And yes, this solution is not a good idea because with the next version of WinPE, the address will be modified.
Just write 100 lines of code in 1 or 2 hours.
I want to make a hard patch to switch the default jump, but explorer.exe can't start up with the change.
00007ff6`01c96a7f 418887f9020000 mov byte ptr [r15+2F9h],al >>>>>>>>>>>>>>>>> we do find the address of the ba
00007ff6`01c96a86 84c0 test al,al
00007ff6`01c96a88 0f851f660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a8e 4138bff8020000 cmp byte ptr [r15+2F8h],dil
00007ff6`01c96a95 0f8512660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::` >>>>>>>>> change jne to je
I will write a little bit of documentation to explain another method of investigation: from a freshly installed W10 in a VM, explain how to modify the essential hives to get a WinPE with "almost" all elements of W10: services, files, keys, and also the elements added by the installation phase of W10 (very important to keep that in mind).
I continue to play with IE11-64bits