
How To: Deploy A Custom Kernel



When you boot your XP computer one of the first things you see is the XP logo. This resource is in the XP kernel file, ntoskrnl.exe. Some people like to modify this to have their own custom boot logo. The traditional way to integrate a custom kernel is to first cab it (makecab ntoskrnl.exe), then put it in the i386 folder. This works, but it has some limitations. Below is my way of integrating a custom kernel, and the benefits of using my method.

First, download my custom kernel file here. As you will notice, I renamed ntoskrnl.exe to oemkrnl.exe.

Next, make an $OEM$ folder. Place the $OEM$ folder parallel to the i386 folder if you're installing locally. Place the $OEM$ folder under the i386 folder if installing from CD.

Under the $OEM$ folder make a folder called $$. In the $$ folder make a folder called System32. In this folder, place oemkrnl.exe.

Now in cmdlines.txt or the GuiRunOnce section of your unattend file, put this:

bootcfg /RAW /A /Kernel=OEMKrnl.exe /ID 1

bootcfg /Timeout 0

In your unattend file, make sure you have this:

[unattended]

UnattendMode=FullUnattended

OemPreinstall=Yes

OemSkipEula=Yes

So here's what happens. When you install XP, it copies the $OEM$\$$\System32 folder to %windir%\system32. This places oemkrnl.exe into your system32 folder. Then when setup processes cmdlines.txt or your unattend file, it adds the switch /kernel=oemkrnl.exe to your boot.ini. Now when you boot up, you'll see the custom kernel.

So why do all this when you can just put your ntoskrnl.exe into the i386 folder? Several reasons:

1 - If you install a windows update that has a newer version of ntoskrnl.exe, it'll replace your customized ntoskrnl.exe file. The only fix would be to resource edit the new ntoskrnl.exe. This isn't very practical when you consider there have been at least 4 kernel updates to XP since SP1 was released. Using my method, the custom ntoskrnl.exe is ALWAYS used, even if you do windows update.

2 - If you need to install a service pack, all you do is delete the /kernel= part in your boot.ini. If you integrated a custom ntoskrnl.exe file, you would have to use the switch -o to install a service pack. My method is more service pack friendly.

Note: Over time I have found a bug with bootcfg. If you are dual booting, it sometimes edits the wrong line in the boot.ini. I firmly feel that this is a bug in bootcfg, not my coding.

Also, bootcfg.exe is only included in XP Pro, but you could probably use it in XP Home. (bootcfg.exe is different from the bootcfg command in the Recovery Console.)

-gosh

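An added example, not from this thread and not part of gosh's download: a small Python editor for boot.ini that does on disk what the two bootcfg lines in the post do (append the /kernel= switch to one entry, set the timeout) and also the reverse step from point 2 (strip /kernel= again before a service pack). For the dual-boot note, it picks the entry to edit by its ARC path, or by the path named on the default= line, rather than by a positional ID. The sample boot.ini is constructed; that bootcfg /ID counts entries in [operating systems] order and that default= names the freshly installed XP are my assumptions, not statements from the thread.

```python
import re

# Constructed sample boot.ini (not from the thread): a dual-boot layout, the
# situation in which the post reports bootcfg /ID editing the wrong line.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
"""

# ARC path, quoted label, then whatever loader switches follow.
_ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text):
    """Split boot.ini into ([boot loader] keys, [operating systems] entries).

    Each entry is a dict with the ARC path, the label and the list of
    loader switches (e.g. /fastdetect, /kernel=oemkrnl.exe)."""
    loader, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'boot loader':
            key, _, value = line.partition('=')
            loader[key.strip().lower()] = value.strip()
        elif section == 'operating systems':
            m = _ENTRY_RE.match(line)
            if m is None:
                raise ValueError(f'unrecognised boot entry: {line!r}')
            entries.append({'path': m['path'].strip(), 'label': m['label'],
                            'switches': m['switches'].split()})
    return loader, entries


def render_boot_ini(loader, entries):
    """Inverse of parse_boot_ini; boot.ini is a CRLF text file."""
    lines = ['[boot loader]']
    lines += [f'{k}={v}' for k, v in loader.items()]
    lines.append('[operating systems]')
    for e in entries:
        tail = ''.join(' ' + s for s in e['switches'])
        lines.append(f'{e["path"]}="{e["label"]}"{tail}')
    return '\r\n'.join(lines) + '\r\n'


def _select(loader, entries, path=None):
    """Pick the entry to edit by ARC path; with no path, use the default= entry.

    Matching on the path instead of a positional ID (bootcfg /ID 1) is what
    keeps a dual-boot boot.ini from getting the switch on the wrong line."""
    wanted = (path or loader.get('default', '')).lower()
    for e in entries:
        if e['path'].lower() == wanted:
            return e
    raise KeyError(f'no boot entry with path {wanted!r}')


def _without_kernel(switches):
    return [s for s in switches if not s.lower().startswith('/kernel=')]


def add_kernel_switch(text, kernel='oemkrnl.exe', path=None):
    """File-level equivalent of `bootcfg /RAW /A /Kernel=<kernel>` on one entry.

    An existing /kernel= switch is replaced, not duplicated."""
    loader, entries = parse_boot_ini(text)
    entry = _select(loader, entries, path)
    entry['switches'] = _without_kernel(entry['switches']) + [f'/kernel={kernel}']
    return render_boot_ini(loader, entries)


def remove_kernel_switch(text):
    """Drop /kernel= from every entry: the step the post gives before a
    service pack, so the stock ntoskrnl.exe the pack updates is what boots."""
    loader, entries = parse_boot_ini(text)
    for e in entries:
        e['switches'] = _without_kernel(e['switches'])
    return render_boot_ini(loader, entries)


def set_timeout(text, seconds):
    """File-level equivalent of `bootcfg /Timeout <seconds>`."""
    loader, entries = parse_boot_ini(text)
    loader['timeout'] = str(int(seconds))
    return render_boot_ini(loader, entries)


if __name__ == '__main__':
    # Same end state as the two bootcfg lines, applied to the default= entry.
    print(set_timeout(add_kernel_switch(SAMPLE_BOOT_INI), 0))
```

Running it on the constructed file appends /kernel=oemkrnl.exe to the XP entry only, leaves the Windows 2000 entry alone, and sets timeout=0; remove_kernel_switch then returns the entries to their original switches, which is the state the post wants before installing a service pack.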


1 - If you install a windows update that has a newer version of ntoskrnl.exe, it'll replace your customized ntoskrnl.exe file. The only fix would be to resource edit the new ntoskrnl.exe. This isn't very practical when you consider there have been at least 4 kernel updates to XP since SP1 was released. Using my method, the custom ntoskrnl.exe is ALWAYS used, even if you do windows update.

don't you think that there is a reason for the kernel file being replaced by a hotfix/SP? The file is replaced because of security/fix issues.. so please don't tell the community to ignore those fixes. Maybe it's uncomfortable to resource edit the file after each patch/fix.. but that's better than an unsecured/unfixed system!


Thanks a lot for the guide. I tried some time ago to do this by copying ntoskrnl.exe with the help of a cmd file and it didn't work. Also, to initialise the boot timeout to zero (I know it sounds stupid) I copied an edited boot.ini file with a batch file.


To demlak:

As you see, I don't delete the original ntoskrnl.exe. When you install a security fix, it updates ntoskrnl.exe fine. Any security issue with ntoskrnl.exe is going to be a local security issue. In other words, the only way someone is going to hack you with a security hole in ntoskrnl.exe is by having physical access to your computer. No one can hack you over the internet using a security hole in ntoskrnl.exe. I've used a custom ntoskrnl.exe for about a year and never been hacked.

My post is like any post on this site, if you don't like it don't do it. My method does not let people get hacked, like I said you need physical access to a computer to hack someone with ntoskrnl.exe. And let's face it, if someone has physical access to your computer they already have you.

To DMX:

The method I described works. The install I have at home uses a custom boot logo.

To neophyte:

I don't remember offhand where it goes. Just copy the $OEM$ folder to the root of the CD and under i386.

-gosh


Should I laugh or not?

1. Who cares if you delete the ntoskrnl or not? If it's updated or not? Your SYSTEM does NOT care, because you told your system NOT to USE this file. So this file is unnecessary/not in use, which logically means you are using an outdated file with security holes. Whether these holes are wide enough to hack the system is not part of my knowledge, but there is definitely a file in use which should be updated.

2. If you haven't been hacked, congrats..

3.

My post is like any post on this site, if you don't like it don't do it

You're right.. that's how the world works.. how the internet works.. everyone is free and can do what he wants.. BUT, when you give tips to newbies without the needed security info, then please accept a correction/addition to the info.

Sorry, my English is very bad.. I don't know if I was able to explain in enough detail what I meant.


Why don't you blow a nonissue into a big deal? Go out and take a walk or something, r-e-l-a-x. As far as I can see, you're the only one who has a problem with my method.

-gosh


Doesn't the $OEM$ folder get placed in the root of the distribution source when using a CD?

I've tried it as a subfolder of i386, but it just doesn't work.

Yes, you place it in the root of the CD.


Why don't you blow a nonissue into a big deal? Go out and take a walk or something, r-e-l-a-x. As far as I can see, you're the only one who has a problem with my method.

I don't have a problem with your method.. but I have a problem when people give newbies tips without telling them the security issues with those tips.. like you did.

Sorry, I don't want to offend you, I just want the newbies to see that this method is a security risk, and that this should also be said by you.


There is another issue to this.

If you are using a CPU with HyperThreading, setup installs a different kernel than the default one.

If you replace it using this method and you have a HyperThreading CPU, your computer will not start on the reboot after the GuiRunOnce section has customized the boot process.

Please note that this is only a working theory based on the following.

I have an unattended CD that uses this exact method to replace the kernel and have used it hundreds of times. When I built my first PC with a HyperThreading CPU it refused to start after the above method had been done.

After spending a few minutes checking I found the ntoskrnl to be different from the one I had modified. I did a few compares with "Blind Compare" to confirm this and then removed the offending command from the boot.ini and it booted up fine.

If anyone can offer any more info on this I would be grateful.


If you are using a CPU with HyperThreading, setup installs a different kernel than the default one.

If anyone can offer any more info on this I would be grateful.

There are actually 4 versions of the kernel:

ntoskrnl.exe - Uniprocessor x86 architecture systems with 4 GB of physical memory or less.

ntkrnlpa.exe - Uniprocessor x86 architecture systems with PAE support.

ntkrnlmp.exe - Multiprocessor x86 architecture systems with 4 GB of physical memory or less.

ntkrpamp.exe - Multiprocessor x86 architecture systems with PAE support.


Thanks Klaassh.

Does it switch to the PAE supported version if you go above 4 GB? (not that most of us have to worry about that :) )

I haven't got 4 GB to test with, but I would say it would be automatic, like the multiprocessor one is in our case (hyperthreaded anyway).


btw, if you turn on logging in some resource editors, or use the scripting function of Resource Hacker, you are able to reproduce your hacks in a few seconds on new files.. as I have said several times, take a look at this and this site if you are interested in resource hacking/editing..

maybe this was half off-topic =)


@gosh

I seem to have nothing but problems when using your method listed above. Perhaps I'm just retarded or possibly slightly mentally handicapped, but I tried it, and it simply doesn't work.

When I add these lines to the GuiRunOnce section of my winnt.sif file:

bootcfg /RAW /A /Kernel=OEMKrnl.exe /ID 1

bootcfg /Timeout 0

The CD won't boot, telling me there is an error on these two lines.

If I rem these two lines out, it boots fine.

Your suggestions on the matter would be appreciated.
