  #3  
06-10-2004, 10:34
ionescu007
 
On XP,

EAX should be 0, because it'll be the return value of one of the APIs that the PE Loader calls (NtSetInformation, I think).

EBX will be the value at fs:30h, which is the program's PEB.

EDX should be KiFastSystemRet, usually, since the PE Loader API that got called ended up going through that call.

EDI/ESI should not be assumed to be anything valid.

Best regards,
Alex Ionescu
Relsoft Technologies
http://www.relsoft.net