Terry R. said:
I suggest you find an XP workstation and look for the files in the Windows
folder. If they're within ntoskrnl.exe, why are they included
Okay, now we're getting down to the nitty-gritty stuff ...
Yes: those winnt.bmp and winnt256.bmp files are present in the Windows
folder on XP. But normally they're hidden files, and should not appear to
casual snooping users. It is trivially easy to demonstrate they are not used
as boot logo pictures in any straightforward way: edit winnt256.bmp using
Paintbrush or whatever, save the changes, and reboot. Does the logo reflect
your changes? - no. You can also totally delete these files, with no impact
on how the system boots. So they don't appear to play any critical role in
booting.
I don't know exactly why those files are present. I suspect it may have
something to do with backwards compatibility (maybe some software assumes
these files will be present?); or else, some aspect of system file
protection (SFC) for the ntoskrnl.exe file.
If you open ntoskrnl.exe (or nrknlpa.exe) using any tool which can edit
resources in EXE files - such as Visual Studio - the boot logo images are
there, plain to see, in the Resource section of the file. On SP2, the big
Windows logo is bitmap number 5, of 11 bitmaps. I'm staring at it, as I
type.
If you edit Bitmap 5 in ntoskrnl.exe, then Windows\winnt256.bmp is
automatically updated with the changes (why? I dunno). However, SFC will
kick in and immediately replace the edited ntoskrnl.exe file with the cached
genuine copy; so when you reboot, the boot logo still appears the same as
before.
I did a little research on your comment and found this:
"Microsoft decided to remove the pallet from the logo to another location
(in XP). So now when you open up ntoskrnl.exe in Resource Hacker, the
.bmps are just black images."
The "pallet" (palette?) is just a look-up table of RGB colour values, which
an image editor can use to adjust the colours of a bitmap. When you open a
BMP file in Paintbrush for example, it uses a simple "normal" set of RGB
values. In XP, Microsoft have obfuscated the boot logo resources somewhat,
by using a reversed set of RGB colour values in the embedded resources. So
royal blue is normally 0x41 0x69 0xE1, in the embedded boot logo bitmap it
is 0xE1 0x69 0x41. The palette for these "reversed colours" is itself
embedded into ntoskrnl.exe. When the bitmap is examined using the standard
palette, they appear all black. At boot-time, XP uses its built-in boot
palette in ntoskrnl.exe to interpret the colours in the embedded resource,
thus displaying the colourful image we see on the screen.
The main thing is: Windows NT used winnt.bmp and winnt256.bmp as the splash
screen logos in a fairly simple, obvious manner. If you editing the BMP file
on disk and rebooted NT, you'd see the changes in your logon screen (I used
to make my NT workstation boot "OS/2" this way
. But Microsoft - or at
least, some forces within Microsoft - wanted tighter control over the
branding of Windows: letting users modify their start-up screens was
allegedly "diluting" the value of the Windows brand. So in Windows 2000, the
logo was moved from a discrete BMP file, easily modified by users, to an
internal binary resource, quite difficult for users to access or change. XP
and Vista may have modified this mechanism in various ways (eg by
obfuscating the palette); but the basic prinicple remains the same.
Returning to the original poster's question: nothing that happens to any
winnt.bmp or winnt256.bmp file would prevent the XP boot logo from
appearing. But what they are describing - the minimalist boot screen with
progress bar - is normal boot behaviour for Vista, anyway.
Hope this makes sense!
Andrew
