Index: ntoskrnl/mm/ARM3/pool.c
===================================================================
--- ntoskrnl/mm/ARM3/pool.c	(revision 69799)
+++ ntoskrnl/mm/ARM3/pool.c	(working copy)
@@ -24,7 +24,7 @@
 KGUARDED_MUTEX MmPagedPoolMutex;
 MM_PAGED_POOL_INFO MmPagedPoolInfo;
 SIZE_T MmAllocatedNonPagedPool;
-ULONG MmSpecialPoolTag;
+ULONG MmSpecialPoolTag = 'W32K';
 ULONG MmConsumedPoolPercentage;
 BOOLEAN MmProtectFreedNonPagedPool;
 SLIST_HEADER MiNonPagedPoolSListHead;
Index: ntoskrnl/mm/ARM3/special.c
===================================================================
--- ntoskrnl/mm/ARM3/special.c	(revision 69799)
+++ ntoskrnl/mm/ARM3/special.c	(working copy)
@@ -74,9 +74,51 @@
 {
     /* Special pool is not suitable for allocations bigger than 1 page */
     if (NumberOfBytes > (PAGE_SIZE - sizeof(POOL_HEADER)))
+    {
         return FALSE;
+    }
 
+#ifdef __REACTOS__
+    if (MmSpecialPoolTag == 'W32K')
+    {
+        PLDR_DATA_TABLE_ENTRY LdrEntry;
+        PVOID CallersCaller;
+        UNICODE_STRING Win32k = RTL_CONSTANT_STRING(L"win32k.sys");
+
+        /* If we can't be sure, use special pool so we don't miss anything */
+        if (Tag == 'enoN' ||
+            KeGetCurrentIrql() >= DISPATCH_LEVEL ||
+            !PsLoadedModuleList.Flink)
+        {
+            return TRUE;
+        }
+
+        /* Find the first four letters of the driver name if we can */
+        RtlGetCallersAddress(NULL, &CallersCaller);
+        LdrEntry = MiLookupDataTableEntry(CallersCaller);
+        
+        /* Couldn't find it. Default to special pool */
+        if (!LdrEntry)
+        {
+            return TRUE;
+        }
+        
+        /* Got the name. Is it win32k? */
+        if (RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Win32k, TRUE))
+        {
+            return TRUE;
+        }
+
+        /* Non-win32k allocation */
+        return FALSE;
+    }
+#endif
     return Tag == MmSpecialPoolTag;
+    //return Tag == 'nevE' ||
+    //       Tag == 'cbsu' || Tag == 'LBSU' ||
+    //       Tag == 'hbsu' || Tag == 'sbsu' ||
+    //       Tag == 'ICHE' || Tag == 'ICHO' || Tag == 'ICHU' ||
+    //       Tag == 'UdiH' || Tag == 'rUiH';
 }
 
 BOOLEAN
@@ -135,7 +177,9 @@
     /* Reserve those PTEs */
     do
     {
-        PointerPte = MiReserveAlignedSystemPtes(SpecialPoolPtes, 0, /*0x400000*/0); // FIXME:
+        PointerPte = MiReserveAlignedSystemPtes(SpecialPoolPtes,
+                                                SystemPteSpace,
+                                                /*0x400000*/0); // FIXME:
         if (PointerPte) break;
 
         /* Reserving didn't work, so try to reduce the requested size */
@@ -261,6 +305,13 @@
                      0x30);
     }
 
+    /* Some allocations from Mm must never use special pool */
+    if (Tag == 'tSmM')
+    {
+        /* Reject and let normal pool handle it */
+        return NULL;
+    }
+
     /* TODO: Take into account various limitations */
     /*if ((PoolType != NonPagedPool) &&
         MiSpecialPagesNonPaged > MiSpecialPagesNonPagedMaximum)*/
Index: win32ss/user/ntuser/msgqueue.c
===================================================================
--- win32ss/user/ntuser/msgqueue.c	(revision 69799)
+++ win32ss/user/ntuser/msgqueue.c	(working copy)
@@ -13,8 +13,10 @@
 
 /* GLOBALS *******************************************************************/
 
+#if 0
 static PPAGED_LOOKASIDE_LIST pgMessageLookasideList;
 static PPAGED_LOOKASIDE_LIST pgSendMsgLookasideList;
+#endif
 INT SendMsgCount = 0;
 PUSER_MESSAGE_QUEUE gpqCursor;
 ULONG_PTR gdwMouseMoveExtraInfo = 0;
@@ -28,6 +30,7 @@
 NTAPI
 MsqInitializeImpl(VOID)
 {
+#if 0
    // Setup Post Messages
    pgMessageLookasideList = ExAllocatePoolWithTag(NonPagedPool, sizeof(PAGED_LOOKASIDE_LIST), TAG_USRMSG);
    if (!pgMessageLookasideList)
@@ -50,7 +53,7 @@
                                   sizeof(USER_SENT_MESSAGE),
                                   TAG_USRMSG,
                                   16);
-
+#endif
    InitializeListHead(&usmList);
 
    return(STATUS_SUCCESS);
@@ -735,7 +738,7 @@
 {
    PUSER_MESSAGE Message;
 
-   Message = ExAllocateFromPagedLookasideList(pgMessageLookasideList);
+   Message = ExAllocatePoolWithTag(PagedPool, sizeof(*Message), TAG_USRMSG)/*FromPagedLookasideList(pgMessageLookasideList)*/;
    if (!Message)
    {
       return NULL;
@@ -750,6 +753,7 @@
 VOID FASTCALL
 MsqDestroyMessage(PUSER_MESSAGE Message)
 {
+#if 0
    if (Message->pti == NULL)
    {
       ERR("Double Free Message\n");
@@ -756,7 +760,8 @@
       return;
    }
    Message->pti = NULL;
-   ExFreeToPagedLookasideList(pgMessageLookasideList, Message);
+#endif
+   ExFreePoolWithTag(Message, TAG_USRMSG)/*ToPagedLookasideList(pgMessageLookasideList, Message)*/;
 }
 
 PUSER_SENT_MESSAGE FASTCALL
@@ -764,7 +769,7 @@
 {
    PUSER_SENT_MESSAGE Message;
 
-   if(!(Message = ExAllocateFromPagedLookasideList(pgSendMsgLookasideList)))
+   if(!(Message = ExAllocatePoolWithTag(PagedPool, sizeof(*Message), TAG_USRMSG)/*FromPagedLookasideList(pgSendMsgLookasideList)*/))
    {
        ERR("AllocateUserMessage(): Not enough memory to allocate a message");
        return NULL;
@@ -785,12 +790,14 @@
 VOID FASTCALL
 FreeUserMessage(PUSER_SENT_MESSAGE Message)
 {
+#if 0
    Message->pkCompletionEvent = NULL;
+#endif
 
    /* Remove it from the list */
    RemoveEntryList(&Message->ListEntry);
 
-   ExFreeToPagedLookasideList(pgSendMsgLookasideList, Message);
+   ExFreePoolWithTag(Message, TAG_USRMSG);/*ToPagedLookasideList(pgSendMsgLookasideList, Message)*/;
    SendMsgCount--;
 }
 
@@ -1171,6 +1178,7 @@
       SwapStateEnabled = KeSetKernelStackSwapEnable(FALSE);
    }
    pti->cEnterCount++;
+   TRACE("coMSM entry count %d\n",pti->cEnterCount);
 
    if (Block)
    {