Index: C:/ROS/reactos/win32ss/user/ntuser/winsta.c
===================================================================
--- win32ss/user/ntuser/winsta.c	(revision 62928)
+++ win32ss/user/ntuser/winsta.c	(working copy)
@@ -641,6 +641,19 @@
    PVOID pvData = NULL;
    DWORD nDataSize = 0;
 
+   _SEH2_TRY
+   {
+      if (nLengthNeeded)
+         ProbeForWrite(nLengthNeeded, sizeof(*nLengthNeeded), sizeof(ULONG));
+      ProbeForWrite(pvInformation, nLength, 1);
+   }
+   _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+   {
+      SetLastNtError(_SEH2_GetExceptionCode());
+      return FALSE;
+   }
+   _SEH2_END;
+
    /* try windowstation */
    TRACE("Trying to open window station %p\n", hObject);
    Status = ObReferenceObjectByHandle(
@@ -727,11 +740,22 @@
    if (Status == STATUS_SUCCESS)
    {
       TRACE("Trying to copy data to caller (len = %lu, len needed = %lu)\n", nLength, nDataSize);
-      *nLengthNeeded = nDataSize;
-      if (nLength >= nDataSize)
-         Status = MmCopyToCaller(pvInformation, pvData, nDataSize);
-      else
-         Status = STATUS_BUFFER_TOO_SMALL;
+
+      _SEH2_TRY
+      {
+         if (nLengthNeeded)
+            *nLengthNeeded = nDataSize;
+
+         if (nLength >= nDataSize)
+            RtlCopyMemory(pvInformation, pvData, nDataSize);
+         else
+            Status = STATUS_BUFFER_TOO_SMALL;
+      }
+      _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+      {
+          Status = _SEH2_GetExceptionCode();
+      }
+      _SEH2_END;
    }
 
    /* release objects */