2 3E 2D 00 01 65 53 00 05 35 B2 00 7E 7E 7E 00 00 92 89 00 FC 7F 5E 00 20 6B F7 00 FF A6 8D 00 04 DC 8E 00 1B BC F3 00 BC BC BC 00 FC FC FC FF FF FF"

Actually there is a mistake, there are some zeros missing between the last FC and FF. here is the correct string (worked for me):

"00 00 00 00 15 1A 20 00 46 46 46 00 D2 3E 2D 00 01 65 53 00 05 35 B2 00 7E 7E 7E 00 00 92 89 00 FC 7F 5E 00 20 6B F7 00 FF A6 8D 00 04 DC 8E 00 1B BC F3 00 BC BC BC 00 FC FC FC 00 FF FF FF 00"

but again, excellent job

btw, just an example of how much is possible to do with only 16 colors:
 1_4bit.bmp ( 150.12k ) Number of downloads: 325

Hi there,

It is success..!!!...However, the graphic quality is even worst than the originals or worst than xptheme.org provides. Why? Anyone could help me to get better graphic quality please???...Because during the booting time, it shown on the left up corner a little black square which is I have no idea where it coming from....

Anyone can help me please?

Thanks,

Mona

Hi there,

As I read on your tutorial, you said that:

"To use these palettes, simply extract them to the "..Program Files\Paint Shop Pro 6\Palettes" directory. When you want to see what the image will look like at boot, go to the "Colors" menu, and choose "Load Palette". Then select the "system16.pal" file. You may need to switch between this view, and full color mode quite a bit while designing your image, and there will likely be some ugly artifacts from the reduction in colors. The final step before saving the modified image is to load the all black palette. Again, go to the "Colors" menu, choose "Load Palette" and select the "black16.pal" file. Be certian that you choose "Maintain Indexes" in the "Apply Palette Using" section at the bottom of the "Load Palette" dialog. Your image will turn all black, and you are all set to save it and place it into the kernel[U]."

The underlined statement for me was not clear. How to place it in Kernel and what to place it? Please explain me further detail and clear. Because during booting, my color even different with actual colors.....

Thanks,

Mona

Hi,

I did but the color was distorted. Anyone can help me why please?

Thanks,

It means to save the bmp file into the kernel. The instructions for that are in the tutorial. You use reshacker for that step.

Are there any known issues with this guide and it's compatability with WinXP MCE?

Also... Are there any other programs that can extract the palet info in the way you need, such as Adobe Photoshop? ...I may have easier access to PS.