Quick post, for my own reference, and also for whoever may happen to wonder about NULL or 0 thread creation times in Windows. So, while instrumenting the Windows kernel, it quickly became clear that some threads had a creation time of 0.
System idle process (PID 0)
Windows has a “System Idle Process” (PID 0). For a system with n logical cores, Windows will spawn n idle threads. These threads have no creation time, and TIDs from 0 to n-1.
System process (PID 4)
The “System” process (PID 4) creates a number of other threads. Its main thread also has no creation time, and has a TID of n.
These processes and threads are not object manager processes and threads. They are statically allocated and used to bootstrap the system (according to the Windows Internals book).
All other threads will have a valid thread creation time.
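As an added example (not code from the original post or from Windows Internals), the rule above can be turned into a triage filter for thread records collected by kernel instrumentation or from a memory image, so that the expected zero creation times are separated from any others. The record layout, label names and sample values are constructed for illustration, and the creation time is assumed to be a 64-bit FILETIME-style count of 100 ns ticks since 1601-01-01 UTC.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
IDLE_PID, SYSTEM_PID = 0, 4  # PIDs named in the post


def filetime_to_utc(ft):
    """Convert 100 ns ticks since 1601-01-01 UTC; 0 means 'no creation time'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def classify(pid, tid, create_time, n_cores):
    """Label one thread record using the rule described in the post."""
    if create_time != 0:
        return "ok"
    # Idle threads: one per logical core, TIDs 0..n-1, no creation time.
    if pid == IDLE_PID and 0 <= tid < n_cores:
        return "expected-idle"
    # Main thread of the System process: TID n, no creation time.
    if pid == SYSTEM_PID and tid == n_cores:
        return "expected-system-main"
    # Anything else with a zero creation time does not fit the rule.
    return "anomalous-zero"


def triage(records, n_cores):
    """Return (pid, tid, label, created_utc) for each (pid, tid, create_time)."""
    return [(p, t, classify(p, t, c, n_cores), filetime_to_utc(c))
            for p, t, c in records]


# Constructed sample for a system with 4 logical cores (hypothetical values).
SAMPLE = [
    (0, 0, 0), (0, 1, 0), (0, 2, 0), (0, 3, 0),   # idle threads
    (4, 4, 0),                                     # System main thread
    (4, 12, 133_500_000_000_000_000),              # ordinary System thread
    (1337, 2048, 0),                               # zero time outside the rule
]

if __name__ == "__main__":
    for pid, tid, label, created in triage(SAMPLE, n_cores=4):
        print(f"pid={pid:<5} tid={tid:<5} {label:<22} {created}")
```

A record labelled anomalous-zero is only a prompt to look closer at how that thread structure was obtained; the post's rule says nothing about its cause.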
More info about the Idle process (from Windows Internals 6th Edition Part 1)
This occurs because the idle process has no user-mode address space and its threads execute no user-mode code, so they have no need of the various data needed to manage a user-mode environment. Also, the idle process is not an object-manager process object, and its idle threads are not object-manager thread objects.
Instead, the initial idle thread and idle process structures are statically allocated and used to bootstrap the system before the process manager and the object manager are initialized. Subsequent idle thread structures are allocated dynamically (as simple allocations from nonpaged pool, bypassing the object manager) as additional processors are brought online.
Once process management initializes, it uses the special variable PsIdleProcess to refer to the idle process.