CRITICAL_PROCESS_DIED: How to Fix the Microsoft Stop Code (Complete Guide)
Fix the CRITICAL_PROCESS_DIED Blue Screen of Death on Windows. Step-by-step diagnosis using WinDbg, SFC, DISM, and driver rollback. Resolve stop code 0x000000EF
- Root Cause 1: A critical Windows kernel process (such as smss.exe, csrss.exe, wininit.exe, or winlogon.exe) terminated unexpectedly, forcing the OS to halt with stop code 0x000000EF.
- Root Cause 2: Faulty, outdated, or incompatible device drivers — especially graphics, storage (NVMe/SATA), and chipset drivers — corrupt kernel memory and trigger the crash.
- Root Cause 3: Corrupted Windows system files, bad RAM modules, failing SSDs/HDDs, or malware infections targeting system processes cause repeated BSODs.
- Quick Fix Summary: Boot into Safe Mode, run 'sfc /scannow' and 'DISM /RestoreHealth', update or roll back suspect drivers, run Windows Memory Diagnostic, and check Event Viewer for the offending process before the crash.
| Method | When to Use | Time | Risk |
|---|---|---|---|
| SFC + DISM Scan | Corrupted system files suspected; first-line fix after any BSOD | 10–30 min | Low |
| Driver Rollback / Update | BSOD started after a Windows Update or new hardware install | 5–15 min | Low–Medium |
| Windows Memory Diagnostic | Random BSODs not tied to specific action; RAM upgrade recent | 15–60 min | Low |
| Check Disk (chkdsk) | Storage errors in Event Viewer; HDD/SSD showing health warnings | 30–120 min | Low |
| System Restore | BSOD appeared after a known software or driver change | 15–30 min | Low |
| Clean Boot / Safe Mode Diagnosis | Cannot isolate culprit; third-party software suspected | 20–40 min | Low |
| Reset / Reinstall Windows | All other methods failed; filesystem too corrupted to repair | 60–180 min | High — data loss risk |
Understanding the CRITICAL_PROCESS_DIED Error
The full error message displayed on the Blue Screen of Death (BSOD) reads:
Your PC ran into a problem and needs to restart.
Stop code: CRITICAL_PROCESS_DIED
This corresponds to Windows stop code 0x000000EF. It means the Windows kernel detected that a process marked as critical to system operation has exited or crashed in an unexpected way. Windows has no recovery path from this state and forces an immediate system halt.
Common critical processes include:
- smss.exe — Session Manager Subsystem
- csrss.exe — Client/Server Runtime Subsystem
- wininit.exe — Windows Initialization
- winlogon.exe — Windows Logon
- services.exe — Service Control Manager
- lsass.exe — Local Security Authority
If any of these processes exit with a non-zero code or are forcibly terminated, the kernel issues the CRITICAL_PROCESS_DIED bugcheck.
Step 1: Capture the Crash Dump and Read Event Viewer
Before making any changes, gather forensic data.
Enable complete memory dumps (if not already set):
- Open System Properties → Advanced → Startup and Recovery → Settings.
- Under "Write debugging information," select Small memory dump (256 KB) or Kernel memory dump.
- Note the dump path (default:
%SystemRoot%\Minidump).
Read the crash dump with WinDbg:
Install WinDbg from the Microsoft Store or the Windows SDK. Open the most recent .dmp file from C:\Windows\Minidump.
In WinDbg, run:
!analyze -v
Look for the PROCESS_NAME and STACK_TEXT fields. These identify the exact process and code path that triggered the crash.
Check Event Viewer:
- Press
Win + X→ Event Viewer. - Navigate to Windows Logs → System.
- Filter by Critical and Error level events.
- Look for events from BugCheck, Kernel-Power, or WER (Windows Error Reporting) at the timestamp of the crash.
- Also check Applications and Services Logs → Microsoft → Windows → WER-Diagnostics.
Step 2: Boot into Safe Mode
If the system crashes on every boot, you must enter Safe Mode to work:
- On the login screen, hold Shift and click Restart.
- Go to Troubleshoot → Advanced Options → Startup Settings → Restart.
- Press 4 (Safe Mode) or 5 (Safe Mode with Networking).
Alternatively, boot from a Windows 10/11 installation USB:
- Select Repair your computer → Troubleshoot → Advanced Options → Command Prompt.
Step 3: Run SFC and DISM to Repair System Files
System File Checker replaces corrupted protected Windows files:
# Run as Administrator in Command Prompt or PowerShell
sfc /scannow
If SFC reports it could not fix all errors, run DISM to repair the component store first, then repeat SFC:
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
# After DISM completes:
sfc /scannow
Reboot after completion and observe if the BSOD recurs.
Step 4: Update or Roll Back Device Drivers
Drivers are the most frequent non-hardware cause of CRITICAL_PROCESS_DIED. Focus on:
- GPU drivers (NVIDIA, AMD, Intel)
- NVMe/SATA controller drivers
- Chipset drivers
- Network adapter drivers
To roll back a driver:
- Press
Win + X→ Device Manager. - Expand the relevant category, right-click the device → Properties.
- Go to the Driver tab → Roll Back Driver.
To update all drivers via command line:
# Scan for driver updates using Windows Update
usoclient StartScan
# Or use PowerShell to list problematic devices
Get-WmiObject Win32_PnPEntity | Where-Object {$_.ConfigManagerErrorCode -ne 0} | Select-Object Name, DeviceID, ConfigManagerErrorCode
If the dump file from Step 1 names a specific .sys file in the stack trace, search for that file name — it is the driver to target.
Step 5: Check RAM with Windows Memory Diagnostic
Faulty RAM causes kernel corruption that manifests as CRITICAL_PROCESS_DIED.
# Run from Start Menu search or Run dialog (Win + R)
mdsched.exe
Choose Restart now and check for problems. After the test, results appear in Event Viewer under Windows Logs → System, source MemoryDiagnostics-Results.
For more thorough testing, use MemTest86 (bootable USB, runs outside Windows).
Step 6: Check Disk Health
# Check disk for errors on C: drive (schedules on next reboot)
chkdsk C: /f /r /x
# View SMART data for NVMe drives
Get-PhysicalDisk | Get-StorageReliabilityCounter | Select-Object DeviceId, ReadErrorsTotal, WriteErrorsTotal, Temperature
# For HDD/SSD via WMIC
wmic diskdrive get status, model, size
If chkdsk reports bad sectors or SMART shows reallocated sectors, the drive is failing and must be replaced.
Step 7: Scan for Malware
Malware targeting system processes can cause this BSOD. Run a full offline scan:
# Windows Defender offline scan (triggers on next reboot)
Start-MpScan -ScanType OfflineScan
# Or from Command Prompt
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3
Also consider running Malwarebytes in Safe Mode for a second opinion.
Step 8: Perform a System Restore
If the BSOD began after a specific date:
- Press
Win + R→ typerstrui.exe→ Enter. - Select a restore point from before the issue started.
- Confirm and let Windows roll back.
System Restore does not affect personal files but will remove apps and drivers installed after the restore point.
Step 9: Reset or Reinstall Windows (Last Resort)
If all else fails:
- Go to Settings → System → Recovery → Reset this PC.
- Choose Keep my files (repairs Windows while preserving documents) or Remove everything (clean install).
For a completely clean install, boot from a Windows ISO USB created with the Media Creation Tool from Microsoft.
Advanced: Analyze Minidump with WinDbg
If you want to pinpoint the exact root cause:
- Install WinDbg Preview from the Microsoft Store.
- Set the symbol path:
File → Settings → Debugging Settings → Symbol Path→ entersrv*C:\Symbols*https://msdl.microsoft.com/download/symbols - Open the
.dmpfile fromC:\Windows\Minidump. - Run
!analyze -vand look for:BUGCHECK_STR: CRITICAL_PROCESS_DIEDPROCESS_NAME:— the crashing processIMAGE_NAME:— often a.sysdriver fileSTACK_TEXT:— the call stack leading to the crash
This gives you the precise driver or component to target.
Frequently Asked Questions
# ============================================================
# CRITICAL_PROCESS_DIED Diagnostic & Fix Script
# Run as Administrator in PowerShell
# ============================================================
# --- Step 1: Check for recent BSODs in Event Log ---
Write-Host "=== Recent BSOD Events ==="
Get-WinEvent -LogName System -MaxEvents 500 | Where-Object {
$_.Id -eq 1001 -and $_.ProviderName -eq 'Microsoft-Windows-WER-SystemErrorReporting'
} | Select-Object TimeCreated, Message | Format-List
# --- Step 2: List minidump files ---
Write-Host "`n=== Minidump Files ==="
Get-ChildItem "$env:SystemRoot\Minidump" -Filter "*.dmp" -ErrorAction SilentlyContinue |
Sort-Object LastWriteTime -Descending |
Select-Object Name, LastWriteTime, @{N='SizeMB';E={[math]::Round($_.Length/1MB,2)}}
# --- Step 3: Run System File Checker ---
Write-Host "`n=== Running SFC (this may take 10-20 minutes) ==="
$sfcResult = sfc /scannow
$sfcResult
# --- Step 4: Run DISM RestoreHealth ---
Write-Host "`n=== Running DISM RestoreHealth ==="
DISM /Online /Cleanup-Image /RestoreHealth
# --- Step 5: Check for problematic devices (driver issues) ---
Write-Host "`n=== Devices with Errors ==="
Get-WmiObject Win32_PnPEntity | Where-Object {
$_.ConfigManagerErrorCode -ne 0
} | Select-Object Name, DeviceID, ConfigManagerErrorCode | Format-Table -AutoSize
# --- Step 6: Check disk health via SMART ---
Write-Host "`n=== Physical Disk Reliability Counters ==="
Get-PhysicalDisk | Get-StorageReliabilityCounter | Select-Object `
DeviceId, ReadErrorsTotal, WriteErrorsTotal, `
Temperature, Wear, PowerOnHours | Format-Table -AutoSize
# --- Step 7: Check disk for errors (schedules on next reboot) ---
Write-Host "`n=== Scheduling CHKDSK on C: ==="
cmd /c "echo y | chkdsk C: /f /r /x"
# --- Step 8: Trigger Windows Memory Diagnostic ---
Write-Host "`n=== Launching Memory Diagnostic (will require reboot) ==="
$response = Read-Host "Run Memory Diagnostic now? (y/n)"
if ($response -eq 'y') { mdsched.exe }
# --- Step 9: Run Defender Quick Scan ---
Write-Host "`n=== Running Windows Defender Quick Scan ==="
Start-MpScan -ScanType QuickScan
# --- Step 10: List recently installed drivers ---
Write-Host "`n=== Drivers Installed in Last 30 Days ==="
$cutoff = (Get-Date).AddDays(-30)
Get-WmiObject Win32_PnPSignedDriver | Where-Object {
$_.DriverDate -ne $null -and
[Management.ManagementDateTimeConverter]::ToDateTime($_.DriverDate) -gt $cutoff
} | Select-Object DeviceName, DriverVersion, DriverDate, Manufacturer |
Sort-Object DriverDate -Descending | Format-Table -AutoSize
Write-Host "`n=== Diagnostic Complete. Review output above and check C:\Windows\Minidump for dump analysis. ==="Error Medic Editorial
The Error Medic Editorial team consists of senior DevOps engineers, SREs, and Windows systems administrators with over a decade of combined experience diagnosing kernel-level failures, BSOD crashes, and enterprise Windows infrastructure incidents. Our guides are based on hands-on troubleshooting, official Microsoft documentation, and analysis of real crash dumps across thousands of support cases.
Sources
- https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xef--critical-process-died
- https://support.microsoft.com/en-us/windows/run-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chkdsk
- https://stackoverflow.com/questions/tagged/bsod
- https://answers.microsoft.com/en-us/windows/forum/all/critical-process-died/
- https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg