Why doesn’t my lock screen image change after I replace the image file?

A customer was using the group policy “Force a specific default lock screen and logon image” to set the lock screen image to their company’s logo, pointing it to a path on the local computer. The company recently redesigned their logo, and they updated the image file on the computer, but the lock screen continued to show the old image. The customer wanted to know how to get the image to update.

When the lock screen image is set, the system uses a low-privilege process to decode the image. That way, if someone passes an image that exploits a previously-unknown defect in the image processing library, only a low-privilege process is compromised. The result is then re-encoded and saved in a protected location.

It is this sanitized version of the image that is used on the lock screen and logon screen. This avoids the problems that could occur if an untrusted image were decoded by a high-privilege process.

When you select an image to use as your lock screen image, the system takes a snapshot of that image, and it is the snapshot that is used on the lock screen. Any changes to the original image are ignored. You could even delete the original.

If you want to update the image, you need to go through the process of setting it. You can’t just smash the file that you specified as the lock screen image; the system doesn’t care about that file once it has been captured.

In the case of group policy, there’s another wrinkle: If you choose to deploy a new image and it has the same name as the old image, then the new file must have a timestamp newer than the timestamp of the old file, so that the code realizes that it needs to go sanitize the new image. Easier is to just give the new file a new name.