Since process handles are the responsibility of the object manager, it is the lowest place and the only place that should report this failure. Rtl code shouldn't make assumptions about what is a valid handle and what is not. If one day a new object manager is created which uses negative handles as correct handles, and the 0 handle as "Current process" handle, then thousands of lines of code would have to be changed. By leaving the responsibility of determining what is and what isn't a valid handle to the object manager itself, this keeps the kernel componentized and mostly independent.
So what you're saying is that the functions in the modules of code which actually do the work should perform the checking. What about this: If a parameter is passed straight through a function to another, no checking should take place, but if any manipulation of the parameters occurs then they should be checked? I think this might be slightly different to your idea, Alex. What does everyone think? I personally think this is the best approach as it requires little, if any, duplicated checking code.
Comments welcome, Martin
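
The layering discussed in this thread, as an added C sketch that is not code from either poster or from the project: only the object manager decides what a valid handle is, a pass-through function checks nothing, and a function that manipulates its own parameters checks only those. All names (`om_lookup`, `rtl_get_object`, `rtl_copy_name`, the status codes and the handle table) are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical status codes and handle type for this sketch. */
typedef long handle_t;
enum { ST_OK = 0, ST_INVALID_HANDLE = -1, ST_INVALID_PARAMETER = -2 };

struct object { const char *name; };

/* Constructed handle table: the object manager alone knows the encoding. */
static struct object table[] = { { "proc-a" }, { "proc-b" } };
#define CURRENT_PROCESS ((handle_t)-1)   /* pseudo-handle, valid by policy */

/* Object manager: the single place that decides what a valid handle is. */
static int om_lookup(handle_t h, struct object **out)
{
    if (h == CURRENT_PROCESS) { *out = &table[0]; return ST_OK; }
    if (h < 1 || (size_t)h > sizeof table / sizeof table[0])
        return ST_INVALID_HANDLE;
    *out = &table[h - 1];
    return ST_OK;
}

/* Pass-through layer: forwards the handle untouched, so it checks nothing
   about it and simply propagates the object manager's verdict. */
static int rtl_get_object(handle_t h, struct object **out)
{
    return om_lookup(h, out);
}

/* This layer manipulates buf/len itself, so it validates those two,
   but still leaves the handle to the object manager. */
static int rtl_copy_name(handle_t h, char *buf, size_t len)
{
    struct object *obj;
    int st;

    if (buf == NULL || len == 0)
        return ST_INVALID_PARAMETER;
    st = rtl_get_object(h, &obj);
    if (st != ST_OK)
        return st;
    if (strlen(obj->name) >= len)
        return ST_INVALID_PARAMETER;
    memcpy(buf, obj->name, strlen(obj->name) + 1);
    return ST_OK;
}

int main(void) { char b[8]; return rtl_copy_name(0, b, sizeof b) == ST_INVALID_HANDLE ? 0 : 1; }
```

Changing the handle encoding (for example making negative values ordinary handles) touches only `om_lookup`; neither caller needs editing.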