Index: msgqueue.c
===================================================================
--- msgqueue.c (revision 69815)
+++ msgqueue.c (working copy)
@@ -13,8 +13,10 @@
 /* GLOBALS *******************************************************************/
+#if 0
 static PPAGED_LOOKASIDE_LIST pgMessageLookasideList;
 static PPAGED_LOOKASIDE_LIST pgSendMsgLookasideList;
+#endif
 INT SendMsgCount = 0;
 PUSER_MESSAGE_QUEUE gpqCursor;
 ULONG_PTR gdwMouseMoveExtraInfo = 0;
@@ -28,6 +30,7 @@
 NTAPI
 MsqInitializeImpl(VOID)
 {
+#if 0
 // Setup Post Messages
 pgMessageLookasideList = ExAllocatePoolWithTag(NonPagedPool, sizeof(PAGED_LOOKASIDE_LIST), TAG_USRMSG);
 if (!pgMessageLookasideList)
@@ -50,7 +53,7 @@
 sizeof(USER_SENT_MESSAGE),
 TAG_USRMSG,
 16);
-
+#endif
 InitializeListHead(&usmList);
 return(STATUS_SUCCESS);
@@ -735,7 +738,7 @@
 {
 PUSER_MESSAGE Message;
- Message = ExAllocateFromPagedLookasideList(pgMessageLookasideList);
+ Message = ExAllocatePoolWithTag(PagedPool, sizeof(*Message), TAG_USRMSG)/*FromPagedLookasideList(pgMessageLookasideList)*/;
 if (!Message)
 {
 return NULL;
@@ -750,6 +753,7 @@
 VOID FASTCALL
 MsqDestroyMessage(PUSER_MESSAGE Message)
 {
+#if 0
 if (Message->pti == NULL)
 {
 ERR("Double Free Message\n");
@@ -756,7 +760,8 @@
 return;
 }
 Message->pti = NULL;
- ExFreeToPagedLookasideList(pgMessageLookasideList, Message);
+#endif
+ ExFreePoolWithTag(Message, TAG_USRMSG)/*ToPagedLookasideList(pgMessageLookasideList, Message)*/;
 }
 PUSER_SENT_MESSAGE FASTCALL
@@ -764,7 +769,7 @@
 {
 PUSER_SENT_MESSAGE Message;
- if(!(Message = ExAllocateFromPagedLookasideList(pgSendMsgLookasideList)))
+ if(!(Message = ExAllocatePoolWithTag(PagedPool, sizeof(*Message), TAG_USRMSG)/*FromPagedLookasideList(pgSendMsgLookasideList)*/))
 {
 ERR("AllocateUserMessage(): Not enough memory to allocate a message");
 return NULL;
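Review bot: Putting the `Message->pti == NULL` check of MsqDestroyMessage under `#if 0` (opened in hunk -750, closed here at -756) removes the only double-free detection the function had, and with ExFreePoolWithTag a second destroy now goes straight to the pool free instead of being stopped by the `ERR("Double Free Message\n")` path. The guard does not depend on the lookaside list, so keep `if (Message->pti == NULL) { ERR("Double Free Message\n"); return; }` and `Message->pti = NULL;` active and wrap only the ExFreeToPagedLookasideList call. This hunk and the allocation hunks at -735 and -764 also keep the old call as a trailing `/*...*/` comment; if the pool allocation is meant to stay the comments should go, and if it is a temporary switch a single `#define` choosing between lookaside and pool would be clearer than `#if 0` scattered across four places. MsqDestroyMessage starts in the previous hunk.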
@@ -785,12 +790,15 @@
 VOID FASTCALL
 FreeUserMessage(PUSER_SENT_MESSAGE Message)
 {
+ ERR("F %p by %p, flags 0x%lx\n", Message, _ReturnAddress(), Message->flags);
+#if 0
 Message->pkCompletionEvent = NULL;
+#endif
 /* Remove it from the list */
 RemoveEntryList(&Message->ListEntry);
- ExFreeToPagedLookasideList(pgSendMsgLookasideList, Message);
+ ExFreePoolWithTag(Message, TAG_USRMSG);/*ToPagedLookasideList(pgSendMsgLookasideList, Message)*/;
 SendMsgCount--;
 }
@@ -878,6 +886,7 @@
 PLIST_ENTRY Entry;
 BOOL Ret;
 LRESULT Result = 0;
+ USER_SENT_MESSAGE MessageCopy;
 ASSERT(pti == PsGetCurrentThreadWin32Thread());
@@ -908,6 +917,8 @@
 ClearMsgBitsMask(pti, Message->QS_Flags);
+ MessageCopy = *Message;
+
 if (Message->HookMessage == MSQ_ISHOOK)
 { // Direct Hook Call processor
 Result = co_CallHook( Message->Msg.message, // HookId
@@ -954,6 +965,21 @@
 Message->Msg.lParam);
 }
+ {
+ PKEVENT DummyEvent;
+ NTSTATUS WaitStatus;
+ LARGE_INTEGER Timeout;
+ DummyEvent = ExAllocatePoolWithTag(NonPagedPool, sizeof(*DummyEvent), 'vE3W');
+ if (DummyEvent)
+ {
+ KeInitializeEvent(DummyEvent, NotificationEvent, FALSE);
+ Timeout.QuadPart = 0;
+ WaitStatus = KeWaitForSingleObject(DummyEvent, Executive, UserMode, FALSE, &Timeout);
+ ASSERT(WaitStatus == STATUS_TIMEOUT);
+ ExFreePoolWithTag(DummyEvent, 'vE3W');
+ }
+ }
+
 /* If the message is a callback, insert it in the callback senders MessageQueue */
 if (Message->CompletionCallback)
 {
@@ -1173,6 +1199,7 @@
 SwapStateEnabled = KeSetKernelStackSwapEnable(FALSE);
 }
 pti->cEnterCount++;
+ TRACE("coMSM entry count %d\n",pti->cEnterCount);
 if (Block)
 {
@@ -1217,7 +1244,7 @@
 // Receiving thread passed on and left us hanging with issues still pending.
 else if (WaitStatus == STATUS_WAIT_1)
 {
- ERR("Bk Receiving Thread woken up dead!\n");
+ ERR("Bk Receiving Thread %p woken up dead for message %p!\n", Message->ptiReceiver, Message);
 Message->flags |= SMF_RECEIVERDIED;
 }
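Review bot: `MessageCopy` is declared at -878 and assigned `*Message` at -908 but is never read in any visible hunk, so as far as this diff shows it is a dead store that also places a full USER_SENT_MESSAGE, including a ListEntry whose links point at live list nodes, on the kernel stack. If the copy exists so the message can be inspected in the debugger after the original is released, write that down, e.g. `// Debug only: stack snapshot of the sent message for post-mortem inspection`, and put both lines under `#if DBG` so release builds do not carry it. The enclosing function starts before -878 and ends after -954.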
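Review bot: The block added at -954 allocates an event, waits on it with a zero timeout and frees it, and nothing in the hunk says why; a zero-timeout wait on a never-signaled NotificationEvent returns STATUS_TIMEOUT without blocking, so the only effect is to push the thread through the UserMode wait path, presumably to reproduce the kernel-stack-swap / APC interaction the other hunks trace. That intent needs a comment above the block, e.g. `// Debug probe: force one trip through KeWaitForSingleObject in UserMode here; event lives in NonPagedPool because the stack may be swapped during a user-mode wait`, and the block belongs under `#if DBG`, since `WaitStatus` is consumed only by the ASSERT and becomes an unused variable on free builds. Note also that `if (DummyEvent)` skips the probe silently when the allocation fails, so whatever it is meant to exercise is not guaranteed to run, and `'vE3W'` is a new ad-hoc pool tag that should be named alongside TAG_USRMSG if it stays.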
@@ -1271,7 +1298,7 @@
 // Receiving thread passed on and left us hanging with issues still pending.
 else if (WaitStatus == STATUS_WAIT_2)
 {
- ERR("NB Receiving Thread woken up dead!\n");
+ ERR("NB Receiving Thread %p woken up dead for message %p!\n", Message->ptiReceiver, Message);
 Message->flags |= SMF_RECEIVERDIED;
 break;
 }
@@ -1293,7 +1320,7 @@
 if (WaitStatus == STATUS_USER_APC)
 {
 // The current thread is dying!
- TRACE("User APC\n");
+ ERR("User APC in thread %p for message %p\n", Message->ptiSender, Message);
 // The Message will be on the Trouble list until Thread cleanup.
 Message->flags |= SMF_SENDERDIED;
@@ -1300,6 +1327,7 @@
 co_IntDeliverUserAPC();
 ERR("User APC Returned\n"); // Should not see this message.
+ NT_ASSERT(WaitStatus != STATUS_USER_APC);
 }
 // Force this thread to wake up for the next go around.
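Review bot: `NT_ASSERT(WaitStatus != STATUS_USER_APC)` at -1300 sits inside the `if (WaitStatus == STATUS_USER_APC)` branch opened in the preceding hunk (-1293), and no visible line between that test and the assert writes WaitStatus, so the condition is false whenever the line is reached and the assert is effectively `NT_ASSERT(FALSE)` (unless co_IntDeliverUserAPC reaches the local in some way not shown here). If the point is that the call must never return, say so directly, `NT_ASSERT(FALSE); // co_IntDeliverUserAPC must not return`, so the next reader does not hunt for a path that changes WaitStatus. Be aware this turns the "User APC Returned" path from a logged ERR into a debugger break on checked builds; the existing message suggests the path has been seen, so the change should be deliberate. The enclosing function starts and ends outside both hunks.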