Index: win32ss/user/ntuser/msgqueue.c =================================================================== --- win32ss/user/ntuser/msgqueue.c (revision 66849) +++ win32ss/user/ntuser/msgqueue.c (working copy) @@ -1032,6 +1032,7 @@ PLIST_ENTRY Entry; PWND pWnd; LRESULT Result = 0; //// Result could be trashed. //// + BOOLEAN CleanedMessage; pti = PsGetCurrentThreadWin32Thread(); ASSERT(pti != ptirec); @@ -1121,6 +1122,8 @@ Message->HookMessage = HookMessage; Message->HasPackedLParam = FALSE; + CleanedMessage = FALSE; + /* Add it to the list of pending messages */ InsertTailList(&pti->DispatchingMessagesHead, &Message->DispatchingListEntry); @@ -1163,6 +1166,7 @@ RemoveEntryList(&Message->DispatchingListEntry); ClearMsgBitsMask(ptirec, Message->QS_Flags); ExFreePoolWithTag(Message, TAG_USRMSG); + CleanedMessage = TRUE; break; } Entry = Entry->Flink; @@ -1183,11 +1187,16 @@ Message->Result = NULL; RemoveEntryList(&Message->DispatchingListEntry); InitializeListHead(&Message->DispatchingListEntry); + CleanedMessage = TRUE; break; } Entry = Entry->Flink; } } + else + { + CleanedMessage = TRUE; + } while (co_MsqDispatchOneSentMessage(pti)) ; } @@ -1226,6 +1235,7 @@ InitializeListHead(&Message->DispatchingListEntry); ClearMsgBitsMask(ptirec, Message->QS_Flags); ExFreePoolWithTag(Message, TAG_USRMSG); + CleanedMessage = TRUE; break; } Entry = Entry->Flink; @@ -1248,11 +1258,16 @@ Message->Result = NULL; RemoveEntryList(&Message->DispatchingListEntry); InitializeListHead(&Message->DispatchingListEntry); + CleanedMessage = TRUE; break; } Entry = Entry->Flink; } } + else + { + CleanedMessage = TRUE; + } if (WaitStatus == STATUS_USER_APC) break; 
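Review bot: `BOOLEAN CleanedMessage;` in the `@@ -1032` hunk has no initializer and only gets a value in the next hunk (`CleanedMessage = FALSE;` just before `InsertTailList`), so any path that reaches the final `if (!CleanedMessage)` check without passing that assignment reads an indeterminate value. Whether such a path exists cannot be seen here, because the function body runs well outside this hunk. Initialising at the declaration with the value that means "nothing queued, nothing to wait for" settles it: `BOOLEAN CleanedMessage = TRUE;`, keeping the later `= FALSE` where the message is actually queued.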
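Review bot: The catch-all `else { CleanedMessage = TRUE; }` in the `@@ -1183` hunk marks the message as cleaned for every wait status the earlier branches do not handle, although that branch does nothing to detach the message from `CompletionEvent`; the identical `else` in the `@@ -1248` hunk has the same problem. There the next line is `if (WaitStatus == STATUS_USER_APC) break;`, so an APC exit leaves the flag TRUE and skips the final wait while the receiver may still hold a pointer to the stack event. That `break` also suggests an enclosing retry loop outside the hunk; if so, a TRUE set on one pass stays set on later passes where the lookup loops find nothing. Setting the flag only in branches that really clear or free the message, and resetting it with `CleanedMessage = FALSE;` at the start of each wait pass, would keep it accurate. The `if` chain these `else` blocks attach to starts outside both hunks.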
@@ -1269,6 +1284,15 @@ ERR("User APC Returned\n"); // Should not see this message. } + /* If we're not sure the message was cleaned up yet, we must wait before + letting the stack event go out of scope */ + if (!CleanedMessage) + { + UserLeaveCo(); + KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL); + UserEnterCo(); + } + if (WaitStatus != STATUS_TIMEOUT) { if (uResult)
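Review bot: The added `KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL)` is an unbounded, non-alertable kernel-mode wait whose status is discarded, and it runs after the earlier wait has already ended, including by timeout (the following `if (WaitStatus != STATUS_TIMEOUT)` shows that case reaches this point). If the receiving thread never completes the message, the sender stays blocked here indefinitely, so the caller's timeout no longer bounds the call and a hung receiver can stall the sender. A sturdier way to close the lifetime gap is to give the event the message's lifetime, for example by allocating it from pool together with the message, instead of keeping it on the sender's stack; that change reaches beyond what this hunk shows. At minimum the comment should state the cost, e.g. `/* Unbounded wait: blocks until the receiver completes or drops the message */`. The enclosing function continues past the end of the hunk.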