05-24-2009, 03:06 PM
Join Date: Mar 2009
Location: Portland, OR
OS: MS-Dos 6.22 - Win7
I'll bet Windows File Protection (WFP) replaced the edited file with a backup copy. They forgot to mention that in the article, and I didn't think of it (or test it first, sorry about that).
If you check the logonui.exe file, you'll see the change is no longer there. You'll also see an entry in the Event Viewer System log with source Windows File Protection.
As of SP2, you can't disable WFP, but the following worked for me:
Copy the original Windows\System32\logonui.exe and rename it logonui-original.exe
Copy Windows\System32\logonui.exe to the Desktop
Edit the logonui.exe file on the desktop and change the 74 to a 75
(In the version 6.0.2900.2180 file that byte is at offset 7BE9)
Make a copy of the modified file named logonui-modified.exe
Copy the modified file to Windows\System32\dllcache
You should be propmpted about replacing the file.
Open Windows\System32 and set your view to Details
Note the Modified date on the logonui.exe file
Copy the modified version to Windows\System32
Refresh the window (Press F5) and check the Modified date again
If it's reverted back to the original, copy the file again (Don't know why, but I had to do it twice before it took)
Reboot, and the "flash" should be gone.
If Windows still keeps replacing the file with the original version, you can Reboot to the Recovery Console, or use a Live CD to replace the file.