A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #13266  by everdox
 Wed May 16, 2012 10:53 pm
I have personally done this before, but my only purpose was monitoring the system services used, so I hooked cpusimulate().

My thoughts are that it's great for analysis for several reasons:

a. You don't have to go through the trouble of writing a driver to achieve the same results.

b. It is a method of monitoring manual system service invocations (which are common in malware and anti-debug schemes).

c. A few others I can't think of right now :D

The negative side of things:

a. Not portable, obviously.

b. If the author of the software were so inclined, they could just jmp or iret out of the WoW64 thunk layer and build a 64-bit stack manually, thus bypassing all of your hooks.
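Negative point b above is the well-known WoW64 "Heaven's Gate" trick, and it is also the most direct form of the "manual system service invocation" mentioned under positive point b. The listing below is an added example written for this page, not code from everdox or from the forum: a 32-bit routine that leaves compatibility mode with a far return through selector 0x33 (the same transfer a far jmp or iret would make), issues the system call with the native `syscall` instruction, and comes back through selector 0x23. Nothing on that path goes through fs:[0xC0] or wow64cpu, so a hook on cpusimulate() or on the thunk never sees the service. The function name `wow64_direct_syscall`, its cdecl prototype, and the assumption that the caller has already resolved the 64-bit ntdll system service number (which differs from the 32-bit one and changes between Windows builds) are mine; resolving that number is not shown.

```nasm
; wow64_gate.asm  (added example; assemble with: nasm -f win32 wow64_gate.asm)
; Link into a 32-bit (WoW64) executable.  C prototype (cdecl):
;   unsigned int wow64_direct_syscall(unsigned int ssn64,
;                                     unsigned int a1, unsigned int a2,
;                                     unsigned int a3, unsigned int a4);
; ssn64 is the system service number of the *64-bit* ntdll.  Assumption: the
; caller resolves it (e.g. from the 64-bit ntdll's NtXxx stubs); not shown.
; Up to four arguments are supported, which is all the x64 syscall
; convention passes in registers.

bits 32
section .text
global _wow64_direct_syscall

_wow64_direct_syscall:
    push ebp
    mov  ebp, esp
    push ebx                    ; cdecl callee-saved; untouched below, kept tidy
    push esi
    push edi

    ; Far return through selector 0x33 (the 64-bit code segment).  The CPU
    ; leaves compatibility mode without touching fs:[0xC0], so no hook on
    ; the WoW64 thunk or on wow64cpu ever sees what follows.
    push 0x33
    push dword gate64
    retf

bits 64
gate64:
    ; Native 64-bit code from here on.  The 32-bit stack is reused as-is
    ; (it lives below 4 GiB).  The upper halves of GPRs are architecturally
    ; undefined in 32-bit modes, so re-zero the two we depend on first.
    mov  esp, esp               ; zero-extends rsp
    mov  ebp, ebp               ; zero-extends rbp
    ; r12-r15 are deliberately left alone: wow64cpu keeps per-thread state
    ; in them and expects it intact when the thread next takes the normal
    ; thunk path.
    mov  eax,  [rbp+8]          ; ssn64
    mov  r10d, [rbp+12]         ; a1 (the kernel takes arg 1 from r10)
    mov  edx,  [rbp+16]         ; a2
    mov  r8d,  [rbp+20]         ; a3
    mov  r9d,  [rbp+24]         ; a4
    ; Dword writes zero-extend, which is right for pointers and ordinary
    ; handles; a pseudo-handle such as (HANDLE)-1 would need sign extension,
    ; which this generic gate does not do.
    syscall                     ; direct native system call; clobbers rcx, r11
                                ; eax now holds the NTSTATUS

    ; Far return through selector 0x23 (32-bit code segment) back to
    ; compatibility mode.  retf with a 32-bit operand size pops a dword
    ; offset then a dword selector, so build that pair by hand.
    sub  rsp, 8
    mov  dword [rsp],   back32
    mov  dword [rsp+4], 0x23
    retf

bits 32
back32:
    pop  edi
    pop  esi
    pop  ebx
    pop  ebp
    ret                         ; eax still holds the NTSTATUS
```

Link the object with a 32-bit C caller and pass it a 64-bit ntdll service number and up to four arguments; the return value is the NTSTATUS the kernel produced. A monitor that only instruments the WoW64 thunk layer records nothing for this call, which is exactly the limitation the post describes.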