Index: ntoskrnl/mm/ARM3/pool.c
===================================================================
--- ntoskrnl/mm/ARM3/pool.c (revision 66329)
+++ ntoskrnl/mm/ARM3/pool.c (working copy)
@@ -24,7 +24,7 @@
 KGUARDED_MUTEX MmPagedPoolMutex;
 MM_PAGED_POOL_INFO MmPagedPoolInfo;
 SIZE_T MmAllocatedNonPagedPool;
-ULONG MmSpecialPoolTag;
+ULONG MmSpecialPoolTag = 'nevE';
 ULONG MmConsumedPoolPercentage;
 BOOLEAN MmProtectFreedNonPagedPool;
 SLIST_HEADER MiNonPagedPoolSListHead;
Index: win32ss/user/ntuser/msgqueue.c
===================================================================
--- win32ss/user/ntuser/msgqueue.c (revision 66331)
+++ win32ss/user/ntuser/msgqueue.c (working copy)
@@ -1044,7 +1044,7 @@
 {
 PTHREADINFO pti;
 PUSER_SENT_MESSAGE Message;
- KEVENT CompletionEvent;
+ PKEVENT CompletionEvent;
 NTSTATUS WaitStatus;
 LARGE_INTEGER Timeout;
 PLIST_ENTRY Entry;
@@ -1116,7 +1116,8 @@
 return STATUS_INSUFFICIENT_RESOURCES;
 }
- KeInitializeEvent(&CompletionEvent, NotificationEvent, FALSE);
+ CompletionEvent = ExAllocatePoolWithTag(NonPagedPool, sizeof(KEVENT), 'nevE');
+ KeInitializeEvent(CompletionEvent, NotificationEvent, FALSE);
 Timeout.QuadPart = Int32x32To64(-10000,uTimeout); // Pass SMTO test with a TO of 0x80000000.
 TRACE("Timeout val %lld\n",Timeout.QuadPart)
@@ -1127,7 +1128,7 @@
 Message->Msg.message = Msg;
 Message->Msg.wParam = wParam;
 Message->Msg.lParam = lParam;
- Message->CompletionEvent = &CompletionEvent;
+ Message->CompletionEvent = CompletionEvent;
 Message->Result = &Result;
 Message->lResult = 0;
 Message->QS_Flags = 0;
@@ -1154,7 +1155,7 @@
 {
 PVOID WaitObjects[2];
- WaitObjects[0] = &CompletionEvent; // Wait 0
+ WaitObjects[0] = CompletionEvent ; // Wait 0
 WaitObjects[1] = ptirec->pEThread; // Wait 1
 UserLeaveCo();
@@ -1213,7 +1214,7 @@
 {
 PVOID WaitObjects[3];
- WaitObjects[0] = &CompletionEvent; // Wait 0
+ WaitObjects[0] = CompletionEvent; // Wait 0
 WaitObjects[1] = pti->pEventQueueServer; // Wait 1
 WaitObjects[2] = ptirec->pEThread; // Wait 2
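Review bot: The initializer `ULONG MmSpecialPoolTag = 'nevE';` in the pool.c hunk bakes a special-pool selector into the kernel image, so every build carrying this line presumably applies special-pool handling to allocations with that tag, not just a debugging session. If the intent is to trace the lifetime of the event allocated in msgqueue.c, keep the committed default zero-initialized and gate the override, for example with `#if DBG` around the initialized form. The literal `'nevE'` is also repeated in the msgqueue.c hunks at 1116 and 1294; one named tag constant would keep the allocation, the free and this selector from drifting apart.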
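Review bot: In the msgqueue.c hunk at 1116 the result of `ExAllocatePoolWithTag` goes straight into `KeInitializeEvent`, so a failed non-paged pool allocation becomes a NULL pointer write in kernel mode. Add a check directly after the allocation, `if (CompletionEvent == NULL) return STATUS_INSUFFICIENT_RESOURCES;`, and before returning release whatever the failure path just above the hunk guards (it looks like the message allocation, but that code is outside the hunk). The function starts and ends outside this hunk, so any other early return between this allocation and the final free would also have to release the event, which the old stack-allocated `KEVENT` never required.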
@@ -1294,6 +1295,8 @@ } } + ExFreePoolWithTag(CompletionEvent, 'nevE'); + return WaitStatus; }
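Review bot: `ExFreePoolWithTag(CompletionEvent, 'nevE')` runs on the common exit path regardless of how the wait ended, while the hunk at 1127 stored the same pointer in `Message->CompletionEvent`. If the wait timed out or the receiving thread is still handling the message, a later signal through that field would touch freed non-paged pool. The code that detaches the message is not visible in this hunk, so confirm that every path reaching the free has cleared `Message->CompletionEvent` under the synchronization the receiver uses. A comment such as `/* Message->CompletionEvent must already be NULL here; the receiver may still own Message */` above the free would record that requirement. If that cannot be guaranteed, tying the event's lifetime to the message (freeing it where the message is freed) avoids the dangling pointer.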