Modifying system files
A lot of items you see within the GUI (Graphical User Interface) of Windows are stored as separate items in executables (.exe, .dll, .ocx). As such you could replace them with your own items (bitmaps, icons or cursors). It's also possible to edit some other items, like menu names. It's fairly simple, but there are a couple of things to consider. For a growing list of confirmed mods, check here. Also, check out the growing list of tutorials at WinT's.
Please be sure to back up the original file before exchanging anything. When dealing with system files, put the backup somewhere easily remembered. It's possible you can't get into Windows when something went wrong and you need to recover in DOS (see below). Stick with short filenames, 8.3 format (8 characters before the dot max, 3 behind) to avoid confusion there.
Resource editors
Formerly the best known, and very sophisticated, is Restorator, by Florian Bömers. It lets you view, extract, edit & exchange almost anything. You can also create 'respatchers', executables that will perform the action you set up on itself, so they're "publishable". It's shareware though, and very expensive.
The freeware alternative is Resource Hacker. Angus Johnson gave his app almost all functions mentioned above, very useful. Also it's easier to exchange images with ones that have a higher resolution (see below). Recommended, powerful, a favorite.
While Angus Johnson declared he was unlikely to continue development of RH, he pointed out PE Resource Editor. Free, source available, and above all adding some advanced options to the spectrum, image editing being one. Easy adding/changing of controls, lots more, great tool! If it doesn't run straight out of the box, you're probably missing these two Delphi runtime files (767 kB); copy them to your system directory.
A shareware resource editor (very reasonable price), that can handle 16-bit files too, is eXeScope, made by Emysoft. It has some interesting and easy options to change the look and behavior of dialogs too!
Another shareware resource editor ($99), for 32-bit files, is PE Explorer (Win 9x/2k). We're talking about a real professional tool here (!), loads of options we don't even come close to understanding :)... but the pure "resource editing" component is now available as "Resource Tuner". Still to be considered an advanced, and thus not completely user-friendly, tool ($24.95, all Windows).
A recent, free resource editor is made by TGTsoft:
"With ResBuilder, skin/logon/shellstyle designers have a simple way to alter alpha mask bitmaps in a resource file. ResBuilder auto-converts 32 bit BMPs to PNGs and back so you can edit the 8 bit alpha mask in your favorite editor. Good for LogonUI.EXE files. Also has a text and hex editor."
What is particularly interesting also, is that it properly reads and lets you edit .xml, .ini and the like, embedded in executables (that includes those .msstyles files!). Some other resource editors tend to show this information in hex, making it hard to edit. So this is a welcome addition.
Hex editors
Some menu items, like the startmenu names in explorer.exe, can also be edited with a HEX editor, though this is much more complicated... Want to exercise some HEX editing skills? Try these free editors, XVI32 and frhed, but don't start with explorer.exe...
File Exchangers
CopyLock (Win 9x/2k, free) "is a small program that allows the replacement of one or many files that are currently in use (...) Add the files to update, click Copy, restart and that's it!"
Replacer (Win 2k/XP, free) by undefined, one of our messageboard regulars, will replace system files for Windows 2k and XP with a simple drag and drop interaction.
ReplaceIt (Win 2k/XP, free) is another command prompt exchanger app, made by this-is-me. More info can be found on this msgboard topic.
Other
Something interesting too, is ResThief. Drop an executable on it and it will create a directory with all resources inside the file.
Really useful for locating that icon you want to replace is, as kendo pointed out, SmartView. Fast scanner of whole directories!
16-bit/32-bit files
With the mentioned resource editors you can edit resources inside 32-bit applications. There are still some 16-bit executables, even in Windows 9x, like user.exe (some common icons) and sysdm.cpl (monitor picture on system properties tab). The only editor handling those is eXeScope.
For icons, you can also use some of the icon utility suites, here, with a librarian and an editor inside. The hex editors can handle these files too, so they might help with replacing some string.
Editing (basic)
For the most common mods (replacement of a bitmap/icon), just extract the file first, and open it in your default program for editing this kind of resource. For bitmaps you've got at least MS Paint, which will do. But pre-installed computers, scanners and graphic cards often come with more advanced tools, so check around. For icons, there's some shareware, but also increasingly advanced freeware tools to do the editing.
Note sizes, palette, color for transparency (if used) and placement of items to use, and start creating your replacement (or just edit the original).
Editing (advanced)
There's bitmaps inside system files that require some study before building your replacement:
- Often used for transparency is magenta (rgb 255 0 255), but sometimes it's defined by the color of a specific pixel on the canvas. Usually that's one of the corner pixels.
- You could encounter bitmaps containing several buttons/bitmaps for different functions. Toolbar buttons, for example, are often contained in what's called a "bitstrip". Find some rules on borders and behaviour. Note there's sometimes a second version of the strip for the buttons when hovered, etc. In other words, explore the resource, gain some understanding first.
Editing (advanced, XP)
XP adds some images inside files with an alphablending-like behaviour (IE and explorer toolbars etc). That means these bitmaps are 32 bits per pixel: 24 bits for full colors, plus 8 bits for an alpha channel defining transparency regions. As opposed to bitmaps that are 24 bit or less, most editors (or at least free ones) don't support 32bit bitmaps, making them harder to edit.
To complicate things more, the files responsible show up and are extracted as plain 24-bit .bmp's by the resource editors. But to solve this, all we have to do is:
- Make a 24bit version of the bitmap you want to use (include a "mask" color that represents the background color, usually magenta (rgb 255 0 255)).
- Turn it into a 32bit using this 24 to 32 bit converter.
Note: Two versions here: one takes your 24bit bitmap and turns one color (the "mask" color I was talking about) to transparent, leaving the others opaque. The other "combines" the 24bit bitmap with another bitmap that contains the transparency information as shades of gray (black being fully transparent and white being fully opaque).
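The first variant of that conversion (one mask color becomes transparent, everything else stays opaque), written out as an added Python example; it is not the code of the linked converter. It assumes an uncompressed 24-bit .bmp with a standard 40-byte info header, and the function names and the 2x2 sample image are made up for the illustration.

```python
import struct

MAGENTA = (255, 0, 255)  # the usual mask color (R, G, B)

def bmp24_to_bmp32(data, mask_rgb=MAGENTA):
    """Return a 32-bit BMP in which every mask_rgb pixel is fully transparent."""
    if data[:2] != b"BM":
        raise ValueError("not a .bmp file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    hdr_size, width, height, _planes, bpp, compression = struct.unpack_from(
        "<IiiHHI", data, 14)
    if hdr_size < 40 or bpp != 24 or compression != 0 or width <= 0:
        raise ValueError("expected an uncompressed 24-bit bitmap")
    stride = (width * 3 + 3) & ~3          # 24-bit rows are padded to 4 bytes
    mask_bgr = bytes(reversed(mask_rgb))   # pixels are stored as B, G, R
    out = bytearray()
    for y in range(abs(height)):           # row order is kept as it was
        start = pixel_offset + y * stride
        row = data[start:start + width * 3]
        if len(row) != width * 3:
            raise ValueError("pixel data is truncated")
        for x in range(0, len(row), 3):
            bgr = row[x:x + 3]
            if bgr == mask_bgr:
                # alpha 0; color zeroed as well, which is safe for renderers
                # that expect premultiplied alpha
                out += b"\x00\x00\x00\x00"
            else:
                out += bgr + b"\xff"       # alpha 255 = opaque
    # 32-bit rows need no padding: 4 bytes per pixel is always aligned.
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0,
                       len(out), 0, 0, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(out), 0, 0, 54)
    return file_hdr + info + bytes(out)

def make_sample_bmp24():
    """Constructed 2x2 test image: magenta, red / white, magenta."""
    rows = [b"\xff\x00\xff" + b"\x00\x00\xff",
            b"\xff\xff\xff" + b"\xff\x00\xff"]
    pixels = b"".join(r + b"\x00\x00" for r in rows)  # pad 6 -> 8 bytes
    info = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0,
                       len(pixels), 0, 0, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54) + info + pixels

if __name__ == "__main__":
    converted = bmp24_to_bmp32(make_sample_bmp24())
    print(len(converted), "bytes,", converted[28], "bits per pixel")
```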
Here's another workaround:
- First, load the extracted bitmaps in the image editor of your choice. Save them right after that as .png (a format capable of displaying 32-bit images, 24-bit for full colors, adding 8-bit to have an alpha channel defining transparency regions).
- Second, figure out how to create/manipulate the transparency layer in your editor, and save it.
- Finally, open in MS Paint and save as .bmp. Bitmap will still be 32-bit. Somehow, this doesn't work with every tool. Tools like Irfanview just assume a .bmp can only be 24-bit and save as such, which is understood. But there's other tools that save as 32-bit, but the images produced still render the files they're placed in broken (so backup)...
Any image (icon/bitmap) comes with a certain color palette (and size). Restorator doesn't always allow changing that (at least with icons), Resource Hacker and eXeScope let you do it. But there's a risk that the application won't allow it, or that the system checks file size or something. Like Outlook Express 5, when originally displaying 16 colors (like folders in the upperleft pane), will display a bitmap with 256 colors, but still, with only 16 colors. Or Netscape, old versions, which check the colordepth and size of its splash screen...
What's more, you could encounter problems if you don't use the exact same colors the original image used. Example: for the replacement of the toolbar buttons in OE5, if you create a new image, also 256 colors, but the colors differ a bit, the result is the buttons get messed up (though they work fine)...
What always works (<XP): extract the image first, edit without changing the palette, then exchange.
If that's not your style :), some clues:
- For icons/cursors it seems mostly possible to change colordepth.
- To increase your chances, stick with a common 256-color palette, it suits, mostly. Maybe you can load the system palette in your graphics app, maybe the application you're trying to edit (the 16 color images from) has some bitmaps inside (too) with a palette you could extract and use.
- If an increase from 16 to 256 colors or more doesn't work, applying your own 16 color palette míght work.
Notable examples are the 2k bootscreen, monitor on the system properties tab and minesweeper (ha!).
Besides the resources you can find in the regular "bitmap", "dialog" etc sections of executables, there's an increasing amount of GUI items stored as html: html pages, bitmaps it uses, xml scripts and more, in separate sections. Like the IE "about" screen (courtesy: byblos), which is contained in shdoclc.dll, in the "23" section (there's also the "2110" section, holding those "friendly HTTP error message pages"). Editing in these sections is a bit different:
- Html pages and scripts are best handled with Resource Hacker. It shows them in a proper format, editing is easy. When done, hit the "compile script" button and you're done.
- Replacing the supporting .gif/.jpg files is rather complicated with Resource Hacker (because these bitmaps are mostly not in the regular bitmap section, and thus are missed by the "replace bitmap" dialog). But it's easy with eXeScope, just hit the "import" button. ResBuilder handles it well, too.
- Note that when a .gif is used, you can replace with an animated one!
If the application you're changing is not part of Windows/IE and not loaded into memory, you can save as such. Otherwise you might shut it down, then save. Real system files (and with IE installed there's lots more...) need to be replaced in DOS (9x), so you've got to save under a different name. Then restart in DOS and type:
copy c:\windows\system\xxxx_new.dll c:\windows\system\xxxx_org.dll
Change the paths to match your own files and don't forget the space in between. Confirm (hit enter) and type "win" or "exit" to restart Windows.
Other options:
Very smart, in 98, you can use the system file checker to fool the system. Carl Soard tells us - and yes, it works - to just save an edited file, same name, different directory, and use the system file checker to replace it. Just type "sfc" in a run box, select the file and the directory you want it in, and you're set (well, it will need a restart too). Nifty, and thanks Carl.
Red, one of our messageboard regulars, noted a couple of interesting ideas. One is to use a shell changer and use a shell other than explorer.exe to replace explorer.exe and files that might be related to its usage. The other is writing commands in autoexec.bat to automate the file changing process, and possibly do multiple file exchanges at once. Very nice ideas Red!
Also check some tools to automate replacing.
Within Me "system restore" is introduced. There was the "system file checker" before Me, that let you manually check system files; now sfc.exe is no longer a standalone executable, but updates its restore files with every restart. Note it shouldn't be in your way: your mods get backed up too. But should you want to disable it (because a virus got into the restore folders on each drive, for example), rightclick My computer, go to properties. Check the performance tab, click the file system button. Then, at the troubleshooting tab there's a "disable System Restore" option. Check this, click OK there and once again, and click yes when asked to restart.
If you need to get into DOS to replace files, use the Me bootdisk. When asked how to start up, hit SHIFT + F5 and you'll have a command prompt.
Within 2000 you may find a hack won't work, or just for a couple of seconds... the original file is restored almost immediately. The "System File Checker" is optimized and can be disabled by adding/editing a Dword value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon called "SFCDisable" and setting it to "ffffff9d" (no quotes).
Other options here are:
"0" = enabled (default);
"1" = disabled, prompt at boot to re-enable;
"2" = disabled at next boot only, no prompt to re-enable;
"3" = undocumented, enabled, performing a setup test (?);
"4" = enabled, with popups disabled.
Setting it to "2" is the best option if you want to do some one-time replacements, SFC will be in place afterwards.
For the exchange, you also may restart, pressing F8 and boot in safe mode - it lets you replace system files. Or if you're dual booting, use another OS (only works if the partition is fat/fat32).
Easiest is doing it from within 2k. For that, open a command prompt window, close everything else, then hit ctrl-alt-del. This will open the task manager, use it to shut down explorer.exe. Switch to the command prompt, replace your file (same syntax as above) and close it. Use the task manager to relaunch explorer.exe and you're done.
Another option is using inuse.exe, a utility to replace files in use (with a restart). Provided with the 2k resourcekit.
Or you could boot with your install cd, run the "recovery console" and replace from there; requires some command line knowledge again ;).
Notes/troubleshooting:
If you still find the original file being restored, or get errors, be aware some older versions of the resource editors mentioned don't update the "checksum" (sure...) of the file properly, so be sure to use a recent version. Our scope is limited, but we do know for sure Angus Johnson from Resource Hacker has been keeping up with some communities involved, so that will be our final answer to most issues :).
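The checksum in question is the CheckSum field in the PE optional header. As an added example (not part of the original page, nor code from any of the editors mentioned), this Python code recomputes it so an edited file can be checked before it is swapped in; the function names and the small constructed sample image are assumptions for illustration.

```python
import struct

def pe_checksums(data):
    """Return (stored, computed) values of the PE optional-header CheckSum."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    # 4-byte signature + 20-byte file header + 64 bytes into the optional
    # header (same position for 32-bit and 64-bit images).
    field = e_lfanew + 4 + 20 + 64
    if field + 4 > len(data):
        raise ValueError("file too short")
    stored = struct.unpack_from("<I", data, field)[0]
    buf = bytearray(data)
    buf[field:field + 4] = b"\x00\x00\x00\x00"    # the field itself is not summed
    if len(buf) % 2:
        buf.append(0)                              # pad to whole 16-bit words
    total = sum(w for (w,) in struct.iter_unpack("<H", bytes(buf)))
    while total >> 16:                             # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return stored, (total + len(data)) & 0xFFFFFFFF

def checksum_ok(data):
    """True when the stored CheckSum matches the file contents."""
    stored, computed = pe_checksums(data)
    return stored == computed

def make_sample_pe():
    """Constructed 256-byte buffer holding only the fields the check reads."""
    img = bytearray(256)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)        # e_lfanew
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<I", img, 0x40 + 88, pe_checksums(bytes(img))[1])
    return bytes(img)

if __name__ == "__main__":
    good = make_sample_pe()
    edited = bytearray(good)
    edited[200] = 1                                # stand-in for a resource edit
    print(checksum_ok(good), checksum_ok(bytes(edited)))
```

For a real file, pass in the bytes read with open(path, "rb").read(); a mismatch after editing means the editor did not rewrite the field.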
With servicepack 2 installed, you're not able to disable the System File Checker anymore (still, replacing in safe mode is reported to work, mostly). You may need to place your edited file at the places where the system takes its backup file from too. You're probably done by doing that only here:
\winnt\system32\dllcache
Only when not working, some more directories:
\winnt\driver cache
\winnt\driver cache\i386\driver.cab
\winnt\driver cache\i386\sp1.cab
\winnt\driver cache\i386\sp2.cab
\winnt\servicepackfiles\i386\
Replacing, if it's a key system file, can often be done in safe mode. If the file is loaded even then, restarting with just a command line, or inserting the 2k installation disk and choosing to start up with the 'recovery console' (thanks, Basuro :), gives options to replace.
Another option is a modification of sfc.dll (system32 directory) with a hex editor. At offset 6211/6212 you should see '8B C6'. Only if they are there, change to '90 90'. The registry setting above will work again (as found by Jeremy Collake).
Within XP system restore is optimized again - safe, but editing your system isn't getting easier. Read the bit on 2k, that might help. Some additional comments:
- Rightclick My computer, go to properties. Click the "System Restore" tab, there you can "disable" it. Note the quotes, still a nagscreen pops up, telling you to insert your install disk... click no and/or cancel a couple of times.
- Additionally, or to keep the restore function in place, just not for files you specify, find \windows\system32\restore\filelist.xml. When opened you'll find it easy to add files, directories and/or extensions to the <Exclude> sections. Same idea, nagscreen keeps popping up.
- The registry key mentioned above is there, by default, but the "ffffff9d" value isn't working, like with 2k/sp2.
Offsets as mentioned for sfc.dll are not there either. Instead (source, Jeremy Collake, again), find sfc_os.dll, offset 0E2B8/0E2B9, and change "8B C6" to "90 90", again. No nags anymore. SP1 installed, it's now at offset 0E3BB/0E3BC.
- The hex edit won't restore the other options for the SFCDisable value; that is, we've seen no effect. Then why is the value there by default ?!
A simple alternative
It's known you can't delete system files that are being used by Windows. But that doesn't mean you can't rename them. By renaming the currently used file, Windows will use that renamed file. This allows us to place the edited copy with the original file's name into the folder without any conflict. After reboot Windows will use the edited copy which has the proper file name and extension. That's the trick, now let's break the steps down.
As always, do the first thing mentioned on this page: back up! Copy and paste the original file into a folder for safe keeping. Never edit or resource hack the backup file. Instead make another copy in a different folder and edit that copy.
Make sure you have these settings:
Go to Control Panel>System>System Restore tab: check 'Turn off System Restore'.
On Explorer window's menu, select Tools>Folder Options>View tab: check 'Show hidden files'.
In the same dialog, find and un-check 'Hide protected operating system files'.
File swapping:
1. Using an explorer window (or two), copy and paste the edited file into:
%windir%\system32\dllcache.
2. Find the actual system file to be replaced, and rename it with a different file extension.
3. Quickly paste the edited file into the folder (already copied into clipboard from step 1).
4. If and when the system restore warning asks to insert Windows XP CD etc, click Cancel.
Then click Yes on the following confirmation pop-up.
5. Reboot.
If the file was reshacked properly, everything should work as planned and now would be a good time to delete those renamed files in the Windows folders. If not, you might be stuck out of Windows.
Notes/troubleshooting:
When the rename/exchange is done with a command prompt on XP, it corrupts the edited file. The nasty surprise comes after reboot, when Windows personally tells you that the file you just replaced is corrupted. Because of this reaction, avoid using command prompts when doing this renaming method to replace system files.
If you have an NTFS partitioned hard drive, you might not be able to get access to it from an ms-dos boot disk. One way of replacing the file is to take out your boot drive (the drive Windows was installed on) and make it a slave drive on another computer so you can replace the files with the originals.