Move the Progress Bar in XP (SP2)

[Jiwek]

Today and yesterday I spent learning how to change my boot screen (continuous forum searching along with trial and error) and I realized that there was a severe problem. Nobody has the hexadecimal locations to the progress bar for Windows XP SP2! I decided to use my trial and error approach, making an excel sheet to keep track of my data, and it worked!

These values are for ntoskrnl.exe build 2622

Here is what I found:

There are, in all, five locations of code to change. Three are locations for the top of your bar, two are the locations for the bottom of your bar. If you have done your homework, this should be easy from here. The locations are as follows.

There are detailed steps below of how to do this. If you are not EXACTLY sure what you are doing, please read the tutorial below.

Top of bar:

32020h

346b0h

34730h

Initially these values will be set to 62 01 00 00, which is 00 00 01 62 backwards. I have read several pages containing the same information on how this is explained. Basically, Microsoft wanted to make it really hard to hack their logo (and they claim not to be a monopoly, right!?) so they wrote all of the hexadecimal code backwards! Anyway, to the point. This number (00 00 01 62) is 354 in decimal, which refers to the 354 pixels that it sets below the TOP of the screen. I'll explain more after we see the bottom values.

Bottom of bar:

320a0h

34730h

These are the places to modify the bottom of your bar (that's right folks! You can do anything from making the bar stretch the entire screen to eliminating it completely! [setting all five locations to code for the same number]).

These bottom values will appear as 6A 01 00 00, which is 00 00 01 6A backwards. This number is 362 in decimal, and subtracting 362 from 354 gives us 8, which is the height, in pixels, of the progress bar. It makes sense that the bottom number is 362 compared to the top number, since we are counting pixels from the TOP OF THE SCREEN. Remember that the image of the boot screen is 640x480, so this gives us 640 pixels vertically to play with.

How to change these values:

I would assume that anyone who wanted to tamper with their progress bar already knows the basics of ntoskrnl.exe and is competent enough to use a hexadecimal editor. If you don't know, or aren't farmliar, don't try (at least not yet, read about it first). Why? Because ntoskrnl.exe is the very core of your Operating System, and changing one value incorrectly could mean reformatting your computer and losing anything that you haven't backed up. This said, let's move on.

1) MAKE A BACKUP OF NTOSKRNL.EXE. If you already have a file you are working with (I expect that you do), use that one seeing as how changing the progress bar on the default screen would be utterly useless. I would suggest giving it another name, such as mykrnl.exe. Make sure you type in ".exe" or else it might not save with a file extension, therefore your file will not be recognized by Windows, along with anything else. I would also suggest making a folder on your desktop where you can save all of your image files along with your backup of krnl. Organization=success.

2) IF YOU DIDN'T MAKE A BACKUP, SEE 1.

3) IF YOU STILL HAVEN'T MADE A BACKUP, CONSIDER YOURSELF RETARDED, AND THEN SEE 1.

4) Go into your hex editor (I use Ultra Edit-32, which can be downloaded here). Open up mykrnl.exe in the hex editor and search for "62 01 00 00"

Again, the locations you are looking for are (top bar):

32020h

346b0h

34730h

Remember that this is the top of your bar so these values need to be smaller than the values in the next step.

Change this to whatever you want. Here is a link to a site with a converter for decimal values to backwards hexadecimal (almost the very bottom of the page). So make a guess of where you want the top of the bar, plug it in, and replace "62 01 00 00" in the three lines above with the value that the converter spits out. REMEMBER WHAT NUMBER YOU CHOOSE. Do not close your hex editor.

5) Next we will change the bottom of the progress bar.

The bottom bar locations are found at:

320a0h

34730h

Now is where that number comes in handy. If you are keeping the original bar and just using a different palette then you will want to keep the numbers 8 pixels from eachother, because the image size of the progress bar is 22x8 pixels. Search for the value "6A 01 00 00" until you get to these two locations in the hex code (my excel file shows that it was the third and fourth strings found). Change these two values to a value that is 8 greater than the number that you used for the top of the bar. Now save your file and exit the hex editor. Make sure you configured your boot.ini file correctly and be absolutely sure that you put mykrnl.exe into the C:\Windows\System32 directory.

*If you want to get rid of the progress bar (I haven't actually tested this) then enter the same value as you did for the top bar*

Good luck!

[Edit] Changed build value to 2622. Removed claim that progress bar cannot be moved sideways, because it can be. I was messing around in hex today and moved the right side of the bar but gave up before finding the left side value. What I found is that Ntoskrnl.exe reads this from left to right, and there is only one value for the right side of the bar, which is initially set to 78 01 00 00.

Edited May 7, 2006 by Jiwek

[Krisman]

Just so you know those values won't always correspond. My kernel is build 2868 from RyanVM's latest update pack. So your values don't work for mine.

Build 2868 values are

3205E

346F0

3477C

and

320DC

34772

With the pallete at

75288

So basically remember to post the build when you give values.

Also I forgot to mention that its probably different if you use ntkrnlmp.exe. Mines I single processor so it uses ntoskrnl.exe.

Edited May 6, 2006 by Krisman

[Angel Blue01]

Actually yes you can. I encountered a boot screen with the progress bar in the upper left corner

[Jiwek]

In Res Hacker it says

FILEVERSION 5,1,2600,2622

so would that be build 2600 or 2622?

[Krisman]

The last part is the build so 2622

[HyperHacker]

Has anyone found anything about moving the bar left/right and/or stretching it besides this? Also could we use a different sized bar image?

BTW, I don't think MS put the hex values backward to be difficult. Modern 32-bit PCs are big endian, which means when they read a string of 2 or 4 bytes from a file, they read it backward. Thus the bytes are stored backward in the file to compensate. (Dunno why this is.) You can find backward hex values in all manner of file formats, even on game consoles.

Edited August 6, 2006 by HyperHacker

[machkris]

Can someone HELP me?

I am trying to make my Boot Screen look like the one , but when Windows is booting up it is showing up as these LAST_SESSION.INI with distorted colors. Which file I need to edit in the Windows XP Pro CD and what do I need to do to correct this problem?

[gerwulf]

Hi Jiwek,

I searched my ntoskrnl.exe, which is version 5.1.2600.5512 (XP Pro SP3) for the relevant values, and found the ones at the following offsets are working for me:

Top of bar:

31af0

34b00

34b8c

Bottom of bar:

31b6e

34b82

Palette:

75d08

Maybe you could change the thread title to indicate that the SP3 values are in here too by now ;-)

Cheers,

Gerwulf

[darkemperor]

Has anyone found anything about moving the bar left/right and/or stretching it besides this? Also could we use a different sized bar image?

BTW, I don't think MS put the hex values backward to be difficult. Modern 32-bit PCs are big endian, which means when they read a string of 2 or 4 bytes from a file, they read it backward. Thus the bytes are stored backward in the file to compensate. (Dunno why this is.) You can find backward hex values in all manner of file formats, even on game consoles.

I have the same question, is it possible to reduce horizontal size of the bar or to move it left or right?

I have build 3427 (SP2 German ver.) and 5657 (SP3 English ver.)

Any suggestion in which values to look (for 5657) for?

[Edit] Changed build value to 2622. Removed claim that progress bar cannot be moved sideways, because it can be. I was messing around in hex today and moved the right side of the bar but gave up before finding the left side value. What I found is that Ntoskrnl.exe reads this from left to right, and there is only one value for the right side of the bar, which is initially set to 78 01 00 00.

I tried 78 01 00 00 (not all of them yet) but no luck so far.

Thanks for any help or suggestions.