I've stumbled accross some code which reads a dword at memory location 
0x7ffe000, which causes the program to crash and the wine debugger to start.

After some investigation, it seems that reading the memory location 
0x7ffe0000 should return KeTickCount.LowPart to the user process. Has anyone 
ever heard about that ? I was wondering if it was a native windows NT 
behaviour, or if it was done by a special kernel-space exception handler 
installed by the program.
What program uses that code? Does it change the behaviour if run with
-winver win98 or similar?
The DLL which does that is drvmgt.dll, from SafeDisc copy protection. It came with a driver (secdrv.sys) which returns, among other things, KeTickCount.LowPart to userland, and that value seems to be compared at a later time with *(LPDWORD)0x7ffe0000.

I can't tell if the behaviour is the same with -winver win98, as the program crashes quite early with that option when trying to execute ring 0 code. Anyway I expect that -winver win95 and -winver win98 won't try to read *(LPDWORD)0x7ffe0000 because drvmgt.dll and secdrv.sys seem to be used to detect if a debugger is running (by inspecting the IDT and the debug register DB1 and DB7), and that detection if performed from userspace under windows 95 and 98.

Laurent Pinchart