Canceling the shutdown dialog crashes explorer

(ntoskrnl\mm\mmfault.c:137) Address: ccccccd8

Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

msgina!UpdateShutdownDesc+0xdb:

001b:7734ae3b 8b510c          mov     edx,dword ptr [ecx+0Ch]

kd> kp

 # ChildEBP RetAddr  

00 0012e7d8 7734a5c6 msgina!UpdateShutdownDesc(struct HWND__ * hDlg = 0x0007007c, struct _SHUTDOWN_DLG_CONTEXT * pContext = 0x0012e834)+0xdb [R:\src\dev\dll\win32\msgina\shutdown.c @ 827] 

01 0012e858 77aa069a msgina!ShutdownDialogProc(struct HWND__ * hDlg = 0x0007007c, unsigned int uMsg = 0x111, unsigned int wParam = 0xa07d1, long lParam = 0n1048798)+0x316 [R:\src\dev\dll\win32\msgina\shutdown.c @ 1141] 

02 0012e888 77a8e9f1 user32!CALL_EXTERN_WNDPROC+0x1a

03 0012e96c 77a91b0e user32!IntCallWindowProcW(int IsAnsiProc = 0n0, <function> * WndProc = 0x7734a2b0, struct _WND * pWnd = 0x00331f28, struct HWND__ * hWnd = 0x0007007c, unsigned int Msg = 0x111, unsigned int wParam = 0xa07d1, long lParam = 0n1048798)+0x681 [R:\src\dev\win32ss\user\user32\windows\message.c @ 1552] 

04 0012e99c 77a73fd8 user32!CallWindowProcW(<function> * lpPrevWndFunc = 0x7734a2b0, struct HWND__ * hWnd = 0x0007007c, unsigned int Msg = 0x111, unsigned int wParam = 0xa07d1, long lParam = 0n1048798)+0xce [R:\src\dev\win32ss\user\user32\windows\message.c @ 1872] 

05 0012e9c8 77aa069a user32!DefDlgProcW(struct HWND__ * hDlg = 0x0007007c, unsigned int Msg = 0x111, unsigned int wParam = 0xa07d1, long lParam = 0n1048798)+0x78 [R:\src\dev\win32ss\user\user32\windows\dialog.c @ 1792] 

06 0012e9f8 77a8e9f1 user32!CALL_EXTERN_WNDPROC+0x1a

07 0012eadc 77a929db user32!IntCallWindowProcW(int IsAnsiProc = 0n0, <function> * WndProc = 0x77a73f60, struct _WND * pWnd = 0x00331f28, struct HWND__ * hWnd = 0x0007007c, unsigned int Msg = 0x111, unsigned int wParam = 0xa07d1, long lParam = 0n1048798)+0x681 [R:\src\dev\win32ss\user\user32\windows\message.c @ 1552] 

08 0012eb10 77a93e4d user32!IntCallMessageProc(struct _WND * Wnd = 0x00331f28, struct HWND__ * hWnd = 0x0007007c, unsigned int Msg = 0x111, unsigned int wParam = 0xa07d1, long lParam = 0n1048798, int Ansi = 0n0)+0x1eb [R:\src\dev\win32ss\user\user32\windows\message.c @ 1798] 

09 0012eb98 7c12af76 user32!SendMessageW(struct HWND__ * Wnd = 0x0007007c, unsigned int Msg = 0x111, unsigned int wParam = 0xa07d1, long lParam = 0n1048798)+0x11d [R:\src\dev\win32ss\user\user32\windows\message.c @ 2403] 

0a 0012ebd4 7c12c551 comctl32!CBRollUp(struct HEADCOMBO * lphc = 0x00178e00, int ok = 0n0, int bButton = 0n1)+0x106 [R:\src\dev\dll\win32\comctl32\combo.c @ 1071] 

0b 0012ebec 7c12d984 comctl32!COMBO_KillFocus(struct HEADCOMBO * lphc = 0x00178e00)+0x31 [R:\src\dev\dll\win32\comctl32\combo.c @ 1169] 

0c 0012eca8 77aa069a comctl32!COMBO_WindowProc(struct HWND__ * hwnd = 0x001000de, unsigned int message = 8, unsigned long wParam = 0x40108, long lParam = 0n0)+0x4e4 [R:\src\dev\dll\win32\comctl32\combo.c @ 1828] 

0d 0012ecd8 77a8e9c6 user32!CALL_EXTERN_WNDPROC+0x1a

0e 0012edbc 77a94630 user32!IntCallWindowProcW(int IsAnsiProc = 0n0, <function> * WndProc = 0x7c12d4a0, struct _WND * pWnd = 0x00331db8, struct HWND__ * hWnd = 0x001000de, unsigned int Msg = 8, unsigned int wParam = 0x40108, long lParam = 0n0)+0x656 [R:\src\dev\win32ss\user\user32\windows\message.c @ 1547] 

0f 0012ee5c 7c9377dc user32!User32CallWindowProcFromKernel(void * Arguments = 0x0012ee74, unsigned long ArgumentLength = 0x20)+0x360 [R:\src\dev\win32ss\user\user32\windows\message.c @ 3005] 

10 0012f054 77aa069a ntdll!KiUserCallbackDispatcher+0x2c

11 0012f084 77a8e9c6 user32!CALL_EXTERN_WNDPROC+0x1a

12 0012f168 77a929db user32!IntCallWindowProcW(int IsAnsiProc = 0n0, <function> * WndProc = 0x7c1280e0, struct _WND * pWnd = 0x00333160, struct HWND__ * hWnd = 0x00040108, unsigned int Msg = 0x201, unsigned int wParam = 1, long lParam = 0n655400)+0x656 [R:\src\dev\win32ss\user\user32\windows\message.c @ 1547] 

13 0012f19c 77a9229b user32!IntCallMessageProc(struct _WND * Wnd = 0x00333160, struct HWND__ * hWnd = 0x00040108, unsigned int Msg = 0x201, unsigned int wParam = 1, long lParam = 0n655400, int Ansi = 0n0)+0x1eb [R:\src\dev\win32ss\user\user32\windows\message.c @ 1798] 

14 0012f200 7734a147 user32!DispatchMessageW(struct tagMSG * lpmsg = 0x0012f228 {msg=0x201 wp=0x1 lp=0xa0028})+0x22b [R:\src\dev\win32ss\user\user32\windows\message.c @ 2046] 

15 0012f29c 77349d73 msgina!ShutdownDialog(struct HWND__ * hwndDlg = 0x000c014a, unsigned long ShutdownOptions = 7, struct GINA_CONTEXT * pgContext = 0x0012f2d0)+0x177 [R:\src\dev\dll\win32\msgina\shutdown.c @ 1260] 

16 0012f934 7b660525 msgina!ShellShutdownDialog(struct HWND__ * hParent = 0x000c014a, wchar_t * lpUsername = 0x00000000 "", int bHideLogoff = 0n0)+0x93 [R:\src\dev\dll\win32\msgina\shutdown.c @ 1380] 

17 0012f984 00420e4c shell32!ExitWindowsDialog(struct HWND__ * hWndOwner = 0x0006009c)+0x175 [R:\src\dev\dll\win32\shell32\dialogs\dialogs.cpp @ 1643] 

18 0012f994 00423ca8 explorer!CTrayWindow::DoExitWindows(void)+0x1c [R:\src\dev\base\shell\explorer\traywnd.cpp @ 417] 

19 0012f9a0 004261d0 explorer!CTrayWindow::OnDoExitWindows(unsigned int uMsg = 0x10, unsigned int wParam = 0, long lParam = 0n0, int * bHandled = 0x0012f9fc)+0x18 [R:\src\dev\base\shell\explorer\traywnd.cpp @ 2809] 

1a 0012fa08 0040fe23 explorer!CTrayWindow::ProcessWindowMessage(struct HWND__ * hWnd = 0x0006009c, unsigned int uMsg = 0x10, unsigned int wParam = 0, long lParam = 0n0, long * lResult = 0x0012fa40, unsigned long dwMsgMapID = 0)+0x760 [R:\src\dev\base\shell\explorer\traywnd.cpp @ 3139] 

1b 0012fa74 77aa069a explorer!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<1442840576,0> >::WindowProc(struct HWND__ * hWnd = 0x0006009c, unsigned int uMsg = 0x10, unsigned int wParam = 0, long lParam = 0n0)+0xa3 [R:\src\dev\sdk\lib\atl\atlwin.h @ 1594] 

1c 0012faa4 77a8e9c6 user32!CALL_EXTERN_WNDPROC+0x1a

1d 0012fb88 77a929db user32!IntCallWindowProcW(int IsAnsiProc = 0n0, <function> * WndProc = 0x003e0000, struct _WND * pWnd = 0x003322b0, struct HWND__ * hWnd = 0x0006009c, unsigned int Msg = 0x10, unsigned int wParam = 0, long lParam = 0n0)+0x656 [R:\src\dev\win32ss\user\user32\windows\message.c @ 1547] 

1e 0012fbbc 77a9229b user32!IntCallMessageProc(struct _WND * Wnd = 0x003322b0, struct HWND__ * hWnd = 0x0006009c, unsigned int Msg = 0x10, unsigned int wParam = 0, long lParam = 0n0, int Ansi = 0n0)+0x1eb [R:\src\dev\win32ss\user\user32\windows\message.c @ 1798] 

1f 0012fc20 004278e5 user32!DispatchMessageW(struct tagMSG * lpmsg = 0x0012fc40 {msg=0x10 wp=0x0 lp=0x0})+0x22b [R:\src\dev\win32ss\user\user32\windows\message.c @ 2046] 

20 0012fc64 0042783c explorer!CTrayWindow::TrayMessageLoop(void)+0x95 [R:\src\dev\base\shell\explorer\traywnd.cpp @ 3192] 

21 0012fc74 004031ca explorer!TrayMessageLoop(struct ITrayWindow * Tray = 0x0013ecfc)+0x3c [R:\src\dev\base\shell\explorer\traywnd.cpp @ 3439] 

22 0012fea4 0040341e explorer!StartWithDesktop(struct HINSTANCE__ * hInstance = 0x00400000)+0x17a [R:\src\dev\base\shell\explorer\explorer.cpp @ 174] 

23 0012feb4 0042b550 explorer!wWinMain(struct HINSTANCE__ * hInstance = 0x00400000, struct HINSTANCE__ * hPrevInstance = 0x00000000, wchar_t * lpCmdLine = 0x00133bfe "", int nCmdShow = 0n1)+0xbe [R:\src\dev\base\shell\explorer\explorer.cpp @ 223] 

24 0012fecc 0042aefa explorer!wmain(int flags = 0n1, wchar_t ** cmdline = 0x0013fc98, wchar_t ** inst = 0x00133000)+0x20 [R:\src\dev\sdk\lib\crt\startup\crt0_w.c @ 26] 

25 0012ffb4 0042b1c8 explorer!__tmainCRTStartup(void)+0x2ba [R:\src\dev\sdk\lib\crt\startup\crtexe.c @ 306] 

26 0012ffc0 7c6369e4 explorer!wWinMainCRTStartup(void)+0x28 [R:\src\dev\sdk\lib\crt\startup\crtexe.c @ 157] 

27 0012fff0 00000000 kernel32!BaseProcessStartup(<function> * lpStartAddress = 0x0042b1a0)+0x54 [R:\src\dev\dll\win32\kernel32\client\proc.c @ 463]