This is a temporary helper for the system call entry point to store the user mode stack, before switching to the kernel mode stack. Initially it was copied to the trap frame inside KiSystemCallHandler. This has been moved to the system call entry point, but some remnants remained. The problem is that KiSystemCallHandler can be called twice in a system call (when the call is the first GUI call and the stack needs to be extended). In that scenario, when the thread was preempted, a new value could be saved in the PCR before running KiSystemCallHandler again, and then overwriting the proper value with a bogus one from a different thread. This rarely seemed to happen on UP, but happens a lot with SMP.
This is used in KiUserModeCallout instead of KiServiceExit2. The latter is broken, leaks non-volatile registers and will need to be modified to handle an exception frame, which we don't need/have here. It will also use sysret instead of iret and is generally simpler/faster.
Eventually it would be desirable to skip the entire trap frame setup and do everything in KiCallUserMode. This requires some cleanup and special handling for user APC delivery.
