 Not-yet-initialized process in W2K SP0
========================================
 A not-yet-initialized process (NYIP) is a process that was created with
the CREATE_SUSPENDED flag and has not been resumed yet.
---------------------------------------------------------------------

1) Problems with remote threads
-------------------------------
 Because the NT4 technique applied to an NYIP in W2K can cause problems in
this process, it is better to determine whether the process where I want
to apply hooks is an NYIP and whether I'm running in W2K. If both
conditions are true, then it is better not to use the NT4 technique.
That's why I developed EstablishApiHooksTimeW2K and RemoteExecuteTimeW2K.
They do the following:
 IF [(OS==W2K) && (PID==NYIP)] THEN (use W9X technique)
 ELSE (use NT4Time technique)

 Test in W2K:
 1)  Run MakeNYIP.exe; it creates a suspended TaskMgr.exe process
     and displays a message box.
 2a) Apply hooks to TaskMgr.exe (use the WNT-2K version of AH) ->
     you should get an error after pressing the button on MakeNYIP's
     message box (which resumes the TaskMgr.exe process).
 2b) Apply hooks to TaskMgr.exe (use the current version of AH) ->
     you should get no errors.

 Examples of how this bug manifests:
  TaskMgr crashes
  Notepad can't invoke common dialog box
  Applications can't invoke/show common dialog boxes and controls
  ...
---------------------------------------------------------------------

2) Problems with process initialization (error 0xc0000145 - APP_INIT_FAILURE)
---------------------------------------
 Professional tools such as ListDLLs.exe from www.sysinternals.com also
have problems with NYIPs in W2K. Even the W2K OS itself has problems
with NYIPs: the CreateToolhelp32Snapshot(NYIPpid, SNAP_MODULES) function
causes errors.

 Test in W2K:
 1)  Run MakeNYIP.exe; it creates a suspended TaskMgr.exe process
     and displays a message box.
 2a) Run ListDLLs.exe -> error box; press the button on MakeNYIP's
     message box -> next error.
 2b) Run my TH32list.exe -> error box; press the button on MakeNYIP's
     message box -> next error.

TH32list calls CreateToolhelp32Snapshot(NYIPpid, SNAP_MODULES).
ListDLLs calls RtlQueryProcessDebugInformation(..NYIPhandle..).

The bug path is:
 CreateToolhelp32Snapshot(NYIPpid, SNAP_MODULES) -->
  RtlQueryProcessDebugInformation(..NYIPhandle..) -->
   RtlCreateUserThread(..NYIPhandle..RtlpQueryProcessDebugInformationRemote..) -->
    A remote thread is created which executes code at 
     RtlpQueryProcessDebugInformationRemote (in ntdll.dll in the NYIP).
 The bug appears after entering the "WaitForThread" function and before
 the 1st instruction of the remote thread is executed.

 Examples of how this bug manifests:
 The error message box shows the 0xc0000142 (DLL_INIT_FAILED) error, or
 the 0x80000003 (BREAKPOINT) error if the NYIP was also created in debug
 mode.
---------------------------------------------------------------------

3) Conclusion
-------------
 The source of the bugs above is something bad in (passing control to)
remote threads in an NYIP. I hope it will be fixed in future service packs.