Don't use alloca in a macro that may be used in a loop. This fixes bug #805.
Modified: trunk/reactos/subsys/win32k/include/object.h
Modified: trunk/reactos/subsys/win32k/ntuser/accelerator.c
Modified: trunk/reactos/subsys/win32k/ntuser/caret.c
Modified: trunk/reactos/subsys/win32k/ntuser/class.c
Modified: trunk/reactos/subsys/win32k/ntuser/focus.c
Modified: trunk/reactos/subsys/win32k/ntuser/message.c
Modified: trunk/reactos/subsys/win32k/ntuser/misc.c
Modified: trunk/reactos/subsys/win32k/ntuser/msgqueue.c
Modified: trunk/reactos/subsys/win32k/ntuser/painting.c
Modified: trunk/reactos/subsys/win32k/ntuser/scrollbar.c
Modified: trunk/reactos/subsys/win32k/ntuser/vis.c
Modified: trunk/reactos/subsys/win32k/ntuser/window.c
Modified: trunk/reactos/subsys/win32k/ntuser/winpos.c
Modified: trunk/reactos/subsys/win32k/objects/color.c

Modified: trunk/reactos/subsys/win32k/include/object.h
--- trunk/reactos/subsys/win32k/include/object.h	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/include/object.h	2005-10-15 13:22:13 UTC (rev 18481)
@@ -90,20 +90,18 @@
    ASSERT(_obj_ == ref->obj); \
    \
 }
-#define UserRefObjectCo(_obj_) \
+#define UserRefObjectCo(_obj_, _ref_) \
 { \
    PW32THREAD t; \
-   PUSER_REFERENCE_ENTRY ref; \
    \
    ASSERT(_obj_); \
    t = PsGetWin32Thread(); \
    ASSERT(t); \
-   ref = (PUSER_REFERENCE_ENTRY)_alloca(sizeof(USER_REFERENCE_ENTRY)); \
-   ASSERT(ref); \
-   ref->obj = _obj_; \
+   ASSERT(_ref_); \
+   (_ref_)->obj = _obj_; \
    ObmReferenceObject(_obj_); \
  \
-   PushEntryList(&t->ReferencesList, &ref->Entry); \
+   PushEntryList(&t->ReferencesList, &(_ref_)->Entry); \
    \
 }
 
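Review bot: The rewritten `UserRefObjectCo` links caller-owned storage into `t->ReferencesList`, but nothing in the macro states or checks the contract that comes with it: the entry must stay in scope, and must not be passed to the macro again, until the matching `UserDerefObjectCo` has run. Pushing an entry that is still at the head of the list would leave its `Entry.Next` pointing at itself. Assuming `ReferencesList` is a `SINGLE_LIST_ENTRY`, as the `PushEntryList` call suggests, a debug check such as `ASSERT(t->ReferencesList.Next != &(_ref_)->Entry);` before the push would catch a second push without an intervening deref. I would also add a header comment above the macro spelling out the lifetime rule, and parenthesize the object argument as `(_ref_)->obj = (_obj_);`. The hunk begins inside the preceding macro, whose body is only partly visible.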

Modified: trunk/reactos/subsys/win32k/ntuser/accelerator.c
--- trunk/reactos/subsys/win32k/ntuser/accelerator.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/accelerator.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -433,6 +433,7 @@
    PWINDOW_OBJECT Window = NULL;
    PACCELERATOR_TABLE Accel = NULL;
    ULONG i;
+   USER_REFERENCE_ENTRY AccelRef, WindowRef;
    DECLARE_RETURN(int);
 
    DPRINT("NtUserTranslateAccelerator(hWnd %x, Table %x, Message %p)\n",
@@ -458,14 +459,14 @@
       RETURN( 0);
    }
 
-   UserRefObjectCo(Accel);
+   UserRefObjectCo(Accel, &AccelRef);
 
    if (!(Window = UserGetWindowObject(hWnd)))
    {
       RETURN( 0);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &WindowRef);
 
 
    /* FIXME: Associate AcceleratorTable with the current thread */

Modified: trunk/reactos/subsys/win32k/ntuser/caret.c
--- trunk/reactos/subsys/win32k/ntuser/caret.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/caret.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -405,6 +405,7 @@
 NtUserShowCaret(HWND hWnd OPTIONAL, BOOL bShow)
 {
    PWINDOW_OBJECT Window = NULL;
+   USER_REFERENCE_ENTRY Ref;
    DECLARE_RETURN(BOOL);
    BOOL ret;
 
@@ -416,7 +417,7 @@
       RETURN(FALSE);
    }
 
-   if (Window) UserRefObjectCo(Window);
+   if (Window) UserRefObjectCo(Window, &Ref);
    
    if (bShow)
       ret = co_UserShowCaret(Window);

Modified: trunk/reactos/subsys/win32k/ntuser/class.c
--- trunk/reactos/subsys/win32k/ntuser/class.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/class.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -547,6 +547,7 @@
 {
    PWINDOW_OBJECT Window;
    LONG Ret;
+   USER_REFERENCE_ENTRY Ref;
    DECLARE_RETURN(DWORD);
 
    DPRINT("Enter NtUserSetClassLong\n");
@@ -557,7 +558,7 @@
       RETURN(0);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    Ret = IntGetClassLong(Window, Offset, Ansi);
    co_IntSetClassLong(Window, Offset, dwNewLong, Ansi);

Modified: trunk/reactos/subsys/win32k/ntuser/focus.c
--- trunk/reactos/subsys/win32k/ntuser/focus.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/focus.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -61,12 +61,13 @@
 VOID FASTCALL
 co_IntSendActivateMessages(HWND hWndPrev, HWND hWnd, BOOL MouseActivate)
 {
+   USER_REFERENCE_ENTRY Ref;
    PWINDOW_OBJECT Window;
    
    if ((Window = UserGetWindowObject(hWnd)))
    {
       
-      UserRefObjectCo(Window);
+      UserRefObjectCo(Window, &Ref);
       
       /* Send palette messages */
       if (co_IntPostOrSendMessage(hWnd, WM_QUERYNEWPALETTE, 0, 0))
@@ -218,6 +219,7 @@
 {
    HWND Top;
    PWINDOW_OBJECT TopWindow;
+   USER_REFERENCE_ENTRY Ref;
 
    ASSERT_REFS_CO(Window);
 
@@ -231,7 +233,7 @@
          Top = IntFindChildWindowToOwner(DesktopWindow, Window);
          if((TopWnd = UserGetWindowObject(Top)))
          {
-            UserRefObjectCo(TopWnd);
+            UserRefObjectCo(TopWnd, &Ref);
             Ret = co_IntMouseActivateWindow(TopWnd);
             UserDerefObjectCo(TopWnd);
             
@@ -246,7 +248,7 @@
    if (!TopWindow) return FALSE;
 
    /* TMN: Check return valud from this function? */
-   UserRefObjectCo(TopWindow);
+   UserRefObjectCo(TopWindow, &Ref);
    
    co_IntSetForegroundAndFocusWindow(TopWindow, Window, TRUE);
    
@@ -386,6 +388,7 @@
 HWND STDCALL
 NtUserSetActiveWindow(HWND hWnd)
 {
+   USER_REFERENCE_ENTRY Ref;
    DECLARE_RETURN(HWND);
 
    DPRINT("Enter NtUserSetActiveWindow(%x)\n", hWnd);
@@ -412,7 +415,7 @@
          RETURN( 0);
       }
 
-      UserRefObjectCo(Window);
+      UserRefObjectCo(Window, &Ref);
       hWndPrev = co_IntSetActiveWindow(Window);
       UserDerefObjectCo(Window);
 
@@ -503,6 +506,7 @@
       PUSER_MESSAGE_QUEUE ThreadQueue;
       HWND hWndPrev;
       PWINDOW_OBJECT TopWnd;
+      USER_REFERENCE_ENTRY Ref;
 
       ASSERT_REFS_CO(Window);
 
@@ -523,7 +527,7 @@
       if (TopWnd && TopWnd->hSelf != UserGetActiveWindow())
       {
 //         PWINDOW_OBJECT WndTops = UserGetWindowObject(hWndTop);
-         UserRefObjectCo(TopWnd);
+         UserRefObjectCo(TopWnd, &Ref);
          co_IntSetActiveWindow(TopWnd);
          UserDerefObjectCo(TopWnd);
       }
@@ -547,6 +551,7 @@
 NtUserSetFocus(HWND hWnd)
 {
    PWINDOW_OBJECT Window;
+   USER_REFERENCE_ENTRY Ref;
    DECLARE_RETURN(HWND);
    HWND ret;
 
@@ -558,7 +563,7 @@
       RETURN(NULL);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    ret = co_UserSetFocus(Window);
    UserDerefObjectCo(Window);
    

Modified: trunk/reactos/subsys/win32k/ntuser/message.c
--- trunk/reactos/subsys/win32k/ntuser/message.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/message.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -547,6 +547,7 @@
 co_IntTranslateMouseMessage(PUSER_MESSAGE_QUEUE ThreadQueue, LPMSG Msg, USHORT *HitTest, BOOL Remove)
 {
    PWINDOW_OBJECT Window;
+   USER_REFERENCE_ENTRY Ref, DesktopRef;
 
    if(!(Window = UserGetWindowObject(Msg->hwnd)))
    {
@@ -554,7 +555,7 @@
       return TRUE;
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    if(ThreadQueue == Window->MessageQueue &&
          ThreadQueue->CaptureWindow != Window->hSelf)
@@ -572,7 +573,7 @@
          {
             PWINDOW_OBJECT Wnd;
             
-            UserRefObjectCo(DesktopWindow);
+            UserRefObjectCo(DesktopWindow, &DesktopRef);
             
             co_WinPosWindowFromPoint(DesktopWindow, Window->MessageQueue, &Msg->pt, &Wnd);
             if(Wnd)
@@ -664,6 +665,7 @@
    PUSER_MESSAGE_QUEUE ThreadQueue;
    PUSER_MESSAGE Message;
    BOOL Present, RemoveMessages;
+   USER_REFERENCE_ENTRY Ref;
 
    /* The queues and order in which they are checked are documented in the MSDN
       article on GetMessage() */
@@ -772,7 +774,7 @@
          {
             USHORT HitTest;
 
-            UserRefObjectCo(MsgWindow);
+            UserRefObjectCo(MsgWindow, &Ref);
 
             if(co_IntTranslateMouseMessage(ThreadQueue, &Msg->Msg, &HitTest, TRUE))
                /* FIXME - check message filter again, if the message doesn't match anymore,
@@ -972,6 +974,7 @@
    UINT Size;
    USER_MESSAGE Msg;
    DECLARE_RETURN(BOOL);
+//   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserGetMessage\n");
    UserEnterExclusive();
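Review bot: The added `//   USER_REFERENCE_ENTRY Ref;` is a commented-out declaration that exists only to keep the commented-out `UserRefObjectCo(Window, &Ref)` call in the next hunk in step with the new macro signature. Dead code maintained by hand tends to drift; either delete both lines or replace them with one comment saying why the window is deliberately not referenced here, for example `/* Window is not referenced here: <reason> */`. The same applies to the commented-out pair in window.c (`@@ -239,7 +239,8 @@`). The enclosing function starts and ends outside the hunk.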
@@ -982,7 +985,7 @@
       RETURN(-1);
    }
    
-//   if (Window) UserRefObjectCo(Window);
+//   if (Window) UserRefObjectCo(Window, &Ref);
    
    if (MsgFilterMax < MsgFilterMin)
    {
@@ -1357,6 +1360,7 @@
    LPARAM lParamPacked;
    PW32THREAD Win32Thread;
    DECLARE_RETURN(LRESULT);
+   USER_REFERENCE_ENTRY Ref;
 
    /* FIXME: Call hooks. */
    if (!(Window = UserGetWindowObject(hWnd)))
@@ -1364,7 +1368,7 @@
        RETURN( FALSE);
    }
    
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    Win32Thread = PsGetWin32Thread();
 

Modified: trunk/reactos/subsys/win32k/ntuser/misc.c
--- trunk/reactos/subsys/win32k/ntuser/misc.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/misc.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -689,6 +689,7 @@
 {
    BOOL Ret = 0;
    PWINDOW_OBJECT Window;
+   USER_REFERENCE_ENTRY Ref;
    DECLARE_RETURN(BOOLEAN);
 
    DPRINT("Enter NtUserCallHwndLock\n");
@@ -698,7 +699,7 @@
    {
       RETURN( FALSE);
    }
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    /* FIXME: Routine can be 0x53 - 0x5E */
    switch (Routine)

Modified: trunk/reactos/subsys/win32k/ntuser/msgqueue.c
--- trunk/reactos/subsys/win32k/ntuser/msgqueue.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/msgqueue.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -477,6 +477,7 @@
    PVOID WaitObjects[2];
    NTSTATUS WaitStatus;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
    
    if( !IntGetScreenDC() ||
          PsGetWin32Thread()->MessageQueue == W32kGetPrimitiveMessageQueue() )
@@ -504,7 +505,7 @@
 
    DesktopWindow = UserGetWindowObject(IntGetDesktopWindow());
    
-   if (DesktopWindow) UserRefObjectCo(DesktopWindow);//can DesktopWindow be NULL?
+   if (DesktopWindow) UserRefObjectCo(DesktopWindow, &Ref);//can DesktopWindow be NULL?
    
    /* Process messages in the message queue itself. */
    IntLockHardwareMessageQueue(MessageQueue);

Modified: trunk/reactos/subsys/win32k/ntuser/painting.c
--- trunk/reactos/subsys/win32k/ntuser/painting.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/painting.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -295,7 +295,8 @@
             Window = UserGetWindowObject(*phWnd);
             if (Window && (Window->Style & WS_VISIBLE))
             {
-               UserRefObjectCo(Window);
+               USER_REFERENCE_ENTRY Ref;
+               UserRefObjectCo(Window, &Ref);
                co_IntPaintWindows(Window, Flags);
                UserDerefObjectCo(Window);
             }
@@ -722,6 +723,7 @@
    PROSRGNDATA Rgn;
    NTSTATUS Status;
    DECLARE_RETURN(HDC);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserBeginPaint\n");
    UserEnterExclusive();
@@ -731,7 +733,7 @@
       RETURN( NULL);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    
    co_UserHideCaret(Window);
 
@@ -828,6 +830,7 @@
 {
    PWINDOW_OBJECT Window;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserEndPaint\n");
    UserEnterExclusive();
@@ -839,7 +842,7 @@
 
    UserReleaseDC(Window, lPs->hdc, TRUE);
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    co_UserShowCaret(Window);
    UserDerefObjectCo(Window);
 
@@ -894,6 +897,7 @@
    DECLARE_RETURN(INT);
    PWINDOW_OBJECT Window;
    INT ret;
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserGetUpdateRgn\n");
    UserEnterExclusive();
@@ -903,7 +907,7 @@
       RETURN(ERROR);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    ret = co_UserGetUpdateRgn(Window, hRgn, bErase);
    UserDerefObjectCo(Window);
 
@@ -975,7 +979,8 @@
 
    if (bErase && !IntGdiIsEmptyRect(&Rect))
    {
-      UserRefObjectCo(Window);
+      USER_REFERENCE_ENTRY Ref;
+      UserRefObjectCo(Window, &Ref);
       co_UserRedrawWindow(Window, NULL, NULL, RDW_ERASENOW | RDW_NOCHILDREN);
       UserDerefObjectCo(Window);
    }
@@ -1013,6 +1018,7 @@
    NTSTATUS Status;
    PWINDOW_OBJECT Wnd;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserRedrawWindow\n");
    UserEnterExclusive();
@@ -1034,7 +1040,7 @@
       }
    }
 
-   UserRefObjectCo(Wnd);
+   UserRefObjectCo(Wnd, &Ref);
 
    Status = co_UserRedrawWindow(Wnd, NULL == lprcUpdate ? NULL : &SafeUpdateRect,
                                 hrgnUpdate, flags);
@@ -1206,6 +1212,7 @@
    BOOL bOwnRgn = TRUE;
    NTSTATUS Status;
    DECLARE_RETURN(DWORD);
+   USER_REFERENCE_ENTRY Ref, CaretRef;
 
    DPRINT("Enter NtUserScrollWindowEx\n");
    UserEnterExclusive();
@@ -1216,7 +1223,7 @@
       Window = NULL; /* prevent deref at cleanup */
       RETURN( ERROR);
    }
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    IntGetClientRect(Window, &rc);
 
@@ -1292,6 +1299,7 @@
          RECT r, dummy;
          POINT ClientOrigin;
          PWINDOW_OBJECT Wnd;
+         USER_REFERENCE_ENTRY WndRef;
 
          IntGetClientOrigin(Window, &ClientOrigin);
          for (i = 0; List[i]; i++)
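Review bot: `WndRef` is declared once, ahead of the `for (i = 0; List[i]; i++)` loop, and the next hunk pushes it with `UserRefObjectCo(Wnd, &WndRef)` on every iteration that passes the rectangle test. That is only safe if each such iteration reaches `UserDerefObjectCo(Wnd)` before the loop comes round again; the deref is not visible in either hunk, and a path that skips it would push an entry that is still linked and corrupt the thread's reference list. Please confirm the ref/deref pairing inside the loop body and record it at the declaration, e.g. `/* reused per iteration; must be dereferenced before the next pass */`. The same pattern appears in window.c (`Ref` declared before `while (!IsListEmpty(&WThread->WindowListHead))`, pushed at `@@ -588,7 +589,7 @@` with no deref in view) and, apparently inside a loop as well, in winpos.c (`@@ -1530,6 +1533,7 @@` / `@@ -1572,7 +1576,7 @@`). The enclosing block starts and ends outside the hunk.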
@@ -1307,7 +1315,7 @@
 
             if (! UnsafeRect || IntGdiIntersectRect(&dummy, &r, &rc))
             {
-               UserRefObjectCo(Wnd);
+               UserRefObjectCo(Wnd, &WndRef);
                co_WinPosSetWindowPos(Wnd, 0, r.left + dx, r.top + dy, 0, 0,
                                      SWP_NOZORDER | SWP_NOSIZE | SWP_NOACTIVATE |
                                      SWP_NOREDRAW);
@@ -1329,7 +1337,7 @@
 
    if ((CaretWnd = UserGetWindowObject(hwndCaret)))
    {
-      UserRefObjectCo(CaretWnd);
+      UserRefObjectCo(CaretWnd, &CaretRef);
 
       co_IntSetCaretPos(caretrc.left + dx, caretrc.top + dy);
       co_UserShowCaret(CaretWnd);

Modified: trunk/reactos/subsys/win32k/ntuser/scrollbar.c
--- trunk/reactos/subsys/win32k/ntuser/scrollbar.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/scrollbar.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -548,6 +548,7 @@
    PWINDOW_OBJECT Window;
    BOOL Ret;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserGetScrollBarInfo\n");
    UserEnterExclusive();
@@ -564,7 +565,7 @@
       RETURN(FALSE);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    Ret = co_IntGetScrollBarInfo(Window, idObject, &sbi);
    UserDerefObjectCo(Window);
 
@@ -595,6 +596,7 @@
    DWORD sz;
    BOOL Ret;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserGetScrollInfo\n");
    UserEnterExclusive();
@@ -619,7 +621,7 @@
       RETURN(FALSE);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    Ret = co_IntGetScrollInfo(Window, fnBar, &psi);
    UserDerefObjectCo(Window);
 
@@ -650,6 +652,7 @@
    PSCROLLBARINFO InfoV = NULL, InfoH = NULL;
    BOOL Chg = FALSE;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserEnableScrollBar\n");
    UserEnterExclusive();
@@ -658,7 +661,7 @@
    {
       RETURN(FALSE);
    }
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    if(wSBflags == SB_CTL)
    {
@@ -732,6 +735,7 @@
    NTSTATUS Status;
    LONG Obj;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserSetScrollBarInfo\n");
    UserEnterExclusive();
@@ -740,7 +744,7 @@
    {
       RETURN( FALSE);
    }
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    Obj = SBOBJ_TO_SBID(idObject);
    if(!SBID_IS_VALID(Obj))
@@ -792,6 +796,7 @@
    NTSTATUS Status;
    SCROLLINFO ScrollInfo;
    DECLARE_RETURN(DWORD);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserSetScrollInfo\n");
    UserEnterExclusive();
@@ -800,7 +805,7 @@
    {
       RETURN( 0);
    }
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    Status = MmCopyFromCaller(&ScrollInfo, lpsi, sizeof(SCROLLINFO) - sizeof(ScrollInfo.nTrackPos));
    if(!NT_SUCCESS(Status))
@@ -892,6 +897,7 @@
    PWINDOW_OBJECT Window;
    DECLARE_RETURN(DWORD);
    DWORD ret;
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserShowScrollBar\n");
    UserEnterExclusive();
@@ -901,7 +907,7 @@
       RETURN(0);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    ret = co_UserShowScrollBar(Window, wBar, bShow);
    UserDerefObjectCo(Window);
 

Modified: trunk/reactos/subsys/win32k/ntuser/vis.c
--- trunk/reactos/subsys/win32k/ntuser/vis.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/vis.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -151,6 +151,7 @@
 {
    HRGN Temp;
    PWINDOW_OBJECT Parent;
+   USER_REFERENCE_ENTRY Ref;
 
    ASSERT_REFS_CO(Window);
 
@@ -164,7 +165,7 @@
                      Window->WindowRect.left - Parent->ClientRect.left,
                      Window->WindowRect.top - Parent->ClientRect.top);
 
-      UserRefObjectCo(Parent);
+      UserRefObjectCo(Parent, &Ref);
       co_UserRedrawWindow(Parent, NULL, Temp,
                           RDW_FRAME | RDW_ERASE | RDW_INVALIDATE |
                           RDW_ALLCHILDREN);

Modified: trunk/reactos/subsys/win32k/ntuser/window.c
--- trunk/reactos/subsys/win32k/ntuser/window.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/window.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -239,7 +239,8 @@
    Window = UserGetWindowObject(hWnd);
    if (Window)
    {
-//      UserRefObjectCo(Window);
+//      USER_REFERENCE_ENTRY Ref;
+//      UserRefObjectCo(Window, &Ref);
       
       if (!IntGetOwner(Window) && !IntGetParent(Window))
       {
@@ -569,7 +570,7 @@
    PW32THREAD WThread;
    PLIST_ENTRY Current;
    PWINDOW_OBJECT Wnd;
-
+   USER_REFERENCE_ENTRY Ref;
    WThread = Thread->Tcb.Win32Thread;
    
    while (!IsListEmpty(&WThread->WindowListHead))
@@ -588,7 +589,7 @@
       
       //ASSERT(co_UserDestroyWindow(Wnd));
       
-      UserRefObjectCo(Wnd);//faxme: temp hack??
+      UserRefObjectCo(Wnd, &Ref);//faxme: temp hack??
       if (!co_UserDestroyWindow(Wnd))
       {
          DPRINT1("Unable to destroy window 0x%x at thread cleanup... This is _VERY_ bad!\n", Wnd);
@@ -1355,6 +1356,7 @@
    BOOL MenuChanged;
    DECLARE_RETURN(HWND);
    BOOL HasOwner;
+   USER_REFERENCE_ENTRY ParentRef, Ref;
 
    ParentWindowHandle = PsGetWin32Thread()->Desktop->DesktopWindow;
    OwnerWindowHandle = NULL;
@@ -1388,7 +1390,7 @@
 //   {
    ParentWindow = UserGetWindowObject(ParentWindowHandle);
 
-   if (ParentWindow) UserRefObjectCo(ParentWindow);
+   if (ParentWindow) UserRefObjectCo(ParentWindow, &ParentRef);
 //   }
 //   else
 //   {
@@ -1441,7 +1443,7 @@
       RETURN( (HWND)0);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    ObDereferenceObject(WinSta);
 
@@ -2118,8 +2120,8 @@
 
                if (IntWndBelongsToThread(Child, PsGetWin32Thread()))
                {
-
-                  UserRefObjectCo(Child);//temp hack?
+                  USER_REFERENCE_ENTRY ChildRef;
+                  UserRefObjectCo(Child, &ChildRef);//temp hack?
                   co_UserDestroyWindow(Child);
                   UserDerefObjectCo(Child);//temp hack?
 
@@ -2165,6 +2167,7 @@
    PWINDOW_OBJECT Window;
    DECLARE_RETURN(BOOLEAN);
    BOOLEAN ret;
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserDestroyWindow\n");
    UserEnterExclusive();
@@ -2174,7 +2177,7 @@
       RETURN(FALSE);
    }
 
-   UserRefObjectCo(Window);//faxme: dunno if win should be reffed during destroy..
+   UserRefObjectCo(Window, &Ref);//faxme: dunno if win should be reffed during destroy..
    ret = co_UserDestroyWindow(Window);
    UserDerefObjectCo(Window);//faxme: dunno if win should be reffed during destroy..
 
@@ -2778,6 +2781,7 @@
 {
    PWINDOW_OBJECT Wnd = NULL, WndParent = NULL, WndOldParent;
    HWND hWndOldParent = NULL;
+   USER_REFERENCE_ENTRY Ref, ParentRef;
 
    if (IntIsBroadcastHwnd(hWndChild) || IntIsBroadcastHwnd(hWndNewParent))
    {
@@ -2811,8 +2815,8 @@
       return( NULL);
    }
 
-   UserRefObjectCo(Wnd);
-   UserRefObjectCo(WndParent);
+   UserRefObjectCo(Wnd, &Ref);
+   UserRefObjectCo(WndParent, &ParentRef);
    
    WndOldParent = co_IntSetParent(Wnd, WndParent);
    
@@ -2930,6 +2934,7 @@
    PWINSTATION_OBJECT WinStaObject;
    PWINDOW_OBJECT WndShell;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserSetShellWindowEx\n");
    UserEnterExclusive();
@@ -2985,7 +2990,7 @@
       RETURN( FALSE);
    }
 
-   UserRefObjectCo(WndShell);
+   UserRefObjectCo(WndShell, &Ref);
    co_WinPosSetWindowPos(WndShell, HWND_BOTTOM, 0, 0, 0, 0, SWP_NOMOVE|SWP_NOSIZE|SWP_NOACTIVATE);
 
    WinStaObject->ShellWindow = hwndShell;
@@ -3876,7 +3881,9 @@
 
    if (Changed && Repaint)
    {
-      UserRefObjectCo(Window);
+      USER_REFERENCE_ENTRY Ref;
+
+      UserRefObjectCo(Window, &Ref);
       co_WinPosSetWindowPos(Window, 0, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE |
                             SWP_NOACTIVATE | SWP_NOZORDER | SWP_FRAMECHANGED);
 
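Review bot: `Ref` now lives only as long as the `if (Changed && Repaint)` block, whereas the `_alloca` storage it replaces lasted until the function returned. The matching `UserDerefObjectCo(Window)` is outside the hunk; it has to run before the closing brace of this block, otherwise the thread's reference list keeps a pointer into storage whose lifetime has ended. If the deref sits later in the function, move the declaration to function scope instead. The block-scoped entries in winpos.c (`@@ -224,7 +225,8 @@` and `@@ -709,7 +711,8 @@`) need the same check, since their derefs are not visible either.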
@@ -3917,6 +3924,7 @@
    WINDOWPLACEMENT Safepl;
    NTSTATUS Status;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserSetWindowPlacement\n");
    UserEnterExclusive();
@@ -3936,7 +3944,7 @@
       RETURN( FALSE);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    if ((Window->Style & (WS_MAXIMIZE | WS_MINIMIZE)) == 0)
    {
@@ -3982,6 +3990,7 @@
    DECLARE_RETURN(BOOL);
    PWINDOW_OBJECT Window;
    BOOL ret;
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserSetWindowPos\n");
    UserEnterExclusive();
@@ -3991,7 +4000,7 @@
       RETURN(FALSE);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    ret = co_WinPosSetWindowPos(Window, hWndInsertAfter, X, Y, cx, cy, uFlags);
    UserDerefObjectCo(Window);
 
@@ -4114,7 +4123,8 @@
 
    if(bRedraw)
    {
-      UserRefObjectCo(Window);
+      USER_REFERENCE_ENTRY Ref;
+      UserRefObjectCo(Window, &Ref);
       co_UserRedrawWindow(Window, NULL, NULL, RDW_INVALIDATE);
       UserDerefObjectCo(Window);
    }
@@ -4137,6 +4147,7 @@
    PWINDOW_OBJECT Window;
    BOOL ret;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserShowWindow\n");
    UserEnterExclusive();
@@ -4146,7 +4157,7 @@
       RETURN(FALSE);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
    ret = co_WinPosShowWindow(Window, nCmdShow);
    UserDerefObjectCo(Window);
 
@@ -4206,6 +4217,7 @@
    HWND Ret;
    PWINDOW_OBJECT DesktopWindow = NULL, Window = NULL;
    DECLARE_RETURN(HWND);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserWindowFromPoint\n");
    UserEnterExclusive();
@@ -4219,7 +4231,7 @@
 
       //hmm... threads live on desktops thus we have a reference on the desktop and indirectly the desktop window
       //its possible this referencing is useless, thou it shouldnt hurt...
-      UserRefObjectCo(DesktopWindow);
+      UserRefObjectCo(DesktopWindow, &Ref);
       
       Hit = co_WinPosWindowFromPoint(DesktopWindow, PsGetWin32Thread()->MessageQueue, &pt, &Window);
       

Modified: trunk/reactos/subsys/win32k/ntuser/winpos.c
--- trunk/reactos/subsys/win32k/ntuser/winpos.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/ntuser/winpos.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -149,6 +149,7 @@
 {
    PWINDOW_OBJECT WndTo = NULL;
    HWND Fg;
+   USER_REFERENCE_ENTRY Ref;
 
    ASSERT_REFS_CO(Window);
 
@@ -176,7 +177,7 @@
 
 done:
 
-   if (WndTo) UserRefObjectCo(WndTo);
+   if (WndTo) UserRefObjectCo(WndTo, &Ref);
 
    Fg = UserGetForegroundWindow();
    if ((!Fg || Window->hSelf == Fg) && WndTo)//fixme: ok if WndTo is NULL??
@@ -224,7 +225,8 @@
 
       if((WndChild->Style & WS_MINIMIZE) != 0 )
       {
-         UserRefObjectCo(WndChild);
+         USER_REFERENCE_ENTRY Ref;
+         UserRefObjectCo(WndChild, &Ref);
 
          co_WinPosSetWindowPos(WndChild, 0, x + UserGetSystemMetrics(SM_CXBORDER),
                                y - yspacing - UserGetSystemMetrics(SM_CYBORDER)
@@ -709,7 +711,8 @@
          if ((Wnd->Style & WS_POPUP) &&
                UserGetWindow(List[i], GW_OWNER) == hWnd)
          {
-            UserRefObjectCo(Wnd);
+            USER_REFERENCE_ENTRY Ref;
+            UserRefObjectCo(Wnd, &Ref);
 
             co_WinPosSetWindowPos(Wnd, hWndInsertAfter, 0, 0, 0, 0,
                                   SWP_NOMOVE | SWP_NOSIZE | SWP_NOACTIVATE | SWP_NOSENDCHANGING);
@@ -1530,6 +1533,7 @@
 {
    PWINDOW_OBJECT Current;
    HWND *List, *phWnd;
+   USER_REFERENCE_ENTRY Ref;
    
    ASSERT_REFS_CO(ScopeWin);
 
@@ -1572,7 +1576,7 @@
             break;
          }
 
-         UserRefObjectCo(Current);
+         UserRefObjectCo(Current, &Ref);
          
          if (OnlyHitTests && (Current->MessageQueue == OnlyHitTests))
          {
@@ -1657,6 +1661,7 @@
    MINMAXINFO SafeMinMax;
    NTSTATUS Status;
    DECLARE_RETURN(BOOL);
+   USER_REFERENCE_ENTRY Ref;
 
    DPRINT("Enter NtUserGetMinMaxInfo\n");
    UserEnterExclusive();
@@ -1666,7 +1671,7 @@
       RETURN( FALSE);
    }
 
-   UserRefObjectCo(Window);
+   UserRefObjectCo(Window, &Ref);
 
    Size.x = Window->WindowRect.left;
    Size.y = Window->WindowRect.top;

Modified: trunk/reactos/subsys/win32k/objects/color.c
--- trunk/reactos/subsys/win32k/objects/color.c	2005-10-15 12:40:30 UTC (rev 18480)
+++ trunk/reactos/subsys/win32k/objects/color.c	2005-10-15 13:22:13 UTC (rev 18481)
@@ -638,6 +638,7 @@
 {
    PWINDOW_OBJECT Wnd;
    BOOL calledFromUser, ret;
+   USER_REFERENCE_ENTRY Ref;
 
    calledFromUser = UserIsEntered();
    
@@ -657,7 +658,7 @@
       return FALSE;
    }
    
-   UserRefObjectCo(Wnd);
+   UserRefObjectCo(Wnd, &Ref);
    ret = co_UserRedrawWindow(Wnd, NULL, 0, RDW_INVALIDATE);
    UserDerefObjectCo(Wnd);