diff --git a/src/coreclr/nativeaot/Runtime/i386/AsmMacros.inc b/src/coreclr/nativeaot/Runtime/i386/AsmMacros.inc
index 3310d0403bafb4..9a1149c7e344f1 100644
--- a/src/coreclr/nativeaot/Runtime/i386/AsmMacros.inc
+++ b/src/coreclr/nativeaot/Runtime/i386/AsmMacros.inc
@@ -130,6 +130,7 @@ PTFF_SAVE_RDI           equ 00000004h
 PTFF_SAVE_ALL_PRESERVED equ 00000007h   ;; NOTE: RBP is not included in this set!
 PTFF_SAVE_RSP           equ 00008000h
 PTFF_SAVE_RAX           equ 00000100h   ;; RAX is saved if it contains a GC ref and we're in hijack handler
+PTFF_SAVE_RCX           equ 00000200h   ;; RCX is saved if it contains a GC ref and we're in hijack handler
 PTFF_SAVE_ALL_SCRATCH   equ 00000700h
 
 ;; These must match the TrapThreadsFlags enum
diff --git a/src/coreclr/nativeaot/Runtime/i386/GcProbe.asm b/src/coreclr/nativeaot/Runtime/i386/GcProbe.asm
index 9ce0bb236478a6..82db72de4b0d2a 100644
--- a/src/coreclr/nativeaot/Runtime/i386/GcProbe.asm
+++ b/src/coreclr/nativeaot/Runtime/i386/GcProbe.asm
@@ -20,9 +20,9 @@ DEFAULT_PROBE_SAVE_FLAGS        equ PTFF_SAVE_ALL_PRESERVED + PTFF_SAVE_RSP
 ;;  All registers correct for return to the original return address.
 ;;
 ;; Register state on exit:
-;;  EAX: not trashed or saved
+;;  EAX: saved at [ebp - 12]
 ;;  EBP: new EBP frame with correct return address
-;;  ESP: points to saved scratch registers (ECX & EDX)
+;;  ESP: points to saved scratch registers (ECX, EDX, EAX)
 ;;  ECX: return value flags
 ;;  EDX: thread pointer
 ;;
@@ -32,6 +32,7 @@ HijackFixupProlog macro
         mov         ebp, esp
         push        ecx         ; save scratch registers
         push        edx         ; save scratch registers
+        push        eax         ; save scratch registers
 
         ;; edx <- GetThread(), TRASHES ecx
         INLINE_GETTHREAD edx, ecx
@@ -68,6 +69,7 @@ endm
 ;;  All registers restored as they were when the hijack was first reached.
 ;;
 HijackFixupEpilog macro
+        pop         eax
         pop         edx
         pop         ecx
         pop         ebp
@@ -92,7 +94,8 @@ endm
 ;;  ECX is NOT trashed if BITMASK_REG_OR_VALUE is a literal value and not a register
 ;;
 PushProbeFrame macro BITMASK_REG_OR_VALUE
-        push        eax                     ; EAX
+        push        [ebp - 4]               ; ECX
+        push        [ebp - 12]              ; EAX
         lea         eax, [ebp + 8]                      ; get caller ESP
         push        eax                     ; ESP
         push        edi                     ; EDI
@@ -128,6 +131,7 @@ endm
 ;;  ESI: restored
 ;;  EDI: restored
 ;;  EAX: restored
+;;  ECX: restored
 ;;
 PopProbeFrame macro
         add         esp, 4*4h
@@ -135,7 +139,8 @@ PopProbeFrame macro
         pop         esi
         pop         edi
         pop         eax     ; discard ESP
-        pop         eax
+        pop         [ebp - 12]                          ; write updated EAX back to HijackFixupProlog save location
+        pop         [ebp - 4]                           ; write updated ECX back to HijackFixupProlog save location
 endm
 
 ;;
@@ -147,7 +152,7 @@ endm
 ;;  ECX: register bitmask
 ;;  EDX: thread pointer
 ;;  EBP: EBP frame
-;;  ESP: scratch registers pushed (ECX & EDX)
+;;  ESP: scratch registers pushed (ECX, EDX, EAX)
 ;;
 ;; Register state on exit:
 ;;  All registers restored as they were when the hijack was first reached.
@@ -213,7 +218,7 @@ endm
 ;;  EDX: thread pointer
 ;;  ECX: register bitmask
 ;;  EBP: EBP frame
-;;  ESP: scratch registers pushed (ECX and EDX)
+;;  ESP: scratch registers pushed (ECX, EDX, EAX)
 ;;
 ;; Register state on exit:
 ;;  All registers restored as they were when the hijack was first reached.
@@ -241,7 +246,7 @@ _RhpGcProbeHijack@0  proc public
         HijackFixupEpilog
 
 WaitForGC:
-        or          ecx, DEFAULT_PROBE_SAVE_FLAGS + PTFF_SAVE_RAX
+        or          ecx, DEFAULT_PROBE_SAVE_FLAGS + PTFF_SAVE_RAX + PTFF_SAVE_RCX
         jmp         RhpWaitForGC
 
 _RhpGcProbeHijack@0  endp
@@ -250,7 +255,7 @@ ifdef FEATURE_GC_STRESS
 _RhpGcStressHijack@0  proc public
 
         HijackFixupProlog
-        or          ecx, DEFAULT_PROBE_SAVE_FLAGS + PTFF_SAVE_RAX
+        or          ecx, DEFAULT_PROBE_SAVE_FLAGS + PTFF_SAVE_RAX + PTFF_SAVE_RCX
         jmp         RhpGcStressProbe
 
 _RhpGcStressHijack@0  endp
diff --git a/src/coreclr/nativeaot/Runtime/inc/rhbinder.h b/src/coreclr/nativeaot/Runtime/inc/rhbinder.h
index 963942ce6d846b..534e41f695aec3 100644
--- a/src/coreclr/nativeaot/Runtime/inc/rhbinder.h
+++ b/src/coreclr/nativeaot/Runtime/inc/rhbinder.h
@@ -521,8 +521,8 @@ struct PInvokeTransitionFrame
 // RBX, RSI, RDI, R12, R13, R14, R15, RAX, RSP
 #define PInvokeTransitionFrame_SaveRegs_count 9
 #elif defined(TARGET_X86)
-// RBX, RSI, RDI, RAX, RSP
-#define PInvokeTransitionFrame_SaveRegs_count 5
+// RBX, RSI, RDI, RSP, RAX, RCX
+#define PInvokeTransitionFrame_SaveRegs_count 6
 #elif defined(TARGET_ARM)
 // R4-R10, R0, SP
 #define PInvokeTransitionFrame_SaveRegs_count 9