Hi,
it seems there exists a problem with the message queues. If a process is terminated (killed) from outside, the thread message queue is deleted before the last window is deleted. If there is a message (key or mouse) for this window, the window does access the already freed message queue. This will crash the system. Possibly it is related to the paged pool memory corruption bug. I've a (dirty) fix for this problem.
- Hartmut
Index: subsys/win32k/ntuser/window.c =================================================================== --- subsys/win32k/ntuser/window.c (Revision 16707) +++ subsys/win32k/ntuser/window.c (Arbeitskopie) @@ -1577,6 +1577,7 @@ IntSetMenu(WindowObject, hMenu, &MenuChanged); } WindowObject->MessageQueue = PsGetWin32Thread()->MessageQueue; + IntReferenceMessageQueue(WindowObject->MessageQueue); WindowObject->Parent = (ParentWindow ? ParentWindow->Self : NULL); if((OwnerWindow = IntGetWindowObject(OwnerWindowHandle))) { @@ -2180,7 +2181,7 @@ if (Window->MessageQueue->CaptureWindow == Window->Self) Window->MessageQueue->CaptureWindow = NULL; IntUnLockMessageQueue(Window->MessageQueue); - + IntDereferenceMessageQueue(Window->MessageQueue); /* Call hooks */ #if 0 /* FIXME */ if (HOOK_CallHooks(WH_CBT, HCBT_DESTROYWND, (WPARAM) hwnd, 0, TRUE))
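Review bot: in the first hunk (@@ -1577), the new IntReferenceMessageQueue(WindowObject->MessageQueue) call carries no comment stating that each window now holds its own reference on the creating thread's queue, and nothing in the visible lines shows that reference being released if window creation fails after this point. Add a one-line comment giving the ownership rule, and check every failure exit that follows the assignment so that it either reaches the destroy path containing the matching IntDereferenceMessageQueue or drops the reference itself; otherwise the queue is never freed.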
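Review bot: in the second hunk (@@ -2180), IntDereferenceMessageQueue(Window->MessageQueue) runs before the hook call and the rest of the destroy path, and Window->MessageQueue keeps its old value afterwards, so if this drops the last reference, any later use of that field is the same access to freed memory the patch is meant to close. Either move the dereference to the point where the window object no longer uses the queue, or clear the field immediately after the call. The hunk also replaces the blank line that separated IntUnLockMessageQueue from the /* Call hooks */ comment; keep the blank line and add the new call above it.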