The GetAncestor function can cause "Stop error code 0x0000001e" in Win32k.sys

This article was previously published under Q280582
If you pass the handle of a top-level non-desktop window and the GA_ROOT flag to the GetAncestor function, it automatically assumes that the window is a child of the desktop and dereferences the NULL spwndParent field. The resulting stop code in Service Pack 1 (SP1) is:
Stop 0x0000001e (0xc0000005, 0xa00f8d53, 0x00000000, 0x0000000c)
This problem occurs when the handle of a window of the type that is described above is passed in a call to GetAncestor(hWnd, GA_ROOT). The problem occurs every time you do this. A crash dump in Win32k.sys shows that the crash always occurs in the context of Wfshell.exe. User-mode program components contributed to the crash: a program is passing the handle of the "root" window to GetAncestor. GetAncestor cannot handle this case when the GA_ROOT flag is set, and it ends up dereferencing the parent pointer of the "root" window.

The "root" window is hidden from access by user-mode programs, but if a program can obtain the handle somehow and then call GetAncestor on the handle, the problem occurs.
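The failure described above, as a simplified user-mode model in C. This is an added example, not Win32k.sys source or code from the article: the WND_MODEL type, both function names and the sample window chain are assumptions, and only the spwndParent field name comes from the article. Returning NULL for a window that is not below the desktop is this example's choice, not a description of how the shipped fix behaves.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model of a window object. WND_MODEL is a hypothetical type;
 * only the spwndParent field name is taken from the article. */
typedef struct WND_MODEL {
    const char *name;
    struct WND_MODEL *spwndParent;  /* NULL for the hidden "root" window */
} WND_MODEL;

/* Constructed sample chain: root <- desktop <- top-level <- child. */
WND_MODEL g_root    = { "root",    NULL };
WND_MODEL g_desktop = { "desktop", &g_root };
WND_MODEL g_top     = { "top",     &g_desktop };
WND_MODEL g_child   = { "child",   &g_top };

/* Pattern the article describes: the walk assumes every window eventually
 * has the desktop as its parent. For a window whose chain ends in NULL,
 * pwnd becomes NULL and the next pwnd->spwndParent read faults. */
WND_MODEL *ga_root_unchecked(WND_MODEL *pwnd, const WND_MODEL *desktop)
{
    while (pwnd->spwndParent != desktop)
        pwnd = pwnd->spwndParent;
    return pwnd;
}

/* Checked walk: stop when the chain runs out and report "no root ancestor"
 * (NULL) instead of dereferencing a NULL parent pointer. */
WND_MODEL *ga_root_checked(WND_MODEL *pwnd, const WND_MODEL *desktop)
{
    while (pwnd != NULL && pwnd->spwndParent != desktop)
        pwnd = pwnd->spwndParent;
    return pwnd;
}

int main(void)
{
    WND_MODEL *in[] = { &g_child, &g_top, &g_desktop, &g_root };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        WND_MODEL *r = ga_root_checked(in[i], &g_desktop);
        printf("%-8s -> %s\n", in[i]->name, r ? r->name : "(none)");
    }
    /* The unchecked walk is only safe for windows below the desktop. */
    printf("unchecked child -> %s\n",
           ga_root_unchecked(&g_child, &g_desktop)->name);
    return 0;
}
```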
   Date       Time    Version          Size      File name
   -----------------------------------------------------------------
   5/31/2001  03:30p  5.0.2195.3649    222,480   Gdi32.dll
   5/31/2001  03:44p  5.0.2195.3660  1,641,360   Win32k.sys (uniprocessor)
   5/31/2001  03:32p  5.0.2195.3649    243,472   Winsrv.dll (uniprocessor)
   5/31/2001  03:30p  5.0.2195.3649    379,664   User32.dll
   5/31/2001  03:06p  5.0.2195.3660  1,641,360   Win32k.sys
   5/31/2001  03:32p  5.0.2195.3649    243,472   Winsrv.dll

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
