If this is what you are talking about, I have already tried it and it doesn't work.
Well, that was the first thing I tried, but I realized it did not work, and got a BSOD with PROCESS1_INITIALIZATION_FAILED. I'm more positive about patching the kernel to not load hives as volatile, but am still failing. Have tried like 5-6 different places now. Winpeshl.exe has nothing to do with it. I replace it with cmd.exe as specified in the registry key CmdLine. Modifying the MiniNT string in the kernel does not help either, and neither does the removal of the 2 WinPE keys, or even preventing the kernel from writing the MiniNT key under the Control key (if you string replace MiniNT, it will still write the new name instead of MiniNT). I suspect the right way is to force write a 0/1 into the al/bl register at some place, thereby fooling the kernel into thinking non-PE -> non-volatile hives. Just need to figure out exactly where.

Btw, are we sure that the log files are in fact properly flushed (merged to hive) when shutting down with wpeutil.exe/shutdown.exe?

Could also mention that changing the string Control\MiniNT to Control in wpeutil.dll will let you run all the PE utilities (winpeshl, wpeutil, wpeinit) with winpe=off.