Windows seems to dereference lpStartupInfo->lpAttributeList, despite it being NULL since we had no attributes to set. Smells like a Windows bug in the compatibility shim, since it doesn't crash in non compatibility mode.

Not setting EXTENDED_STARTUPINFO_PRESENT when lpStartupInfo->lpAttributeList is NULL will fix this. Not sure about lpStartupInfo->cb, I think Windows only checks it's large enough.

Also attached is a crash dump with symbols and used source revision of a reproduction of this.

Stack Trace:
00 00fee690 5ad47c1c AcLayers!NS_ElevateCreateProcess::APIHook_CreateProcessW+0x110
01 00fee740 5ad45f79 python38_d!_winapi_CreateProcess_impl+0x15c [cpython\modules\_winapi.c @ 1046]
02 00fee798 5ad78e75 python38_d!_winapi_CreateProcess+0x79 [cpython\modules\clinic\_winapi.c.h @ 326]
03 00fee7f8 5ad77b64 python38_d!_PyMethodDef_RawFastCallKeywords+0x245 [cpython\objects\call.c @ 651]
04 00fee81c 5aed8f9f python38_d!_PyCFunction_FastCallKeywords+0x84 [cpython\objects\call.c @ 730]
05 00fee854 5aee038f python38_d!call_function+0x15f [cpython\python\ceval.c @ 4532]
06 00fee8f4 5ad7b336 python38_d!_PyEval_EvalFrameDefault+0x59bf [cpython\python\ceval.c @ 3128]
07 00fee92c 5ad77ce4 python38_d!function_code_fastcall+0xe6 [cpython\objects\call.c @ 283]
08 00fee994 5ad79be7 python38_d!_PyFunction_FastCallDict+0x134 [cpython\objects\call.c @ 322]
09 00fee9d8 5ad79aa6 python38_d!_PyObject_FastCallDict+0xc7 [cpython\objects\call.c @ 98]
0a 00feea14 5ae0b8f7 python38_d!_PyObject_Call_Prepend+0xf6 [cpython\objects\call.c @ 904]
0b 00feea50 5ae10a97 python38_d!slot_tp_init+0x47 [cpython\objects\typeobject.c @ 6597]
0c 00feea74 5ad7a28e python38_d!type_call+0x187 [cpython\objects\typeobject.c @ 949]
0d 00feeae0 5aed91d1 python38_d!_PyObject_FastCallKeywords+0x37e [cpython\objects\call.c @ 199]
0e 00feeb18 5aedc95b python38_d!call_function+0x391 [cpython\python\ceval.c @ 4576]