Solved

Adding a file to the Windows File Protection

Posted on 2005-04-28
Last Modified: 2010-04-07
Let's start at the beginning... :)

I recently modded a few system files of Windows to get another view of certain things. I modded the Ntoskrnl and I modded the bootscreen to show other images than the Windows background and the standard bootup screen. They both work fine, and I haven't had any trouble.

Now, the question. Because the files are modded and have another name (I put a new OS in that would use the other kernel), the Windows File Protection won't protect my new file. The question is, how can I add it to the WFP? The answer I DON'T need is: "Boot in safe mode, delete the original kernel and rename your file to ntoskrnl.exe to have file protection"

Thanks in Advance,
FHawk
Question by:FalconHawk
9 Comments
 
LVL 12

Expert Comment

by:rossfingal
ID: 13885856
Not sure if this will work, but -
Try adding a copy of the file(s) to the dllcache folder.
Maybe, do this in Safe mode.

Good luck!
RF
 
LVL 4

Author Comment

by:FalconHawk
ID: 13886245
Thanks for the quick response RF. I'll try that on my next reboot (which will be tomorrow, as I'm loaded with work :( )
 
LVL 27

Accepted Solution

by:
Tolomir earned 1500 total points
ID: 13890470
Well, I found a link, actually for Win2k, but it seems to fit for Windows XP too, since they are dealing with Windows File Protection too:

http://www.littlewhitedog.com/content-9.html


How To Change The Windows 2000 Boot Logo

Step 10. Time for a quick recap of what we've done so far. We've made a copy of our NTOSKRNL.EXE file and placed it in the C:\WINNT\SYSTEM32 folder. The copy was named KERNEL01.EXE and was opened using Resource Hacker. The bitmap resource image for the boot logo was replaced with our own customized version, and the file was saved.


Step 11. Conceptually, the next step is to "tell Win2K to use the new KERNEL01.EXE file when it boots, instead of its normal NTOSKRNL.EXE file". We are going to do this by modifying the BOOT.INI file which is located in the root of your C: drive. The file is marked hidden and read-only by default so the first thing we should do is turn off the read-only attribute. Do this by right clicking on the boot.ini file and then clicking on properties. Uncheck the read-only box and click OK to apply changes.

NOTE: if you cannot find your boot.ini file, you probably have Windows Explorer set up so that it cannot view hidden files. Correct this by clicking on Tools and then Folder Options. Go to the View Tab and toggle the radio button to Show Hidden Files and Folders.

Step 12. We're now ready to open the BOOT.INI file and modify its contents. I've listed below what my current BOOT.INI file looked like before any changes were made to it. Yours should be somewhat similar.
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

The line we're concerned with is the one under [operating systems] - this is the line that NTLDR parses to determine the location of the operating system boot partition. Make a copy of this line and paste it below the existing one. You should also take a minute and make sure the timeout=X line under the [boot loader] section has a value other than zero. This is the number of seconds that the boot menu will be displayed, before it accepts the default value and continues. The default value will be whatever is listed first under the [operating systems] section.
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

Modify the line directly below the [operating systems] heading, adding the following switch to the end: /KERNEL=KERNEL01.EXE (KERNEL01.EXE is the name of the file we modified in the previous steps). By doing this, we are telling NTLDR that we want to boot our system using the specified Kernel file, instead of the default NTOSKRNL file that is used when the /kernel= option does not exist. You should also change the description on this line from "Microsoft Windows 2000 Professional" to something like "Microsoft Windows 2000 Hacked Logo" so you know which option is which. Your boot.ini file should now look like this:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Hacked Logo" /fastdetect /kernel=kernel01.exe
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

Before we save this file and move to the dreaded Step 13, let's recap what we've done here just to make sure everything is right. We've opened up the boot.ini in edit mode (with read-only turned off) and have made the following changes: the timeout value is greater than zero, the default operating system line was copied and modified to include the /kernel switch pointing to the modified file from the previous steps. The original default operating system line was not changed in any way, it was just "bumped down" a spot to make room for our new kernel file.

Step 13. There really isn't much to Step 13, just reboot your system. You should be prompted with a menu for a period of 3 seconds asking you which boot option you would like: "The Hacked Logo" or the "Professional Boring" version. It should default to "The Hacked Logo" version after those 3 seconds have expired, since it resides at the top of the list. However should something go amuck and you've totally screwed up your "Hacked Logo" kernel file by using a 16-bit color bitmap image, instead of a 16 color image, you can still boot your system up using the original kernel file by choosing the second option on the menu. That's why it was so important to not make any changes to that line - it's your software version of an "Oh ****" handle.

Wrapping It Up
Hopefully you've grasped what we've done here. In our previous article we made a copy of the NTOSKRNL file, modified the copy, turned off Windows File Protection, and then replaced the working version of NTOSKRNL with our hacked copy. A quite intrusive method of changing the boot logo, with little room for error. With this new method of making a copy of NTOSKRNL, modifying the copy, and then giving Win2K the option of using this modified kernel file on boot up, we've eliminated the need to disable Windows File Protection, and we've built in a failsafe mode by leaving the original kernel file and boot option intact.

Those of you who have fully grasped what we've done here are probably already thinking of ways to take this process one step further. "If I can tell Win2K to use a file called KERNEL01.EXE in addition to the original NTOSKRNL.EXE file, why can't I make a KERNEL02.EXE and KERNEL03.EXE, add them to my boot.ini file, and have a wide variety of boot logos on my system?" The answer is you can! In fact we've taken this concept to the extreme by creating a little utility called LWDKernel.exe that will randomly change your boot logo every time your system boots. For more information about this utility along with a download link, head on over to this thread in our forums.

Hopefully this will be the last article we'll write on the subject of changing Windows 2000 Boot Logos. We've come a long way since we published our first article on the subject. The forum thread on this topic has been replied to over 1300 times, and has been read over 83,000 times. Not to mention the Boot Logo Gallery which currently contains over 540 images created by some very talented artists. A big thank you goes out to everyone who's contributed to the cause!

---
Hope that helps you.

Tolomir
 
LVL 12

Expert Comment

by:rossfingal
ID: 13890506
Nice find Tolomir!!  :)

Should probably work on XP.

RF
 
LVL 27

Expert Comment

by:Tolomir
ID: 13890790
Since the problem is the file protection, already existing in Win2k, I see no problem with it. Even if that hacked kernel is not included in the Windows File Protection scheme, for any reason, it won't be overwritten by the protected copy of the original kernel, since it uses a different name.

So FalconHawk only has to modify the boot.ini according to the windows xp version:

ala (this is my own boot.ini "patched" like suggested in the article)
---
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Hacked Logo" /fastdetect /kernel=kernel01.exe
---

But since he already modified the bootlogo - my god I think, I've done that last time with OS/2 Warp -  I have full trust in him.

@ FalconHawk: A feedback would be appreciated, of course.

So it's Bedtime for me,
Tolomir
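A small checker for the boot.ini layout that the article's Steps 11 to 13 and Tolomir's XP version rely on: a non-zero menu timeout, one entry carrying /kernel=, and the stock entry left untouched as the fallback. This is an added example, not code from the thread or from the littlewhitedog article; the sample boot.ini inside it is constructed after the XP one quoted above, and the check names are my own.

```python
import re

# Constructed sample, modelled on the XP boot.ini quoted in the thread,
# with the unmodified stock entry kept as the fallback.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Hacked Logo" /fastdetect /kernel=kernel01.exe
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# ARC path, quoted description, then the NTLDR switches.
ENTRY_RE = re.compile(r'^(?P<arc>[^=]+)="(?P<desc>[^"]*)"(?P<opts>.*)$')


def parse_boot_ini(text):
    """Return (timeout, default_arc, entries); each entry records its ARC path,
    description, switch list and the /kernel= target (None for the stock kernel)."""
    section, timeout, default, entries = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'boot loader':
            key, _, value = line.partition('=')
            if key.strip().lower() == 'timeout':
                timeout = int(value.strip())
            elif key.strip().lower() == 'default':
                default = value.strip()
        elif section == 'operating systems':
            m = ENTRY_RE.match(line)
            if m:
                opts = m.group('opts').split()
                kernel = next((o.split('=', 1)[1] for o in opts
                               if o.lower().startswith('/kernel=')), None)
                entries.append({'arc': m.group('arc'), 'desc': m.group('desc'),
                                'switches': opts, 'kernel': kernel})
    return timeout, default, entries


def check_failsafe(text):
    """Problems with an alternate-kernel boot.ini; an empty list means the
    failsafe layout (menu shown, stock entry intact) is present."""
    timeout, default, entries = parse_boot_ini(text)
    checks = [
        (timeout, 'timeout is 0 or missing: menu never shown, stock kernel cannot be chosen'),
        (default in {e['arc'] for e in entries}, 'default= matches no [operating systems] entry'),
        (any(e['kernel'] for e in entries), 'no entry carries a /kernel= switch'),
        (any(e['kernel'] is None for e in entries), 'no unmodified entry left as a fallback'),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run check_failsafe over your own boot.ini before rebooting; an empty list means the second menu entry can still boot the stock NTOSKRNL if the modified kernel fails.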
 
LVL 4

Author Comment

by:FalconHawk
ID: 13892361
"@ FalconHawk: A feedback would be appreciated, of course."

The way you described is indeed how I modded my bootscreen. The only thing I missed (surprise surprise) was the use of a hex editor to replace the palette with a new one, since my image wasn't made of system colours.. (I did it, works just fine)

For my question: let me rephrase it a little bit. The problem is not getting the WFP or making the screen, I'm more interested in the point if it's safe. Can I be sure that my AV, and other software like Windows, won't go messing around with my new file? Since it's not a Windows file? That's actually the question :) I mean, I don't want to have to reload the bootscreen every week or something.....

But of course, you already earned points ^^
 
LVL 27

Expert Comment

by:Tolomir
ID: 13892398
Nope, I think you are fine.

As it seems, Windows itself doesn't care (might change in Windows Longhorn, the trusted computing....)
An antivirus solution will see no offence, since it will not match any malware. I mean you changed the bitmap...

I think, even if your file would be added to WFP, an overeager antivirus or antispyware solution would still kill the file every time after leaving WFP. So the website I got the idea from would have mentioned such a problem.

Tolomir
 
LVL 4

Author Comment

by:FalconHawk
ID: 13893104
Well, I guess that's all I need to know. The only warning I read was about updating Windows, but only if you changed the file name and deleted the original. Thanks, and enjoy the points ^^
 
LVL 27

Expert Comment

by:Tolomir
ID: 13893475
ok, thank you.