Initial Register values

Thanks for the tip with _BaseProcessStart@4.
So the very top level of the stack is the original EBP. I'll have a look at it.
I found out that ebx originally points to the PEB (Process Environment Block). Its address is fixed at 0x7ffdf000 (it can be verified by getting fs:[0x30])
Found some stuff here (Something non-european):
hxxp://www.nsfocus.net/index.php?act=magazine&do=view&mid=2002

Why is 0x00010000 added to the initial stack frame??? Is it for checking Stack overflows?

Edit: The initial value of ebp seems to be zero, since it is the first value stored on the stack by _BaseProcessStart@4 is ebp.
My startup code looks like this:

Code:

$ ==>    > . 55             PUSH EBP                                 ;  Main entrypoint
$+1      > . 8BEC           MOV EBP,ESP
$+3      > . 6A FF          PUSH -1
$+5      > . 68 001BE877    PUSH KERNEL32.77E81B00
$+A      > . 68 97E5E777    PUSH KERNEL32.77E7E597                   ;  SE handler installation
$+F      > . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
$+15     > . 50             PUSH EAX
$+16     > . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
$+1D     > . 51             PUSH ECX
$+1E     > . 51             PUSH ECX
$+1F     > . 51             PUSH ECX
$+20     > . 53             PUSH EBX
$+21     > . 56             PUSH ESI
$+22     > . 57             PUSH EDI
$+23     > . 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP
$+26     > . 8365 FC 00     AND DWORD PTR SS:[EBP-4],0
$+2A     > . 6A 04          PUSH 4
$+2C     > . 8D45 08        LEA EAX,DWORD PTR SS:[EBP+8]
$+2F     > . 50             PUSH EAX
$+30     > . 6A 09          PUSH 9
$+32     > . 6A FE          PUSH -2
$+34     > . FF15 4C13E777  CALL DWORD PTR DS:[<&NTDLL.NtSetInformat>;  ntdll.ZwSetInformationThread
$+3A     > . FF55 08        CALL DWORD PTR SS:[EBP+8]
$+3D     > . E9 365B0200    JMP KERNEL32.77EA7631

regards
PHaX