What is the stop code for CRITICAL_PROCESS_DIED and what does it mean?

The stop code is 0x000000EF. It means the Windows kernel detected that a critical system process — such as smss.exe, csrss.exe, wininit.exe, or lsass.exe — exited or crashed without going through the normal Windows shutdown sequence. Because these processes are essential to OS operation, Windows cannot continue and forces a BSOD to prevent worse data corruption.

How is CRITICAL_PROCESS_DIED on Windows Server 2012 R2 different from Windows Server 2019?

The root stop code (0x000000EF) is identical. However, on Server 2012 R2, legacy driver incompatibilities and missing hotfixes after the end-of-extended-support period are the dominant causes. On Server 2019, virtualization layer issues (Hyper-V integration components), Windows Defender Credential Guard conflicts, and newer NVMe/Storage Spaces Direct driver bugs are more commonly implicated. The diagnostic and fix steps are largely the same, but the suspect driver categories differ.

My Windows Server keeps rebooting in a loop after CRITICAL_PROCESS_DIED. How do I stop the automatic restart?

If you can briefly reach the desktop or a command prompt before the next reboot, run: `wmic recoveros set AutoReboot=False` or navigate to System Properties → Advanced → Startup and Recovery → uncheck 'Automatically restart'. If you cannot reach Windows at all, boot from installation media into the Recovery Console and edit the registry: mount the offline hive at HKLM\SYSTEM\CurrentControlSet\Control\CrashControl and set 'AutoReboot' (REG_DWORD) to 0.

Can a Windows Update cause CRITICAL_PROCESS_DIED on Windows Server 2019?

Yes. Cumulative Updates that include kernel-mode components or driver updates can trigger this BSOD if a conflict exists with existing third-party drivers or if the update itself is partially corrupted during installation. To diagnose, run 'wmic qfe list brief /format:table' to identify recently installed KBs, correlate with the crash timestamp in Event Viewer, and uninstall the suspect KB with 'wusa /uninstall /kb:XXXXXXX /quiet /norestart'. Always test Cumulative Updates in staging before production deployment.

Will running SFC and DISM fix CRITICAL_PROCESS_DIED permanently?

SFC and DISM fix corrupted or missing Windows system files, which is one of several possible causes. If system file corruption is the root cause, these tools will resolve the issue permanently. However, if the crash is caused by a faulty third-party driver, bad RAM, or a failing disk, SFC/DISM will not prevent recurrence. Use them as a first-pass remediation step and follow up with driver analysis via WinDbg minidump examination and hardware testing if crashes persist.

CRITICAL_PROCESS_DIED on Windows Server 2012 R2 & 2019: Complete Fix Guide

Fix CRITICAL_PROCESS_DIED BSOD on Windows Server 2012 R2 and 2019. Step-by-step diagnosis with SFC, DISM, minidump analysis, and driver rollback commands.

Last updated: March 1, 2026

Last verified: March 1, 2026

2,103 words

Key Takeaways

Corrupt or incompatible kernel-mode drivers are the #1 cause of CRITICAL_PROCESS_DIED (Stop Code 0x000000EF) on both Windows Server 2012 R2 and 2019.
Corrupted Windows system files, failed Windows Updates, faulty RAM, and misconfigured antivirus/security software are common secondary causes.
Quick-fix path: Boot into Safe Mode, run 'sfc /scannow' and 'DISM /Online /Cleanup-Image /RestoreHealth', analyze the minidump with WinDbg, roll back the offending driver, and verify hardware integrity with MemTest86 and disk diagnostics.

Fix Approaches Compared
Method	When to Use	Time	Risk
SFC /scannow + DISM RestoreHealth	Corrupted system files suspected after update or crash	15–45 min	Low
Driver rollback via Device Manager	BSOD started after a driver or Windows Update	5–15 min	Low
WinDbg minidump analysis	Need to identify exact faulting module/driver	20–60 min	None (read-only)
Windows Startup Repair	Server fails to boot and Safe Mode is unreachable	10–30 min	Low
System Restore / Snapshot rollback	Recent change caused instability and restore point exists	20–60 min	Medium (data loss risk)
RAM test with MemTest86	Random BSODs with no consistent faulting module	2–8 hrs	None
Clean OS reinstall / In-place upgrade	All software fixes exhausted; OS integrity severely compromised	1–4 hrs	High (data risk)

Understanding the CRITICAL_PROCESS_DIED Error

When Windows Server encounters a fatal condition where a critical system process terminates unexpectedly, it halts with a Blue Screen of Death (BSOD) displaying:

Your PC ran into a problem and needs to restart.
Stop Code: CRITICAL_PROCESS_DIED

The underlying bug check code is 0x000000EF. This error means the Windows kernel detected that a process flagged as critical — such as smss.exe (Session Manager), csrss.exe (Client/Server Runtime), wininit.exe, or lsass.exe — has exited or crashed outside of the normal shutdown sequence. Windows treats this as an unrecoverable state and forces a reboot to prevent data corruption.

On Windows Server 2012 R2, this error is commonly tied to legacy drivers failing after cumulative updates, third-party security software hooking into kernel memory, and hardware issues on aging server platforms. On Windows Server 2019, the same stop code appears but is increasingly triggered by Hyper-V integration components, Storage Spaces Direct driver conflicts, and Windows Defender Credential Guard interactions.

Step 1: Collect the Minidump File

Before touching anything, retrieve the crash dump. By default, Windows writes minidumps to C:\Windows\Minidump\. If the server is still reachable over RDP or you can mount the disk offline:

Navigate to C:\Windows\Minidump\
Sort by date — grab the most recent .dmp file.
Also check C:\Windows\MEMORY.DMP for a full kernel dump if configured.

If the server is in a reboot loop, boot from Windows Server installation media, open the Recovery Console, and copy the dump file to a USB drive.

Step 2: Analyze the Minidump with WinDbg

Install the Windows Debugging Tools (part of the Windows SDK) on a separate workstation. Open WinDbg and run:

!analyze -v

Key fields to note from the output:

PROCESS_NAME: The process that died (e.g., csrss.exe, lsass.exe)
MODULE_NAME and IMAGE_NAME: The driver or DLL that caused the fault
STACK_TEXT: The call stack showing what was executing at crash time
FAILURE_BUCKET_ID: A unique identifier useful for searching Microsoft's knowledge base

Example output snippet:

BugCheck EF, {fffffa80`12345678, 0, 0, 0}
Process: csrss.exe
IMAGE_NAME: SomeThirdPartyDriver.sys
FAILURE_BUCKET_ID: 0xEF_SomeThirdPartyDriver.sys_IMAGE_SomeThirdPartyDriver

If the faulting module is a .sys file from a third-party vendor (antivirus, backup agent, NIC driver), that is your primary suspect.

Step 3: Boot into Safe Mode

If the server is in a crash loop, you must get it into Safe Mode:

Windows Server 2012 R2:

Press F8 repeatedly during POST to access Advanced Boot Options.
Select Safe Mode with Networking.

Windows Server 2019:

F8 is disabled by default. Boot from installation media → Repair your computer → Troubleshoot → Advanced Options → Startup Settings → Restart → Press 4 or F4.
Alternatively, if you can reach a command prompt before reboot: bcdedit /set {current} safeboot minimal then reboot. Remember to undo this afterward with bcdedit /deletevalue {current} safeboot.

Step 4: Repair System Files with SFC and DISM

Once in Safe Mode (or a working Windows environment), run the following in an elevated Command Prompt:

System File Checker:

sfc /scannow

This scans all protected system files and replaces corrupted versions with cached copies. It writes a log to C:\Windows\Logs\CBS\CBS.log.

DISM Image Repair (Windows Server 2012 R2):

DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth

DISM with explicit source (when Windows Update is unavailable):

DISM /Online /Cleanup-Image /RestoreHealth /Source:WIM:D:\sources\install.wim:1 /LimitAccess

Replace D: with your mounted ISO drive letter. After DISM completes, rerun sfc /scannow to apply repaired component files.

Step 5: Roll Back or Remove the Offending Driver

If WinDbg identified a specific driver:

Open Device Manager (devmgmt.msc).
Locate the device associated with the driver.
Right-click → Properties → Driver tab → Roll Back Driver.
If no rollback is available, right-click → Uninstall device and check "Delete the driver software for this device".

For kernel-mode security software (EDR agents, antivirus minifilters), use the vendor's official uninstaller in Safe Mode, not just Control Panel.

To list all third-party kernel drivers and their start types from PowerShell:

Get-WmiObject Win32_SystemDriver | Where-Object {$_.PathName -notlike "*system32\drivers*" -or $_.State -eq 'Running'} | Select-Object Name, PathName, State, StartMode | Format-Table -AutoSize

Step 6: Check Windows Update and Patch History

A failed or partially applied Windows Update is a common trigger:

rem View recent update history
wmic qfe list brief /format:table

rem Uninstall a specific problematic KB
wusa /uninstall /kb:XXXXXXX /quiet /norestart

Check C:\Windows\WindowsUpdate.log (Server 2012 R2) or use:

Get-WindowsUpdateLog

(Server 2019 — generates a human-readable log at %USERPROFILE%\Desktop\WindowsUpdate.log)

Step 7: Hardware Diagnostics

If no software cause is found, test hardware:

RAM: Run MemTest86 from bootable USB. Allow at least 2 full passes. A single error = replace the DIMM.
Disk: Run chkdsk C: /f /r /x from recovery console or Safe Mode. For SSDs/NVMe, use vendor tools (Samsung Magician, Intel MAS).
Event Logs: Review System and Application logs in Event Viewer around the crash timestamp for hardware errors (disk I/O errors, WHEA hardware errors).

rem Run disk check on next reboot
chkdsk C: /f /r /x

rem View WHEA hardware errors from PowerShell
Get-WinEvent -LogName System | Where-Object {$_.Id -eq 19 -or $_.Id -eq 18} | Select-Object TimeCreated, Message | Format-List

Step 8: Startup Repair and Last Resort Options

If the OS cannot boot at all:

Boot from Windows Server installation media.
Choose Repair your computer → Troubleshoot → Startup Repair.
If Startup Repair fails, attempt an in-place upgrade repair by running Setup from the installation media on the live (but broken) OS — this reinstalls Windows while preserving data and applications.

For Windows Server 2019 on Hyper-V or Azure: Check the Hyper-V Integration Services version. Outdated integration components are a documented cause of CRITICAL_PROCESS_DIED in virtualized environments. Update via Windows Update or by reinstalling the Hyper-V Integration Services package.

Prevention Recommendations

Enable complete memory dumps via System Properties → Advanced → Startup and Recovery for richer post-mortem analysis.
Configure the server to not automatically reboot on BSOD: wmic recoveros set AutoReboot=False
Maintain driver inventory and test updates in a staging environment before production deployment.
Use Windows Server Update Services (WSUS) to control update rollout velocity.
Enable Reliability Monitor (perfmon /rel) to correlate software installs with crash events.

Frequently Asked Questions

powershell

# ============================================================
# CRITICAL_PROCESS_DIED Diagnostic & Fix Script
# Run as Administrator in PowerShell or Command Prompt
# ============================================================

# --- 1. Prevent auto-reboot on next BSOD ---
Write-Host "[1] Disabling automatic reboot on BSOD..."
wmic recoveros set AutoReboot=False

# --- 2. Verify dump file configuration ---
Write-Host "[2] Checking crash dump configuration..."
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' | Select-Object AutoReboot, CrashDumpEnabled, DumpFile, MiniDumpDir
# CrashDumpEnabled: 0=None, 1=Complete, 2=Kernel, 3=Small(Minidump), 7=Automatic
# Recommended: Set to 7 (Automatic)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name 'CrashDumpEnabled' -Value 7

# --- 3. List recent minidump files ---
Write-Host "[3] Recent minidump files:"
Get-ChildItem -Path 'C:\Windows\Minidump\' -Filter '*.dmp' -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime, Length

# --- 4. Check recent Windows Update history ---
Write-Host "[4] Last 10 installed updates:"
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 | Format-Table HotFixID, Description, InstalledOn -AutoSize

# --- 5. Run System File Checker ---
Write-Host "[5] Running SFC (this may take 10-20 minutes)..."
Start-Process -FilePath 'sfc.exe' -ArgumentList '/scannow' -Wait -NoNewWindow

# --- 6. Run DISM to repair Windows image ---
Write-Host "[6] Running DISM RestoreHealth (requires internet or source)..."
Start-Process -FilePath 'DISM.exe' -ArgumentList '/Online /Cleanup-Image /RestoreHealth' -Wait -NoNewWindow

# --- 7. List all running third-party kernel drivers ---
Write-Host "[7] Third-party kernel-mode drivers:"
Get-WmiObject Win32_SystemDriver | Where-Object {
    $_.State -eq 'Running' -and
    $_.PathName -notmatch 'system32\\drivers' -or
    ($_.PathName -match 'drivers' -and $_.PathName -notmatch 'windows')
} | Select-Object Name, PathName, State, StartMode | Format-Table -AutoSize

# --- 8. Check disk integrity (schedules on next boot) ---
Write-Host "[8] Scheduling CHKDSK for next reboot..."
cmd /c "echo Y | chkdsk C: /f /r"

# --- 9. Check Event Log for hardware errors (WHEA) ---
Write-Host "[9] Recent hardware/WHEA errors:"
Get-WinEvent -LogName System -ErrorAction SilentlyContinue | Where-Object {
    $_.Id -in @(18, 19, 47, 1001) -or $_.ProviderName -eq 'Microsoft-Windows-WHEA-Logger'
} | Select-Object -First 20 TimeCreated, Id, Message | Format-List

# --- 10. Enable verbose Boot Logging for next boot ---
Write-Host "[10] Enabling boot log (C:\Windows\ntbtlog.txt)..."
bcdedit /set {current} bootlog yes

Write-Host ""
Write-Host "=== Diagnostics complete. Review output above. ==="
Write-Host "Next steps:"
Write-Host " - Open C:\Windows\Logs\CBS\CBS.log to review SFC results"
Write-Host " - Analyze newest .dmp in C:\Windows\Minidump\ with WinDbg (!analyze -v)"
Write-Host " - Roll back or uninstall any flagged third-party drivers"
Write-Host " - Run MemTest86 from bootable USB if no driver cause is found"

Error Medic Editorial

The Error Medic Editorial team is composed of senior DevOps engineers, SREs, and Windows Server administrators with 10+ years of experience diagnosing kernel panics, Blue Screens of Death, and production outages across enterprise Windows Server environments. Our guides are built from real incident postmortems, Microsoft documentation, and hands-on lab reproduction of common failure scenarios.

Sources

Explore More windows Guides

Acer Aspire Blue Screen of Death Fix: How to Stop BSOD Crashes on Acer Laptops

Fix Acer Aspire Blue Screen of Death errors fast. Step-by-step guide covering driver updates, RAM checks, overheating, and Windows repair commands.

Acer Aspire Blue Screen of Death Fix: Step-by-Step Troubleshooting Guide (BSOD Errors Solved)

Fix Acer Aspire blue screen of death errors fast. Covers MEMORY_MANAGEMENT, DRIVER_IRQL, KERNEL_SECURITY_CHECK and more. Step-by-step commands included.

Acer Aspire Blue Screen of Death Fix: Stop Codes, Causes & Complete Solutions

Fix Acer Aspire Blue Screen of Death errors fast. Covers MEMORY_MANAGEMENT, DRIVER_IRQL, KERNEL_SECURITY_CHECK_FAILURE & more with exact commands.