Comment by codedokode
7 years ago
I tried googling for KiInitializeContextThread and there are a lot of search results for this name. For example, a presentation in Chinese dated 2005 describes process creation and mentions this function: [1]
The sequence of events that happens inside KeInitThread() can be obtained from reverse engineering. If you compare the code of this function in WRK [2] and in the ReactOS [3] code, you'll see that while they do similar things, the code is not the same.
Regarding NpxFrame, I don't know why this name is used in KiExitV86Mode, but if you compare the KiInitializeContextThread functions in WRK and in ReactOS, you'll see that in WRK the variable is named NpxFrame [4], and in ReactOS a similar variable is named FxSaveArea (which matches the structure FX_SAVE_AREA). The variable named NpxFrame in ReactOS is used in another function, KiExitV86Mode.
[1] https://slideplayer.com/slide/6561298/
[2] https://github.com/Zer0Mem0ry/ntoskrnl/blob/master/Ke/thredo...
[3] https://github.com/reactos/reactos/blob/master/ntoskrnl/ke/t...
[4] https://github.com/Zer0Mem0ry/ntoskrnl/blob/a1eded2d8efb0716...
[5] https://github.com/reactos/reactos/blob/893a3c9d030fd8b078cb...